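Secrets in swarm services:
Note on the lab transcript below: psql_user.txt is created with mode 0644 and the password is typed inline after echo, so both stay readable on the manager node (file on disk, shell history) after `docker secret create`. Outside a lab, remove the source files afterwards and feed the password from stdin or from a file with restricted permissions.
Docker secrets: background reading (Compose file reference):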
https://docs.docker.com/compose/compose-file/
[node1] (local) root@192.168.0.48 ~
$ vi psql_user.txt
[node1] (local) root@192.168.0.48 ~
$ ls -l
total 4
-rw-r--r-- 1 root root 11 Dec 5 09:06 psql_user.txt
[node1] (local) root@192.168.0.48 ~
[node1] (local) root@192.168.0.48 ~
$ docker secret create psql_user psql_user.txt
byy4t9quhze5szjbc80bhom0h
[node1] (local) root@192.168.0.48 ~
$ docker secret ls
ID NAME DRIVER CREATED UPDATED
byy4t9quhze5szjbc80bhom0h psql_user 7 seconds ago 7 seconds ago
[node1] (local) root@192.168.0.48 ~
$ echo "myDBpassword" | docker secret create psql_pass -
bxo4wjfzu2zhd2q4ta27svulg
[node1] (local) root@192.168.0.48 ~
$ docker secret ls
ID NAME DRIVER CREATED UPDATED
bxo4wjfzu2zhd2q4ta27svulg psql_pass 5 seconds ago 5 seconds ago
byy4t9quhze5szjbc80bhom0h psql_user About a minute ago About a minute ago
[node1] (local) root@192.168.0.48 ~
$ docker service create --name psql --secret psql_user --secret psql_pass -e POSTGRES_PASSWORD_FILE="/run/secrets/psql_pass" -e POSTGRES_USER_FILE="/run/secrets/psql_user" postgres:10
ytaihypssd284n5hgwrrco03p
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
[node1] (local) root@192.168.0.48 ~
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
ytaihypssd28 psql replicated 1/1 postgres:10
[node1] (local) root@192.168.0.48 ~
$
[node1] (local) root@192.168.0.48 ~
$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b47ad0fab13e postgres:10 "docker-entrypoint.s…" 2 minutes ago Up 2 minutes 5432/tcp psql.1.2eq4lnmgtxwtt95sfdb5kl8tc
[node1] (local) root@192.168.0.48 ~
$ docker exec -it psql.1.2eq4lnmgtxwtt95sfdb5kl8tc /bin/bash
root@b47ad0fab13e:/#
root@b47ad0fab13e:/#
root@b47ad0fab13e:/# ls -l /var/run/secrets
total 8
-r--r--r-- 1 root root 13 Dec 5 11:36 psql_pass
-r--r--r-- 1 root root 11 Dec 5 11:36 psql_user
root@b47ad0fab13e:/# cat psql_pass
cat: psql_pass: No such file or directory
root@b47ad0fab13e:/# cat /var/run/secrets/psql_user
mypsqluser
root@b47ad0fab13e:/# cat /var/run/secrets/psql_pass
myDBpassword
root@b47ad0fab13e:/#
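In a single step, we can pass the --filter option to docker container ls and run cat directly, as below. This prints the secret values in clear text to the terminal, so use it only to verify a lab setup: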
$ docker exec -it $(docker container ls --filter=name=psql.1.pljpjdv1gfw5cjj391hp5gocx -q) cat /var/run/secrets/psql_user /var/run/secrets/psql_pass
mypsqluser
myDBpassword
[node1] (local) root@192.168.0.48 ~
$
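Removing and adding secrets:
Removing psql_pass leaves POSTGRES_PASSWORD_FILE pointing at a file that no longer exists, which is presumably why the replacement tasks exit non-zero and the update pauses below. `docker logs` expects a container name or ID on the local node, so the task ID and the service name are both rejected; `docker service logs psql` reads the service's task logs instead.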
$ docker service update --secret-rm psql_pass psql
psql
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Waiting 5 seconds to verify that tasks are stable...
service update paused: update paused due to failure or early termination of task uf5d81gn9fwar7tc3ck2rzk7v
[node1] (local) root@192.168.0.48 ~
$ docker logs -f uf5d81gn9fwar7tc3ck2rzk7v
Error: No such container: uf5d81gn9fwar7tc3ck2rzk7v
[node1] (local) root@192.168.0.48 ~
$ docker logs -f psql
Error: No such container: psql
[node1] (local) root@192.168.0.48 ~
$ docker service update --secret-add psql_pass psql
psql
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
[node1] (local) root@192.168.0.48 ~
$ docker service ps psql
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
pljpjdv1gfw5 psql.1 postgres:10 node1 Running Running 13 seconds ago
rcqrflg3ys2l \_ psql.1 postgres:10 node3 Shutdown Shutdown 14 seconds ago
rtj2adwcbvqd \_ psql.1 postgres:10 node3 Shutdown Failed 17 seconds ago "task: non-zero exit (1)"
tt6bnrapsuqc \_ psql.1 postgres:10 node2 Shutdown Failed 23 seconds ago "task: non-zero exit (1)"
jvm6bru9has1 \_ psql.1 postgres:10 node2 Shutdown Failed 29 seconds ago "task: non-zero exit (1)"
[node1] (local) root@192.168.0.48 ~
$
Stack Deployment with Secrets:
[node1] (local) root@192.168.0.48 ~/stack_secret
$ pwd
/root/stack_secret
[node1] (local) root@192.168.0.47 ~
$ ls -l
total 12
-rw-r--r-- 1 root root 330 Dec 5 13:12 docker-compose.yml
-rw-r--r-- 1 root root 11 Dec 5 13:05 psql_pass.txt
-rw-r--r-- 1 root root 11 Dec 5 12:56 psql_user.txt
$
[node1] (local) root@192.168.0.47 ~
$ cat docker-compose.yml
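# Stack file for `docker stack deploy`: one postgres service that reads its
# user name and password from swarm secrets instead of plain environment values.
version: "3.1"
services:
  psql:
    image: postgres
    # Secrets granted to this service; each appears as /run/secrets/<name>.
    secrets:
      - psql_user
      - psql_pass
    environment:
      # The *_FILE variables make the image read the value from the secret file.
      POSTGRES_PASSWORD_FILE: /run/secrets/psql_pass
      POSTGRES_USER_FILE: /run/secrets/psql_user
secrets:
  # file: secrets are read from the deploy host when the stack is deployed;
  # the .txt files stay on disk afterwards (mode 0644 in the listing above).
  psql_user:
    file: ./psql_user.txt
  psql_pass:
    file: ./psql_pass.txt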
[node1] (local) root@192.168.0.47 ~
$ docker stack deploy -c docker-compose.yml mydb
Creating network mydb_default
Creating secret mydb_psql_pass
Creating secret mydb_psql_user
Creating service mydb_psql
$ docker stack services mydb
ID NAME MODE REPLICAS IMAGE PORTS
siljsp552khq mydb_psql replicated 1/1 postgres:latest
$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
50424ddde5e8 postgres:latest "docker-entrypoint.s…" 2 minutes ago Up 2 minutes 5432/tcp mydb_psql.1.zajk5nzb2f8wsuu387qdlh6w1
[node1] (local) root@192.168.0.47 ~
$
[node1] (local) root@192.168.0.47 ~
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
siljsp552khq mydb_psql replicated 1/1 postgres:latest
==============================
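Using a manually created (external) secret: psql_pass is marked `external: true`, so the stack uses the psql_pass secret already created with `docker secret create` instead of creating its own (note that only shaan_db_psql_user is created at deploy time below).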
$ cat docker-compose.yml
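# Stack file variant: psql_user comes from a local file, psql_pass from a
# secret that already exists in the swarm.
version: "3.1"
services:
  psql:
    image: postgres
    # Secrets granted to this service; each appears as /run/secrets/<name>.
    secrets:
      - psql_user
      - psql_pass
    environment:
      # The *_FILE variables make the image read the value from the secret file.
      POSTGRES_PASSWORD_FILE: /run/secrets/psql_pass
      POSTGRES_USER_FILE: /run/secrets/psql_user
secrets:
  psql_user:
    file: ./psql_user.txt
  # external: the secret must already exist (created with `docker secret create`);
  # the deploy does not create it and no password file is needed on this host.
  psql_pass:
    external: true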
[node1] (local) root@192.168.0.47 ~
$ docker stack deploy -c docker-compose.yml shaan_db
Creating network shaan_db_default
Creating secret shaan_db_psql_user
Creating service shaan_db_psql
[node1] (local) root@192.168.0.47 ~
$ docker secret ls
ID NAME DRIVER CREATED UPDATED
ng2dvoba0rgej3a15wk3h70lk mydb_psql_pass 9 minutes ago 9 minutes ago
ub16w99vumayn9byti2xd4a6j mydb_psql_user 9 minutes ago 6 minutes ago
rnepvx0rity1obcpdjwz5etww psql_pass 20 minutes ago 20 minutes ago
ymk7abjzm9k1cl4mkjwlnat4h psql_user 22 minutes ago 22 minutes ago
w791noqa5uams9nediirbrpdp shaan_db_psql_user 4 minutes ago 4 minutes ago
$
[node1] (local) root@192.168.0.47 ~
$ docker stack services shaan_db
ID NAME MODE REPLICAS IMAGE PORTS
85apa2295g3z shaan_db_psql replicated 1/1 postgres:latest
[node1] (local) root@192.168.0.47 ~
$
$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
50424ddde5e8 postgres:latest "docker-entrypoint.s…" 11 minutes ago Up 11 minutes 5432/tcp mydb_psql.1.zajk5nzb2f8wsuu387qdlh6w1
[node1] (local) root@192.168.0.47 ~
$
=====================================++++++++++++++++++++++++==============================================
Using Secrets with local docker-compose:
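Using `external: true` is not possible here: without swarm, docker-compose can only read the secret data from a file. The file is bind-mounted into the container as-is, so this mode does not provide the encrypted storage that swarm secrets have; treat it as a convenience for local development.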
[node1] (local) root@192.168.0.48 ~
$ echo "mysqluser" >> psql_user.txt
[node1] (local) root@192.168.0.48 ~
$ echo "mysqlpass" >> psql_pass.txt
[node1] (local) root@192.168.0.48 ~
$ vi docker-compose.yml
$ cat
$
[node1] (local) root@192.168.0.48 ~
$ ls -l
total 12
-rw-r--r-- 1 root root 337 Dec 5 14:32 docker-compose.yml
-rw-r--r-- 1 root root 10 Dec 5 14:31 psql_pass.txt
-rw-r--r-- 1 root root 10 Dec 5 14:31 psql_user.txt
[node1] (local) root@192.168.0.48 ~
$ cat docker-compose.yml
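# Compose file for local `docker-compose up` (no swarm): same layout as the
# stack file, but the secrets can only come from files on this host.
version: "3.1"
services:
  psql:
    image: postgres
    # Secrets granted to this service; each appears as /run/secrets/<name>.
    secrets:
      - psql_user
      - psql_pass
    environment:
      # The *_FILE variables make the image read the value from the secret file.
      POSTGRES_PASSWORD_FILE: /run/secrets/psql_pass
      POSTGRES_USER_FILE: /run/secrets/psql_user
secrets:
  # Without swarm these files are bind-mounted into the container unencrypted;
  # keep them out of version control and restrict their permissions.
  psql_user:
    file: ./psql_user.txt
  psql_pass:
    file: ./psql_pass.txt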
[node1] (local) root@192.168.0.48 ~
$ docker-compose up -d
Creating network "root_default" with the default driver
Pulling psql (postgres:)...
latest: Pulling from library/postgres
000eee12ec04: Pull complete
7b8ef50e8d64: Pull complete
304f7c67e7db: Pull complete
9fe4298c8c65: Pull complete
f1ca857656d1: Pull complete
95d6c34812f7: Pull complete
9436c546bd1d: Pull complete
922326a079d9: Pull complete
d6e9dcf0d140: Pull complete
83ac3914c283: Pull complete
5ffbf9359c6e: Pull complete
d280abe82126: Pull complete
f5a37695fe7e: Pull complete
233830cd10db: Pull complete
Creating root_psql_1 ... done
$ docker-compose ps
Name Command State Ports
--------------------------------------------------------------
root_psql_1 docker-entrypoint.sh postgres Up 5432/tcp
[node1] (local) root@192.168.0.48 ~
$ docker-compose exec psql cat /run/secrets/psql_user
mysqluser
[node1] (local) root@192.168.0.48 ~
$ docker-compose exec psql cat /run/secrets/psql_pass
mysqlpass
[node1] (local) root@192.168.0.48 ~
=================================================
Service updates: changing things on the fly:
[node1] (local) root@192.168.0.48 ~
$ docker service create -p 8088:80 --name web nginx:1.13.7
tmyt1dejy4yo57ra4zprrex0v
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
[node1] (local) root@192.168.0.48 ~
$ docker service ps web
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
l4m6jbfvmc73 web.1 nginx:1.13.7 node3 Running Running 15 seconds ago
[node1] (local) root@192.168.0.48 ~
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
tmyt1dejy4yo web replicated 1/1 nginx:1.13.7 *:8088->80/tcp
[node1] (local) root@192.168.0.48 ~
$ docker service scale web=5
web scaled to 5
overall progress: 5 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
verify: Service converged
[node1] (local) root@192.168.0.48 ~
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
tmyt1dejy4yo web replicated 5/5 nginx:1.13.7 *:8088->80/tcp
[node1] (local) root@192.168.0.48 ~
$ docker service ps web
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
l4m6jbfvmc73 web.1 nginx:1.13.7 node3 Running Running about a minute ago
dluq1tdmgb26 web.2 nginx:1.13.7 node2 Running Running 17 seconds ago
3ltygd8ac0x8 web.3 nginx:1.13.7 node1 Running Running 17 seconds ago
ve90v55vw6ej web.4 nginx:1.13.7 node1 Running Running 17 seconds ago
xkpbdyddes1e web.5 nginx:1.13.7 node3 Running Running 23 seconds ago
[node1] (local) root@192.168.0.48 ~
$ docker service update --image=nginx:1.13.6 web
web
overall progress: 5 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
verify: Service converged
[node1] (local) root@192.168.0.48 ~
$ docker service ps web
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
ykk35721lfq8 web.1 nginx:1.13.6 node3 Running Running 9 seconds ago
l4m6jbfvmc73 \_ web.1 nginx:1.13.7 node3 Shutdown Shutdown 10 seconds ago
zxtc5e3f10b8 web.2 nginx:1.13.6 node2 Running Running 14 seconds ago
dluq1tdmgb26 \_ web.2 nginx:1.13.7 node2 Shutdown Shutdown 15 seconds ago
qv1sagk0bg93 web.3 nginx:1.13.6 node1 Running Running 19 seconds ago
3ltygd8ac0x8 \_ web.3 nginx:1.13.7 node1 Shutdown Shutdown 20 seconds ago
mzv2lnvsfoql web.4 nginx:1.13.6 node1 Running Running 30 seconds ago
ve90v55vw6ej \_ web.4 nginx:1.13.7 node1 Shutdown Shutdown 31 seconds ago
igc4wle7zdl8 web.5 nginx:1.13.6 node2 Running Running 24 seconds ago
xkpbdyddes1e \_ web.5 nginx:1.13.7 node3 Shutdown Shutdown 26 seconds ago
[node1] (local) root@192.168.0.48 ~
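`--publish-rm 8088` didn't work: it didn't remove the port. (The Docker CLI reference describes `--publish-rm` as removing a published port by its target port, which here is 80 rather than 8088; after changing published ports, confirm what is actually exposed with `docker service ls`.)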
[node1] (local) root@192.168.0.48 ~
$ docker service update --publish-rm 8088 --publish-add 9090:80 web
web
overall progress: 5 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
verify: Service converged
[node1] (local) root@192.168.0.48 ~
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
tmyt1dejy4yo web replicated 5/5 nginx:1.13.6 *:8088->80/tcp, *:9090->80/tcp
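It does not work as expected even with the protocol name: the command below names 9090/tcp, yet the listing afterwards still shows *:9090->80/tcp, and it is the 8088 mapping that has disappeared.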
$ docker service update --publish-rm 9090/tcp web
web
overall progress: 5 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
verify: Service converged
[node1] (local) root@192.168.0.48 ~
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
tmyt1dejy4yo web replicated 5/5 nginx:1.13.6 *:9090->80/tcp
[node1] (local) root@192.168.0.48 ~
$
$ docker service update --force web
web
overall progress: 5 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
verify: Service converged
[node1] (local) root@192.168.0.48 ~
$ docker service ps web
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
gakst2n9vanw web.1 nginx:1.13.6 node1 Running Running 19 seconds ago
np4e0axqis25 \_ web.1 nginx:1.13.6 node1 Shutdown Shutdown 20 seconds ago
ebtonyoqotco \_ web.1 nginx:1.13.6 node1 Shutdown Shutdown 7 minutes ago
5u7drspuh05y \_ web.1 nginx:1.13.6 node2 Shutdown Shutdown 8 minutes ago
klugm1ewn7d0 \_ web.1 nginx:1.13.6 node2 Shutdown Shutdown 9 minutes ago
pjg88cas6z4i web.2 nginx:1.13.6 node1 Running Running 34 seconds ago
z6s78f3rhbe2 \_ web.2 nginx:1.13.6 node1 Shutdown Shutdown 35 seconds ago
0annlcygd2p1 \_ web.2 nginx:1.13.6 node1 Shutdown Shutdown 7 minutes ago
pbrcxskzj8cg \_ web.2 nginx:1.13.6 node1 Shutdown Shutdown 8 minutes ago
t1aixkqbisjg \_ web.2 nginx:1.13.6 node1 Shutdown Shutdown 9 minutes ago
v6lu5pbqkse8 web.3 nginx:1.13.6 node3 Running Running 15 seconds ago
iaduslck52ol \_ web.3 nginx:1.13.6 node3 Shutdown Shutdown 16 seconds ago
uvzlmvo6yyap \_ web.3 nginx:1.13.6 node3 Shutdown Shutdown 7 minutes ago
6kucwfp1o8b5 \_ web.3 nginx:1.13.6 node1 Shutdown Shutdown 8 minutes ago
8hw8giau7h6p \_ web.3 nginx:1.13.6 node1 Shutdown Shutdown 9 minutes ago
iqo6kn8dizet web.4 nginx:1.13.6 node2 Running Running 24 seconds ago
1vd6wuaeen70 \_ web.4 nginx:1.13.6 node2 Shutdown Shutdown 25 seconds ago
zt2e7cd9rpgc \_ web.4 nginx:1.13.6 node3 Shutdown Shutdown 7 minutes ago
12cl2aorwxjk \_ web.4 nginx:1.13.6 node3 Shutdown Shutdown 9 minutes ago
pznrjzjvb94r \_ web.4 nginx:1.13.6 node3 Shutdown Shutdown 9 minutes ago
3a65tidkcl9q web.5 nginx:1.13.6 node2 Running Running 29 seconds ago
woywovxt6lux \_ web.5 nginx:1.13.6 node2 Shutdown Shutdown 30 seconds ago
0ow06ukdw1qm \_ web.5 nginx:1.13.6 node2 Shutdown Shutdown 7 minutes ago
bqh8xoiyzxud \_ web.5 nginx:1.13.6 node2 Shutdown Shutdown 8 minutes ago
b0jbkvyf8ks4 \_ web.5 nginx:1.13.6 node2 Shutdown Shutdown 9 minutes ago
[node1] (local) root@192.168.0.48 ~
$ docker service ps web | grep -i running
gakst2n9vanw web.1 nginx:1.13.6 node1 Running Running 32 seconds ago
pjg88cas6z4i web.2 nginx:1.13.6 node1 Running Running 46 seconds ago
v6lu5pbqkse8 web.3 nginx:1.13.6 node3 Running Running 27 seconds ago
iqo6kn8dizet web.4 nginx:1.13.6 node2 Running Running 37 seconds ago
3a65tidkcl9q web.5 nginx:1.13.6 node2 Running Running 41 seconds ago
[node1] (local) root@192.168.0.48 ~
$
[node1] (local) root@192.168.0.48 ~
$