secrets
Protection for sensitive data: passwords, keys, certificates and the like are stored as a Secret instead of being baked into the image or passed as plain environment variables.
Official documentation: https://docs.docker.com/engine/swarm/secrets/
Creating a secret (two ways)
Read from standard input (the trailing "-"). Note that echo appends a newline, so the secret stored below is the 7 bytes "abc123\n"; use printf '%s' abc123 | ... when the consumer reads the file byte-for-byte. The value also ends up in the shell history.
$ echo abc123 | docker secret create mysql_pass -
4nkx3vpdd41tbvl9qs24j7m6w
$ docker secret ls
ID                          NAME         DRIVER    CREATED          UPDATED
4nkx3vpdd41tbvl9qs24j7m6w   mysql_pass             8 seconds ago    8 seconds ago
$ docker secret inspect mysql_pass
[
    {
        "ID": "4nkx3vpdd41tbvl9qs24j7m6w",
        "Version": {
            "Index": 4562
        },
        "CreatedAt": "2021-07-25T22:36:51.544523646Z",
        "UpdatedAt": "2021-07-25T22:36:51.544523646Z",
        "Spec": {
            "Name": "mysql_pass",
            "Labels": {}
        }
    }
]
$ docker secret rm mysql_pass
mysql_pass
Read from a file. The plaintext file stays on disk after the secret has been created, so delete it once docker secret ls shows the secret.
$ echo abc123 > mysql_pass.txt
$ more mysql_pass.txt
abc123
$ docker secret create mysql_pass1 mysql_pass.txt
nj5iq99wersb2elrxsty1uw2c
$ docker secret ls
ID                          NAME          DRIVER    CREATED          UPDATED
g3n9pqprwkfozn64w5dhrenxj   mysql_pass              2 minutes ago    2 minutes ago
nj5iq99wersb2elrxsty1uw2c   mysql_pass1             12 seconds ago   12 seconds ago
(mysql_pass was created again after the rm above, hence its new ID.)
Using a secret
Start a service from the CLI: docker service create --name mysql-demo --secret mysql_pass mysql:5.7
Each secret granted with --secret is mounted into the service's containers as a file, by default at /run/secrets/<secret_name>, on an in-memory filesystem with mode 0444. Containers of services that were not granted the secret cannot see it.
How the official mysql image consumes secrets
Docker Secrets
As an alternative to passing sensitive information via environment variables, _FILE may be appended to the previously listed environment variables, causing the initialization script to load the values for those variables from files present in the container. In particular, this can be used to load passwords from Docker secrets stored in /run/secrets/<secret_name> files. For example:
$ docker run --name some-mysql -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root -d mysql:tag
Currently, this is only supported for MYSQL_ROOT_PASSWORD, MYSQL_ROOT_HOST, MYSQL_DATABASE, MYSQL_USER, and MYSQL_PASSWORD.
Run it:
$ docker service create --name mysql-demo --secret mysql_pass --env MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_pass mysql:5.7
wb4z2ximgqaefephu9f4109c7
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
$ docker service ls
ID             NAME         MODE         REPLICAS   IMAGE       PORTS
wb4z2ximgqae   mysql-demo   replicated   1/1        mysql:5.7
$ docker service ps mysql-demo
ID             NAME           IMAGE       NODE            DESIRED STATE   CURRENT STATE            ERROR   PORTS
909429p4uovy   mysql-demo.1   mysql:5.7   swarm-worker2   Running         Running 32 seconds ago
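To make the _FILE mechanism behind MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_pass concrete, here is an added example (not code from this page or from the mysql image) that re-implements, in POSIX sh, the VAR / VAR_FILE resolution an image entrypoint performs: value from the variable, or from the file the _FILE variable names, or a default, with a refusal when both are set. The function name file_env, the demo_* functions, secret_len and the temporary directory standing in for /run/secrets are the example's own assumptions. It also shows the byte difference between a secret written with printf '%s' and one written with echo.

```shell
#!/bin/sh
# Added example: VAR / VAR_FILE resolution as an image entrypoint does it,
# run against a constructed temp dir standing in for /run/secrets
# (swarm mounts each secret there on an in-memory filesystem, mode 0444).

# file_env NAME [DEFAULT]
# Exports NAME from $NAME, or from the file named by $NAME_FILE, or DEFAULT.
# Fails (status 1) if both NAME and NAME_FILE are set, or the file is unreadable.
file_env() {
    var="$1"
    file_var="${var}_FILE"
    def="${2:-}"
    # The name is fed to eval below, so only accept a plain identifier.
    case "$var" in
        ''|*[!A-Za-z0-9_]*) echo >&2 "error: invalid variable name: $var"; return 1 ;;
    esac
    # Indirect expansion in POSIX sh: read $NAME and $NAME_FILE by name.
    eval "direct=\"\${$var:-}\""
    eval "path=\"\${$file_var:-}\""
    if [ -n "$direct" ] && [ -n "$path" ]; then
        echo >&2 "error: both $var and $file_var are set (but are exclusive)"
        return 1
    fi
    val="$def"
    if [ -n "$direct" ]; then
        val="$direct"
    elif [ -n "$path" ]; then
        if [ ! -r "$path" ]; then
            echo >&2 "error: $file_var points to an unreadable file: $path"
            return 1
        fi
        # $(...) strips trailing newlines, which hides an echo-created newline
        # for this consumer; a program reading the file directly would see it.
        val="$(cat "$path")"
    fi
    export "$var=$val"
    unset "$file_var"   # do not leave the path behind for child processes
}

# secret_len FILE: size in bytes, to show the echo-vs-printf difference.
secret_len() {
    wc -c < "$1" | tr -d ' '
}

# Constructed stand-in for /run/secrets (assumption: not a real swarm mount).
SECRETS_DIR="$(mktemp -d)"
trap 'rm -rf "$SECRETS_DIR"' EXIT
printf '%s' 'abc123' > "$SECRETS_DIR/mysql_pass"   # 6 bytes, as printf stores it
echo 'abc123' > "$SECRETS_DIR/mysql_pass_echo"     # 7 bytes: echo adds "\n"

# Each demo runs in a subshell so exported variables do not leak between cases.
demo_from_file() (
    unset MYSQL_ROOT_PASSWORD
    MYSQL_ROOT_PASSWORD_FILE="$SECRETS_DIR/mysql_pass"
    file_env MYSQL_ROOT_PASSWORD && printf '%s' "$MYSQL_ROOT_PASSWORD"
)

demo_default() (
    unset MYSQL_ROOT_PASSWORD MYSQL_ROOT_PASSWORD_FILE
    file_env MYSQL_ROOT_PASSWORD fallback && printf '%s' "$MYSQL_ROOT_PASSWORD"
)

demo_both_set() (
    MYSQL_ROOT_PASSWORD=inline
    MYSQL_ROOT_PASSWORD_FILE="$SECRETS_DIR/mysql_pass"
    file_env MYSQL_ROOT_PASSWORD
)

demo_missing_file() (
    unset MYSQL_ROOT_PASSWORD
    MYSQL_ROOT_PASSWORD_FILE="$SECRETS_DIR/does_not_exist"
    file_env MYSQL_ROOT_PASSWORD
)

# Stand-alone run: print what each case resolves to.
echo "from file:    $(demo_from_file)"
echo "default:      $(demo_default)"
demo_both_set 2>/dev/null     || echo "both set:     refused"
demo_missing_file 2>/dev/null || echo "missing file: refused"
echo "printf bytes: $(secret_len "$SECRETS_DIR/mysql_pass"), echo bytes: $(secret_len "$SECRETS_DIR/mysql_pass_echo")"
```

The refusal when both forms are set is deliberate: silently preferring one of them would let a stale MYSQL_ROOT_PASSWORD in the environment override the secret file, or the reverse, without anyone noticing.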
Using secrets in Compose (also works when deploying a stack to swarm)
The top-level secrets: key declares each secret and the file its value is read from; the secrets: list under a service grants that service access, and the container then reads the value from /run/secrets/<name> (here through the images' *_FILE environment variables). With docker stack deploy the file contents are registered as swarm secrets at deploy time, so the .txt files must not be committed alongside the compose file.
version: "3.9"
services:
  db:
    image: mysql:latest
    volumes:
      - db_data:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:             # grant this service access to the secrets
      - db_root_password
      - db_password
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    ports:
      - "8000:80"
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD_FILE: /run/secrets/db_password
    secrets:             # grant this service access to the secret
      - db_password
secrets:                 # declare the secrets
  db_password:           # database user password
    file: db_password.txt        # path of the file holding the password
  db_root_password:
    file: db_root_password.txt
volumes:
  db_data: