Swarm
Docker container clusters
- Lots of PKI and security automation
- A root signing certificate is created for our Swarm
- A certificate is issued for the first Manager node
- Join tokens are created
- A Raft database is created to store the root CA, configs and secrets
- Encrypted by default on disk
- No need for another key/value system to hold orchestration state or secrets
- Replicates logs amongst Managers via mutual TLS in the "control plane"
docker swarm join-token manager
- scaling a service up to multiple containers (replicas):
docker service update --replicas <#>
- In Docker 1.13, Docker adds a new layer of abstraction to Swarm called Stacks
- Stacks accept Compose files as their declarative definition for services, networks and volumes.
- We use 'docker stack deploy' rather than docker stack create - Stacks manage all those objects for us, including an overlay network per stack. The stack name is added to the start of each object's name.
- New 'deploy:' key in the Compose file; it does not support 'build:' - Compose now ignores 'deploy:'; Swarm ignores 'build:'
- The docker-compose CLI is not needed on the Swarm server
docker stack deploy -c my-stack.yml demoapp
docker stack services demoapp
- Easiest "secure" solution for storing secrets in Swarm
- Supports generic strings or binary content up to 500 KB in size
- Doesn't require apps to be rewritten
- As of Docker 1.13 the Swarm Raft DB is encrypted on disk
- Only stored on disk on Manager nodes
- By default the "control plane" between Managers and Workers is TLS + mutual auth
- Secrets are first stored in Swarm, then assigned to a Service
- Only containers in the assigned Services can see them
- They look like files in the container but actually live on an in-memory file system: /run/secrets/{secrets-name} or /run/secrets/{secrets-alias}
- Local docker-compose can use file-based secrets, but this is not secure
docker secret create psql_user psql_user.txt
# second secret: the service below expects psql_pass, so create it under that name
echo "MyDbPassWORD" | docker secret create psql_pass -
# Enable the secrets in the service
docker service create --name psql --secret psql_user --secret psql_pass -e POSTGRES_PASSWORD_FILE=/run/secrets/psql_pass -e POSTGRES_USER_FILE=/run/secrets/psql_user postgres
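The `POSTGRES_*_FILE` variables above work because the image's entrypoint resolves each credential from a file under /run/secrets before falling back to a plain environment variable. The following added example (not code from the page or from Docker) shows how an application of your own can consume Swarm secrets the same way; `read_secret`, `make_demo_secrets_dir` and `postgres_credentials` are hypothetical names, and the demo directory stands in for the real tmpfs mount so it runs outside a Swarm.

```python
import os
import tempfile
from pathlib import Path

SECRETS_DIR = Path("/run/secrets")  # tmpfs mount Swarm gives each container


def read_secret(var, secret_name=None, env=None, secrets_dir=SECRETS_DIR):
    """Resolve a credential the way the official image entrypoints do.

    Order: VAR_FILE env var (explicit path) -> /run/secrets/<secret_name>
    -> plain VAR env var (the insecure local-compose fallback).
    Refuses to pick silently when both VAR and VAR_FILE are set.
    """
    env = os.environ if env is None else env
    file_var = f"{var}_FILE"
    if var in env and file_var in env:
        raise ValueError(f"both {var} and {file_var} are set")
    secret_name = secret_name or var.lower()
    path = Path(env[file_var]) if file_var in env else Path(secrets_dir) / secret_name
    if path.is_file():
        # `echo ... | docker secret create` stores echo's trailing newline; drop it.
        return path.read_text(encoding="utf-8").rstrip("\n")
    if var in env:
        return env[var]
    raise KeyError(f"{var}: no {file_var}, no {path}, no plain env var")


def make_demo_secrets_dir():
    """Constructed stand-in for /run/secrets (hypothetical helper, demo only)."""
    d = Path(tempfile.mkdtemp(prefix="run-secrets-"))
    (d / "psql_user").write_text("postgres\n")       # as if from psql_user.txt
    (d / "psql_pass").write_text("MyDbPassWORD\n")   # newline left by echo
    return d


def postgres_credentials(env, secrets_dir=SECRETS_DIR):
    """The two values the psql service on this page needs."""
    return {
        "user": read_secret("POSTGRES_USER", "psql_user", env, secrets_dir),
        "password": read_secret("POSTGRES_PASSWORD", "psql_pass", env, secrets_dir),
    }


if __name__ == "__main__":
    d = make_demo_secrets_dir()
    # Same environment the `docker service create` line above passes in.
    env = {"POSTGRES_PASSWORD_FILE": str(d / "psql_pass"),
           "POSTGRES_USER_FILE": str(d / "psql_user")}
    print(postgres_credentials(env, d))
```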
With Compose file format 3.1, secrets are supported inside Compose files:
secrets:
  my_first_secret:
    file: ./secret_data
  my_second_secret:
    external: true
    name: redis_secret