Docker Swarm
Without a manager quorum, the existing tasks continue to run, but the scheduler
cannot rebalance tasks or cope with any failures.
Docker recommendations:
Have more than one Master node, and an odd number of Master nodes, for High
Availability.
Have a maximum of seven manager nodes in a Swarm.
Consider the example shown in the picture. The diagram shows 3 replicas of a redis
server running in 3 containers. You want to load balance between the three instances
of the redis server.
In this model, each task invokes one container. You can think of a task as a slot
where the scheduler places a container. The scheduler marks the task as running
when the container comes up.
ACCEPTED: The task was accepted by a worker node. If a worker node rejects the
task, the state changes to REJECTED.
Step 1: Create a service using the docker service create command, or the UCP web UI or CLI.
Step 3: The Docker manager node schedules the service to run on particular nodes.
Step 5: Each task has a life cycle, with states like NEW, PENDING, and COMPLETE.
Step 6: Tasks are execution units that run once to completion. When a task stops,
it isn't executed again, but a new task may take its place.
If you do not want a service's tasks to be executed at the moment, you can configure
the service so that its tasks remain in the pending state.
Replicated
Global
Replicated Service:
In this mode, you specify the number of replicas (identical tasks) to run; each
task runs in its own container.
Global Service:
This service runs one task per worker node. You need not specify any number of
replicas. Swarm automatically adds or removes tasks based on the total number of
active nodes at a given time.
To initialize swarm,
docker swarm init
Note:
You can configure the manager node to publish a specific IP address as its
manager address.
You will learn more basic commands going through the upcoming scenario in the
playground.
Let us consider an example where you add a constraint to deploy a service only on
nodes that have SSD storage.
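The two points above (publishing a fixed manager address, and constraining placement to SSD nodes) as one walkthrough. This is an added example, not code from the course notes: the address 192.0.2.10 and the node name worker1 are placeholders, and every docker call goes through a small run() helper that prints the command instead of executing it when no Swarm-capable daemon is reachable.

```shell
#!/bin/sh
# Added example (not from the course notes). MANAGER_IP and SSD_NODE are placeholders.
set -eu

MANAGER_IP="192.0.2.10"   # placeholder: the address this manager should advertise
SSD_NODE="worker1"        # placeholder: hostname of a node that has SSD storage

# Execute a command against a live daemon, or echo it in dry-run mode.
run() {
    if docker info >/dev/null 2>&1; then
        "$@"
    else
        echo "+ $*"
    fi
}

# 1. Initialize the swarm and publish this manager under a fixed address.
#    Without --advertise-addr, Docker picks an interface itself, which is
#    ambiguous on multi-homed hosts.
init_swarm() {
    run docker swarm init --advertise-addr "$MANAGER_IP"
}

# 2. Show the join commands. Two tokens exist, one for workers and one for
#    managers. Treat them as credentials: anyone holding the manager token
#    can join the cluster as a manager.
show_join_tokens() {
    run docker swarm join-token worker
    run docker swarm join-token manager
}

# 3. Label the node that has SSD storage. Labels are set from a manager.
label_ssd_node() {
    run docker node update --label-add storage=ssd "$SSD_NODE"
}

# 4. Create a service the scheduler may only place on SSD-labelled nodes.
#    If no node satisfies the constraint, the tasks stay pending.
create_constrained_service() {
    run docker service create --name redis-ssd --replicas 3 \
        --constraint node.labels.storage==ssd redis
}

init_swarm
show_join_tokens
label_ssd_node
create_constrained_service
```

Run it on a manager to execute the steps, or on any machine to see the exact commands; `docker node ls` afterwards shows the labelled node and `docker service ps redis-ssd` shows that all three tasks landed on it.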
Service discovery is a technique Docker uses to forward requests from external
clients to the appropriate nodes for execution, without exposing any node
details.
For example, suppose you have an event service that stores its data using a MySQL
service (both services are connected through an overlay network). You have to
expose the port details of the event service to the client, while the MySQL
service's port details need to be shared with the event service alone.
Docker keeps a list of worker nodes for every service in order to route requests between nodes.
Routing Mesh in Docker Swarm enables multi-host networking, which lets containers
on different hosts talk to each other as if they were on the same host.
This is carried out by creating a Virtual Extensible LAN (VXLAN), which is designed
for cloud-based networking.
Docker Swarm has an internal ingress load balancer that distributes traffic to
containers that are directly exposed to the public.
You can also configure an external load balancer to direct requests to the
appropriate containers regardless of which host runs the service.
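The event service / MySQL scenario and the routing mesh described above, as an added example that is not part of the course notes. The network name app-net, the images mysql:8 and event-service:latest, and port 8080 are assumed for illustration; the run() helper prints each command when no daemon is reachable.

```shell
#!/bin/sh
# Added example, not from the course notes. Names, images and ports are assumed.
set -eu

run() { if docker info >/dev/null 2>&1; then "$@"; else echo "+ $*"; fi; }

# 1. One overlay network for the application. It spans every host in the swarm
#    over VXLAN, so a container reaches another by service name regardless of host.
create_overlay() {
    run docker network create --driver overlay app-net
}

# 2. MySQL joins app-net but publishes no port: it gets a virtual IP and a DNS
#    name ("mysql") inside the overlay only, and no entry in the ingress mesh.
#    Credentials belong in a secret (see the notes on secrets), not in -e flags.
create_db_service() {
    run docker service create --name mysql --network app-net mysql:8
}

# 3. The event service is what clients talk to, so it publishes a port. With the
#    default ingress mode the routing mesh answers on port 8080 of every node and
#    forwards to a task, even from a node that runs no replica of the service.
create_event_service() {
    run docker service create --name event --network app-net --replicas 2 \
        --publish published=8080,target=80 event-service:latest
}

# 4. Show the virtual IPs the service was assigned (one per attached network)
#    and where its tasks actually landed.
show_placement() {
    run docker service inspect --format '{{json .Endpoint.VirtualIPs}}' event
    run docker service ps event
}

create_overlay
create_db_service
create_event_service
show_placement
```

An external load balancer in front of this swarm simply targets port 8080 on each node; the ingress mesh takes care of reaching a live task. Because mysql publishes nothing, only the event tasks can reach it, and only through app-net.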
The key feature of Swarm mode is High Availability. Let us consider the scenario
explained in the image.
Users will still be able to reach the application from any node in the Swarm, even
when the corresponding node or manager node is down.
This traffic includes all Swarm management communication, such as the commands to
join or leave the swarm. This communication is encrypted.
The overlay network in Swarm mode is similar to a user-defined bridge network
between containers.
This network is available by default when Swarm mode is initialized. This
bridge network connects host ports to the ports of containers that are attached
to the overlay network.
This is also a kind of overlay network, which enables load balancing among nodes.
It is available by default when you initialize or join a swarm.
Docker has a built-in Public Key Infrastructure (PKI) that helps maintain a
secure container orchestration system.
Communication between nodes happens over Transport Layer Security (TLS), which
authenticates, authorizes, and encrypts communications.
Certificate Authorities
When you initialize a swarm, the current node becomes the manager node and
generates a new root certificate authority (CA) along with a key pair, which
other nodes use to join the swarm.
You can also add your own externally generated CA, which is added using the flag
--external-ca during swarm initialization.
There is a possibility that the whole cluster could be compromised if the root CA
gets leaked.
Docker Swarm mode also uses external CAs. This is used to retain the Swarm
Managers' identity.
Command to include an external CA
By default, the certificate on every node is renewed every three months. The
interval can be changed using the swarm update command.
For example:
docker swarm update --cert-expiry 2h
The minimum rotation value is 1 hour.
You can also rotate the swarm root CA when the cluster CA key is compromised, so
that all nodes stop trusting the old CA.
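The external CA command the heading above refers to, the certificate-expiry change and the root CA rotation, collected into one added example (not code from the course notes). The CA endpoint https://ca.example.com is a placeholder for a cfssl-compatible signing server that must already exist; the run() helper prints each command when no daemon is reachable.

```shell
#!/bin/sh
# Added example, not from the course notes. The CA URL is a placeholder.
set -eu

run() { if docker info >/dev/null 2>&1; then "$@"; else echo "+ $*"; fi; }

# 1. Initialize a swarm whose node certificates are signed by an external CA.
#    Managers forward signing requests to the endpoint instead of holding a
#    root CA private key on disk, which limits the damage if a manager leaks.
init_with_external_ca() {
    run docker swarm init --external-ca protocol=cfssl,url=https://ca.example.com
}

# 2. Shorten the node certificate lifetime from the default of three months.
#    Go duration syntax; the daemon rejects values below the 1h minimum.
set_cert_expiry() {
    run docker swarm update --cert-expiry 2h
}

# 3. Rotate the root CA after a suspected key compromise. Every node is issued a
#    new certificate from the new CA and stops trusting the old one once the
#    rotation completes (watch `docker node ls` for TLS status during rotation).
rotate_root_ca() {
    run docker swarm ca --rotate
}

# 4. Inspection: print the current root CA certificate, and the issuer subject
#    this node currently trusts.
show_trust() {
    run docker swarm ca
    run docker node inspect self --format 'issuer={{.Description.TLSInfo.CertIssuerSubject}}'
}

init_with_external_ca
set_cert_expiry
show_trust
rotate_root_ca
show_trust
```

Compare the two `show_trust` outputs: after a successful rotation the issuer subject differs, which is the check that the old CA is no longer trusted.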
Secrets are a set of data that should be kept encrypted and never exposed over
the transport network, e.g. passwords, security tokens, etc.
A secret can be accessed only by the services/tasks that have been explicitly
granted permission to it.
Passwords
SSH Keys
Database name/ Server name
TLS certificates and keys
e.g.
docker secret create secret1 tokenfile
docker secret ls
Get detailed information on a secret:
docker secret inspect <secret-name>
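The secret commands above, carried through to a service that uses the secret and a rotation. This is an added example and not code from the course notes: the token value is constructed and is not a real credential, the names secret1, Test and redis follow the notes, and secret2 is assumed for the rotation step.

```shell
#!/bin/sh
# Added example, not from the course notes. The token value is constructed.
set -eu

run() { if docker info >/dev/null 2>&1; then "$@"; else echo "+ $*"; fi; }

WORKDIR=$(mktemp -d)
TOKENFILE="$WORKDIR/tokenfile"

# 1. Write the secret material to a file readable only by the current user.
#    Passing a file (rather than a command-line argument) keeps the value out of
#    shell history and process listings.
write_tokenfile() {
    umask 077
    printf '%s\n' 'constructed-example-token-not-a-real-credential' > "$TOKENFILE"
}

# 2. Store it in the swarm. Managers keep it encrypted in the Raft log; a worker
#    only receives it, over TLS, when a task granted the secret is scheduled there.
create_secret() {
    run docker secret create secret1 "$TOKENFILE"
    run docker secret ls
    run docker secret inspect --format '{{.Spec.Name}} created {{.CreatedAt}}' secret1
}

# 3. Grant it to a service. Inside each task the value is mounted as a file in a
#    tmpfs at /run/secrets/<name>; the value itself never appears in inspect output.
create_service_with_secret() {
    run docker service create --name Test --secret secret1 redis
    run docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Secrets}}' Test
}

# 4. Rotate: secrets are immutable, so create a new one and swap it on the
#    service. A secret still referenced by a running service cannot be removed.
rotate_secret() {
    run docker secret create secret2 "$TOKENFILE"
    run docker service update --secret-rm secret1 --secret-add secret2 Test
    run docker secret rm secret1
}

# Path a process inside the task reads the value from.
secret_mount_path() { printf '/run/secrets/%s\n' "$1"; }

write_tokenfile
create_secret
create_service_with_secret
rotate_secret
```

Inside a running task, `cat /run/secrets/secret2` returns the value; on the host, the file exists only in the task's tmpfs, never on disk.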
You can try these commands on an Ubuntu machine with Docker installed.
This will not work in the playground, since you do not have root privileges there
to restart the service.
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:
SWMKEY-1-WuYH/IX284+lRcXuoVf38viIDK3HJEKY13MIHX+tTt8
When you restart the instance, you will have to unlock the swarm with the
generated key. Otherwise the services will not start and you will see an error
asking you to unlock the swarm.
docker service ls
You will now see an error like the one below.
Error response from daemon: Swarm is encrypted and needs to be unlocked before it
can be used. Please use "docker swarm unlock" to unlock it.
If the Docker instance goes down before the key rotation has completed, you may
have to unlock the Swarm with the old key. Keep a note of both keys (old and new)
for a few minutes.
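The autolock workflow described above (enable, retrieve the key, rotate it, unlock after a restart) as an added example that is not part of the course notes. It assumes you are on a manager node; with no reachable daemon the run() helper only prints the commands. The `docker info` template path used to report the autolock state is an assumption about the daemon's info output.

```shell
#!/bin/sh
# Added example, not from the course notes. Assumes a manager node.
set -eu

run() { if docker info >/dev/null 2>&1; then "$@"; else echo "+ $*"; fi; }

# 1. Turn on autolock for an existing swarm (same effect as docker swarm init
#    --autolock). From now on the Raft log and the TLS keys on disk are
#    encrypted, and a restarted manager cannot decrypt them until someone
#    supplies the unlock key.
enable_autolock() {
    run docker swarm update --autolock=true
}

# 2. Retrieve the current key and store it outside the manager (password
#    manager, vault). A lost key means a manager that restarts is lost too.
show_unlock_key() {
    run docker swarm unlock-key -q
}

# 3. Rotate the key. Keep both the old and the new key until every manager is
#    confirmed running with the new one: a manager that goes down mid-rotation
#    still needs the old key.
rotate_unlock_key() {
    run docker swarm unlock-key --rotate
}

# 4. After a restart, `docker service ls` fails with "Swarm is encrypted and
#    needs to be unlocked"; unlock interactively (the key is read from a prompt,
#    so it does not land in shell history). Not called below because it blocks.
unlock_manager() {
    run docker swarm unlock
}

# Report whether autolock is on (assumed template path into the swarm spec).
autolock_enabled() {
    run docker info --format '{{.Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers}}'
}

enable_autolock
show_unlock_key
rotate_unlock_key
autolock_enabled
```

After a reboot, run `unlock_manager` (or `docker swarm unlock` directly) on each restarted manager; workers do not need unlocking.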
Per the Raft algorithm, the system requires a majority of members to agree on
values proposed to the cluster:
(N/2)+1
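The majority rule above, evaluated for each manager count from 1 to 8, as an added example (not from the course notes). It shows why the recommendation earlier in the notes is an odd number of managers and at most seven: an even count tolerates no more failures than the odd count just below it.

```shell
#!/bin/sh
# Added example, not from the course notes: Raft majority (N/2)+1 for N managers.
set -eu

# Smallest number of managers that must agree (and be reachable) for the swarm
# to accept changes. Integer division, so N/2 rounds down before adding one.
quorum() { echo $(( $1 / 2 + 1 )); }

# Managers that can fail while a quorum remains: (N-1)/2, which equals N minus
# the quorum for every N.
tolerated_failures() { echo $(( ($1 - 1) / 2 )); }

# Print one row per manager count, marking even counts that gain nothing.
quorum_table() {
    printf '%-9s %-7s %-10s %s\n' managers quorum tolerated note
    n=1
    while [ "$n" -le 8 ]; do
        note=""
        if [ $(( n % 2 )) -eq 0 ]; then
            note="same tolerance as $(( n - 1 )); the extra node only adds Raft traffic"
        fi
        if [ "$n" -gt 7 ]; then
            note="above Docker's recommended maximum of 7"
        fi
        printf '%-9s %-7s %-10s %s\n' "$n" "$(quorum "$n")" "$(tolerated_failures "$n")" "$note"
        n=$(( n + 1 ))
    done
}

quorum_table
```

For the quiz scenario of 7 managers, the table gives a quorum of 4 and a tolerance of 3 failures; losing a fourth manager leaves the cluster without a quorum, and the notes above describe what still works in that state.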
Docker swarm command to apply rolling update on a tomcat service image version
docker service update
Docker assigns service a ______ for the clients to identify the service
Virtual IP
Docker swarm command to apply rolling update on a tomcat service image version
docker service update --image tomcat 9.0
No. of tokens generated when the master node is initialized in swarm mode
two
When a task stops, it isn't executed again, but a new task may take its place.
true
Assume a Swarm cluster has 7 Swarm managers. System can tolerate _____ no. of
failures
(N-1)/2
Docker swarm command to list the task running on the manager node
In Docker Swarm, you can define the task and container relationship as
one to many
bridge network that connects hosts ports to container ports in overlay network.
User defined
$ docker service create --name Test --secret secret1 redis. Which of the following
is incorrect w.r.t. the output for this command
create a redis image for a service
In Docker Swarm , all communication between nodes happens through Transport Layer
Security
true