- `registry://<value-name>`: The credential spec is read from the Windows registry on the daemon’s host.
- `config://<config-name>`: The config name is automatically converted to the config ID in the CLI. The credential spec contained in the specified `config` is used.
The following simple example retrieves the gMSA name and JSON contents from your Active Directory (AD) instance:
```console
$ name="mygmsa"
$ contents="{...}"
$ echo "$contents" > credspec.json
```
Make sure that the nodes to which you are deploying are correctly configured for the gMSA.
To use a config as a credential spec, create a Docker config from a credential spec file named `credspec.json`.
You can give the `config` any name.
```console
$ docker config create --label com.docker.gmsa.name=mygmsa credspec credspec.json
```
Now you can create a service using this credential spec. Specify the `--credential-spec` flag with the config name:
```console
$ docker service create --credential-spec="config://credspec" <your image>
```
Your service uses the gMSA credential spec when it starts, but unlike a typical Docker config (used by passing the `--config` flag), the credential spec is not mounted into the container.
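A pre-flight check for the steps above, run before `docker config create`. This is an added example, not code from the Docker documentation. It assumes the JSON layout written by Microsoft's CredentialSpec PowerShell module (the page elides the contents as `{...}`), and the function names and sample values are hypothetical.

```python
import json

# Constructed sample. Field names follow the layout written by Microsoft's
# CredentialSpec PowerShell module (assumption: the page elides it as "{...}").
SAMPLE_CREDSPEC = """{
  "CmsPlugins": ["ActiveDirectory"],
  "DomainJoinConfig": {"DnsName": "example.test", "NetBiosName": "EXAMPLE",
                       "MachineAccountName": "mygmsa"},
  "ActiveDirectoryConfig": {"GroupManagedServiceAccounts": [
      {"Name": "mygmsa", "Scope": "example.test"},
      {"Name": "mygmsa", "Scope": "EXAMPLE"}]}
}"""


def check_credspec(text, gmsa_name):
    """Return a list of problems; an empty list means the spec looks usable."""
    try:
        spec = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(spec, dict):
        return ["top level must be a JSON object"]
    problems = []
    plugins = spec.get("CmsPlugins")
    if not isinstance(plugins, list) or "ActiveDirectory" not in plugins:
        problems.append("CmsPlugins does not list ActiveDirectory")
    if not isinstance(spec.get("DomainJoinConfig"), dict):
        problems.append("DomainJoinConfig object is missing")
    ad = spec.get("ActiveDirectoryConfig")
    accounts = ad.get("GroupManagedServiceAccounts") if isinstance(ad, dict) else None
    names = {str(a.get("Name", "")).lower()
             for a in (accounts if isinstance(accounts, list) else [])
             if isinstance(a, dict)}
    if not names:
        problems.append("no GroupManagedServiceAccounts entries")
    elif gmsa_name.lower() not in names:
        # The label would then name an account the spec does not contain.
        problems.append(f"gMSA {gmsa_name!r} is not one of {sorted(names)}")
    return problems


def config_create_argv(config_name, gmsa_name, path):
    """The page's `docker config create` call as an argv list (no shell parsing)."""
    return ["docker", "config", "create", "--label",
            f"com.docker.gmsa.name={gmsa_name}", config_name, path]


if __name__ == "__main__":
    issues = check_credspec(SAMPLE_CREDSPEC, "mygmsa")
    print(issues or config_create_argv("credspec", "mygmsa", "credspec.json"))
```

An empty result means the file parses and the name used in the `com.docker.gmsa.name` label appears in the spec; the literal placeholder `{...}` is reported as invalid JSON.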
## Update a service
You can change almost everything about an existing service using the
`docker service update` command. When you update a service, Docker stops its
containers and restarts them with the new configuration.
Since Nginx is a web service, it works much better if you publish port 80
to clients outside the swarm. You can specify this when you create the service,
using the `-p` or `--publish` flag. When updating an existing service, the flag
is `--publish-add`. There is also a `--publish-rm` flag to remove a port that
was previously published.
Assuming that the `my_web` service from the previous section still exists, use
the following command to update it to publish port 80.
```console
$ docker service update --publish-add 80 my_web
```
To verify that it worked, use `docker service ls`:
```console
$ docker service ls
ID             NAME     MODE         REPLICAS   IMAGE                                                                                             PORTS
4nhxl7oxw5vz   my_web   replicated   1/1        docker.io/library/nginx@sha256:41ad9967ea448d7c2b203c699b429abe1ed5af331cd92533900c6d77490e0268   *:0->80/tcp
```
For more information on how publishing ports works, see
[publish ports](#publish-ports).
You can update almost every configuration detail about an existing service,
including the image name and tag it runs. See
[Update a service's image after creation](#update-a-services-image-after-creation).
## Remove a service
To remove a service, use the `docker service remove` command. You can remove a
service by its ID or name, as shown in the output of the `docker service ls`
command. The following command removes the `my_web` service.
```console
$ docker service remove my_web
```
## Service configuration details
The following sections provide details about service configuration. This topic
does not cover every flag or scenario. In almost every instance where you can
define a configuration at service creation, you can also update an existing
service's configuration in a similar way.
See the command-line references for
[`docker service create`](/reference/cli/docker/service/create.md) and
[`docker service update`](/reference/cli/docker/service/update.md), or run
one of those commands with the `--help` flag.
### Configure the runtime environment
You can configure the following options for the runtime environment in the
container:
* Environment variables using the `--env` flag
* The working directory inside the container using the `--workdir` flag
* The username or UID using the `--user` flag
The following service's containers have an environment variable `$MYVAR`
set to `myvalue`, run from the `/tmp/` directory, and run as the