Open dsessler7 opened 2 years ago
I've been at this all morning, trying to enable secure access with SSL. It seems possible but, twice, messing with the configurations ended up crashing docker on my ec2 instance irreparably. Had to create new instances. At this point, if we can just accept incoming traffic from only the nodes in our swarm (or ourselves, now in development), that seems like the best option.
SSH also doesn't work. We can remotely access a docker daemon via SSH using docker context, but that only works for terminal commands, not dockerode, so the terminal commands are just as difficult to work with as ansible.
Best method is definitely just exposing port 2375 on the manager node to the API server. Do this in one of two ways:
1) get the API server IP address (can easily be found in the terminal via curl ifconfig.me, or in other ways), and add that IP address as the ONLY allowed incoming IP address on 2375 of the manager node, or
2) create a security group, e.g., "group x," put the API server in it, and then add a rule to the manager node so that anyone in "group x" can access the manager node's port 2375.
Then run the following on the manager node:

```bash
sudo systemctl stop docker
sudo systemctl stop docker.socket
sudo dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
sudo systemctl daemon-reload
sudo systemctl restart docker.service
```

(new commands there to account for errors I ran into)
Presumably that has to happen when the initialize route is hit.
I like the idea of limiting access to the docker API port to the Sentinel API server, but we should probably also at least use the secure port for the Docker API: 2376.
The following seems to have worked for me (just including the first part of the file):

```yaml
### swarm_init.yml
---
- name: Copy docker configfile
  hosts: managers
  become: true
  gather_facts: False
  tasks:
    - name: make folder for config
      command: sudo mkdir -p /etc/docker
    - name: make folder for override
      command: sudo mkdir -p /etc/systemd/system/docker.service.d/
    - name: copy daemon config file
      copy:
        src: ./daemon.json
        dest: /etc/docker/daemon.json
    - name: copy config override file
      copy:
        src: ./override.conf
        dest: /etc/systemd/system/docker.service.d/override.conf

- name: Install Docker and Docker Compose
  hosts: all
  become: true
  gather_facts: False
  tasks:
    - name: Update yum package manager
      command: yum update -y
    - name: Install Docker
      command: yum install docker -y
    - name: Enable docker
      command: systemctl enable docker
    - name: Start docker
      command: systemctl start docker
    # this is a convenience for when we have to ssh into the nodes.
    - name: Add sudo permissions for default ec2-user with docker
      command: sudo usermod -aG docker ec2-user
```
The file structure with the daemon.json file and the override.conf file looks like this:
I'm sure you could put them wherever makes sense. The files themselves look as follows:
daemon.json:

```json
{
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}
```

override.conf:

```ini
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
```
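As an added example (not from this thread or the project's own code), the script below ties the two comments above together: the suggestion to move the Docker API from plaintext 2375 to the TLS port 2376, and the daemon.json / override.conf pair that was posted. It writes a hardened daemon.json that listens only on 2376 with client-certificate verification, and it audits an existing daemon.json and override.conf for the weak settings (a tcp:// host on 2375, a tcp:// host without tlsverify, or a -H flag left in ExecStart). The certificate paths under /etc/docker/certs are assumed placeholders; generating the CA, server and client certificates is a separate step covered by the Docker protect-access page linked in this thread.

```shell
#!/bin/sh
# Added example, not from the issue thread or the project.
# Assumptions: certificates already exist at the /etc/docker/certs paths below
# (placeholders); the demo writes only to a scratch directory, never /etc/docker.
set -u

# Write a daemon.json that keeps the unix socket, binds only the TLS port 2376,
# and requires clients to present a certificate signed by the CA.
write_hardened_daemon_json() {
    out="$1"
    cat > "$out" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
EOF
}

# Return 0 when daemon.json exposes no plaintext TCP listener, 1 otherwise.
# Rule 1: port 2375 (the conventional plaintext port) is always rejected.
# Rule 2: any tcp:// host requires "tlsverify": true in the same file.
audit_daemon_json() {
    f="$1"
    [ -r "$f" ] || { echo "audit: cannot read $f" >&2; return 2; }
    if grep -q 'tcp://[^"]*:2375' "$f"; then
        echo "audit: $f binds plaintext port 2375" >&2
        return 1
    fi
    if grep -q 'tcp://' "$f" && ! grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$f"; then
        echo "audit: $f has a tcp:// host without tlsverify" >&2
        return 1
    fi
    return 0
}

# Return 0 when the systemd override leaves host selection to daemon.json.
# dockerd refuses to start if "hosts" is given both as -H on the command line
# and in daemon.json, so the override must clear ExecStart and re-set it
# without any -H / --host flag.
audit_override_conf() {
    f="$1"
    [ -r "$f" ] || { echo "audit: cannot read $f" >&2; return 2; }
    if grep -E '^ExecStart=.*(-H|--host)' "$f" >/dev/null; then
        echo "audit: $f passes -H in ExecStart; hosts must come from daemon.json only" >&2
        return 1
    fi
    if ! grep -q '^ExecStart=$' "$f"; then
        echo "audit: $f lacks the empty ExecStart= line that clears the packaged default" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo: audit the weak config from the thread, then the hardened one.
demo() {
    d=$(mktemp -d)
    # Constructed copy of the posted daemon.json (plaintext 2375).
    printf '{\n  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]\n}\n' > "$d/weak.json"
    if audit_daemon_json "$d/weak.json"; then echo "weak.json: OK"; else echo "weak.json: FAIL"; fi
    write_hardened_daemon_json "$d/daemon.json"
    if audit_daemon_json "$d/daemon.json"; then echo "daemon.json: OK"; else echo "daemon.json: FAIL"; fi
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh harden-docker-api.sh demo` to see the posted daemon.json flagged and the hardened one pass. Switching to 2376 with tlsverify also means the security-group rule from the first comment should allow 2376 (not 2375) from the API server, and the dockerode client must be given the client certificate and key; without the network restriction, TLS alone still leaves the daemon reachable by anyone who can obtain a signed client cert.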
That worked!! Thanks Michael!
hallelujah!
Right now, in development, we are binding the tcp port 2375 to the docker daemon on the manager instance and opening it up to the internet which is a big no-no. We need to figure out how to make this more secure.
Here are some resources:
https://docs.docker.com/engine/security/protect-access/
https://docs.docker.com/engine/reference/commandline/dockerd/