Generate a swarm joining secret if none is specified

The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.

This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.

`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.

Closes #23785

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>

docs/reference/commandline/swarm_init.md

@@ -29,12 +29,24 @@ in the newly created one node Swarm cluster.
 
 ```bash
 $ docker swarm init --listen-addr 192.168.99.121:2377
+No --secret provided. Generated random secret:
+	4ao565v9jsuogtq5t8s379ulb
+
 Swarm initialized: current node (1ujecd0j9n3ro9i6628smdmth) is now a manager.
+
+To add a worker to this swarm, run the following command:
+	docker swarm join --secret 4ao565v9jsuogtq5t8s379ulb \
+	--ca-hash sha256:07ce22bd1a7619f2adc0d63bd110479a170e7c4e69df05b67a1aa2705c88ef09 \
+	192.168.99.121:2377
 $ docker node ls
 ID                           HOSTNAME  MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS          LEADER
 1ujecd0j9n3ro9i6628smdmth *  manager1  Accepted    Ready   Active        Reachable               Yes
 ```
 
+If a secret for joining new nodes is not provided with `--secret`, `docker swarm init` will
+generate a random one and print it to the terminal (as seen in the example above). To initialize
+a swarm with no secret, use `--secret ""`.
+
 ### `--auto-accept value`
 
 This flag controls node acceptance into the cluster. By default, `worker` nodes are
@@ -47,7 +59,6 @@ For example, the following initializes a cluster with auto-acceptance of workers
 
 ```bash
 $ docker swarm init --listen-addr 192.168.99.121:2377 --auto-accept worker
-Swarm initialized: current node (1m8cdsylxbf3lk8qriqt07hx1) is now a manager.
 ```
 
 ### `--external-ca value`

docs/reference/commandline/swarm_join.md

@@ -27,7 +27,7 @@ targeted by this command becomes a `manager`. If it is not specified, it becomes
 ### Join a node to swarm as a manager
 
 ```bash
-$ docker swarm join --manager --listen-addr 192.168.99.122:2377 192.168.99.121:2377
+$ docker swarm join --secret 4ao565v9jsuogtq5t8s379ulb --manager --listen-addr 192.168.99.122:2377 192.168.99.121:2377
 This node joined a Swarm as a manager.
 $ docker node ls
 ID                           HOSTNAME  MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS         LEADER
@@ -38,7 +38,7 @@ dvfxp4zseq4s0rih1selh0d20    manager1  Accepted    Ready   Active        Reachab
 ### Join a node to swarm as a worker
 
 ```bash
-$ docker swarm join --listen-addr 192.168.99.123:2377 192.168.99.121:2377
+$ docker swarm join --secret 4ao565v9jsuogtq5t8s379ulb --listen-addr 192.168.99.123:2377 192.168.99.121:2377
 This node joined a Swarm as a worker.
 $ docker node ls
 ID                           HOSTNAME  MEMBERSHIP  STATUS  AVAILABILITY  MANAGER STATUS         LEADER