Merge pull request #19029 from dvdksn/swarm-fix-revoke-mysql-pw-access

swarm fix revoke mysql pw access

content/engine/swarm/secrets.md

@@ -214,7 +214,7 @@ real-world example, continue to
 
 5.  Verify that the secret is not available if you commit the container.
 
-    ```none
+    ```console
     $ docker commit $(docker ps --filter name=redis -q) committed_redis
 
     $ docker run --rm -it committed_redis cat /run/secrets/my_secret_data
@@ -249,7 +249,7 @@ real-world example, continue to
     to the secret. The container ID is different, because the
     `service update` command redeploys the service.
 
-    ```none
+    ```console
     $ docker container exec -it $(docker ps --filter name=redis -q) cat /run/secrets/my_secret_data
 
     cat: can't open '/run/secrets/my_secret_data': No such file or directory
@@ -284,24 +284,24 @@ This example assumes that you have PowerShell installed.
 
 2.  If you have not already done so, initialize or join the swarm.
 
-    ```powershell
+    ```console
-    docker swarm init
+    > docker swarm init
     ```
 
 3.  Save the `index.html` file as a swarm secret named `homepage`.
 
-    ```powershell
+    ```console
-    docker secret create homepage index.html
+    > docker secret create homepage index.html
     ```
 
 4.  Create an IIS service and grant it access to the `homepage` secret.
 
-    ```powershell
+    ```console
-    docker service create
+    > docker service create `
-        --name my-iis
+        --name my-iis `
-        --publish published=8000,target=8000
+        --publish published=8000,target=8000 `
-        --secret src=homepage,target="\inetpub\wwwroot\index.html"
+        --secret src=homepage,target="\inetpub\wwwroot\index.html" `
-        microsoft/iis:nanoserver  
+        microsoft/iis:nanoserver
     ```
 
     > **Note**
@@ -315,10 +315,10 @@ This example assumes that you have PowerShell installed.
 
 6.  Remove the service and the secret.
 
-    ```powershell
+    ```console
-    docker service rm my-iis
+    > docker service rm my-iis
-    docker secret rm homepage
+    > docker secret rm homepage
-    docker image remove secret-test
+    > docker image remove secret-test
     ```
 
 ### Intermediate example: Use secrets with a Nginx service
@@ -360,7 +360,7 @@ generate the site key and certificate, name the files `site.key` and
     the following contents into it. This constrains the root CA to signing leaf
     certificates and not intermediate CAs.
 
-    ```none
+    ```ini
     [root_ca]
     basicConstraints = critical,CA:TRUE,pathlen:1
     keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
@@ -394,7 +394,7 @@ generate the site key and certificate, name the files `site.key` and
     certificate so that it can only be used to authenticate a server and
     can't be used to sign certificates.
 
-    ```none
+    ```ini
     [server]
     authorityKeyIdentifier=keyid,issuer
     basicConstraints = critical,CA:FALSE
@@ -425,7 +425,7 @@ generate the site key and certificate, name the files `site.key` and
     In the current directory, create a new file called `site.conf` with the
     following contents:
 
-    ```none
+    ```nginx
     server {
         listen                443 ssl;
         server_name           localhost;
@@ -748,11 +748,6 @@ line.
     wvnh0siktqr3  mysql  replicated  1/1       mysql:latest
     ```
 
-    At this point, you could actually revoke the `mysql` service's access to the
-    `mysql_password` and `mysql_root_password` secrets because the passwords
-    have been saved in the MySQL system database. Don't do that for now, because
-    we use them later to facilitate rotating the MySQL password.
-
 5.  Now that MySQL is set up, create a WordPress service that connects to the
     MySQL service. The WordPress service has the following characteristics:
 
@@ -768,9 +763,7 @@ line.
       nodes.
     - Has access to the `mysql_password` secret, but specifies a different
       target file name within the container. The WordPress container uses
-      the mount point `/run/secrets/wp_db_password`. Also specifies that the
+      the mount point `/run/secrets/wp_db_password`.
-      secret is not group-or-world-readable, by setting the mode to
-      `0400`.
     - Sets the environment variable `WORDPRESS_DB_PASSWORD_FILE` to the file
       path where the secret is mounted. The WordPress service reads the
       MySQL password string from that file and add it to the `wp-config.php`
@@ -788,7 +781,7 @@ line.
          --network mysql_private \
          --publish published=30000,target=80 \
          --mount type=volume,source=wpdata,destination=/var/www/html \
-         --secret source=mysql_password,target=wp_db_password,mode=0400 \
+         --secret source=mysql_password,target=wp_db_password \
          -e WORDPRESS_DB_USER="wordpress" \
          -e WORDPRESS_DB_PASSWORD_FILE="/run/secrets/wp_db_password" \
          -e WORDPRESS_DB_HOST="mysql:3306" \
@@ -913,14 +906,13 @@ use it, then remove the old secret.
     ```
 
 4.  Update the `wordpress` service to use the new password, keeping the target
-    path at `/run/secrets/wp_db_password` and keeping the file permissions at
+    path at `/run/secrets/wp_db_password`. This triggers a rolling restart of
-    `0400`.  This triggers a rolling restart of the WordPress service and
+    the WordPress service and the new secret is used.
-    the new secret is used.
 
     ```console
     $ docker service update \
          --secret-rm mysql_password \
-         --secret-add source=mysql_password_v2,target=wp_db_password,mode=0400 \
+         --secret-add source=mysql_password_v2,target=wp_db_password \
          wordpress    
     ```
 
@@ -1041,4 +1033,4 @@ Each service uses environment variables to specify where the service should look
 for that secret data.
 
 More information on short and long syntax for secrets can be found in the
-[Compose Specification](../../compose/compose-file/09-secrets.md).
+[Compose Specification](../../compose/compose-file/09-secrets.md).