
Swarm cluster and node TLS info in CLI #44

Merged
aaronlehmann merged 1 commit into docker:master from cyli:root-ca-info-in-cli
May 13, 2017


@cyli cyli commented May 8, 2017

Propagate the swarm cluster and node TLS info provided by the REST API
responses to the CLI. In node ls, display only whether the nodes' TLS
info matches the cluster's TLS info, or whether the node needs cert rotation.

Signed-off-by: Ying Li <ying.li@docker.com>

This code was originally in moby/moby#32875.

Sample output:

$ docker system info
...
Swarm: active
 NodeID: 6rv29rh4lg4bflx5tqq3sr99p
 Is Manager: true
 ClusterID: vsm0xtdcetezj9xbxs0iad04b
 Managers: 1
 Nodes: 1
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Number of Old Snapshots to Retain: 0
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Root Rotation In Progress: false
 Node Address: 192.168.126.146
 Manager Addresses:
  192.168.126.146:2377
...

$ docker node inspect self
[
    {
        "ID": "6rv29rh4lg4bflx5tqq3sr99p",
        ...
        "Description": {
            ...
            "TLSInfo": {
                "TrustRoot": "-----BEGIN CERTIFICATE-----\nMIIBazCCARCgAwIBAgIUOzgqU4tA2q5Yv1HnkzhSIwGyIBswCgYIKoZIzj0EAwIw\nEzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAyMDAyNDAwWhcNMzcwNDI3MDAy\nNDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH\nA0IABMbiAmET+HZyve35ujrnL2kOLBEQhFDZ5MhxAuYs96n796sFlfxTxC1lM/2g\nAh8DI34pm3JmHgZxeBPKUURJHKWjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB\nAf8EBTADAQH/MB0GA1UdDgQWBBS3sjTJOcXdkls6WSY2rTx1KIJueTAKBggqhkjO\nPQQDAgNJADBGAiEAoeVWkaXgSUAucQmZ3Yhmx22N/cq1EPBgYHOBZmHt0NkCIQC3\nzONcJ/+WA21OXtb+vcijpUOXtNjyHfcox0N8wsLDqQ==\n-----END CERTIFICATE-----\n",
                "CertIssuerSubject": "MBMxETAPBgNVBAMTCHN3YXJtLWNh",
                "CertIssuerPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExuICYRP4dnK97fm6OucvaQ4sERCEUNnkyHEC5iz3qfv3qwWV/FPELWUz/aACHwMjfimbcmYeBnF4E8pRREkcpQ=="
            }
        },
     ...
    }
]

$ docker node inspect self --pretty
...
TLS Info:
 TrustRoot:
-----BEGIN CERTIFICATE-----
MIIBazCCARCgAwIBAgIUOzgqU4tA2q5Yv1HnkzhSIwGyIBswCgYIKoZIzj0EAwIw
EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAyMDAyNDAwWhcNMzcwNDI3MDAy
NDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABMbiAmET+HZyve35ujrnL2kOLBEQhFDZ5MhxAuYs96n796sFlfxTxC1lM/2g
Ah8DI34pm3JmHgZxeBPKUURJHKWjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
Af8EBTADAQH/MB0GA1UdDgQWBBS3sjTJOcXdkls6WSY2rTx1KIJueTAKBggqhkjO
PQQDAgNJADBGAiEAoeVWkaXgSUAucQmZ3Yhmx22N/cq1EPBgYHOBZmHt0NkCIQC3
zONcJ/+WA21OXtb+vcijpUOXtNjyHfcox0N8wsLDqQ==
-----END CERTIFICATE-----

 Issuer Public Key:	MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExuICYRP4dnK97fm6OucvaQ4sERCEUNnkyHEC5iz3qfv3qwWV/FPELWUz/aACHwMjfimbcmYeBnF4E8pRREkcpQ==
 Issuer Subject:	MBMxETAPBgNVBAMTCHN3YXJtLWNh

$ docker node ls
ID                            HOSTNAME            STATUS              AVAILABILITY        MANAGER STATUS
6rv29rh4lg4bflx5tqq3sr99p *   ubuntu              Ready               Active              Leader
umall6tifty5ttyx9sg6axi7b     moby  

$ docker node ls --format "table {{.ID}}\t{{.Hostname}}\t{{.TLSStatus}}"
ID                          HOSTNAME            TLS STATUS
6rv29rh4lg4bflx5tqq3sr99p   ubuntu              Ready
umall6tifty5ttyx9sg6axi7b   moby                Ready

$ docker node ls --format "{{json .}}"
{"Availability":"Active","Hostname":"ubuntu","ID":"6rv29rh4lg4bflx5tqq3sr99p","ManagerStatus":"Leader","Self":true,"Status":"Ready","TLSStatus":"Ready"}
{"Availability":"Active","Hostname":"moby","ID":"umall6tifty5ttyx9sg6axi7b","ManagerStatus":"","Self":false,"Status":"Ready","TLSStatus":"Ready"}
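
The check this PR describes (whether a node's TLS info matches the cluster's) together with decoding the base64 `CertIssuerSubject` from the sample output, as an added example that is not the PR's own code. The `TLSInfo` type, the function names, the "Needs Rotation" label and the `root-A`/`root-B` and key values are assumptions of this example; only the issuer subject value comes from the page.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
)

// TLSInfo mirrors the inspect output's "TLSInfo" object (local type for this example).
type TLSInfo struct {
	TrustRoot           string
	CertIssuerSubject   []byte // base64 in JSON, raw DER here
	CertIssuerPublicKey []byte
}

// TLSStatus is "Ready" only if all three fields match the cluster's; the other label is this example's.
func TLSStatus(c, n TLSInfo) string {
	if c.TrustRoot == n.TrustRoot && bytes.Equal(c.CertIssuerSubject, n.CertIssuerSubject) &&
		bytes.Equal(c.CertIssuerPublicKey, n.CertIssuerPublicKey) {
		return "Ready"
	}
	return "Needs Rotation"
}

// IssuerName renders the DER-encoded issuer subject as a readable distinguished name.
func IssuerName(der []byte) (string, error) {
	var rdn pkix.RDNSequence
	if rest, err := asn1.Unmarshal(der, &rdn); err != nil || len(rest) != 0 {
		return "", fmt.Errorf("bad issuer subject (err=%v, %d trailing bytes)", err, len(rest))
	}
	var name pkix.Name
	name.FillFromRDNSequence(&rdn)
	return name.String(), nil
}

func Parse(doc string) (TLSInfo, error) {
	var t TLSInfo
	err := json.Unmarshal([]byte(doc), &t)
	return t, err
}

func main() {
	// Issuer subject is the page's value; trust roots and keys are constructed placeholders.
	cluster, _ := Parse(`{"TrustRoot":"root-A","CertIssuerSubject":"MBMxETAPBgNVBAMTCHN3YXJtLWNh","CertIssuerPublicKey":"a2V5LUE="}`)
	stale, _ := Parse(`{"TrustRoot":"root-B","CertIssuerSubject":"MBMxETAPBgNVBAMTCHN3YXJtLWNh","CertIssuerPublicKey":"a2V5LUI="}`)
	issuer, _ := IssuerName(cluster.CertIssuerSubject)
	fmt.Println(issuer, TLSStatus(cluster, cluster), TLSStatus(cluster, stale))
}
```

A node whose certificate was issued under a different root keeps the same issuer name but differs in trust root and issuer key, so comparing the subject alone is not enough.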

@aaronlehmann

Needs a rebase already


cyli commented May 10, 2017

The docs for these changes are moby/moby#33148.

Also going to reference the CA rotation docs https://github.com/cyli/docker/blob/6c847f8c437906fa26686c5167801ae48a010348/docs/reference/commandline/swarm_ca.md (from moby/moby#33152), since there was some discussion in moby/moby#32875 (comment) about whether to include the TLS info by default if there is a root rotation in progress, and https://github.com/cyli/docker/blob/6c847f8c437906fa26686c5167801ae48a010348/docs/reference/commandline/swarm_ca.md#--rotate better documents why that column could be useful (could also be added later on).


cyli commented May 11, 2017

cc @cpuguy83 @aaronlehmann - these were the CLI changes from moby/moby#32875 before. It no longer has the conditional column, and https://github.com/cyli/docker/blob/6c847f8c437906fa26686c5167801ae48a010348/docs/reference/commandline/swarm_ca.md#--rotate gives an example of how to display the TLS status when in the middle of a root rotation.

I don't feel super strongly, but it might be convenient to just automatically show that when there is a root rotation, though. On the other hand, maybe next version we should just provide a filter in swarmkit to show all the nodes that are stuck?


@mlaventure mlaventure left a comment


LGTM

@aaronlehmann

LGTM

@aaronlehmann aaronlehmann merged commit 35c8732 into docker:master May 13, 2017
@cyli cyli deleted the root-ca-info-in-cli branch May 13, 2017 00:20
@thaJeztah thaJeztah added this to the 17.06.0 milestone May 15, 2017
nobiit pushed a commit to nobidev/docker-cli that referenced this pull request Nov 19, 2025
[cherry-pick] Enable client side digest pinning for stack deploy