Generate a swarm joining secret if none is specified #24349
Conversation
aaronlehmann
added
area/cli
area/swarm
status/1-design-review
and removed
status/0-triage
labels
|
Note that this PR does not change the defaults for auto-acceptance. So while a secret will be required in all cases, under default settings, a node can't join as a manager without approval, even though it presents the secret. It will still show up as a pending node, which needs to be accepted with |
|
cc @sfsmithcha |
| if !flags.Changed("secret") { | ||
| var secretBytes [generatedSecretEntropyBytes]byte | ||
|
|
||
| if _, err := io.ReadFull(cryptorand.Reader, secretBytes[:]); err != nil { |
aaronlehmann
force-pushed
the
swarm-secrets-by-default
branch
from
a67a5e3
to
fed3ce3
Compare
|
Updated to made |
|
|
||
| var nn big.Int | ||
| nn.SetBytes(secretBytes[:]) | ||
| secret = fmt.Sprintf("%0[1]*s", maxGeneratedSecretLength, nn.Text(generatedSecretBase)) |
There was a problem hiding this comment.
This block (62-70) looks like it should be in its own function func generateRandomSecret() string
aaronlehmann
force-pushed
the
swarm-secrets-by-default
branch
from
fed3ce3
to
2283df0
Compare
|
@dnephin: Updated to address the comments, PTAL. |
|
Design LGTM |
|
Thanks LGTM |
|
@aaronlehmann this LGTM, but are you going to do the changes we talked about yesterday in another PR? |
|
@diogomonica: Yes, I'm planning to do those as a followup. I'm waiting for design review on the mockup, and also on the swarmkit PR moby/swarmkit#1128. |
The current behavior of `docker swarm init` is to set up a swarm that has no secret for joining, and does not require manual acceptance for workers. Since workers may sometimes receive sensitive data such as pull credentials, it makes sense to harden the defaults. This change makes `docker swarm init` generate a random secret if none is provided, and print it to the terminal. This secret will be needed to join workers or managers to the swarm. In addition to improving access control to the cluster, this setup removes an avenue for denial-of-service attacks, since the secret is necessary to even create an entry in the node list. `docker swarm init --secret ""` will set up a swarm without a secret, matching the old behavior. `docker swarm update --secret ""` removes the automatically generated secret after `docker swarm init`. Closes moby#23785 Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
aaronlehmann
force-pushed
the
swarm-secrets-by-default
branch
from
2283df0
to
7342e42
Compare
|
Didn't quite understand. So, the old behavior still exists right? Nodes can join swarm cluster without any secret and the default Or are you saying that passing So, are we dropping Can we also update the respective documentation? |
|
@praving5: The new behavior is that Node acceptance is a separate concept from the joining secret. The defaults there haven't changed, so it's still necessary to accept managers with The documentation you mentioned was updated as part of this PR. |
The current behavior of
docker swarm initis to set up a swarm thathas no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.
This change makes
docker swarm initgenerate a random secret if noneis provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.
docker swarm init --secret ""will set up a swarm without a secret,matching the old behavior.
docker swarm update --secret ""removes theautomatically generated secret after
docker swarm init.Closes #23785
cc @diogomonica @aluzzardi @tonistiigi @dnephin