Diffstat (limited to 'devdocs/docker/engine%2Freference%2Fcommandline%2Fswarm_ca%2Findex.html')
| -rw-r--r-- | devdocs/docker/engine%2Freference%2Fcommandline%2Fswarm_ca%2Findex.html | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/devdocs/docker/engine%2Freference%2Fcommandline%2Fswarm_ca%2Findex.html b/devdocs/docker/engine%2Freference%2Fcommandline%2Fswarm_ca%2Findex.html new file mode 100644 index 00000000..be8867ae --- /dev/null +++ b/devdocs/docker/engine%2Freference%2Fcommandline%2Fswarm_ca%2Findex.html 
@@ -0,0 +1,41 @@ +<h1>docker swarm ca</h1> <p><br></p> <p>Display and rotate the root CA</p> <p><span class="badge badge-info" data-toggle="tooltip" data-placement="right" title="This command works with the Swarm orchestrator.">Swarm</span> This command works with the Swarm orchestrator.</p> <h2 id="usage">Usage</h2> <div class="highlight"><pre class="highlight" data-language="">$ docker swarm ca [OPTIONS] +</pre></div> <p>Refer to the <a href="#options">options section</a> for an overview of available <a href="#options"><code class="language-plaintext highlighter-rouge">OPTIONS</code></a> for this command.</p> <h2 id="description">Description</h2> <p name="extended-description">View or rotate the current swarm CA certificate.</p> <blockquote> <p><strong>Note</strong></p> <p>This is a cluster management command, and must be executed on a swarm manager node. To learn about managers and workers, refer to the <a href="../../../swarm/index">Swarm mode section</a> in the documentation.</p> </blockquote> <p>For example uses of this command, refer to the <a href="#examples">examples section</a> below.</p> <h2 id="options">Options</h2> <table> <thead> <tr> <td>Name, shorthand</td> <td>Default</td> <td>Description</td> </tr> </thead> <tbody> <tr> <td><code class="language-plaintext highlighter-rouge">--ca-cert</code></td> <td></td> <td>Path to the PEM-formatted root CA certificate to use for the new cluster</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">--ca-key</code></td> <td></td> <td>Path to the PEM-formatted root CA key to use for the new cluster</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">--cert-expiry</code></td> <td><code class="language-plaintext highlighter-rouge">2160h0m0s</code></td> <td>Validity period for node certificates (ns|us|ms|s|m|h)</td> </tr> <tr> <td> +<code class="language-plaintext highlighter-rouge">--detach</code> , <code class="language-plaintext highlighter-rouge">-d</code> +</td> <td></td> 
<td>Exit immediately instead of waiting for the root rotation to converge</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">--external-ca</code></td> <td></td> <td>Specifications of one or more certificate signing endpoints</td> </tr> <tr> <td> +<code class="language-plaintext highlighter-rouge">--quiet</code> , <code class="language-plaintext highlighter-rouge">-q</code> +</td> <td></td> <td>Suppress progress output</td> </tr> <tr> <td><code class="language-plaintext highlighter-rouge">--rotate</code></td> <td></td> <td>Rotate the swarm CA - if no certificate or key are provided, new ones will be generated</td> </tr> </tbody> </table> <h2 id="examples">Examples</h2> <p>Run the <code class="language-plaintext highlighter-rouge">docker swarm ca</code> command without any options to view the current root CA certificate in PEM format.</p> <div class="highlight"><pre class="highlight" data-language="">$ docker swarm ca + +-----BEGIN CERTIFICATE----- +MIIBazCCARCgAwIBAgIUJPzo67QC7g8Ebg2ansjkZ8CbmaswCgYIKoZIzj0EAwIw +EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAzMTcxMDAwWhcNMzcwNDI4MTcx +MDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABKL6/C0sihYEb935wVPRA8MqzPLn3jzou0OJRXHsCLcVExigrMdgmLCC+Va4 ++sJ+SLVO1eQbvLHH8uuDdF/QOU6jQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBSfUy5bjUnBAx/B0GkOBKp91XvxzjAKBggqhkjO +PQQDAgNJADBGAiEAnbvh0puOS5R/qvy1PMHY1iksYKh2acsGLtL/jAIvO4ACIQCi +lIwQqLkJ48SQqCjG1DBTSBsHmMSRT+6mE2My+Z3GKA== +-----END CERTIFICATE----- +</pre></div> <p>Pass the <code class="language-plaintext highlighter-rouge">--rotate</code> flag (and optionally a <code class="language-plaintext highlighter-rouge">--ca-cert</code>, along with a <code class="language-plaintext highlighter-rouge">--ca-key</code> or <code class="language-plaintext highlighter-rouge">--external-ca</code> parameter flag), in order to rotate the current swarm root CA.</p> <div class="highlight"><pre class="highlight" data-language="">$ docker 
swarm ca --rotate +desired root digest: sha256:05da740cf2577a25224c53019e2cce99bcc5ba09664ad6bb2a9425d9ebd1b53e + rotated TLS certificates: [=========================> ] 1/2 nodes + rotated CA certificates: [> ] 0/2 nodes +</pre></div> <p>Once the rotation os finished (all the progress bars have completed) the now-current CA certificate will be printed:</p> <div class="highlight"><pre class="highlight" data-language="">$ docker swarm ca --rotate +desired root digest: sha256:05da740cf2577a25224c53019e2cce99bcc5ba09664ad6bb2a9425d9ebd1b53e + rotated TLS certificates: [==================================================>] 2/2 nodes + rotated CA certificates: [==================================================>] 2/2 nodes +-----BEGIN CERTIFICATE----- +MIIBazCCARCgAwIBAgIUFynG04h5Rrl4lKyA4/E65tYKg8IwCgYIKoZIzj0EAwIw +EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTE2MDAxMDAwWhcNMzcwNTExMDAx +MDAwWjATMREwDwYDVQQDEwhzd2FybS1jYTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABC2DuNrIETP7C7lfiEPk39tWaaU0I2RumUP4fX4+3m+87j0DU0CsemUaaOG6 ++PxHhGu2VXQ4c9pctPHgf7vWeVajQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBSEL02z6mCI3SmMDmITMr12qCRY2jAKBggqhkjO +PQQDAgNJADBGAiEA263Eb52+825EeNQZM0AME+aoH1319Zp9/J5ijILW+6ACIQCg +gyg5u9Iliel99l7SuMhNeLkrU7fXs+Of1nTyyM73ig== +-----END CERTIFICATE----- +</pre></div> <h3 id="--rotate"><code class="language-plaintext highlighter-rouge">--rotate</code></h3> <p>Root CA Rotation is recommended if one or more of the swarm managers have been compromised, so that those managers can no longer connect to or be trusted by any other node in the cluster.</p> <p>Alternately, root CA rotation can be used to give control of the swarm CA to an external CA, or to take control back from an external CA.</p> <p>The <code class="language-plaintext highlighter-rouge">--rotate</code> flag does not require any parameters to do a rotation, but you can optionally specify a certificate and key, or a certificate and external CA URL, and those will be used instead of an 
automatically-generated certificate/key pair.</p> <p>Because the root CA key should be kept secret, if provided it will not be visible when viewing swarm any information via the CLI or API.</p> <p>The root CA rotation will not be completed until all registered nodes have rotated their TLS certificates. If the rotation is not completing within a reasonable amount of time, try running <code class="language-plaintext highlighter-rouge">docker node ls --format '{{.ID}} {{.Hostname}} {{.Status}} {{.TLSStatus}}'</code> to see if any nodes are down or otherwise unable to rotate TLS certificates.</p> <h3 id="--detach"><code class="language-plaintext highlighter-rouge">--detach</code></h3> <p>Initiate the root CA rotation, but do not wait for the completion of or display the progress of the rotation.</p> <h2 id="parent-command">Parent command</h2> <table> <thead> <tr> <th style="text-align: left">Command</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><a href="../swarm/index">docker swarm</a></td> <td style="text-align: left">Manage Swarm</td> </tr> </tbody> </table> <h2 id="related-commands">Related commands</h2> <table> <thead> <tr> <td>Command</td> <td>Description</td> </tr> </thead> <tbody> <tr> <td><a href="index">docker swarm ca</a></td> <td>Display and rotate the root CA</td> </tr> <tr> <td><a href="../swarm_init/index">docker swarm init</a></td> <td>Initialize a swarm</td> </tr> <tr> <td><a href="../swarm_join/index">docker swarm join</a></td> <td>Join a swarm as a node and/or manager</td> </tr> <tr> <td><a href="../swarm_join-token/index">docker swarm join-token</a></td> <td>Manage join tokens</td> </tr> <tr> <td><a href="../swarm_leave/index">docker swarm leave</a></td> <td>Leave the swarm</td> </tr> <tr> <td><a href="../swarm_unlock/index">docker swarm unlock</a></td> <td>Unlock swarm</td> </tr> <tr> <td><a href="../swarm_unlock-key/index">docker swarm unlock-key</a></td> <td>Manage the unlock key</td> 
</tr> <tr> <td><a href="../swarm_update/index">docker swarm update</a></td> <td>Update the swarm</td> </tr> </tbody> </table> <div class="_attribution"> + <p class="_attribution-p"> + © 2019 Docker, Inc.<br>Licensed under the Apache License, Version 2.0.<br>Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries.<br>Docker, Inc. and other parties may also have trademark rights in other terms used herein.<br> + <a href="https://docs.docker.com/engine/reference/commandline/swarm_ca/" class="_attribution-link">https://docs.docker.com/engine/reference/commandline/swarm_ca/</a> + </p> +</div> |
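Review bot: the Examples section of this hunk has a typo, `Once the rotation os finished (all the progress bars have completed)` should read `Once the rotation is finished`, and the `--rotate` section has a word-order slip, `it will not be visible when viewing swarm any information via the CLI or API` should be `when viewing any swarm information`. Two smaller points in the same hunk: the Options table describes `--ca-cert` and `--ca-key` as the certificate and key `to use for the new cluster`, which does not fit a command that rotates the CA of an existing swarm, so `to use for the rotated CA` would be clearer and would match the `--rotate` prose further down; and the Options and Related-commands tables put `<td>` cells inside `<thead>` while the Parent-command table uses `<th>`, so the header rows will render inconsistently unless aligned.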
