
The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.
This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.
`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.
Closes #23785
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 7342e42fce)
Signed-off-by: Tibor Vass <tibor@docker.com>
70 lines
2.4 KiB
Markdown
<!--[metadata]>
+++
title = "Add nodes to the swarm"
description = "Add nodes to the swarm"
keywords = ["tutorial, cluster management, swarm"]
advisory = "rc"
[menu.main]
identifier="add-nodes"
parent="swarm-tutorial"
weight=13
+++
<![end-metadata]-->

# Add nodes to the swarm

Once you've [created a swarm](create-swarm.md) with a manager node, you're ready
to add worker nodes.

1. Open a terminal and ssh into the machine where you want to run a worker node.
   This tutorial uses the name `worker1`.

2. Run the following command to create a worker node joined to
   the existing swarm:

    ```
    docker swarm join --secret <SECRET> <MANAGER-IP>:<PORT>
    ```

    Replace `<SECRET>` with the secret that `docker swarm init` printed when you
    created the swarm. Replace `<MANAGER-IP>` with the address of the manager node
    and `<PORT>` with the port where the manager listens.

    The secret is the credential that controls who can join: a node that does not
    present it is not even added to the node list. Share it only with hosts that
    are meant to become part of the swarm.

    In the tutorial, the following command joins `worker1` to the swarm on `manager1`:

    ```
    $ docker swarm join --secret 4ao565v9jsuogtq5t8s379ulb 192.168.99.100:2377

    This node joined a Swarm as a worker.
    ```

3. Open a terminal and ssh into the machine where you want to run a second
   worker node. This tutorial uses the name `worker2`.

4. Run `docker swarm join --secret <SECRET> <MANAGER-IP>:<PORT>` to create a worker node joined to
   the existing swarm.

    Replace `<SECRET>`, `<MANAGER-IP>` and `<PORT>` exactly as in step 2.

5. Open a terminal and ssh into the machine where the manager node runs and run
   the `docker node ls` command to see the worker nodes:

    ```bash
    ID                           HOSTNAME  MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS  LEADER
    03g1y59jwfg7cf99w4lt0f662    worker2   Accepted    Ready   Active
    9j68exjopxe7wfl6yuxml7a7j    worker1   Accepted    Ready   Active
    dxn1zf6l61qsb1josjja83ngz *  manager1  Accepted    Ready   Active        Reachable       Yes
    ```

    The `MANAGER STATUS` column identifies the manager nodes in the swarm. The empty
    value in this column for `worker1` and `worker2` identifies them as worker nodes.

    Swarm management commands like `docker node ls` only work on manager nodes.
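The steps above, wrapped in a small shell script as an added example (not part of the tutorial and not Docker's own code). It builds the `docker swarm join` command line and refuses to do so without a secret, then reads the `docker node ls` table to confirm which hosts are workers and which are managers. Docker is never invoked: the node list is a constructed copy of the sample output above, and the script assumes a secret made of letters and digits and a manager address in `HOST:PORT` form, both of which are this script's own conventions rather than anything Docker enforces.

```sh
#!/bin/sh
# Added example, not part of the Docker tutorial or of Docker's own code.
# Helpers around the tutorial's steps: build the "docker swarm join" command
# line, refusing to run without a secret, and read a "docker node ls" table
# to confirm which hosts joined as workers. Docker is never invoked here;
# SAMPLE_NODE_LS is a constructed copy of the tutorial's sample output.

# Build the join command. Rejecting an empty secret is this script's policy:
# the change described on this page notes that --secret "" joins a swarm
# that has no secret at all. Secret charset (letters and digits) and the
# HOST:PORT shape of the manager address are assumptions of this script.
build_join_cmd() {
    secret=$1
    manager=$2
    if [ -z "$secret" ]; then
        echo "refusing to join without a secret" >&2
        return 1
    fi
    case "$secret" in
        *[!A-Za-z0-9]*) echo "secret has unexpected characters" >&2; return 1 ;;
    esac
    host=${manager%:*}
    port=${manager##*:}
    case "$port" in
        ''|*[!0-9]*) echo "manager address must be HOST:PORT" >&2; return 1 ;;
    esac
    if [ -z "$host" ] || [ "$host" = "$manager" ]; then
        echo "manager address must be HOST:PORT" >&2
        return 1
    fi
    printf 'docker swarm join --secret %s %s\n' "$secret" "$manager"
}

# Constructed sample of "docker node ls" output in the tutorial's layout.
# MANAGER STATUS and LEADER are blank for workers; "*" marks the current node.
SAMPLE_NODE_LS='ID                           HOSTNAME  MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS  LEADER
03g1y59jwfg7cf99w4lt0f662    worker2   Accepted    Ready   Active
9j68exjopxe7wfl6yuxml7a7j    worker1   Accepted    Ready   Active
dxn1zf6l61qsb1josjja83ngz *  manager1  Accepted    Ready   Active        Reachable       Yes'

# Hostnames of worker nodes, space separated. After the "*" marker is dropped
# a worker row has exactly five fields (ID HOSTNAME MEMBERSHIP STATUS
# AVAILABILITY); a manager row also carries MANAGER STATUS and maybe LEADER.
list_workers() {
    printf '%s\n' "$1" | awk 'NR > 1 { gsub(/\*/, ""); if (NF == 5) out = out (out == "" ? "" : " ") $2 } END { print out }'
}

# Hostnames of manager nodes, space separated: rows with more than five fields.
list_managers() {
    printf '%s\n' "$1" | awk 'NR > 1 { gsub(/\*/, ""); if (NF > 5) out = out (out == "" ? "" : " ") $2 } END { print out }'
}

# Fail unless every named host is listed as a worker. A node that did not
# present the secret never gets a node-list entry, so it is caught here.
check_workers_joined() {
    workers=" $(list_workers "$1") "
    shift
    for h in "$@"; do
        case "$workers" in
            *" $h "*) ;;
            *) echo "$h is not a worker in the node list" >&2; return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run: print the join command from the tutorial and verify that
# the sample node list shows worker1 and worker2 as workers.
build_join_cmd 4ao565v9jsuogtq5t8s379ulb 192.168.99.100:2377
check_workers_joined "$SAMPLE_NODE_LS" worker1 worker2 && echo "workers joined: $(list_workers "$SAMPLE_NODE_LS")"
```

On a real manager you would feed `list_workers "$(docker node ls)"` instead of the constructed sample; the field-counting logic depends on the column layout shown above, so check it against the `docker node ls` header of the version you run before relying on it.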

## What's next?

Now your swarm consists of a manager and two worker nodes. In the next step of
the tutorial, you [deploy a service](deploy-service.md) to the swarm.