I. Purpose
Docker secrets keep usernames and passwords from being shown in the clear, which reduces the chance of a password leaking and keeps the system secure and reliable. A Docker secret stores the password securely and is assigned to specific services, so that only those services have permission to access it.
II. Definitions
1. What a secret can contain
(1) SSH keys
(2) Usernames and passwords
(3) TLS certificates
(4) Anything you do not want others to see
2. Swarm architecture
3. Secret management
(1) Secrets are stored in the Raft database of the swarm manager nodes
(2) A secret can be assigned to a specific service, so that only that service can see it.
(3) Inside the container the secret appears as a file, but it is actually held in memory (an in-memory filesystem mounted under /run/secrets)
III. Operations
1. Method one: create a secret from a file
(1) Create a file named password whose content is admin123321
(2) Create the secret
$ docker secret create my-pw password
nqef5lnfh13bbv5760qm7airt
(3) Remove the original file (the command below only renames it; the plaintext remains on disk until password.bak is deleted)
$ mv password password.bak
(4) List the secrets on the swarm-manager node
$ docker secret ls
ID NAME DRIVER CREATED UPDATED
nqef5lnfh13bbv5760qm7airt my-pw About a minute ago About a minute ago
2. Method two: create a secret from a command
(1) Create it from echo on stdin (note: echo appends a newline, so the stored secret is "admin2\n", and the literal password also ends up in the shell history)
$ echo "admin2" | docker secret create my-pw2 -
vqba8gjsz0qszwgf50xjxnzjt
(2) List
docker secret ls
3. Delete a secret
$ docker secret rm my-pw2
4. Use the secret in a busybox service
(1) Create the busybox service
$ docker service create --name client --secret my-pw busybox sh -c "while true;do sleep 3600; done"
zlp2n7tlgfr0tk7ylpuj51m1n
overall progress: 1 out of 1 tasks
1/1: running
verify: Service converged
(2) List services
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
zlp2n7tlgfr0 client replicated 1/1 busybox:latest
(3) Enter the busybox container
-> Find which node the service task is running on
$ docker service ps client
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
k6fr8eb1puss client.1 busybox:latest swarm-worker2 Running Running 56 seconds ago
-> Go to worker2 and enter the running container
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5c714523df99 busybox:latest "sh -c 'while true;d…" About a minute ago Up About a minute client.1.k6fr8eb1pusshb8q0vvft422o
$ docker exec -it 5c714 sh
/ #
-> View the password
/ # cd /run/secrets/
/run/secrets # ls
my-pw
/run/secrets # cat my-pw
admin123321
/run/secrets #
5. Use the secret when creating a MySQL service
(1) Deploy the MySQL service, pointing MYSQL_ROOT_PASSWORD_FILE at the mounted secret instead of passing the password in an environment variable
$ docker service create --name db --secret my-pw -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my-pw hub.c.163.com/library/mysql:5.7
ufmzh7ao8d85jgibfvijdu519
overall progress: 1 out of 1 tasks
1/1: running
verify: Service converged
(2) List services
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
zlp2n7tlgfr0 client replicated 1/1 busybox:latest
ufmzh7ao8d85 db replicated 1/1 hub.c.163.com/library/mysql:5.7
(3) Check which node the service is placed on
$ docker service ps db
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
pks09gwcl95n db.1 hub.c.163.com/library/mysql:5.7 swarm-manager Running Running about a minute ago
(4) Enter the MySQL container
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fbf85e74e13f hub.c.163.com/library/mysql:5.7 "docker-entrypoint.s…" About a minute ago Up About a minute 3306/tcp db.1.pks09gwcl95nsuxc9bv3qv75r
$ docker exec -it fbf8 sh
#
(5) View the password
# cd /run/secrets
# ls
my-pw
# cat my-pw
admin123321
(6) Then log in to MySQL
# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.18 MySQL Community Server (GPL)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.01 sec)
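The MYSQL_ROOT_PASSWORD_FILE step above works because the mysql image's entrypoint resolves settings from either VAR or VAR_FILE. The helper below is an added example (not the original post's code nor the mysql image's own entrypoint) of that pattern for your own images; the names file_env, secret_value and the SECRETS_DIR override are assumptions made here so the logic can be exercised outside a Swarm. It also strips the trailing newline that `echo "pw" | docker secret create ... -` leaves in a secret.

```shell
#!/bin/sh
# file_env VAR [DEFAULT]
# Sets $VAR from $VAR (literal) or from the file named by $VAR_FILE, refusing
# to continue if both are given so a literal value cannot silently override
# the mounted secret. $(...) strips trailing newlines, so a secret created
# with echo does not carry "\n" into the credential.
file_env() {
    var="$1"
    def="${2:-}"
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set (they are exclusive)" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: $file_var points at unreadable file $file" >&2
            return 1
        fi
        val="$(cat "$file")"
    fi
    [ -n "$val" ] || val="$def"
    export "$var=$val"
    unset "$file_var"   # do not hand the file path on to child processes
}

# secret_value NAME: read a Swarm secret mounted at /run/secrets/NAME.
# SECRETS_DIR (assumed name) lets tests point at a temporary directory.
secret_value() {
    dir="${SECRETS_DIR:-/run/secrets}"
    f="$dir/$1"
    [ -r "$f" ] || { echo "error: secret $1 not mounted at $f" >&2; return 1; }
    cat "$f"
}
```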