Docker Machine won't scale well for massive Docker Engine deployments, but it turns out to be very useful for automatically securing a small number of nodes. In the following section, we'll use Docker Machine to secure our Swarm manager using the generic driver, a driver that allows us to control existing hosts.
In our case, we have already set up a Docker Swarm manager on mg0. Furthermore, we want to secure Docker Engine by enabling TLS for its remote endpoint.
How can Docker Machine do the work for us? First, Docker Machine connects to the host via SSH; detects the operating system of mg0, in our case, Ubuntu; and the provisioner, in our case, systemd.
After that, it installs the Docker Engine; however, in case one is already in place, like here, it will skip this step.
Then, as the most important part, it generates a Root CA certificate, as well as all certificates, and stores them on the host. It also automatically configures Docker to use those certificates. Finally, it restarts Docker.
If everything goes well, Docker Engine will be started again with TLS enabled.
We then used Docker Machine to generate a Root CA for the Engine on mg0, mg1 and mg2 and to configure a TLS connection. From then on, we used the Docker client to further control Swarm over that TLS endpoint, without needing SSH, which is slower.
```
$ docker-machine create --driver generic --generic-ip-address=$(belt ip mg0) mg0
Running pre-create checks...
Creating machine...
(mg0) No SSH key specified. Assuming an existing key at the default location.
Waiting for machine to be running, this may take a few minutes...
Detecting operating system of created instance...
Waiting for SSH to be available...
Detecting the provisioner...
Provisioning with ubuntu(systemd)...
Installing Docker...
Copying certs to the local machine directory...
Copying certs to the remote machine...
Setting Docker configuration on the remote daemon...
Checking connection to Docker...
```

Then we can test our working swarm with `docker info`. We grep only 15 lines for brevity.

```
$ docker $(docker-machine config mg0) info | grep -A 15 Swarm
Swarm: active
 NodeID: 24j7sytbomhshtayt74lf7njo
 Is Manager: true
 ClusterID: 8rshkwfq4hsil2tdb3idpqdeg
 Managers: 3
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
```
Also, `docker node ls` will work normally with this setup. We have now verified that the three managers formed the initial swarm and were able to accept a bunch of workers:

```
$ docker $(docker-machine config mg0) node ls
ID                           HOSTNAME  STATUS  AVAILABILITY  MANAGER STATUS
24j7sytbomhshtayt74lf7njo *  mg0       Ready   Active        Leader
2a4jcvp32aoa6olaxlelthkws    mg1       Ready   Active        Reachable
94po1ln0j0g5fgjnjfvm1w02r    mg2       Ready   Active        Reachable
```
How secure is this cluster?
We use the Docker client to connect to a Docker Engine with TLS enabled; in addition, there is another TLS connection among the swarm's nodes, with a CA that expires in three months and is rotated automatically. Advanced security setup will be discussed in Chapter 9, Securing a Swarm Cluster and the Docker Software Supply Chain.