Create CONTRIBUTING.md

Fix typos

CONTRIBUTING.md

@@ -0,0 +1,3 @@
+# Contributing to MRSK development
+
+MRSK is written in Ruby. You should have Ruby 3.2+ installed on your machine in order to work on MRSK. If that's already setup, run `bundle` in the root directory to install all dependencies. Then you can run `bin/test` to run all tests.

Gemfile

@@ -6,3 +6,5 @@ gemspec
 gem "debug"
 gem "mocha"
 gem "railties"
+gem "ed25519"
+gem "bcrypt_pbkdf"

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    mrsk (0.8.0)
+    mrsk (0.8.4)
       activesupport (>= 7.0)
       dotenv (~> 2.8)
       sshkit (~> 1.21)
@@ -29,6 +29,7 @@ GEM
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
+    bcrypt_pbkdf (1.1.0)
     builder (3.2.4)
     concurrent-ruby (1.1.10)
     crass (1.0.6)
@@ -36,6 +37,7 @@ GEM
       irb (>= 1.5.0)
       reline (>= 0.3.1)
     dotenv (2.8.1)
+    ed25519 (1.3.0)
     erubi (1.12.0)
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
@@ -96,7 +98,9 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  bcrypt_pbkdf
   debug
+  ed25519
   mocha
   mrsk!
   railties

README.md

@@ -1,6 +1,8 @@
 # MRSK
 
-MRSK deploys web apps in containers to servers running Docker with zero downtime. It uses the dynamic reverse-proxy Traefik to hold requests while the new application container is started and the old one is stopped. It works seamlessly across multiple hosts, using SSHKit to execute commands. It was built for Rails applications, but works with any type of web app that can be bundled with Docker.
+MRSK deploys web apps anywhere from bare metal to cloud VMs using Docker with zero downtime. It uses the dynamic reverse-proxy Traefik to hold requests while the new application container is started and the old one is stopped. It works seamlessly across multiple hosts, using SSHKit to execute commands. It was built for Rails applications, but works with any type of web app that can be containerized with Docker.
+
+Watch the screencast: https://www.youtube.com/watch?v=LL1cV2FXZ5I
 
 ## Installation
 
@@ -31,37 +33,39 @@ mrsk deploy
 
 This will:
 
-1. Connect to the servers over SSH (using root by default, authenticated by your loaded ssh key)
+1. Connect to the servers over SSH (using root by default, authenticated by your ssh key)
 2. Install Docker on any server that might be missing it (using apt-get)
 3. Log into the registry both locally and remotely
 4. Build the image using the standard Dockerfile in the root of the application.
 5. Push the image to the registry.
-6. Pull the image from the registry on the servers.
+6. Pull the image from the registry onto the servers.
 7. Ensure Traefik is running and accepting traffic on port 80.
 8. Ensure your app responds with `200 OK` to `GET /up`.
-9. Stop any containers running a previous versions of the app.
-10. Start a new container with the version of the app that matches the current git version hash.
+9. Start a new container with the version of the app that matches the current git version hash.
+10. Stop the old container running the previous version of the app.
 11. Prune unused images and stopped containers to ensure servers don't fill up.
 
 Voila! All the servers are now serving the app on port 80. If you're just running a single server, you're ready to go. If you're running multiple servers, you need to put a load balancer in front of them.
 
 ## Vision
 
-In the past decade+, there's been an explosion in commercial offerings that make deploying web apps easier. Heroku kicked it off with an incredible offering that stayed ahead of the competition seemingly forever. These days we have excellent alternatives like Fly.io and Render. And hosted Kubernetes is making things easier too on AWS, GCP, Digital Ocean, and elsewhere. But these are all offerings that have you renting computers in the cloud at a premium. If you want to run on our own hardware, or even just have a clear migration path to do so, you need to carefully consider how locked in you get to these commercial platforms. Preferably before the bills swallow your business whole!
+In the past decade+, there's been an explosion in commercial offerings that make deploying web apps easier. Heroku kicked it off with an incredible offering that stayed ahead of the competition seemingly forever. These days we have excellent alternatives like Fly.io and Render. And hosted Kubernetes is making things easier too on AWS, GCP, Digital Ocean, and elsewhere. But these are all offerings that have you renting computers in the cloud at a premium. If you want to run on your own hardware, or even just have a clear migration path to do so in the future, you need to carefully consider how locked in you get to these commercial platforms. Preferably before the bills swallow your business whole!
 
-MRSK seeks to bring the advance in ergonomics pioneered by these commercial offerings to deploying web apps anywhere. Whether that's low-cost cloud options without the managed-service markup from the likes of Digital Ocean, Hetzner, OVH, etc, or it's your own colocated metal. To MRSK, it's all the same. Feed the config file a list of IP addresses with vanilla Ubuntu servers that have seen no prep beyond an added SSH key, and you'll be running in literally minutes.
+MRSK seeks to bring the advance in ergonomics pioneered by these commercial offerings to deploying web apps anywhere. Whether that's low-cost cloud options without the managed-service markup from the likes of Digital Ocean, Hetzner, OVH, etc, or it's your own colocated bare metal. To MRSK, it's all the same. Feed the config file a list of IP addresses with vanilla Ubuntu servers that have seen no prep beyond an added SSH key, and you'll be running in literally minutes.
 
-This structure also gives you enormous portability. You can have your web app deployed on several clouds at ease like this. Or you can buy the baseline with your own hardware, then deploy to a cloud before a big seasonal spike to get more capacity. When you're not locked into a single provider from a tooling perspective, there's a lot of compelling options available.
+This approach gives you enormous portability. You can have your web app deployed on several clouds at ease like this. Or you can buy the baseline with your own hardware, then deploy to a cloud before a big seasonal spike to get more capacity. When you're not locked into a single provider from a tooling perspective, there are a lot of compelling options available.
 
-Ultimately, MRSK is meant to compress the complexity of going to production using open source tooling that isn't tied to any commercial offering. Not to zero, though. You're probably still better off with a fully managed service if basic Linux or Docker is still difficult, but from an early stage when those concepts are familiar.
+Ultimately, MRSK is meant to compress the complexity of going to production using open source tooling that isn't tied to any commercial offering. Not to zero, mind you. You're probably still better off with a fully managed service if basic Linux or Docker is still difficult, but as soon as those concepts are familiar, you'll be ready to go with MRSK.
 
 ## Why not just run Capistrano, Kubernetes or Docker Swarm?
 
-MRSK basically is Capistrano for Containers, which allow us to use vanilla servers as the hosts. No need to ensure that the servers have just the right version of Ruby or other dependencies you need. That all lives in the Docker image now. You can boot a brand new Ubuntu (or whatever) server, add it to the deploy servers of MRSK, and it'll be auto-provisioned with Docker, and run right away. Docker's layer caching also allows for quicker deployments with less mucking about on the server. And the images built for MRSK can be used for CI or later introspection.
+MRSK basically is Capistrano for Containers, without the need to carefully prepare servers in advance. No need to ensure that the servers have just the right version of Ruby or other dependencies you need. That all lives in the Docker image now. You can boot a brand new Ubuntu (or whatever) server, add it to the list of servers in MRSK, and it'll be auto-provisioned with Docker, and run right away. Docker's layer caching also speeds up deployments with less mucking about on the server. And the images built for MRSK can be used for CI or later introspection.
 
 Kubernetes is a beast. Running it yourself on your own hardware is not for the faint of heart. It's a fine option if you want to run on someone else's platform, either transparently [like Render](https://thenewstack.io/render-cloud-deployment-with-less-engineering/) or explicitly on AWS/GCP, but if you'd like the freedom to move between cloud and your own hardware, or even mix the two, MRSK is much simpler. You can see everything that's going on, it's just basic Docker commands being called.
 
-Docker Swarm is much simpler than Kubernetes, but it's still built on the same declarative model that uses state reconciliation. MRSK is intentionally designed to around imperative commands, like Capistrano.
+Docker Swarm is much simpler than Kubernetes, but it's still built on the same declarative model that uses state reconciliation. MRSK is intentionally designed around imperative commands, like Capistrano.
+
+Ultimately, there are a myriad of ways to deploy web apps, but this is the toolkit we're using at [37signals](https://37signals.com) to bring [HEY](https://www.hey.com) [home from the cloud](https://world.hey.com/dhh/why-we-re-leaving-the-cloud-654b47e0) without losing the advantages of modern containerization tooling.
 
 ## Configuration
 
@@ -74,6 +78,71 @@ MRSK_REGISTRY_PASSWORD=pw
 DB_PASSWORD=secret123
 ```
 
+### Using a generated .env file
+
+#### 1password as a secret store
+
+If you're using a centralized secret store, like 1Password, you can create `.env.erb` as a template which looks up the secrets. Example of a .env.erb file:
+
+```erb
+<% if (session_token = `op signin --account my-one-password-account --raw`.strip) != "" %># Generated by mrsk envify
+GITHUB_TOKEN=<%= `gh config get -h github.com oauth_token`.strip %>
+MRSK_REGISTRY_PASSWORD=<%= `op read "op://Vault/Docker Hub/password" -n --session  #{session_token}` %>
+RAILS_MASTER_KEY=<%= `op read "op://Vault/My App/RAILS_MASTER_SECRET" -n --session #{session_token}` %>
+MYSQL_ROOT_PASSWORD=<%= `op read "op://Vault/My App/MYSQL_ROOT_PASSWORD" -n --session #{session_token}` %>
+<% else raise ArgumentError, "Session token missing" end %>
+```
+
+This template can safely be checked into git. Then everyone deploying the app can run `mrsk envify` when they setup the app for the first time or passwords change to get the correct `.env` file.
+
+If you need separate env variables for different destinations, you can set them with `.env.destination.erb` for the template, which will generate `.env.staging` when run with `mrsk envify -d staging`.
+
+#### bitwarden as a secret store
+
+If you are using open source secret store like bitwarden, you can create `.env.erb` as a template which looks up the secrets. 
+
+You can store `SOME_SECRET` in a secure note in bitwarden vault. 
+
+```
+$ bw list items --search SOME_SECRET | jq
+? Master password: [hidden]
+
+[
+  {
+    "object": "item",
+    "id": "123123123-1232-4224-222f-234234234234",
+    "organizationId": null,
+    "folderId": null,
+    "type": 2,
+    "reprompt": 0,
+    "name": "SOME_SECRET",
+    "notes": "yyy",
+    "favorite": false,
+    "secureNote": {
+      "type": 0
+    },
+    "collectionIds": [],
+    "revisionDate": "2023-02-28T23:54:47.868Z",
+    "creationDate": "2022-11-07T03:16:05.828Z",
+    "deletedDate": null
+  }
+]
+```
+
+and extract the `id` of `SOME_SECRET` from the `json` above and use in the `erb` below.
+
+
+Example `.env.erb` file:
+
+```erb
+<% if (session_token=`bw unlock --raw`.strip) != "" %># Generated by mrsk envify
+SOME_SECRET=<%= `bw get notes 123123123-1232-4224-222f-234234234234 --session #{session_token}` %>
+<% else raise ArgumentError, "session_token token missing" end %>
+```
+
+Then everyone deploying the app can run `mrsk envify` and mrsk will generate `.env` 
+
+
 ### Using another registry than Docker Hub
 
 The default registry is Docker Hub, but you can change it using `registry/server`:
@@ -211,7 +280,7 @@ servers:
 
 ### Using remote builder for native multi-arch
 
-If you're developing on ARM64 (like Apple Silicon), but you want to deploy on AMD64 (x86 64-bit), you can use multi-archecture images. By default, MRSK will setup a local buildx configuration that does this through QEMU emulation. But this can be quite slow, especially on the first build.
+If you're developing on ARM64 (like Apple Silicon), but you want to deploy on AMD64 (x86 64-bit), you can use multi-architecture images. By default, MRSK will setup a local buildx configuration that does this through QEMU emulation. But this can be quite slow, especially on the first build.
 
 If you want to speed up this process by using a remote AMD64 host to natively build the AMD64 part of the image, while natively building the ARM64 part locally, you can do so using builder options:
 
@@ -251,7 +320,7 @@ This is also a good option if you're running MRSK from a CI server that shares a
 
 ### Using build secrets for new images
 
-Some images need a secret passed in during build time, like a GITHUB_TOKEN to give access to private gem repositories. This can be done by having the secret in ENV, then referencing it in the builder configuration:
+Some images need a secret passed in during build time, like a GITHUB_TOKEN, to give access to private gem repositories. This can be done by having the secret in ENV, then referencing it in the builder configuration:
 
 ```yaml
 builder:
@@ -330,22 +399,20 @@ accessories:
 
 Now run `mrsk accessory start mysql` to start the MySQL server on 1.1.1.3. See `mrsk accessory` for all the commands possible.
 
-### Using a generated .env file
+### Using Cron
 
-If you're using a centralized secret store, like 1Password, you can create `.env.erb` as a template which looks up the secrets. Example of a .env.erb file:
+You can use a specific container to run your Cron jobs:
 
-```erb
-<% if (session_token = `op signin --account my-one-password-account --raw`.strip) != "" %># Generated by mrsk envify
-GITHUB_TOKEN=<%= `gh config get -h github.com oauth_token`.strip %>
-MRSK_REGISTRY_PASSWORD=<%= `op read "op://Vault/Docker Hub/password" -n --session  #{session_token}` %>
-RAILS_MASTER_KEY=<%= `op read "op://Vault/My App/RAILS_MASTER_SECRET" -n --session #{session_token}` %>
-MYSQL_ROOT_PASSWORD=<%= `op read "op://Vault/My App/MYSQL_ROOT_PASSWORD" -n --session #{session_token}` %>
-<% else raise ArgumentError, "Session token missing" end %>
+```yaml
+servers:
+  cron:
+    hosts:
+      - 192.168.0.1
+    cmd:
+      bash -c "cat config/crontab | crontab - && cron -f"
 ```
 
-This template can safely be checked into git. Then everyone deploying the app can run `mrsk envify` when they setup the app for the first time or passwords change to get the correct `.env` file.
-
-If you need separate env variables for different destinations, you can set them with `.env.destination.erb` for the template, which will generate `.env.staging` when run with `mrsk envify -d staging`.
+This assumes the Cron settings are stored in `config/crontab`.
 
 ### Using audit broadcasts
 
@@ -498,7 +565,7 @@ If you wish to remove the entire application, including Traefik, containers, ima
 
 ## Stage of development
 
-This is alpha software. Lots of stuff is missing. Lots of stuff will keep moving around for a while.
+This is beta software. Commands may still move around. But we're live in production at [37signals](https://37signals.com).
 
 ## License
 

lib/mrsk/cli/accessory.rb

@@ -13,7 +13,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
           execute *accessory.run
         end
 
-        audit_broadcast "Booted accessory #{name}"
+        audit_broadcast "Booted accessory #{name}" unless options[:skip_broadcast]
       end
     end
   end
@@ -153,9 +153,7 @@ class Mrsk::Cli::Accessory < Mrsk::Cli::Base
   option :confirmed, aliases: "-y", type: :boolean, default: false, desc: "Proceed without confirmation question"
   def remove(name)
     if name == "all"
-      if options[:confirmed] || ask("This will remove all containers and images for all accessories. Are you sure?", limited_to: %w( y N ), default: "N") == "y"
-        MRSK.accessory_names.each { |accessory_name| remove(accessory_name) }
-      end
+      MRSK.accessory_names.each { |accessory_name| remove(accessory_name) }
     else
       if options[:confirmed] || ask("This will remove all containers and images for #{name}. Are you sure?", limited_to: %w( y N ), default: "N") == "y"
         with_accessory(name) do

lib/mrsk/cli/app.rb

@@ -3,20 +3,26 @@ class Mrsk::Cli::App < Mrsk::Cli::Base
   def boot
     say "Get most recent version available as an image...", :magenta unless options[:version]
     using_version(options[:version] || most_recent_version_available) do |version|
-      say "Start container with version #{version} (or reboot if already running)...", :magenta
+      say "Start container with version #{version} using a #{MRSK.config.readiness_delay}s readiness delay (or reboot if already running)...", :magenta
 
+      cli = self
+      
       MRSK.config.roles.each do |role|
         on(role.hosts) do |host|
           execute *MRSK.auditor.record("Booted app version #{version}"), verbosity: :debug
 
           begin
-            execute *MRSK.app.stop, raise_on_non_zero_exit: false
+            old_version = capture_with_info(*MRSK.app.current_running_version).strip
             execute *MRSK.app.run(role: role.name)
+            sleep MRSK.config.readiness_delay
+            execute *MRSK.app.stop(version: old_version), raise_on_non_zero_exit: false if old_version.present?
+
           rescue SSHKit::Command::Failed => e
             if e.message =~ /already in use/
-              error "Rebooting container with same version already deployed on #{host}"
+              error "Rebooting container with same version #{version} already deployed on #{host} (may cause gap in zero-downtime promise!)"
               execute *MRSK.auditor.record("Rebooted app version #{version}"), verbosity: :debug
 
+              execute *MRSK.app.stop(version: version)
               execute *MRSK.app.remove_container(version: version)
               execute *MRSK.app.run(role: role.name)
             else

lib/mrsk/cli/base.rb

@@ -20,6 +20,8 @@ module Mrsk::Cli
     class_option :config_file, aliases: "-c", default: "config/deploy.yml", desc: "Path to config file"
     class_option :destination, aliases: "-d", desc: "Specify destination to be used for config file (staging -> deploy.staging.yml)"
 
+    class_option :skip_broadcast, aliases: "-B", type: :boolean, default: false, desc: "Skip audit broadcasts"
+
     def initialize(*)
       super
       load_envs

lib/mrsk/cli/healthcheck.rb

@@ -1,5 +1,7 @@
 class Mrsk::Cli::Healthcheck < Mrsk::Cli::Base
-  MAX_ATTEMPTS = 5
+  MAX_ATTEMPTS = 7
+
+  class HealthcheckError < StandardError; end
 
   default_command :perform
 
@@ -18,7 +20,7 @@ class Mrsk::Cli::Healthcheck < Mrsk::Cli::Base
           if status == "200"
             info "#{target} succeeded with 200 OK!"
           else
-            raise "#{target} failed with status #{status}"
+            raise HealthcheckError, "#{target} failed with status #{status}"
           end
         rescue SSHKit::Command::Failed
           if attempt <= MAX_ATTEMPTS
@@ -31,7 +33,7 @@ class Mrsk::Cli::Healthcheck < Mrsk::Cli::Base
             raise
           end
         end
-      rescue SSHKit::Command::Failed => e
+      rescue SSHKit::Command::Failed, HealthcheckError => e
         error capture_with_info(*MRSK.healthcheck.logs)
 
         if e.message =~ /curl/

lib/mrsk/cli/main.rb

@@ -32,7 +32,7 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
       invoke "mrsk:cli:prune:all"
     end
 
-    audit_broadcast "Deployed app in #{runtime.to_i} seconds"
+    audit_broadcast "Deployed app in #{runtime.to_i} seconds" unless options[:skip_broadcast]
   end
 
   desc "redeploy", "Deploy app to servers without bootstrapping servers, starting Traefik, pruning, and registry login"
@@ -47,7 +47,7 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
       invoke "mrsk:cli:app:boot"
     end
 
-    audit_broadcast "Redeployed app in #{runtime.to_i} seconds"
+    audit_broadcast "Redeployed app in #{runtime.to_i} seconds" unless options[:skip_broadcast]
   end
 
   desc "rollback [VERSION]", "Rollback app to VERSION"
@@ -55,14 +55,21 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
     MRSK.version = version
 
     if container_name_available?(MRSK.config.service_with_version)
-      say "Stop current version, then start version #{version}...", :magenta
+      say "Start version #{version}, then wait #{MRSK.config.readiness_delay}s for app to boot before stopping the old version...", :magenta
+
+      cli = self
 
       on(MRSK.hosts) do |host|
-        execute *MRSK.app.stop, raise_on_non_zero_exit: false
+        old_version = capture_with_info(*MRSK.app.current_running_version).strip.presence
+
         execute *MRSK.app.start
+
+        sleep MRSK.config.readiness_delay
+
+        execute *MRSK.app.stop(version: old_version), raise_on_non_zero_exit: false
       end
 
-      audit_broadcast "Rolled back app to version #{version}"
+      audit_broadcast "Rolled back app to version #{version}" unless options[:skip_broadcast]
     else
       say "The app version '#{version}' is not available as a container (use 'mrsk app containers' for available versions)", :red
     end
@@ -135,10 +142,10 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
   desc "remove", "Remove Traefik, app, accessories, and registry session from servers"
   option :confirmed, aliases: "-y", type: :boolean, default: false, desc: "Proceed without confirmation question"
   def remove
-    if options[:confirmed] || ask(remove_confirmation_question, limited_to: %w( y N ), default: "N") == "y"
+    if options[:confirmed] || ask("This will remove all containers and images. Are you sure?", limited_to: %w( y N ), default: "N") == "y"
       invoke "mrsk:cli:traefik:remove", [], options.without(:confirmed)
       invoke "mrsk:cli:app:remove", [], options.without(:confirmed)
-      invoke "mrsk:cli:accessory:remove", [ "all" ]
+      invoke "mrsk:cli:accessory:remove", [ "all" ], options
       invoke "mrsk:cli:registry:logout", [], options.without(:confirmed)
     end
   end
@@ -178,10 +185,4 @@ class Mrsk::Cli::Main < Mrsk::Cli::Base
       on(host) { container_names = capture_with_info(*MRSK.app.list_container_names).split("\n") }
       Array(container_names).include?(container_name)
     end
-
-    def remove_confirmation_question      
-      "This will remove all containers and images. " +
-      (MRSK.config.accessories.any? ? "Including #{MRSK.config.accessories.collect(&:name).to_sentence}. " : "") +
-      "Are you sure?"
-    end
 end

lib/mrsk/commands/app.rb

@@ -18,8 +18,10 @@ class Mrsk::Commands::App < Mrsk::Commands::Base
     docker :start, service_with_version
   end
 
-  def stop
-    pipe current_container_id, xargs(docker(:stop))
+  def stop(version: nil)
+    pipe \
+      version ? container_id_for_version(version) : current_container_id,
+      xargs(docker(:stop))
   end
 
   def info
@@ -132,6 +134,10 @@ class Mrsk::Commands::App < Mrsk::Commands::Base
       end
     end
 
+    def container_id_for_version(version)
+      container_id_for(container_name: service_with_version(version))    
+    end
+
     def service_filter
       [ "--filter", "label=service=#{config.service}" ]
     end

lib/mrsk/configuration.rb

@@ -136,6 +136,9 @@ class Mrsk::Configuration
     { "path" => "/up", "port" => 3000 }.merge(raw_config.healthcheck || {})
   end
 
+  def readiness_delay
+    raw_config.readiness_delay || 7
+  end
 
   def valid?
     ensure_required_keys_present && ensure_env_available

lib/mrsk/configuration/role.rb

@@ -58,10 +58,10 @@ class Mrsk::Configuration::Role
     def traefik_labels
       if running_traefik?
         {
-          "traefik.http.routers.#{config.service}.rule" => "'PathPrefix(`/`)'",
+          "traefik.http.routers.#{config.service}.rule" => "PathPrefix(`/`)",
           "traefik.http.services.#{config.service}.loadbalancer.healthcheck.path" => config.healthcheck["path"],
           "traefik.http.services.#{config.service}.loadbalancer.healthcheck.interval" => "1s",
-          "traefik.http.middlewares.#{config.service}.retry.attempts" => "3",
+          "traefik.http.middlewares.#{config.service}.retry.attempts" => "5",
           "traefik.http.middlewares.#{config.service}.retry.initialinterval" => "500ms"
         }
       else

lib/mrsk/utils.rb

@@ -1,13 +1,14 @@
 module Mrsk::Utils
   extend self
 
-  # Return a list of shell arguments using the same named argument against the passed attributes (hash or array).
+  # Return a list of escaped shell arguments using the same named argument against the passed attributes (hash or array).
   def argumentize(argument, attributes, redacted: false)
-    Array(attributes).flat_map do |k, v|
-      if v.present?
-        [ argument, redacted ? redact("#{k}=#{v}") : "#{k}=#{v}" ]
+    Array(attributes).flat_map do |key, value|
+      if value.present?
+        escaped_pair = [ key, value.to_s.dump.gsub(/`/, '\\\\`') ].join("=")
+        [ argument, redacted ? redact(escaped_pair) : escaped_pair ]
       else
-        [ argument, k ]
+        [ argument, key ]
       end
     end
   end

lib/mrsk/version.rb

@@ -1,3 +1,3 @@
 module Mrsk
-  VERSION = "0.8.0"
+  VERSION = "0.8.4"
 end

test/cli/accessory_test.rb

@@ -14,7 +14,7 @@ class CliAccessoryTest < CliTestCase
   end
 
   test "boot" do
-    assert_match "Running docker run --name app-mysql --detach --restart unless-stopped --log-opt max-size=10m --publish 3306:3306 -e [REDACTED] -e MYSQL_ROOT_HOST=% --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=app-mysql mysql:5.7 on 1.1.1.3", run_command("boot", "mysql")
+    assert_match "Running docker run --name app-mysql --detach --restart unless-stopped --log-opt max-size=10m --publish 3306:3306 -e [REDACTED] -e MYSQL_ROOT_HOST=\"%\" --volume $PWD/app-mysql/etc/mysql/my.cnf:/etc/mysql/my.cnf --volume $PWD/app-mysql/data:/var/lib/mysql --label service=\"app-mysql\" mysql:5.7 on 1.1.1.3", run_command("boot", "mysql")
   end
 
   test "exec" do

test/cli/app_test.rb

@@ -2,7 +2,16 @@ require_relative "cli_test_case"
 
 class CliAppTest < CliTestCase
   test "boot" do
-    assert_match /Running docker run --detach --restart unless-stopped/, run_command("boot")
+    # Stub current version fetch
+    SSHKit::Backend::Abstract.any_instance.stubs(:capture)
+      .returns("999") # new version
+      .then
+      .returns("123") # old version
+
+    run_command("boot").tap do |output|
+      assert_match /docker run --detach --restart unless-stopped/, output
+      assert_match /docker container ls --all --filter name=app-123 --quiet | xargs docker stop/, output
+    end
   end
 
   test "boot will reboot if same version is already running" do
@@ -11,12 +20,17 @@ class CliAppTest < CliTestCase
     # Prevent expected failures from outputting to terminal
     Thread.report_on_exception = false
 
-    MRSK.app.stubs(:run).raises(SSHKit::Command::Failed.new("already in use")).then.returns([ :docker, :run ])
+    MRSK.app.stubs(:run)
+      .raises(SSHKit::Command::Failed.new("already in use"))
+      .then
+      .raises(SSHKit::Command::Failed.new("already in use"))
+      .then
+      .returns([ :docker, :run ])
 
     run_command("boot").tap do |output|
-      assert_match /Rebooting container with same version already deployed/, output # Can't start what's already running
-      assert_match /docker ps --quiet --filter label=service=app \| xargs docker stop/, output # Stop what's running
-      assert_match /docker container ls --all --filter name=app-999 --quiet \| xargs docker container rm/, output # Remove old container
+      assert_match /Rebooting container with same version 999 already deployed/, output # Can't start what's already running
+      assert_match /docker container ls --all --filter name=app-999 --quiet | xargs docker container rm/, output # Stop old running
+      assert_match /docker container ls --all --filter name=app-999 --quiet | xargs docker container rm/, output # Remove old container
       assert_match /docker run/, output # Start new container
     end
   ensure

test/cli/main_test.rb

@@ -19,7 +19,7 @@ class CliMainTest < CliTestCase
     Mrsk::Cli::Main.any_instance.stubs(:container_name_available?).returns(true)
 
     run_command("rollback", "123").tap do |output|
-      assert_match /Stop current version, then start version 123/, output
+      assert_match /Start version 123/, output
       assert_match /docker ps -q --filter label=service=app | xargs docker stop/, output
       assert_match /docker start app-123/, output
     end

test/commands/accessory_test.rb

@@ -49,11 +49,11 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
 
   test "run" do
     assert_equal \
-      "docker run --name app-mysql --detach --restart unless-stopped --log-opt max-size=10m --publish 3306:3306 -e MYSQL_ROOT_PASSWORD=secret123 -e MYSQL_ROOT_HOST=% --label service=app-mysql mysql:8.0",
+      "docker run --name app-mysql --detach --restart unless-stopped --log-opt max-size=10m --publish 3306:3306 -e MYSQL_ROOT_PASSWORD=\"secret123\" -e MYSQL_ROOT_HOST=\"%\" --label service=\"app-mysql\" mysql:8.0",
       @mysql.run.join(" ")
 
     assert_equal \
-      "docker run --name app-redis --detach --restart unless-stopped --log-opt max-size=10m --publish 6379:6379 -e SOMETHING=else --volume /var/lib/redis:/data --label service=app-redis --label cache=true redis:latest",
+      "docker run --name app-redis --detach --restart unless-stopped --log-opt max-size=10m --publish 6379:6379 -e SOMETHING=\"else\" --volume /var/lib/redis:/data --label service=\"app-redis\" --label cache=\"true\" redis:latest",
       @redis.run.join(" ")
   end
 
@@ -78,7 +78,7 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
 
   test "execute in new container" do
     assert_equal \
-      "docker run --rm -e MYSQL_ROOT_PASSWORD=secret123 -e MYSQL_ROOT_HOST=% mysql:8.0 mysql -u root",
+      "docker run --rm -e MYSQL_ROOT_PASSWORD=\"secret123\" -e MYSQL_ROOT_HOST=\"%\" mysql:8.0 mysql -u root",
       @mysql.execute_in_new_container("mysql", "-u", "root").join(" ")
   end
 
@@ -90,7 +90,7 @@ class CommandsAccessoryTest < ActiveSupport::TestCase
 
   test "execute in new container over ssh" do
     @mysql.stub(:run_over_ssh, ->(cmd) { cmd.join(" ") }) do
-      assert_match %r|docker run -it --rm -e MYSQL_ROOT_PASSWORD=secret123 -e MYSQL_ROOT_HOST=% mysql:8.0 mysql -u root|,
+      assert_match %r|docker run -it --rm -e MYSQL_ROOT_PASSWORD=\"secret123\" -e MYSQL_ROOT_HOST=\"%\" mysql:8.0 mysql -u root|,
         @mysql.execute_in_new_container_over_ssh("mysql", "-u", "root")
     end
   end

test/commands/app_test.rb

@@ -14,7 +14,7 @@ class CommandsAppTest < ActiveSupport::TestCase
 
   test "run" do
     assert_equal \
-      "docker run --detach --restart unless-stopped --log-opt max-size=10m --name app-999 -e RAILS_MASTER_KEY=456 --label service=app --label role=web --label traefik.http.routers.app.rule='PathPrefix(`/`)' --label traefik.http.services.app.loadbalancer.healthcheck.path=/up --label traefik.http.services.app.loadbalancer.healthcheck.interval=1s --label traefik.http.middlewares.app.retry.attempts=3 --label traefik.http.middlewares.app.retry.initialinterval=500ms dhh/app:999",
+      "docker run --detach --restart unless-stopped --log-opt max-size=10m --name app-999 -e RAILS_MASTER_KEY=\"456\" --label service=\"app\" --label role=\"web\" --label traefik.http.routers.app.rule=\"PathPrefix(\\`/\\`)\" --label traefik.http.services.app.loadbalancer.healthcheck.path=\"/up\" --label traefik.http.services.app.loadbalancer.healthcheck.interval=\"1s\" --label traefik.http.middlewares.app.retry.attempts=\"5\" --label traefik.http.middlewares.app.retry.initialinterval=\"500ms\" dhh/app:999",
       @app.run.join(" ")
   end
 
@@ -22,7 +22,7 @@ class CommandsAppTest < ActiveSupport::TestCase
     @config[:volumes] = ["/local/path:/container/path" ]
 
     assert_equal \
-      "docker run --detach --restart unless-stopped --log-opt max-size=10m --name app-999 -e RAILS_MASTER_KEY=456 --volume /local/path:/container/path --label service=app --label role=web --label traefik.http.routers.app.rule='PathPrefix(`/`)' --label traefik.http.services.app.loadbalancer.healthcheck.path=/up --label traefik.http.services.app.loadbalancer.healthcheck.interval=1s --label traefik.http.middlewares.app.retry.attempts=3 --label traefik.http.middlewares.app.retry.initialinterval=500ms dhh/app:999",
+      "docker run --detach --restart unless-stopped --log-opt max-size=10m --name app-999 -e RAILS_MASTER_KEY=\"456\" --volume /local/path:/container/path --label service=\"app\" --label role=\"web\" --label traefik.http.routers.app.rule=\"PathPrefix(\\`/\\`)\" --label traefik.http.services.app.loadbalancer.healthcheck.path=\"/up\" --label traefik.http.services.app.loadbalancer.healthcheck.interval=\"1s\" --label traefik.http.middlewares.app.retry.attempts=\"5\" --label traefik.http.middlewares.app.retry.initialinterval=\"500ms\" dhh/app:999",
       @app.run.join(" ")
   end
 
@@ -30,7 +30,7 @@ class CommandsAppTest < ActiveSupport::TestCase
     @config[:healthcheck] = { "path" => "/healthz" }
 
     assert_equal \
-      "docker run --detach --restart unless-stopped --log-opt max-size=10m --name app-999 -e RAILS_MASTER_KEY=456 --label service=app --label role=web --label traefik.http.routers.app.rule='PathPrefix(`/`)' --label traefik.http.services.app.loadbalancer.healthcheck.path=/healthz --label traefik.http.services.app.loadbalancer.healthcheck.interval=1s --label traefik.http.middlewares.app.retry.attempts=3 --label traefik.http.middlewares.app.retry.initialinterval=500ms dhh/app:999",
+      "docker run --detach --restart unless-stopped --log-opt max-size=10m --name app-999 -e RAILS_MASTER_KEY=\"456\" --label service=\"app\" --label role=\"web\" --label traefik.http.routers.app.rule=\"PathPrefix(\\`/\\`)\" --label traefik.http.services.app.loadbalancer.healthcheck.path=\"/healthz\" --label traefik.http.services.app.loadbalancer.healthcheck.interval=\"1s\" --label traefik.http.middlewares.app.retry.attempts=\"5\" --label traefik.http.middlewares.app.retry.initialinterval=\"500ms\" dhh/app:999",
       @app.run.join(" ")
   end
 
@@ -94,7 +94,7 @@ class CommandsAppTest < ActiveSupport::TestCase
 
   test "execute in new container" do
     assert_equal \
-      "docker run --rm -e RAILS_MASTER_KEY=456 dhh/app:999 bin/rails db:setup",
+      "docker run --rm -e RAILS_MASTER_KEY=\"456\" dhh/app:999 bin/rails db:setup",
       @app.execute_in_new_container("bin/rails", "db:setup").join(" ")
   end
 
@@ -106,7 +106,7 @@ class CommandsAppTest < ActiveSupport::TestCase
 
   test "execute in new container over ssh" do
     @app.stub(:run_over_ssh, ->(cmd, host:) { cmd.join(" ") }) do
-      assert_match %r|docker run -it --rm -e RAILS_MASTER_KEY=456 dhh/app:999 bin/rails c|,
+      assert_match %r|docker run -it --rm -e RAILS_MASTER_KEY=\"456\" dhh/app:999 bin/rails c|,
         @app.execute_in_new_container_over_ssh("bin/rails", "c", host: "app-1")
     end
   end

test/commands/builder_test.rb

@@ -9,7 +9,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
     builder = new_builder_command
     assert_equal "multiarch", builder.name
     assert_equal \
-      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch -t dhh/app:123 -t dhh/app:latest --label service=app .",
+      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch -t dhh/app:123 -t dhh/app:latest --label service=\"app\" .",
       builder.push.join(" ")
   end
 
@@ -17,7 +17,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
     builder = new_builder_command(builder: { "multiarch" => false })
     assert_equal "native", builder.name
     assert_equal \
-      "docker build -t dhh/app:123 -t dhh/app:latest --label service=app . && docker push dhh/app:123",
+      "docker build -t dhh/app:123 -t dhh/app:latest --label service=\"app\" . && docker push dhh/app:123",
       builder.push.join(" ")
   end
 
@@ -25,7 +25,7 @@ class CommandsBuilderTest < ActiveSupport::TestCase
     builder = new_builder_command(builder: { "local" => { }, "remote" => { } })
     assert_equal "multiarch/remote", builder.name
     assert_equal \
-      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch-remote -t dhh/app:123 -t dhh/app:latest --label service=app .",
+      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch-remote -t dhh/app:123 -t dhh/app:latest --label service=\"app\" .",
       builder.push.join(" ")
   end
 
@@ -33,42 +33,42 @@ class CommandsBuilderTest < ActiveSupport::TestCase
     builder = new_builder_command(builder: { "remote" => { "arch" => "amd64" } })
     assert_equal "native/remote", builder.name
     assert_equal \
-      "docker buildx build --push --platform linux/amd64 --builder mrsk-app-native-remote -t dhh/app:123 -t dhh/app:latest --label service=app .",
+      "docker buildx build --push --platform linux/amd64 --builder mrsk-app-native-remote -t dhh/app:123 -t dhh/app:latest --label service=\"app\" .",
       builder.push.join(" ")
   end
 
   test "build args" do
     builder = new_builder_command(builder: { "args" => { "a" => 1, "b" => 2 } })
     assert_equal \
-      "-t dhh/app:123 -t dhh/app:latest --label service=app --build-arg a=1 --build-arg b=2",
+      "-t dhh/app:123 -t dhh/app:latest --label service=\"app\" --build-arg a=\"1\" --build-arg b=\"2\"",
       builder.target.build_options.join(" ")
   end
 
   test "build secrets" do
     builder = new_builder_command(builder: { "secrets" => ["token_a", "token_b"] })
     assert_equal \
-      "-t dhh/app:123 -t dhh/app:latest --label service=app --secret id=token_a --secret id=token_b",
+      "-t dhh/app:123 -t dhh/app:latest --label service=\"app\" --secret id=\"token_a\" --secret id=\"token_b\"",
       builder.target.build_options.join(" ")
   end
 
   test "native push with build args" do
     builder = new_builder_command(builder: { "multiarch" => false, "args" => { "a" => 1, "b" => 2 } })
     assert_equal \
-      "docker build -t dhh/app:123 -t dhh/app:latest --label service=app --build-arg a=1 --build-arg b=2 . && docker push dhh/app:123",
+      "docker build -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --build-arg a=\"1\" --build-arg b=\"2\" . && docker push dhh/app:123",
       builder.push.join(" ")
   end
 
   test "multiarch push with build args" do
     builder = new_builder_command(builder: { "args" => { "a" => 1, "b" => 2 } })
     assert_equal \
-      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch -t dhh/app:123 -t dhh/app:latest --label service=app --build-arg a=1 --build-arg b=2 .",
+      "docker buildx build --push --platform linux/amd64,linux/arm64 --builder mrsk-app-multiarch -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --build-arg a=\"1\" --build-arg b=\"2\" .",
       builder.push.join(" ")
   end
 
   test "native push with with build secrets" do
     builder = new_builder_command(builder: { "multiarch" => false, "secrets" => [ "a", "b" ] })
     assert_equal \
-      "docker build -t dhh/app:123 -t dhh/app:latest --label service=app --secret id=a --secret id=b . && docker push dhh/app:123",
+      "docker build -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --secret id=\"a\" --secret id=\"b\" . && docker push dhh/app:123",
       builder.push.join(" ")
   end
 

test/configuration/accessory_test.rb

@@ -72,20 +72,20 @@ class ConfigurationAccessoryTest < ActiveSupport::TestCase
   end
 
   test "label args" do
-    assert_equal ["--label", "service=app-mysql"], @config.accessory(:mysql).label_args
-    assert_equal ["--label", "service=app-redis", "--label", "cache=true"], @config.accessory(:redis).label_args
+    assert_equal ["--label", "service=\"app-mysql\""], @config.accessory(:mysql).label_args
+    assert_equal ["--label", "service=\"app-redis\"", "--label", "cache=\"true\""], @config.accessory(:redis).label_args
   end
 
   test "env args with secret" do
     ENV["MYSQL_ROOT_PASSWORD"] = "secret123"
-    assert_equal ["-e", "MYSQL_ROOT_PASSWORD=secret123", "-e", "MYSQL_ROOT_HOST=%"], @config.accessory(:mysql).env_args
+    assert_equal ["-e", "MYSQL_ROOT_PASSWORD=\"secret123\"", "-e", "MYSQL_ROOT_HOST=\"%\""], @config.accessory(:mysql).env_args
     assert @config.accessory(:mysql).env_args[1].is_a?(SSHKit::Redaction)
   ensure
     ENV["MYSQL_ROOT_PASSWORD"] = nil
   end
 
   test "env args without secret" do
-    assert_equal ["-e", "SOMETHING=else"], @config.accessory(:redis).env_args
+    assert_equal ["-e", "SOMETHING=\"else\""], @config.accessory(:redis).env_args
   end
 
   test "volume args" do

test/configuration/role_test.rb

@@ -38,11 +38,11 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
   end
 
   test "label args" do
-    assert_equal [ "--label", "service=app", "--label", "role=workers" ], @config_with_roles.role(:workers).label_args
+    assert_equal [ "--label", "service=\"app\"", "--label", "role=\"workers\"" ], @config_with_roles.role(:workers).label_args
   end
 
   test "special label args for web" do
-    assert_equal [ "--label", "service=app", "--label", "role=web", "--label", "traefik.http.routers.app.rule='PathPrefix(`/`)'", "--label", "traefik.http.services.app.loadbalancer.healthcheck.path=/up", "--label", "traefik.http.services.app.loadbalancer.healthcheck.interval=1s", "--label", "traefik.http.middlewares.app.retry.attempts=3", "--label", "traefik.http.middlewares.app.retry.initialinterval=500ms"], @config.role(:web).label_args
+    assert_equal [ "--label", "service=\"app\"", "--label", "role=\"web\"", "--label", "traefik.http.routers.app.rule=\"PathPrefix(\\`/\\`)\"", "--label", "traefik.http.services.app.loadbalancer.healthcheck.path=\"/up\"", "--label", "traefik.http.services.app.loadbalancer.healthcheck.interval=\"1s\"", "--label", "traefik.http.middlewares.app.retry.attempts=\"5\"", "--label", "traefik.http.middlewares.app.retry.initialinterval=\"500ms\""], @config.role(:web).label_args
   end
 
   test "custom labels" do
@@ -57,8 +57,8 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
   end
 
   test "overwriting default traefik label" do
-    @deploy[:labels] = { "traefik.http.routers.app.rule" => "'Host(`example.com`) || (Host(`example.org`) && Path(`/traefik`))'" }
-    assert_equal "'Host(`example.com`) || (Host(`example.org`) && Path(`/traefik`))'", @config.role(:web).labels["traefik.http.routers.app.rule"]
+    @deploy[:labels] = { "traefik.http.routers.app.rule" => "\"Host(\\`example.com\\`) || (Host(\\`example.org\\`) && Path(\\`/traefik\\`))\"" }
+    assert_equal "\"Host(\\`example.com\\`) || (Host(\\`example.org\\`) && Path(\\`/traefik\\`))\"", @config.role(:web).labels["traefik.http.routers.app.rule"]
   end
 
   test "default traefik label on non-web role" do
@@ -66,12 +66,12 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
       c[:servers]["beta"] = { "traefik" => "true", "hosts" => [ "1.1.1.5" ] }
     })
 
-    assert_equal [ "--label", "service=app", "--label", "role=beta", "--label", "traefik.http.routers.app.rule='PathPrefix(`/`)'", "--label", "traefik.http.services.app.loadbalancer.healthcheck.path=/up", "--label", "traefik.http.services.app.loadbalancer.healthcheck.interval=1s", "--label", "traefik.http.middlewares.app.retry.attempts=3", "--label", "traefik.http.middlewares.app.retry.initialinterval=500ms" ], config.role(:beta).label_args
+    assert_equal [ "--label", "service=\"app\"", "--label", "role=\"beta\"", "--label", "traefik.http.routers.app.rule=\"PathPrefix(\\`/\\`)\"", "--label", "traefik.http.services.app.loadbalancer.healthcheck.path=\"/up\"", "--label", "traefik.http.services.app.loadbalancer.healthcheck.interval=\"1s\"", "--label", "traefik.http.middlewares.app.retry.attempts=\"5\"", "--label", "traefik.http.middlewares.app.retry.initialinterval=\"500ms\"" ], config.role(:beta).label_args
   end
 
   test "env overwritten by role" do
     assert_equal "redis://a/b", @config_with_roles.role(:workers).env["REDIS_URL"]
-    assert_equal ["-e", "REDIS_URL=redis://a/b", "-e", "WEB_CONCURRENCY=4"], @config_with_roles.role(:workers).env_args
+    assert_equal ["-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args
   end
 
   test "env secret overwritten by role" do
@@ -95,9 +95,9 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
     }
 
     ENV["REDIS_PASSWORD"] = "secret456"
-    ENV["DB_PASSWORD"] = "secret123"
+    ENV["DB_PASSWORD"] = "secret&\"123"
 
-    assert_equal ["-e", "REDIS_PASSWORD=secret456", "-e", "DB_PASSWORD=secret123", "-e", "REDIS_URL=redis://a/b", "-e", "WEB_CONCURRENCY=4"], @config_with_roles.role(:workers).env_args
+    assert_equal ["-e", "REDIS_PASSWORD=\"secret456\"", "-e", "DB_PASSWORD=\"secret&\\\"123\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args
   ensure
     ENV["REDIS_PASSWORD"] = nil
     ENV["DB_PASSWORD"] = nil
@@ -116,7 +116,7 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
 
     ENV["DB_PASSWORD"] = "secret123"
 
-    assert_equal ["-e", "DB_PASSWORD=secret123", "-e", "REDIS_URL=redis://a/b", "-e", "WEB_CONCURRENCY=4"], @config_with_roles.role(:workers).env_args
+    assert_equal ["-e", "DB_PASSWORD=\"secret123\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args
   ensure
     ENV["DB_PASSWORD"] = nil
   end
@@ -133,7 +133,7 @@ class ConfigurationRoleTest < ActiveSupport::TestCase
 
     ENV["REDIS_PASSWORD"] = "secret456"
 
-    assert_equal ["-e", "REDIS_PASSWORD=secret456", "-e", "REDIS_URL=redis://a/b", "-e", "WEB_CONCURRENCY=4"], @config_with_roles.role(:workers).env_args
+    assert_equal ["-e", "REDIS_PASSWORD=\"secret456\"", "-e", "REDIS_URL=\"redis://a/b\"", "-e", "WEB_CONCURRENCY=\"4\""], @config_with_roles.role(:workers).env_args
   ensure
     ENV["REDIS_PASSWORD"] = nil
   end

test/configuration_test.rb

@@ -89,7 +89,7 @@ class ConfigurationTest < ActiveSupport::TestCase
   end
 
   test "env args" do
-    assert_equal [ "-e", "REDIS_URL=redis://x/y" ], @config.env_args
+    assert_equal [ "-e", "REDIS_URL=\"redis://x/y\"" ], @config.env_args
   end
 
   test "env args with clear and secrets" do
@@ -98,7 +98,7 @@ class ConfigurationTest < ActiveSupport::TestCase
       env: { "clear" => { "PORT" => "3000" }, "secret" => [ "PASSWORD" ] }
     }) })
 
-    assert_equal [ "-e", "PASSWORD=secret123", "-e", "PORT=3000" ], config.env_args
+    assert_equal [ "-e", "PASSWORD=\"secret123\"", "-e", "PORT=\"3000\"" ], config.env_args
     assert config.env_args[1].is_a?(SSHKit::Redaction)
   ensure
     ENV["PASSWORD"] = nil
@@ -109,7 +109,7 @@ class ConfigurationTest < ActiveSupport::TestCase
       env: { "clear" => { "PORT" => "3000" } }
     }) })
 
-    assert_equal [ "-e", "PORT=3000" ], config.env_args
+    assert_equal [ "-e", "PORT=\"3000\"" ], config.env_args
   end
 
   test "env args with only secrets" do
@@ -118,7 +118,7 @@ class ConfigurationTest < ActiveSupport::TestCase
       env: { "secret" => [ "PASSWORD" ] }
     }) })
 
-    assert_equal [ "-e", "PASSWORD=secret123" ], config.env_args
+    assert_equal [ "-e", "PASSWORD=\"secret123\"" ], config.env_args
     assert config.env_args[1].is_a?(SSHKit::Redaction)
   ensure
     ENV["PASSWORD"] = nil
@@ -181,6 +181,6 @@ class ConfigurationTest < ActiveSupport::TestCase
   end
 
   test "to_h" do
-    assert_equal({ :roles=>["web"], :hosts=>["1.1.1.1", "1.1.1.2"], :primary_host=>"1.1.1.1", :version=>"missing", :repository=>"dhh/app", :absolute_image=>"dhh/app:missing", :service_with_version=>"app-missing", :env_args=>["-e", "REDIS_URL=redis://x/y"], :ssh_options=>{:user=>"root", :auth_methods=>["publickey"]}, :volume_args=>["--volume", "/local/path:/container/path"], :healthcheck=>{"path"=>"/up", "port"=>3000 }}, @config.to_h)
+    assert_equal({ :roles=>["web"], :hosts=>["1.1.1.1", "1.1.1.2"], :primary_host=>"1.1.1.1", :version=>"missing", :repository=>"dhh/app", :absolute_image=>"dhh/app:missing", :service_with_version=>"app-missing", :env_args=>["-e", "REDIS_URL=\"redis://x/y\""], :ssh_options=>{:user=>"root", :auth_methods=>["publickey"]}, :volume_args=>["--volume", "/local/path:/container/path"], :healthcheck=>{"path"=>"/up", "port"=>3000 }}, @config.to_h)
   end
 end

test/fixtures/deploy_with_accessories.yml

@@ -27,3 +27,5 @@ accessories:
     port: 6379
     directories:
       - data:/data
+
+readiness_delay: 0