From 6e9ac8db59982b0e60c211608a8a1423b3ec8ab3 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Sat, 8 Apr 2017 01:43:40 -0700
Subject: [PATCH] docker: Support docker swarm secrets. (#3977)

Fixes #3896
---
 Dockerfile | 10 ++++++-
 Dockerfile.aarch64 | 10 ++++++-
 Dockerfile.armhf | 10 ++++++-
 buildscripts/docker-entrypoint.sh | 43 +++++++++++++++++++++++++++++++
 docs/docker/README.md | 31 ++++++++++++----------
 5 files changed, 87 insertions(+), 17 deletions(-)
 create mode 100755 buildscripts/docker-entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index 4dbfc540c..af9261a9c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,5 +15,13 @@ RUN \
 rm -rf /go/pkg /go/src /usr/local/go && apk del .build-deps

 EXPOSE 9000
-ENTRYPOINT ["minio"]
+
+COPY buildscripts/docker-entrypoint.sh /usr/bin/
+
+RUN chmod +x /usr/bin/docker-entrypoint.sh
+
+ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
+
 VOLUME ["/export"]
+
+CMD ["minio"]
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index e92905ecc..2334a73cf 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -15,5 +15,13 @@ RUN \
 rm -rf /go/pkg /go/src /usr/local/go && apk del .build-deps

 EXPOSE 9000
-ENTRYPOINT ["minio"]
+
+COPY buildscripts/docker-entrypoint.sh /usr/bin/
+
+RUN chmod +x /usr/bin/docker-entrypoint.sh
+
+ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
+
 VOLUME ["/export"]
+
+CMD ["minio"]
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index 6fab9a5ce..33e8b65ed 100644
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -15,5 +15,13 @@ RUN \
 rm -rf /go/pkg /go/src /usr/local/go && apk del .build-deps

 EXPOSE 9000
-ENTRYPOINT ["minio"]
+
+COPY buildscripts/docker-entrypoint.sh /usr/bin/
+
+RUN chmod +x /usr/bin/docker-entrypoint.sh
+
+ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
+
 VOLUME ["/export"]
+
+CMD ["minio"]
diff --git a/buildscripts/docker-entrypoint.sh b/buildscripts/docker-entrypoint.sh
new file mode 100755
index 000000000..6f893c069
--- /dev/null
+++ b/buildscripts/docker-entrypoint.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# Minio Cloud Storage, (C) 2017 Minio, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# if command starts with an option, prepend minio
+if [ "${1}" != "minio" ]; then
+ if [ -n "${1}" ]; then
+ set -- minio "$@"
+ fi
+fi
+
+## Look for swarm secrets in default location.
+file_env() {
+ local MINIO_ACCESS_KEY_FILE="/run/secrets/access_key"
+ local MINIO_SECRET_KEY_FILE="/run/secrets/secret_key"
+
+ if [ -f $MINIO_ACCESS_KEY_FILE -a -f $MINIO_SECRET_KEY_FILE ]; then
+ if [ -f $MINIO_ACCESS_KEY_FILE ]; then
+ export MINIO_ACCESS_KEY="$(cat "$MINIO_ACCESS_KEY_FILE")"
+ fi
+ if [ -f $MINIO_SECRET_KEY_FILE ]; then
+ export MINIO_SECRET_KEY="$(cat "$MINIO_SECRET_KEY_FILE")"
+ fi
+ fi
+}
+
+## Set env if necessary.
+file_env
+
+exec "$@"
diff --git a/docs/docker/README.md b/docs/docker/README.md
index 62961228f..522898f48 100644
--- a/docs/docker/README.md
+++ b/docs/docker/README.md
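Review bot: In `file_env` (buildscripts/docker-entrypoint.sh), a deployment that mounts only one of `/run/secrets/access_key` and `/run/secrets/secret_key` fails the outer test and falls through without a word, so the server presumably starts with keys from the environment or its auto-generated ones while the operator believes the swarm secrets are in effect. The rewrite below reports that half-configured case on stderr, drops the two inner `-f` tests that only repeat the outer condition, quotes the path expansions and replaces the obsolescent `-a` with `&&`. The exported keys also become part of the server's process environment and are inherited by anything it spawns, which is worth a comment for operators who chose secrets to keep the keys out of the environment. Separately, the comment `# if command starts with an option, prepend minio` does not describe the code, which prepends `minio` to any non-empty first argument other than `minio`.

```sh
file_env() {
    # … unchanged: the two local *_FILE path assignments …

    if [ -f "$MINIO_ACCESS_KEY_FILE" ] && [ -f "$MINIO_SECRET_KEY_FILE" ]; then
        export MINIO_ACCESS_KEY="$(cat "$MINIO_ACCESS_KEY_FILE")"
        export MINIO_SECRET_KEY="$(cat "$MINIO_SECRET_KEY_FILE")"
    elif [ -f "$MINIO_ACCESS_KEY_FILE" ] || [ -f "$MINIO_SECRET_KEY_FILE" ]; then
        # Only one of the two secrets is mounted: report it instead of
        # silently starting without the swarm-provided keys.
        echo "docker-entrypoint: only one of access_key/secret_key found in /run/secrets; ignoring it" >&2
    fi
}
```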
@@ -1,11 +1,9 @@ # Minio Docker Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io) [![Go Report Card](https://goreportcard.com/badge/minio/minio)](https://goreportcard.com/report/minio/minio) [![Docker Pulls](https://img.shields.io/docker/pulls/minio/minio.svg?maxAge=604800)](https://hub.docker.com/r/minio/minio/) [![codecov](https://codecov.io/gh/minio/minio/branch/master/graph/badge.svg)](https://codecov.io/gh/minio/minio) ## Prerequisites - Docker installed on your machine. Download the relevant installer from [here](https://www.docker.com/community-edition#/download). ## Run Standalone Minio on Docker. - Minio needs a persistent volume to store configuration and application data. However, for testing purposes, you can launch Minio by simply passing a directory (`/export` in the example below). This directory gets created in the container filesystem at the time of container start. But all the data is lost after container exits. ```sh @@ -15,7 +13,6 @@ docker run -p 9000:9000 minio/minio server /export To create a Minio container with persistent storage, you need to map local persistent directories from the host OS to virtual config `~/.minio` and export `/export` directories. To do this, run the below commands #### GNU/Linux and macOS - ```sh docker run -p 9000:9000 --name minio1 \ -v /mnt/export/minio1:/export \ @@ -24,7 +21,6 @@ docker run -p 9000:9000 --name minio1 \ ``` #### Windows - ```sh docker run -p 9000:9000 --name minio1 \ -v D:\export\minio1:/export \ 
@@ -33,7 +29,6 @@ docker run -p 9000:9000 --name minio1 \ ``` ## Run Distributed Minio on Docker - Distributed Minio can be deployed via [Docker Compose](https://docs.docker.com/compose/overview/) or [Swarm mode](https://docs.docker.com/engine/swarm/). The major difference between these two being, Docker Compose creates a single host, multi-container deployment, while Swarm mode creates a multi-host, multi-container deployment. This means Docker Compose lets you quickly get started with Distributed Minio on your computer - ideal for development, testing, staging environments. While deploying Distributed Minio on Swarm offers a more robust, production level deployment. @@ -44,11 +39,9 @@ This means Docker Compose lets you quickly get started with Distributed Minio on ## Minio Docker Tips ### Minio Custom Access and Secret Keys - To override Minio's auto-generated keys, you may pass secret and access keys explicitly as environment variables. Minio server also allows regular strings as access and secret keys. #### GNU/Linux and macOS - ```sh docker run -p 9000:9000 --name minio1 \ -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ @@ -59,8 +52,7 @@ docker run -p 9000:9000 --name minio1 \ ``` #### Windows - -```sh +```powershell docker run -p 9000:9000 --name minio1 \ -e "MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE" \ -e "MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" \ 
@@ -68,8 +60,23 @@ docker run -p 9000:9000 --name minio1 \ -v D:\export\minio1-config:/root/.minio \ minio/minio server /export ``` -### Retrieving Container ID +### Minio Custom Access and Secret Keys using Docker secrets +To override Minio's auto-generated keys, you may pass secret and access keys explicitly by creating access and secret keys as [Docker secrets](https://docs.docker.com/engine/swarm/secrets/). Minio server also allows regular strings as access and secret keys. + +``` +echo "AKIAIOSFODNN7EXAMPLE" | docker secret create access_key - +echo "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | docker secret create secret_key - +``` + +Create a Minio service using `docker service` to read from Docker secrets. +``` +docker service create --name="minio-service" --secret="access_key" --secret="secret_key" minio/minio server /export +``` + +Read more about `docker service` [here](https://docs.docker.com/engine/swarm/how-swarm-mode-works/services/) + +### Retrieving Container ID To use Docker commands on a specific container, you need to know the `Container ID` for that container. To get the `Container ID`, run ```sh @@ -79,7 +86,6 @@ docker ps -a `-a` flag makes sure you get all the containers (Created, Running, Exited). Then identify the `Container ID` from the output. ### Starting and Stopping Containers - To start a stopped container, you can use the [`docker start`](https://docs.docker.com/engine/reference/commandline/start/) command. ```sh @@ -87,13 +93,11 @@ docker start ``` To stop a running container, you can use the [`docker stop`](https://docs.docker.com/engine/reference/commandline/stop/) command. - ```sh docker stop ``` ### Minio container logs - To access Minio logs, you can use the [`docker logs`](https://docs.docker.com/engine/reference/commandline/logs/) command. ```sh 
@@ -101,7 +105,6 @@ docker logs ``` ### Monitor Minio Docker Container - To monitor the resources used by Minio container, you can use the [`docker stats`](https://docs.docker.com/engine/reference/commandline/stats/) command. ```sh