Sentinel-PaaS / sentinel-api

Sentinel's API server (i.e., the Control Plane), a Node.js application.
MIT License

Secure Remote Docker API connection for dockerode #10

Open dsessler7 opened 2 years ago

dsessler7 commented 2 years ago

Right now, in development, we are binding TCP port 2375 to the Docker daemon on the manager instance and opening it up to the internet, which is a big no-no. We need to figure out how to make this more secure.

Here are some resources:

https://docs.docker.com/engine/security/protect-access/

https://docs.docker.com/engine/reference/commandline/dockerd/

MFatigati commented 2 years ago

I've been at this all morning, trying to enable secure access with SSL. It seems possible, but twice, messing with the configurations ended up crashing Docker on my EC2 instance irreparably. Had to create new instances. At this point, if we can just accept incoming traffic from only the nodes in our swarm (or ourselves, now in development), that seems like the best option.

MFatigati commented 2 years ago

SSH also doesn't work. We can remotely access a Docker daemon via SSH using docker context, but that only works for terminal commands, not dockerode, so the terminal commands are just as difficult to work with as Ansible.

Best method is definitely just exposing port 2375 on the manager node to the API server. Do this in one of two ways:

1) Get the API server IP address (it can easily be found in the terminal via curl ifconfig.me, or in other ways), and add that IP address as the ONLY allowed incoming IP address on port 2375 of the manager node, or

2) create a security group, e.g., "group x," put the API server in it, and then add a rule to the manager node so that anyone in "group x" can access the manager node's port 2375.

Then run the following on the manager node:

sudo systemctl stop docker
sudo systemctl stop docker.socket
sudo dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
sudo systemctl daemon-reload
sudo systemctl restart docker.service

(new commands there to account for errors I ran into)

Presumably that has to happen when the initialize route is hit.

dsessler7 commented 2 years ago

I like the idea of limiting access to the docker API port to the Sentinel API server, but we should probably also at least use the secure port for the Docker API: 2376.

MFatigati commented 2 years ago

The following seems to have worked for me (just including the first part of the file):

### swarm_init.yml
---
- name: Copy docker config file
  hosts: managers
  become: true
  gather_facts: False
  tasks:
    - name: make folder for config
      command: mkdir -p /etc/docker
    - name: make folder for override
      command: mkdir -p /etc/systemd/system/docker.service.d/
    - name: copy daemon config file
      copy:
        src: ./daemon.json
        dest: /etc/docker/daemon.json
    - name: copy config override file
      copy:
        src: ./override.conf
        dest: /etc/systemd/system/docker.service.d/override.conf
- name: Install Docker and Docker Compose
  hosts: all
  become: true
  gather_facts: False
  tasks:
    - name: Update yum package manager
      command: yum update -y
    - name: Install Docker
      command: yum install docker -y
    - name: Enable docker
      command: systemctl enable docker
    - name: Start docker
      command: systemctl start docker
    # this is a convenience for when we have to ssh into the nodes.
    - name: Add sudo permissions for default ec2-user with docker
      command: usermod -aG docker ec2-user

MFatigati commented 2 years ago

The file structure with the daemon.json file and the override.conf file looks like this (screenshot, 2022-03-28):

MFatigati commented 2 years ago

I'm sure you could put them wherever makes sense. The files themselves look as follows:

### daemon.json

{
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}

### override.conf

[Service]
# The empty ExecStart= clears the command line set by the package unit, so the
# listeners come only from daemon.json (dockerd refuses to start when "hosts"
# is given both as a flag and in daemon.json).
ExecStart=
ExecStart=/usr/bin/dockerd

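The daemon.json above still exposes the unauthenticated API on 2375, only with the network rule in front of it. As an added example that is not part of sentinel-api, the following audits a daemon.json object before Ansible copies it out, and holds the hardened replacement: the same listeners moved to 2376 with tlsverify, so the daemon only answers clients presenting a certificate from the swarm's CA. The certificate paths under /etc/docker/certs are assumptions; the daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) are the ones dockerd accepts.

```javascript
// Added example (not sentinel-api code): audit a daemon.json before it ships to
// the managers, and the hardened replacement for the 2375 config in this thread.
// Certificate paths are assumptions.
const PLAINTEXT_PORT = 2375;

// The config as posted in this issue: TCP on all interfaces, no TLS at all.
const WEAK_DAEMON_JSON = {
  hosts: ['tcp://0.0.0.0:2375', 'unix:///var/run/docker.sock'],
};

// Same listeners, but on 2376 and only for clients whose cert chains to ca.pem.
// The server cert/key and CA under /etc/docker/certs are assumed to exist.
const HARDENED_DAEMON_JSON = {
  hosts: ['tcp://0.0.0.0:2376', 'unix:///var/run/docker.sock'],
  tlsverify: true,
  tlscacert: '/etc/docker/certs/ca.pem',
  tlscert: '/etc/docker/certs/server-cert.pem',
  tlskey: '/etc/docker/certs/server-key.pem',
};

// Returns { errors, warnings }: errors are settings that hand the host to anyone
// who can reach the port, warnings are things a network rule must still cover.
function auditDaemonConfig(cfg) {
  const errors = [];
  const warnings = [];
  const tcpHosts = (cfg.hosts || []).filter((h) => h.startsWith('tcp://'));
  for (const h of tcpHosts) {
    const hostPort = h.slice('tcp://'.length);
    const cut = hostPort.lastIndexOf(':'); // last colon so [::]:2376 parses too
    const bind = cut < 0 ? hostPort : hostPort.slice(0, cut);
    const port = cut < 0 ? NaN : Number(hostPort.slice(cut + 1));
    if (!cfg.tlsverify) {
      errors.push(`${h}: TCP listener without tlsverify; anyone who can reach it has root on the host`);
    }
    if (port === PLAINTEXT_PORT) {
      errors.push(`${h}: 2375 is the conventional plaintext port; use 2376 for TLS`);
    }
    if (bind === '' || bind === '0.0.0.0' || bind === '[::]') {
      warnings.push(`${h}: bound on all interfaces; keep the security-group rule that limits ingress to the API server`);
    }
  }
  if (cfg.tlsverify) {
    for (const key of ['tlscacert', 'tlscert', 'tlskey']) {
      if (!cfg[key]) errors.push(`tlsverify is set but ${key} is missing`);
    }
  }
  return { errors, warnings };
}

// What Ansible should write to /etc/docker/daemon.json.
function renderDaemonJson(cfg) {
  return JSON.stringify(cfg, null, 2) + '\n';
}

module.exports = { WEAK_DAEMON_JSON, HARDENED_DAEMON_JSON, auditDaemonConfig, renderDaemonJson, PLAINTEXT_PORT };
```

The override.conf above is still needed with the hardened file: once hosts lives in daemon.json, any -H on the unit's ExecStart line makes dockerd exit at start, which is the kind of failure that looks like an "irreparably crashed" daemon until the conflicting flag is removed.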
dsessler7 commented 2 years ago

That worked!! Thanks Michael!

MFatigati commented 2 years ago

hallelujah!