mirror of https://github.com/docker/cli.git
Document the swarm root CA rotation CLI command.
Signed-off-by: Ying Li <ying.li@docker.com>
parent
9810554494
commit
e1cd83f28a
|
@ -24,6 +24,7 @@ Options:
|
||||||
--help Print usage
|
--help Print usage
|
||||||
|
|
||||||
Commands:
|
Commands:
|
||||||
|
ca Manage root CA
|
||||||
init Initialize a swarm
|
init Initialize a swarm
|
||||||
join Join a swarm as a node and/or manager
|
join Join a swarm as a node and/or manager
|
||||||
join-token Manage join tokens
|
join-token Manage join tokens
|
||||||
|
|
|
@ -0,0 +1,122 @@
|
||||||
|
---
|
||||||
|
title: "swarm ca"
|
||||||
|
description: "The swarm ca command description and usage"
|
||||||
|
keywords: "swarm, ca"
|
||||||
|
---
|
||||||
|
|
||||||
|
<!-- This file is maintained within the docker/docker Github
|
||||||
|
repository at https://github.com/docker/docker/. Make all
|
||||||
|
pull requests against that repo. If you see this file in
|
||||||
|
another repository, consider it read-only there, as it will
|
||||||
|
periodically be overwritten by the definitive file. Pull
|
||||||
|
requests which include edits to this file in other repositories
|
||||||
|
will be rejected.
|
||||||
|
-->
|
||||||
|
|
||||||
|
# swarm ca
|
||||||
|
|
||||||
|
```markdown
|
||||||
|
Usage: docker swarm ca [OPTIONS]
|
||||||
|
|
||||||
|
Manage root CA
|
||||||
|
|
||||||
|
Options:
|
||||||
|
--ca-cert pem-file Path to the PEM-formatted root CA certificate to use for the new cluster
|
||||||
|
--ca-key pem-file Path to the PEM-formatted root CA key to use for the new cluster
|
||||||
|
--cert-expiry duration Validity period for node certificates (ns|us|ms|s|m|h) (default 2160h0m0s)
|
||||||
|
-d, --detach Exit immediately instead of waiting for the root rotation to converge
|
||||||
|
--external-ca external-ca Specifications of one or more certificate signing endpoints
|
||||||
|
--help Print usage
|
||||||
|
-q, --quiet Suppress progress output
|
||||||
|
--rotate Rotate the swarm CA - if no certificate or key are provided, new ones will be generated
|
||||||
|
```
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
View or rotate the current swarm CA certificate. This command must target a manager node.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Run the `docker swarm ca` command without any options to view the current root CA certificate
|
||||||
|
in PEM format.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ docker swarm ca
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBazCCARCgAwIBAgIUJPzo67QC7g8Ebg2ansjkZ8CbmaswCgYIKoZIzj0EAwIw
|
||||||
|
EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAzMTcxMDAwWhcNMzcwNDI4MTcx
|
||||||
|
MDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||||
|
A0IABKL6/C0sihYEb935wVPRA8MqzPLn3jzou0OJRXHsCLcVExigrMdgmLCC+Va4
|
||||||
|
+sJ+SLVO1eQbvLHH8uuDdF/QOU6jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
|
||||||
|
Af8EBTADAQH/MB0GA1UdDgQWBBSfUy5bjUnBAx/B0GkOBKp91XvxzjAKBggqhkjO
|
||||||
|
PQQDAgNJADBGAiEAnbvh0puOS5R/qvy1PMHY1iksYKh2acsGLtL/jAIvO4ACIQCi
|
||||||
|
lIwQqLkJ48SQqCjG1DBTSBsHmMSRT+6mE2My+Z3GKA==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
```
|
||||||
|
|
||||||
|
Pass the `--rotate` flag (and optionally a `--ca-cert`, along with a `--ca-key` or
|
||||||
|
`--external-ca` parameter flag), in order to rotate the current swarm root CA.
|
||||||
|
|
||||||
|
```
|
||||||
|
$ docker swarm ca --rotate
|
||||||
|
desired root digest: sha256:05da740cf2577a25224c53019e2cce99bcc5ba09664ad6bb2a9425d9ebd1b53e
|
||||||
|
rotated TLS certificates: [=========================> ] 1/2 nodes
|
||||||
|
rotated CA certificates: [> ] 0/2 nodes
|
||||||
|
```
|
||||||
|
|
||||||
|
Once the rotation os finished (all the progress bars have completed) the now-current
|
||||||
|
CA certificate will be printed:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ docker swarm ca --rotate
|
||||||
|
desired root digest: sha256:05da740cf2577a25224c53019e2cce99bcc5ba09664ad6bb2a9425d9ebd1b53e
|
||||||
|
rotated TLS certificates: [==================================================>] 2/2 nodes
|
||||||
|
rotated CA certificates: [==================================================>] 2/2 nodes
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBazCCARCgAwIBAgIUFynG04h5Rrl4lKyA4/E65tYKg8IwCgYIKoZIzj0EAwIw
|
||||||
|
EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTE2MDAxMDAwWhcNMzcwNTExMDAx
|
||||||
|
MDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||||
|
A0IABC2DuNrIETP7C7lfiEPk39tWaaU0I2RumUP4fX4+3m+87j0DU0CsemUaaOG6
|
||||||
|
+PxHhGu2VXQ4c9pctPHgf7vWeVajQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
|
||||||
|
Af8EBTADAQH/MB0GA1UdDgQWBBSEL02z6mCI3SmMDmITMr12qCRY2jAKBggqhkjO
|
||||||
|
PQQDAgNJADBGAiEA263Eb52+825EeNQZM0AME+aoH1319Zp9/J5ijILW+6ACIQCg
|
||||||
|
gyg5u9Iliel99l7SuMhNeLkrU7fXs+Of1nTyyM73ig==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
```
|
||||||
|
|
||||||
|
### `--rotate`
|
||||||
|
|
||||||
|
Root CA Rotation is recommended if one or more of the swarm managers have been
|
||||||
|
compromised, so that those managers can no longer connect to or be trusted by
|
||||||
|
any other node in the cluster.
|
||||||
|
|
||||||
|
Alternately, root CA rotation can be used to give control of the swarm CA
|
||||||
|
to an external CA, or to take control back from an external CA.
|
||||||
|
|
||||||
|
The `--rotate` flag does not require any parameters to do a rotation, but you can
|
||||||
|
optionally specify a certificate and key, or a certificate and external CA URL,
|
||||||
|
and those will be used instead of an automatically-generated certificate/key pair.
|
||||||
|
|
||||||
|
Because the root CA key should be kept secret, if provided it will not be visible
|
||||||
|
when viewing swarm any information via the CLI or API.
|
||||||
|
|
||||||
|
The root CA rotation will not be completed until all registered nodes have
|
||||||
|
rotated their TLS certificates. If the rotation is not completing within a
|
||||||
|
reasonable amount of time, try running
|
||||||
|
`docker node ls --format {{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}` to
|
||||||
|
see if any nodes are down or otherwise unable to rotate TLS certificates.
|
||||||
|
|
||||||
|
|
||||||
|
### `--detach`
|
||||||
|
|
||||||
|
Initiate the root CA rotation, but do not wait for the completion of or display the
|
||||||
|
progress of the rotation.
|
||||||
|
|
||||||
|
## Related commands
|
||||||
|
|
||||||
|
* [swarm init](swarm_init.md)
|
||||||
|
* [swarm join](swarm_join.md)
|
||||||
|
* [swarm join-token](swarm_join_token.md)
|
||||||
|
* [swarm leave](swarm_leave.md)
|
||||||
|
* [swarm unlock](swarm_unlock.md)
|
||||||
|
* [swarm unlock-key](swarm_unlock_key.md)
|
|
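Review bot: the troubleshooting command in the `--rotate` section, `docker node ls --format {{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}`, passes an unquoted template, so the shell splits it at the spaces and only `{{.ID}}` reaches `--format` while the other placeholders are passed as stray arguments; quote it, e.g. `docker node ls --format '{{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}'`. Two typos in the same section: "Once the rotation os finished" should read "is finished", and "when viewing swarm any information" should read "when viewing any swarm information". The compromised-manager paragraph could also be more precise: the text later states that the rotation is not complete until all registered nodes have rotated their TLS certificates, so a compromised manager that is still registered is counted in the progress bars and is expected to rotate like any other node; the paragraph should say that such a manager must be demoted and removed from the swarm before rotating, rather than implying the rotation alone cuts it off. The `--external-ca` option is described only as "Specifications of one or more certificate signing endpoints" with no description of the specification syntax; either document it here or point at where it is documented. Minor style: the two `docker swarm ca --rotate` example blocks use untagged fences while the first example uses ```bash.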
@ -159,6 +159,7 @@ by passing `--availability=drain` to `docker swarm init`.
|
||||||
|
|
||||||
## Related commands
|
## Related commands
|
||||||
|
|
||||||
|
* [swarm ca](swarm_ca.md)
|
||||||
* [swarm join](swarm_join.md)
|
* [swarm join](swarm_join.md)
|
||||||
* [swarm join-token](swarm_join_token.md)
|
* [swarm join-token](swarm_join_token.md)
|
||||||
* [swarm leave](swarm_leave.md)
|
* [swarm leave](swarm_leave.md)
|
||||||
|
|
|
@ -121,6 +121,7 @@ by passing `--availability=drain` to `docker swarm join`.
|
||||||
|
|
||||||
## Related commands
|
## Related commands
|
||||||
|
|
||||||
|
* [swarm ca](swarm_ca.md)
|
||||||
* [swarm init](swarm_init.md)
|
* [swarm init](swarm_init.md)
|
||||||
* [swarm join-token](swarm_join_token.md)
|
* [swarm join-token](swarm_join_token.md)
|
||||||
* [swarm leave](swarm_leave.md)
|
* [swarm leave](swarm_leave.md)
|
||||||
|
|
|
@ -106,6 +106,7 @@ Only print the token. Do not print a complete command for joining.
|
||||||
|
|
||||||
## Related commands
|
## Related commands
|
||||||
|
|
||||||
|
* [swarm ca](swarm_ca.md)
|
||||||
* [swarm init](swarm_init.md)
|
* [swarm init](swarm_init.md)
|
||||||
* [swarm join](swarm_join.md)
|
* [swarm join](swarm_join.md)
|
||||||
* [swarm leave](swarm_leave.md)
|
* [swarm leave](swarm_leave.md)
|
||||||
|
|
|
@ -62,6 +62,7 @@ command.
|
||||||
|
|
||||||
## Related commands
|
## Related commands
|
||||||
|
|
||||||
|
* [swarm ca](swarm_ca.md)
|
||||||
* [node rm](node_rm.md)
|
* [node rm](node_rm.md)
|
||||||
* [swarm init](swarm_init.md)
|
* [swarm init](swarm_init.md)
|
||||||
* [swarm join](swarm_join.md)
|
* [swarm join](swarm_join.md)
|
||||||
|
|
|
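Review bot: the new `* [swarm ca](swarm_ca.md)` entry is inserted ahead of `* [node rm](node_rm.md)`, which breaks the existing ordering of this list (`node rm` first, then the `swarm *` commands alphabetically); move it after `node rm` so it sits before `swarm init`, matching the other Related commands lists in this change.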
@ -40,6 +40,7 @@ Please enter unlock key:
|
||||||
|
|
||||||
## Related commands
|
## Related commands
|
||||||
|
|
||||||
|
* [swarm ca](swarm_ca.md)
|
||||||
* [swarm init](swarm_init.md)
|
* [swarm init](swarm_init.md)
|
||||||
* [swarm join](swarm_join.md)
|
* [swarm join](swarm_join.md)
|
||||||
* [swarm join-token](swarm_join_token.md)
|
* [swarm join-token](swarm_join_token.md)
|
||||||
|
|
|
@ -83,6 +83,7 @@ Only print the unlock key, without instructions.
|
||||||
|
|
||||||
## Related commands
|
## Related commands
|
||||||
|
|
||||||
|
* [swarm ca](swarm_ca.md)
|
||||||
* [swarm init](swarm_init.md)
|
* [swarm init](swarm_init.md)
|
||||||
* [swarm join](swarm_join.md)
|
* [swarm join](swarm_join.md)
|
||||||
* [swarm join-token](swarm_join_token.md)
|
* [swarm join-token](swarm_join_token.md)
|
||||||
|
|
|
@ -43,6 +43,7 @@ $ docker swarm update --cert-expiry 720h
|
||||||
|
|
||||||
## Related commands
|
## Related commands
|
||||||
|
|
||||||
|
* [swarm ca](swarm_ca.md)
|
||||||
* [swarm init](swarm_init.md)
|
* [swarm init](swarm_init.md)
|
||||||
* [swarm join](swarm_join.md)
|
* [swarm join](swarm_join.md)
|
||||||
* [swarm join-token](swarm_join_token.md)
|
* [swarm join-token](swarm_join_token.md)
|
||||||
|
|
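Review bot: this hunk links `swarm update` to the new `swarm ca` page, but the Related commands list in the new `swarm_ca.md` (init, join, join-token, leave, unlock, unlock-key) does not link back to `swarm update`, even though both commands take `--cert-expiry` (see the `docker swarm update --cert-expiry 720h` context line above); add `* [swarm update](swarm_update.md)` there so the cross-references are symmetric.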