Inception
Hello everyone. This article is part of The Swarm series. The knowledge in this series is built in sequence, so check out The Swarm series.
In the last article, we covered troubleshooting: how to find the exact issue and fix it using the Docker CLI and the Play-with-Docker lab.
Overview
In this article, we will complete The Swarm tutorials by explaining how to use and manage config objects, how to store secrets securely, and how to use both in your deployment. This lab also uses the Play-with-Docker lab.
Docker Config Overview
A config object is a file that stores configuration you want to share among multiple container services. The config file can store any type of data (e.g. JSON, key-value, XML).
The value of using a config file is consistency across all the services and containers that use the same configuration data. This helps to avoid configuration errors and reduces the risk of downtime. See the Docker config docs.
Docker Secret Overview
Secrets are almost exactly like configs. "Secrets are encrypted throughout their lifetime in the cluster. The data is stored encrypted in the database shared by the managers, and secrets are only delivered to nodes that are scheduled to run replicas that need the secret. Secrets are encrypted in transit from the manager node to the worker, and they are only unencrypted inside the container, where they appear with the original file contents."
“The key difference with secrets is that you can only read them in plain text at one point in the workflow: inside the container when they are loaded from the Swarm.”
-Docker in a month of lunches-
Deployment Example
In this example, we will deploy MongoDB and Mongo_Express container services, store the configs and secrets in external files, and load them into the swarm database so that the secret is secure and does not appear in clear text. We will be using Play-with-Docker labs, Docker Swarm mode, a Docker Compose file, config and secret files, and the Docker CLI.
- Open Play-with-Docker labs, and create the below environment:
- Create a config file called `mongo_config.txt` that holds the common configs, including the username and the path to the password file:

```text
MONGO_INITDB_ROOT_USERNAME=admin
MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_password
```

- Create a secret file with the MongoDB password called `mongo_password.txt` with the following content:

```text
supersecretpassword
```

- Create a secret object from the secret file:

```sh
docker secret create mongo_password mongo_password.txt
```

- Create a config object from the config file:

```sh
docker config create mongo_config mongo_config.txt
```

- Check the secrets in the cluster:

```sh
docker secret ls
```

- Check the configs in the cluster:

```sh
docker config ls
```

- Inspect the secret with the pretty flag using the following:

```sh
docker secret inspect --pretty mongo_password
```

  Note that the inspection doesn't print out the secret file content.

- Inspect the config with the pretty flag using the following:

```sh
docker config inspect --pretty mongo_config
```

  Note that the inspection prints out the content of the config file, because configs are not secured the way secrets are.

- Create a Docker Compose file called `docker-compose.yml` with the MongoDB and Mongo_Express services, and reference the config and secret objects:
```yaml
version: "3.7"
services:
  mongo:
    image: mongo:4.4
    configs:
      # the config object is mounted as a file at the target path
      - source: mongo_config
        target: /docker-entrypoint-initdb.d/mongo_config.txt
    environment:
      MONGO_INITDB_DATABASE: test
    secrets:
      # each secret is mounted at /run/secrets/<name> inside the container
      - mongo_password
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
  mongo-express:
    image: mongo-express:0.54
    ports:
      - "8081:8081"
    environment:
      ME_CONFIG_MONGODB_ADMINUSERNAME_FILE: /run/secrets/mongo_admin_username
      ME_CONFIG_MONGODB_ADMINPASSWORD_FILE: /run/secrets/mongo_password
      ME_CONFIG_MONGODB_SERVER: mongo
      ME_CONFIG_BASICAUTH_USERNAME_FILE: /run/secrets/me_username
      ME_CONFIG_BASICAUTH_PASSWORD_FILE: /run/secrets/me_password
    secrets:
      - mongo_password
      - mongo_admin_username
      - me_username
      - me_password
    deploy:
      replicas: 1
      placement:
        constraints:
          - node.role == manager
# external: true means the object must already exist in the swarm
secrets:
  mongo_password:
    external: true
  mongo_admin_username:
    external: true
  me_username:
    external: true
  me_password:
    external: true
configs:
  mongo_config:
    external: true
```
- An important hint: once you create a secret you cannot update it, so we will create the other secrets that are mentioned in the YAML file as below:

```sh
echo "mongo_pass" | docker secret create me_password -
echo "mongo_user" | docker secret create me_username -
echo "admin" | docker secret create mongo_admin_username -
```

- Deploy the stack to the Swarm cluster using the following:

```sh
docker stack deploy -c docker-compose.yml myapp
```

- List the stacks:

```sh
docker stack ls
```

- Get the stack services:

```sh
docker stack services myapp
```

- Get more info about the services:

```sh
docker stack ps myapp
```

As shown, the container services are up and running.
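A preflight check that could run before the `docker stack deploy` step above, as an added example that is not part of the original article: it lists the `external: true` secrets still missing from the swarm and flags credential-looking environment keys that hold an inline value instead of a `*_FILE` path. The function names, the constructed sample stack file and its inline `ME_CONFIG_BASICAUTH_PASSWORD` value are assumptions for illustration, and the parsing assumes map-style YAML with two-space indentation like the file above.

```shell
# Added example: preflight checks for a stack file (map-style YAML, 2-space indent assumed).
# external_secrets FILE: names under the top-level `secrets:` key marked `external: true`.
external_secrets() {
  awk '
    /^[^ #]/ { top = $1; next }
    top == "secrets:" && /^  [^ ]+:[ ]*$/ { name = $1; sub(/:$/, "", name); next }
    top == "secrets:" && /^    external:[ ]*true[ ]*$/ { print name }
  ' "$1"
}
# missing_secrets FILE LIST: external secrets the stack needs that are absent from LIST
# (one name per line, e.g. saved from: docker secret ls --format '{{.Name}}').
missing_secrets() {
  external_secrets "$1" | while IFS= read -r name; do
    grep -qxF -- "$name" "$2" || printf '%s\n' "$name"
  done
}
# cleartext_env FILE: credential-looking keys in a service `environment:` map that
# hold an inline value instead of a *_FILE path under /run/secrets.
cleartext_env() {
  awk '
    { lead = $0; sub(/[^ ].*/, "", lead); indent = length(lead) }
    indent == 4 && $1 == "environment:" { env = 1; next }
    NF && indent <= 4 { env = 0 }
    env && indent == 6 {
      key = $1; sub(/:.*/, "", key)
      if (key ~ /PASSWORD|SECRET|TOKEN/ && key !~ /_FILE$/) print key
    }
  ' "$1"
}
# Constructed sample: part of the stack file above plus one inline password.
write_sample() {
  cat > "$1" <<'EOF'
services:
  mongo-express:
    environment:
      ME_CONFIG_MONGODB_ADMINPASSWORD_FILE: /run/secrets/mongo_password
      ME_CONFIG_BASICAUTH_PASSWORD: constructed-inline-value
secrets:
  mongo_password:
    external: true
  me_password:
    external: true
EOF
}

tmp=$(mktemp -d); write_sample "$tmp/stack.yml"
printf 'mongo_password\n' > "$tmp/existing.txt"   # constructed stand-in for the swarm's secret list
echo "missing secrets: $(missing_secrets "$tmp/stack.yml" "$tmp/existing.txt")"
echo "inline credentials: $(cleartext_env "$tmp/stack.yml")"
rm -rf "$tmp"
```

On a manager node, give `missing_secrets` the real list with `docker secret ls --format '{{.Name}}' > existing.txt`.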
Summary of steps
- Create a config object file.
- Create a secret object file.
- Create a secret object from the file content.
- Create a config object from the file content.
- List and inspect the config and the secret, and ensure that the secret is secured and does not appear as clear text.
- Create a Docker Compose YAML file for the stack deployment.
- Manually create the missing secrets, because once you create a secret you cannot update it.
- Deploy the stack using the Docker Compose YAML file and the Docker CLI.
- Print out the deployed services and ensure the services are up and running.
That's it. Very straightforward, very fast🚀. I hope this article inspired you, and I will appreciate your feedback. Thank you.