manager

package
v2.0.0-...-c1c857e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 15, 2024 License: Apache-2.0 Imports: 54 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config 

type Config struct {
	SecurityConfig *ca.SecurityConfig

	// RootCAPaths is the path to which new root certs should be save
	RootCAPaths ca.CertPaths

	// ExternalCAs is a list of initial CAs to which a manager node
	// will make certificate signing requests for node certificates.
	ExternalCAs []*api.ExternalCA

	// ControlAPI is an address for serving the control API.
	ControlAPI string

	// RemoteAPI is a listening address for serving the remote API, and
	// an optional advertise address.
	RemoteAPI *RemoteAddrs

	// JoinRaft is an optional address of a node in an existing raft
	// cluster to join.
	JoinRaft string

	// ForceJoin causes us to invoke raft's Join RPC even if already part
	// of a cluster.
	ForceJoin bool

	// StateDir is the top-level state directory
	StateDir string

	// ForceNewCluster defines if we have to force a new cluster
	// because we are recovering from a backup data directory.
	ForceNewCluster bool

	// ElectionTick defines the amount of ticks needed without
	// leader to trigger a new election
	ElectionTick uint32

	// HeartbeatTick defines the amount of ticks between each
	// heartbeat sent to other members for health-check purposes
	HeartbeatTick uint32

	// AutoLockManagers determines whether or not managers require an unlock key
	// when starting from a stopped state.  This configuration parameter is only
	// applicable when bootstrapping a new cluster for the first time.
	AutoLockManagers bool

	// UnlockKey is the key to unlock a node - used for decrypting manager TLS keys
	// as well as the raft data encryption key (DEK).  It is applicable when
	// bootstrapping a cluster for the first time (it's a cluster-wide setting),
	// and also when loading up any raft data on disk (as a KEK for the raft DEK).
	UnlockKey []byte

	// Availability allows a user to control the current scheduling status of a node
	Availability api.NodeSpec_Availability

	// PluginGetter provides access to docker's plugin inventory.
	PluginGetter plugin.Getter

	// FIPS is a boolean stating whether the node is FIPS enabled - if this is the
	// first node in the cluster, this setting is used to set the cluster-wide mandatory
	// FIPS setting.
	FIPS bool

	// NetworkConfig stores network related config for the cluster
	NetworkConfig *networkallocator.Config

	NetworkProvider networkallocator.Provider
}

Config is used to tune the Manager.

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

Manager is the cluster manager for Swarm. This is the high-level object holding and initializing all the manager subsystems.

func New 

func New(config *Config) (*Manager, error)

New creates a Manager which has not started to accept requests yet.

func (*Manager) Addr 

func (m *Manager) Addr() string

Addr returns tcp address on which remote api listens.

func (*Manager) BindControl 

func (m *Manager) BindControl(addr string) error

BindControl binds a local socket for the control API.

func (*Manager) BindRemote 

func (m *Manager) BindRemote(ctx context.Context, addrs RemoteAddrs) error

BindRemote binds a port for the remote API.

func (*Manager) IsStateDirty 

func (m *Manager) IsStateDirty() (bool, error)

IsStateDirty returns true if any objects have been added to raft which make the state "dirty". Currently, the existence of any object other than the default cluster or the local node implies a dirty state.

func (*Manager) RemovedFromRaft 

func (m *Manager) RemovedFromRaft() <-chan struct{}

RemovedFromRaft returns a channel that's closed if the manager is removed from the raft cluster. This should be used to trigger a manager shutdown.

func (*Manager) Run 

func (m *Manager) Run(parent context.Context) error

Run starts all manager sub-systems and the gRPC server at the configured address. The call never returns unless an error occurs or `Stop()` is called.

func (*Manager) Stop 

func (m *Manager) Stop(ctx context.Context, clearData bool)

Stop stops the manager. It immediately closes all open connections and active RPCs as well as stopping the manager's subsystems. If clearData is set, the raft logs, snapshots, and keys will be erased.

type RaftDEKData 

type RaftDEKData struct {

	// EncryptionKeys contain the current and pending raft DEKs
	raft.EncryptionKeys

	// NeedsRotation indicates whether another rotation needs to be happen after
	// the current one.
	NeedsRotation bool

	// The FIPS boolean is not serialized, but is internal state which indicates how
	// the raft DEK headers should be encrypted (e.g. using FIPS compliant algorithms)
	FIPS bool
}

RaftDEKData contains all the data stored in TLS pem headers.

func (RaftDEKData) MarshalHeaders 

func (r RaftDEKData) MarshalHeaders(kekData ca.KEKData) (map[string]string, error)

MarshalHeaders returns new PEM headers given the current KEK - it uses the current KEK to serialize/encrypt the current DEK state that is maintained in the current RaftDEKData object.

func (RaftDEKData) UnmarshalHeaders 

func (r RaftDEKData) UnmarshalHeaders(headers map[string]string, kekData ca.KEKData) (ca.PEMKeyHeaders, error)

UnmarshalHeaders loads the current state of the DEKs into a new RaftDEKData object (which is returned) given the current TLS headers and the current KEK.

func (RaftDEKData) UpdateKEK 

func (r RaftDEKData) UpdateKEK(oldKEK, candidateKEK ca.KEKData) ca.PEMKeyHeaders

UpdateKEK sets NeedRotation to true if we go from unlocked to locked.

type RaftDEKManager 

type RaftDEKManager struct {
	FIPS bool
	// contains filtered or unexported fields
}

RaftDEKManager manages the raft DEK keys by interacting with KeyReadWriter, calling the necessary functions to update the TLS headers when the raft DEK needs to change, or to re-encrypt everything when the KEK changes.

func NewRaftDEKManager 

func NewRaftDEKManager(kw ca.KeyWriter, fips bool) (*RaftDEKManager, error)

NewRaftDEKManager returns a RaftDEKManager that uses the current key writer and header manager

func (*RaftDEKManager) GetKeys 

func (r *RaftDEKManager) GetKeys() raft.EncryptionKeys

GetKeys returns the current set of DEKs. If NeedsRotation is true, and there is no existing PendingDEK, it will try to create one. If it successfully creates and writes a PendingDEK, it sets NeedRotation to false. If there are any errors doing so, just return the original set of keys.

func (*RaftDEKManager) MaybeUpdateKEK 

func (r *RaftDEKManager) MaybeUpdateKEK(candidateKEK ca.KEKData) (bool, bool, error)

MaybeUpdateKEK does a KEK rotation if one is required. Returns whether the kek was updated, whether it went from unlocked to locked, and any errors.

func (*RaftDEKManager) NeedsRotation 

func (r *RaftDEKManager) NeedsRotation() bool

NeedsRotation returns a boolean about whether we should do a rotation

func (*RaftDEKManager) RotationNotify 

func (r *RaftDEKManager) RotationNotify() chan struct{}

RotationNotify the channel used to notify subscribers as to whether there should be a rotation done

func (*RaftDEKManager) UpdateKeys 

func (r *RaftDEKManager) UpdateKeys(newKeys raft.EncryptionKeys) error

UpdateKeys will set the updated encryption keys in the headers. This finishes a rotation, and is expected to set the CurrentDEK to the previous PendingDEK.

type RemoteAddrs 

type RemoteAddrs struct {
	// Address to bind
	ListenAddr string

	// Address to advertise to remote nodes (optional).
	AdvertiseAddr string
}

RemoteAddrs provides a listening address and an optional advertise address for serving the remote API.

Source Files

View all Source files

Directories

Path Synopsis
Package allocator aims to manage allocation of different cluster-wide resources on behalf of the manager.
 Package allocator aims to manage allocation of different cluster-wide resources on behalf of the manager.
networkallocator
heartbeat
Package health provides some utility functions to health-check a server.
 Package health provides some utility functions to health-check a server.
constraintenforcer
global
jobs
jobs/global
jobs/replicated
replicated
restart
taskinit
taskreaper
testutils
update
volumeenforcer
raft
raft/membership
raft/storage
raft/testutils
raft/transport
Package transport provides grpc transport layer for raft.
 Package transport provides grpc transport layer for raft.
store
Package store provides interfaces to work with swarm cluster state.
 Package store provides interfaces to work with swarm cluster state.
testutils

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.