Docker container clusters

docker swarm init

    Lots of PKI and security automation
      Root signing certificate created for our Swarm
      Certificate issued for the first Manager node
      Join tokens created
    Raft database created to store the root CA, configs and secrets
      Encrypted on disk by default
      No need for another key / value system to hold orchestration state / secrets
      Replicates logs amongst Managers via mutual TLS in the "control plane"
docker swarm join-token manager
    Scaling a service up to multiple containers (replicas):
    docker service update --replicas <#>

Swarm Stacks: Production grade compose

    In Docker 1.13, Docker adds a new layer of abstraction to Swarm called Stacks
    Stacks accept Compose files as their declarative definition for services, networks and volumes.
    We use 'docker stack deploy' rather than 'docker stack create'
    Stacks manage all those objects for us, including an overlay network per stack; the stack name is prefixed to each object's name.
    New 'deploy:' key in the Compose file; Stacks do not support 'build:'
    Compose ignores 'deploy:'; Swarm ignores 'build:'
    The docker-compose CLI is not needed on the Swarm server
docker stack deploy -c my-stack.yml demoapp
docker stack services demoapp

Swarm Secrets Storage

    Easiest "secure" solution for storing secrets in Swarm
    Supports generic strings or binary content up to 500Kb in size
    Doesn't require apps to be rewritten
    As of Docker 1.13 the Swarm Raft DB is encrypted on disk
    Only stored on disk on Manager nodes
    By default, the Manager/Worker "control plane" uses TLS with mutual authentication
    Secrets are first stored in the Swarm, then assigned to a Service
    Only containers in the assigned Services can see them
    They appear as files in the container but are actually on an in-memory (tmpfs) file system
    /run/secrets/{secrets-name} or /run/secrets/{secrets-alias}
    Local docker-compose can use file-based secrets, but this is not secure

Option 1 - create from file

docker secret create psql_user psql_user.txt

Option 2 - Create from STDIN

echo "MyDbPassWORD" | docker secret create psql_user -
# Enable the secrets in the service
docker service create --name psql --secret psql_user --secret psql_pass -e POSTGRES_PASSWORD_FILE=/run/secrets/psql_pass -e POSTGRES_USER_FILE=/run/secrets/psql_user postgres
With Compose file format 3.1, secrets are supported inside Compose files. A secret under the top-level 'secrets:' key is defined either from a local file:
    file: ./secret_data
or as an external secret that already exists in the Swarm:
    external: true
    name: redis_secret
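A complete stack file tying the Stacks and Secrets notes above together, as an added example that is not part of the original notes: the 'deploy:' key, a file-based and an external secret, a secret alias, and the postgres image's *_FILE variables from the 'docker service create' command above. The service names, the './psql_user.txt' path and the pre-created 'psql_pass' secret are assumptions.

```yaml
# Added example stack file (not from the original notes). Deploy with:
#   docker stack deploy -c stack.yml demoapp
# Assumptions: ./psql_user.txt exists locally and psql_pass was created
# beforehand with `docker secret create psql_pass -`.
version: "3.1"            # first Compose file format with 'secrets:' support

services:
  db:
    image: postgres       # 'build:' would be ignored by 'docker stack deploy'
    environment:
      # The postgres image reads the credentials from these paths, so the
      # values never appear in the environment or in 'docker inspect'.
      POSTGRES_USER_FILE: /run/secrets/psql_user
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - psql_user         # short form: mounted at /run/secrets/psql_user
      - source: psql_pass
        target: db_password   # alias: mounted at /run/secrets/db_password
    deploy:               # honoured by Swarm, ignored by docker-compose
      replicas: 1
    networks:
      - backend

  web:
    image: nginx:alpine
    deploy:
      replicas: 3         # same effect as 'docker service update --replicas 3'
    networks:
      - backend

networks:
  backend:                # created as the overlay network 'demoapp_backend'

secrets:
  psql_user:
    file: ./psql_user.txt # file-based: sent to the Swarm at deploy time
  psql_pass:
    external: true        # must already exist in the Swarm's Raft store
```

Only the 'db' service lists the secrets, so the 'web' containers never get them mounted, which is the per-Service scoping described above.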