Documentation ¶
Index ¶
- type Config
- type Manager
- func (m *Manager) Addr() string
- func (m *Manager) BindControl(addr string) error
- func (m *Manager) BindRemote(ctx context.Context, addrs RemoteAddrs) error
- func (m *Manager) IsStateDirty() (bool, error)
- func (m *Manager) RemovedFromRaft() <-chan struct{}
- func (m *Manager) Run(parent context.Context) error
- func (m *Manager) Stop(ctx context.Context, clearData bool)
- type RaftDEKData
- func (r RaftDEKData) MarshalHeaders(kekData ca.KEKData) (map[string]string, error)
- func (r RaftDEKData) UnmarshalHeaders(headers map[string]string, kekData ca.KEKData) (ca.PEMKeyHeaders, error)
- func (r RaftDEKData) UpdateKEK(oldKEK, candidateKEK ca.KEKData) ca.PEMKeyHeaders
- type RaftDEKManager
- func NewRaftDEKManager(kw ca.KeyWriter, fips bool) (*RaftDEKManager, error)
- func (r *RaftDEKManager) GetKeys() raft.EncryptionKeys
- func (r *RaftDEKManager) MaybeUpdateKEK(candidateKEK ca.KEKData) (bool, bool, error)
- func (r *RaftDEKManager) NeedsRotation() bool
- func (r *RaftDEKManager) RotationNotify() chan struct{}
- func (r *RaftDEKManager) UpdateKeys(newKeys raft.EncryptionKeys) error
- type RemoteAddrs
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
	SecurityConfig *ca.SecurityConfig

	// RootCAPaths is the path to which new root certs should be saved.
	RootCAPaths ca.CertPaths

	// ExternalCAs is a list of initial CAs to which a manager node
	// will make certificate signing requests for node certificates.
	ExternalCAs []*api.ExternalCA

	// ControlAPI is an address for serving the control API.
	ControlAPI string

	// RemoteAPI is a listening address for serving the remote API, and
	// an optional advertise address.
	RemoteAPI *RemoteAddrs

	// JoinRaft is an optional address of a node in an existing raft
	// cluster to join.
	JoinRaft string

	// ForceJoin causes us to invoke raft's Join RPC even if already part
	// of a cluster.
	ForceJoin bool

	// StateDir is the top-level state directory.
	StateDir string

	// ForceNewCluster defines if we have to force a new cluster
	// because we are recovering from a backup data directory.
	ForceNewCluster bool

	// ElectionTick defines the number of ticks needed without
	// a leader to trigger a new election.
	ElectionTick uint32

	// HeartbeatTick defines the number of ticks between each
	// heartbeat sent to other members for health-check purposes.
	HeartbeatTick uint32

	// AutoLockManagers determines whether or not managers require an unlock key
	// when starting from a stopped state. This configuration parameter is only
	// applicable when bootstrapping a new cluster for the first time.
	AutoLockManagers bool

	// UnlockKey is the key to unlock a node - used for decrypting manager TLS keys
	// as well as the raft data encryption key (DEK). It is applicable when
	// bootstrapping a cluster for the first time (it's a cluster-wide setting),
	// and also when loading up any raft data on disk (as a KEK for the raft DEK).
	UnlockKey []byte

	// Availability allows a user to control the current scheduling status of a node.
	Availability api.NodeSpec_Availability

	// PluginGetter provides access to docker's plugin inventory.
	PluginGetter plugingetter.PluginGetter

	// FIPS is a boolean stating whether the node is FIPS enabled - if this is the
	// first node in the cluster, this setting is used to set the cluster-wide mandatory
	// FIPS setting.
	FIPS bool
}
Config is used to tune the Manager.
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager is the cluster manager for Swarm. This is the high-level object holding and initializing all the manager subsystems.
func (*Manager) BindControl ¶
func (m *Manager) BindControl(addr string) error
BindControl binds a local socket for the control API.
func (*Manager) BindRemote ¶
func (m *Manager) BindRemote(ctx context.Context, addrs RemoteAddrs) error
BindRemote binds a port for the remote API.
func (*Manager) IsStateDirty ¶
func (m *Manager) IsStateDirty() (bool, error)
IsStateDirty returns true if any objects have been added to raft which make the state "dirty". Currently, the existence of any object other than the default cluster or the local node implies a dirty state.
func (*Manager) RemovedFromRaft ¶
func (m *Manager) RemovedFromRaft() <-chan struct{}
RemovedFromRaft returns a channel that is closed when the manager is removed from the raft cluster. Use it to trigger a manager shutdown.
type RaftDEKData ¶
type RaftDEKData struct {
	// EncryptionKeys contain the current and pending raft DEKs
	raft.EncryptionKeys

	// NeedsRotation indicates whether another rotation needs to happen after
	// the current one.
	NeedsRotation bool

	// The FIPS boolean is not serialized, but is internal state which indicates how
	// the raft DEK headers should be encrypted (e.g. using FIPS compliant algorithms)
	FIPS bool
}
RaftDEKData contains all the data stored in TLS PEM headers.
func (RaftDEKData) MarshalHeaders ¶
func (r RaftDEKData) MarshalHeaders(kekData ca.KEKData) (map[string]string, error)
MarshalHeaders returns new PEM headers given the current KEK - it uses the current KEK to serialize/encrypt the current DEK state that is maintained in the current RaftDEKData object.
func (RaftDEKData) UnmarshalHeaders ¶
func (r RaftDEKData) UnmarshalHeaders(headers map[string]string, kekData ca.KEKData) (ca.PEMKeyHeaders, error)
UnmarshalHeaders loads the current state of the DEKs into a new RaftDEKData object (which is returned) given the current TLS headers and the current KEK.
func (RaftDEKData) UpdateKEK ¶
func (r RaftDEKData) UpdateKEK(oldKEK, candidateKEK ca.KEKData) ca.PEMKeyHeaders
UpdateKEK sets NeedsRotation to true if we go from unlocked to locked.
type RaftDEKManager ¶
type RaftDEKManager struct {
	FIPS bool
	// contains filtered or unexported fields
}
RaftDEKManager manages the raft DEK keys by interacting with KeyReadWriter, calling the necessary functions to update the TLS headers when the raft DEK needs to change, or to re-encrypt everything when the KEK changes.
func NewRaftDEKManager ¶
func NewRaftDEKManager(kw ca.KeyWriter, fips bool) (*RaftDEKManager, error)
NewRaftDEKManager returns a RaftDEKManager that uses the current key writer and header manager.
func (*RaftDEKManager) GetKeys ¶
func (r *RaftDEKManager) GetKeys() raft.EncryptionKeys
GetKeys returns the current set of DEKs. If NeedsRotation is true and there is no existing PendingDEK, it will try to create one. If it successfully creates and writes a PendingDEK, it sets NeedsRotation to false. If any error occurs while doing so, it returns the original set of keys unchanged.
func (*RaftDEKManager) MaybeUpdateKEK ¶
func (r *RaftDEKManager) MaybeUpdateKEK(candidateKEK ca.KEKData) (bool, bool, error)
MaybeUpdateKEK does a KEK rotation if one is required. It returns whether the KEK was updated, whether the cluster went from unlocked to locked, and any error.
func (*RaftDEKManager) NeedsRotation ¶
func (r *RaftDEKManager) NeedsRotation() bool
NeedsRotation returns whether a DEK rotation should be performed.
func (*RaftDEKManager) RotationNotify ¶
func (r *RaftDEKManager) RotationNotify() chan struct{}
RotationNotify returns the channel used to notify subscribers that a rotation should be performed.
func (*RaftDEKManager) UpdateKeys ¶
func (r *RaftDEKManager) UpdateKeys(newKeys raft.EncryptionKeys) error
UpdateKeys will set the updated encryption keys in the headers. This finishes a rotation, and is expected to set the CurrentDEK to the previous PendingDEK.
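The following Go program is an added illustration, not swarmkit's own code, of the lifecycle that GetKeys, MaybeUpdateKEK and UpdateKeys describe above: the DEK is kept in the TLS key's PEM headers, in the clear while the cluster is unlocked and envelope-encrypted under the unlock key (the KEK) once it is locked; going from unlocked to locked schedules a DEK rotation because the DEK still in use had been on disk unencrypted, and a rotation finishes only by promoting the pending DEK to current. KEKData, EncryptionKeys and DEKManager are stand-ins for ca.KEKData, raft.EncryptionKeys and RaftDEKManager; the header names, the "enc:" prefix and the SHA-256 key derivation are assumptions made for this example and do not describe swarmkit's on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Stand-ins for ca.KEKData (an empty KEK means "unlocked") and raft.EncryptionKeys.
type KEKData struct{ KEK []byte }
type EncryptionKeys struct{ CurrentDEK, PendingDEK []byte }

const hdrDEK, hdrPending = "raft-dek", "raft-dek-pending" // header names chosen for this illustration

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read never returns an error as of Go 1.24
	return b
}

// gcm turns the unlock key into an AES-256-GCM AEAD (SHA-256 as the KDF is an illustration only).
func gcm(kek []byte) cipher.AEAD {
	key := sha256.Sum256(kek)
	block, _ := aes.NewCipher(key[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// wrap serialises a DEK header: bare base64 while unlocked, "enc:"+base64(nonce||AES-GCM(DEK)) once locked.
func wrap(kek, dek []byte) string {
	if len(kek) == 0 {
		return base64.StdEncoding.EncodeToString(dek)
	}
	aead := gcm(kek)
	nonce := randBytes(aead.NonceSize())
	return "enc:" + base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, dek, nil))
}

// unwrap reverses wrap: an encrypted header cannot be opened without the right unlock key.
func unwrap(kek []byte, hdr string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(hdr, "enc:"))
	switch {
	case err != nil:
		return nil, err
	case !strings.HasPrefix(hdr, "enc:"):
		return raw, nil // stored in the clear: written while the cluster was unlocked
	case len(kek) == 0:
		return nil, errors.New("raft DEK is encrypted: unlock key required")
	}
	aead := gcm(kek)
	if ns := aead.NonceSize(); len(raw) >= ns {
		if dek, err := aead.Open(nil, raw[:ns], raw[ns:], nil); err == nil {
			return dek, nil
		}
	}
	return nil, errors.New("DEK header truncated or unlock key wrong (GCM tag mismatch)")
}

// DEKManager models RaftDEKManager's state machine; Headers plays the part of the PEM headers.
type DEKManager struct {
	kek           KEKData
	keys          EncryptionKeys
	needsRotation bool
	Headers       map[string]string
}

func NewDEKManager(kek KEKData) *DEKManager {
	m := &DEKManager{kek: kek, keys: EncryptionKeys{CurrentDEK: randBytes(32)}}
	m.writeHeaders()
	return m
}

// writeHeaders plays the part of MarshalHeaders: re-serialise every DEK under the current KEK.
func (m *DEKManager) writeHeaders() {
	m.Headers = map[string]string{hdrDEK: wrap(m.kek.KEK, m.keys.CurrentDEK)}
	if m.keys.PendingDEK != nil {
		m.Headers[hdrPending] = wrap(m.kek.KEK, m.keys.PendingDEK)
	}
}

func (m *DEKManager) NeedsRotation() bool { return m.needsRotation }

// GetKeys mints and persists a pending DEK when a rotation is owed and none exists yet.
func (m *DEKManager) GetKeys() EncryptionKeys {
	if m.needsRotation && m.keys.PendingDEK == nil {
		m.keys.PendingDEK = randBytes(32)
		m.needsRotation = false
		m.writeHeaders()
	}
	return m.keys
}

// UpdateKeys finishes a rotation: the new CurrentDEK must be the previous PendingDEK.
func (m *DEKManager) UpdateKeys(newKeys EncryptionKeys) error {
	if m.keys.PendingDEK != nil && !bytes.Equal(newKeys.CurrentDEK, m.keys.PendingDEK) {
		return errors.New("UpdateKeys: CurrentDEK must be the previous PendingDEK")
	}
	m.keys = newKeys
	m.writeHeaders()
	return nil
}

// MaybeUpdateKEK re-wraps the headers under a new KEK; going unlocked -> locked also schedules a DEK
// rotation, because the DEK still in use had been sitting on disk in the clear.
func (m *DEKManager) MaybeUpdateKEK(c KEKData) (updated, unlockedToLocked bool) {
	if bytes.Equal(c.KEK, m.kek.KEK) {
		return false, false
	}
	unlockedToLocked = len(m.kek.KEK) == 0 && len(c.KEK) != 0
	m.kek, m.needsRotation = c, m.needsRotation || unlockedToLocked
	m.writeHeaders()
	return true, unlockedToLocked
}
```

Walk it through in the order a manager would: NewDEKManager(KEKData{}) bootstraps unlocked, MaybeUpdateKEK with a real key locks the cluster and flags a rotation, the next GetKeys mints the pending DEK, and UpdateKeys promotes it. After locking, unwrap on the stored header fails without the key and with the wrong key, which is the property the unlock key exists to provide: a copy of the state directory alone no longer yields the raft DEK. Changing the KEK while already locked re-wraps the headers but needs no DEK rotation, since that DEK never touched disk unencrypted.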
type RemoteAddrs ¶
type RemoteAddrs struct {
	// Address to bind
	ListenAddr string

	// Address to advertise to remote nodes (optional).
	AdvertiseAddr string
}
RemoteAddrs provides a listening address and an optional advertise address for serving the remote API.
Directories ¶
Path | Synopsis
---|---
allocator | Package allocator aims to manage allocation of different cluster-wide resources on behalf of the manager.
health | Package health provides some utility functions to health-check a server.
raft/transport | Package transport provides grpc transport layer for raft.
store | Package store provides interfaces to work with swarm cluster state.