文档 https://docs.docker.com/engine/swarm/secrets/
secret其实就是指敏感信息的保护,如密码、ssh-key、证书等。
创建secret
有两种方式
1. 从标准的收入读取
vagrant@swarm-manager:~$ echo abc123 | docker secret create mysql_pass -
4nkx3vpdd41tbvl9qs24j7m6w
vagrant@swarm-manager:~$ docker secret ls
ID NAME DRIVER CREATED UPDATED
4nkx3vpdd41tbvl9qs24j7m6w mysql_pass 8 seconds ago 8 seconds ago
vagrant@swarm-manager:~$ docker secret inspect mysql_pass
[
{
"ID": "4nkx3vpdd41tbvl9qs24j7m6w",
"Version": {
"Index": 4562
},
"CreatedAt": "2021-07-25T22:36:51.544523646Z",
"UpdatedAt": "2021-07-25T22:36:51.544523646Z",
"Spec": {
"Name": "mysql_pass",
"Labels": {}
}
}
]
vagrant@swarm-manager:~$ docker secret rm mysql_pass
mysql_pass
vagrant@swarm-manager:~$
创建secret中最后的
-表示从标准输入读取数据。secret创建后存储与swarm的raft数据库中。
2. 从文件读取
vagrant@swarm-manager:~$ ls
mysql_pass.txt
vagrant@swarm-manager:~$ more mysql_pass.txt
abc123
vagrant@swarm-manager:~$ docker secret create mysql_pass mysql_pass.txt
elsodoordd7zzpgsdlwgynq3f
vagrant@swarm-manager:~$ docker secret inspect mysql_pass
[
{
"ID": "elsodoordd7zzpgsdlwgynq3f",
"Version": {
"Index": 4564
},
"CreatedAt": "2021-07-25T22:38:14.143954043Z",
"UpdatedAt": "2021-07-25T22:38:14.143954043Z",
"Spec": {
"Name": "mysql_pass",
"Labels": {}
}
}
]
vagrant@swarm-manager:~$
secret在service中的存储
- 创建一个busybox的service
[vagrant@swarm-manager ~]$ echo abc123 > mysql_pass
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$ ls
flask-redis mysql_pass
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$ docker create secret mysql_pass^C
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$ docker secret create mysql_pass ^C
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$ mv mysql_pass mysql_pass.txt
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$ docker secret create mysql_pass mysql_pass.txt
q857fiit06y042kgaurtnfnth
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$ docker secret ls
ID NAME DRIVER CREATED UPDATED
q857fiit06y042kgaurtnfnth mysql_pass 5 seconds ago 5 seconds ago
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$ docker service create --name test --secret mysql_pass busybox ping 8.8.8.8
oo9v1zpsd8bh0r4ky7x9sosf7
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$ docker service ps test
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
eymo24tj6uqf test.1 busybox:latest swarm-worker1 Running Running 40 seconds ago
[vagrant@swarm-manager ~]$
[vagrant@swarm-manager ~]$
- 在worker1中进入到对应容器,在
/run/secrets中的与指定secret名称相同的mysql_pass可查看到secret
[vagrant@swarm-worker1 ~]$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
255bfbfa952e busybox:latest "ping 8.8.8.8" 26 seconds ago Up 25 seconds test.1.eymo24tj6uqf080fdxw8rwdef
f6adfc5dfe31 nicolaka/netshoot "nsenter --net=/netn…" 5 hours ago Up 5 hours interesting_shtern
[vagrant@swarm-worker1 ~]$
[vagrant@swarm-worker1 ~]$ docker exec -it 255 sh
/ #
/ # cd /run/secrets/
/run/secrets # ls
mysql_pass
/run/secrets # more mysql_pass
abc123
/run/secrets #
secret 的使用
参考 https://hub.docker.com/_/mysql
vagrant@swarm-manager:~$ docker service create --name mysql-demo --secret mysql_pass --env MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_pass mysql:5.7
wb4z2ximgqaefephu9f4109c7
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
vagrant@swarm-manager:~$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
wb4z2ximgqae mysql-demo replicated 1/1 mysql:5.7
vagrant@swarm-manager:~$ docker service ps mysql-demo
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
909429p4uovy mysql-demo.1 mysql:5.7 swarm-worker2 Running Running 32 seconds ago
vagrant@swarm-manager:~$
