DEV Community

adithyasrinivasan
adithyasrinivasan

Posted on • Originally published at adithya.dev on

Using Docker secrets with MySQL in Docker Compose

Prefacing this that Docker secrets were built for Docker Swarm and not for single containers. From the docs:

Note : Docker secrets are only available to swarm services, not to standalone containers. To use this feature, consider adapting your container to run as a service. Stateful containers can typically run with a scale of 1 without changing the container code.

Also, this is not completely secure as we will be using files on the host machine to feed at the build time, so if you're considering commiting this to your repository, commit just the secrets' file structure with no content.

Initial docker container that I used for a Laravel application:

mysql:
    image: mysql:8.0.22
    container_name: mysql
    restart: unless-stopped
    tty: true
    volumes:
      - ./mysql:/var/lib/mysql
    ports:
      - "3307:3306"
    environment:
      MYSQL_DATABASE: db_name
      MYSQL_USER: user_name
      MYSQL_PASSWORD: db_password
      MYSQL_ROOT_PASSWORD: db_root_password
      SERVICE_TAGS: dev
      SERVICE_NAME: mysql

Enter fullscreen mode Exit fullscreen mode

To use Docker Secrets, we need to create two files (for two passwords). I created it in the same level as the docker-compose.yml inside a folder secrets named db_password.txt and db_root_password.txt (commit at this point) and then add the passwords inside them.

Now let's change the docker container definition to this:

mysql:
    image: mysql:8.0.22
    container_name: mysql
    restart: unless-stopped
    tty: true
    volumes:
      - ./mysql:/var/lib/mysql
    ports:
      - "3307:3306"
    environment:
      MYSQL_DATABASE: db_name
      MYSQL_USER: db_user
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      SERVICE_TAGS: dev
      SERVICE_NAME: mysql
    secrets:
      - db_password
      - db_root_password


secrets:
  db_password:
    file: ./secrets/db_password.txt
  db_root_password:
    file: ./secrets/db_root_password.txt
Enter fullscreen mode Exit fullscreen mode

Define a secrets section on your docker-compose.yml with the file locations and then in the mysql section, we'll just use those without the extension during runtime.

Important thing to note is that MYSQL_PASSWORD and MYSQL_ROOT_PASSWORD have been replaced by MYSQL_PASSWORD_FILE and MYSQL_ROOT_PASSWORD_FILE

Run docker-compose up -d and your MySQL installation should be using these passwords from the files :)

Top comments (0)