Docker Swarm Series: #6 Managing config and secret objects


Hello everyone. This article is part of the Swarm series. The knowledge in this series is built in sequence, so check out the Swarm series.

In the last article, we covered troubleshooting: how to find the exact issue and fix it using the Docker CLI and the Play-with-Docker lab.


In this article, we will complete the Swarm tutorials by explaining how to use and manage config objects, and how to store secrets securely and use them in your deployment. This lab also uses the Play-with-Docker lab.

Docker Config Overview

A config object is a file that stores configuration you want to share among multiple container services. This config file can store any type of data (e.g. JSON, key-value pairs, XML).

The value of a config object is that it ensures consistency across all the services and containers that use the same configuration data. This helps to avoid configuration errors and reduces the risk of downtime. See the Docker config docs.

Docker Secret Overview

Secrets are almost exactly like configs: "Secrets are encrypted throughout their lifetime in the cluster. The data is stored encrypted in the database shared by the managers, and secrets are only delivered to nodes that are scheduled to run replicas that need the secret. Secrets are encrypted in transit from the manager node to the worker, and they are only unencrypted inside the container, where they appear with the original file contents."

“The key difference with secrets is that you can only read them in plain text at one point in the workflow: inside the container when they are loaded from the Swarm.”
-Docker in a month of lunches-
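
Inside the container a secret is an ordinary file under /run/secrets/, which is why the compose file later in this article hands mongo-express *_FILE variables instead of the values themselves. The sketch below is an added example, not code from the article or from either image: resolve_secret is a hypothetical helper showing how an entrypoint script can turn NAME_FILE into a value, and the temp-file path stands in for /run/secrets/me_password.

```shell
#!/bin/sh
# Added example, not part of the article. Resolves NAME from either $NAME or
# the file named by $NAME_FILE (the convention used in the compose file).

# resolve_secret NAME -> prints the value on stdout.
# Status: 0 ok, 1 bad name, 2 both NAME and NAME_FILE set, 3 unreadable file.
resolve_secret() (
  name=$1
  # Only accept a plain variable name, because it is passed to eval below.
  case $name in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "error: invalid name" >&2; return 1 ;;
  esac
  eval "direct=\${$name:-}; path=\${${name}_FILE:-}"

  if [ -n "$direct" ] && [ -n "$path" ]; then
    # Refuse ambiguity instead of silently preferring one source.
    echo "error: $name and ${name}_FILE are both set" >&2
    return 2
  fi
  if [ -n "$path" ]; then
    if [ ! -r "$path" ]; then
      echo "error: ${name}_FILE points at unreadable file: $path" >&2
      return 3
    fi
    # $(cat ...) drops trailing newlines, so a secret created with
    # `echo value | docker secret create name -` resolves to "value".
    printf '%s' "$(cat "$path")"
    return 0
  fi
  printf '%s' "$direct"
)

# Demo on a constructed secret file; in a Swarm task the path would be
# /run/secrets/me_password. Runs in a subshell so nothing leaks out.
(
  dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
  echo "mongo_pass" > "$dir/me_password"
  ME_CONFIG_BASICAUTH_PASSWORD_FILE=$dir/me_password
  printf 'resolved: [%s]\n' "$(resolve_secret ME_CONFIG_BASICAUTH_PASSWORD)"
)
```

Failing on a missing file or on a double definition keeps a misconfigured task from starting with an empty or unintended credential.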

Deployment Example

In this example we will deploy MongoDB and Mongo_Express container services, store the configs and secrets in external files, and load them into the swarm database so that the secret is secure and does not appear in clear text. We will be using Play-with-Docker labs, Docker Swarm mode, a Docker Compose file, config and secret files, and the Docker CLI.

  • Open Play-with-Docker labs and create the environment below:

  • Create a config file called mongo_config.txt that has the common configs, including the username and the path to the password file.

  • Create a secret file with the MongoDB password called mongo_password.txt with the following content

  • Create a secret object from the secret file created:

    $ docker secret create mongo_password mongo_password.txt

  • Create a config object from the config file created:

    docker config create mongo_config mongo_config.txt

  • Check the secrets in the cluster:

    docker secret ls

  • Check the configs in the cluster:

    docker config ls

  • Inspect the secret with the --pretty flag:

    docker secret inspect --pretty mongo_password

Note that the inspection doesn’t print out the secret file content.

  • Inspect the config with the --pretty flag:

    docker config inspect --pretty mongo_config

Note that the inspection prints out the content of the config file, because a config is not protected the way a secret is.

  • Create a Docker Compose file called docker-compose.yml with the MongoDB and Mongo_Express services, and reference the config and secret objects.

    version: "3.7"

    services:
      mongo:                      # service key assumed
        image: mongo:4.4
        configs:
          - source: mongo_config
            target: /docker-entrypoint-initdb.d/mongo_config.txt
        secrets:
          - mongo_password
        deploy:
          replicas: 1
          placement:
            constraints:
              - node.role == manager

      mongo-express:              # service key assumed
        image: mongo-express:0.54
        ports:
          - "8081:8081"
        environment:
          ME_CONFIG_MONGODB_ADMINUSERNAME_FILE: /run/secrets/mongo_admin_username
          ME_CONFIG_MONGODB_ADMINPASSWORD_FILE: /run/secrets/mongo_password
          ME_CONFIG_BASICAUTH_USERNAME_FILE: /run/secrets/me_username
          ME_CONFIG_BASICAUTH_PASSWORD_FILE: /run/secrets/me_password
        secrets:
          - mongo_password
          - mongo_admin_username
          - me_username
          - me_password
        deploy:
          replicas: 1
          placement:
            constraints:
              - node.role == manager

    secrets:
      mongo_password:
        external: true
      mongo_admin_username:
        external: true
      me_username:
        external: true
      me_password:
        external: true

    configs:
      mongo_config:
        external: true

  • An important hint: once you create a secret you cannot update it. So we will create the other secrets that are mentioned in the YAML file as below:

    # The trailing "-" reads the value from stdin; echo appends a newline,
    # which is stored as part of each secret value.
    echo "mongo_pass" | docker secret create me_password -
    echo "mongo_user" | docker secret create me_username -
    echo "admin" | docker secret create mongo_admin_username -

  • Deploy the stack to the Swarm cluster using the following:

    $ docker stack deploy -c docker-compose.yml myapp

  • List the stacks

    docker stack ls

  • Get the stack services

    docker stack services myapp

  • More info about services

    docker stack ps myapp

As shown, the container services are up and running.
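
Because a secret cannot be updated in place, changing a password means creating a second secret and swapping it onto the service. The function below is an added example, not part of the article: rotate_secret is a hypothetical wrapper around the docker CLI, and the service name passed to it is an assumption (take the real one from docker stack services myapp).

```shell
#!/bin/sh
# Added example, not part of the article: rotate an immutable Swarm secret.
#
# usage: rotate_secret SERVICE OLD NEW TARGET < file-with-new-value
#   SERVICE  full service name, e.g. myapp_mongo-express (assumed name)
#   OLD/NEW  secret names, e.g. me_password and me_password_v2
#   TARGET   file name the container reads under /run/secrets/
rotate_secret() (
  [ "$#" -eq 4 ] || { echo "usage: rotate_secret SERVICE OLD NEW TARGET" >&2; return 2; }
  svc=$1 old=$2 new=$3 target=$4
  # Secrets are immutable, so the replacement needs its own name.
  [ "$old" != "$new" ] || { echo "error: NEW must differ from OLD" >&2; return 2; }

  # 1. Create the replacement; the value is read from stdin ("-"), so it is
  #    never passed as a command-line argument.
  docker secret create "$new" - || return 1

  # 2. Swap the secrets in a single service update. target= keeps the file
  #    name under /run/secrets/, so the *_FILE variables stay valid.
  docker service update \
    --secret-rm "$old" \
    --secret-add "source=$new,target=$target" \
    "$svc" || return 1

  # 3. Remove the old secret once no service references it any more.
  docker secret rm "$old"
)
```

A secret mounted by more than one service, such as mongo_password in the compose file above, has to be swapped on each service before step 3 can succeed. Keep docker-compose.yml in step with the new secret name before the next docker stack deploy.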

Summary of steps

  • Create a config object file.

  • Create a secret object file.

  • Create a secret object from the file content.

  • Create a config object from the file content.

  • List and inspect the config and secret, and ensure that the secret is secured and does not appear as clear text.

  • Create a Docker-compose YAML file for the stack deployment.

  • Manually create the missing secrets, because once you create a secret you cannot update it.

  • Deploy the stack using the docker-compose YAML file and Docker CLI.

  • Print out the deployed services and ensure the services are up and running.


That’s it. Very straightforward, very fast🚀. I hope this article inspired you, and I will appreciate your feedback. Thank you.
