1十、經過案例學習Secret （Swarm17）

時間 2019-11-30

標籤經過案例學習 secret swarm17 swarm 简体版

原文原文鏈接

參考 http://www.javashuo.com/article/p-qdedwmuy-k.html

在下面的例子中，咱們會部署一個 WordPress 應用，WordPress 是流行的開源博客系統。

咱們將建立一個 Mysql Service ，將密碼保存到secret 中。咱們還會建立一個 WordPress service ，他將使用 secret 鏈接Mysql 。這個例子將展現如何使用secret避免在image中存放敏感信息，或者在命令行中直接傳遞敏感信息。

建立 secret

 
  root@host03:~# openssl rand -base64 20 | docker secret create mysql_root_password -    #    直接生成隨機字符串並建立secret 
 
   4pjwxd6sr9du56wi1zpicejoy 
 
  root@host03:~# docker secret inspect mysql_root_password 
 
   [ 
 
       { 
 
           "ID": "4pjwxd6sr9du56wi1zpicejoy", 
 
           "Version": { 
 
               "Index": 17167 
 
           }, 
 
           "CreatedAt": "2019-05-16T06:52:50.88254189Z", 
 
           "UpdatedAt": "2019-05-16T06:52:50.88254189Z", 
 
           "Spec": { 
 
               "Name": "mysql_root_password", 
 
               "Labels": {} 
 
           } 
 
       } 
 
   ] 
 
  root@host03:~# openssl rand -base64 20 > password.txt    #    生成隨機字符串保存到文件 
 
  root@host03:~# docker secret create mysql_root_password_file ./password.txt    #    從文件讀取密碼生成secret 
 
   m6rc31lat7wutlcmfxn88z8dy 
 
  root@host03:~# docker secret inspect mysql_root_password_file 
 
   [ 
 
       { 
 
           "ID": "m6rc31lat7wutlcmfxn88z8dy", 
 
           "Version": { 
 
               "Index": 17168 
 
           }, 
 
           "CreatedAt": "2019-05-16T06:54:19.792675996Z", 
 
           "UpdatedAt": "2019-05-16T06:54:19.792675996Z", 
 
           "Spec": { 
 
               "Name": "mysql_root_password_file", 
 
               "Labels": {} 
 
           } 
 
       } 
 
   ] 
 
  root@host03:~# openssl rand -base64 20 | docker secret create mysql_password -    #    咱們這裏爲WordPress建立一個非root的secret 
 
   v6a7aqck9okemsopzc870e6p4 
 
  root@host03:~# docker secret inspect mysql_password 
 
   [ 
 
       { 
 
           "ID": "v6a7aqck9okemsopzc870e6p4", 
 
           "Version": { 
 
               "Index": 17169 
 
           }, 
 
           "CreatedAt": "2019-05-16T06:57:15.399204873Z", 
 
           "UpdatedAt": "2019-05-16T06:57:15.399204873Z", 
 
           "Spec": { 
 
               "Name": "mysql_password", 
 
               "Labels": {} 
 
           } 
 
       } 
 
   ] 
 
  root@host03:~# docker secret ls 
 
   ID                          NAME                       DRIVER              CREATED              UPDATED 
 
  v6a7aqck9okemsopzc870e6p4   mysql_password                                 About a minute ago   About a minute ago     
 
  4pjwxd6sr9du56wi1zpicejoy   mysql_root_password                            5 minutes ago        5 minutes ago          
 
   m6rc31lat7wutlcmfxn88z8dy   mysql_root_password_file                       4 minutes ago        4 minutes ago

建立自定義 overlay 網絡

 
  root@host03:~# docker network create --driver overlay mysql_private 
 
   ssi9vxai6fppn1xfydaoedjth 
 
  root@host03:~# docker network ls 
 
   NETWORK ID          NAME                DRIVER              SCOPE 
 
   c31c660ab056        bridge              bridge              local 
 
   b5ff39d0ca1f        docker_gwbridge     bridge              local 
 
   e9f624212e28        host                host                local 
 
   sngp88bsqode        ingress             overlay             swarm 
 
  ssi9vxai6fpp        mysql_private       overlay             swarm 
 
   39b5e5857095        none                null                local

建立mysql service

 
  root@host03:~# docker service create --name mysql --network mysql_private --secret source=mysql_root_password,target=mysql_root_password --secret source=mysql_password,target=mysql_password -e MYSQL_ROOT_PASSWORD_FILE='/run/secrets/mysql_root_password' -e MYSQL_PASSWORD_FILE='/run/secrets/mysql_password' -e MYSQL_USER='wordpress' -e MYSQL_DATABASE='wordpress' mysql:5.7 
 
   image mysql:latest could not be accessed on a registry to record 
 
   its digest. Each node will access mysql:latest independently, 
 
   possibly leading to different nodes running different 
 
   versions of the image. 
 
   wtcc6kth07v7hmf528bfe1p1y 
 
   overall progress: 1 out of 1 tasks 
 
   1/1: running   [==================================================>] 
 
   verify: Service converged 
 
  root@host03:~# docker service ps mysql 
 
   ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE                 ERROR                           PORTS 
 
   p69wao0p573p        mysql.1             mysql:latest        host01              Running             Running about a minute ago

建立 WordPress service

 
  root@host03:~# docker service create --name wordpress --network mysql_private --publish 80:80 --secret source=mysql_password,target=wp_db_password -e WORDPRESS_DB_HOST='mysql:3306' -e WORDPRESS_DB_NAME='wordpress' -e WORDPRESS_DB_USER='wordpress' -e WORDPRESS_DB_PASSWORD_FILE='/run/secrets/wp_db_password' wordpress 
 
   sl396197rt8jh52xwsrg7x2gv 
 
   overall progress: 1 out of 1 tasks 
 
   1/1: running   [==================================================>] 
 
   verify: Service converged 
 
  root@host03:~# docker service ps wordpress 
 
   ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE            ERROR               PORTS 
 
   bvlccd2fsho2        wordpress.1         wordpress:latest    host02              Running             Running 17 seconds ago