On Day 14, I gave you the basic introduction to Docker Swarm, let explore swarm more in-depth
Adding Network and Publishing Ports to Swarm Tasks
- Publishing port for Swarm tasks is similar to what we did for docker
$ docker service create --name mypublishportservice --replicas 2 -p 8080:80 nginx
khwcntzjltfmxu8rwxy208wb2
overall progress: 2 out of 2 tasks
1/2: running [==================================================>]
2/2: running [==================================================>]
verify: Service converged - Verify it
$ docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
juqr8xuetjh1 myglobal global 3/3 nginx:latest
khwcntzjltfm mypublishportservice replicated 2/2 nginx:latest *:8080->80/tcp
$ docker service ps mypublishportservice
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
mtgrus1pk5m0 mypublishportservice.1 nginx:latest plakhera12c.mylabserver.com Running Running 20 seconds ago
ul3vtb79mu8r mypublishportservice.2 nginx:latest plakhera14c.mylabserver.com Running Running 19 seconds ago
[cloud_user@plakhera12c ~]$ docker container ls
- Go to one of the nodes and try to access it on port 8080
$ curl 172.31.21.46:8080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Lock your swarm to protect its encryption key
- When Docker restarts, both the TLS key used to encrypt communication among swarm nodes and the key used to encrypt and decrypt Raft logs on disk, are loaded into each manager node’s memory.
- Docker 1.13 introduces the ability to protect the mutual TLS encryption key and the key used to encrypt and decrypt Raft logs at rest, by allowing you to take ownership of these keys and to require manual unlocking of your managers. This feature is called autolock.
Enable or disable autolock on an existing swarm
- To enable autolock on an existing swarm, set the
autolockflag totrue.
# docker swarm update --autolock=true
Swarm updated.
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:
SWMKEY-1-XXXXXXXXXXXXXXXXXXXXXX
Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.
- Store the key in a safe place, such as in a password manager.
- When Docker restarts, you need to unlock the swarm. A locked swarm causes an error like the following when you try to start or restart a service:
$ sudo systemctl restart docker- To unlock a locked swarm, use
docker swarm unlock.
$ docker swarm unlock
Please enter unlock key: View the current unlock key for a running swarm
$ docker swarm unlock-key
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:
SWMKEY-1-XXXXXXXXXXXXXXXXXXXXXXX
Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.Rotate the unlock key
$ docker swarm unlock-key --rotate
Successfully rotated manager unlock key.
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:
SWMKEY-1-XXXXXXXXXXXXXXXXXXXXXXX
Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.
Disable autolock
docker swarm update --autolock=falseMount Volumes with Swarm
- To mount/create the volume using Swarm
$ docker service create --name mytestvolservice --mount type=volume,source=mytestvol,target=/mytestvol nginx
uh2t9a60p11f7ylehr6jrv0uo
overall progress: 1 out of 1 tasks
1/1: running
verify: Service converged
- To verify it
$ docker service ps mytestvolservice
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
yzrwdg5vwgbl mytestvolservice.1 nginx:latest plakhera13c.mylabserver.com Running Running 13 seconds ago
- As you can see this is been created on plakhera13 machine, let’s login to that machine
$ docker volume ls
DRIVER VOLUME NAME
local mytestvol- Get more information about the volume
$ docker volume inspect mytestvol
[
{
"CreatedAt": "2019-10-21T01:43:03Z",
"Driver": "local",
"Labels": null,
"Mountpoint": "/var/lib/docker/volumes/mytestvol/_data", <---
"Name": "mytestvol",
"Options": null,
"Scope": "local"
}
]
$ sudo ls -l /var/lib/docker/volumes/mytestvol/_data
total 0
- Let’s login to the container
$ docker exec -it c98ffe8fe655 bash
# cd mytestvol/
# touch mytestfile- Logout from the container and see if the file exist on the Docker host
$ sudo ls -l /var/lib/docker/volumes/mytestvol/_data
total 0
-rw-r--r--. 1 root root 0 Oct 21 01:45 mytestfile- Now the question is what will happen if you remove the service, is the Volume still exist?
$ docker service rm mytestvolservice
mytestvolservice
- Let’s verify it, yay yes 🙂
$ docker volume ls
DRIVER VOLUME NAME
local mytestvolAdd or remove label metadata
Node labels provide a flexible method of node organization. You can also use node labels in service constraints. Apply constraints when you create a service to limit the nodes where the scheduler assigns tasks for the service.
- First let get’s the node id
$ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
ws27unxgekvajgwtnj43tywsy * plakhera12c.mylabserver.com Ready Active Leader 19.03.4
ce05mu24b2p600ecejmy5gj8x plakhera13c.mylabserver.com Ready Active 19.03.4
s0tcp7y6sw5l4bc0d622mtv21 plakhera14c.mylabserver.com Ready Active 19.03.4
- Apply the label
$ docker node update --label-add region=us-west-2 s0tcp7y6sw5l4bc0d622mtv21
s0tcp7y6sw5l4bc0d622mtv21- Verify it
$ docker node inspect s0tcp7y6sw5l4bc0d622mtv21
[
{
"ID": "s0tcp7y6sw5l4bc0d622mtv21",
"Version": {
"Index": 145
},
"CreatedAt": "2019-10-23T03:08:41.624202115Z",
"UpdatedAt": "2019-10-23T05:29:34.502968372Z",
"Spec": {
"Labels": { <----------
"region": "us-west-2"
},
- Create the service using the constraint
$ docker service create --name myserviceconstraint1 --constraint node.labels.region==us-west-2 --replicas 1 nginx
s1cq2avedvt1xeetbjv353j0a
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
- Verify it
$ docker service ps myserviceconstraint1
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
shjn105n69hi myserviceconstraint1.1 nginx:latest plakhera14c.mylabserver.com Running Running 24 seconds ago Please follow me with my Journey
- Website:https://100daysofdevops.com/
- Twitter:@100daysofdevops OR @lakhera2015
- Facebook:https://www.facebook.com/groups/795382630808645/
- Medium:https://medium.com/@devopslearning
- GitHub:https://github.com/100daysofdevops/21_Days_of_Docker
This time to make learning more interactive, I am adding
- Slack
- Meetup
Please feel free to join this group.
Slack:
Meetup Group
If you are in the bay area, please join this meetup group https://www.meetup.com/100daysofdevops/