Detailed explanation of Docker Secret management and use

1. What is Docker Secret

1. Scenario display

We know that some services require passwords, such as MySQL service:

version: '3'

services:

 web:
  image: wordpress
  ports:
   -8080:80
  volumes:
   - ./www:/var/www/html
  environment:
   WORDPRESS_DB_NAME=wordpress
   WORDPRESS_DB_HOST: mysql
   WORDPRESS_DB_PASSWORD: root
  networks:
   - my-network
  depends_on:
   -mysql
  deploy:
   mode: replicated
   replicas: 3
   restart_policy:
    condition: on-failure
    delay: 5s
    max_attempts: 3
   update_config:
    parallelism: 1
    delay: 10s

 mysql:
  image: mysql
  environment:
   MYSQL_ROOT_PASSWORD: root
   MYSQL_DATABASE: wordpress
  volumes:
   -mysql-data:/var/lib/mysql
  networks:
   - my-network
  deploy:
   mode: global
   placement:
    constraints:
     - node.role == manager

volumes:
 mysql-data:

networks:
 my-network:
  driver: overlay

You can see that the two service passwords in this docker-compose.yml are in plain text, which makes it not very secure. So what is Docker secret and can it solve the above problem?

Docker Secret

We know that the manager node maintains consistency of state through the distributed storage database Raft Database, which itself keeps information secret, so this database can be used to store some sensitive information, such as account numbers, passwords, etc., and then allow it to access by authorizing the service, thus avoiding the password from being displayed in plain text.

In summary, the management of secrets in a secret swarm is accomplished by the following steps:

The secret exists in the Raft Database of the Swarm Manager node
A secret can be assigned to a service, and then the service can see the secret
Inside the container, secrets look like files, but they are actually memory.

2. Creation and use of Docker Secret

1. Creation

Let's first look at some help instructions created:

[root@centos-7 ~]# docker secret --help

Usage: docker secret COMMAND

Manage Docker secrets

Commands:
 create Create a secret from a file or STDIN as content
 inspect Display detailed information on one or more secrets
 ls List secrets
 rm Remove one or more secrets

Run 'docker secret COMMAND --help' for more information on a command.

The first command is the created command. Let’s see what help information it has:

[root@centos-7 ~]# docker secret create --help

Usage: docker secret create [OPTIONS] SECRET [file|-]

Create a secret from a file or STDIN as content

Options:
 -d, --driver string Secret driver
 -l, --label list Secret labels
   --template-driver string Template driver

You can see that the secret can come from a file or a standard output. Then there are two ways to create Secret:

File-based creation
Create from command line

1. Create based on files

First, create a file to store the password

[root@centos-7 ~]# vim mysql-password
root

Then create a secret

[root@centos-7 ~]# docker secret create mysql-pass mysql-password 
texcct9ojqcz6n40woe97dd7k

mysql-pass is the name of the secret, and mysql-password is the file we created to store the password. After executing this command, the password in the file is stored in the Raft Database of the manager node in Swarm. For security reasons, you can now delete this file directly because the password is already in Swarm.

[root@centos-7 ~]# rm -f mysql-password

Now you can view the secret list:

[root@centos-7 ~]# docker secret ls
ID NAME DRIVER CREATED UPDATED
texcct9ojqcz6n40woe97dd7k mysql-pass 4 minutes ago 4 minutes ago

Already exists.

2. Create based on command line

[root@centos-7 ~]# echo "root" | docker secret create mysql-pass2 -
hrtmn5yr3r3k66o39ba91r2e4
[root@centos-7 ~]# docker secret ls
ID NAME DRIVER CREATED UPDATED
texcct9ojqcz6n40woe97dd7k mysql-pass 6 minutes ago 6 minutes ago
hrtmn5yr3r3k66o39ba91r2e4 mysql-pass2 5 seconds ago 5 seconds ago

This method is still very simple to create successfully

(II) Other operations

So are there any other operations for secret?

[root@centos-7 ~]# docker secret --help

Usage: docker secret COMMAND

Manage Docker secrets

Commands:
 create Create a secret from a file or STDIN as content
 inspect Display detailed information on one or more secrets
 ls List secrets
 rm Remove one or more secrets

Run 'docker secret COMMAND --help' for more information on a command.

You can see that in addition to the create command, there are also inspect, ls, and rm commands.

1. inspect

[root@centos-7 ~]# docker secret inspect mysql-pass2
[
  {
    "ID": "hrtmn5yr3r3k66o39ba91r2e4",
    "Version": {
      "Index": 4061
    },
    "CreatedAt": "2020-02-07T08:39:25.630341396Z",
    "UpdatedAt": "2020-02-07T08:39:25.630341396Z",
    "Spec": {
      "Name": "mysql-pass2",
      "Labels": {}
    }
  }
]

Display some details of secret

2.rm

[root@centos-7 ~]# docker secret rm mysql-pass2
mysql-pass2
[root@centos-7 ~]# docker secret ls
ID NAME DRIVER CREATED UPDATED
texcct9ojqcz6n40woe97dd7k mysql-pass 12 minutes ago 12 minutes ago

Deleting a secret

(III) Use of Secret in a Single Container

1. View secret in container

We have created a secret. How can we authorize it to a specific service after starting a service so that it can see it? First check if there are similar commands or parameters in the command to create the service:

[root@centos-7 ~]# docker service create --help

Usage: docker service create [OPTIONS] IMAGE [COMMAND] [ARG...]

Create a new service

Options:
   --config config Specify configurations to expose to the service
...
 --secret secret Specify secrets to expose to the service
...
...

There is indeed such a command that can expose the secret to the service when creating the service.

2. Create a service

[root@centos-7 ~]# docker service create --name demo --secret mysql-pass busybox sh -c "while true; do sleep 3600; done"
zwgk5w0rpf17hn77axz6cn8di
overall progress: 1 out of 1 tasks 
1/1: running  
verify: Service converged

Check which node the service is running on:

[root@centos-7 ~]# docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
zwgk5w0rpf17 demo replicated 1/1 busybox:latest   
[root@centos-7 ~]# docker service ps demo
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
yvr9lwvg8oca demo.1 busybox:latest localhost.localdomain Running Running 51 seconds ago

You can see that this service is running on the node of the localhost.localdomain host. Let's go to this node and enter the container to see if we can view the secret:

[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
36573adf21f6 busybox:latest "sh -c 'while true; …"4 minutes ago Up 4 minutes demo.1.yvr9lwvg8ocatym20hdfublhd
[root@localhost ~]# docker exec -it 36573adf21f6 /bin/sh
/#ls
bin dev etc home proc root run sys tmp usr var
/ # cd /run/secrets
/run/secrets # ls
mysql-pass
/run/secrets # cat mysql-pass 
root
/run/secrets #

You can see that it is indeed feasible.

2. MySQL service

For details about the MySQL image, see https://hub.docker.com/_/mysql, which contains a description of the secret:

As an alternative to passing sensitive information via environment variables, _FILE can be appended to the previously listed environment variables, causing the init script to load the values of those variables from files present in the container. In particular, this can be used to load passwords from a Docker Secret stored in the /run/secrets/<secret_name> file. For example:

$ docker run --name some-mysql -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-root -d mysql:tag

Currently, this supports only MYSQL_ROOT_PASSWORD, MYSQL_ROOT_HOST, MYSQL_DATABASE, MYSQL_USER, and MYSQL_PASSWORD.

So we need to create a file secret to store sensitive information of the database. Since it has been created before, there is no need to create it again here:

[root@centos-7 ~]# docker secret ls
ID NAME DRIVER CREATED UPDATED
texcct9ojqcz6n40woe97dd7k mysql-pass 4 hours ago 4 hours ago

Start the mysql service:

[root@centos-7 ~]# docker service create --name db --secret mysql-pass -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql-pass mysql
sbpagzqvpwt8ifymavf8o5xmi
overall progress: 1 out of 1 tasks 
1/1: running  
verify: Service converged

Check which node the mysql service is on:

[root@centos-7 ~]# docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
sbpagzqvpwt8 db replicated 0/1 mysql:latest    
[root@centos-7 ~]# docker service ps db
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
qlmfm6u7lg8u db.1 mysql:latest localhost.localdomain Running Starting 2 seconds ago

Enter the service container on the worker node to view the secret:

[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2ac2a810e931 mysql:latest "docker-entrypoint.s..." 3 minutes ago Up 2 minutes 3306/tcp, 33060/tcp db.1.qlmfm6u7lg8u8i1v2m2c3ls3r

[root@localhost ~]# docker exec -it 2ac2a810e931 /bin/sh
# cd /run/secrets/
# ls
mysql-pass
# cat mysql-pass
root

Now that you know the password, you can enter the MySQL database.

#mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.19 MySQL Community Server - GPL

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

(IV) Use of Secret in Stack

Stack uses the docker-compose.yml file to deploy the stack, so how to define secret in docker-compose.yml?

version: '3'

services:

 web:
  image: wordpress
  ports:
   -8080:80
  secrets:
   -my-pw
  environment:
   WORDPRESS_DB_HOST: mysql
   WORDPRESS_DB_PASSWORD_FILE: /run/secrets/wordpress-pass
  networks:
   - my-network
  depends_on:
   -mysql
  deploy:
   mode: replicated
   replicas: 3
   restart_policy:
    condition: on-failure
    delay: 5s
    max_attempts: 3
   update_config:
    parallelism: 1
    delay: 10s

 mysql:
  image: mysql
  secrets:
   -my-pw
  environment:
   MYSQL_ROOT_PASSWORD_FILE: /run/secrets/mysql-pass
   MYSQL_DATABASE: wordpress
  volumes:
   -mysql-data:/var/lib/mysql
  networks:
   - my-network
  deploy:
   mode: global
   placement:
    constraints:
     - node.role == manager

volumes:
 mysql-data:

networks:
 my-network:
  driver: overlay

The secret is created by defining WORDPRESS_DB_PASSWORD_FILE and MYSQL_ROOT_PASSWORD_FILE in the environment. Obviously, we must create the corresponding secret file before running this docker-compose.yml file. Then you can deploy the stack using the docker stack deploy command.

This is the end of this article about the management and use of Docker Secret. For more relevant Docker Secret content, please search 123WORDPRESS.COM's previous articles or continue to browse the following related articles. I hope everyone will support 123WORDPRESS.COM in the future!

You may also be interested in:

How to manage users and groups when running Docker
Detailed explanation of Docker data volume management
Detailed explanation of container data volumes and data management in Docker
Detailed explanation of Docker Volume permission management
Detailed explanation of Docker using Linux iptables and Interfaces to manage container networks
Docker data management named volume detailed explanation
Detailed explanation of the construction and interface management of Docker private warehouse
Detailed explanation of creating and managing Docker clusters
A brief discussion on Docker basics: data management
Docker Basics Learning Data Management
Detailed explanation of Docker data management (data volumes & data volume containers)
Network management and network isolation implementation of Docker containers

<<: Pure js to achieve typewriter effect

>>: Summary of 16 XHTML1.0 and HTML Compatibility Guidelines