diff --git a/www/htdocs/index.html b/www/htdocs/index.html index 976650a3..15219e6e 100644 --- a/www/htdocs/index.html +++ b/www/htdocs/index.html @@ -332,8 +332,8 @@ You are welcome to use the method that you feel the most comfortable with. ## Brand new versions! -- Engine 1.12-rc2 -- Compose 1.8-rc1 +- Engine 1.12 +- Compose 1.8 .exercise[ @@ -452,7 +452,6 @@ class: pic - Clone the repository on `node1`: ```bash git clone git://github.com/jpetazzo/orchestration-workshop - git checkout dockercon ``` ] @@ -868,7 +867,7 @@ You can refer to the [NOMENCLATURE](https://github.com/docker/swarmkit/blob/mast - Try a Swarm-specific command: ``` $ docker node ls - Error response from daemon: this node is not participating as a Swarm manager + Error response from daemon: This node is not a swarm manager. [...] ``` ] @@ -883,7 +882,7 @@ You can refer to the [NOMENCLATURE](https://github.com/docker/swarmkit/blob/mast - .warning[DO NOT execute `docker swarm init` on multiple nodes!] - You would have multiple disjoint cluster. + You would have multiple disjoint clusters. .exercise[ @@ -896,6 +895,29 @@ You can refer to the [NOMENCLATURE](https://github.com/docker/swarmkit/blob/mast --- +## Token generation + +- In the output of `docker swarm init`, we have a message + confirming that our node is now the (single) manager: + + ``` + Swarm initialized: current node (8jud...) is now a manager. + ``` + +- Docker also generated two security tokens (like passphrases or + passwords) for our cluster, and shows us the commands to use + on other nodes to add them to the cluster using those security + tokens: + + ``` + To add a worker to this swarm, run the following command: + docker swarm join \ + --token SWMTKN-1-59fl4ak4nqjmao1ofttrc4eprhrola2l87... \ + 172.31.4.182:2377 + ``` + +--- + ## Checking that Swarm mode is enabled .exercise[ @@ -911,11 +933,10 @@ The output should include: ``` Swarm: active - NodeID: d1kf12wtm4gabh9fjzbukbu50 - IsManager: Yes - Managers: 1 - Nodes: 1 - CACertHash: sha256:330cf7e8e50a0af5d0990c1e078c709... + NodeID: 8jud7o8dax3zxbags3f8yox4b + Is Manager: true + ClusterID: 2vcw2oa9rjps3a24m91xhvv0c + ... ``` --- @@ -935,8 +956,8 @@ Swarm: active The output should look like the following: ``` -ID NAME MEMBERSHIP STATUS AVAILABILITY MANAGER STATUS -d1kf...12wt * ip-172-31-25-65 Accepted Ready Active Leader +ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS +8jud...ox4b * ip-172-31-4-182 Ready Active Leader ``` --- @@ -947,20 +968,85 @@ d1kf...12wt * ip-172-31-25-65 Accepted Ready Active Leader - Let's add `node2`! +- We need the token that was shown earlier + +-- + +- You wrote it down, right? + +-- + +- Don't panic, we can easily see it again 😏 + +--- + +## Adding nodes to the Swarm + .exercise[ -- Log into `node2` and join the cluster: +- Show the token again: ```bash - ssh node2 docker swarm join node1:2377 + docker swarm join-token worker ``` -- Check that the node is here indeed: +- Log into `node2`: + ```bash + ssh node2 + ``` + +- Copy paste the `docker swarm join ...` command +
(that was displayed just before) + +] + +--- + +## Check that the node was added correctly + +- Stay logged into `node2`! + +.exercise[ + +- We can still use `docker info` to verify that the node is part of the Swarm: + ```bash + $ docker info | grep ^Swarm + ``` + +] + +- However, Swarm commands will not work; try, for instance: + ``` + docker node ls + ``` + +- This is because the node that we added is currently a *worker* + +- Only *managers* can accept Swarm-specific commands + +--- + +## View our two-node cluster + +- Let's go back to `node1` and see what our cluster looks like + +.exercise[ + +- Logout from `node2` (with `exit` or `Ctrl-D` or ...) + +- View the cluster from `node1`, which is a manager: ```bash docker node ls ``` ] +The output should be similar to the following: +``` +ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS +8jud...ox4b * ip-172-31-4-182 Ready Active Leader +ehb0...4fvx ip-172-31-4-180 Ready Active +``` + --- ## Adding nodes using the Docker API @@ -974,7 +1060,8 @@ d1kf...12wt * ip-172-31-25-65 Accepted Ready Active Leader - Set `DOCKER_HOST` and add `node3` to the Swarm: ```bash - DOCKER_HOST=tcp://node3:55555 docker swarm join node1:2377 + DOCKER_HOST=tcp://node3:55555 docker swarm join \ + --token $(docker swarm join-token -q worker) node1:2377 ``` - Check that the node is here: @@ -986,136 +1073,6 @@ d1kf...12wt * ip-172-31-25-65 Accepted Ready Active Leader --- -## Controlling who can join the cluster - -- By default, any node can join the cluster - -- Let's change that and require a password for new nodes - -.exercise[ - -- Update the cluster configuration: - ```bash - docker swarm update --secret I_love_ponies - ``` - -] - ---- - -## Checking the cluster configuration - -- We can see the cluster parameters with `docker swarm inspect` - -.exercise[ - -- Check that the secret is now in place: - ```bash - docker swarm inspect - ``` - -] - -A hashed `"Secret"` field should show up twice in the `"Policies"` section. - ---- - -## Joining a password-protected cluster - -- Let's try to add a node to this cluster - - (Without providing a password) - -.exercise[ - -- Try to add node4 to the cluster: - ```bash - ssh node4 docker swarm join node1:2377 - ``` - -] - -The node will be denied right away. - ---- - -## Specifying the password when joining - -- The `docker swarm join` command also takes the `--secret` flag - -.exercise[ - -- Try again, with the right secret: - ```bash - ssh node4 docker swarm join node1:2377 --secret I_love_ponies - ``` - -- Check that the node is now in the cluster: - ```bash - docker node ls - ``` - -] - ---- - -## Enabling manual vetting of nodes - -- You can also decide to approve each node before they can join the Swarm - -- This can be enabled independently of secrets - -.exercise[ - -- Disable auto-accept mode, and remove the secret password: - ```bash - docker swarm update --auto-accept none --secret "" - ``` - -] - -Note: to disable the password, we specified an empty string. - ---- - -## Manually accepting nodes into the cluster - -.exercise[ - -- Try to get `node5` to join: - ```bash - ssh node5 docker swarm join node1:2377 - ``` - -] - -You will see a message telling that the node is *pending*. - ---- - -## Seeing pending nodes and accepting them in the cluster - -- We will use the `docker node` command - -.exercise[ - -- See nodes (including `node5` which is currently pending): - ```bash - docker node ls - ``` - -- Accept `node5` in the cluster: - ``` - docker node accept XXX - ``` - -] - -Note: you don't have to type the node ID in full; the first characters -are enough. - ---- - ## Under the hood When we do `docker swarm init`, a TLS root CA is created. Then a keypair is issued for the first node, and signed by the root CA. @@ -1126,11 +1083,9 @@ All communication is encrypted over TLS. The node keys and certificates are automatically renewed on regular intervals (by default, 90 days; this is tunable with `docker swarm update`). -As we could see, nodes can join automatically or be approved manually; in both cases, this can be done with or without a pre-shared secret; and this policy can be changed during the lifecycle of the cluster without restarting or breaking anything. - --- -## Promoting nodes to be managers +## Promoting a node to be manager - Right now, we have only one manager (node1) @@ -1145,7 +1100,7 @@ As we could see, nodes can join automatically or be approved manually; in both c docker node ls ``` -- Promote a couple of nodes to be managers: +- Promote a node to be manager: ``` docker node promote XXX YYY ```