Hello everyone. This article is part of The Swarm series. The knowledge in this series builds in sequence, so check out the rest of The Swarm series.
In this article, we complete the Swarm tutorials by explaining how to use and manage config objects, and how to store secrets securely and use them in your deployment. This lab also uses the Play-with-Docker lab.
A config object is a file that stores configuration you want to share among multiple container services. A config file can store any type of data (e.g. JSON, key-value pairs, XML).
The value of a config object is consistency across all the services and containers that use the same configuration data. This helps avoid configuration errors and reduces the risk of downtime. See the Docker config docs.
Secrets are almost exactly like configs: "Secrets are encrypted throughout their lifetime in the cluster. The data is stored encrypted in the database shared by the managers, and secrets are only delivered to nodes that are scheduled to run replicas that need the secret. Secrets are encrypted in transit from the manager node to the worker, and they are only unencrypted inside the container, where they appear with the original file contents."
“The key difference with secrets is that you can only read them in plain text at one point in the workflow: inside the container when they are loaded from the Swarm.”
-Docker in a month of lunches-
In this example we deploy MongoDB and Mongo_Express container services, store the configs and secrets in external files, and load them into the swarm database so that the secret is secure and does not appear in clear text. We will use Play-with-Docker labs, Docker Swarm mode, a Docker Compose file, config and secret files, and the Docker CLI.
Open Play-with-Docker labs and create the environment below:
Create a config object file called `mongo_config.txt` that has the common configs, including the username and the path to the password file.
* Create a secret object file with the MongoDB password called `mongo_password.txt` with the following content
Create a secret object from the secret file:

```shell
docker secret create mongo_password mongo_password.txt
```

Create a config object from the config file:

```shell
docker config create mongo_config mongo_config.txt
```

Check the secrets in the cluster:

```shell
docker secret ls
```

Check the configs in the cluster:

```shell
docker config ls
```

Inspect the secret with the pretty flag:

```shell
docker secret inspect --pretty mongo_password
```

Note that the inspection does not print the content of the secret file.

Inspect the config with the pretty flag:

```shell
docker config inspect --pretty mongo_config
```

Note that the inspection prints the content of the config file, because configs are not secured the way secrets are.
- Create a Docker Compose file called docker-compose.yml with the MongoDB and Mongo_Express services, and reference the config and secret objects.
```yaml
version: "3.7"
services:
  mongo:
    image: mongo:4.4
    configs:
      - source: mongo_config
        target: /docker-entrypoint-initdb.d/mongo_config.txt
    environment:
      MONGO_INITDB_DATABASE: test
    secrets:
      - mongo_password
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
  mongo-express:
    image: mongo-express:0.54
    ports:
      - "8081:8081"
    environment:
      ME_CONFIG_MONGODB_ADMINUSERNAME_FILE: /run/secrets/mongo_admin_username
      ME_CONFIG_MONGODB_ADMINPASSWORD_FILE: /run/secrets/mongo_password
      ME_CONFIG_MONGODB_SERVER: mongo
      ME_CONFIG_BASICAUTH_USERNAME_FILE: /run/secrets/me_username
      ME_CONFIG_BASICAUTH_PASSWORD_FILE: /run/secrets/me_password
    secrets:
      - mongo_password
      - mongo_admin_username
      - me_username
      - me_password
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
secrets:
  mongo_password:
    external: true
  mongo_admin_username:
    external: true
  me_username:
    external: true
  me_password:
    external: true
configs:
  mongo_config:
    external: true
```
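The compose file hands secrets to mongo-express as paths in `*_FILE` variables. As an added example (not code from this article or from either image), this is one way a container entrypoint can turn such a variable into its value; the function name `resolve_file_env` is an assumption.

```shell
#!/bin/sh
# Added example (not taken from the mongo or mongo-express images): resolve
# VAR_FILE into VAR at container start, the pattern the *_FILE variables in
# the compose file rely on. The function name is hypothetical.

# resolve_file_env VAR
#   If VAR_FILE is set, export VAR with that file's content and unset VAR_FILE.
#   Returns 1 if both VAR and VAR_FILE are set or the file cannot be read,
#   2 if VAR is not a valid variable name.
resolve_file_env() {
    var=${1-}
    # Validate the name before it reaches eval.
    case "$var" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name: $var" >&2
            return 2 ;;
    esac
    eval "direct=\${$var-} path=\${${var}_FILE-}"
    if [ -n "$direct" ] && [ -n "$path" ]; then
        echo "error: $var and ${var}_FILE are both set; use only one" >&2
        return 1
    fi
    [ -n "$path" ] || return 0          # nothing to load
    if [ ! -r "$path" ]; then
        echo "error: ${var}_FILE=$path is not readable" >&2
        return 1
    fi
    # $(...) drops trailing newlines, such as the one `echo` appends when a
    # secret is created with `echo "value" | docker secret create name -`.
    value=$(cat "$path") || return 1
    export "$var=$value"
    unset "${var}_FILE" direct value path
}

# Typical use in an entrypoint, before exec'ing the real process:
#   resolve_file_env ME_CONFIG_BASICAUTH_PASSWORD || exit 1
```

Once exported, the value is visible in the process environment, so an application that can read `/run/secrets/<name>` directly should do that instead.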
- An important hint: once you create a secret you cannot update it, so we create the other secrets that are referenced in the YAML file as below:

```shell
echo "mongo_pass" | docker secret create me_password -
echo "mongo_user" | docker secret create me_username -
echo "admin" | docker secret create mongo_admin_username -
```
- Deploy the stack to the Swarm cluster using the following:

```shell
docker stack deploy -c docker-compose.yml myapp
```

List the stacks:

```shell
docker stack ls
```

Get the stack's services:

```shell
docker stack services myapp
```

More info about the services:

```shell
docker stack ps myapp
```

As is clear, the container services are up and running.
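Because a secret cannot be updated once created, changing a password means creating a new secret and swapping it into the services that mount it. The following is an added example, not part of the original article; the function name `rotate_secret`, the `_v2` suffix and `new_password.txt` are assumptions, and the service names follow from deploying the stack as `myapp`.

```shell
#!/bin/sh
# Added example: rotate a Swarm secret. Secrets are immutable, so the new
# value is stored under a new name and swapped into each service while the
# file name under /run/secrets stays the same.

# rotate_secret OLD NEW TARGET FILE SERVICE...   (hypothetical helper)
#   OLD      secret currently attached (e.g. mongo_password)
#   NEW      name for the replacement (e.g. mongo_password_v2)
#   TARGET   file name the containers read under /run/secrets
#   FILE     local file holding the new value
#   SERVICE  every service that mounts OLD (e.g. myapp_mongo)
rotate_secret() {
    if [ "$#" -lt 5 ]; then
        echo "usage: rotate_secret OLD NEW TARGET FILE SERVICE..." >&2
        return 2
    fi
    old=$1 new=$2 target=$3 file=$4
    shift 4
    if [ "$old" = "$new" ]; then
        echo "error: NEW must differ from OLD; a secret cannot be updated" >&2
        return 2
    fi
    if [ ! -s "$file" ]; then
        echo "error: $file is missing or empty" >&2
        return 2
    fi

    # 1. Store the new value under the new name.
    docker secret create "$new" "$file" >/dev/null || return 1

    # 2. Swap it into each service; target= keeps the in-container path stable.
    for service in "$@"; do
        if ! docker service update \
                --secret-rm "$old" \
                --secret-add "source=$new,target=$target" \
                "$service" >/dev/null; then
            echo "error: update of $service failed; $old left in place" >&2
            return 1
        fi
    done

    # 3. No service references the old secret any more, so remove it.
    docker secret rm "$old" >/dev/null
}

# Example call for this article's stack (stack name myapp):
#   rotate_secret mongo_password mongo_password_v2 mongo_password \
#       new_password.txt myapp_mongo myapp_mongo-express
```

After rotating, point the `secrets:` entries in `docker-compose.yml` at the new name, because the next `docker stack deploy` would otherwise look for the removed `mongo_password`. Swarm only delivers the new value; the password of the MongoDB user itself still has to be changed in the database to match.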
Create a config object file.
Create a secret object file.
Create a secret object from the file content.
Create a config object from the file content.
List and inspect our config and secret, and ensure that the secret is secured and does not appear in clear text.
Create a Docker-compose YAML file for the stack deployment.
Manually create the missing secrets, because once you create a secret you cannot update it.
Deploy the stack using the docker-compose YAML file and Docker CLI.
Print out the deployed services and ensure the services are up and running.
That’s it: very straightforward, very fast🚀. I hope this article inspired you, and I will appreciate your feedback. Thank you.