Docker container clusters

docker swarm init

  • Lots of PKI and security automation

    • A root signing certificate (root CA) is created for our Swarm

    • A certificate is issued for the first Manager node

    • Join tokens are created

  • A Raft database is created to store the root CA, configs and secrets

    • Encrypted by default on disk

    • No need for another key / value system to hold orchestration data / secrets

    • Replicates logs amongst Managers via mutual TLS in the "control plane"

docker swarm join-token manager

  • Scale a service up to multiple containers:

  • docker service update --replicas <#> <service>
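The bootstrap and scaling steps above, as an added example that is not part of the original notes: a small POSIX shell wrapper that initialises the first manager, hands out and rotates join tokens, and validates the replica count before calling 'docker service update'. It assumes a host with the Docker CLI and daemon; the --autolock flag, the -q/--rotate flags of 'docker swarm join-token' and the function names are my additions.

```shell
#!/bin/sh
# Added example: Swarm bootstrap helpers (not from the original notes).
# Assumes the Docker CLI talks to a local daemon.
set -eu

# Initialise the first manager. This is the step where the root CA, the
# manager certificate and the join tokens are generated. --autolock keeps
# the Raft store's encryption key out of the on-disk state, so a copied
# data directory cannot be decrypted just by starting dockerd again.
init_manager() {
    addr=$1
    docker swarm init --advertise-addr "$addr" --autolock >/dev/null
}

# Print the current join token for a role: "manager" or "worker".
# Treat the output like a password; anyone holding it can join the cluster.
join_token() {
    docker swarm join-token -q "$1"
}

# Rotate the token for a role. Old tokens stop working immediately;
# nodes that already joined are not affected.
rotate_join_token() {
    docker swarm join-token -q --rotate "$1"
}

# Scale a service, refusing anything that is not a non-negative integer
# so a typo never reaches 'docker service update'.
scale_service() {
    name=$1
    replicas=$2
    case $replicas in
        ''|*[!0-9]*)
            echo "replicas must be an integer, got '$replicas'" >&2
            return 1 ;;
    esac
    docker service update --replicas "$replicas" "$name"
}

# Usage (only runs when invoked with --run, so sourcing the file is safe):
if [ "${1:-}" = "--run" ]; then
    init_manager "${2:-127.0.0.1}"
    echo "worker token: $(join_token worker)"
    rotate_join_token worker >/dev/null
    echo "worker token rotated"
fi
```

Rotating the worker token after every onboarding batch limits how long a leaked token stays useful; manager tokens deserve the same treatment, since a rogue manager can read the Raft store.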

Swarm Stacks: Production grade compose

  • In Docker 1.13, Docker adds a new layer of abstraction to Swarm called Stacks

  • Stacks accept Compose files as their declarative definition for services, networks and volumes.

  • We use 'docker stack deploy' rather than 'docker stack create'

  • Stacks manage all those objects for us, including an overlay network per stack, and prefix each object's name with the stack name.

  • New 'deploy:' key in the Compose file; Stacks do not support 'build:'

  • Compose ignores 'deploy:'; Swarm ignores 'build:'

  • docker-compose CLI is not needed on Swarm server

docker stack deploy -c my-stack.yml demoapp

docker stack services demoapp

Swarm Secrets Storage

  • Easiest "secure" solution for storing secrets in Swarm

  • Supports generic strings or binary content up to 500Kb in size

  • Doesn't require apps to be rewritten

  • As of Docker 1.13 Swarm Raft DB is encrypted on disk

  • Only stored on disk on Manager nodes

  • By default the Manager / Worker "control plane" uses TLS with mutual authentication

  • Secrets are first stored in Swarm, then assigned to a Service

  • Only containers in the assigned Services can see them

  • They look like files in the container but actually live on an in-memory file system

  • /run/secrets/{secrets-name} or /run/secrets/{secrets-alias}

  • Local docker-compose can use file-based secrets, but that is not secure

Option 1 - create from file

docker secret create psql_user psql_user.txt

Option 2 - Create from STDIN

echo "MyDbPassWORD" | docker secret create psql_user -

// Enable the secrets in the service

docker service create --name psql --secret psql_user --secret psql_pass -e POSTGRES_PASSWORD_FILE=/run/secrets/psql_pass -e POSTGRES_USER_FILE=/run/secrets/psql_user postgres

With Compose file format 3.1, secrets are supported inside Compose files. A secret is defined either from a local file or as external (already created in Swarm); the two secret keys below are illustrative:

    secrets:
      psql_user:
        file: ./secret_data
      redis_secret:
        external: true
        name: redis_secret
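An added example covering both the Stacks section and the secrets sections above (it is not code from the original notes): a POSIX shell wrapper that checks a file before feeding it to 'docker secret create', plus a generator for a Compose 3.1 stack file that consumes the secrets through the Postgres *_FILE variables. It assumes the Docker CLI on a Swarm manager; the secret names psql_user and psql_pass come from the notes, while the 500 KB limit is taken from the notes, and the file names, function names and the MAX_SECRET_BYTES constant are my own.

```shell
#!/bin/sh
# Added example: guarded secret creation and a stack file with secrets.
# Not from the original notes; assumes the Docker CLI on a manager node.
set -eu

MAX_SECRET_BYTES=512000   # the 500 KB per-secret limit from the notes (assumed as 500*1024)

# Return 0 if FILE is acceptable as secret input: a regular file, within
# the size limit, and not readable by "other" users (a secret file any
# local account can read has already leaked before it reaches Swarm).
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -le "$MAX_SECRET_BYTES" ] || {
        echo "$f: $size bytes exceeds $MAX_SECRET_BYTES" >&2; return 1; }
    # column 8 of 'ls -l' is the read bit for "other": 'r' or '-'
    others=$(ls -l "$f" | cut -c8)
    [ "$others" = "-" ] || { echo "$f: world-readable; run chmod o-r first" >&2; return 1; }
    return 0
}

# Create secret NAME from FILE only after the checks pass.
create_secret_from_file() {
    check_secret_file "$2" || return 1
    docker secret create "$1" "$2"
}

# Write a Compose 3.1 stack file to PATH. psql_user is sourced from a local
# file at deploy time; psql_pass must already exist in Swarm (external).
# Postgres reads both from /run/secrets, so no credential ever appears in
# the environment or in 'docker service inspect'. 'deploy:' is honoured by
# Swarm; there is no 'build:' because Stacks do not support it.
write_stack_file() {
    cat > "$1" <<'EOF'
version: "3.1"
services:
  db:
    image: postgres
    environment:
      POSTGRES_USER_FILE: /run/secrets/psql_user
      POSTGRES_PASSWORD_FILE: /run/secrets/psql_pass
    secrets:
      - psql_user
      - psql_pass
    deploy:
      replicas: 1
secrets:
  psql_user:
    file: ./psql_user.txt
  psql_pass:
    external: true
EOF
}

# Usage (only runs when invoked with --run): create the external secret
# from a file, write the stack file and deploy it.
if [ "${1:-}" = "--run" ]; then
    create_secret_from_file psql_pass ./psql_pass.txt
    write_stack_file ./my-stack.yml
    docker stack deploy -c ./my-stack.yml demoapp
fi
```

The file-based secret in the stack file is convenient for deploy-time bootstrapping, but the plaintext stays on the manager's disk until you delete it; creating the secret once with 'docker secret create' and referencing it as external keeps the only copy inside the encrypted Raft store.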
