Using Docker Secrets to Manage Sensitive Data

1 hour
  • 3 Learning Objectives

About this Hands-on Lab

In order to secure a MySQL database, we’ve decided to redeploy the container it sits in as a Swarm service, using secrets.

We’ll use OpenSSL to generate secure passwords for both the MySQL users `root` and `user`. Then, we’ll save them to separate files. Next, we’ll create secrets for these passwords and finally create the MySQL service using these secrets.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create Secrets

Note: Please allow the lab extra time to fully spin up.

Create the MySQL root password:

openssl rand -base64 20 > mysql_root_password.txt
docker secret create mysql_root_password mysql_root_password.txt

Create a MySQL user password:

openssl rand -base64 20 > mysql_password.txt
docker secret create mysql_password mysql_password.txt

Create an Overlay Network for the Service

Create an overlay network:

docker network create -d overlay mysql_private

Create the MySQL Service

Create a MySQL service:

docker service create \
     --name mysql_secrets \
     --replicas 1 \
     --network mysql_private \
     --mount type=volume,destination=/var/lib/mysql \
     --secret mysql_root_password \
     --secret mysql_password \
     -e MYSQL_ROOT_PASSWORD_FILE="/run/secrets/mysql_root_password" \
     -e MYSQL_PASSWORD_FILE="/run/secrets/mysql_password" \
     -e MYSQL_USER="myUser" \
     -e MYSQL_DATABASE="myDB" \
     mysql:5.7

Additional Resources

Complete the Swarm Setup

On the manager node, the swarm has already been initialized. Get the worker token and have the worker node join the swarm.

Randomly Generate the MySQL Passwords

Use openssl rand -base64 20 to randomly generate a password for mysql_root_password and save it to mysql_root_password.txt.

Use openssl rand -base64 20 to randomly generate a password for mysql_password and save it to mysql_password.txt.

Create the MySQL Service

Create an overlay network called mysql_private that uses the overlay driver. Then create the service:

  1. Create a service called mysql_secrets.
  2. The service should have one replica.
  3. Make sure it is attached to mysql_private.
  4. Mount a volume to /var/lib/mysql.
  5. Make sure the service uses the secrets mysql_root_password and mysql_password.
  6. Create the following environment variables:
    • MYSQL_ROOT_PASSWORD_FILE: Set it to the in-memory path to the mysql_root_password secret.
    • MYSQL_PASSWORD_FILE: Set it to the in-memory path to the mysql_password secret.
    • MYSQL_USER: Set it to myUser.
    • MYSQL_DATABASE: Set it to myDB.

Use the mysql:5.7 image.
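
The MYSQL_ROOT_PASSWORD_FILE and MYSQL_PASSWORD_FILE variables above carry only a path; the image's startup script is what reads the mounted secret into the real variable. As an added example (not part of the lab or the MySQL image's own code), this sketch shows that resolution step, with resolve_secret_env as a hypothetical helper name and a temp directory standing in for /run/secrets.

```shell
#!/bin/sh
# Added sketch of the *_FILE convention; resolve_secret_env is a hypothetical
# helper, not the MySQL image's own entrypoint code.
resolve_secret_env() {
    var=$1
    file_var="${var}_FILE"
    # eval is used for indirection, so accept only plain variable names.
    case $var in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid name: $var" >&2; return 2 ;;
    esac
    eval "value=\${$var-}"
    eval "secret_path=\${$file_var-}"
    # Refuse ambiguous configuration: the password must have one source.
    if [ -n "$value" ] && [ -n "$secret_path" ]; then
        echo "error: both $var and $file_var are set" >&2
        return 1
    fi
    if [ -n "$secret_path" ]; then
        if [ ! -r "$secret_path" ]; then
            echo "error: cannot read $secret_path" >&2
            return 1
        fi
        # Command substitution drops the trailing newline that
        # `openssl rand -base64 20 > file` stores in the secret.
        value=$(cat "$secret_path")
    fi
    eval "$var=\$value"
    export "$var"
    unset "$file_var"
}

# Constructed demo: a temp directory stands in for /run/secrets.
demo_resolve() (
    dir=$(mktemp -d)
    printf 'Constructed+Sample/Secret=\n' > "$dir/mysql_root_password"
    unset MYSQL_ROOT_PASSWORD
    MYSQL_ROOT_PASSWORD_FILE="$dir/mysql_root_password"
    resolve_secret_env MYSQL_ROOT_PASSWORD || exit 1
    printf '%s' "$MYSQL_ROOT_PASSWORD"
    rm -rf "$dir"
)

demo_resolve >/dev/null && echo "secret resolved from file"
```

Because only the path sits in the service's environment, docker service inspect shows /run/secrets/mysql_root_password rather than the password itself.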
