how do you manage secret values with docker-compose v3.1?


Question

Version 3.1 of the docker-compose.yml specification introduces support for secrets.

I tried this:

version: '3.1'

services:
  a: 
    image: tutum/hello-world
  secret: 
    password: the_password
  b:
    image: tutum/hello-world

$ docker-compose up returns:

Unsupported config option for services.secret: 'password'

How can we use the secrets feature in practice?

Answer

You can read the corresponding section in the official documentation.

To use secrets you need to add two things into your docker-compose.yml file. First, a top-level secrets: block that defines all of the secrets. Then, another secrets: block under each service that specifies which secrets the service should receive.

As an example, create the two types of secrets that Docker will understand: external secrets and file secrets.

1. Create an 'external' secret

First thing: to use secrets with Docker, the node you are on must be part of a swarm.

$ docker swarm init

Next, create an 'external' secret:

$ echo "This is an external secret" | docker secret create my_external_secret -

(Make sure to include the final dash, -. It's easy to miss.)

2. Create a file secret

$ echo "This is a file secret." > my_file_secret.txt

3. Create a docker-compose.yml file that uses both secrets

Now that both types of secrets are created, here is the docker-compose.yml file that will read both of those and write them to the web service:

version: '3.1'

services:
  web:
    image: nginxdemos/hello
    secrets:                    # secrets block only for 'web' service
     - my_external_secret
     - my_file_secret

secrets:                        # top level secrets block
  my_external_secret:
    external: true
  my_file_secret:
    file: my_file_secret.txt

Docker can read secrets either from its own database (e.g. secrets made with docker secret create) or from a file. The above shows both examples.

Deploy the stack using:

$ docker stack deploy --compose-file=docker-compose.yml secret_test

This will create one instance of the web service, named secret_test_web.

Use docker exec -ti [container] /bin/sh to verify that the secrets exist.

(Note: in the below docker exec command, the m2jgac... portion will be different on your machine. Run docker ps to find your container name.)

$ docker exec -ti secret_test_web.1.m2jgacogzsiaqhgq1z0yrwekd /bin/sh

# Now inside secret_test_web; secrets are contained in /run/secrets/
root@secret_test_web:~$ cd /run/secrets/

root@secret_test_web:/run/secrets$ ls
my_external_secret  my_file_secret

root@secret_test_web:/run/secrets$ cat my_external_secret
This is an external secret

root@secret_test_web:/run/secrets$ cat my_file_secret
This is a file secret.

If all is well, the two secrets we created in steps 1 and 2 should be inside the web container that was created when we deployed our stack.
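The procedure in the answer above, gathered into one script as an added example (this is not code from the answer or from Docker). The three awk helpers, the check_compose_secrets function, its 0600 file-permission policy and the DEPLOY switch are this example's own assumptions, not Docker features; the stack name secret_test and the secret names are taken from the answer. Without DEPLOY=1 the script only writes the compose file and lints it, so it runs without a Docker daemon; with DEPLOY=1 on a Docker host it also performs the swarm init, secret creation and stack deploy, each made idempotent so the script can be re-run.

```shell
#!/bin/sh
# Added example, not code from the original answer: wraps the steps above into
# a script with a pre-deploy check. The check_* helpers, the DEPLOY switch and
# the 0600 file-permission policy are assumptions of this example, not Docker
# features.
set -eu

STACK="${STACK:-secret_test}"

# Write the compose file from the answer (constructed here so the script is self-contained).
write_compose() {
  cat > "$1" <<'EOF'
version: '3.1'

services:
  web:
    image: nginxdemos/hello
    secrets:
      - my_external_secret
      - my_file_secret

secrets:
  my_external_secret:
    external: true
  my_file_secret:
    file: my_file_secret.txt
EOF
}

# Names declared in the top-level secrets: block (keys indented by exactly two spaces).
declared_secrets() {
  awk '/^secrets:[[:space:]]*$/ { top = 1; next }
       /^[^[:space:]]/          { top = 0 }
       top && /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { sub(/^  /, ""); sub(/:.*/, ""); print }' "$1"
}

# Names listed under any service-level secrets: block ("- name" items).
referenced_secrets() {
  awk '/^services:[[:space:]]*$/ { svc = 1; next }
       /^[^[:space:]]/           { svc = 0 }
       svc && /^[[:space:]]+secrets:[[:space:]]*$/ { insec = 1; next }
       svc && insec && /^[[:space:]]+-[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*$/ {
         sub(/^[[:space:]]+-[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; next }
       { insec = 0 }' "$1" | sort -u
}

# Paths of file-backed secrets (the file: values in the top-level block).
secret_files() {
  awk '/^secrets:[[:space:]]*$/ { top = 1; next }
       /^[^[:space:]]/          { top = 0 }
       top && /^[[:space:]]+file:[[:space:]]*/ { sub(/^[[:space:]]+file:[[:space:]]*/, ""); print }' "$1"
}

# Return 0 only if every secret a service references is declared at top level and
# every file-backed secret exists and is readable by its owner alone (mode 0600 or tighter).
check_compose_secrets() {
  f="$1"; dir=$(dirname "$f"); rc=0
  for name in $(referenced_secrets "$f"); do
    if ! declared_secrets "$f" | grep -qx "$name"; then
      echo "secret '$name' is used by a service but not declared at top level" >&2; rc=1
    fi
  done
  for path in $(secret_files "$f"); do
    case "$path" in /*) ;; *) path="$dir/$path" ;; esac
    if [ ! -f "$path" ]; then
      echo "secret file missing: $path" >&2; rc=1
    elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
      echo "secret file readable by group or others: $path" >&2; rc=1
    fi
  done
  return $rc
}

# The answer's Docker steps, made idempotent so the script can be re-run.
ensure_swarm() {
  [ "$(docker info --format '{{.Swarm.LocalNodeState}}')" = active ] || docker swarm init
}
ensure_external_secret() {   # $1 = secret name; the value is read from stdin
  docker secret inspect "$1" >/dev/null 2>&1 || docker secret create "$1" -
}

main() {
  cd "$(mktemp -d)"
  write_compose docker-compose.yml
  # printf '%s' rather than echo: echo appends a newline, which becomes part of the secret value.
  (umask 077; printf '%s' 'This is a file secret.' > my_file_secret.txt)
  check_compose_secrets docker-compose.yml
  if [ "${DEPLOY:-0}" = 1 ]; then
    ensure_swarm
    printf '%s' 'This is an external secret' | ensure_external_secret my_external_secret
    docker stack deploy --compose-file=docker-compose.yml "$STACK"
  else
    echo "compose file in $PWD passed the secret checks; set DEPLOY=1 on a swarm node to deploy" >&2
  fi
}
main
```

The lint step catches the two mistakes that otherwise only surface at deploy time or never: a service listing a secret that the top-level block does not declare, and a file-backed secret sitting world-readable next to the compose file. The awk parsers only understand the two-space-indented layout shown in the answer, which is enough for this file but not a general YAML parser.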
