• Docker Secrets


    一、简介

      在微服务架构应用中,众多组件在集群中动态地创建、伸缩、更新。在如此动态和大规模的分布式系统上,管理和分发密码、证书等敏感信息将会是非常具有挑战性的工作。对于容器应用,传统的秘密分发方式,如将秘钥存放在容器镜像中,或是利用环境变量,volume动态挂载方式动态传入都存在着潜在的安全风险。

      为了应对这个问题,在Docker 1.13及更高版本中,Docker推出了Secrets管理,可以在Swarm mode集群中安全地管理密码、密钥证书等敏感信息,并允许在多个Docker容器实例之间共享访问指定的秘密信息。

    二、基本功能和应用

      注: docker secret 只能从Docker Swarm模式的manager节点调用,如果你在本机进行试验,请先执行 docker swarm init 命令

      Docker命令行工具提供了docker secret命令来管理敏感信息  

    # docker secret --help
    
    Usage:	docker secret COMMAND
    
    Manage Docker secrets
    
    Options:
    
    
    Commands:
      create      Create a secret from a file or STDIN as content
      inspect     Display detailed information on one or more secrets
      ls          List secrets
      rm          Remove one or more secrets
    

      其中 docker secret create 支持从文件或标准输入读取信息,并将其存入指定的 secret。注意:下面的示例用 echo 把密码直接写在命令行上,密码会保留在 shell 历史记录中;实际使用时应改为从文件读取。

      (1)创建两个secrets

    # echo "Password4DB" | docker secret create db_password -
    anyyxxynb6r9ra9698f38c86x
    
    # echo "Password4Root" | docker secret create root_password -
    8ipun85hi89ibsg5ftp3l3uda
    

      

    # docker secret ls
    ID                          NAME                DRIVER              CREATED             UPDATED
    anyyxxynb6r9ra9698f38c86x   db_password                             3 minutes ago       3 minutes ago
    8ipun85hi89ibsg5ftp3l3uda   root_password                           3 minutes ago       3 minutes ago

      (2)创建一个db服务,并引用secret作为数据库和root密码   

    # docker service create \
    --name my-db \
    --publish 3306:3306 \
    --secret db_password \
    --secret root_password \
    -e MYSQL_ROOT_PASSWORD_FILE=/run/secrets/root_password \
    -e MYSQL_USER=dbtest \
    -e MYSQL_DATABASE=dbtest \
    -e MYSQL_PASSWORD_FILE=/run/secrets/db_password \
    mysql

      (3)检查服务状态   

    # docker service ls
    ID                  NAME                MODE                REPLICAS            IMAGE                            PORTS
    b9rvq5wwln5p        my-db               replicated          1/1                 mysql:latest                     *:3306->3306/tcp
    
    # docker service ps my-db
    ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE            ERROR               PORTS
    7hezr6rtkp0k        my-db.1             mysql:latest        node-03             Running             Running 4 minutes ago
    

      (4)查看挂载到容器中的密码文件(secret 以明文文件形式挂载在容器内的 /run/secrets/ 目录下,能对该容器执行 docker exec 的用户都可以直接读取)

    # docker exec -it 56d5845c6741 ls /run/secrets/
    db_password  root_password
    
    # docker exec -it 56d5845c6741 cat /run/secrets/db_password
    Password4DB
    
    # docker exec -it 56d5845c6741 cat /run/secrets/root_password
    Password4Root
    

      (5)登入验证 

    # mysql -h host_ip -uroot  -p
    Enter password: 
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MySQL connection id is 2
    Server version: 5.7.21 MySQL Community Server (GPL)
    
    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MySQL [(none)]> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | dbtest             |
    | mysql              |
    | performance_schema |
    | sys                |
    +--------------------+
    5 rows in set (0.00 sec)
    

    三、容器编排中使用 docker secret

      从 Docker Compose V3.1开始,支持在容器编排文件中使用 secret,这可以方便地在不同容器中分享所需的敏感信息。下面将使用 Compose 模板来构建一个Wordpress应用,通过 secret 实现 “wordpress”服务容器和“db”服务容器中共享数据库密码。

      (1)secret_stack.yml 

    version: "3.3"
    services:
      wordpress:
        image: wordpress:latest
        # Secrets listed here are mounted into the container as files under
        # /run/secrets/<name>; each service gets only the secrets it lists.
        secrets:
          - wp_db_password
        ports:
          - "8080:80"
        environment:
          - WORDPRESS_DB_USER=wordpress
          - WORDPRESS_DB_NAME=wordpress
          # Point the image at the mounted secret file instead of passing the
          # password value itself through an environment variable.
          - WORDPRESS_DB_PASSWORD_FILE=/run/secrets/wp_db_password
          - WORDPRESS_DB_HOST=mysql
        deploy:
          replicas: 3
          update_config:
            parallelism: 2
            delay: 10s
          restart_policy:
            condition: on-failure
    
      mysql:
        image: mysql:latest
        # The db service needs both the application user's password and the
        # root password; wp_db_password is the one shared with the wordpress service.
        secrets:
          - wp_db_password
          - root_db_password
        environment:
          - MYSQL_USER=wordpress
          - MYSQL_DATABASE=wordpress
          # Same pattern: the *_FILE variables name the mounted secret files.
          - MYSQL_PASSWORD_FILE=/run/secrets/wp_db_password
          - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/root_db_password
        deploy:
          replicas: 1
          restart_policy:
            condition: on-failure
    # external: true means the secret values are not defined in this file; they
    # must already exist in the swarm (created with `docker secret create`)
    # before `docker stack deploy` runs, so no password is stored in the YAML.
    secrets:
      wp_db_password:
        external: true
      root_db_password:
        external: true
    

      (2)生成密码

    [root@manager stack_compose]# echo "Password4DB" | docker secret create wp_db_password -
    xtkut0zoe7u774aymwremncpj
    [root@manager stack_compose]# echo "Password4Root" | docker secret create root_db_password -
    nx22on48v96qdph2k3s7hs6mv
    

      (3)部署服务

    # docker stack deploy -c secret_stack.yml wordpress
    

      (4)查看部署情况  

    [root@manager ~]# docker service ls
    ID                  NAME                  MODE                REPLICAS            IMAGE                            PORTS
    xa450wyt625o        wordpress_mysql       replicated          1/1                 mysql:latest                     
    otpkb5li30vx        wordpress_wordpress   replicated          3/3                 wordpress:latest                 *:8080->80/tcp  

      (5)配置WordPress

      访问host_ip:8080

      

      

      

  • 原文地址:https://www.cnblogs.com/bigberg/p/8881487.html