Secrets With Services

  • There are two ways to create a secret in Swarm
    • Give it a file as an argument
    • Echo the secret to the command on stdin (the trailing - argument)
~> cat psql_user.txt
mypsqluser

~> docker secret create psql_user psql_user.txt
q4xgw4b6dvjxk2fjg88aiuics

~> echo 'myDBpassWORD' | docker secret create psql_pass -
wmrz0hdobsb3fbruf0hrqgdn4
  • Docker never exposes a secret to a user directly; docker secret inspect returns only metadata
  • Only created containers and services have access to the decrypted secrets
~> docker secret inspect psql_user
[
    {
        "ID": "q4xgw4b6dvjxk2fjg88aiuics",
        "Version": {
            "Index": 283
        },
        "CreatedAt": "2017-10-04T16:34:37.483093429Z",
        "UpdatedAt": "2017-10-04T16:34:37.483093429Z",
        "Spec": {
            "Name": "psql_user",
            "Labels": {}
        }
    }
]
  • A service has access to the secrets assigned to it
~> docker service create --name psql --secret psql_user --secret psql_pass -e POSTGRES_PASSWORD_FILE=/run/secrets/psql_pass -e POSTGRES_USER_FILE=/run/secrets/psql_user postgres
42773fipnmxaage7ucu3xq0go

~> docker service ps psql
ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE           ERROR               PORTS
gb0euuj7neya        psql.1              postgres:latest     node3               Running             Running 2 seconds ago

~> docker exec -it psql.1.gb0euuj7neyag7qb55ookc72t bash
[email protected]:/# ls /run/secrets/
psql_pass  psql_user
[email protected]:/# cat /run/secrets/psql_user
mypsqluser
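
How an entrypoint can consume the POSTGRES_PASSWORD_FILE setting used above, so that the service spec carries only the path under /run/secrets and never the value. This is an added example, not part of the original notes and not the postgres image's own code; load_secret is a hypothetical helper, and a temp directory stands in for /run/secrets.

```shell
#!/bin/sh
# load_secret NAME: export NAME from the file named by NAME_FILE, the way
# POSTGRES_PASSWORD_FILE=/run/secrets/psql_pass is used above.
# Hypothetical helper for a custom entrypoint; not the postgres image's code.
load_secret() {
    var=$1
    case $var in   # only plain variable names reach eval below
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "load_secret: bad name" >&2; return 2 ;;
    esac
    eval "direct=\${$var:-}"
    eval "file=\${${var}_FILE:-}"
    if [ -n "$direct" ] && [ -n "$file" ]; then
        # Ambiguous configuration: refuse rather than guess which one wins.
        echo "load_secret: $var and ${var}_FILE are both set" >&2
        return 1
    fi
    if [ -n "$file" ]; then
        if [ ! -f "$file" ] || [ ! -r "$file" ]; then
            echo "load_secret: cannot read $file" >&2
            return 1
        fi
        # $(...) strips the trailing newline that echo left in the secret.
        value=$(cat "$file")
    else
        value=$direct
    fi
    if [ -z "$value" ]; then
        echo "load_secret: $var is empty or unset" >&2
        return 1
    fi
    export "$var=$value"
    unset "${var}_FILE"   # the path is no longer needed once the value is loaded
}

# Constructed demo: a temp directory stands in for /run/secrets.
(
    dir=$(mktemp -d)
    echo 'myDBpassWORD' > "$dir/psql_pass"
    POSTGRES_PASSWORD_FILE=$dir/psql_pass
    load_secret POSTGRES_PASSWORD && echo "loaded ${#POSTGRES_PASSWORD} bytes"
    rm -rf "$dir"
)
```
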
  • Removing a secret will re-deploy the container
docker service update --secret-add <secret> <service>
docker service update --secret-rm <secret> <service>
