Running a containerized app in Yandex Serverless Containers
Follow this guide to deploy a containerized app in Serverless Containers to administer a MongoDB DBMS.
The DBMS is deployed on a Yandex Compute Cloud VM. A Yandex Container Registry registry is used to host the container with the app. Yandex Lockbox is used to encrypt sensitive data. Secure access to the application is enabled over the Yandex API Gateway API gateway. The entire infrastructure of the containerized app resides in a single folder.
To deploy your containerized app:
- Prepare your cloud.
- Create a service account.
- Create a network and configure the security group.
- Create a Compute Cloud VM with MongoDB.
- Create a Yandex Lockbox secret and version.
- Create a registry in Container Registry.
- Push the Docker image to Container Registry.
- Create a Serverless Containers container.
- Create an API Gateway API gateway.
- Test the application.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The application support cost includes:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Secret storage fees (see Yandex Lockbox pricing).
- Fee for storing a Docker image (see Yandex Container Registry pricing).
- Fee for the number of container calls, computing resources allocated to execute the application, and outgoing traffic (see Serverless Containers pricing).
- Fee for requests to the API gateway (see Yandex API Gateway pricing).
Create a service account
Create a service account and assign it the roles for the folder to host the containerized app infrastructure.
- In the management console, go to the folder that will host the containerized app infrastructure.
- In the list of services, select Identity and Access Management.
- Click Create service account.
- Enter the service account name: mongo-express.
- Click Add role and select the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles.
- Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Create a service account named mongo-express:

    yc iam service-account create --name mongo-express

- Assign the service account the container-registry.images.puller, lockbox.payloadViewer, and serverless-containers.containerInvoker roles for the folder that will host your container:

    # --role takes a single role, so bind each role in its own call
    for role in container-registry.images.puller lockbox.payloadViewer serverless-containers.containerInvoker; do
      yc resource-manager folder add-access-binding <folder_name_or_ID> \
        --role "$role" \
        --subject serviceAccount:<service_account_ID>
    done

  Where:
  - <folder_name_or_ID>: Name or ID of the folder to host the container.
  - --subject serviceAccount: mongo-express service account ID.
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
To assign the service account a role for the folder, use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call.
Create a network and configure the security group
- In the management console, select the folder to host the network.
- In the list of services, select Virtual Private Cloud.
- At the top right, click Create network.
- In the Name field, specify mongo-express-network.
- In the Advanced field, select Create subnets.
- Click Create network.
- In the left-hand panel, select Security groups.
- Click the icon next to the default security group created for mongo-express-network.
- In the menu that opens, click Edit.
- Configure the security group:
  - Click Create security group.
  - Under Rules, add a rule using the instructions below the table:

    | Traffic direction | Description | Port range | Protocol | Destination name / Source | CIDR blocks |
    |-------------------|-------------|------------|----------|---------------------------|-------------|
    | Incoming          | any         | 27017      | Any      | CIDR                      | 0.0.0.0/0   |

    - Select the Egress or Ingress tab.
    - Click Add rule.
    - In the Port range field of the window that opens, specify a single port or a range of ports that traffic will come to or from. To open all ports, click Select the full range.
    - In the Protocol field, specify the appropriate protocol or leave Any to allow traffic transmission over any protocol.
    - In the Destination name or Source field, select CIDR, and the rule will apply to a range of IP addresses. In the CIDR blocks field, specify 0.0.0.0/0.
    - Click Save.
  - Click Save.
  - Click Save once again.
- Create a cloud network:

    yc vpc network create \
      --name mongo-express-network

- Get the name or ID of the group to edit:

    yc vpc security-groups list

  Result:

    +----------------------+---------------------------------+------------------------------------+----------------------+
    |          ID          |              NAME               |            DESCRIPTION             |      NETWORK-ID      |
    +----------------------+---------------------------------+------------------------------------+----------------------+
    | enp9bmjge93b******** | default-sg-enp509crtquf******** | Default security group for network | enp509crtquf******** |
    +----------------------+---------------------------------+------------------------------------+----------------------+

- Add a rule using the update-rules command and the --add-rule parameter:

    yc vpc security-group update-rules <group_name_or_ID> \
      --add-rule "direction=ingress,port=27017,protocol=any,v4-cidrs=[0.0.0.0/0,0.0.0.0/0]"

  Where <group_name_or_ID> is the value obtained at the previous step.
- To create a cloud network, use the create REST API method for the Network resource or the NetworkService/Create gRPC API call, and provide the following in the request:
  - ID of the folder to host the network.
  - Name of the new network, mongo-express-network, in the name parameter.
- To add a rule to a security group, use the updateRules REST API method for the SecurityGroup resource or the SecurityGroupService/UpdateRules gRPC API call, and provide the following in your request:
  - ID of the security group you want to add rules to, in the securityGroupId parameter.
    To get the security group ID, use the list REST API method for the SecurityGroup resource or the SecurityGroupService/List gRPC API call and provide the folder ID in the folderId request parameter.
  - New security group rules, in the additionRuleSpecs[] array:
    - Traffic direction: ingress.
    - Name of the traffic transmission protocol, in the additionRuleSpecs[].protocolName parameter: any.
    - List of CIDRs and subnet masks, in the additionRuleSpecs[].cidrBlocks.v4CidrBlocks[] parameter: [0.0.0.0/0,0.0.0.0/0].
    - First port in the traffic ports range, in the additionRuleSpecs[].ports.fromPort parameter: 0.
    - Last port in the traffic ports range, in the additionRuleSpecs[].ports.toPort parameter: 65535.
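A pre-flight check for the security group rule in this section: it parses the --add-rule value in the form used above and reports which source ranges can reach the MongoDB port. This is an added example, not part of the Yandex Cloud documentation or CLI; the function names and SCOPED_RULE (a constructed comparison using a documentation address range) are assumptions.

```python
import ipaddress
import re

MONGODB_PORT = 27017  # port published by the guide's Docker Compose spec


def parse_add_rule(spec):
    """Parse a --add-rule value such as 'direction=ingress,port=27017,...'."""
    rule = {}
    # Split on commas, except those inside the [...] list of CIDRs.
    for part in re.split(r",(?![^\[]*\])", spec):
        key, _, value = part.partition("=")
        rule[key.strip()] = value.strip()
    cidrs = rule.get("v4-cidrs", "").strip("[]").split(",")
    # The guide lists 0.0.0.0/0 twice; duplicates are collapsed here.
    rule["v4-cidrs"] = sorted({c.strip() for c in cidrs if c.strip()})
    return rule


def audit_rule(spec, port=MONGODB_PORT):
    """Return one finding per CIDR that may reach `port` through this rule."""
    rule = parse_add_rule(spec)
    if rule.get("direction") != "ingress":
        return []
    # Assumption: a rule without port= covers every port.
    if "port" in rule and int(rule["port"]) != port:
        return []
    findings = []
    for cidr in rule["v4-cidrs"]:
        net = ipaddress.ip_network(cidr, strict=False)
        findings.append({
            "port": port,
            "cidr": str(net),
            "sources": net.num_addresses,     # how many IPv4 sources are admitted
            "world_open": net.prefixlen == 0,  # True for 0.0.0.0/0
        })
    return findings


# Rule exactly as passed to update-rules in the guide.
GUIDE_RULE = "direction=ingress,port=27017,protocol=any,v4-cidrs=[0.0.0.0/0,0.0.0.0/0]"
# Constructed comparison: a single host from a documentation range.
SCOPED_RULE = "direction=ingress,port=27017,protocol=tcp,v4-cidrs=[203.0.113.10/32]"

if __name__ == "__main__":
    for name, spec in (("guide", GUIDE_RULE), ("scoped", SCOPED_RULE)):
        for f in audit_rule(spec):
            state = "WORLD-OPEN" if f["world_open"] else "scoped"
            print(f"{name}: port {f['port']} from {f['cidr']} {state} ({f['sources']} sources)")
```

Run it against every rule string before calling update-rules; a world_open finding on port 27017 means the database listener accepts connections from any IPv4 address and is protected only by the MongoDB password.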
Create a VM with MongoDB
We recommend using a VM with basic configuration.
- On the folder page in the management console, click Create resource and select Virtual machine instance.
- Under Boot disk image:
  - Go to the Container Solution tab and click Configure.
  - In the window that opens, go to the Docker Compose tab and enter the VM specification:

        version: '3.1'
        services:
          mongo:
            image: mongo
            restart: always
            environment:
              MONGO_INITDB_ROOT_USERNAME: mongo_db_user
              MONGO_INITDB_ROOT_PASSWORD: <password>
            ports:
              - 27017:27017

    In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use the password generator. Save the password as you will need it in the next steps.
  - Click Apply.
- Under Location, select an availability zone to create your VM in. If you do not know which availability zone you need, leave the default one.
- Under Network settings:
  - In the Subnet field, select a subnet in the mongo-express-network network you created earlier.
  - In the Public IP field, select Auto.
- Under Access, select SSH key and specify the VM access data:
  - Under Login, enter the username. Do not use root or other names reserved by the OS. To perform operations requiring superuser permissions, use the sudo command.
  - In the SSH key field, select the SSH key saved in your organization user profile.
    If there are no saved SSH keys in your profile, or you want to add a new key:
    - Click Add key.
    - Enter a name for the SSH key.
    - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
    - Click Add.
    The SSH key will be added to your organization user profile.
    If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under General information, specify the VM name: mongo-vm.
- Click Create VM.
Wait for the VM status to change to Running and save its public IP address: you will need it for connecting to the database.
- Prepare a key pair (public and private keys) for SSH access to the VM.
- Create docker-spec.yaml, a Docker container specification file:

    version: '3.1'
    services:
      mongo:
        image: mongo
        restart: always
        environment:
          MONGO_INITDB_ROOT_USERNAME: mongo_db_user
          MONGO_INITDB_ROOT_PASSWORD: <password>
        ports:
          - 27017:27017

  In the MONGO_INITDB_ROOT_PASSWORD parameter, specify the password to use for accessing the database. To create a password, you can use the password generator. Save the password as you will need it in the next steps.
- Run this command:

    yc compute instance create-with-container \
      --coi-spec-file docker-spec.yaml \
      --name mongo-vm \
      --zone ru-central1-b \
      --ssh-key ssh-key.pub \
      --create-boot-disk size=30

  Where:
  - --coi-spec-file: Path to the Docker container specification file.
  - --name: VM name.
  - --zone: Availability zone.
  - --ssh-key: Contents of the public key file. You need to create a key pair for the SSH connection yourself.
  - --create-boot-disk size: Boot disk size. It must be at least 30 GB.

  Result:

    done (1m40s)
    id: epde18u4mahl********
    folder_id: b1g7gvsi89m3********
    created_at: "2023-02-08T10:34:06.601Z"
    name: mongo-vm
    ...
Create a Yandex Lockbox secret
A Yandex Lockbox secret will store the encrypted authentication credentials.
- In the management console, select the folder where you want to create a secret.
- In the list of services, select Lockbox.
- Click Create secret.
- In the Name field, enter a name for the secret: mongodb-creds.
- Under Version:
  - In the Key field, enter login.
  - In the Value field, enter mongo_db_user as your DB user login.
- Click Add key/value and specify the second secret:
  - In the Key field, enter password.
  - In the Value field, enter the password to access the database: the MONGO_INITDB_ROOT_PASSWORD value from the VM specification.
- Click Create.
- Use the following command to create the mongodb-creds secret:

    yc lockbox secret create \
      --name mongodb-creds \
      --payload "[{'key': 'login', 'text_value': 'mongo_db_user'},{'key': 'password', 'text_value': '<password>'}]"

  Where:
  - --name: Secret name.
  - --payload: Contents of the secret as a YAML or JSON array.
  - <password>: MONGO_INITDB_ROOT_PASSWORD value from the VM specification.

  Result:

    id: e6q6nbjfu9m2********
    folder_id: b1qt6g8ht345********
    created_at: "2023-02-08T10:34:06.601Z"
    name: mongodb-creds
    status: ACTIVE
    current_version:
      id: e6q0s9airqca********
      secret_id: e6q6nbjfu9m2********
      created_at: "2023-02-08T10:34:06.601Z"
      status: ACTIVE
      payload_entry_keys:
        - login
        - password

To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.
Create a registry in Container Registry
The registry in Container Registry will house the Docker image of the mongo-express application.
- In the management console, select the folder to create a registry in.
- In the list of services, select Container Registry.
- Click Create registry.
- Specify a name for the registry: app-registry.
- Click Create registry.
Create the app-registry registry:

    yc container registry create --name app-registry

Result:

    done
    id: crpd50616s9a********
    folder_id: b1g88tflru0e********
    name: app-registry
    status: ACTIVE
    created_at: "2023-02-08T10:34:06.601Z"

To create a registry, use the create REST API method for the Registry resource or the RegistryService/CreateRegistryRequest gRPC API call.
Push the Docker image to the registry
- Create a Docker Hub account.
- Install Docker.
- Download the mongo-express image:

    docker pull mongo-express

  The result will be as follows:

    Using default tag: latest
    latest: Pulling from library/mongo-express
    6a428f9f83b0: Pull complete
    f2b1fb32259e: Pull complete
    40888f2a0a1f: Pull complete
    4e3cc9ce09be: Pull complete
    eaa1898f3899: Pull complete
    ab4078090382: Pull complete
    ae780a42c79e: Pull complete
    e60224d64a04: Pull complete
    Digest: sha256:dcfcf89bf91238ff129469a5a94523b3025913dcc41597d72d4d5f4a********
    Status: Downloaded newer image for mongo-express:latest
    docker.io/library/mongo-express:latest

- Authenticate in Container Registry using the Docker credential helper:
  - Configure Docker to use docker-credential-yc:

        yc container registry configure-docker

    Result:

        Credential helper is configured in '/home/<user>/.docker/config.json'

    Settings are saved in the current user's profile.
  - Check that the ${HOME}/.docker/config.json configuration file includes the following line:

        "cr.yandex": "yc"

    Docker is ready to use.
- Push the Docker image to the registry:
  - Assign a URL to the pushed mongo-express image using the following format: cr.yandex/<registry_ID>/<Docker_image_name>:<tag>:

        docker tag mongo-express \
          cr.yandex/<registry_ID>/mongo-express:mongo-tag

  - Push the mongo-express image to the registry:

        docker push cr.yandex/<registry_ID>/mongo-express:mongo-tag

Create a Serverless Containers container
To run your application in Yandex Cloud, create a container and its revision:
- In the management console, select the folder where you want to create a container.
- Select Serverless Containers.
- Click Create container.
- Enter the container name: mongo-express-container.
- Click Create.
- Go to the Editor tab.
- Under Resources, enter the amount of RAM: 1024 MB.
- Under Image settings:
  - In the Image URL field, specify the Docker image you pushed previously.
  - In the Environment variables field, add the following variables:
    - ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
    - ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
    - VCAP_APP_PORT: Set the port to 8080.
    - ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained previously.
  - In the Lockbox secrets field, specify these secrets:
    - ME_CONFIG_MONGODB_AUTH_USERNAME: Secret with the login key.
    - ME_CONFIG_MONGODB_AUTH_PASSWORD: Secret with the password key.
- Under Settings:
  - In the Service account field, specify mongo-express.
  - In the Timeout, s field, specify 15.
- Click Create revision.
- Create a container:

    yc serverless container create --name mongo-express-container

  Result:

    id: bba3fva6ka5g********
    folder_id: b1gqvft7kjk3********
    created_at: "2023-02-08T10:34:06.601Z"
    name: mongo-express-container
    url: https://bba3fva6ka5g********.containers.yandexcloud.net/
    status: ACTIVE

- Create a container revision:

    yc serverless container revision deploy \
      --container-name mongo-express-container \
      --image <Docker_image_URL> \
      --cores 1 \
      --memory 1GB \
      --concurrency 1 \
      --execution-timeout 15s \
      --service-account-id <mongo_express_service_account_ID> \
      --environment ME_CONFIG_BASICAUTH_USERNAME="",ME_CONFIG_BASICAUTH_PASSWORD="",VCAP_APP_PORT=8080,ME_CONFIG_MONGODB_SERVER=<VM_public_address> \
      --secret environment-variable=ME_CONFIG_MONGODB_AUTH_USERNAME,key=login \
      --secret environment-variable=ME_CONFIG_MONGODB_AUTH_PASSWORD,key=password

  Where:
  - --image: URL of the mongo-express Docker image you pushed earlier.
  - --service-account-id: ID of the mongo-express service account you created earlier.
  - --environment: Environment variables, given as one comma-separated list with no spaces:
    - ME_CONFIG_BASICAUTH_USERNAME: Leave empty.
    - ME_CONFIG_BASICAUTH_PASSWORD: Leave empty.
    - VCAP_APP_PORT: Set the port to 8080.
    - ME_CONFIG_MONGODB_SERVER: Specify the VM public IP address obtained previously.
  - --secret environment-variable: ME_CONFIG_MONGODB_AUTH_USERNAME and ME_CONFIG_MONGODB_AUTH_PASSWORD secrets you created earlier.

  Result:

    id: bbajn5q2d74c********
    container_id: bba3fva6ka5g********
    created_at: "2023-02-08T10:34:06.601Z"
    image:
      image_url: cr.yandex/crpd3cicopk7********/mongo-express-container:latest
      image_digest: sha256:de8e1dce7ceceeafaae122f7670084a1119c961cd9ea1795eae92bd********
    resources:
      memory: "1073741824"
      cores: "1"
    execution_timeout: 15s
    service_account_id: ajeqnasj95o7********
    status: ACTIVE

To create a container, use the create REST API method for the Container resource or the ContainerService/Create gRPC API call.
To create a container revision, use the deployRevision REST API method for the Container resource or the ContainerService/DeployRevision gRPC API call.
Create an API Gateway
Create an API gateway with the x-yc-apigateway-integration:serverless_containers extension.
- In the management console, select the folder where you want to create an API gateway.
- In the list of services, select API Gateway.
- Click Create API gateway.
- In the Name field, enter a name for the API gateway: mongo-express-gw.
- In the Specification section, add the specification:

    openapi: 3.0.0
    info:
      title: Sample API
      version: 1.0.0
    servers:
    - url: https://mongo-express-container.apigw.yandexcloud.net
    paths:
      /{proxy+}:
        x-yc-apigateway-any-method:
          x-yc-apigateway-integration:
            type: serverless_containers
            container_id: <container_ID>
            service_account_id: <service_account_ID>
          parameters:
          - explode: false
            in: path
            name: proxy
            required: false
            schema:
              default: '-'
              type: string
            style: simple

  Where:
  - container_id: Container ID for mongo-express-container.
  - service_account_id: mongo-express service account ID.
- Click Create.
- Prepare an OpenAPI 3.0 API specification file:

    openapi: 3.0.0
    info:
      title: Sample API
      version: 1.0.0
    servers:
    - url: https://mongo-express-container.apigw.yandexcloud.net
    paths:
      /{proxy+}:
        x-yc-apigateway-any-method:
          x-yc-apigateway-integration:
            type: serverless_containers
            container_id: <container_ID>
            service_account_id: <service_account_ID>
          parameters:
          - explode: false
            in: path
            name: proxy
            required: false
            schema:
              default: '-'
              type: string
            style: simple

  Where:
  - container_id: Container ID for mongo-express-container.
  - service_account_id: mongo-express service account ID.
- Specify the parameters and create an API gateway using this command:

    yc serverless api-gateway create \
      --name mongo-express-gw \
      --spec=<specification_file_path>

To create an API gateway, use the create REST API method for the ApiGateway resource or the ApiGatewayService/Create gRPC API call.
Test the application
Click https://mongo-express-container.apigw.yandexcloud.net to use the MongoDB admin panel.
How to delete the resources you created
To stop paying for the resources you created: