How to read external secrets when using docker-compose


Question

I wonder how I can pass external secrets into services spawned by docker-compose. I do the following:

I create a new secret:

printf "some secret value goes here" | docker secret create wallet_password -

My docker-compose.yml:

version: "3.4"
services:
  test:
    image: alpine
    command: 'cat /run/secrets/wallet_password'
    secrets: 
    - wallet_password

secrets:
  wallet_password:
    external: true

Then I run:

docker-compose -f services/debug/docker-compose.yml up -d --build

docker-compose -f services/debug/docker-compose.yml up

I get the following response:

WARNING: Service "test" uses secret "wallet_password" which is external. External secrets are not available to containers created by docker-compose.
WARNING: The Docker Engine you're using is running in swarm mode.

Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.

To deploy your application across the swarm, use `docker stack deploy`.

Starting debug_test_1 ...
Starting debug_test_1 ... done
Attaching to debug_test_1
test_1  | cat: can't open '/run/secrets/wallet_password': No such file or directory

Sooo.... is there any way of passing an external secret into a container spawned by docker-compose?

Answer

No.

External secrets are not available to containers created by docker-compose.

The error message sums it up pretty nicely. Secrets are a swarm mode feature; the secret is stored inside the swarm manager engine. That manager does not expose those secrets to externally launched containers. Only swarm services with the secret can run containers with the secret loaded.

You can run a service in swarm mode that extracts the secret, since it's just a file inside the container and the application inside the container can simply cat out the file contents. You can also replicate the functionality of secrets in containers started with compose by mounting a file as a volume in the location of the secret. For that, you'd want to have a separate compose file, since the volume mount and the secret mount would conflict with each other.
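The separate compose file the answer describes, as an added example that is not part of the original answer. It assumes the file name docker-compose.local.yml and a host directory ./secrets next to it; the service, image, command and secret name are the ones from the question. The bind mount puts a host file at the exact path a swarm secret would occupy, so the application reads /run/secrets/wallet_password unchanged in both environments, and the original docker-compose.yml with `external: true` is kept for `docker stack deploy`.

```yaml
# docker-compose.local.yml (added example; file name and ./secrets path are assumptions)
# Used only with docker-compose on a developer machine. The swarm file keeps
# `external: true` and is deployed with `docker stack deploy`.
version: "3.4"
services:
  test:
    image: alpine
    command: 'cat /run/secrets/wallet_password'
    volumes:
      # Bind-mount a host file at the path the swarm secret would have, read-only,
      # so the container sees the same /run/secrets/wallet_password either way.
      # This file must NOT also be listed under `secrets:` for the service,
      # since the two mounts would target the same path.
      - ./secrets/wallet_password:/run/secrets/wallet_password:ro
```

Create the host file with restrictive permissions before starting, for example `umask 077; printf 'some secret value goes here' > ./secrets/wallet_password`, and add `secrets/` to .gitignore and .dockerignore so the value is neither committed nor sent to the build context. Then `docker-compose -f docker-compose.local.yml up` reads the file, while `docker stack deploy -c docker-compose.yml debug` on the swarm uses the real external secret. Unlike a swarm secret, the bind-mounted file lives in plaintext on the host filesystem and is only as protected as that file's permissions. docker-compose also accepts file-backed secrets (`secrets: wallet_password: file: ./secrets/wallet_password`) and mounts them at the same path; that is equivalent to the bind mount shown here, just declared under `secrets:` instead of `volumes:`.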
