12th chunk of `content/manuals/engine/swarm/secrets.md`
    [rotating the secret](#example-rotate-a-secret).

    Go ahead and write a blog post or two and install a WordPress plugin or
    theme to verify that WordPress is fully operational and its state is saved
    across service restarts.

8.  Do not clean up any services or secrets if you intend to proceed to the next
    example, which demonstrates how to rotate the MySQL root password.

### Example: Rotate a secret

This example builds upon the previous one. In this scenario, you create a new
secret with a new MySQL password, update the `mysql` and `wordpress` services to
use it, then remove the old secret.

> [!NOTE]
>
> Changing the password on a MySQL database involves running extra
> queries or commands, as opposed to just changing a single environment variable
> or a file, since the image only sets the MySQL password if the database doesn’t
> already exist, and MySQL stores the password within a MySQL database by default.
> Rotating passwords or other secrets may involve additional steps outside of
> Docker.

1.  Create the new password and store it as a secret named `mysql_password_v2`.

    ```console
    $ openssl rand -base64 20 | docker secret create mysql_password_v2 -
    ```

2.  Update the MySQL service to give it access to both the old and new secrets.
    Remember that you cannot update or rename a secret, but you can revoke a
    secret and grant access to it using a new target filename.

    ```console
    $ docker service update \
         --secret-rm mysql_password mysql

    $ docker service update \
         --secret-add source=mysql_password,target=old_mysql_password \
         --secret-add source=mysql_password_v2,target=mysql_password \
         mysql
    ```

    Updating a service causes it to restart, and when the MySQL service restarts
    the second time, it has access to the old secret under
    `/run/secrets/old_mysql_password` and the new secret under
    `/run/secrets/mysql_password`.

    Even though the MySQL service has access to both the old and new secrets
    now, the MySQL password for the WordPress user has not yet been changed.

    > [!NOTE]
    >
    > This example does not rotate the MySQL `root` password.

3.  Now, change the MySQL password for the `wordpress` user using the
    `mysqladmin` CLI. This command reads the old and new password from the files
    in `/run/secrets` but does not expose them on the command line or save them
    in the shell history.

    Do this quickly and move on to the next step: as soon as the password
    changes, WordPress loses the ability to connect to MySQL until its service
    is updated to use the new secret.

    First, find the ID of the `mysql` container task.

    ```console
    $ docker ps --filter name=mysql -q

    c7705cf6176f
    ```

    Substitute the ID in the command below, or use the second variant which
    uses shell expansion to do it all in a single step.

    ```console
    $ docker container exec <CONTAINER_ID> \
        bash -c 'mysqladmin --user=wordpress --password="$(< /run/secrets/old_mysql_password)" password "$(< /run/secrets/mysql_password)"'
    ```

    Or:

    ```console
    $ docker container exec $(docker ps --filter name=mysql -q) \
        bash -c 'mysqladmin --user=wordpress --password="$(< /run/secrets/old_mysql_password)" password "$(< /run/secrets/mysql_password)"'
    ```

4.  Update the `wordpress` service to use the new password, keeping the target
    path at `/run/secrets/wp_db_password`. This triggers a rolling restart of
    the WordPress service and the new secret is used.

    ```console
    $ docker service update \
         --secret-rm mysql_password \
         --secret-add source=mysql_password_v2,target=wp_db_password \
         wordpress
    ```

5.  Verify that WordPress works by browsing to http://localhost:30000/ on any
    swarm node again. Use the WordPress username and password
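The five steps above, plus the final removal of the old secret that this example's introduction calls for, as one script. This is an added example, not code from the Docker documentation. It assumes the service, secret and target names used in the walkthrough (`mysql`, `wordpress`, `mysql_password`, `mysql_password_v2`, `wp_db_password`), that `openssl` and `curl` are available where it runs, and that it runs on the node hosting the `mysql` task so `docker ps` can find it. The `APPLY` switch and the `run` wrapper are this example's own.

```shell
#!/bin/sh
# Added example, not from the Docker documentation: the secret rotation from
# steps 1-5 as one script. Without APPLY=1 it only prints the commands it
# would run, so the plan can be reviewed before anything touches the swarm.
set -eu

# Runs the command when APPLY=1; otherwise prints it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: the new password goes to `docker secret create` on stdin, so it never
# appears in a command line, the process list, or shell history.
create_new_secret() {
  if [ "${APPLY:-0}" = "1" ]; then
    openssl rand -base64 20 | docker secret create mysql_password_v2 -
  else
    echo "openssl rand -base64 20 | docker secret create mysql_password_v2 -"
  fi
}

# Step 2: keep the old secret reachable under a new target name and mount the
# new one at the path the container already reads (/run/secrets/mysql_password).
grant_both_to_mysql() {
  run docker service update --secret-rm mysql_password mysql
  run docker service update \
    --secret-add source=mysql_password,target=old_mysql_password \
    --secret-add source=mysql_password_v2,target=mysql_password \
    mysql
}

# Step 3: change the wordpress user's password inside the running task. Both
# values are read from /run/secrets by the quoted bash command inside the
# container; the host side never sees them. <CONTAINER_ID> is a placeholder
# used only when printing the plan.
change_db_password() {
  cid='<CONTAINER_ID>'
  if [ "${APPLY:-0}" = "1" ]; then
    cid="$(docker ps --filter name=mysql -q | head -n 1)"
    if [ -z "$cid" ]; then
      echo "no mysql task is running on this node; run this on the node that hosts it" >&2
      return 1
    fi
  fi
  run docker container exec "$cid" bash -c \
    'mysqladmin --user=wordpress --password="$(< /run/secrets/old_mysql_password)" password "$(< /run/secrets/mysql_password)"'
}

# Step 4: switch wordpress to the new secret at its existing target path. This
# rolls the wordpress tasks and closes the window opened in step 3.
update_wordpress() {
  run docker service update \
    --secret-rm mysql_password \
    --secret-add source=mysql_password_v2,target=wp_db_password \
    wordpress
}

# Step 5: confirm WordPress answers again. The retries cover the rolling
# restart. Nothing is removed until this passes, so a failed rotation can still
# be backed out by reversing step 3 with the old secret still mounted.
verify_wordpress() {
  if [ "${APPLY:-0}" != "1" ]; then
    echo "curl -fsS -o /dev/null http://localhost:30000/"
    return 0
  fi
  n=0
  while [ "$n" -lt 30 ]; do
    curl -fsS -o /dev/null http://localhost:30000/ && return 0
    n=$((n + 1)); sleep 2
  done
  echo "WordPress did not come back within 60s; leaving mysql_password in place" >&2
  return 1
}

# Cleanup: a secret cannot be removed while a service still references it, so
# revoke the old grant (matched by source name) from mysql before deleting it.
remove_old_secret() {
  run docker service update --secret-rm mysql_password mysql
  run docker secret rm mysql_password
}

rotate_mysql_password() {
  create_new_secret
  grant_both_to_mysql
  change_db_password
  update_wordpress
  verify_wordpress
  remove_old_secret
}

# Usage: sh rotate_mysql_secret.sh          # print the plan only
#        APPLY=1 sh rotate_mysql_secret.sh  # perform the rotation
rotate_mysql_password
```

Run it once without `APPLY=1` to read the eight commands it would issue, then with `APPLY=1` to perform the rotation. Steps 3 and 4 run back to back, which keeps the window in which WordPress cannot reach MySQL as short as the two service updates allow, and the old secret is only revoked and deleted after the HTTP check succeeds. Because `set -e` is in effect, a failing step stops the script with the old secret still granted to `mysql`.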
