Documentation Index
Fetch the complete documentation index at: https://mintlify.com/fussybeaver/bollard/llms.txt
Use this file to discover all available pages before exploring further.
Docker Swarm provides two mechanisms for distributing sensitive or configuration data to containers without baking it into images:
- Secrets — encrypted at rest, only decrypted inside a running task’s filesystem at
/run/secrets/<name>. Ideal for passwords, keys, and certificates.
- Configs — not encrypted at rest, stored in the swarm Raft log. Ideal for configuration files, scripts, and other non-sensitive data.
Both APIs follow the same CRUD shape. All methods are async and return Result<T, bollard::errors::Error>.
Swarm mode must be enabled and the client must connect to a manager node for all secrets and configs operations.
Secrets
list_secrets
Return a filtered list of secrets. Note that the data field is never returned by the list or inspect endpoints.
pub async fn list_secrets(
&self,
options: Option<ListSecretsOptions>,
) -> Result<Vec<Secret>, Error>
Options — ListSecretsOptionsBuilder
| Builder method | Description |
|---|
.filters(&HashMap<&str, Vec<&str>>) | Filter by id, label, or name. |
Returns
Result<Vec<Secret>, Error>
Example
use bollard::Docker;
use bollard::query_parameters::ListSecretsOptionsBuilder;
use std::collections::HashMap;
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
let mut filters = HashMap::new();
filters.insert("label", vec!["env=production"]);
let options = ListSecretsOptionsBuilder::default()
.filters(&filters)
.build();
let secrets = docker.list_secrets(Some(options)).await?;
for s in &secrets {
println!("{:?}", s.spec.as_ref().and_then(|spec| spec.name.as_ref()));
}
Ok(())
}
create_secret
Store a new secret in the swarm. The secret data must be base64-encoded.
pub async fn create_secret(
&self,
secret_spec: SecretSpec,
) -> Result<IdResponse, Error>
Key SecretSpec fields
| Field | Type | Description |
|---|
name | Option<String> | Unique name for the secret within the swarm. |
data | Option<String> | Base64-encoded secret value. |
labels | Option<HashMap<String, String>> | Arbitrary key/value labels. |
driver | Option<Driver> | External secret driver configuration. |
templating | Option<Driver> | Templating driver to apply when the secret is read. |
Returns
Result<IdResponse, Error> — the generated id of the new secret.
Example
use bollard::Docker;
use bollard::models::SecretSpec;
use base64::{engine::general_purpose::STANDARD, Engine};
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
let spec = SecretSpec {
name: Some("db-password".to_string()),
data: Some(STANDARD.encode("super-secret-password")),
..Default::default()
};
let response = docker.create_secret(spec).await?;
println!("Secret ID: {:?}", response.id);
Ok(())
}
Secret data cannot be updated once created — Docker’s API prohibits changing the data of an existing secret. To rotate a secret you must create a new one, update any services that reference it, and then delete the old secret.
inspect_secret
Retrieve metadata for a secret by ID or name. The data field is always omitted.
pub async fn inspect_secret(
&self,
secret_id: &str,
) -> Result<Secret, Error>
Returns
Result<Secret, Error>
Example
use bollard::Docker;
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
let secret = docker.inspect_secret("db-password").await?;
println!("Version: {:?}", secret.version);
Ok(())
}
delete_secret
Permanently remove a secret. This fails if any running service still references the secret.
pub async fn delete_secret(
&self,
secret_id: &str,
) -> Result<(), Error>
Returns
Result<(), Error>
Example
use bollard::Docker;
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
docker.delete_secret("db-password").await?;
println!("Secret deleted");
Ok(())
}
update_secret
Update a secret’s metadata (labels, name). The data field cannot be changed.
pub async fn update_secret(
&self,
secret_id: &str,
secret_spec: SecretSpec,
options: UpdateSecretOptions,
) -> Result<(), Error>
Options — UpdateSecretOptionsBuilder
| Builder method | Type | Description |
|---|
.version(i64) | i64 | Required. Current version index from inspect_secret. |
Returns
Result<(), Error>
Example
use bollard::Docker;
use bollard::query_parameters::UpdateSecretOptionsBuilder;
use std::collections::HashMap;
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
let existing = docker.inspect_secret("db-password").await?;
let version = existing.version.unwrap().index.unwrap();
let mut spec = existing.spec.unwrap();
let mut labels = HashMap::new();
labels.insert("env".to_string(), "production".to_string());
spec.labels = Some(labels);
let options = UpdateSecretOptionsBuilder::default()
.version(version as i64)
.build();
docker.update_secret("db-password", spec, options).await?;
println!("Secret labels updated");
Ok(())
}
Configs
list_configs
Return a filtered list of configs stored in the swarm.
pub async fn list_configs(
&self,
options: Option<ListConfigsOptions>,
) -> Result<Vec<Config>, Error>
Options — ListConfigsOptionsBuilder
| Builder method | Description |
|---|
.filters(&HashMap<String, Vec<String>>) | Filter by id, label, or name. |
Returns
Result<Vec<Config>, Error>
Example
use bollard::Docker;
use bollard::query_parameters::ListConfigsOptionsBuilder;
use std::collections::HashMap;
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
let mut filters: HashMap<String, Vec<String>> = HashMap::new();
filters.insert("label".to_string(), vec!["app=myapp".to_string()]);
let options = ListConfigsOptionsBuilder::default()
.filters(&filters)
.build();
let configs = docker.list_configs(Some(options)).await?;
for c in &configs {
println!("{:?}", c.spec.as_ref().and_then(|s| s.name.as_ref()));
}
Ok(())
}
create_config
Store a new config in the swarm. The data field must be base64-encoded.
pub async fn create_config(
&self,
config_spec: ConfigSpec,
) -> Result<IdResponse, Error>
Key ConfigSpec fields
| Field | Type | Description |
|---|
name | Option<String> | Unique name for the config within the swarm. |
data | Option<String> | Base64-encoded config content. |
labels | Option<HashMap<String, String>> | Arbitrary key/value labels. |
templating | Option<Driver> | Templating driver to apply when the config is read. |
Returns
Result<IdResponse, Error> — the generated id.
Example
use bollard::Docker;
use bollard::config::ConfigSpec;
use base64::{engine::general_purpose::STANDARD, Engine};
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
let nginx_conf = r#"
server {
listen 80;
location / { root /usr/share/nginx/html; }
}
"#;
let spec = ConfigSpec {
name: Some("nginx.conf".to_string()),
data: Some(STANDARD.encode(nginx_conf)),
..Default::default()
};
let response = docker.create_config(spec).await?;
println!("Config ID: {:?}", response.id);
Ok(())
}
inspect_config
Fetch details for a single config by ID or name. Unlike secrets, the data field is returned.
pub async fn inspect_config(
&self,
config_id: &str,
) -> Result<Config, Error>
Returns
Result<Config, Error>
Example
use bollard::Docker;
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
let config = docker.inspect_config("nginx.conf").await?;
println!("Version: {:?}", config.version);
Ok(())
}
delete_config
Remove a config. Fails if any running service still references it.
pub async fn delete_config(
&self,
config_id: &str,
) -> Result<(), Error>
Returns
Result<(), Error>
Example
use bollard::Docker;
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
docker.delete_config("nginx.conf").await?;
println!("Config deleted");
Ok(())
}
update_config
Update a config’s metadata or data content.
pub async fn update_config(
&self,
config_id: &str,
config_spec: ConfigSpec,
options: UpdateConfigOptions,
) -> Result<(), Error>
Options — UpdateConfigOptionsBuilder
| Builder method | Type | Description |
|---|
.version(i64) | i64 | Required. Current version index from inspect_config. |
Returns
Result<(), Error>
Example
use bollard::Docker;
use bollard::query_parameters::UpdateConfigOptionsBuilder;
use std::collections::HashMap;
#[tokio::main]
async fn main() -> Result<(), bollard::errors::Error> {
let docker = Docker::connect_with_socket_defaults()?;
let existing = docker.inspect_config("nginx.conf").await?;
let version = existing.version.unwrap().index.unwrap();
let mut spec = existing.spec.unwrap();
let mut labels = HashMap::new();
labels.insert("env".to_string(), "production".to_string());
spec.labels = Some(labels);
let options = UpdateConfigOptionsBuilder::default()
.version(version as i64)
.build();
docker.update_config("nginx.conf", spec, options).await?;
println!("Config updated");
Ok(())
}
