Generate a swarm joining secret if none is specified #24349
Note that this PR does not change the defaults for auto-acceptance. So while a secret will be required in all cases, under default settings, a node can't join as a manager without approval, even though it presents the secret. It will still show up as a pending node, which needs to be accepted with
cc @sfsmithcha
if !flags.Changed("secret") { | ||
var secretBytes [generatedSecretEntropyBytes]byte | ||
|
||
if _, err := io.ReadFull(cryptorand.Reader, secretBytes[:]); err != nil { |
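Review bot: the buffer declared in `var secretBytes [generatedSecretEntropyBytes]byte` is sized by a constant whose value and rationale are not visible in these lines; a comment beside the constant stating how many bits of entropy it provides would let a reader judge the strength of the generated secret. It is also worth confirming that the `err != nil` branch of the `io.ReadFull(cryptorand.Reader, ...)` call aborts the command rather than continuing with a partially filled buffer.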
nit: same as rand.Read()
a67a5e3 to fed3ce3
Updated to made
|
||
var nn big.Int | ||
nn.SetBytes(secretBytes[:]) | ||
secret = fmt.Sprintf("%0[1]*s", maxGeneratedSecretLength, nn.Text(generatedSecretBase)) |
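Review bot: the format string `"%0[1]*s"` on the `fmt.Sprintf` line is hard to read and depends on the `0` flag zero-padding a `%s` operand. A one-line comment saying that it left-pads the base-`generatedSecretBase` text to `maxGeneratedSecretLength` characters, plus a unit test asserting the output length for input with leading zero bytes, would make the intent checkable.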
This block (62-70) looks like it should be in its own function `func generateRandomSecret() string`
fed3ce3 to 2283df0
@dnephin: Updated to address the comments, PTAL.
Design LGTM
Thanks LGTM
@aaronlehmann this LGTM, but are you going to do the changes we talked about yesterday in another PR?
@diogomonica: Yes, I'm planning to do those as a followup. I'm waiting for design review on the mockup, and also on the swarmkit PR moby/swarmkit#1128.
The current behavior of `docker swarm init` is to set up a swarm that has no secret for joining, and does not require manual acceptance for workers. Since workers may sometimes receive sensitive data such as pull credentials, it makes sense to harden the defaults.

This change makes `docker swarm init` generate a random secret if none is provided, and print it to the terminal. This secret will be needed to join workers or managers to the swarm. In addition to improving access control to the cluster, this setup removes an avenue for denial-of-service attacks, since the secret is necessary to even create an entry in the node list.

`docker swarm init --secret ""` will set up a swarm without a secret, matching the old behavior. `docker swarm update --secret ""` removes the automatically generated secret after `docker swarm init`.

Closes moby#23785

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2283df0 to 7342e42
Didn't quite understand. So, the old behavior still exists right? Nodes can join swarm cluster without any secret and the default Or are you saying that passing So, are we dropping Can we also update the respective documentation?
@praving5: The new behavior is that Node acceptance is a separate concept from the joining secret. The defaults there haven't changed, so it's still necessary to accept managers with The documentation you mentioned was updated as part of this PR.
The current behavior of `docker swarm init` is to set up a swarm that has no secret for joining, and does not require manual acceptance for workers. Since workers may sometimes receive sensitive data such as pull credentials, it makes sense to harden the defaults.

This change makes `docker swarm init` generate a random secret if none is provided, and print it to the terminal. This secret will be needed to join workers or managers to the swarm. In addition to improving access control to the cluster, this setup removes an avenue for denial-of-service attacks, since the secret is necessary to even create an entry in the node list.

`docker swarm init --secret ""` will set up a swarm without a secret, matching the old behavior. `docker swarm update --secret ""` removes the automatically generated secret after `docker swarm init`.

Closes #23785
cc @diogomonica @aluzzardi @tonistiigi @dnephin
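A stand-alone sketch of the secret generation described above, split into its own `generateRandomSecret` function as the review suggests. It is an added example, not the PR's code: the constant values (16 bytes, base 36, 25 characters) and the `encodeSecret` and `validSecretFormat` helpers are assumptions, since the page names the constants without showing their values.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Assumed values for illustration; the page names such constants but does not show them.
const (
	entropyBytes = 16 // 128 bits read from the CSPRNG
	secretBase   = 36 // digits 0-9 followed by a-z
	secretLength = 25 // ceil(128 / log2(36)): longest base-36 form of a 128-bit value
)

// encodeSecret renders up to entropyBytes raw bytes as a fixed-length base-36 string.
func encodeSecret(raw []byte) string {
	var n big.Int
	n.SetBytes(raw)
	text := n.Text(secretBase)
	// Left-pad explicitly so leading zero bytes do not shorten the secret.
	return strings.Repeat("0", secretLength-len(text)) + text
}

// generateRandomSecret reads entropyBytes from crypto/rand and encodes them.
// It returns the error instead of falling back to a weaker random source.
func generateRandomSecret() (string, error) {
	raw := make([]byte, entropyBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", fmt.Errorf("reading random bytes: %w", err)
	}
	return encodeSecret(raw), nil
}

// validSecretFormat reports whether s has the generated length and alphabet.
func validSecretFormat(s string) bool {
	return len(s) == secretLength && strings.Trim(s, "0123456789abcdefghijklmnopqrstuvwxyz") == ""
}

func main() {
	secret, err := generateRandomSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println(secret, validSecretFormat(secret))
}
```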