Docker container clusters

docker swarm init

  • Lots of PKI and security automation
    • A root signing certificate is created for our Swarm
    • A certificate is issued to the first Manager node
    • Join tokens are created
  • A Raft database is created to store the root CA, configs and secrets
    • Encrypted by default on disk
    • No need for another key / value system to hold orchestration data / secrets
    • Replicates logs amongst Managers via mutual TLS on the "control plane"
docker swarm join-token manager
  • Scaling a service up to multiple containers: docker service update --replicas <#>

Swarm Stacks: Production grade compose

  • In Docker 1.13, Docker adds a new layer of abstraction to Swarm called Stacks
  • Stacks accept Compose files as their declarative definition for services, networks and volumes.
  • We use 'docker stack deploy' rather than 'docker stack create'
  • Stacks manage all those objects for us, including an overlay network per stack, and prefix each object's name with the stack name.
  • New 'deploy:' key in Compose file, does not support 'build:'
  • Compose now ignores 'deploy:'; Swarm ignores 'build:'
  • docker-compose CLI is not needed on Swarm server
docker stack deploy -c my-stack.yml demoapp
docker stack services demoapp

Swarm Secrets Storage

  • Easiest "secure" solution for storing secrets in Swarm
  • Supports generic strings or binary content up to 500Kb in size
  • Doesn't require apps to be rewritten
  • As of Docker 1.13 Swarm Raft DB is encrypted on disk
  • Only stored on disk on manager nodes
  • By default the Manager / Worker "control plane" uses TLS with mutual authentication
  • Secrets are first stored in Swarm then assigned to a Service
  • Only containers in assigned Services can see them
  • They look like files inside the container but are actually mounted from an in-memory file system
  • /run/secrets/{secrets-name} or /run/secrets/{secrets-alias}
  • Local docker-compose can use file-based secrets, but that is not secure

Option 1 - create from file

docker secret create psql_user psql_user.txt

Option 2 - Create from STDIN

echo "MyDbPassWORD" | docker secret create psql_user -
// Grant the secrets to the service
docker service create --name psql \
  --secret psql_user --secret psql_pass \
  -e POSTGRES_PASSWORD_FILE=/run/secrets/psql_pass \
  -e POSTGRES_USER_FILE=/run/secrets/psql_user \
  postgres
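An app-side reader for secrets delivered this way, added here as an example (it is not code from these notes or from Docker): it reads /run/secrets/<name>, implements the NAME / NAME_FILE lookup that the POSTGRES_*_FILE variables above rely on, and strips the trailing newline that `echo` in Option 2 stores with the secret. The function names and the constructed secrets directory are assumptions.

```python
import os
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # Swarm mounts granted secrets here (in-memory fs)


def _read_secret_file(path):
    """File contents minus exactly one trailing newline.

    `echo "..." | docker secret create` stores the newline echo appends; a raw
    read would hand the app a password that does not match what was typed."""
    data = Path(path).read_text(encoding="utf-8")
    return data[:-1] if data.endswith("\n") else data


def swarm_secret(name, secrets_dir=SECRETS_DIR):
    """Read the secret (or alias) `name` from the Swarm mount point."""
    path = Path(secrets_dir) / name
    if not path.is_file():
        raise FileNotFoundError(f"{path} missing: secret not granted to this service")
    return _read_secret_file(path)


def read_setting(name, env=None):
    """NAME_FILE (a mounted secret) wins; NAME is the legacy plaintext fallback.

    Setting both is rejected rather than resolved by silent precedence, so an
    environment variable can never shadow the file-based secret unnoticed."""
    env = os.environ if env is None else env
    file_var = f"{name}_FILE"
    if name in env and file_var in env:
        raise ValueError(f"{name} and {file_var} are both set; use only one")
    if file_var in env:
        return _read_secret_file(env[file_var])
    if name in env:
        return env[name]
    raise KeyError(f"neither {name} nor {file_var} is set")


def constructed_secrets_dir():
    """Constructed stand-in for /run/secrets so the code runs outside Swarm."""
    d = Path(tempfile.mkdtemp())
    (d / "psql_user").write_text("postgres")        # Option 1 style: file, no newline
    (d / "psql_pass").write_text("MyDbPassWORD\n")  # Option 2 style: echo added "\n"
    return d
```

Because `echo` appends a newline, prefer `printf '%s'` when piping a secret into `docker secret create`; the reader above tolerates either form.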
With Compose file format 3.1, secrets are supported inside Compose files. Under the top-level 'secrets:' key, each secret is either created from a local file or references one that already exists in Swarm:
file: ./secret_data
external: true
name: redis_secret