在下面的例子中,咱們會部署一個 WordPress 應用,WordPress 是流行的開源博客系統。
咱們將建立一個 Mysql Service ,將密碼保存到secret 中。咱們還會建立一個 WordPress service ,他將使用 secret 鏈接Mysql 。這個例子將展現如何使用secret避免在image中存放敏感信息,或者在命令行中直接傳遞敏感信息。
建立 secret
root@host03:~# openssl rand -base64 20 | docker secret create mysql_root_password - # 直接生成隨機字符串並建立secret
4pjwxd6sr9du56wi1zpicejoy
root@host03:~# docker secret inspect mysql_root_password
[
{
"ID": "4pjwxd6sr9du56wi1zpicejoy",
"Version": {
"Index": 17167
},
"CreatedAt": "2019-05-16T06:52:50.88254189Z",
"UpdatedAt": "2019-05-16T06:52:50.88254189Z",
"Spec": {
"Name": "mysql_root_password",
"Labels": {}
}
}
]
root@host03:~# openssl rand -base64 20 > password.txt # 生成隨機字符串保存到文件
root@host03:~# docker secret create mysql_root_password_file ./password.txt # 從文件讀取密碼生成secret
m6rc31lat7wutlcmfxn88z8dy
root@host03:~# docker secret inspect mysql_root_password_file
[
{
"ID": "m6rc31lat7wutlcmfxn88z8dy",
"Version": {
"Index": 17168
},
"CreatedAt": "2019-05-16T06:54:19.792675996Z",
"UpdatedAt": "2019-05-16T06:54:19.792675996Z",
"Spec": {
"Name": "mysql_root_password_file",
"Labels": {}
}
}
]
root@host03:~# openssl rand -base64 20 | docker secret create mysql_password - # 咱們這裏爲WordPress建立一個非root的secret
v6a7aqck9okemsopzc870e6p4
root@host03:~# docker secret inspect mysql_password
[
{
"ID": "v6a7aqck9okemsopzc870e6p4",
"Version": {
"Index": 17169
},
"CreatedAt": "2019-05-16T06:57:15.399204873Z",
"UpdatedAt": "2019-05-16T06:57:15.399204873Z",
"Spec": {
"Name": "mysql_password",
"Labels": {}
}
}
]
root@host03:~# docker secret ls
ID NAME DRIVER CREATED UPDATED
v6a7aqck9okemsopzc870e6p4 mysql_password About a minute ago About a minute ago
4pjwxd6sr9du56wi1zpicejoy mysql_root_password 5 minutes ago 5 minutes ago
m6rc31lat7wutlcmfxn88z8dy mysql_root_password_file 4 minutes ago 4 minutes ago
建立自定義 overlay 網絡
root@host03:~# docker network create --driver overlay mysql_private
ssi9vxai6fppn1xfydaoedjth
root@host03:~# docker network ls
NETWORK ID NAME DRIVER SCOPE
c31c660ab056 bridge bridge local
b5ff39d0ca1f docker_gwbridge bridge local
e9f624212e28 host host local
sngp88bsqode ingress overlay swarm
ssi9vxai6fpp mysql_private overlay swarm
39b5e5857095 none null local
建立mysql service
root@host03:~# docker service create --name mysql --network mysql_private --secret source=mysql_root_password,target=mysql_root_password --secret source=mysql_password,target=mysql_password -e MYSQL_ROOT_PASSWORD_FILE='/run/secrets/mysql_root_password' -e MYSQL_PASSWORD_FILE='/run/secrets/mysql_password' -e MYSQL_USER='wordpress' -e MYSQL_DATABASE='wordpress' mysql:5.7
image mysql:latest could not be accessed on a registry to record
its digest. Each node will access mysql:latest independently,
possibly leading to different nodes running different
versions of the image.
wtcc6kth07v7hmf528bfe1p1y
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
root@host03:~# docker service ps mysql
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
p69wao0p573p mysql.1 mysql:latest host01 Running Running about a minute ago
建立 WordPress service
root@host03:~# docker service create --name wordpress --network mysql_private --publish 80:80 --secret source=mysql_password,target=wp_db_password -e WORDPRESS_DB_HOST='mysql:3306' -e WORDPRESS_DB_NAME='wordpress' -e WORDPRESS_DB_USER='wordpress' -e WORDPRESS_DB_PASSWORD_FILE='/run/secrets/wp_db_password' wordpress
sl396197rt8jh52xwsrg7x2gv
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
root@host03:~# docker service ps wordpress
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
bvlccd2fsho2 wordpress.1 wordpress:latest host02 Running Running 17 seconds ago
訪問 WordPress頁面 http://10.12.31.211