Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support for swarm mode service creation and updates #769

Open
kevtainer opened this issue May 2, 2017 · 6 comments
Open

support for swarm mode service creation and updates #769

kevtainer opened this issue May 2, 2017 · 6 comments
Labels
feature waiting on feedback

Comments

@kevtainer
Copy link

kevtainer commented May 2, 2017
edited
Loading

Description

Add support for connecting to swarm manager nodes and UCP and create/update services.

  • Docker version : 17.04-EE (CE?)
  • If it's a feature request, what is your use case :
    • The ability to leverage docker-maven-plugin for the creation of swarm services and subsequent swarm updates/deployments

Roadmap

  1. Update security / ssl cert handling to support the host:port used by Docker EE UCP (tcp://manager-node:443), ECDSA certificates. I've solved this issue, but need to figure out how to keep support for RSA key pair. Eg:
KeyPair pair = new org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter().getKeyPair((org.bouncycastle.openssl.PEMKeyPair)readObject);

if (pair instanceof KeyPair) {
  BCECPrivateKey privateKey = (BCECPrivateKey) pair.getPrivate();
  ECPrivateKeySpec keySpec = new ECPrivateKeySpec(privateKey.getD(), privateKey.getParams());
  return KeyFactory.getInstance("ECDSA").generatePrivate(keySpec);
}
  1. Determine the impact of updating the minimum API to version 1.20 as required by the server.
  2. Add mojos for the commands and parameters available in docker service create and docker service update. (this is the bulk of the work).
@rhuss
Copy link
Collaborator

rhuss commented May 16, 2017

Thanks a lot for the idea and the task breakdown!

However, before we start to think of the technical realisation I'd like to go a step back and learn about your use case:

  • How can support for Docker swarm mode in d-m-p makes your life easier?
  • What is the value-add compared to plain Docker CLI usage? E.g which kind of build information which we need anyway can be reused?
  • Can it help for creating integration tests? How would such integration tests look like?
  • Do you have a concrete use case at hand which would need such a feature?

@gesellix
Copy link
Contributor

gesellix commented Jul 21, 2017
edited
Loading

Regardless of Docker swarm mode, the support for ECDSA encoded certs seems to be a relevant feature. I had a similar issue when clients wanted to access UCP, but I suppose the issue isn't specific to UCP or even Docker swarm mode.

So, to give input to @KCrawley's question how to keep RSA key pairs support: one simply can delegate the PrivateKey generation to the JcaPEMKeyConverter like this (example from https://github.com/docker-client/docker-engine/blob/1422cfb5d83b48e3120b085a22747fd9ebdef0e1/engine/src/main/groovy/de/gesellix/docker/ssl/KeyStoreUtil.groovy#L54):


    static PrivateKey loadPrivateKey(String keyPath) throws IOException, GeneralSecurityException {
        PEMParser parser = new PEMParser(new BufferedReader(new FileReader(keyPath)))
        def parsedObject = parser.readObject()
        if (parsedObject instanceof PEMKeyPair) {
            PEMKeyPair keyPair = (PEMKeyPair) parsedObject
            return generatePrivateKey(keyPair.getPrivateKeyInfo())
        }
        else if (parsedObject instanceof PrivateKeyInfo) {
            return generatePrivateKey((PrivateKeyInfo) parsedObject)
        }
        throw new GeneralSecurityException("Cannot generate private key from file: " + keyPath)
    }

    static PrivateKey generatePrivateKey(PrivateKeyInfo keyInfo) throws IOException, NoSuchAlgorithmException,
                                                                        InvalidKeySpecException {
        try {
            return new JcaPEMKeyConverter().getPrivateKey(keyInfo)
        }
        catch (InvalidKeySpecException e) {
            log.error("couldn't create private key for asn1oid '${keyInfo.getPrivateKeyAlgorithm().algorithm.id}'", e)
            throw e
        }
    }

In other words: I suggest to implement task 1. as described by @KCrawley - if you like I can submit a PR.

@rhuss
Copy link
Collaborator

rhuss commented Jul 24, 2017

Actually we do something similar in the KeyStoreUtil class, however for PKCS8 encoded certs. This came in with PR #730

As I'm not that deep in SSL and don't know (yet) the difference between PKCS8 and ECDSA encoded certs, I'm not sure how to combine both approaches. (e.g. can the encoding be detected during runtime ?

Any PR is highly appreciated, as I'm quite a bit work loaded these days.

@gesellix
Copy link
Contributor

can the encoding be detected during runtime?

Yes, that's possible via ASN.1 object identifiers and that's exactly what JcaPEMKeyConverter can encapsulate for us.

I'll look into a PR soonish.

@rhuss
Copy link
Collaborator

rhuss commented Jul 24, 2017

@gesellix thanks !

@gesellix gesellix mentioned this issue Jul 24, 2017
Merged
@josephtaylor
Copy link

I think the main use case we have for this is for projects that are designed to be run as a replicated service in swarm. It would be nice to be able to test issues that only crop up in a replicated scenario locally by being able to deploy multiple instances of the container to a local swarm. Of course we can always cook up a docker-compose file for such scenarios and use the CLI, but it'd be awesome to be able to do it with ./mvnw docker:start

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature waiting on feedback
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rhuss @gesellix @josephtaylor @kevtainer