
Using Docker Secrets to Manage Sensitive Data

Hands-On Lab


Travis Thomsen

Course Development Director in Content

Length

01:00:00

Difficulty

Advanced

In order to secure a MySQL database, we’ve decided to redeploy the container it sits in as a Swarm service, using secrets. We'll use OpenSSL to generate secure passwords for both the MySQL root user and the application user, then save them to separate files. Next we'll create secrets for these passwords, and finally create the MySQL service using these secrets.


Log In

Log in to the environment using the credentials provided on the lab page, either in a terminal session on your local machine or by clicking Instant Terminal. Note that there are two servers to log into, the manager and the worker.

Complete the Swarm Setup

We'll start off by getting a join token. On the manager node, run this:

[cloud_user@manager]$ docker swarm join-token worker

Copy the join token, and then run it on the worker node:

[cloud_user@worker]$ docker swarm join --token [TOKEN] [MANAGER_PRIVATE_IP]:2377

We should get a message about this node joining a swarm as a worker. We're good to go, and we can shut the worker terminal down.

Create Secrets

Back on the manager node, we need to generate the MySQL root password and store it as a secret:

[cloud_user@manager]$ openssl rand -base64 20 > mysql_root_password.txt
[cloud_user@manager]$ docker secret create mysql_root_password mysql_root_password.txt

Create a MySQL user password:

[cloud_user@manager]$ openssl rand -base64 20 > mysql_password.txt
[cloud_user@manager]$ docker secret create mysql_password mysql_password.txt

Create an Overlay Network for the Service

[cloud_user@manager]$ docker network create -d overlay mysql_private

Create the MySQL Service

[cloud_user@manager]$ docker service create \
     --name mysql_secrets \
     --replicas 1 \
     --network mysql_private \
     --mount type=volume,destination=/var/lib/mysql \
     --secret mysql_root_password \
     --secret mysql_password \
     -e MYSQL_ROOT_PASSWORD_FILE="/run/secrets/mysql_root_password" \
     -e MYSQL_PASSWORD_FILE="/run/secrets/mysql_password" \
     -e MYSQL_USER="myUser" \
     -e MYSQL_DATABASE="myDB" \
     mysql:5.7
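To see why the two _FILE variables above matter, here is an added example (not the mysql image's own entrypoint script, though it follows the same VAR_FILE convention official images use) of how a process resolves a password from the file Swarm mounts under /run/secrets instead of from a plain environment variable that docker inspect would show; the secret file and its value are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the mysql image's own entrypoint): resolve a setting
# from VAR or from the file named by VAR_FILE, the convention that makes
# MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password work.

# file_env VAR [DEFAULT]
# Exports VAR from $VAR, or from the contents of the file in $VAR_FILE
# (the /run/secrets path Swarm mounts), or from DEFAULT. Setting both VAR
# and VAR_FILE is an error, so a stray -e MYSQL_ROOT_PASSWORD=... cannot
# silently replace the secret.
file_env() {
    var="$1"
    default="${2:-}"
    file_var="${var}_FILE"
    eval "val=\${$var:-}"
    eval "file_val=\${$file_var:-}"
    if [ -n "$val" ] && [ -n "$file_val" ]; then
        echo "error: both $var and $file_var are set" >&2
        return 1
    fi
    if [ -n "$file_val" ]; then
        if [ ! -r "$file_val" ]; then
            echo "error: $file_var points at unreadable $file_val" >&2
            return 1
        fi
        # command substitution drops trailing newlines, so the "\n" that
        # "openssl rand -base64 20 > file" appends never becomes part of the password
        val="$(cat "$file_val")"
    elif [ -z "$val" ]; then
        val="$default"
    fi
    export "$var=$val"
    unset "$file_var"   # the path is no longer needed once the value is loaded
}

# Stand-alone demo with a constructed secret file standing in for
# /run/secrets/mysql_root_password; prints only the password length.
demo_secret_length() {
    dir="$(mktemp -d)"
    printf 'c0nstructedS3cretValue==\n' > "$dir/mysql_root_password"
    unset MYSQL_ROOT_PASSWORD
    export MYSQL_ROOT_PASSWORD_FILE="$dir/mysql_root_password"
    file_env MYSQL_ROOT_PASSWORD || return 1
    rm -rf "$dir"
    printf '%s\n' "${#MYSQL_ROOT_PASSWORD}"
}

demo_secret_length
```

Note that the .txt files written on the manager still hold both passwords in plaintext; remove them once the secrets exist, or pipe the openssl output straight into docker secret create NAME - so nothing lands on disk.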

Conclusion

If we list our services with a docker service ls, we'll see that everything is up and running, with the right number of replicas. Congratulations!