Docker Swarm over TLS

In this example, there are 3 servers with Docker installed on it. If docker is not installed, you can see the installation here.

There will be one manager and two workers:

Master - manager (IP: 1.1.1.1)
Slave_1 - worker (IP: 1.1.2.1)
Slave_2 - worker (IP: 1.1.2.2)

Required ports for Docker Swarm to work: 2376 and 2377 (TCP). Make sure that the swarm participants are allowed to interact.

Creating Docker Swarm

On the Master server, do the following:

docker swarm init --advertise-addr 1.1.1.1

We get a message like:

Swarm initialized: current node (ssmj2qyqxejd72p6sa9jinnza) is now a manager.

To add a worker to this swarm, run the following command:

docker swarm join \
--token SWMTKN-1-3qg9vovt2mxyfu1dfj2nocmkzd3i351z1z0aapd9jxxu7mafff-93r77xv8mrqsgfkf9nei902zk \
1.1.1.1:2377

To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.

Swarm is created and there is one manager in it. Information on the swarm can be viewed with the command:

docker info

Add workers to the swarm, for this we will execute the command that we received earlier when creating the swarm on the Master server on the Slave_1 and Slave_2 servers:

docker swarm join \
--token SWMTKN-1-3qg9vovt2mxyfu1dfj2nocmkzd3i351z1z0aapd9jxxu7mafff-93r77xv8mrqsgfkf9nei902zk \
1.1.1.1:2377

If everything is ok, it will display the following message:

This node joined a swarm as a worker.

On the swarm manager (Master server), you can see a list of all the nodes in the swarm:

docker node ls

That's it, Docker Swarm is up, now it remains to add the certificates.

Certificate generation

We return to the Master server.

Create a folder for storing certificates and generate a private CA key:

openssl genrsa -aes256 -out ca-key.pem 4096

Enter pass phrase, this is a required parameter.

Now generate the public CA key:

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Here we need to enter the FQDN of the Master server

Create a private key for the server:

openssl genrsa -out server-key.pem 4096

We create a request for signing an SSL certificate:

openssl req -subj "/CN=SERVER_MASTER_FQDN" -sha256 -new -key server-key.pem -out server.csr

Where SERVER_MASTER_FQDN is the FQDN of the Master server

For access not only through the domain name, IP addresses can be listed as follows:

echo subjectAltName = DNS:SERVER_MASTER_FQDN,IP:1.1.1.1,IP:127.0.0.1 >> extfile.cnf

Create a signed key for the server:

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf

Create a client key to access the docker:

openssl genrsa -out key.pem 4096

We will create a request for signature and additionally indicate the type of key use - for authorization:

openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth >> extfile.cnf

Get the signed client key:

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf

Delete request files:

rm -v client.csr server.csr

We set the necessary rights to files:

chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

Verify startup with TLS. If the docker service is running, then it should be stopped:

dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
-H=0.0.0.0:2376

If everything is successful, then you can specify the TLS options in the docker configuration file, as shown here.

Setting workers

Create a directory for certificates:

mkdir /etc/docker/certs

Copy files from the Master server to this directory:

ca.pem
cert.pem
key.pem

Also, change the docker daemon, following the example of the server, just note that cert and key are different for client and server. "server-cert.pem" and "cert.pem", "server-key.pem" and "key.pem"

After restarting the docker daemon, you can run it on the worker:

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=1.1.1.1:2376 version

If everything is correct, the version of the worker docker and the version of the server docker will be displayed.

That's it, now we have Docker Swarm, which interacts with each other using TLS. Correctly, for each node in the swarm, you need to write out your keys and certificates.

Tagged: Tags