您如何使用docker-compose v3.1管理秘密值? [英] how do you manage secret values with docker-compose v3.1?
问题描述
docker-compose.yml规范的版本3.1引入了对秘密。
我尝试过:
版本:'3.1'
服务:
a:
image:tutum / hello-world
秘密:
密码:the_password
b:
image:tutum / hello-world
$ docker-compose up
返回:
services.secret的不支持的配置选项:'password'
我们如何在实践中使用秘密功能?
您可以阅读官方文档中的相应部分。
要使用秘密,您需要在 docker-compose.yml
文件中添加两项。首先,定义所有秘密的顶级秘密:
块。然后,另一个秘密:
阻止每个服务,其中指定 保密服务应该收到。
例如,创建Docker将理解的两种类型的秘密:外部秘密和文件秘密。
1。创建一个外部秘密使用 docker secret create
第一件事:使用Docker的秘密,节点你必须是群体的一部分。
$ docker swarm init
pre>
接下来,创建一个外部秘密:
$回声这是一个外部秘密| docker secret创建my_external_secret -
(确保包含最后的破折号,
。很容易错过。)
2。将另一个秘密写入文件
$ echo这是一个文件秘密。 > my_file_secret.txt
3。创建一个使用两个秘密的
docker-compose.yml
文件
现在这两种类型的秘密都是创建的,在这里是
docker-compose.yml
文件,将读取这两个文件并将其写入web
服务:版本:'3.1'
服务:
web:
image:nginxdemos / hello
secretts:#secrets block only for'web'service
- my_external_secret
- my_file_secret
secretts:#顶级秘密块
my_external_secret:
external:true
my_file_secret:
文件:my_file_secret.txt
Docker可以从自己的数据库(例如使用
docker secret create
制作的秘密)或从文件读取秘密。上面显示了两个例子。
4。部署您的测试堆栈
使用以下方式部署堆栈:
$ docker stack deploy --compose-file = docker-compose.yml secret_test
这将创建一个
web
服务,命名为secret_test_web
。
5。验证由服务创建的容器是否具有两个秘密
使用
docker exec -ti [container] / bin / sh
(注意:在下面的
docker exec
命令中,m2jgac ...
部分将在您的机器上不同,运行docker ps
找到您的容器名称。)$ docker exec -ti secret_test_web.1.m2jgacogzsiaqhgq1z0yrwekd / bin / sh
#现在里面secret_test_web;秘密包含在/ run / secrets /
root @ secret_test_web:〜$ cd / run / secrets /
root @ secret_test_web:/ run / secrets $ ls
my_external_secret my_file_secret
root @ secret_test_web:/ run / secrets $ cat my_external_secret
这是一个外部秘密
root @ secret_test_web:/ run / secrets $ cat my_file_secret
这是一个文件秘密。
如果一切顺利,我们在步骤1和2中创建的两个秘密应该在
web
在我们部署堆栈时创建的容器。Version 3.1 of the docker-compose.yml specification introduces support for secrets.
I tried this:
version: '3.1' services: a: image: tutum/hello-world secret: password: the_password b: image: tutum/hello-world
$ docker-compose up
returns:
Unsupported config option for services.secret: 'password'
How can we use the secrets feature in practice?
解决方案You can read the corresponding section from the official documentation.
To use secrets you need to add two things into your
docker-compose.yml
file. First, a top-levelsecrets:
block that defines all of the secrets. Then, anothersecrets:
block under each service that specifies which secrets the service should receive.As an example, create the two types of secrets that Docker will understand: external secrets and file secrets.
1. Create an 'external' secret using
docker secret create
First thing: to use secrets with Docker, the node you are on must be part of a swarm.
$ docker swarm init
Next, create an 'external' secret:
$ echo "This is an external secret" | docker secret create my_external_secret -
(Make sure to include the final dash,
-
. It's easy to miss.)2. Write another secret into a file
$ echo "This is a file secret." > my_file_secret.txt
3. Create a
docker-compose.yml
file that uses both secretsNow that both types of secrets are created, here is the
docker-compose.yml
file that will read both of those and write them to theweb
service:version: '3.1' services: web: image: nginxdemos/hello secrets: # secrets block only for 'web' service - my_external_secret - my_file_secret secrets: # top level secrets block my_external_secret: external: true my_file_secret: file: my_file_secret.txt
Docker can read secrets either from its own database (e.g. secrets made with
docker secret create
) or from a file. The above shows both examples.4. Deploy your test stack
Deploy the stack using:
$ docker stack deploy --compose-file=docker-compose.yml secret_test
This will create one instance of the
web
service, namedsecret_test_web
.5. Verify that the container created by the service has both secrets
Use
docker exec -ti [container] /bin/sh
to verify that the secrets exist.(Note: in the below
docker exec
command, them2jgac...
portion will be different on your machine. Rundocker ps
to find your container name.)$ docker exec -ti secret_test_web.1.m2jgacogzsiaqhgq1z0yrwekd /bin/sh # Now inside secret_test_web; secrets are contained in /run/secrets/ root@secret_test_web:~$ cd /run/secrets/ root@secret_test_web:/run/secrets$ ls my_external_secret my_file_secret root@secret_test_web:/run/secrets$ cat my_external_secret This is an external secret root@secret_test_web:/run/secrets$ cat my_file_secret This is a file secret.
If all is well, the two secrets we created in steps 1 and 2 should be inside the
web
container that was created when we deployed our stack.这篇关于您如何使用docker-compose v3.1管理秘密值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!