
I've used the commands from this gist (duplicated below) to create a Docker Swarm using Consul.

docker-machine create \
  --driver=digitalocean \
  --digitalocean-access-token=$DO_TOKEN \
  --digitalocean-size=512mb \
  --digitalocean-region=nyc3 \
  --digitalocean-private-networking=true \
  --digitalocean-image=ubuntu-15-04-x64 \
    docker-swarm-kv-store

docker $(docker-machine config docker-swarm-kv-store) run -d \
  --net=host progrium/consul --server -bootstrap-expect 1

kvip=$(docker-machine ip docker-swarm-kv-store)

docker-machine create \
  --driver=digitalocean \
  --digitalocean-access-token=$DO_TOKEN \
  --digitalocean-size=2gb \
  --digitalocean-region=nyc3 \
  --digitalocean-private-networking=true \
  --digitalocean-image=ubuntu-15-04-x64 \
  --swarm \
  --swarm-master \
  --swarm-discovery consul://${kvip}:8500 \
  --engine-opt "cluster-store consul://${kvip}:8500" \
  --engine-opt "cluster-advertise eth1:2376" \
    docker-swarm-master

docker-machine create \
  --driver=digitalocean \
  --digitalocean-access-token=$DO_TOKEN \
  --digitalocean-size=2gb \
  --digitalocean-region=nyc3 \
  --digitalocean-private-networking=true \
  --digitalocean-image=ubuntu-15-04-x64 \
  --swarm \
  --swarm-discovery consul://${kvip}:8500 \
  --engine-opt "cluster-store consul://${kvip}:8500" \
  --engine-opt "cluster-advertise eth1:2376" \
    docker-swarm-agent-1

eval $(docker-machine env --swarm docker-swarm-master)
docker info

Does Docker Machine ensure that the swarm is secure (perhaps by managing SSL certs under-the-covers), or can anyone join my Consul cluster by pointing at ${kvip}:8500?

Ryan Kennedy

2 Answers

It looks like the answer is that the cluster isn't secured by default.

The second command listed above is where the Consul service is started. If certs were getting passed in, they'd show up in that line.

The Consul Getting Started guide requires only the hostname/port of another node in the cluster you wish to join -- no authentication needed. However, if you've generated TLS certs, you can add them as shown in the DigitalOcean tutorial. One caveat is that since the original question mentions running Consul within a Docker container, you'll need to use volumes to move the certificates in.

Ryan Kennedy

In addition to what @RyanKennedy mentions, consider too that anyone can:

  • join an agent to the consul cluster (one way to avoid this might be to use encryption)
  • submit data to consul (which you could avoid by using ACL tokens)

Obviously, this all assumes that nothing else is providing protection, but to provide some depth to your defenses, I would definitely consider the two config items mentioned above.

iwaseatenbyagrue
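As an added example (not code from the question or either answer), a small Python audit of a Consul agent JSON config for the three controls the answers bring up: gossip encryption, TLS verification with certificates, and ACLs. It assumes Consul's documented config keys (`encrypt`, `verify_incoming`/`verify_outgoing`, `ca_file`/`cert_file`/`key_file`, and either the `acl` stanza or the legacy `acl_datacenter`/`acl_default_policy` keys); both sample configs are constructed.

```python
import json

# Constructed sample configs (not from the question): the first mirrors the
# defaults of the `progrium/consul --server -bootstrap-expect 1` setup above,
# the second adds the controls the answers recommend.
INSECURE_CONFIG = json.dumps({"server": True, "bootstrap_expect": 1})
HARDENED_CONFIG = json.dumps({
    "server": True, "bootstrap_expect": 1,
    "encrypt": "cg8StVXbQJ0gPvMd9o7yrg==",  # gossip key, constructed placeholder
    "verify_incoming": True, "verify_outgoing": True,
    "ca_file": "/consul/certs/ca.pem",       # mounted into the container via a volume
    "cert_file": "/consul/certs/server.pem",
    "key_file": "/consul/certs/server-key.pem",
    "acl": {"enabled": True, "default_policy": "deny"},
})


def acl_enforced(cfg):
    """True if ACLs are on with a deny default (new `acl` stanza or legacy keys)."""
    acl = cfg.get("acl")
    if isinstance(acl, dict):
        return bool(acl.get("enabled")) and acl.get("default_policy") == "deny"
    # Legacy (pre-1.4) layout: ACLs are active once acl_datacenter is set.
    return bool(cfg.get("acl_datacenter")) and cfg.get("acl_default_policy") == "deny"


def audit_consul_config(text):
    """Return a list of findings; an empty list means all three controls are present."""
    cfg = json.loads(text)
    findings = []
    if not cfg.get("encrypt"):
        findings.append("gossip: no 'encrypt' key, any host reaching 8301 can join the cluster")
    if not (cfg.get("verify_incoming") and cfg.get("verify_outgoing")):
        findings.append("tls: verify_incoming/verify_outgoing not both true, RPC peers are not authenticated")
    elif not all(cfg.get(k) for k in ("ca_file", "cert_file", "key_file")):
        findings.append("tls: verification enabled but ca_file/cert_file/key_file are missing")
    if not acl_enforced(cfg):
        findings.append("acl: ACLs not enforced, the KV store on 8500 accepts unauthenticated writes")
    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_consul_config(cfg) or ["ok"])
```

Run it against the config file you bind-mount into the Consul container (or the JSON passed via `CONSUL_LOCAL_CONFIG`) to see which of the three controls the question's setup is missing.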