# Swarm

## docker swarm init

* Lots of PKI and security automation
  * A root signing certificate (CA) is created for our Swarm
  * A certificate is issued to the first Manager node
  * Join tokens are created
* A Raft database is created to store the root CA, configs and secrets
  * Encrypted on disk by default
  * No need for another key/value system to hold orchestration state or secrets
  * Replicates logs among Managers via mutual TLS on the "control plane"

`docker swarm join-token manager`

* Scaling up to multiple containers: `docker service update --replicas <#> <service>`

## Swarm Stacks: Production grade compose

* In Docker 1.13 Docker adds a new layer of abstraction to Swarm called Stacks
* Stacks accept Compose files as their declarative definition for services, networks and volumes
* We use `docker stack deploy` rather than `docker stack create`
* Stacks manage all those objects for us, including an overlay network per stack, and prefix each object's name with the stack name
* New `deploy:` key in the Compose file; it does not support `build:`
* Compose ignores `deploy:`; Swarm ignores `build:`
* The `docker-compose` CLI is not needed on the Swarm server

`docker stack deploy -c my-stack.yml demoapp`\
`docker stack services demoapp`

## Swarm Secrets Storage

* Easiest "secure" solution for storing secrets in Swarm
* Supports generic strings or binary content up to 500 KB in size
* Doesn't require apps to be rewritten
* As of Docker 1.13 the Swarm Raft DB is encrypted on disk
* Only stored on disk on Manager nodes
* By default the Manager/Worker "control plane" uses TLS with mutual authentication
* Secrets are first stored in Swarm, then assigned to a Service
* Only containers in the assigned Services can see them
* They look like files in the container but actually live on an in-memory file system
* `/run/secrets/{secrets-name}` or `/run/secrets/{secrets-alias}`
* Local `docker-compose` can use file-based secrets, but that is not secure

### Option 1 - create from file

`docker secret create psql_user psql_user.txt`

### Option 2 - create from STDIN

`echo "MyDbPassWORD" | docker secret create psql_user -`

Enable the secrets in the service:

`docker service create --name psql --secret psql_user --secret psql_pass -e POSTGRES_PASSWORD_FILE=/run/secrets/psql_pass -e POSTGRES_USER_FILE=/run/secrets/psql_user postgres`
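The `postgres` image honours `POSTGRES_PASSWORD_FILE` by reading the mounted secret itself; an application you write has to do the same. The following is an added example, not code from the page or from Docker: a small Python helper implementing the `KEY_FILE` convention, using a constructed temporary directory as a stand-in for `/run/secrets` (the file and env names are assumptions).

```python
import os
from pathlib import Path
import tempfile


def read_secret_file(path):
    """Read one Swarm secret file (e.g. /run/secrets/psql_pass).

    A secret created with `echo "..." | docker secret create name -` carries
    the trailing newline that echo added; strip exactly that one newline and
    nothing else, since other whitespace may be part of the secret.
    """
    data = Path(path).read_bytes()
    if data.endswith(b"\n"):
        data = data[:-1]
    return data.decode("utf-8")


def config_value(key, environ=None):
    """Resolve KEY the way the postgres image resolves POSTGRES_PASSWORD.

    KEY_FILE (a path under /run/secrets) takes precedence over a plain KEY
    variable. Setting both is rejected so that a leftover plain-text value
    can never silently shadow the secret the operator intended to use.
    """
    env = os.environ if environ is None else environ
    file_var = key + "_FILE"
    if file_var in env and key in env:
        raise ValueError(f"{key} and {file_var} are both set")
    if file_var in env:
        return read_secret_file(env[file_var])
    if key in env:
        return env[key]
    raise KeyError(f"neither {key} nor {file_var} is set")


def demo():
    """Constructed stand-in for /run/secrets: a temp dir with two secrets."""
    with tempfile.TemporaryDirectory() as secrets_dir:
        Path(secrets_dir, "psql_user").write_text("dbadmin")
        # Written with a trailing newline, as `echo` would have produced it.
        Path(secrets_dir, "psql_pass").write_text("MyDbPassWORD\n")
        env = {
            "POSTGRES_USER_FILE": f"{secrets_dir}/psql_user",
            "POSTGRES_PASSWORD_FILE": f"{secrets_dir}/psql_pass",
        }
        return config_value("POSTGRES_USER", env), config_value("POSTGRES_PASSWORD", env)


if __name__ == "__main__":
    print(demo())  # ('dbadmin', 'MyDbPassWORD')
```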

With Compose file format 3.1, secrets are supported inside Compose files:

```yaml
secrets:
  my_first_secret:
    file: ./secret_data
  my_second_secret:
    external: true
    name: redis_secret
```

