Prefacing this that Docker secrets were built for Docker Swarm and not for single containers. From the docs:
Note: Docker secrets are only available to swarm services, not to standalone containers. To use this feature, consider adapting your container to run as a service. Stateful containers can typically run with a scale of 1 without changing the container code.
Also, this is not completely secure as we will be using files on the host machine to feed at the build time, so if you're considering commiting this to your repository, commit just the secrets' file structure with no content.
Initial docker container that I used for a Laravel application:
mysql: image: mysql:8.0.22 container_name: mysql restart: unless-stopped tty: true volumes: - ./mysql:/var/lib/mysql ports: - "3307:3306" environment: MYSQL_DATABASE: db_name MYSQL_USER: user_name MYSQL_PASSWORD: db_password MYSQL_ROOT_PASSWORD: db_root_password SERVICE_TAGS: dev SERVICE_NAME: mysql
To use Docker Secrets, we need to create two files (for two passwords). I created it in the same level as the docker-compose.yml inside a folder
db_root_password.txt (commit at this point) and then add the passwords inside them.
Now let's change the docker container definition to this:
mysql: image: mysql:8.0.22 container_name: mysql restart: unless-stopped tty: true volumes: - ./mysql:/var/lib/mysql ports: - "3307:3306" environment: MYSQL_DATABASE: db_name MYSQL_USER: db_user MYSQL_PASSWORD_FILE: /run/secrets/db_password MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password SERVICE_TAGS: dev SERVICE_NAME: mysql secrets: - db_password - db_root_password secrets: db_password: file: ./secrets/db_password.txt db_root_password: file: ./secrets/db_root_password.txt
secrets section on your docker-compose.yml with the file locations and then in the
mysql section, we'll just use those without the extension during runtime.
Important thing to note is that
MYSQL_ROOT_PASSWORD have been replaced by
docker-compose up -d and your MySQL installation should be using these passwords from the files :)