
Assume there is a cluster of 5 managers running.

If 3 of the 5 nodes fail, the system will stop scheduling any more tasks. This can
tolerate a maximum loss of one manager.

The existing tasks will continue to run, but the scheduler will not be able to
rebalance tasks or cope with any further failures.

Docker recommendations:

Have more than one Master node, and an odd number of Master nodes, for high
availability.
Have a maximum of seven manager nodes per swarm.
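An added example (not from the course notes or from Docker's own tooling) that turns the quorum rule above into a check over `docker node ls` output: the `--format` template, hostnames and node statuses in the sample are constructed assumptions, and the even-count note generalizes the odd-number recommendation.

```shell
#!/bin/sh
# Added example, not part of the course notes: measure how far a swarm's manager
# set is from losing Raft quorum, using the output of
#   docker node ls --format '{{.Hostname}} {{.Status}} {{.ManagerStatus}}'
# The third field is Leader, Reachable or Unreachable for managers and empty for
# workers. The sample below is constructed, not captured from a real cluster.
SAMPLE_NODES='mgr1 Ready Leader
mgr2 Ready Reachable
mgr3 Down Unreachable
mgr4 Down Unreachable
mgr5 Ready Reachable
wrk1 Ready
wrk2 Ready'

# Raft needs a strict majority of the configured managers: (N/2)+1 in integer math.
quorum_size() { echo $(( $1 / 2 + 1 )); }

# Most manager losses that still leave a majority: (N-1)/2 in integer math.
max_failures() { echo $(( ($1 - 1) / 2 )); }

# Configured managers: every line whose third field is present.
count_managers() { printf '%s\n' "$1" | awk 'NF >= 3 { n++ } END { print n + 0 }'; }

# Managers currently taking part in Raft (the leader or reachable followers).
count_reachable() {
  printf '%s\n' "$1" | awk '$3 == "Leader" || $3 == "Reachable" { n++ } END { print n + 0 }'
}

# One-line verdict; returns 0 while quorum holds and 1 once it is lost (at which
# point scheduling stops, although already-running tasks keep running).
quorum_report() {
  managers=$(count_managers "$1")
  reachable=$(count_reachable "$1")
  need=$(quorum_size "$managers")
  if [ "$reachable" -ge "$need" ]; then
    echo "quorum OK: $reachable/$managers managers reachable, need $need," \
         "$((reachable - need)) further loss(es) tolerated"
    [ $((managers % 2)) -eq 0 ] && echo "note: $managers managers tolerate no more" \
         "losses than $((managers - 1)) would; prefer an odd count"
    return 0
  fi
  echo "QUORUM LOST: $reachable/$managers managers reachable, need $need"
  return 1
}

quorum_report "$SAMPLE_NODES"
```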

Consider the example shown in the picture. The diagram shows 3 replicas of a Redis
server running in 3 containers. You want to load balance between the three instances
of the Redis server.

Each of the three instances is a task in the swarm.

The container is an isolated process.

In this model, each task invokes one container. You can think of a task as a slot
where the scheduler places a container. The scheduler identifies the task as being
in the running state when the container comes up.

Tasks terminate automatically when there is a failure in the container.

Here is the list of states that a task progresses through.

NEW : Task is initialized.

PENDING : Resources for the task are allocated.

ASSIGNED : Swarm has assigned the task to a node.

ACCEPTED : The task was accepted by a worker node. If a worker node rejects the
task, the state changes to REJECTED.

PREPARING : Docker is preparing the task.

STARTING : Docker is starting the task.

RUNNING : The task is executing.

COMPLETE : The task exited without an error code.

FAILED : The task exited with an error code.

SHUTDOWN : Docker requested the task to shut down.

REJECTED : The worker node rejected the task.

ORPHANED : The node was down for too long.


When you create a service, the orchestrator realises the desired state by scheduling
tasks.
Every task is unidirectional and progresses through a series of states.
The scheduler instructs the worker nodes to run the task.
An executor on the worker node executes the task on behalf of the worker node.

To summarize, here is the complete workflow.

Step 1: Create a service by using docker service create or the UCP web UI or CLI.

Step 2: The request goes to a Docker manager node.

Step 3: The Docker manager node schedules the service to run on particular nodes.

Step 4: Each service can start multiple tasks.

Step 5: Each task has a life cycle, with states like NEW, PENDING, and COMPLETE.

Step 6: Tasks are execution units that run once to completion. When a task stops,
it isn't executed again, but a new task may take its place.

If you do not want a service's tasks to be executed right now, you can configure the
service so that it stays in the pending state.

Ways to achieve this:

Scale the service to 0 to prevent the service from being deployed.

Configure the memory allocation for the service so that no node in the swarm has
the required amount of memory.

Add placement constraints to the service that cannot be honoured at that moment.

There are two types of service deployments.

Replicated
Global

Replicated Service:

In this type, you specify the number of replicas (identical tasks) that you want to
run as containers.

Global Service:

This service runs one task per worker node. You need not specify the number of
replicas; Swarm automatically adds or removes tasks based on the total number of
active nodes at any given time.

A few examples are monitoring agents and anti-virus scanners.

Initialize the Swarm


Let us now get acquainted with Docker Swarm commands.

To initialize a swarm:
docker swarm init

Note:

You can configure the manager node to advertise the specified IP address to the
other nodes, as below.

docker swarm init --advertise-addr <ip-address>

Docker Swarm Help


docker swarm --help
This command lists the basic Swarm commands with the usage details.

List the Nodes


docker node ls
This command lists the nodes currently in the swarm.

You will learn more basic commands going through the upcoming scenario in the
playground.

Deploy a Service with Constraints


You can add your own constraints while deploying a service. This ensures that the
service's tasks are scheduled only on nodes that meet the constraint. This is known
as a placement constraint.

Let us consider an example where you add a constraint to deploy a service only on
nodes that have SSD storage.

docker service create --name testService --replicas 2 --constraint node.labels.disk==ssd tomcat

Service discovery is the mechanism Docker uses to forward requests that come from
external clients to the nodes that execute them, without exposing any node details.

For example, suppose you have an event service that saves data using a MySQL
service, with both services connected through an overlay network. You have to
expose the port details of your event service to the client, but the MySQL service
port details need to be shared with the event service alone.

Service Discovery - How it works


Docker assigns a virtual IP (VIP) to the service by default when you create a
service. Clients use this IP to reach the service.

For every service, Docker keeps the list of nodes running its tasks and uses it to
route requests between nodes.

Routing Mesh in Docker Swarm enables multi-host networking. This enables containers
on various hosts to talk to each other as if they are on the same host.

This is carried out by creating a Virtual Extensible LAN (VXLAN), which is designed
for cloud-based networking.

Docker Swarm internally has an ingress load balancer to distribute the traffic to
containers that are directly exposed to the public.

You can also configure an external load balancer to direct requests to the
appropriate containers, irrespective of which host runs the service.

The key feature of swarm mode is high availability. Let's consider the scenario
explained in the image.

Users will still be able to reach the application from any node in the swarm, even
though the corresponding node or manager node is down.

Network Traffic in Swarm Mode


A Docker swarm generates two different kinds of traffic.

Control and management plane traffic:

This traffic includes all swarm management communication, such as the commands to
join or leave the swarm. This communication is encrypted.

Application data plane traffic:

This includes all communication from external clients to containers and
communication between containers.

Communication between Docker daemons participating in swarm mode happens through
an overlay network.

The overlay network for swarm mode is similar to a user-defined bridge network
between containers.

This network is available by default when swarm mode is initialized. This bridge
network connects host ports to the container ports that are connected to the
overlay network.

This is also a kind of overlay network which enables load balancing among nodes.
This network is available by default when you initialize or join a swarm.

Docker has a built-in Public Key Infrastructure (PKI) that helps maintain a secure
container orchestration system.

Communication between nodes happens through Transport Layer Security (TLS), which
authenticates, authorizes and encrypts communications.

Certificate Authorities
When you initialize a swarm, the current node is marked as the manager node, and it
generates a new root certificate authority (CA) with a key pair. This is used by
other nodes to join the swarm.

You can also add your own externally generated CA, using the flag --external-ca
during swarm initialization.

The manager node also generates two tokens:

a worker node token (for a worker node to join the swarm)

a manager node token (for a manager node to join the swarm)

There is a possibility that the whole cluster could be compromised if the root CA
gets leaked.

Docker Swarm mode can also use an external CA. This is used to preserve the swarm
managers' identity.
Command to include an external CA:

docker swarm init --external-ca protocol=cfssl,url=https://ca.example.com

By default, the certificate on every node is renewed every three months. The
interval can be changed with the swarm update command.

docker swarm update --cert-expiry <TIME PERIOD>

For example:
docker swarm update --cert-expiry 2h
Minimum rotation value is 1 hour.

You can also rotate the swarm root CA, when the cluster CA key is compromised. This
is done so that all nodes stop trusting the old CA.

Command to generate a new CA:

docker swarm ca --rotate

--ca-cert: specify the root certificate

--external-ca: use a root CA that is external to the swarm

--ca-key: specify the private key belonging to the root certificate

Secrets are data that must be kept encrypted and never exposed on the transport
network, e.g. passwords, security tokens etc.

A secret can be accessed only by the services or tasks that have been explicitly
granted access to it.

Below are a few examples of what can be stored as secrets.

Passwords
SSH Keys
Database name/ Server name
TLS certificates and keys

Secrets are isolated from the container data.

Therefore it is easy to run the service in various environments without modifying
the secret name, whereas the secret data can be updated according to the
environment being run.

Config data can also be added to Secrets.

Command to create a Secret

docker secret create SECRET file|-

e.g.
docker secret create secret1 tokenfile

echo "test Secret" | docker secret create secret2 -


List Secrets

docker secret ls
Get detailed information on Secret
docker secret inspect <secret-name>

docker secret inspect secret1

Remove one or more secrets

docker secret rm <secret-name>

docker secret rm secret2


Create a service with secret

docker service create --name <service-name> --secret <secret-name> <image-name>

docker service create --name tomcatService --secret secret1 tomcat
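As an added example, not part of the course notes, this is how a service's entrypoint would consume a secret attached with `--secret`: Swarm mounts each secret at /run/secrets/<secret-name> inside the container, so the value never has to pass through the image or the environment. The `SECRETS_DIR` override, the `read_secret` helper and the sample secret files are constructed assumptions so the script can run outside a swarm.

```shell
#!/bin/sh
# Added example (not from the course notes): read a swarm secret from the file
# Swarm mounts at /run/secrets/<secret-name>. SECRETS_DIR is overridable only so
# that the constructed sample below can run outside a container.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# Print the secret's value with its trailing newline removed (the form produced
# by `echo "value" | docker secret create NAME -`). Fail if the file is missing,
# unreadable or empty, so a misconfigured service stops instead of starting with
# a blank credential.
read_secret() {
  name=$1
  path="$SECRETS_DIR/$name"
  if [ ! -r "$path" ]; then
    echo "secret '$name' is not mounted at $path" >&2
    return 1
  fi
  value=$(cat "$path")   # $(...) strips trailing newlines
  if [ -z "$value" ]; then
    echo "secret '$name' is empty" >&2
    return 1
  fi
  printf '%s' "$value"
}

# Constructed sample: a temporary directory standing in for /run/secrets, holding
# the same "test Secret" value the notes create as secret2, plus an empty file.
demo_dir=$(mktemp -d)
printf 'test Secret\n' > "$demo_dir/secret2"
: > "$demo_dir/empty"
SECRETS_DIR=$demo_dir

token=$(read_secret secret2) && echo "secret2 read, ${#token} bytes"
read_secret empty 2>/dev/null || echo "refused empty secret"
read_secret secret1 2>/dev/null || echo "refused missing secret1"
```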

Lock Swarm Mode - Commands


Here are the commands for Docker Swarm lock.

You can try these commands on an Ubuntu machine with Docker installed.

This will not work in the playground, since you do not have root privilege in the
playground to restart the service.

To autolock the swarm when it is initialized:

docker swarm init --autolock


You will see a key being generated as below.

To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:

SWMKEY-1-WuYH/IX284+lRcXuoVf38viIDK3HJEKY13MIHX+tTt8

When you restart the instance, you will have to unlock the swarm with the key
generated. Otherwise the services will not start and you will notice an error
asking to unlock the swarm.

Command to restart the docker instance.

sudo service docker restart


Command to view the list of running services.

docker service ls
You will now notice an error as below.

Error response from daemon: Swarm is encrypted and needs to be unlocked before it
can be used. Please use "docker swarm unlock" to unlock it.

Update autolock feature on an existing swarm

docker swarm update --autolock=true


docker swarm update --autolock=false
To unlock a Swarm.

docker swarm unlock


View the unlock key for the Swarm running currently

docker swarm unlock-key

Rotate the Swarm unlock key

docker swarm unlock-key --rotate


Note:

If the Docker instance goes down before the key is rotated, you may have to unlock
the swarm with the old key. Keep a note of both keys (old and new) for a few
minutes.

Which of the following is not a node type in Docker Swarm


Scheduler Node

Maximum number of master nodes in a swarm recommended by Docker


7

Per Raft algorithm, system requires majority of members to agree on values proposed
to the cluster
(N/2)+1

Docker Swarm API command is used to communicate


external clients to containers

Which of the following is a valid command to create a service


docker service create

Docker command to initialize docker swarm


docker swarm init

Command to list the services running


docker service ls

Docker swarm command to drain a worker node


docker node update worker node drain

Docker swarm command to apply rolling update on a tomcat service image version
docker service update

Docker assigns service a ______ for the clients to identify the service
Virtual IP

Technique used by Docker Swarm mode to enable multi- host networking


Routing Mesh

Docker swarm command to apply rolling update on a tomcat service image version
docker service update --image tomcat 9.0

Docker swarm command to inspect the new swarm service created


docker service inspect

No. of tokens generated when the master node is initialized in swarm mode
two

Docker swarm command to activate a drain worker node


docker node update <worker-node> active

When a task stops, it isn't executed again, but a new task may take its place.
true

Assume a Swarm cluster has 7 Swarm managers. System can tolerate _____ no. of
failures
(N-1)/2

Which is not a valid way to configure a pending service


none of the option

Docker swarm command to list the task running on the manager node

Worker Node is responsible for container Orchestration


False

Docker command to list the secrets


docker secret ls

Swarm task status when the task is initialized


New

Maximum number of tasks that can be executed in a Drain node


3

Docker swarm command to autolock swarm when initialized


docker swarm init --autolock

In Docker Swarm, you can define the task and container relationship as
one to many

command to list the tasks running on a service


docker service ls <service-name>

Which is not a correct type of service deployments for Docker Swarm


series

Which is not a valid way to create a docker service


UCB Web UI

Manager node can also act as a worker node


true

Docker swarm command to scale an existing service by 5 instances


docker service scale

bridge network that connects hosts ports to container ports in overlay network.
User defined

$docker service create --name Test --secret secret1 redis. Which of the following
is incorrect w.r.t the output for this command
create a redis image for a service

Docker swarm command to remove a service


docker service rm service-name

In Docker Swarm , all communication between nodes happens through Transport Layer
Security
true
