docker-cli/components/cli/docs/reference/commandline/swarm_join.md
Aaron Lehmann 29b9ce751d Generate a swarm joining secret if none is specified
The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.

This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.

`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.

Closes #23785

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: e632408a37
Component: cli
2017-06-02 00:07:49 +00:00

swarm join

Usage:	docker swarm join [OPTIONS] HOST:PORT

Join a Swarm as a node and/or manager.

Options:
      --help                Print usage
      --listen-addr value   Listen address (default 0.0.0.0:2377)
      --manager             Try joining as a manager.
      --secret string       Secret for node acceptance

Join a node to a Swarm cluster. If the --manager flag is specified, the Docker Engine targeted by this command becomes a manager. Otherwise, it becomes a worker.

Join a node to a swarm as a manager

$ docker swarm join --secret 4ao565v9jsuogtq5t8s379ulb --manager --listen-addr 192.168.99.122:2377 192.168.99.121:2377
This node joined a Swarm as a manager.
$ docker node ls
ID                           HOSTNAME  MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS         LEADER
dkp8vy1dq1kxleu9g4u78tlag *  manager2  Accepted    Ready   Active        Reachable
dvfxp4zseq4s0rih1selh0d20    manager1  Accepted    Ready   Active        Reachable              Yes

Join a node to a swarm as a worker

$ docker swarm join --secret 4ao565v9jsuogtq5t8s379ulb --listen-addr 192.168.99.123:2377 192.168.99.121:2377
This node joined a Swarm as a worker.
$ docker node ls
ID                           HOSTNAME  MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS         LEADER
7ln70fl22uw2dvjn2ft53m3q5    worker2   Accepted    Ready   Active
dkp8vy1dq1kxleu9g4u78tlag    worker1   Accepted    Ready   Active        Reachable
dvfxp4zseq4s0rih1selh0d20 *  manager1  Accepted    Ready   Active        Reachable              Yes

--manager

Joins the node as a manager.

--listen-addr value

The node listens for inbound Swarm manager traffic on this IP:PORT.

--secret string

Secret value required for nodes to join the swarm.