21 Days of Docker-Day 15 -Introduction to Docker Swarm- Part 2

On Day 14, I gave you the basic introduction to Docker Swarm, let explore swarm more in-depth

Adding Network and Publishing Ports to Swarm Tasks

  • Publishing port for Swarm tasks is similar to what we did for docker
$ docker service create --name mypublishportservice --replicas 2 -p 8080:80 nginx
khwcntzjltfmxu8rwxy208wb2
overall progress: 2 out of 2 tasks 
1/2: running   [==================================================>] 
2/2: running   [==================================================>] 
verify: Service converged 
  • Verify it
$ docker service ls
ID                  NAME                   MODE                REPLICAS            IMAGE               PORTS
juqr8xuetjh1        myglobal               global              3/3                 nginx:latest        
khwcntzjltfm        mypublishportservice   replicated          2/2                 nginx:latest        *:8080->80/tcp

$ docker service ps mypublishportservice
ID                  NAME                     IMAGE               NODE                          DESIRED STATE       CURRENT STATE            ERROR               PORTS
mtgrus1pk5m0        mypublishportservice.1   nginx:latest        plakhera12c.mylabserver.com   Running             Running 20 seconds ago                       
ul3vtb79mu8r        mypublishportservice.2   nginx:latest        plakhera14c.mylabserver.com   Running             Running 19 seconds ago                       
[[email protected] ~]$ docker container ls
  • Go to one of the nodes and try to access it on port 8080
$ curl 172.31.21.46:8080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Lock your swarm to protect its encryption key

  • When Docker restarts, both the TLS key used to encrypt communication among swarm nodes and the key used to encrypt and decrypt Raft logs on disk, are loaded into each manager node’s memory. 
  • Docker 1.13 introduces the ability to protect the mutual TLS encryption key and the key used to encrypt and decrypt Raft logs at rest, by allowing you to take ownership of these keys and to require manual unlocking of your managers. This feature is called autolock.

Enable or disable autolock on an existing swarm

  • To enable autolock on an existing swarm, set the autolock flag to true.
# docker swarm update --autolock=true
Swarm updated.
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:

    SWMKEY-1-XXXXXXXXXXXXXXXXXXXXXX

Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.
  • Store the key in a safe place, such as in a password manager.
  • When Docker restarts, you need to unlock the swarm. A locked swarm causes an error like the following when you try to start or restart a service:
$ sudo systemctl restart docker
  • To unlock a locked swarm, use docker swarm unlock.
$ docker swarm unlock
Please enter unlock key: 

View the current unlock key for a running swarm

$ docker swarm unlock-key
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:

    SWMKEY-1-XXXXXXXXXXXXXXXXXXXXXXX

Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.

Rotate the unlock key

$ docker swarm unlock-key --rotate
Successfully rotated manager unlock key.

To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:

    SWMKEY-1-XXXXXXXXXXXXXXXXXXXXXXX

Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.

Disable autolock

docker swarm update --autolock=false

Mount Volumes with Swarm

  • To mount/create the volume using Swarm
$ docker service create --name mytestvolservice --mount type=volume,source=mytestvol,target=/mytestvol nginx
uh2t9a60p11f7ylehr6jrv0uo
overall progress: 1 out of 1 tasks 
1/1: running   
verify: Service converged 
  • To verify it
$ docker service ps mytestvolservice
ID                  NAME                 IMAGE               NODE                          DESIRED STATE       CURRENT STATE            ERROR               PORTS
yzrwdg5vwgbl        mytestvolservice.1   nginx:latest        plakhera13c.mylabserver.com   Running             Running 13 seconds ago                       
  • As you can see this is been created on plakhera13 machine, let’s login to that machine
$ docker volume ls
DRIVER              VOLUME NAME
local               mytestvol
  • Get more information about the volume
$ docker volume inspect mytestvol
[
    {
        "CreatedAt": "2019-10-21T01:43:03Z",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/mytestvol/_data", <---
        "Name": "mytestvol",
        "Options": null,
        "Scope": "local"
    }
]
$ sudo ls -l /var/lib/docker/volumes/mytestvol/_data
total 0
  • Let’s login to the container
$ docker exec -it c98ffe8fe655 bash
# cd mytestvol/
# touch mytestfile
  • Logout from the container and see if the file exist on the Docker host
$ sudo ls -l /var/lib/docker/volumes/mytestvol/_data
total 0
-rw-r--r--. 1 root root 0 Oct 21 01:45 mytestfile
  • Now the question is what will happen if you remove the service, is the Volume still exist?
$ docker service rm mytestvolservice
mytestvolservice
  • Let’s verify it, yay yes 🙂
$ docker volume ls
DRIVER              VOLUME NAME
local               mytestvol

Add or remove label metadata

Node labels provide a flexible method of node organization. You can also use node labels in service constraints. Apply constraints when you create a service to limit the nodes where the scheduler assigns tasks for the service.

  • First let get’s the node id
$ docker node ls
ID                            HOSTNAME                      STATUS              AVAILABILITY        MANAGER STATUS      ENGINE VERSION
ws27unxgekvajgwtnj43tywsy *   plakhera12c.mylabserver.com   Ready               Active              Leader              19.03.4
ce05mu24b2p600ecejmy5gj8x     plakhera13c.mylabserver.com   Ready               Active                                  19.03.4
s0tcp7y6sw5l4bc0d622mtv21     plakhera14c.mylabserver.com   Ready               Active                                  19.03.4
  • Apply the label
$ docker node update --label-add region=us-west-2 s0tcp7y6sw5l4bc0d622mtv21
s0tcp7y6sw5l4bc0d622mtv21
  • Verify it
$ docker node inspect s0tcp7y6sw5l4bc0d622mtv21
[
    {
        "ID": "s0tcp7y6sw5l4bc0d622mtv21",
        "Version": {
            "Index": 145
        },
        "CreatedAt": "2019-10-23T03:08:41.624202115Z",
        "UpdatedAt": "2019-10-23T05:29:34.502968372Z",
        "Spec": {
            "Labels": { <----------
                "region": "us-west-2"
            },
  • Create the service using the constraint
$ docker service create --name myserviceconstraint1 --constraint node.labels.region==us-west-2 --replicas 1 nginx
s1cq2avedvt1xeetbjv353j0a
overall progress: 1 out of 1 tasks 
1/1: running   [==================================================>] 
verify: Service converged 
  • Verify it
$ docker service ps myserviceconstraint1
ID                  NAME                     IMAGE               NODE                          DESIRED STATE       CURRENT STATE            ERROR               PORTS
shjn105n69hi        myserviceconstraint1.1   nginx:latest        plakhera14c.mylabserver.com   Running             Running 24 seconds ago                       

Please follow me with my Journey

This time to make learning more interactive, I am adding

  • Slack
  • Meetup

Please feel free to join this group.

Slack: 

https://100daysofdevops.slack.com/join/shared_invite/enQtNzg1MjUzMzQzMzgxLWM4Yjk0ZWJiMjY4ZWE3ODBjZjgyYTllZmUxNzFkNTgxZjQ4NDlmZjkzODAwNDczOTYwOTM2MzlhZDNkM2FkMDA

Meetup Group

If you are in the bay area, please join this meetup group https://www.meetup.com/100daysofdevops/