In this article we will show how to lock and unlock a Docker Swarm.
When the Docker daemon restarts, two keys are loaded into each manager node’s memory: the TLS key used to encrypt communication between the swarm nodes, and the key used to encrypt and decrypt the Raft logs on disk. Docker allows us to protect these keys by taking ownership of them, so that a restarted manager node must be manually unlocked before it can be used. This is the Docker Swarm autolock feature. This article will cover how to enable the autolock feature, how a Docker Swarm becomes locked and how to unlock the swarm cluster.
Enabling Autolock when Creating a New Docker Swarm
When creating a new docker swarm, autolock can be enabled by including it in the docker swarm init command. For example:
$ docker swarm init --autolock
The unlock key will be included in the output from the command:
To unlock a swarm manager after it restarts, run the `docker swarm unlock` command and provide the following key: SWMKEY-1-WdfH/IX284+lRcXuoVfejiow33HJEKY13MIHX+tTt8
Ensure the key is stored in a very safe place, such as your password repository. It will be needed when the docker manager restarts and you then need to unlock the swarm.
Enabling Autolock on an Existing Docker Swarm
You can also enable autolock on an existing docker swarm. To do so you would run the following on a swarm manager node:
$ docker swarm update --autolock=true
Swarm updated.
To unlock a swarm manager after it restarts, run the docker swarm unlock command and provide the following key:
Once again, ensure you store the unlock key safely!
Testing the Autolock Feature
On my test system, I will restart docker, with the autolock feature enabled:
$ sudo service docker restart
Now if we try to list docker services there is the following message:
$ docker service ls
Error response from daemon: Swarm is encrypted and needs to be unlocked before it can be used. Please use "docker swarm unlock" to unlock it.
We now need to unlock the swarm before it is usable.
Unlocking a Docker Swarm
A docker swarm can be unlocked using the docker swarm unlock command:
$ docker swarm unlock
Please enter unlock key:
Once unlocked, docker service commands can be run as before.
Viewing the Autolock Key
On an unlocked swarm manager node you can view the unlock key by running the docker swarm unlock-key command:
$ docker swarm unlock-key
To unlock a swarm manager after it restarts, run the docker swarm unlock
command and provide the following key:
SWMKEY-1-Ueyx3eHnHexgQNXQNVyHHA7ea2G5GCxYUPpmxQ+TfrQ
Please remember to store this key in a password manager, since without it you
will not be able to restart the manager.
Rotating the Swarm Unlock Key
You can rotate the unlock key by using the following command:
$ docker swarm unlock-key --rotate
Be sure to store the new key safely. If you have multiple manager nodes, it is also recommended to keep a note of the old key for a little while, until you have confirmed that every manager has received the new key.
Disabling Autolock
Finally, if you wish to disable the auto-lock feature then you can do so, on an unlocked manager node, with the following command:
$ docker swarm update --autolock=false
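The whole workflow above (capture the key from the init or unlock-key output, store it with restrictive permissions, detect a locked manager, and unlock it non-interactively) is gathered into a few POSIX shell helpers below. This is an added example, not code from the original article; the key file path, the function names and the sample outputs are assumptions, and docker swarm unlock reading the key from standard input when it is not attached to a terminal is documented Docker CLI behaviour.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for the swarm autolock workflow.
# Assumption: the unlock key lives in a root-only file named by $SWARM_UNLOCK_KEY_FILE.
# That path is an illustrative choice for this example, not a Docker convention.

# Pull the SWMKEY-<version>-<base64> token out of 'docker swarm init --autolock'
# or 'docker swarm unlock-key' output. Prints nothing if no key is present.
extract_unlock_key() {
  printf '%s\n' "$1" | grep -oE 'SWMKEY-[0-9]+-[A-Za-z0-9+/=]+' | head -n 1
}

# Write the key from command output to a file readable only by its owner.
# The subshell keeps the restrictive umask from leaking into the caller.
store_unlock_key() {
  key=$(extract_unlock_key "$1")
  [ -n "$key" ] || { echo "no SWMKEY found in command output" >&2; return 1; }
  ( umask 077 && printf '%s\n' "$key" > "$2" )
}

# Return 0 when daemon output is the "Swarm is encrypted" error shown in the article.
swarm_is_locked() {
  printf '%s\n' "$1" | grep -q 'Swarm is encrypted and needs to be unlocked'
}

# Unlock a manager without typing the key: docker swarm unlock reads it from stdin
# when stdin is not a terminal, so the key never appears on the command line.
unlock_from_file() {
  keyfile="${1:-$SWARM_UNLOCK_KEY_FILE}"
  [ -r "$keyfile" ] || { echo "unlock key file not readable: $keyfile" >&2; return 1; }
  docker swarm unlock < "$keyfile"
}

# Constructed sample outputs, shaped like the article's own examples (not real keys).
SAMPLE_INIT_OUTPUT='Swarm initialized: current node (abcd1234) is now a manager.
To unlock a swarm manager after it restarts, run the `docker swarm unlock` command and provide the following key: SWMKEY-1-WdfH/IX284+lRcXuoVfejiow33HJEKY13MIHX+tTt8'
SAMPLE_LOCKED_ERROR='Error response from daemon: Swarm is encrypted and needs to be unlocked before it can be used. Please use "docker swarm unlock" to unlock it.'
SAMPLE_UNLOCKED_OUTPUT='ID        NAME      MODE      REPLICAS   IMAGE'
```

After a daemon restart, a maintenance script can run `docker service ls 2>&1`, pass the output to swarm_is_locked, and call unlock_from_file only when the manager really is locked.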
Don’t forget to check out the official documentation on this feature, which can be found here.
Learning Docker?
If you are starting out, then I highly recommend this book. Thirsty for more?
Then it’s time to take your Docker skills to the next level with this book (It’s my favorite). Also, check out my page on Docker Certification.