Using Docker Secrets to Manage Sensitive Data

1 hour
  • 3 Learning Objectives

About this Hands-on Lab

In order to secure a MySQL database, we’ve decided to redeploy the container it sits in as a Swarm service, using secrets.

We’ll use OpenSSL to generate secure passwords for both the MySQL users `root` and `user`. Then we’ll save them to separate files. Next we’ll create secrets for these passwords, and finally create the MySQL service using these secrets.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create Secrets

Create the MySQL root password:

openssl rand -base64 20 > mysql_root_password.txt
docker secret create mysql_root_password mysql_root_password.txt

Create a MySQL user password:

openssl rand -base64 20 > mysql_password.txt
docker secret create mysql_password mysql_password.txt

Create an Overlay Network for the Service

Create an Overlay network:

docker network create -d overlay mysql_private

Create the MySQL Service

Create a MySQL service:

docker service create \
     --name mysql_secrets \
     --replicas 1 \
     --network mysql_private \
     --mount type=volume,destination=/var/lib/mysql \
     --secret mysql_root_password \
     --secret mysql_password \
     -e MYSQL_ROOT_PASSWORD_FILE="/run/secrets/mysql_root_password" \
     -e MYSQL_PASSWORD_FILE="/run/secrets/mysql_password" \
     -e MYSQL_USER="myUser" \
     -e MYSQL_DATABASE="myDB" \
     mysql:5.7
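
The steps above leave both passwords in plaintext .txt files on the manager. The following added example (not part of the original lab) creates the same two secrets from stdin instead and then checks that the service spec holds only `*_FILE` pointers; the function names and the `create`/`check` arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hardened variant of the lab's secret-creation steps.
set -e

# Generate the password as the lab does (openssl rand -base64 20), but pass it
# to `docker secret create NAME -` on stdin so no plaintext .txt file is left
# on the manager's disk. $(...) also drops openssl's trailing newline.
create_random_secret() {
  name="$1"
  pw="$(openssl rand -base64 20)" || return 1
  [ -n "$pw" ] || { echo "empty password for $name" >&2; return 1; }
  printf '%s' "$pw" | docker secret create "$name" -
  rc=$?; unset pw; return "$rc"
}

# Fail if the service spec carries a password in a plain environment variable
# (readable by anyone who can run `docker service inspect`) or if a *_FILE
# variable does not point at a mounted secret under /run/secrets.
check_no_plaintext_env() {
  service="$1"
  envs="$(docker service inspect --format \
    '{{range .Spec.TaskTemplate.ContainerSpec.Env}}{{println .}}{{end}}' \
    "$service")" || return 1
  if printf '%s\n' "$envs" | grep -Eq '^MYSQL_(ROOT_)?PASSWORD='; then
    echo "FAIL: $service has a password in a plain environment variable" >&2
    return 1
  fi
  for var in MYSQL_ROOT_PASSWORD_FILE MYSQL_PASSWORD_FILE; do
    printf '%s\n' "$envs" | grep -q "^${var}=/run/secrets/" || {
      echo "FAIL: $var does not point into /run/secrets" >&2
      return 1
    }
  done
  echo "OK: $service reads both passwords from /run/secrets"
}

# Assumed entry points: "create" before the service exists, "check" after.
case "${1:-}" in
  create) create_random_secret mysql_root_password
          create_random_secret mysql_password ;;
  check)  check_no_plaintext_env mysql_secrets ;;
esac
```

Docker does not expose a secret's value through `docker secret inspect`, so with no .txt copy the passwords are readable only under /run/secrets inside the service's containers.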

Additional Resources

Complete the Swarm Setup

On the manager node, the swarm has already been initialized. Get the worker token and have the worker node join the swarm.

Randomly generate the MySQL passwords

Use openssl rand -base64 20 to randomly generate a password for mysql_root_password and save it to mysql_root_password.txt.

Use openssl rand -base64 20 to randomly generate a password for mysql_password and save it to mysql_password.txt.

Create the MySQL Service

Create an overlay network called mysql_private and use the overlay driver.

Create a service called mysql_secrets.
The service should have 1 replica.
Make sure it is attached to mysql_private. Mount a volume to /var/lib/mysql.
Make sure the service uses the following secrets: mysql_root_password and mysql_password.
Create the following environment variables:

  • MYSQL_ROOT_PASSWORD_FILE: Set it to the in-memory path to the mysql_root_password secret.
  • MYSQL_PASSWORD_FILE: Set it to the in-memory path to the mysql_password secret.
  • MYSQL_USER: Set it to myUser.
  • MYSQL_DATABASE: Set it to myDB.

Use the mysql:5.7 image.
