Closed cyli closed 6 years ago
Do we really want to document how to downgrade, or should we tell that all nodes in your swarm need to be running the same version of Docker?
I don't think we officially support downgrades. Also this fix shipped a while ago and I haven't seen folks complaining about side effects of this so let's close this one.
That PR was actually pretty recently merged, so I don't think anyone would be experiencing it yet. If we don't support downgrades though then that should be fine.
Given that this only applies to downgrades, even if a few folks stumble on the issue I'm hopeful they will find this issue with your great write up and use it to fix their problem. If a ton of users start having this problem (which I doubt) we can always include this in the docs later on.
Closed issues are locked after 30 days of inactivity. This helps our team focus on active issues.
If you have found a problem that seems similar to this, please open a new issue.
/lifecycle locked
Problem description
https://github.com/docker/swarmkit/pull/2246 stops generating and storing keys in PKCS1 format and stores them in PKCS8 format instead. Older versions of docker can read unencrypted PKCS8 format, but not encrypted PKCS8 format. Therefore, on swarm nodes, once TLS keys have been rotated to be in PKCS8 format, if they are encrypted (such as on managers with autolock enabled), downgrading to a version of docker that cannot read encrypted PKCS8 keys can be problematic.
Project version(s) affected
Future version of docker that includes changes from https://github.com/docker/swarmkit/pull/2246.
Suggestions for a fix
We should document the downgrade process.
If, after upgrading to a version of docker that stores keys in PKCS8 format, you want to downgrade, check whether your manager keys are stored as encrypted PKCS8 keys (worker keys are not encrypted). If you have autolock enabled on your swarm, then it's possible that you have PKCS8-encrypted keys (if the TLS certs have been renewed since you upgraded, or you installed the newer version of docker and now want to downgrade, or if you enabled autolock post-upgrade). In order to downgrade, we need to decrypt the keys, so make sure that autolock is disabled, and before downgrading each manager node, verify that the keys are no longer encrypted.
They should go from looking like this (an encrypted PKCS8 key):
to this (an unencrypted PKCS8 key):
This will guarantee that the older version of docker can read the key. Autolock can be re-enabled once all the managers have been downgraded.
(As a note, in case it's useful for documentation purposes, PKCS1 encrypted keys look like:
and unencrypted PKCS keys look like:
The unencrypted version is missing the `Proc-Type` and `DEK-Info` headers.)
cc @alyyousuf7 @friism @aluzzardi @diogomonica