
Trying out Docker Swarm secrets

A very important feature, but very simple to use.

https://docs.docker.com/engine/swarm/secrets/

Creating a secret

```bash
echo "root" | docker secret create mysql57_root_password -
# daeeef4cskv7wxqq76reh4qmt


docker secret ls
# ID                          NAME                    DRIVER    CREATED         UPDATED
# daeeef4cskv7wxqq76reh4qmt   mysql57_root_password             4 seconds ago   4 seconds ago
# root@swarmworker1:~# docker service rm hello_without_constraint
# hello_without_constraint
```

Create a service that uses the secret

```bash
docker service create --replicas 2 --secret mysql57_root_password --name hello_with_secret alpine ping docker.com
```

Print mysql57_root_password directly from inside the container (the container is located with a name filter)

```bash
docker container exec `docker ps --filter name=hello_with_secret -q` cat /run/secrets/mysql57_root_password
# root
```

Create a service with a secret and change where the secret file is placed inside the container

Write --secret in this form: source=mysql57_root_password,target=root_password

source and target are self-explanatory: source is the secret name in the swarm, target is the file name under /run/secrets/ in the container.

```bash
docker service create --replicas 2 --secret source=mysql57_root_password,target=root_password --name hello_with_secret2 alpine ping docker.com
# nod77d45cldct59wf20kvkmlc
# overall progress: 2 out of 2 tasks
# 1/2: running   [==================================================>]
# 2/2: running   [==================================================>]
# verify: Service converged

docker container exec `docker ps --filter name=hello_with_secret2 -q` cat /run/secrets/root_password
# root
```
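The commands above only `cat` the secret file. In a real service the application has to read that file itself, and one detail is easy to miss: `echo "root" |` stores a trailing newline in the secret, so a naive read would give MySQL the password `root\n`. The following entrypoint helper is an added example (not code from the original post or from Docker) that reads a secret from its mounted file, strips the newline, and exports it only inside the entrypoint process; `SECRETS_DIR` is a hypothetical override so the helper can be exercised outside a container, where the real path is `/run/secrets`.

```shell
#!/bin/sh
# Added example, not from the original post: an entrypoint helper that consumes
# a swarm secret from its mounted file. SECRETS_DIR is a hypothetical override
# so the functions can be tested outside a container (the real path is /run/secrets).
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# load_secret NAME: print the contents of $SECRETS_DIR/NAME without the trailing
# newline. A secret created with `echo "root" | docker secret create ...` contains
# "root\n"; command substitution strips that newline and printf adds none back.
load_secret() {
    name="$1"
    file="$SECRETS_DIR/$name"
    if [ ! -r "$file" ]; then
        echo "secret '$name' is not mounted at $file" >&2
        return 1
    fi
    printf '%s' "$(cat "$file")"
}

# secret_env VAR NAME: export VAR from secret NAME, failing if the secret is absent.
# The value is set only inside the entrypoint process, so it never appears in
# `docker service inspect` the way a --env value would.
secret_env() {
    var="$1"
    name="$2"
    value="$(load_secret "$name")" || return 1
    export "$var=$value"
}

# Demonstration with a constructed secrets directory (run as: sh entrypoint.sh demo).
if [ "${1:-}" = "demo" ]; then
    SECRETS_DIR="$(mktemp -d)"
    printf 'root\n' > "$SECRETS_DIR/root_password"   # same content as the post's secret
    secret_env MYSQL_ROOT_PASSWORD root_password
    printf 'password length: %s\n' "${#MYSQL_ROOT_PASSWORD}"   # 4: the newline was stripped
    rm -rf "$SECRETS_DIR"
fi
```

In a container the helper is used before `exec`-ing the real process, for example `secret_env MYSQL_ROOT_PASSWORD root_password && exec mysqld`, with `root_password` being the `target` name chosen on the `--secret` flag.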

Try deleting the secret

```bash
docker secret rm mysql57_root_password
# Error response from daemon: rpc error: code = InvalidArgument desc = secret 'mysql57_root_password' is in use by the following service: hello_with_secret
```

The deletion fails because a service is still using the secret. So we first have to make the service stop using it.

The update command (covered later) can change almost every attribute of a service.

Here we use update to remove this service's use of the secret mysql57_root_password

```bash
docker service update --secret-rm mysql57_root_password hello_with_secret
# hello_with_secret
# overall progress: 2 out of 2 tasks
# 1/2: running   [==================================================>]
# 2/2: running   [==================================================>]
# verify: Service converged

## Now look at the secret once more
docker container exec `docker ps --filter name=hello_with_secret -q` cat /run/secrets/mysql57_root_password
# cat: can't open '/run/secrets/mysql57_root_password': No such file or directory
```

Now the secret mysql57_root_password can be deleted

```bash
docker secret rm mysql57_root_password
# mysql57_root_password

## ls again: it's gone
docker secret ls
# ID                          NAME                    DRIVER    CREATED         UPDATED
```

Summary

In short, treat it as an environment variable that is a little more private.
