From 1c57d98347522e301785780aceeaf90f7442e847 Mon Sep 17 00:00:00 2001 From: Tonis Tiigi Date: Thu, 16 Jun 2016 17:04:33 -0700 Subject: [PATCH 1/2] Add cert-expiry to swarm update Signed-off-by: Tonis Tiigi Upstream-commit: 7d8d51aa9d0c1737ff7f97a3efac0a2ef0975b56 Component: engine --- components/engine/api/client/swarm/update.go | 8 ++++++++ .../engine/docs/reference/commandline/swarm_update.md | 1 + 2 files changed, 9 insertions(+) diff --git a/components/engine/api/client/swarm/update.go b/components/engine/api/client/swarm/update.go index a26b0d59f2..c3eff5d43d 100644 --- a/components/engine/api/client/swarm/update.go +++ b/components/engine/api/client/swarm/update.go @@ -18,6 +18,7 @@ type updateOptions struct { secret string taskHistoryLimit int64 dispatcherHeartbeat time.Duration + nodeCertExpiry time.Duration } func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command { @@ -38,6 +39,7 @@ func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command { flags.StringVar(&opts.secret, "secret", "", "Set secret value needed to accept nodes into cluster") flags.Int64Var(&opts.taskHistoryLimit, "task-history-limit", 10, "Task history retention limit") flags.DurationVar(&opts.dispatcherHeartbeat, "dispatcher-heartbeat", time.Duration(5*time.Second), "Dispatcher heartbeat period") + flags.DurationVar(&opts.nodeCertExpiry, "cert-expiry", time.Duration(90*24*time.Hour), "Validity period for node certificates") return cmd } @@ -92,5 +94,11 @@ func mergeSwarm(swarm *swarm.Swarm, flags *pflag.FlagSet) error { } } + if flags.Changed("cert-expiry") { + if v, err := flags.GetDuration("cert-expiry"); err == nil { + spec.CAConfig.NodeCertExpiry = v + } + } + return nil } diff --git a/components/engine/docs/reference/commandline/swarm_update.md b/components/engine/docs/reference/commandline/swarm_update.md index 942a330ea1..afbcf6455e 100644 --- a/components/engine/docs/reference/commandline/swarm_update.md 
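Review bot: The help string for `--cert-expiry` in newUpdateCommand does not mention a lower bound, although the integration test in patch 2/2 expects values under 30m to be rejected with "minimum certificate expiry time". This flag controls how long a node certificate stays valid, so I would state the bound where operators read it, e.g. `"Validity period for node certificates (minimum 30m)"`, and mirror that in swarm_update.md. The 90-day default printed in the help is only sent when the flag is given, because mergeSwarm gates on `flags.Changed("cert-expiry")`, so it does not necessarily describe the cluster's current value. newUpdateCommand starts outside this hunk.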
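Review bot: In mergeSwarm the new `cert-expiry` branch drops the error from `flags.GetDuration`, so a failed lookup leaves `spec.CAConfig.NodeCertExpiry` untouched while the function still returns nil. For a setting that bounds certificate lifetime, the command should not report success when the requested validity period was not applied; return the error instead: `v, err := flags.GetDuration("cert-expiry")`, `if err != nil { return err }`, `spec.CAConfig.NodeCertExpiry = v`. This probably fires only on a flag name or type mismatch, since pflag has already parsed the value, but that is the kind of mistake a silent skip hides. The function begins outside this hunk, and the earlier branches may follow the same pattern.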
+++ b/components/engine/docs/reference/commandline/swarm_update.md @@ -22,6 +22,7 @@ parent = "smn_cli" --help Print usage --secret string Set secret value needed to accept nodes into cluster --task-history-limit int Task history retention limit (default 10) + --cert-expiry duration Validity period for node certificates (default 2160h0m0s) Updates a Swarm cluster with new parameter values. This command must target a manager node. From 7f08beb5b20f04241651bd3ddaf0e7351f122343 Mon Sep 17 00:00:00 2001 From: Tonis Tiigi Date: Thu, 16 Jun 2016 17:04:56 -0700 Subject: [PATCH 2/2] Add integration test for parsing swarm update options Signed-off-by: Tonis Tiigi Upstream-commit: a933ac3c27ac88cf69a2bc2bc16ce076486c0206 Component: engine --- .../integration-cli/docker_cli_swarm_test.go | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 components/engine/integration-cli/docker_cli_swarm_test.go diff --git a/components/engine/integration-cli/docker_cli_swarm_test.go b/components/engine/integration-cli/docker_cli_swarm_test.go new file mode 100644 index 0000000000..95deab5766 --- /dev/null +++ b/components/engine/integration-cli/docker_cli_swarm_test.go 
@@ -0,0 +1,76 @@ +// +build !windows + +package main + +import ( + "encoding/json" + "time" + + "github.com/docker/docker/pkg/integration/checker" + "github.com/docker/engine-api/types/swarm" + "github.com/go-check/check" +) + +func (s *DockerSwarmSuite) TestSwarmUpdate(c *check.C) { + d := s.AddDaemon(c, true, true) + + getSpec := func() swarm.Spec { + out, err := d.Cmd("swarm", "inspect") + c.Assert(err, checker.IsNil) + var sw []swarm.Swarm + c.Assert(json.Unmarshal([]byte(out), &sw), checker.IsNil) + c.Assert(len(sw), checker.Equals, 1) + return sw[0].Spec + } + + out, err := d.Cmd("swarm", "update", "--cert-expiry", "30h", "--dispatcher-heartbeat", "11s", "--auto-accept", "manager", "--auto-accept", "worker", "--secret", "foo") + c.Assert(err, checker.IsNil, check.Commentf("out: %v", out)) + + spec := getSpec() + c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour) + c.Assert(spec.Dispatcher.HeartbeatPeriod, checker.Equals, uint64(11*time.Second)) + + c.Assert(spec.AcceptancePolicy.Policies, checker.HasLen, 2) + + for _, p := range spec.AcceptancePolicy.Policies { + c.Assert(p.Autoaccept, checker.Equals, true) + c.Assert(p.Secret, checker.NotNil) + c.Assert(*p.Secret, checker.Not(checker.Equals), "") + } + + out, err = d.Cmd("swarm", "update", "--auto-accept", "none") + c.Assert(err, checker.IsNil, check.Commentf("out: %v", out)) + + spec = getSpec() + c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour) + c.Assert(spec.Dispatcher.HeartbeatPeriod, checker.Equals, uint64(11*time.Second)) + + c.Assert(spec.AcceptancePolicy.Policies, checker.HasLen, 2) + + for _, p := range spec.AcceptancePolicy.Policies { + c.Assert(p.Autoaccept, checker.Equals, false) + // secret is still set + c.Assert(p.Secret, checker.NotNil) + c.Assert(*p.Secret, checker.Not(checker.Equals), "") + } + + out, err = d.Cmd("swarm", "update", "--auto-accept", "manager", "--secret", "") + c.Assert(err, checker.IsNil, check.Commentf("out: %v", out)) + + spec = 
getSpec() + + c.Assert(spec.AcceptancePolicy.Policies, checker.HasLen, 2) + + for _, p := range spec.AcceptancePolicy.Policies { + c.Assert(p.Autoaccept, checker.Equals, p.Role == swarm.NodeRoleManager) + // secret has been removed + c.Assert(p.Secret, checker.IsNil) + } + + // setting anything under 30m for cert-expiry is not allowed + out, err = d.Cmd("swarm", "update", "--cert-expiry", "15m") + c.Assert(err, checker.NotNil) + c.Assert(out, checker.Contains, "minimum certificate expiry time") + spec = getSpec() + c.Assert(spec.CAConfig.NodeCertExpiry, checker.Equals, 30*time.Hour) +}
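Review bot: The rejection case at the end of TestSwarmUpdate probes only `15m`, so a zero duration and the boundary value itself are not covered for a setting that decides how long node certificates stay valid. Assuming the daemon treats zero like any other value below the minimum, I would add `out, err = d.Cmd("swarm", "update", "--cert-expiry", "0s")` followed by `c.Assert(err, checker.NotNil, check.Commentf("out: %v", out))`, and re-check that `NodeCertExpiry` is still `30*time.Hour` afterwards. The existing `c.Assert(err, checker.NotNil)` for `15m` lacks the `check.Commentf("out: %v", out)` that the other assertions carry, which makes a failure harder to diagnose. The third update (`--secret ""`) does not re-assert `NodeCertExpiry` or `HeartbeatPeriod`, so a regression that resets them on an unrelated update would only be caught indirectly by the final assertion.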