Secrets and configs updates 1706 #3494

Merged
merged 6 commits into from
Jun 7, 2017

@mdlinville mdlinville commented Jun 5, 2017

Proposed changes

  • Custom mount point for secrets within containers
  • Windows secrets support
  • Updates table CLI reference yaml files and adds stubs

Fixes #3430
Fixes #3483
Fixes #3482
Fixes #3290

I'm not too happy with the Windows secrets example. cc/ @friism @johnstep

Unreleased project version (optional)

17.06

@mdlinville mdlinville changed the title Secrets updates 1706 Secrets and configs updates 1706 Jun 5, 2017
@mdlinville mdlinville requested a review from thaJeztah June 5, 2017 23:06
@mdlinville
Author

PTAL @aaronlehmann @johnstep at the secrets and configs changes
PTAL @tiborvass at the YAML updates

@mdlinville
Author

PTAL @shin- at composefile reference.

Contributor

@shin- shin- left a comment

One typo + one possible addition, otherwise LGTM

config.

```none
version: "3.1"

Contributor

3.3

my_first_config:
file: ./config_data
my_second_config:
external: true

Contributor

It might be missing from the secrets doc as well (or intentionally omitted), but another valid syntax is

my_third_config:
  external:
    name: name_of_config_on_engine

Author

Thanks! Addressed these (and added the info about secrets too).

You can attach to the same contained process multiple times simultaneously,
screen sharing style, or quickly view the progress of your detached process.
even as a different user with the appropriate permissions.
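
Review bot: The last line of this hunk, "even as a different user with the appropriate permissions.", is a fragment left dangling after the full stop that closes "your detached process." on the line above. Fold it into the preceding sentence so the clause about a different user reads as part of the statement about attaching, and state whether "user" refers to a user on the host, since the permission model differs between the two readings.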

Contributor

Does this mean as a different user on the host? Might want to clarify that part.

Author

Not for here, this change needs to happen in docker/cli repo.

decrypted secret is mounted into the container in an in-memory filesystem. The
location of the mount point within the container defaults to
`/run/secrets/<secret_name>`, but you can specify a custom location in Docker
17.06 and higher. You can update a service to grant it access to additional

Contributor

Let's mention that giving an absolute target path is the way to specify a custom location; otherwise users may be confused about how to override the mount point.


This uses the short syntax for the `--secret` flag, which creates files in
- **Docker 17.05 and earlier**:

Contributor

Do we have a policy about how far back the docs cover old versions, and when we would remove something like this?

management data.

When you grant a newly-created or running service access to a config, the
config is mounted as a file in the container, in an in-memory filesystem. The

Contributor

We don't use an in-memory filesystem for configs... just secrets

you can customize the file name on the container using the `target` option.

```bash
$ docker service create --name="redis" --config="my-config" redis:alpine

Contributor

These flags don't need double quotes. They aren't harmful, but stylistically it's out of the ordinary.

### Simple example: Use secrets in a Windows service

This is a very simple example which shows how to use secrets with a Windows
container running on Docker 17.06 EE on Microsoft Windows Server 2013 or Docker

Contributor

container running on Docker 17.06 EE on Microsoft Windows Server 2016 or Docker

Member

@thaJeztah thaJeztah left a comment

one suggestion, but LGTM otherwise, great work!

This is a config
```

5. Verify that the config is **not** available if you commit the container.

Member

I wonder if this is important information (in general, committing a container is not best practice, as the container should be regarded immutable). I would personally skip this.

PS> docker config rm homepage
```

### Advanced example: Use configs with a Nginx service

Member

Love this example - combining secrets and configurations 👍

@mdlinville
Author

Addressed the last bit of feedback, squashed the commits down to a few logical ones. Going to merge.
