How is a Swarm stack file different from a plain compose file?

A stack file uses the same compose syntax but adds a deploy section that only Swarm reads — replicas, placement, update_config, restart_policy, and resources. docker compose up ignores deploy, while docker stack deploy honors it and runs the services across the cluster.

What do placement constraints do?

Constraints restrict which nodes a service's tasks can run on, for example node.role == worker to keep workloads off managers, or node.labels.tier == app to pin a service to labeled hardware. The scheduler only places replicas on matching nodes.

Why is order start-first in the update config?

start-first launches the new task and waits for it to be healthy before stopping the old one, avoiding a capacity dip during deploys. The default stop-first stops the old task before starting the new, which can briefly reduce availability.

What does external true mean for secrets?

It tells Swarm the secret already exists in the cluster — created with docker secret create — rather than being defined inline. This keeps secret values out of the stack file and out of version control, which is the secure pattern.

What is failure_action rollback?

If a rolling update causes tasks to fail, Swarm automatically reverts the service to its previous spec instead of leaving it broken. Combined with start-first updates, it makes deploys safer with no manual intervention.

Docker Swarm Stack File Builder

A Docker Swarm stack file builder that generates a docker stack deploy-ready compose v3.8 file. Each service gets a full deploy block — replicas, placement constraints, a safe rolling-update policy, restart rules, and resource limits — plus external secret references and an overlay network tying the cluster together.

How it works

A stack file looks like a compose file but adds a deploy section that only Swarm interprets. For every service the builder emits replicas, an optional placement.constraints list, and an update_config using order: start-first with failure_action: rollback so deploys add capacity before removing it and self-heal on failure. A restart_policy retries failed tasks, and a resources block sets CPU and memory limits and reservations.

Secrets you list per service are referenced under each service and collected into a top-level secrets: block marked external: true — meaning you create them once in the cluster with docker secret create and never store their values in the file. All services join a single top-level overlay network so they can reach each other by name across nodes.

Tips and notes

Run docker stack deploy on a manager node. Workers cannot deploy stacks, and the overlay network requires Swarm mode to be active.
Create secrets first: echo "value" | docker secret create db_password -. The external: true reference will fail to deploy if the secret does not already exist.
Keep update_config.parallelism at 1 for stateful services so you never take down more than one replica at a time; raise it for stateless services to deploy faster.
Placement constraints are AND-ed together. Use node labels (docker node update --label-add tier=app node1) to target specific hardware tiers cleanly.

Docker Swarm Stack File Builder

Email me this result

How it works

Tips and notes