Docker Secrets in Swarm (Offline Machine)

What Is Docker Secrets?
Docker secrets is Docker’s secrets management service, offered as part of its container orchestration stack. In Docker, a secret is any piece of data, like passwords, SSH private credentials, certificates, or API keys, that shouldn’t be stored unencrypted in plain text files. Docker secrets automates the process of keeping this data secure.
In this article, we will go through an example to better understand Docker Secret.
Docker Swarm Enable
In order to use Docker Secret, Swarm must first be active on our machine. We can check the activity with docker info. If it is not active, we can activate swarm and set it as manager by running the command below.
#docker swarm init --advertise-addr 192.168.149.131

The command made the adjustments and created a token for us. After running it, we verify the result with the docker info command.
#docker info

Now that swarm has been activated, we can easily continue our operations.
Creating a Secret
To create a secret you have to run the following command:
#openssl rand -base64 12 | docker secret create db_root_password -

#openssl rand -base64 12 | docker secret create db_dba_password -

Thus, we had openssl generate random 12-bit passwords in base64 format. Two secrets were created, one for root and one for admin.
We can examine the details with the following commands:
#docker secret inspect db_root_password

#docker secret inspect db_dba_password

These secrets can be used in YAML files or Dockerfiles. For this, let’s continue by creating a compose file.
Build docker-compose
We specify the details of the services we will use in the yml file:
#vi docker-compose.yml

version: '3.6'
services:
  db:
    image: mysql
    secrets:
      - db_root_password
      - db_dba_password
    deploy:
      replicas: 1
      placement:
        constraints: [node.role == manager]
      resources:
        reservations:
          memory: 128M
        limits:
          memory: 256M
    ports:
      - 3306:3306
    environment:
      MYSQL_USER: dba
      MYSQL_DATABASE: mydb
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_PASSWORD_FILE: /run/secrets/db_dba_password
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - type: bind
        source: /opt/docker/volumes/mysql
        target: /var/lib/mysql
  adminer:
    image: adminer
    ports:
      - 8080:8080
secrets:
  db_root_password:
    external: true
  db_dba_password:
    external: true

Since our offline machine does not have the mysql and adminer images, we will move the images from our online machine to this machine. Otherwise our compose file will not work.
Image Creation
- Online Machine
We pull the images:
#docker pull mysql

#docker pull adminer

We save the images as tar archives:
#docker save adminer > adminer.tar

#docker save mysql > mysql.tar

We send the generated images to the root directory of the offline machine.
- Offline Machine
We check the existence of the images:

We make the images available with the following commands:
#docker load < adminer.tar

#docker load < mysql.tar

Docker Stack Deploy
We create the services:
#docker stack deploy -c docker-compose.yml apps

We see that the services are defined in order.
We can see which files the secrets are read from:
#docker exec -it $(docker ps -f name=apps_db -q) ls /run/secrets/

We can see the password content:
#docker exec -it $(docker ps -f name=apps_db -q) cat /run/secrets/db_dba_password

#docker exec -it $(docker ps -f name=apps_db -q) cat /run/secrets/db_root_password
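
The compose file passes the passwords as *_FILE variables pointing at /run/secrets/ instead of as plain values. The following is an added example, not code from this article, Docker or the mysql image, showing how an entrypoint script in your own image could resolve the same convention. The helper name read_secret, the APP_DB_PASSWORD variable and the demo file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# read_secret NAME: print the value of NAME, taken from the file named by
# NAME_FILE (e.g. /run/secrets/db_dba_password) or, failing that, from NAME.
# Hypothetical helper for your own entrypoint; not Docker or mysql image code.
# Return codes: 1 bad name, 2 both set, 3 file unreadable, 4 nothing set.
read_secret() {
    rs_name=$1
    # Only plain variable names may reach eval.
    case $rs_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid name" >&2; return 1 ;;
    esac
    eval "rs_direct=\${$rs_name-}"
    eval "rs_file=\${${rs_name}_FILE-}"
    if [ -n "$rs_direct" ] && [ -n "$rs_file" ]; then
        echo "$rs_name and ${rs_name}_FILE are both set" >&2
        return 2
    fi
    if [ -n "$rs_file" ]; then
        if [ ! -f "$rs_file" ] || [ ! -r "$rs_file" ]; then
            echo "secret file $rs_file is missing or unreadable" >&2
            return 3
        fi
        # $(...) drops the trailing newline; printf adds none back.
        rs_value=$(cat "$rs_file")
        printf '%s' "$rs_value"
        return 0
    fi
    if [ -n "$rs_direct" ]; then
        # Plain env values show up in `docker inspect`; warn but accept.
        echo "warning: $rs_name supplied as a plain environment variable" >&2
        printf '%s' "$rs_direct"
        return 0
    fi
    echo "neither $rs_name nor ${rs_name}_FILE is set" >&2
    return 4
}

# Demo with a constructed secret file standing in for /run/secrets/...
demo_dir=$(mktemp -d)
printf 'constructed-demo-value\n' > "$demo_dir/db_dba_password"
APP_DB_PASSWORD_FILE="$demo_dir/db_dba_password"
APP_DB_PASSWORD_LEN=$(read_secret APP_DB_PASSWORD | wc -c)
echo "loaded APP_DB_PASSWORD from file, $((APP_DB_PASSWORD_LEN)) bytes"
rm -rf "$demo_dir"
unset APP_DB_PASSWORD_FILE
```

The demo prints only the length of the value, so the secret itself never reaches the container logs.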

To connect to the MySQL database as root, we run the following command and type the password we created at the Enter password prompt:
#docker exec -it $(docker ps -f name=apps_db -q) mysql -u root -p

The connection was made successfully.
We can list the databases:
#show databases;

Let’s create a new database:
#create database clases;

Let’s check whether our database was created:
#show databases;

Everything seems fine. See you in my next post :)))