[System Operations] Docker Learning (12): Using docker secret

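Preface

Manager nodes keep their state consistent through the Raft database, a distributed data store.

Secrets are stored in the Raft database on the swarm manager nodes;

A secret can be assigned to a service, and that service can then see the secret;

Inside the container the secret looks like a file, but it actually lives in memory.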


I. docker secret commands

1. docker secret

[root@swarm-master ~]# docker secret --help

Usage:	docker secret COMMAND

Manage Docker secrets

Commands:
  create      Create a secret from a file or STDIN as content
  inspect     Display detailed information on one or more secrets
  ls          List secrets
  rm          Remove one or more secrets

Run 'docker secret COMMAND --help' for more information on a command.

2. Create a secret

(1) Create from a file

Create the file

vi mysql_pwd.txt
[root@swarm-master test]# cat mysql_pwd.txt 
root

Create the secret

[root@swarm-master test]# docker secret create mysql_pwd mysql_pwd.txt 
u2wzwgyql77tktvtghcp262d8

List the secrets

[root@swarm-master test]# docker secret ls
ID                          NAME                DRIVER              CREATED             UPDATED
u2wzwgyql77tktvtghcp262d8   mysql_pwd                               54 seconds ago      54 seconds ago

(2) Create from standard input

Create the secret

[root@swarm-master test]# echo "root" | docker secret create mysql_pwd1 -
0n2hmnfg9xo0f8agmt7zlxene

List the secrets

[root@swarm-master test]# docker secret ls
ID                          NAME                DRIVER              CREATED             UPDATED
u2wzwgyql77tktvtghcp262d8   mysql_pwd                               2 minutes ago       2 minutes ago
0n2hmnfg9xo0f8agmt7zlxene   mysql_pwd1                              16 seconds ago      16 seconds ago

3. Inspect a secret

[root@swarm-master test]# docker secret inspect mysql_pwd
[
    {
        "ID": "u2wzwgyql77tktvtghcp262d8",
        "Version": {
            "Index": 127
        },
        "CreatedAt": "2021-12-06T21:26:49.481649688Z",
        "UpdatedAt": "2021-12-06T21:26:49.481649688Z",
        "Spec": {
            "Name": "mysql_pwd",
            "Labels": {}
        }
    }
]

4. Remove a secret

[root@swarm-master test]# docker secret rm mysql_pwd1
mysql_pwd1
[root@swarm-master test]# docker secret ls
ID                          NAME                DRIVER              CREATED             UPDATED
u2wzwgyql77tktvtghcp262d8   mysql_pwd                               6 minutes ago       6 minutes ago

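II. Using secrets

1. Use in a container

Create the service. docker run has no --secret flag, so the first command below fails; the secret is attached with docker service create instead.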

[root@swarm-master test]# docker run -d --name nginx-01 -p 80:80 --secret mysql_pwd nginx:latest
unknown flag: --secret
See 'docker run --help'.
[root@swarm-master test]# docker service create --replicas 1 --name nginx-01 -p 80:80 --secret mysql_pwd nginx:latest
uutlgl7nxqwzews1g51ir6z5x
overall progress: 1 out of 1 tasks 
1/1: running   [==================================================>] 
verify: Service converged 

View the container

[root@swarm-master test]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
a7d568845b69        nginx:latest        "/docker-entrypoint.…"   21 minutes ago      Up 21 minutes       80/tcp              nginx-01.1.d3
[root@swarm-master test]# docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
uutlgl7nxqwz        nginx-01            replicated          1/1                 nginx:latest        *:80->80/tcp

[root@swarm-master test]# docker service ps  nginx-01
ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE            ERROR               PORTS
d3clr7fdub7x        nginx-01.1          nginx:latest        swarm-master        Running             Running 18 minutes ago                       

The service is running on swarm-master. Enter the service's container to view the secret

[root@swarm-master test]# docker exec -it a7d568845b69 /bin/bash
root@a7d568845b69:/# cat /run/secrets/mysql_pwd 
root

2. Use in a MySQL container

Create the MySQL service

[root@swarm-master test]# docker service create --name mysql_test --secret mysql_pwd -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_pwd mysql:5.7.32
z21peh2c0ddse4fqb4ao086ii
overall progress: 1 out of 1 tasks 
1/1: running   [==================================================>] 
verify: Service converged 

View the services

[root@swarm-master test]# docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE               PORTS
z21peh2c0dds        mysql_test          replicated          1/1                 mysql:5.7.32        
uutlgl7nxqwz        nginx-01            replicated          1/1                 nginx:latest        *:80->80/tcp
[root@swarm-master test]# docker service ps mysql_test
ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE            ERROR               PORTS
ogm783sa2fw9        mysql_test.1        mysql:5.7.32        swarm-node02        Running             Running 44 seconds ago   

The mysql_test service is running on swarm-node02. Enter the container on the swarm-node02 node

[root@swarm-node02 ~]# docker ps
CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS          PORTS                 NAMES
81df330d461b   mysql:5.7.32   "docker-entrypoint.s…"   54 seconds ago   Up 52 seconds   3306/tcp, 33060/tcp   mysql_test.1.ogm783sa2fw9rx6apdy05jkny
[root@swarm-node02 ~]# 
[root@swarm-node02 ~]# docker exec -it 81df330d461b /bin/bash
root@81df330d461b:/# 

View the secret

root@81df330d461b:/# cat /run/secrets/mysql_pwd 
root

Log in to MySQL with the password

root@81df330d461b:/# mysql -uroot -p      
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.32 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
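
The MYSQL_ROOT_PASSWORD_FILE setting above works because the image's entrypoint reads the named file into the matching variable. The following is an added example, not code from the original post or from the MySQL image, of how an entrypoint for your own image could support the same NAME / NAME_FILE convention; the helper name load_secret_var and the temp file standing in for /run/secrets/mysql_pwd are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): resolve NAME from either NAME
# or NAME_FILE. load_secret_var is a hypothetical helper name.
load_secret_var() {
    var=$1
    file_var="${var}_FILE"
    default=${2:-}
    # Variable names are fixed by the script author, never user input.
    eval "val=\${$var:-}"
    eval "file=\${$file_var:-}"

    # Refuse ambiguous configuration: value and file must not both be set.
    if [ -n "$val" ] && [ -n "$file" ]; then
        echo "error: both $var and $file_var are set" >&2
        unset val file
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -r "$file" ]; then
            echo "error: $file_var points to unreadable file: $file" >&2
            unset val file
            return 1
        fi
        # $(...) drops the trailing newline that vi or echo put in the secret.
        val=$(cat "$file")
    fi
    [ -n "$val" ] || val=$default
    export "$var=$val"
    # Drop the path variable and the temporaries holding the secret.
    unset "$file_var" val file default
}

# Constructed demo: a temp file stands in for /run/secrets/mysql_pwd.
demo_dir=$(mktemp -d)
printf 'root\n' > "$demo_dir/mysql_pwd"
unset MYSQL_ROOT_PASSWORD
MYSQL_ROOT_PASSWORD_FILE="$demo_dir/mysql_pwd"
load_secret_var MYSQL_ROOT_PASSWORD
# Print only the length so the secret itself never reaches the logs.
echo "MYSQL_ROOT_PASSWORD loaded, length ${#MYSQL_ROOT_PASSWORD}"
rm -rf "$demo_dir"
```

Call the helper once per credential at the top of the entrypoint, before the main process starts.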

3. Use in docker-compose

(1) The docker-compose.yml file

[root@swarm-master test]# cat docker-compose.yml 
version: '3.6'

services:
  mysql_test_01:
    image: mysql:5.7.32
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/r_pwd
      MYSQL_DATABASE: mysql
      MYSQL_USER: test
      MYSQL_PASSWORD_FILE: /run/secrets/t_pwd
    secrets:
      - r_pwd
      - t_pwd
secrets:
  r_pwd:
    file: ../password_test
  t_pwd:
    file: ../password_test

(2) Start with docker-compose

[root@swarm-master test]# docker-compose up 
WARNING: The Docker Engine you're using is running in swarm mode.

Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.

To deploy your application across the swarm, use `docker stack deploy`.

Creating network "test_default" with the default driver
Pulling mysql_test_01 (mysql:5.7.32)...
5.7.32: Pulling from library/mysql
a076a628af6f: Pull complete
f6c208f3f991: Pull complete
88a9455a9165: Pull complete
406c9b8427c6: Pull complete
7c88599c0b25: Pull complete
25b5c6debdaf: Pull complete
43a5816f1617: Pull complete
7065aaa2655f: Pull complete
b4bc531db40f: Pull complete
8c3e9d7c9815: Pull complete
fadfb9734ed2: Pull complete
Digest: sha256:e08834258fcc0efd01df358222333919df53d4a0d9b2a54da05b204b822e3b7b
Status: Downloaded newer image for mysql:5.7.32
Creating test_mysql_test_01_1 ... done
Attaching to test_mysql_test_01_1

(3) Start with docker stack

The same file can also be started with docker stack

[root@swarm-master test]# docker stack deploy mysql_test_02 -c docker-compose.yml 
Creating network mysql_test_02_default
Creating secret mysql_test_02_r_pwd
Creating secret mysql_test_02_t_pwd
Creating service mysql_test_02_mysql_test_01

(4) View the container

[root@swarm-master test]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                 NAMES
bb057e6c749a        mysql:5.7.32        "docker-entrypoint.s…"   6 minutes ago       Up 6 minutes        3306/tcp, 33060/tcp   test_mysql_test_01_1

(5) Enter the container

[root@swarm-master test]# docker exec -it bb057e6c749a /bin/bash
root@bb057e6c749a:/# ls /run/secrets/
r_pwd  t_pwd

(6) Log in to MySQL as the root user and as the test user

root@bb057e6c749a:/# mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.32 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
root@bb057e6c749a:/# mysql -utest -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: YES)
root@bb057e6c749a:/# mysql -utest -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.32 MySQL Community Server (GPL)

Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Added: 2021-12-07 12:25:39  Updated: 2021-12-07 12:26:43
 