Automated Docker Swarm cluster setup/provisioning/deployment using Ansible.
Host node OS is assumed to be Ubuntu (tested with 16.04 LTS (Xenial) and 18.04 LTS (Bionic)).
At the end of the provisioning, each node will be configured with:
- Latest Ubuntu updates
- Non-root user access
- SSH access restrained to non-root user and disabled password connection
- Docker Swarm use
ufwinstead ofiptables ufwports setup for generic web access (22, 80, 443) and Docker Swarm communication (2376, 2377, 7946, 4789)fail2bansetup with sensible ban ruleslogwatchsetup for daily reports to provided e-mail address
pipenv install -d
pipenv shell
-
Run vagrant
vagrant up -
Add local vm domain names to
/etc/hosts10.0.0.10 leader.local 10.0.0.11 manager.local 10.0.0.12 worker.local
-
Generate crypted password for non-root user with:
python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))" -
Setup
.envfile (with crypted password)HOST_USERNAME=user HOST_PASSWORD=******** HOST_SSH_PUB_FILE=~/.ssh/id_rsa.pub HOST_ADMIN_EMAIL= -
Reload
.envfile:pipenv shell -
Run the main playbook with the proper inventory config:
ansible-playbook -i {development, staging, production} site.ymlThe first time the whole playbook is run, if it fails to connect try running it with the
rootremote user:ansible-playbook -i {development, staging, production} site.yml -u root
docker-machine create \
--driver generic \
--generic-ip-address=10.0.0.10 \
--generic-ssh-port 22 \
--generic-ssh-user root \
--generic-ssh-key ~/.ssh/id_rsa \
leader
eval $(docker-machine env leader)
docker node ls
eval $(docker-machine env -u)
-
Enable auto-lock:
docker-machine ssh leader > docker swarm update --autolock=true > sudo service docker restart > exit -
Un-lock the swarm using the displayed encryption key:
eval $(docker-machine env leader) docker swarm unlock docker node ls
The MIT License (MIT)
Copyright (c) 2018 Romain Clement