![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2018\/10\/Docker-Logo.png\"){kind=logo}
<\/p>\n<\/p>\n
In this example, there are 3 servers with Docker<\/strong> installed on it. If docker is not installed, you can see the installation here.<\/a><\/p>\n There will be one manager and two workers:<\/p>\n Master<\/strong> — manager (IP: 1.1.1.1) Required ports for Docker Swarm<\/strong> to work: 2376<\/strong> and 2377<\/strong> (TCP<\/strong>). Make sure that the swarm participants are allowed to interact.<\/p>\n On the Master<\/strong> server, do the following:<\/p>\n We get a message like:<\/p>\n Swarm is created and there is one manager in it. Information on the swarm can be viewed with the command:<\/p>\n <\/p>\n Add workers to the swarm, for this we will execute the command that we received earlier when creating the swarm on the Master<\/strong> server on the Slave_1<\/strong> and Slave_2<\/strong> servers:<\/p>\n If everything is ok, it will display the following message:<\/p>\n On the swarm manager (Master<\/strong> server), you can see a list of all the nodes in the swarm:<\/p>\n That’s it, Docker Swarm<\/strong> is up, now it remains to add the certificates.<\/p>\n We return to the Master<\/strong> server.<\/p>\n Create a folder for storing certificates and generate a private CA<\/strong> key:<\/p>\n Enter pass phrase<\/strong>, this is a required parameter.<\/p>\n Now generate the public CA<\/strong> key:<\/p>\n Here we need to enter the FQDN<\/strong> of the Master<\/strong> server<\/p>\n Create a private key for the server:<\/p>\n We create a request for signing an SSL<\/strong> certificate:<\/p>\n Where SERVER_MASTER_FQDN<\/strong> is the FQDN<\/strong> of the Master<\/strong> server<\/p>\n For access not only through the domain name, IP<\/strong> addresses can be listed as follows:<\/p>\n Create a signed key for the server:<\/p>\n Create a client key to access the docker:<\/p>\n We will create a request for signature and additionally indicate the type of key use — for authorization:<\/p>\n Get the signed client key:<\/p>\n Delete request files:<\/p>\n We set the necessary rights to files:<\/p>\n Verify startup with TLS<\/strong>. If the docker service is running, then it should be stopped:<\/p>\n If everything is successful, then you can specify the TLS<\/strong> options in the docker configuration file, as shown here.<\/a><\/p>\n Create a directory for certificates:<\/p>\n Copy files from the Master<\/strong> server to this directory:<\/p>\n Also, change the docker daemon, following the example of the server, just note that cert<\/strong> and key<\/strong> are different for client and server. "server-cert.pem<\/strong>" and "cert.pem<\/strong>", "server-key.pem<\/strong>" and "key.pem<\/strong>"<\/p>\n After restarting the docker daemon, you can run it on the worker:<\/p>\n If everything is correct, the version of the worker docker and the version of the server docker will be displayed.<\/p>\n That’s it, now we have Docker Swarm<\/strong>, which interacts with each other using TLS<\/strong>. Correctly, for each node in the swarm, you need to write out your keys and certificates.<\/p>\n","protected":false},"excerpt":{"rendered":" In this example, there are 3 servers with Docker installed on it. If docker is not installed, you can see the installation here. There will be one manager and two workers: Master — manager (IP: 1.1.1.1) Slave_1 — worker (IP: 1.1.2.1) Slave_2 — worker (IP: 1.1.2.2) Required ports for Docker Swarm to work: 2376 and … \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c "Docker Swarm over TLS"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[399,975],"tags":[855,771,1331,1333,375],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1672"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1672"}],"version-history":[{"count":2,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1672\/revisions"}],"predecessor-version":[{"id":1674,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/1672\/revisions\/1674"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1672"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1672"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1672"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nSlave_1<\/strong> — worker (IP: 1.1.2.1)
\nSlave_2<\/strong> — worker (IP: 1.1.2.2)<\/p>\nCreating Docker Swarm<\/h3>\n
\r\ndocker swarm init --advertise-addr 1.1.1.1\r\n<\/pre>\n
Swarm initialized: current node (ssmj2qyqxejd72p6sa9jinnza) is now a manager.\r\n\r\nTo add a worker to this swarm, run the following command:\r\n\r\ndocker swarm join \\\r\n--token SWMTKN-1-3qg9vovt2mxyfu1dfj2nocmkzd3i351z1z0aapd9jxxu7mafff-93r77xv8mrqsgfkf9nei902zk \\\r\n1.1.1.1:2377\r\n\r\nTo add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.<\/pre>\n
\r\ndocker info\r\n<\/pre>\n
\r\ndocker swarm join \\\r\n--token SWMTKN-1-3qg9vovt2mxyfu1dfj2nocmkzd3i351z1z0aapd9jxxu7mafff-93r77xv8mrqsgfkf9nei902zk \\\r\n1.1.1.1:2377\r\n<\/pre>\n
This node joined a swarm as a worker.<\/pre>\n
\r\ndocker node ls\r\n<\/pre>\n
Certificate generation<\/h3>\n
\r\nopenssl genrsa -aes256 -out ca-key.pem 4096\r\n<\/pre>\n
\r\nopenssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem\r\n<\/pre>\n
\r\nopenssl genrsa -out server-key.pem 4096\r\n<\/pre>\n
\r\nopenssl req -subj "\/CN=SERVER_MASTER_FQDN" -sha256 -new -key server-key.pem -out server.csr\r\n<\/pre>\n
\r\necho subjectAltName = DNS:SERVER_MASTER_FQDN,IP:1.1.1.1,IP:127.0.0.1 >> extfile.cnf\r\n<\/pre>\n
\r\nopenssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \\\r\n-CAcreateserial -out server-cert.pem -extfile extfile.cnf\r\n<\/pre>\n
\r\nopenssl genrsa -out key.pem 4096\r\n<\/pre>\n
\r\nopenssl req -subj '\/CN=client' -new -key key.pem -out client.csr\r\necho extendedKeyUsage = clientAuth >> extfile.cnf\r\n<\/pre>\n
\r\nopenssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf\r\n<\/pre>\n
\r\nrm -v client.csr server.csr\r\n<\/pre>\n
\r\nchmod -v 0400 ca-key.pem key.pem server-key.pem\r\nchmod -v 0444 ca.pem server-cert.pem cert.pem\r\n<\/pre>\n
\r\ndockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \\\r\n-H=0.0.0.0:2376\r\n<\/pre>\n
Setting workers<\/h3>\n
\r\nmkdir \/etc\/docker\/certs\r\n<\/pre>\n
ca.pem\r\ncert.pem\r\nkey.pem<\/pre>\n
\r\ndocker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=1.1.1.1:2376 version\r\n<\/pre>\n