1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Commit graph

14 commits

Author SHA1 Message Date
Antonio Murdaca
8f7a8c75ae
vendor docker/engine-api@f9cef59044
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-08-31 22:39:13 +02:00
Sebastiaan van Stijn
ebebd41769
Improve swarm join-token instructions
this change improves the instructions for
swarm join-token and swarm init;

- only print the join-token command for workers
  instead of for both managers and workers, to
  prevent users from copying the wrong command.
  An extra line is added to explain how to obtain
  the manager token.
- print a message that a token was rotated
  sucesfully if '--rotate' is used.
- add some extra white-space before / after
  the join commands, to make copy/pasting
  easier.

this change also does some refactoring of join-token;

- move flagname-constants together with other constants
- use variables for selected role ("worker" / "manager")
  to prevent checking for them multiple times, and to
  keep the "worker" / "manager" sting centralized
- add an extra blank line after "join-token" instructions
  this makes it easier to copy, and cleans up the
  code a tiny bit

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-08-02 16:44:02 +02:00
Aaron Lehmann
a0ccd0d42f Split advertised address from listen address
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.

Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.

If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).

The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.

Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).

This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.

Make corresponding API and CLI docs changes.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-07-24 09:23:07 -07:00
Andrea Luzzardi
d97c0a1f25 CLI: Change default Swarm task history retention limit.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2016-07-22 18:09:54 -07:00
Aaron Lehmann
2cc5bd33ee Replace secrets with join tokens
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121

Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.

Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-07-21 15:23:03 -07:00
johnharris85
8e14882773 Add support for comma-separated --auto-accept syntax.
Signed-off-by: John Harris <john@johnharris.io>
2016-07-11 15:47:04 -07:00
Aaron Lehmann
7342e42fce Generate a swarm joining secret if none is specified
The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.

This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.

`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.

Closes #23785

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-07-06 13:04:50 -07:00
Tonis Tiigi
11085b2260 Add support for external CAs
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-06-30 17:22:47 -07:00
Tonis Tiigi
fb3eb1c27e Unify swarm init and update options
Add api side validation and defaults for init and
join requests.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-06-21 16:34:32 -07:00
Daniel Nephin
c544649874 Add tests for AutoAcceptOption
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-06-17 19:43:38 -07:00
Daniel Nephin
595e79b805 Support a listen addr without a port, and add tests.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-06-17 19:43:38 -07:00
Justin Cormack
2322ccb8ff fix invalid typo in error message
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2016-06-17 15:27:54 +01:00
Victor Vieux
085895342c fix docker swarm init/update --secret
Signed-off-by: Victor Vieux <vieux@docker.com>
2016-06-15 17:05:10 -07:00
Daniel Nephin
12a00e6017 Add Swarm management CLI commands
As described in our ROADMAP.md, introduce new Swarm management commands
to call to the corresponding API endpoints.

This PR is fully backward compatible (joining a Swarm is an optional
feature of the Engine, and existing commands are not impacted).

Signed-off-by: Daniel Nephin <dnephin@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-06-13 22:17:15 -07:00