Join SwarmKit maintainers Drew and Nishant as they showcase features that have made Swarm Mode even more powerful, without compromising the operational simplicity it was designed with. They will discuss the implementation of new features that streamline deployments, increase security, and reduce downtime. These substantial additions to Swarm Mode are completely transparent and straightforward to use, and users may not realize they're already benefiting from these improvements under the hood.
5. Background: What Is Swarm?
You start with this
[Diagram: a single Server running a Database, Web Server 1 and Web Server 2]
6. Background: What Is Swarm?
Then you need more servers
[Diagram: Server 1, Server 2 and Server 3, each running a Database Replica plus two web server instances (Web Server 1 and Web Server 2 in varying combinations)]
7. Background: What Is Swarm?
You have to figure out where to put new things
[Diagram: the same three servers, each already running a Database Replica and two web servers; three New Service boxes are waiting to be placed, each marked "?"]
8. Background: What Is Swarm?
You have to manually compensate for failures
[Diagram: Server 1 has become a Dead Server, taking its Database Replica and web servers with it; on Server 3 one web server is dead ("Web Dead 1"); only Server 2 is fully healthy]
9. Swarm is Cluster Orchestration
And it's simple!
Many Discrete Computers -> One Cluster
Hand Architecting -> Algorithmic Scheduling
Manual Recovery -> Automatic Rescheduling
10. Swarm is Cluster Orchestration
Built on services
[Diagram: a Service Spec is submitted to the cluster and becomes an orchestrated Service]
Service Spec:
• Image Name
• # of replicas
• Network Attachments
• Exposed ports
• ...
14. What's New in Swarm Mode
Improvements:
• High-Availability Scheduling
• Encrypted Raft Log
• Health-Aware Orchestration
New Features:
• Topology-Aware Scheduling
• Secrets
• Service Rollbacks
• Service Logs
16. HA Scheduling
Prioritize spreading out containers in a service instead of equalizing the number of containers per node
17. HA Scheduling: What does this look like?
Consider you have 2 nodes.
[Diagram: Worker 1 runs one Service 1 task and two Service 2 tasks; Worker 2 runs one Service 1 task and one Service 2 task]
18. And then you add a third node.
[Diagram: Worker 3 joins the cluster with nothing running on it]
19. And then you add a new service with 3 new replicas.
[Diagram: three Service 3 tasks waiting to be placed, each marked "?"]
20. Under the old algorithm, something like this would happen.
[Diagram: all three Service 3 tasks land on Worker 3, the node with the fewest containers, so a single node failure would take the whole service down]
21. With HA scheduling, the service gets spread across the nodes.
[Diagram: one Service 3 task on each of Worker 1, Worker 2 and Worker 3]
22. And if a service is already evenly spread?
[Diagram: a fourth Service 3 replica waiting to be placed, marked "?"]
23. Then absolute number of containers is the tiebreaker.
[Diagram: the fourth Service 3 task goes to Worker 3, which holds the fewest containers in total]
24. HA Scheduling: How to Use
$ docker service create --replicas 3 dockercon
That's it! You're already using it!
27. Topology-Aware Scheduling
Spread in order across arbitrary labeled nodes: replicas are divided evenly among the values of a node label you choose (a datacenter, rack or zone label), several such preferences can be listed and are applied in the order given, and within the final group the HA spread above still decides the node.
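The following is an added example for the HA and topology-aware scheduling slides above; it is not code from the talk or from SwarmKit. It turns the spread rule into something you can check on a live service, and shows the placement preference that adds the topology dimension. Assumptions of mine: the node label is node.labels.datacenter, the service is called "dockercon", and the DOCKER variable lets a caller substitute the CLI binary (the checks below run with DOCKER=echo and constructed task lists).

```shell
# Live input: one "<node>\t<state>" line per task of the service.
# A node with no task at all never appears here, so pair this with
# `docker node ls` when an empty node matters.
task_nodes() {
  "${DOCKER:-docker}" service ps --format '{{.Node}}\t{{.CurrentState}}' "$1"
}

# Count running tasks per node from task_nodes output on stdin.
# Only states beginning with "Running" count; Shutdown/Failed tasks do not.
running_per_node() {
  awk -F'\t' '$2 ~ /^Running/ { n[$1]++ } END { for (k in n) print k, n[k] }' | sort
}

# The HA scheduler's spread invariant: no node runs more than one task of
# the service beyond what any other node runs. Exit 0 when it holds and
# 1 (with the skew printed) when it does not.
check_spread() {
  running_per_node | awk '
    NR == 1 || $2 > max { max = $2 }
    NR == 1 || $2 < min { min = $2 }
    END {
      if (NR == 0) { print "no running tasks"; exit 1 }
      printf "nodes=%d min=%d max=%d skew=%d\n", NR, min, max, max - min
      exit (max - min > 1) ? 1 : 0
    }'
}

# Topology-aware scheduling: spread replicas evenly over the values of a node
# label (every datacenter gets its share), then HA-spread within each value.
# Usage: create_spread_service dockercon 6 datacenter dockercon
create_spread_service() {
  "${DOCKER:-docker}" service create --name "$1" --replicas "$2" \
    --placement-pref "spread=node.labels.$3" "$4"
}
```

Run `task_nodes dockercon | check_spread` after a scale-up or a node failure; a non-zero exit means the scheduler could not honour the spread (typically because constraints or resource reservations pinned tasks), which is worth knowing before the next node goes away.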
35. Raft Log Encryption
• All cluster-wide communication is encrypted
• Security should be easy to use
38. Raft Log: How to Encrypt
$ docker swarm init
# basic cluster create command
That's it! Your Raft log, kept under /var/lib/docker/swarm, is encrypted at rest by default; no extra flag is needed.
40. What's the Catch
• The Raft log and TLS encryption keys are still on disk: the key that decrypts the log sits next to the log itself, so anyone who can read the manager's filesystem (or a backup or stolen disk image of it) gets both
• Who protects the protector?
43. Protecting Encryption Keys
$ docker swarm init --autolock
Swarm initialized: current node (u3hujejsk5plrmfn3uq10kmu5) is now a manager.
[...]
To unlock a swarm manager after it restarts, run the `docker swarm unlock`
command and provide the following key:
SWMKEY-1-yDrZW4AyTzPiqpJvYGL5sKqkX5XFvQJBm1ztGwFDgiI
Please remember to store this key in a password manager, since without
it you will not be able to restart the manager.
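An added example for the autolock output above; it is not code from the talk or from Docker. It handles the unlock key the way the message asks: the key never goes on a command line (argv shows up in ps and in shell history), it lives in a mode-600 file outside /var/lib/docker/swarm, and it is fed to `docker swarm unlock` on stdin, where that command reads it. The default path /root/.swarm/unlock.key and the DOCKER override are assumptions of mine.

```shell
# The documented key shape: SWMKEY-<version>-<base64>.
valid_unlock_key() {
  printf '%s' "$1" | grep -Eq '^SWMKEY-[0-9]+-[A-Za-z0-9+/]+=*$'
}

# Refuse a key file that is readable by anyone but its owner, or that lives
# under the swarm state directory (a copied disk would then carry the
# encrypted log and its unlock key together, which defeats the lock).
key_file_ok() {
  f="$1"
  [ -f "$f" ] || { echo "no such key file: $f" >&2; return 1; }
  case "$f" in
    /var/lib/docker/swarm/*) echo "key file is inside the swarm state dir" >&2; return 1 ;;
  esac
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "key file mode is $mode, want 600" >&2; return 1 ;;
  esac
}

# Store a freshly issued key with restrictive permissions from the first byte.
save_unlock_key() {
  key="$1"; f="$2"
  valid_unlock_key "$key" || { echo "malformed unlock key" >&2; return 1; }
  ( umask 077; printf '%s\n' "$key" > "$f" ) && chmod 600 "$f"
}

# Unlock a restarted manager from the key file; the key goes in on stdin.
unlock_manager() {
  f="${1:-/root/.swarm/unlock.key}"
  key_file_ok "$f" || return 1
  "${DOCKER:-docker}" swarm unlock < "$f"
}

# Rotate after any suspected exposure, then persist the new key at once.
rotate_unlock_key() {
  f="${1:-/root/.swarm/unlock.key}"
  "${DOCKER:-docker}" swarm unlock-key --rotate > /dev/null &&
    save_unlock_key "$("${DOCKER:-docker}" swarm unlock-key -q)" "$f"
}
```

The key file is a convenience for unattended restarts; the copy in the password manager the slide asks for is still the one that matters, because a manager whose key file is lost along with its disk cannot be unlocked from anything else.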
45. Securely Distributing Passwords
• Services often require sensitive information (like passwords)
• Need a way to securely distribute such information across the cluster
46. The Old Way
$ docker service create -e password=TOTALLYSECURE dockercon
$ docker service create -v some/host/dir:/password dockercon
(The second line is slide shorthand: docker service create has no -v flag; the equivalent is a --mount of type bind from the host directory. The problems described next are the same either way.)
47. Environment Variables
Passing a secret in an environment variable
$ docker service create -e password=TOTALLYSECURE dockercon
[Diagram: the Service running on a Node, with the password in its environment]
54. Environment Variables
The service crashes and dumps out a crash log file. The log file contains a plaintext password and is saved to disk.
[Diagram: crash-log.txt written to the Node's disk]
crash-log.txt
Service crashed 04/17/17 12:58:33
Service down 04/17/17 13:00:00
Service down 04/17/17 13:01:00
Service Config 04/17/17 13:01:30
Replicas: 3
...
Network Config 04/17/17 13:02:00
Aliases: net
...
ENV: 04/17/17 13:01:15
password: TOTALLYSECURE
56. Volumes
$ docker service create -v some/host/dir:/password dockercon
Volume must exist on every node that the service needs to run on
[Diagram: Node 1 and Node 2 each carry a /password directory on the host; the service's tasks run on both nodes and read the password from it]
So the password sits in plaintext on the host filesystem of every node the service might land on, in advance and whether or not a task is running there, and keeping those copies in sync and cleaned up is manual work.
61. Docker Secrets
• Easy to use
• Mitigate the risk from workarounds
• Seamlessly work with Swarm Services
62. Secrets
A basic Swarm cluster
[Diagram: three Managers sharing a Raft Store, five Workers, and a Client]
The Raft log is encrypted and secure
63. Let's encrypt the encryption keys for added security
It takes just one command!
$ docker swarm update --autolock=true
64. Let's start a service
$ docker service create --replicas 3 dockercon
[Diagram: three Service tasks scheduled onto three of the Workers]
65. Ready to create a secret (password)
$ docker secret create my-password password.file
[Diagram: the Client sends the password to a Manager]
66. That was easy!
67. Secret shared across managers via the Raft store
Your secret is safe with Swarm
[Diagram: the password now lives in the Raft Store replicated across the Managers; no Worker has it yet]
68. Update service to use the secret
$ docker service update --secret-add=my-password dockercon
69. Secret only sent to nodes running the service
Stored in tmpfs mounted into the container
[Diagram: the Managers push the secret only to the three Workers running a Service task; the other two Workers never receive it]
72. Node failure
Service instance needs to be rescheduled
[Diagram: one of the Workers running a Service task dies]
73. Secret moves with the service
Dead worker node does not have secret
[Diagram: the task is rescheduled onto a healthy Worker, which receives the secret; the dead Worker is left without it]
74. Secrets are now first-class objects
The right way is also the easy way
$ docker secret create my-password password.file
x1r790346t2t3sofmpchee5pm
$ docker service update --secret-add=my-password dockercon
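An added example, not the talk's code, that covers the secrets walkthrough above from both ends: the operator creates and attaches the secret, the container reads it from the tmpfs file at /run/secrets/<name>, and a small check finds services that still do it "the old way" with password-like environment variables. The "dockercon" names, SECRETS_DIR and the DOCKER override are assumptions of mine (the checks below run with DOCKER=echo and a temporary SECRETS_DIR).

```shell
# Operator side. Reading the value from stdin ("-") keeps it out of argv and
# leaves no password.file behind on the client.
# Usage: printf '%s' "$pw" | create_secret_from_stdin my-password
create_secret_from_stdin() {
  "${DOCKER:-docker}" secret create "$1" -
}

# Attach it to a running service. Swarm mounts it at /run/secrets/<name>
# inside each task's container, on tmpfs, and only on nodes that run a task.
attach_secret() {
  "${DOCKER:-docker}" service update --secret-add "$2" "$1"
}

# Container side: read the secret from its file. Fail loudly when it is not
# mounted (a typo in the name, or a container started outside Swarm), and
# never print the value anywhere but the function's own stdout.
read_secret() {
  f="${SECRETS_DIR:-/run/secrets}/$1"
  if [ ! -r "$f" ]; then
    echo "secret $1 is not mounted at $f" >&2
    return 1
  fi
  cat "$f"
}

# Detection. Feed it "NAME=VALUE" lines, for example from
#   docker service inspect --format \
#     '{{range .Spec.TaskTemplate.ContainerSpec.Env}}{{println .}}{{end}}' SERVICE
# It prints the names (never the values) that look like inline secrets and
# exits 1 if there were any. The name list is a heuristic; extend it to taste.
flag_secret_envs() {
  awk -F= '
    $2 != "" && toupper($1) ~ /(PASS|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)/ {
      print $1; bad = 1
    }
    END { exit bad ? 1 : 0 }'
}
```

`--secret-add` also takes the long form `source=my-password,target=db_password,mode=0400` when the file name or permissions inside the container matter; the value itself still never appears in `docker service inspect`, only the secret's name and id.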
76. Health-Aware Orchestration
Defining Image Healthchecks in the Dockerfile
FROM dockercon
. . .
HEALTHCHECK --interval=10s \
            --timeout=3s \
            --retries=5 \
            CMD curl -fsS http://localhost/health || exit 1
. . .
CMD ["start"]
(HEALTHCHECK options take the --flag=value form and the whole instruction is one logical line, hence the backslashes. curl -f matters: without it curl exits 0 on an HTTP 500 and the task reports healthy; only the command's exit status reaches the orchestrator.)
87. Service Rollbacks
Roll back a service to the previous spec
Two Ways:
1. Manually, through docker service update --rollback <service>
2. Automatically, by creating or updating the service with --update-failure-action=rollback, so a rolling update whose new tasks fail (health checks not passing, or containers exiting, within the update monitor window) reverts on its own
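An added example for the health-check and rollback slides above; it is not code from the talk. It wires the two features together: the health check decides whether a freshly updated task counts as a failure, and the update policy decides what a failure does to the rollout. The flag values are my choices, "dockercon" and the image tag are assumptions, and the DOCKER override lets the checks below run with DOCKER=echo.

```shell
# Put a health check on the service (this also replaces a missing or wrong
# HEALTHCHECK in the image). curl -f turns HTTP 4xx/5xx into a non-zero
# exit; the exit status is the only thing the orchestrator sees.
set_health_check() {
  "${DOCKER:-docker}" service update \
    --health-cmd 'curl -fsS --max-time 2 http://localhost/health || exit 1' \
    --health-interval 10s --health-timeout 3s --health-retries 5 \
    "$1"
}

# Rolling update with automatic rollback: one task at a time, 10s between
# tasks, each new task watched for 30s; if more than 20% of the updated tasks
# fail (health check never passes, or the container exits) the service is
# rolled back to its previous spec instead of being left half broken.
safe_update() {
  "${DOCKER:-docker}" service update \
    --image "$2" \
    --update-parallelism 1 --update-delay 10s \
    --update-monitor 30s --update-max-failure-ratio 0.2 \
    --update-failure-action rollback \
    "$1"
}

# The manual path: revert to the previous spec right now.
rollback_now() {
  "${DOCKER:-docker}" service update --rollback "$1"
}

# What happened to the last update? Prints the UpdateStatus state (for
# example completed, rollback_started or rollback_completed), or "none"
# if the service has never been updated.
update_state() {
  "${DOCKER:-docker}" service inspect \
    --format '{{if .UpdateStatus}}{{.UpdateStatus.State}}{{else}}none{{end}}' "$1"
}
```

Without a health check the only failure the orchestrator can see during the monitor window is a container that exits, so a new image that starts but serves errors would pass the rollout; `set_health_check` is what makes `--update-failure-action rollback` meaningful for that case.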
117. Getting Logs from a Service
SSH into each node?
Set up a logging system?
118. Service Logs
• Fetch logs from containers of a service
• Includes logs from stopped containers
• Use same API options as container logs
• Sends log context (service, node, and task ids) as details
119. Service Logs
$ docker service logs --tail 10 dockercon | sort -k3 -k4
dockercon.3.vo3l16eyy4cl@moby | 2017/04/03 23:12:26 Got a healthcheck!
dockercon.1.wy9wq4m4rvtf@moby | 2017/04/03 23:12:28 Got a healthcheck!
dockercon.2.co0nmnczoz62@moby | 2017/04/03 23:12:28 Got a healthcheck!
dockercon.3.vo3l16eyy4cl@moby | 2017/04/03 23:12:28 Got a healthcheck!
dockercon.1.wy9wq4m4rvtf@moby | 2017/04/03 23:12:30 Got a healthcheck!
dockercon.2.co0nmnczoz62@moby | 2017/04/03 23:12:30 Got a healthcheck!
dockercon.3.vo3l16eyy4cl@moby | 2017/04/03 23:12:30 Got a healthcheck!
dockercon.1.wy9wq4m4rvtf@moby | 2017/04/03 23:12:32 Got a healthcheck!
dockercon.2.co0nmnczoz62@moby | 2017/04/03 23:12:32 Got a healthcheck!
dockercon.3.vo3l16eyy4cl@moby | 2017/04/03 23:12:32 Got a healthcheck!
120. Log Model
Log Request Is Made
[Diagram: the Client sends the request to a Swarm Manager, which fronts three Swarm Workers]
121. Swarm Manager creates a Subscription and dispatches to the workers
122. Swarm Workers start logs for every container that matches the selector
Logs come back as a single aggregated stream
[Diagram: on one Swarm Worker, the two Service Containers stream to the Manager while the container of a Different Service is left alone]
123. Swarm Workers start streaming back logs to the manager
124. Manager aggregates all of the logs and returns them as one stream to the client
125. Logs can be followed.
Streams from new replicas as they come up.
Ends the stream when the user cancels
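An added example, not the talk's code, that reads the aggregated `docker service logs` stream shown above (the same stream the log model just described). Each line is "<service>.<slot>.<task-id>@<node> | <message>", and this service's messages begin with a date and time. The functions count lines per task and find tasks whose newest line lags the rest, the quick "is every replica still alive?" check that having one stream makes possible. SAMPLE_LOGS holds the ten lines printed above; the seconds-of-day arithmetic (all lines on one day) and a service name without dots are assumptions of mine.

```shell
SAMPLE_LOGS='dockercon.3.vo3l16eyy4cl@moby | 2017/04/03 23:12:26 Got a healthcheck!
dockercon.1.wy9wq4m4rvtf@moby | 2017/04/03 23:12:28 Got a healthcheck!
dockercon.2.co0nmnczoz62@moby | 2017/04/03 23:12:28 Got a healthcheck!
dockercon.3.vo3l16eyy4cl@moby | 2017/04/03 23:12:28 Got a healthcheck!
dockercon.1.wy9wq4m4rvtf@moby | 2017/04/03 23:12:30 Got a healthcheck!
dockercon.2.co0nmnczoz62@moby | 2017/04/03 23:12:30 Got a healthcheck!
dockercon.3.vo3l16eyy4cl@moby | 2017/04/03 23:12:30 Got a healthcheck!
dockercon.1.wy9wq4m4rvtf@moby | 2017/04/03 23:12:32 Got a healthcheck!
dockercon.2.co0nmnczoz62@moby | 2017/04/03 23:12:32 Got a healthcheck!
dockercon.3.vo3l16eyy4cl@moby | 2017/04/03 23:12:32 Got a healthcheck!'

# Live equivalent of SAMPLE_LOGS: service_logs dockercon 10
service_logs() {
  "${DOCKER:-docker}" service logs --tail "${2:-100}" "$1"
}

# Turn each line into "<task-id> <node> <date> <time> <seconds-of-day>".
log_fields() {
  awk -F' [|] ' '{
    n = split($1, a, /[.@]/)          # a[n-1] = task id, a[n] = node
    split($2, m, " ")                  # m[1] = date, m[2] = time
    split(m[2], t, ":")
    print a[n-1], a[n], m[1], m[2], t[1]*3600 + t[2]*60 + t[3]
  }'
}

# Lines per task id, sorted by task id.
lines_per_task() {
  log_fields | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Tasks whose newest line is more than $1 seconds older than the newest line
# in the whole stream, printed as "<task-id> <lag-seconds>".
stale_tasks() {
  log_fields | awk -v max_lag="$1" '
    !($1 in last) || $5 > last[$1] { last[$1] = $5 }
    $5 > newest { newest = $5 }
    END {
      for (k in last) if (newest - last[k] > max_lag) print k, newest - last[k]
    }' | sort
}
```

`service_logs dockercon 200 | stale_tasks 30` is the one-liner version: a replica that the health check has stopped reaching, or a task that hung without exiting, shows up as a task id with a growing lag, without logging in to any node.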