diff --git a/docs/index.html b/docs/index.html
index d48bd6e1..1ee12857 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -1213,11 +1213,11 @@ You should see your 5 nodes.
## Using Docker Machine to communicate with a node
-- To select a node, use `eval $(docker-machine nodeX)`
+- To select a node, use `eval $(docker-machine env nodeX)`
- This sets a number of environment variables
-- To unset these variables, use `eval $(docker-machine -u)`
+- To unset these variables, use `eval $(docker-machine env -u)`
.exercise[
@@ -1268,6 +1268,10 @@ You should see your 5 nodes.
]
+Note: it can be useful to use a [custom shell prompt](
+https://github.com/jpetazzo/orchestration-workshop/blob/master/prepare-vms/scripts/postprep.rc#L68)
+reflecting the `DOCKER_HOST` variable.
+
---
## Checking that our node is here
@@ -1290,16 +1294,88 @@ You should see your 5 nodes.
---
-## Under the hood
+## Under the hood: docker swarm init
-When we do `docker swarm init`, a TLS root CA is created. Then a keypair is issued for the first node, and signed by the root CA.
+When we do `docker swarm init`:
-When further nodes join the Swarm, they are issued their own keypair, signed by the root CA, and they also receive the root CA public key and certificate.
+- a keypair is created for the root CA of our Swarm
-All communication is encrypted over TLS.
+- a keypair is created for the first node
-The node keys and certificates are automatically renewed on regular intervals
-
(by default, 90 days; this is tunable with `docker swarm update`).
+- a certificate is issued for this node
+
+- the join tokens are created
+
+---
+
+## Under the hood: join tokens
+
+There is one token to *join as a worker*, and another to *join as a manager*.
+
+The join tokens have two parts:
+
+- a secret key (preventing unauthorized nodes from joining)
+
+- a fingerprint of the root CA certificate (preventing MITM attacks)
+
+If a token is compromised, it can be rotated instantly with:
+```
+docker swarm join-token --rotate
+```
+
+---
+
+## Under the hood: docker swarm join
+
+When a node joins the Swarm:
+
+- it is issued its own keypair, signed by the root CA
+
+- if the node is a manager:
+
+ - it joins the Raft consensus
+ - it connects to the current leader
+ - it accepts connections from worker nodes
+
+- if the node is a worker:
+
+ - it connects to one of the managers (leader or follower)
+
+---
+
+## Under the hood: cluster communication
+
+- The *control plane* is encrypted over TLS
+
+- Keys and certificates are automatically renewed on regular intervals
+
+ (90 days by default; tunable with `docker swarm update`)
+
+- The *data plane* (communication between containers) is not encrypted by default
+
+ (but this can be activated on a by-network basis, using IPSEC,
+ leveraging hardware crypto if available)
+
+---
+
+## Under the hood: I want to know more!
+
+Revisit SwarmKit concepts:
+
+- Docker 1.12 Swarm Mode Deep Dive Part 1: Topology
+ ([video](https://www.youtube.com/watch?v=dooPhkXT9yI))
+
+- Docker 1.12 Swarm Mode Deep Dive Part 2: Orchestration
+ ([video](https://www.youtube.com/watch?v=_F6PSP-qhdA))
+
+Some presentations from the Docker Distributed Systems Summit in Berlin:
+
+- Heart of the SwarmKit: Topology Management
+ ([slides](https://speakerdeck.com/aluzzardi/heart-of-the-swarmkit-topology-management))
+
+- Heart of the SwarmKit: Store, Topology & Object Model
+ ([slides](http://www.slideshare.net/Docker/heart-of-the-swarmkit-store-topology-object-model))
+ ([video](https://www.youtube.com/watch?v=EmePhjGnCXY))
---
@@ -1403,10 +1479,13 @@ As we saw earlier, you can only control the Swarm through a manager node.
.exercise[
-- Log into the node:
+- Log into the node *or* use Docker Machine to talk to it:
```bash
ssh nodeX
```
+ ```bash
+ eval $(docker-machine env nodeX)
+ ```
]
@@ -1414,8 +1493,6 @@ As we saw earlier, you can only control the Swarm through a manager node.
## Viewing the logs of the container
-- We need to be logged into the node running the container
-
.exercise[
- See that the container is running and check its ID:
@@ -1428,9 +1505,12 @@ As we saw earlier, you can only control the Swarm through a manager node.
docker logs
```
-]
+- Go back to `node1` afterwards by logging out of SSH, or by running:
+ ```bash
+ eval $(docker-machine env -u)
+ ```
-Go back to `node1` afterwards.
+]
---
@@ -1483,7 +1563,7 @@ Go back to `node1` afterwards.
- Create an ElasticSearch service (and give it a name while we're at it):
```bash
docker service create --name search --publish 9200:9200 --replicas 7 \
- elasticsearch
+ elasticsearch:2
```
- Check what's going on:
@@ -1850,20 +1930,19 @@ Can you see how?
## Caveats
-.warning[It is currently not possible to join an overlay network with `docker run --net ...`;
-this might or might not change in the future. We will see how to cope
-with this limitation.]
+.warning[In Docker 1.12, you cannot join an overlay network with `docker run --net ...`.]
+
+Starting with version 1.13, you can, if the network was created with the `--attachable` flag.
*Why is that?*
Placing a container on a network requires allocating an IP address for this container.
-The allocation must be done by a manager node (worker nodes cannot update Raft's data structures).
+The allocation must be done by a manager node (worker nodes cannot update Raft data).
-As a result, `docker run --net ...` would only work on manager nodes.
+As a result, `docker run --net ...` requires collaboration with manager nodes.
-Moreover, it would significantly alter the code path for `docker run`, even in classic mode.
-
(That could be a bad thing if it's not done very carefully!)
+It alters the code path for `docker run`, so it is allowed only under strict circumstances.
---
@@ -2075,9 +2154,13 @@ class: title
- We want to run tools like `ab` or `httping` on the internal network
-- .warning[This will be very hackish]
+--
- (Better techniques and tools might become available in the future!)
+- Ah, if only we had created our overlay network with the `--attachable` flag ...
+
+--
+
+- Oh well, let's use this as an excuse to introduce New Ways To Do Things
---
@@ -2405,6 +2488,23 @@ WHY?!?
---
+## Global scheduling → global debugging
+
+- Traditional approach:
+
+ - log into a node
+ - install our Swiss Army Knife (if necessary)
+ - troubleshoot things
+
+- Proposed alternative:
+
+ - put our Swiss Army Knife in a container (e.g. [nicolaka/netshoot](https://hub.docker.com/r/nicolaka/netshoot/))
+ - run tests from multiple locations at the same time
+
+(This becomes practical with the `docker service log` command, available by enabling experimental features.)
+
+---
+
# Rolling updates
- We want to release a new version of the worker
@@ -2484,7 +2584,7 @@ Note how the build and push were fast (because caching).
- Look at our service status:
```bash
- watch -n1 "docker service ps worker | grep -v Shutdown.*Shutdown"
+ watch -n1 "docker service ps worker -a | grep -v Shutdown.*Shutdown"
```
]
@@ -2528,11 +2628,28 @@ By default, SwarmKit does a rolling upgrade, one instance at a time.
docker service update worker --update-parallelism 2 --update-delay 5s
```
+]
+
+The current upgrade will continue at a faster pace.
+
+---
+
+## Rolling back
+
+- At any time (e.g. before the upgrade is complete), we can rollback
+
+.exercise[
+
- Rollback to the previous image:
```bash
docker service update worker --image $DOCKER_REGISTRY/dockercoins_worker:v0.1
```
+- With Docker 1.13, we can also revert to the previous service specification:
+ ```bash
+ docker service update worker --rollback
+ ```
+
]
---
@@ -2556,6 +2673,20 @@ By default, SwarmKit does a rolling upgrade, one instance at a time.
---
+## Getting task information for a given node
+
+- You can see all the tasks assigned to a node with `docker node ps`
+
+- It shows the *desired state* and *current state* of each task
+
+- `docker node ps` shows info about the current node
+
+- `docker node ps ` shows info for another node
+
+- `docker node ps -a` includes stopped and failed tasks
+
+---
+
## Getting cluster-wide task information
- The Docker API doesn't expose this directly (yet)
@@ -2606,11 +2737,13 @@ Shameless promo: for more Go and Docker love, check
- Set an alias so that swarmctl can run as root and use the right control socket:
```bash
alias \
- swarmctl='sudo swarmctl --socket /var/lib/docker/swarm/control.sock'
+ swarmctl='sudo swarmctl --socket /var/run/docker/swarm/control.sock'
```
]
+(Note: with Docker 1.12, that control socket is in `/var/lib/docker/swarm/control.sock`)
+
---
## `swarmctl` in action
@@ -3119,7 +3252,7 @@ curl -sSL $RELEASEURL/snap-plugins-$SNAPVER-linux-amd64.tar.gz |
tar -C /opt -zxf-
ln -s snap-$SNAPVER /opt/snap
for BIN in snapd snapctl; do ln -s /opt/snap/bin/$BIN /usr/local/bin/$BIN; done
-' If you copy-paste that block, don't forget that final quote :-)
+' If you copy-paste that block, do not forget that final quote ☺
```
]
diff --git a/prepare-vms/settings/rc.yaml b/prepare-vms/settings/rc.yaml
index ca422227..e77d635c 100644
--- a/prepare-vms/settings/rc.yaml
+++ b/prepare-vms/settings/rc.yaml
@@ -30,6 +30,6 @@ footer: >
url: http://container.training/
engine_version: test.docker.com
-compose_version: 1.8.1
-machine_version: 0.8.2
+compose_version: 1.9.0
+machine_version: 0.9.0-rc1
swarm_version: latest