Documentation: https://docs.docker.com/engine/swarm/secrets/
A secret is Swarm's mechanism for protecting sensitive data such as passwords, SSH keys and certificates: the value is kept out of the image, the service spec and the environment, and is handed to a container only at run time.
Creating a secret
1. Reading from standard input
vagrant@swarm-manager:~$ echo abc123 | docker secret create mysql_pass -
4nkx3vpdd41tbvl9qs24j7m6w
vagrant@swarm-manager:~$ docker secret ls
ID                          NAME         DRIVER    CREATED         UPDATED
4nkx3vpdd41tbvl9qs24j7m6w   mysql_pass             8 seconds ago   8 seconds ago
vagrant@swarm-manager:~$ docker secret inspect mysql_pass
[
    {
        "ID": "4nkx3vpdd41tbvl9qs24j7m6w",
        "Version": {
            "Index": 4562
        },
        "CreatedAt": "2021-07-25T22:36:51.544523646Z",
        "UpdatedAt": "2021-07-25T22:36:51.544523646Z",
        "Spec": {
            "Name": "mysql_pass",
            "Labels": {}
        }
    }
]
vagrant@swarm-manager:~$ docker secret rm mysql_pass
mysql_pass
vagrant@swarm-manager:~$
The trailing - in the create command tells docker secret create to read the value from standard input. Once created, the secret is stored in the swarm managers' Raft log, which Swarm encrypts at rest; note that docker secret inspect only prints metadata (ID, timestamps, name, labels) and never the value, and a secret cannot be updated in place, only removed and recreated. One gotcha with the stdin form: echo appends a newline, so the stored value here is "abc123\n" (7 bytes), not "abc123". Use printf '%s' abc123 | docker secret create mysql_pass - when the consumer reads the file byte for byte.
2. Reading from a file
vagrant@swarm-manager:~$ ls
mysql_pass.txt
vagrant@swarm-manager:~$ more mysql_pass.txt
abc123
vagrant@swarm-manager:~$ docker secret create mysql_pass mysql_pass.txt
elsodoordd7zzpgsdlwgynq3f
vagrant@swarm-manager:~$ docker secret inspect mysql_pass
[
    {
        "ID": "elsodoordd7zzpgsdlwgynq3f",
        "Version": {
            "Index": 4564
        },
        "CreatedAt": "2021-07-25T22:38:14.143954043Z",
        "UpdatedAt": "2021-07-25T22:38:14.143954043Z",
        "Spec": {
            "Name": "mysql_pass",
            "Labels": {}
        }
    }
]
vagrant@swarm-manager:~$
Creating from a file is the same as piping the file through stdin; the file should be deleted (or at least never committed) once the secret exists, since the plaintext copy on the manager's disk defeats the point of the Raft encryption.
How a secret reaches a service
Create a busybox service that is granted the secret
[vagrant@swarm-manager ~]$ echo abc123 > mysql_pass
[vagrant@swarm-manager ~]$ ls
flask-redis  mysql_pass
[vagrant@swarm-manager ~]$ docker create secret mysql_pass
^C
[vagrant@swarm-manager ~]$ docker secret create mysql_pass
^C
[vagrant@swarm-manager ~]$ mv mysql_pass mysql_pass.txt
[vagrant@swarm-manager ~]$ docker secret create mysql_pass mysql_pass.txt
q857fiit06y042kgaurtnfnth
[vagrant@swarm-manager ~]$ docker secret ls
ID                          NAME         DRIVER    CREATED         UPDATED
q857fiit06y042kgaurtnfnth   mysql_pass             5 seconds ago   5 seconds ago
[vagrant@swarm-manager ~]$ docker service create --name test --secret mysql_pass busybox ping 8.8.8.8
oo9v1zpsd8bh0r4ky7x9sosf7
overall progress: 1 out of 1 tasks
1/1: running   [==================================================>]
verify: Service converged
[vagrant@swarm-manager ~]$ docker service ps test
ID             NAME      IMAGE            NODE            DESIRED STATE   CURRENT STATE            ERROR     PORTS
eymo24tj6uqf   test.1    busybox:latest   swarm-worker1   Running         Running 40 seconds ago
[vagrant@swarm-manager ~]$
(The two interrupted attempts are typos: the subcommand is docker secret create SECRET [file|-], and the second attempt was missing the source argument.) The --secret mysql_pass flag is what grants the service access; a service that does not name the secret never receives it, even on the same node.
On worker1, enter the task's container: the secret is mounted at /run/secrets/<secret name>, here /run/secrets/mysql_pass, and its plaintext can be read from there.
[vagrant@swarm-worker1 ~]$ docker container ls
CONTAINER ID   IMAGE               COMMAND                  CREATED          STATUS          PORTS     NAMES
255bfbfa952e   busybox:latest      "ping 8.8.8.8"           26 seconds ago   Up 25 seconds             test.1.eymo24tj6uqf080fdxw8rwdef
f6adfc5dfe31   nicolaka/netshoot   "nsenter --net=/netn…"   5 hours ago      Up 5 hours                interesting_shtern
[vagrant@swarm-worker1 ~]$ docker exec -it 255 sh
/ # cd /run/secrets/
/run/secrets # ls
mysql_pass
/run/secrets # more mysql_pass
abc123
/run/secrets #
The file under /run/secrets is an in-memory tmpfs mount, not a file on the worker's disk, and it only exists on nodes that are currently running a task of a service granted that secret; it is gone when the task stops. By default it is owned by root with mode 0444, so every process in the container can read it. When the workload runs as a non-root user, the long form of the flag lets you restrict this, for example --secret source=mysql_pass,target=mysql_pass,uid=999,gid=999,mode=0400. Anyone who can docker exec into the container (or who controls the node) can still read the value, so secrets protect against leakage through images, specs and logs, not against a compromised host.
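The tmpfs claim above is easy to verify from inside a task, and worth verifying in a hardening checklist, because a secret that someone has replaced with a bind-mounted file on the host looks identical from ls. The following is an added example, not code from the page or from Docker: it parses a /proc/mounts table and checks that the secret path is backed by tmpfs and mounted read-only. The sample mount tables are constructed; the layout assumed (one tmpfs entry per secret at its target path) is what a Swarm task normally shows, but pass the real "$(cat /proc/mounts)" to check a live container.

```shell
#!/bin/sh
# Added example (not from the page or from Docker): confirm, from inside a
# service task, that a secret is delivered as an in-memory, read-only mount.
# The mount table is passed in as text so the check also runs offline.

# Print the /proc/mounts entry whose mountpoint equals the given path.
# Field layout: <source> <mountpoint> <fstype> <options> <dump> <pass>
mount_entry() {
    path="$1"
    printf '%s\n' "$2" | awk -v p="$path" '$2 == p { print; exit }'
}

# Return 0 when the path is a tmpfs mount carrying the "ro" option,
# 1 when it is missing, on another filesystem, or writable.
secret_mount_ok() {
    entry=$(mount_entry "$1" "$2")
    [ -n "$entry" ] || return 1
    fstype=$(printf '%s\n' "$entry" | awk '{print $3}')
    opts=$(printf '%s\n' "$entry" | awk '{print $4}')
    [ "$fstype" = "tmpfs" ] || return 1
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample: what /proc/mounts looks like inside the busybox task
# above (assumed layout, one tmpfs entry per secret at its target path).
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/secrets/mysql_pass tmpfs ro,relatime 0 0
/dev/sda1 /etc/hosts ext4 rw,relatime 0 0'

# Constructed counter-example: the "secret" is really a writable file on the
# host's disk, bind-mounted to the same path (e.g. a volume used by mistake).
BAD_MOUNTS='overlay / overlay rw,relatime 0 0
/dev/sda1 /run/secrets/mysql_pass ext4 rw,relatime 0 0'

# Usage inside a task:  sh check.sh /run/secrets/mysql_pass
if [ -n "${1:-}" ]; then
    if secret_mount_ok "$1" "$(cat /proc/mounts)"; then
        echo "ok: $1 is a read-only tmpfs mount"
    else
        echo "WARNING: $1 is not a read-only tmpfs mount"
    fi
fi
```

The "ro" check matters as much as the filesystem type: Docker remounts the secrets tmpfs read-only before the task starts, so a writable entry means the file did not come from the Swarm secret store.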
Using a secret
Reference: https://hub.docker.com/_/mysql
The official mysql image accepts MYSQL_ROOT_PASSWORD_FILE as an alternative to MYSQL_ROOT_PASSWORD: instead of putting the password into the environment (where docker inspect and process listings expose it), the image reads it from the file the variable points to. Point it at the mounted secret:
vagrant@swarm-manager:~$ docker service create --name mysql-demo --secret mysql_pass --env MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_pass mysql:5.7
wb4z2ximgqaefephu9f4109c7
overall progress: 1 out of 1 tasks
1/1: running   [==================================================>]
verify: Service converged
vagrant@swarm-manager:~$ docker service ls
ID             NAME         MODE         REPLICAS   IMAGE       PORTS
wb4z2ximgqae   mysql-demo   replicated   1/1        mysql:5.7
vagrant@swarm-manager:~$ docker service ps mysql-demo
ID             NAME           IMAGE       NODE            DESIRED STATE   CURRENT STATE            ERROR     PORTS
909429p4uovy   mysql-demo.1   mysql:5.7   swarm-worker2   Running         Running 32 seconds ago
vagrant@swarm-manager:~$
The task landed on swarm-worker2, which had no copy of the secret until this task was scheduled there; Swarm delivers it over the mutually authenticated TLS link between manager and worker. The image's entrypoint reads the file with shell command substitution, which strips trailing newlines, which is why the echo-created secret from earlier works as the password abc123 even though the file contains a trailing newline.
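The two details above (the newline that echo adds when a secret is created from stdin, and the *_FILE convention the mysql image uses to consume it) interact, so here is one added example covering both. It is not code from the page or from the mysql image: file_env below is an assumed POSIX re-implementation of the pattern the image documents (read VAR from the file named by VAR_FILE, and refuse both being set), written only to show the behaviour; secret_bytes_with_echo and secret_bytes_with_printf are hypothetical helpers that measure what each creation command would store.

```shell
#!/bin/sh
# Added example (not from the page or from the mysql image): the trailing
# newline from `echo abc123 | docker secret create mysql_pass -`, and why a
# *_FILE reader based on command substitution does not notice it.

# Bytes that would be stored for the secret "abc123" by each creation style.
# echo appends "\n" (7 bytes); printf '%s' stores exactly the value (6 bytes).
secret_bytes_with_echo()   { echo "$1"        | wc -c | tr -d ' '; }
secret_bytes_with_printf() { printf '%s' "$1" | wc -c | tr -d ' '; }

# Assumed POSIX re-implementation of the *_FILE convention (not the image's
# own entrypoint code): if VAR_FILE is set, VAR takes the file's content;
# VAR and VAR_FILE are mutually exclusive; VAR_FILE is unset afterwards so
# child processes never see the path either.
file_env() {
    var="$1"
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set (but are exclusive)" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        # Command substitution strips ALL trailing newlines, so an
        # echo-created secret still yields exactly "abc123" here.
        val=$(cat "$file")
    fi
    export "$var=$val"
    unset "$file_var"
}

# Contrast the two readers on the same echo-created secret file:
# file_env sees "abc123", while a byte-exact reader (read(), wc -c, a Go or
# Python program doing f.read()) sees 7 bytes including the newline.
# Prints: "abc123 7"
demo_newline_effect() {
    tmp=$(mktemp)
    echo abc123 > "$tmp"      # constructed stand-in for /run/secrets/mysql_pass
    unset MYSQL_ROOT_PASSWORD
    MYSQL_ROOT_PASSWORD_FILE="$tmp"
    export MYSQL_ROOT_PASSWORD_FILE
    file_env MYSQL_ROOT_PASSWORD
    via_file_env="$MYSQL_ROOT_PASSWORD"
    verbatim_len=$(wc -c < "$tmp" | tr -d ' ')
    rm -f "$tmp"
    printf '%s %s\n' "$via_file_env" "$verbatim_len"
}
```

The practical rule: create secrets with printf '%s' (or from a file written without a trailing newline) unless you know the consumer strips it, because a byte-exact reader will otherwise authenticate with "abc123\n" and fail in a way that looks like a wrong password.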
