how do you manage secret values with docker-compose v3.1?

Question

Version 3.1 of the docker-compose.yml specification introduces support for secrets.

I tried this:

    version: '3.1'
    services:
      a:
        image: tutum/hello-world
      secret:
        password: the_password
      b:
        image: tutum/hello-world

    $ docker-compose up

returns:

    Unsupported config option for services.secret: 'password'

How can we use the secrets feature in practice?
Answer

You can read the corresponding section in the official documentation.

To use secrets you need to add two things into your docker-compose.yml file. First, a top-level secrets: block that defines all of the secrets. Then, another secrets: block under each service that specifies which secrets the service should receive.

As an example, create the two types of secrets that Docker will understand: external secrets and file secrets.

First thing: to use secrets with Docker, the node you are on must be part of a swarm.

    $ docker swarm init

Next, create an 'external' secret:

    $ echo "This is an external secret" | docker secret create my_external_secret -

(Make sure to include the final dash, -. It's easy to miss.)

    $ echo "This is a file secret." > my_file_secret.txt

3. Create a docker-compose.yml file that uses both secrets

Now that both types of secrets are created, here is the docker-compose.yml file that will read both of those and write them to the web service:
    version: '3.1'
    services:
      web:
        image: nginxdemos/hello
        secrets: # secrets block only for 'web' service
          - my_external_secret
          - my_file_secret
    secrets: # top level secrets block
      my_external_secret:
        external: true
      my_file_secret:
        file: my_file_secret.txt
Docker can read secrets either from its own database (e.g. secrets made with docker secret create) or from a file. The above shows both examples.

Deploy the stack using:

    $ docker stack deploy --compose-file=docker-compose.yml secret_test

This will create one instance of the web service, named secret_test_web.

Use docker exec -ti [container] /bin/sh to verify that the secrets exist.

(Note: in the below docker exec command, the m2jgac... portion will be different on your machine. Run docker ps to find your container name.)

    $ docker exec -ti secret_test_web.1.m2jgacogzsiaqhgq1z0yrwekd /bin/sh
    # Now inside secret_test_web; secrets are contained in /run/secrets/
    root@secret_test_web:~$ cd /run/secrets/
    root@secret_test_web:/run/secrets$ ls
    my_external_secret  my_file_secret
    root@secret_test_web:/run/secrets$ cat my_external_secret
    This is an external secret
    root@secret_test_web:/run/secrets$ cat my_file_secret
    This is a file secret.

If all is well, the two secrets we created in steps 1 and 2 should be inside the web container that was created when we deployed our stack.
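As an added example (not part of the answer above), here is how a process inside the web service can consume the mounted secrets instead of a value written into docker-compose.yml, which is what the question's `password: the_password` attempted. The secrets directory is an assumed parameter (default /run/secrets) and the sample-directory helper is constructed, so the function runs without a swarm; it also strips the trailing newline that `echo ... | docker secret create` stores and rejects names that would escape the directory.

```shell
#!/bin/sh
# Added example, not code from the original answer. Reads a secret the way an
# application inside the 'web' service should: from the file Docker mounts
# under /run/secrets/, never from a literal in docker-compose.yml.
# The optional SECRETS_DIR argument is an assumption made so the function can
# be exercised outside a swarm; the default matches the answer's mount point.

# read_secret NAME [SECRETS_DIR]
# Prints the secret value with trailing newlines stripped (the answer's
# 'echo ... | docker secret create' stores one) or returns 1 without printing
# when the secret is missing, empty, or the name is not a plain file name.
read_secret() {
    name=$1
    dir=${2:-/run/secrets}
    path="$dir/$name"
    # Only accept a bare file name so a caller cannot read outside the mount.
    case "$name" in
        ''|*/*|.|..) return 1 ;;
    esac
    [ -r "$path" ] || return 1
    # Command substitution drops trailing newlines, which is what you want for
    # a value that goes into a connection string or an HTTP header.
    value=$(cat "$path")
    [ -n "$value" ] || return 1
    printf '%s' "$value"
}

# Constructed sample: a stand-in for /run/secrets holding the two secrets
# from the answer, so read_secret can be tried without docker swarm.
make_sample_secrets() {
    dir=$(mktemp -d)
    printf 'This is an external secret\n' > "$dir/my_external_secret"
    printf 'This is a file secret.\n' > "$dir/my_file_secret"
    printf '%s' "$dir"
}
```

Inside the real container, `read_secret my_file_secret` with no second argument reads /run/secrets/my_file_secret exactly as the `cat` in the answer's session does, minus the newline.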