mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
ebebd41769
this change improves the instructions for swarm join-token and swarm init; - only print the join-token command for workers instead of for both managers and workers, to prevent users from copying the wrong command. An extra line is added to explain how to obtain the manager token. - print a message that a token was rotated sucesfully if '--rotate' is used. - add some extra white-space before / after the join commands, to make copy/pasting easier. this change also does some refactoring of join-token; - move flagname-constants together with other constants - use variables for selected role ("worker" / "manager") to prevent checking for them multiple times, and to keep the "worker" / "manager" sting centralized - add an extra blank line after "join-token" instructions this makes it easier to copy, and cleans up the code a tiny bit Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
100 lines
3.1 KiB
Markdown
100 lines
3.1 KiB
Markdown
<!--[metadata]>
|
|
+++
|
|
title = "swarm join-token"
|
|
description = "The swarm join-token command description and usage"
|
|
keywords = ["swarm, join-token"]
|
|
[menu.main]
|
|
parent = "smn_cli"
|
|
+++
|
|
<![end-metadata]-->
|
|
|
|
# swarm join-token
|
|
|
|
```markdown
|
|
Usage: docker swarm join-token [--rotate] (worker|manager)
|
|
|
|
Manage join tokens
|
|
|
|
Options:
|
|
--help Print usage
|
|
-q, --quiet Only display token
|
|
--rotate Rotate join token
|
|
```
|
|
|
|
Join tokens are secrets that allow a node to join the swarm. There are two
|
|
different join tokens available, one for the worker role and one for the manager
|
|
role. You pass the token using the `--token` flag when you run
|
|
[swarm join](swarm_join.md). Nodes use the join token only when they join the
|
|
swarm.
|
|
|
|
You can view or rotate the join tokens using `swarm join-token`.
|
|
|
|
As a convenience, you can pass `worker` or `manager` as an argument to
|
|
`join-token` to print the full `docker swarm join` command to join a new node to
|
|
the swarm:
|
|
|
|
```bash
|
|
$ docker swarm join-token worker
|
|
To add a worker to this swarm, run the following command:
|
|
|
|
docker swarm join \
|
|
--token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx \
|
|
172.17.0.2:2377
|
|
|
|
$ docker swarm join-token manager
|
|
To add a manager to this swarm, run the following command:
|
|
|
|
docker swarm join \
|
|
--token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 \
|
|
172.17.0.2:2377
|
|
```
|
|
|
|
Use the `--rotate` flag to generate a new join token for the specified role:
|
|
|
|
```bash
|
|
$ docker swarm join-token --rotate worker
|
|
Succesfully rotated worker join token.
|
|
|
|
To add a worker to this swarm, run the following command:
|
|
|
|
docker swarm join \
|
|
--token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-b30ljddcqhef9b9v4rs7mel7t \
|
|
172.17.0.2:2377
|
|
```
|
|
|
|
After using `--rotate`, only the new token will be valid for joining with the specified role.
|
|
|
|
The `-q` (or `--quiet`) flag only prints the token:
|
|
|
|
```bash
|
|
$ docker swarm join-token -q worker
|
|
|
|
SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-b30ljddcqhef9b9v4rs7mel7t
|
|
```
|
|
|
|
### `--rotate`
|
|
|
|
Because tokens allow new nodes to join the swarm, you should keep them secret.
|
|
Be particularly careful with manager tokens since they allow new manager nodes
|
|
to join the swarm. A rogue manager has the potential to disrupt the operation of
|
|
your swarm.
|
|
|
|
Rotate your swarm's join token if a token gets checked-in to version control,
|
|
stolen, or a node is compromised. You may also want to periodically rotate the
|
|
token to ensure any unknown token leaks do not allow a rogue node to join
|
|
the swarm.
|
|
|
|
To rotate the join token and print the newly generated token, run
|
|
`docker swarm join-token --rotate` and pass the role: `manager` or `worker`.
|
|
|
|
Rotating a join-token means that no new nodes will be able to join the swarm
|
|
using the old token. Rotation does not affect existing nodes in the swarm
|
|
because the join token is only used for authorizing new nodes joining the swarm.
|
|
|
|
### `--quiet`
|
|
|
|
Only print the token. Do not print a complete command for joining.
|
|
|
|
## Related information
|
|
|
|
* [swarm join](swarm_join.md)
|