Docker Swarm Integration

You can configure your Docker Container to run in Swarm mode. Swarm mode allows users to manage a cluster of Docker Engines or nodes as a single virtual system. This section demonstrates integrating a Docker Swarm configuration with a Luna Cloud HSM Service.

We recommend you use the Luna Cloud HSM service for this integration.

This integration is supported on the following operating systems:

  • RHEL7
  • Windows 2016 Server

Prerequisites

Before proceeding with the integration complete the following:

Provision Luna Cloud HSM service

Create a Luna Cloud HSM service in DPoD and transfer the Luna Cloud HSM service client to your host machine. Do not initialize the service. This step is included as part of the integration process.

Download and install Docker

You need to download and install Docker to use the Docker command line interface (CLI) to complete the integration. Visit the Docker documentation portal for detailed instructions and procedures for installing Docker on your system.

Setup Java Development Kit (JDK)

The example procedure at the end of the Docker Container Integration Guide uses the Java Development Kit (JDK) to demonstrate the Luna Cloud HSM service's functionality within a Docker Container. If you would like to complete this integration guide fully, install the Java Development Kit inside of the Docker Container.

We recommend you familiarize yourself with the Java Development Kit documentation before beginning the integration.

Integration

Integrate your Luna Cloud HSM Service with Docker Swarm.

Creating the DPoD Docker Image in Docker Registry

Use Docker Registry to configure the Docker Image that you intend to integrate with the Luna Cloud HSM Service and customize the Docker Image for integration with the Luna Cloud HSM Service Client.

Download and unzip the Luna Cloud HSM Service Client package on the Master Node in a directory called /clientfiles. Copy the certificates and configuration files to a directory called /secrets. Verify the contents in each directory.


ls clientfiles
bin etc EULA.zip jsp libs setenv
ls secrets
Chrystoki.conf partition-ca-certificate.pem partition-certificate.pem servercertificate.pem

Create the Dockerfile in the current working directory and add the following:


FROM ubuntu:xenial
RUN mkdir -p /usr/local/dpod
COPY clientfiles /usr/local/dpod
WORKDIR /usr/local/dpod/
ENV ChrystokiConfigurationPath=/usr/local/dpod
#End of the Dockerfile

Build the Docker Image using the new Dockerfile.


docker build . -t docker_swarm

Verify the image.


docker images
REPOSITORY      TAG      IMAGE ID        CREATED                SIZE
docker_swarm    latest   f190c59cd551    About a minute ago     245MB
ubuntu          xenial   b9e15a5d1e1a    10 hours ago           115MB

Log in to Docker Hub. Provide username and password when prompted.


docker login

Tag the Docker Image. Replace <username> with your Docker Hub username.


docker tag docker_swarm <username>/docker-swarm

Verify the newly tagged image is included in the Docker Images list.


docker images
REPOSITORY              TAG      IMAGE ID        CREATED          SIZE
<username>/docker-swarm latest   f190c59cd551    2 minutes ago    245MB
docker_swarm            latest   f190c59cd551    2 minutes ago    245MB
ubuntu                  xenial   b9e15a5d1e1a    10 hours ago     115MB

Push the image to Docker Hub.


docker push <username>/docker-swarm

You can make the Docker Hub repo private by accessing the following: Details > Settings > Make private > Enter tag name > Confirm on Docker Hub.

Setting up the Docker Swarm Cluster

Set up the nodes in the Docker Swarm cluster for integration with the Luna Cloud HSM Service.

Create the virtual machines for the Docker Swarm Cluster using the virtualbox driver:


docker-machine create --driver virtualbox myvm1
docker-machine create --driver virtualbox myvm2
docker-machine create --driver virtualbox myvm3

List the virtual machines and their IP addresses.


docker-machine ls
NAME    ACTIVE   DRIVER       STATE     URL                         SWARM   DOCKER        ERRORS
myvm1   -        virtualbox   Running   tcp://192.168.99.100:2376           v18.06.1-ce
myvm2   -        virtualbox   Running   tcp://192.168.99.101:2376           v18.06.1-ce
myvm3   -        virtualbox   Running   tcp://192.168.99.102:2376           v18.06.1-ce

Initialize the Docker Swarm on myvm1, which becomes the first node. The output includes the join token used in the next step.


docker-machine ssh myvm1 "docker swarm init --advertise-addr 192.168.99.100"

The first machine, myvm1, acts as the manager, which executes management commands and authenticates workers to join the Swarm. The secondary machines function as workers.

Add the remaining machines to the configuration as workers.


docker-machine ssh myvm2 "docker swarm join --token SWMTKN-1-3vcz1rkswq78s7t5sor3hrlbmzda4z523g8rnwkb8m8nd7tnpt-9uk7csvuieqqdg4b85nkk5ty9 192.168.99.100:2377"
docker-machine ssh myvm3 "docker swarm join --token SWMTKN-1-3vcz1rkswq78s7t5sor3hrlbmzda4z523g8rnwkb8m8nd7tnpt-9uk7csvuieqqdg4b85nkk5ty9 192.168.99.100:2377"

Execute docker node ls on the manager, myvm1, to view the nodes.


docker-machine ssh myvm1 "docker node ls"

Deploying an Application on the Swarm Manager

Execute the following on the Manager Node to configure the Luna Cloud HSM Service for your swarm configuration.

Copy all of the secret files to the swarm manager.


docker-machine scp -r -d secrets/ myvm1:/home/docker/

SSH to the manager myvm1.


docker-machine ssh myvm1

Create a local copy of docker-compose.yml on the manager:


version: '3.1'
services:
  test:
    image: <username>/docker-swarm:latest
    # command: 'cat /run/secrets/luna_secret '
    stdin_open: true
    tty: true
    secrets:
      - source: chrystoki-conf
        target: /usr/local/dpod/Chrystoki.conf
      - source: partition-ca-certificate
        target: /usr/local/dpod/partition-ca-certificate.pem
      - source: partition-certificate
        target: /usr/local/dpod/partition-certificate.pem
      - source: server-certificate
        target: /usr/local/dpod/server-certificate.pem
    deploy:
      replicas: 5
      resources:
        limits:
          cpus: "0.1"
          memory: 50M
secrets:
  chrystoki-conf:
    file: ./Chrystoki.conf
  partition-ca-certificate:
    file: ./partition-ca-certificate.pem
  partition-certificate:
    file: ./partition-certificate.pem
  server-certificate:
    file: ./server-certificate.pem

Change the path in the Chrystoki.conf file, on the Manager node, so that it points to the secrets:


sed -i 's#\./#/usr/local/dpod/#g' Chrystoki.conf

Deploy the service.


docker stack deploy -c docker-compose.yml latest

List the containers running on the manager to find the container name.


docker ps -a

Access the Docker Container.


docker exec -it latest_test.1.kot01ixg1oe8he3cixodk4hv7 /bin/bash

Now you are inside the Docker Container.

Access LunaCM from inside the Docker Container.


cd /usr/local/dpod/
./bin/64/lunacm
LunaCM v1.0.0-638. Copyright (c) 2006-2017 SafeNet.
Available HSMs:
Slot Id -> 3
Label -> dockerswarm
Serial Number -> 1285255181019
Model -> Luna K7
Firmware Version -> 7.1.1
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> User Token Slot
Current Slot Id: 3
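As an added check on the sed step above (example code, not part of the Thales guide), the following script applies the same rewrite to a Chrystoki.conf and then verifies that every certificate or config path the client will load points under /usr/local/dpod and names one of the secrets the compose file mounts. The sample Chrystoki.conf it writes is constructed, and its key names are illustrative only; point it at your own client configuration.

```shell
# Added example (not part of the Thales guide): apply the guide's sed rewrite to a
# Chrystoki.conf, then verify that every certificate/config path the client loads
# points under /usr/local/dpod and names a secret the stack mounts. The sample
# conf below is constructed and its key names are illustrative only.
DPOD_DIR=/usr/local/dpod   # ChrystokiConfigurationPath set in the Dockerfile

# Write the constructed sample conf and the secret list from docker-compose.yml into $1.
make_sample() {
    cat > "$1/Chrystoki.conf" <<'EOF'
Misc = {
  PluginModuleDir = ./libs/64/plugins;
}
LunaSA Client = {
  ServerCAFile = ./server-certificate.pem;
  ClientCertFile = ./partition-certificate.pem;
  ClientCAFile = ./partition-ca-certificate.pem;
}
EOF
    printf '%s\n' Chrystoki.conf partition-ca-certificate.pem \
        partition-certificate.pem server-certificate.pem > "$1/mounted.txt"
}

# The guide's substitution, written to a copy ($2) so the original ($1) survives.
rewrite_conf() { sed 's#\./#'"$DPOD_DIR"'/#g' "$1" > "$2"; }

# Print every absolute path assigned in the conf ("Key = /path;" lines).
conf_paths() { sed -n 's#^[[:space:]]*[A-Za-z]* *= *\(/[^;]*\);.*#\1#p' "$1"; }

# Succeed only if no "./" remains and every .pem/.conf path sits under DPOD_DIR
# and matches a filename in the mounted-secrets list ($2).
check_conf() {
    if grep -q '\./' "$1"; then
        echo "relative path still present in $1" >&2; return 1
    fi
    conf_paths "$1" | grep -E '\.(pem|conf)$' | while read -r p; do
        case "$p" in
            "$DPOD_DIR"/*) ;;
            *) echo "outside $DPOD_DIR: $p" >&2; exit 1 ;;
        esac
        grep -qx "$(basename "$p")" "$2" || { echo "not a mounted secret: $p" >&2; exit 1; }
    done
}

# Stand-alone run: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    T=$(mktemp -d) && make_sample "$T"
    rewrite_conf "$T/Chrystoki.conf" "$T/Chrystoki.conf.new"
    check_conf "$T/Chrystoki.conf.new" "$T/mounted.txt" && echo "Chrystoki.conf OK"
fi
```

Running check_conf inside a task container against /usr/local/dpod/Chrystoki.conf and the list of files actually present in /usr/local/dpod confirms that the secrets landed where the rewritten paths expect them.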

SSH to the worker node myvm2.


docker-machine ssh myvm2

List the containers running on worker node myvm2.


docker ps -a

Access the container on worker node myvm2.


docker exec -it latest_test.4.15m3zn8a8606r9zbfmnf3qypb /bin/bash

Now you are inside the container.

Access LunaCM from inside myvm2.


cd /usr/local/dpod/
./bin/64/lunacm

SSH to the worker node myvm3.

List the containers running on worker node myvm3.


docker ps -a

Access the container on worker node myvm3.


docker exec -it latest_test.3.j9ylpdoiiza71ijdk7y50xfnz /bin/bash

Now you are inside the container.

Access LunaCM from inside myvm3.


cd /usr/local/dpod/
./bin/64/lunacm

This completes the integration of Docker Swarm and a Luna Cloud HSM Service. See Using the Luna Cloud HSM Service inside Docker Container for an application demonstration inside of a Docker Swarm configuration using a DPoD Luna Cloud HSM Service.