In this example, there are 3 servers with Docker installed on it. If docker is not installed, you can see the installation here.
There will be one manager and two workers:
Master – manager (IP: 1.1.1.1)
Slave_1 – worker (IP: 1.1.2.1)
Slave_2 – worker (IP: 1.1.2.2)
Required ports for Docker Swarm to work: 2376 and 2377 (TCP). Make sure that the swarm participants are allowed to interact.
Creating Docker Swarm
On the Master server, do the following:
docker swarm init --advertise-addr 1.1.1.1
We get a message like:
Swarm initialized: current node (ssmj2qyqxejd72p6sa9jinnza) is now a manager. To add a worker to this swarm, run the following command: docker swarm join \ --token SWMTKN-1-3qg9vovt2mxyfu1dfj2nocmkzd3i351z1z0aapd9jxxu7mafff-93r77xv8mrqsgfkf9nei902zk \ 1.1.1.1:2377 To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
Swarm is created and there is one manager in it. Information on the swarm can be viewed with the command:
docker info
Add workers to the swarm, for this we will execute the command that we received earlier when creating the swarm on the Master server on the Slave_1 and Slave_2 servers:
docker swarm join \ --token SWMTKN-1-3qg9vovt2mxyfu1dfj2nocmkzd3i351z1z0aapd9jxxu7mafff-93r77xv8mrqsgfkf9nei902zk \ 1.1.1.1:2377
If everything is ok, it will display the following message:
This node joined a swarm as a worker.
On the swarm manager (Master server), you can see a list of all the nodes in the swarm:
docker node ls
That’s it, Docker Swarm is up, now it remains to add the certificates.
Certificate generation
We return to the Master server.
Create a folder for storing certificates and generate a private CA key:
openssl genrsa -aes256 -out ca-key.pem 4096
Enter pass phrase, this is a required parameter.
Now generate the public CA key:
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Here we need to enter the FQDN of the Master server
Create a private key for the server:
openssl genrsa -out server-key.pem 4096
We create a request for signing an SSL certificate:
openssl req -subj "/CN=SERVER_MASTER_FQDN" -sha256 -new -key server-key.pem -out server.csr
Where SERVER_MASTER_FQDN is the FQDN of the Master server
For access not only through the domain name, IP addresses can be listed as follows:
echo subjectAltName = DNS:SERVER_MASTER_FQDN,IP:1.1.1.1,IP:127.0.0.1 >> extfile.cnf
Create a signed key for the server:
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Create a client key to access the docker:
openssl genrsa -out key.pem 4096
We will create a request for signature and additionally indicate the type of key use – for authorization:
openssl req -subj '/CN=client' -new -key key.pem -out client.csr echo extendedKeyUsage = clientAuth >> extfile.cnf
Get the signed client key:
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Delete request files:
rm -v client.csr server.csr
We set the necessary rights to files:
chmod -v 0400 ca-key.pem key.pem server-key.pem chmod -v 0444 ca.pem server-cert.pem cert.pem
Verify startup with TLS. If the docker service is running, then it should be stopped:
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \ -H=0.0.0.0:2376
If everything is successful, then you can specify the TLS options in the docker configuration file, as shown here.
Setting workers
Create a directory for certificates:
mkdir /etc/docker/certs
Copy files from the Master server to this directory:
ca.pem cert.pem key.pem
Also, change the docker daemon, following the example of the server, just note that cert and key are different for client and server. "server-cert.pem" and "cert.pem", "server-key.pem" and "key.pem"
After restarting the docker daemon, you can run it on the worker:
docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=1.1.1.1:2376 version
If everything is correct, the version of the worker docker and the version of the server docker will be displayed.
That’s it, now we have Docker Swarm, which interacts with each other using TLS. Correctly, for each node in the swarm, you need to write out your keys and certificates.