docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revamp install flow based on conatiner

This commit is contained in:
Daniel Hiltgen 2015-07-22 14:06:34 -07:00 committed by Joao Fernandes
parent 1debbd5645
commit 6e5af30036
5 changed files with 971 additions and 273 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
certs.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 103 KiB

428
certs.svg Normal file
View File

@ -0,0 +1,428 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="297mm"
height="210mm"
viewBox="0 0 1052.3622 744.09448"
id="svg2"
version="1.1"
inkscape:version="0.91 r13725"
sodipodi:docname="certs.svg"
inkscape:export-filename="/home/daniel/code/docker/orca/docs/certs.png"
inkscape:export-xdpi="90"
inkscape:export-ydpi="90">
<defs
id="defs4">
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0.0"
refX="0.0"
id="Arrow1Lend"
style="overflow:visible;"
inkscape:isstock="true">
<path
id="path8309"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) rotate(180) translate(12.5,0)" />
</marker>
<marker
inkscape:stockid="Arrow1Lstart"
orient="auto"
refY="0.0"
refX="0.0"
id="Arrow1Lstart"
style="overflow:visible"
inkscape:isstock="true">
<path
id="path8306"
d="M 0.0,0.0 L 5.0,-5.0 L -12.5,0.0 L 5.0,5.0 L 0.0,0.0 z "
style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1;fill:#000000;fill-opacity:1"
transform="scale(0.8) translate(12.5,0)" />
</marker>
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0"
refX="0"
id="Arrow1Lend-6"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8309-7"
d="M 0,0 5,-5 -12.5,0 5,5 0,0 Z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="matrix(-0.8,0,0,-0.8,-10,0)" />
</marker>
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0"
refX="0"
id="Arrow1Lend-5"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8309-4"
d="M 0,0 5,-5 -12.5,0 5,5 0,0 Z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="matrix(-0.8,0,0,-0.8,-10,0)" />
</marker>
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0"
refX="0"
id="Arrow1Lend-3"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8309-0"
d="M 0,0 5,-5 -12.5,0 5,5 0,0 Z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="matrix(-0.8,0,0,-0.8,-10,0)" />
</marker>
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0"
refX="0"
id="Arrow1Lend-0"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8309-3"
d="M 0,0 5,-5 -12.5,0 5,5 0,0 Z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="matrix(-0.8,0,0,-0.8,-10,0)" />
</marker>
<marker
inkscape:stockid="Arrow1Lend"
orient="auto"
refY="0"
refX="0"
id="Arrow1Lend-4"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8309-76"
d="M 0,0 5,-5 -12.5,0 5,5 0,0 Z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="matrix(-0.8,0,0,-0.8,-10,0)" />
</marker>
</defs>
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.98994949"
inkscape:cx="496.26316"
inkscape:cy="271.4965"
inkscape:document-units="px"
inkscape:current-layer="layer1"
showgrid="false"
inkscape:window-width="2558"
inkscape:window-height="1438"
inkscape:window-x="2560"
inkscape:window-y="0"
inkscape:window-maximized="0" />
<metadata
id="metadata7">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(0,-308.26772)">
<path
style="fill:#80ffa2;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
d="m 614.17274,689.71744 c 85.86297,-13.13198 84.85282,-45.45686 88.89343,-87.88327 4.04061,-42.42641 -13.13199,-73.74113 -51.51778,-111.11678 C 613.16259,453.34175 502.04581,384.65137 422.24376,372.52954 342.44171,360.40771 141.42135,344.24527 117.17769,375.56 c -24.243658,31.31473 -13.13198,107.07617 12.12183,134.35029 25.25381,27.27412 108.08633,119.198 143.44166,145.46197 35.35534,26.26397 216.32648,31.32727 265.67013,35.35533 49.49747,4.04062 75.76143,-1.01015 75.76143,-1.01015 z"
id="path13131"
inkscape:connector-curvature="0"
sodipodi:nodetypes="csssssssc" />
<g
id="g7274"
transform="translate(-385.87828,-24.243661)">
<rect
ry="5.3662186"
y="413.01773"
x="519.30054"
height="103.88154"
width="259.44501"
id="rect7268"
style="opacity:0.8;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2.16418409;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text7270"
y="477.69897"
x="648.17712"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="477.69897"
x="648.17712"
id="tspan7272"
sodipodi:role="line">Orca Root CA</tspan></text>
</g>
<g
id="g8188"
transform="translate(-91.923882,164.65486)">
<rect
ry="5.3496757"
y="520.75909"
x="115.90468"
height="103.56129"
width="342.96741"
id="rect7268-0"
style="opacity:0.8;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2.48443413;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text7270-7"
y="563.71283"
x="287.3371"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="563.71283"
x="287.3371"
id="tspan7272-9"
sodipodi:role="line">Orca intermediate</tspan><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="607.46283"
x="287.3371"
sodipodi:role="line"
id="tspan8182"> CA</tspan></text>
</g>
<g
id="g8253"
transform="translate(661.64992,-330.31988)">
<rect
ry="5.3662186"
y="689.29443"
x="10.688697"
height="103.88154"
width="259.44501"
id="rect7268-8"
style="opacity:0.8;fill:#80f7ff;fill-opacity:1;fill-rule:evenodd;stroke:#0ca3b1;stroke-width:2.16400003;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text7270-70"
y="732.10071"
x="139.56528"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="732.10071"
x="139.56528"
id="tspan7272-8"
sodipodi:role="line">Orca server</tspan><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="775.85071"
x="139.56528"
sodipodi:role="line"
id="tspan8231">cert</tspan></text>
</g>
<g
id="g8247"
transform="translate(-228.29447,172.73609)">
<rect
ry="5.3662186"
y="685.25385"
x="280.39941"
height="103.88154"
width="259.44501"
id="rect7268-8-2"
style="opacity:0.8;fill:#80f7ff;fill-opacity:1;fill-rule:evenodd;stroke:#0ca3b1;stroke-width:2.16400003;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text7270-70-4"
y="728.36774"
x="409.276"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="728.36774"
x="409.276"
id="tspan7272-8-5"
sodipodi:role="line">Orca normal</tspan><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="772.11774"
x="409.276"
sodipodi:role="line"
id="tspan8233">User Cert</tspan></text>
</g>
<g
id="g8225"
transform="translate(-287.89348,17.172593)">
<rect
ry="5.3429713"
y="524.86462"
x="560.94177"
height="103.4315"
width="380.21326"
id="rect7268-0-5"
style="opacity:0.8;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2.61422157;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text7270-7-6"
y="567.75348"
x="750.82623"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="567.75348"
x="750.82623"
id="tspan7272-9-4"
sodipodi:role="line">Swarm intermediate</tspan><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="611.50348"
x="750.82623"
sodipodi:role="line"
id="tspan8182-0"> CA</tspan></text>
</g>
<g
transform="translate(404.06103,29.294419)"
id="g8247-6">
<rect
ry="5.3662186"
y="685.25385"
x="280.39941"
height="103.88154"
width="259.44501"
id="rect7268-8-2-9"
style="opacity:0.8;fill:#80f7ff;fill-opacity:1;fill-rule:evenodd;stroke:#0ca3b1;stroke-width:2.16400003;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text7270-70-4-4"
y="728.36774"
x="409.276"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="728.36774"
x="409.276"
id="tspan7272-8-5-0"
sodipodi:role="line">swarm server</tspan><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="772.11774"
x="409.276"
sodipodi:role="line"
id="tspan8233-5">Cert</tspan></text>
</g>
<g
transform="translate(431.33515,-209.10159)"
id="g8247-9">
<rect
ry="5.3662186"
y="685.25385"
x="280.39941"
height="103.88154"
width="259.44501"
id="rect7268-8-2-8"
style="opacity:0.8;fill:#80f7ff;fill-opacity:1;fill-rule:evenodd;stroke:#0ca3b1;stroke-width:2.16400003;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text7270-70-4-7"
y="728.36774"
x="409.276"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="728.36774"
x="409.276"
id="tspan7272-8-5-8"
sodipodi:role="line">Orca admin</tspan><tspan
style="font-size:35px;text-align:center;text-anchor:middle"
y="772.11774"
x="409.276"
sodipodi:role="line"
id="tspan8233-0">User Cert</tspan></text>
</g>
<path
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend)"
d="m 185.92803,857.98994 5.44853,-69.0147"
id="path8300"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0"
inkscape:connection-start="#g8247"
inkscape:connection-end="#g8188" />
<path
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend-6)"
d="M 672.33862,418.08836 392.86726,433.5418"
id="path8300-2"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0"
inkscape:connection-end="#g7274"
inkscape:connection-start="#g8253" />
<path
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend-5)"
d="M 207.28496,685.41395 251.28775,492.65561"
id="path8300-3"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0"
inkscape:connection-end="#g7274"
inkscape:connection-start="#g8188" />
<path
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend-3)"
d="M 395.56604,542.03722 331.02772,492.65561"
id="path8300-5"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0"
inkscape:connection-end="#g7274"
inkscape:connection-start="#g8225" />
<path
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend-0)"
d="M 708.63079,714.54826 568.24982,645.46872"
id="path8300-0"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0"
inkscape:connection-start="#g8247-6"
inkscape:connection-end="#g8225" />
<path
style="display:inline;fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Arrow1Lend-4)"
d="m 711.73456,508.49303 -318.8673,-48.1782"
id="path8300-24"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0"
inkscape:connection-end="#g7274"
inkscape:connection-start="#g8247-9" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="393.15237"
y="531.00171"
id="text13133"
sodipodi:linespacing="125%"><tspan
sodipodi:role="line"
id="tspan13135"
x="393.15237"
y="531.00171"
style="font-size:25px">Swarm Trusted CAs</tspan></text>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

476
install_upgrade_spec.md
View File

@ -3,14 +3,336 @@
![Components](orca_components.png)
## Open Questions
* Can Swarm talk to consul with TLS enabled?
* ~~Can we use a single root CA and intermediate CA certs for orca/swarm?~~ - Yes!
* ~~Should the bootstrapper container contain the other images within?~~ - no, too bloated
* ~~Should we link all our containers, or wire them up based on the punched through IP/ports?~~ - It's not ready yet
* ~~DB Clustering/HA?~~ - Not for v1
* ~~What KV store (swarm discovery backend) should we use?~~ - Use single node consul for v1
* ~~How far away is core orca from supporting multiple swarms?~~ not for v1
* ~~Does it make sense to append the Orca CA certificates to the local system's trusted certs?~~ Give fingerprint instead
## Assumptions
* Orca will not be HA in v1
* We wont use data volume containers, but instead host volume mounts
* Our goal is to get as close to a full end-to-end deployment as possible (from bare-metal up to orca)
* Advanced customers may be able to cherry-pick, but that's not the focus in v1
* Bare-metal ISO based installer not (yet) covered in this document
* Swarm requires a common single CA "on both sides" (incoming client communication and outgoing engine communication)
* Swarm Managers must have visibility to all the engines (or proxies) and be secured with TLS. All Engines/Proxies must trust the CA who signed the swarm cert
* Swarm manager and docker proxy may fold into one component, but this shouldn't fundamentally change the flow
* We'll "own" an internal root CA with intermediaries for orca/swarm to provide access control
* Admin users certs will be signed by the root so they have swarm access, regular users by the orca intermediate so they do not have swarm access
* Set up so that certs can be replaced post v1
* We'll store the certs in a host volume mount
* The volume could be swapped out for a keywhiz volume mount in the future (unclear if we can write to it though...)
* Laying the groundwork of a central CA for our managed swarm will enable keywhiz for secret management post v1
* Installation logic should be idempotent, and not clobber any pertinent state unless the user asks us to
![Certs](certs.png)
## User Entrypoint
All scenarios described below start with the same user visible action, run on a system with a local docker.sock
```bash
curl https://get.docker.com/orca | bash
```
* This could also be run through notary to verify it wasn't tampered with
* If we meet our stretch goal of the ISO based installer, this script would be bundled there and run after the engine comes up.
* Business logic in this script will be kept to a minimum, most logic resides within the bootstrap container
* Ideally it should be possible to run the container "by hand" (as long as the right flags are passed to docker run) and have it work
* The bootstrap container uses a two-phase model to abstract away the version specific details of volume mounts or other flags required by the system.
* During implementation, if this becomes unwieldy, we'll just have the script launch "phase 2" automatically
## Deploy Orca
Description: Deploy orca+swarm onto a single "local" engine. Once deployed, additional engines can be added to the swarm.
Use-case specific flags:
* --version "label": Specify an exact version to pull, default is "latest"
* --fresh-install: destroy any existing state and orca containers on this node and deploy fresh. Default is to leave any state if detected, and if existing containers are detected, to redeploy them.
* --image-dir "path": Location of local images to load (typically used by ISO installer)
* --help: Basic usage information
* --phase2: If set, indicate we're in phase 2 and all necessary mounts are performed (undocumented in help output)
Steps:
1. (script) Load local images if --image-dir specified
2. (script) Prompt user for the admin password they want
* Implementation details TBD: most likely pre-hash/salt, store in a file, and mount it, then the container removes the file once it's loaded up
3. (script) Launch phase 1 container
* Do:
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/orca-bootstrap [flags]
```
4. (Phase 1) Pre-flight checks
* Verify that /var/run/docker.sock is present
* Check minimum version of docker engine
* Find ourself running on the engine, determine image in use
* Check for available ports for all our services, fail fast if they're taken
* Check for existing orca (fail if --upgrade wasn't passed - see upgrade flows below)
5. Launch phase2 container
* Same image as phase1, with additional mounts so the user doesn't have to get all the extra host mounts right
* Phase 1 Blocks until phase 2 finishes or fails, passing output through to user
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
-v $DB_PATH_TBD:... \
-v $CONSUL_DATA_TBD:...
-v ...any other paths... \
docker/orca-bootstrap --phase2 $PHASE1_FLAGS
```
6. Check for images on the engine, pull if missing
* If this fails, inform user to "docker login" using their hub credentials and try again
7. Stop any existing orca containers already running on the host
8. (conditional) clobber existing state if requested
9. Generate Root CA and certs if not present in host volume path: /etc/docker/ssl/orca
* root Orca CA cert
* Intermediat Orca CA cert
* Intermediat Swarm CA cert
10. Generate cert for proxy/swarm manager signed by Swarm CA
11. Deploy proxy with random exposed port
12. Verify we can see the proxy we just deployed using the engines external IP
* if not warn user firewall settings may need to be opened for port XXX (moot in bare metal case - should never fail)
13. Deploy Consul
* Use swarm CA for TLS configuration so it will only allow connections from swarm CA signed certs
* https://www.consul.io/docs/agent/encryption.html
* Map specific pem files, not the whole dir so unnecessary private keys aren't leaked
* Data directory mounted to host (to allow upgrades without loss of context)
* **Recommend mapping to non-standard ports so end-customer consul deployed with default ports on the same node works**
* RPC: 8300 - required
* HTTP API: 8500? - might not be needed
* DNS: 8600? - probably not needed
14. Deploy swarm manager pointed at proxy and consul external port(s)
* Bind to port 2376 so this becomes the "default" way to talk to this node
15. Verify we can see the swarm manager we just deployed
* if not warn user firewall settings may need to be opened for port XXX (moot in baremetal case)
16. Deploy DB with host volume mount for data directory
17. Deploy Orca server
* Linked to DB, pointed at consul external port
* Bind 80/443, use random ports if unavailable
19. Verify the Orca server is up
20. Report the Orca server cert fingerprint (via host path to prevent man-in-the-middle) for later in-browser TOFU
21. Report the URL to connect to Orca
## Add Host To Orca
Description: Used to add a single "local" engine to an existing orca swarm.
Use-case specific flags:
* --join "url": Specify the orca to join
* --swarm "label": Pick a specific swarm (defaul is "swarm0") -- Probably post v1
Steps:
1. (script) TOFU to the URL in question if not already trusted, prompt user to accept
* record CA public cert in /etc/docker/ssl/orca
* **Note: Probably have to run our nested container to accomplish this cross-platform**
2. (script) Prompt user for admin credentials once cert trusted, load into shell environment
3. (script) Load local images if --image-dir specified
4. (script) Launch phase 1
* Do:
```bash
docker run --rm -t \
-e ORCA_ADMIN_USER \
-e ORCA_ADMIN_PASSWORD \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
docker/orca-bootstrap --join https://myorca [--swarm "label"]
```
5. (Phase 1) Pre-flight checks
* Verify that /var/run/docker.sock is present
* Check minimum version of docker engine
* Find ourself running on the engine, determine image in use
* Check for available ports for all our services, fail fast if they're taken
6. (Phase 1) Call some low-cost API on orca to verify admin credentials so we can fail fast
7. (Phase 1) Check for required images on the engine, pull if missing
* If this fails, inform user to "docker login" using their hub credentials and try again
8. Launch phase2 container
* Same image as phase1, with additional mounts
* Phase 1 Blocks until phase 2 finishes or fails, passing output through to user
```bash
docker run --rm -t \
-e ORCA_ADMIN_USER \
-e ORCA_ADMIN_PASSWORD \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
docker/orca-bootstrap --phase2 $PHASE1_FLAGS
```
9. Generate new key pair and generate CSR for swarm/proxy
10. Call Orca API using admin credentials, request to add host, passing CSR
* Use /etc/docker/ssl/orca CA to verify TLS connection to server
* (server) verifies permissions to add host
* (server) signs CSR using swarm CA
* (server) returns signed cert, swarm number (always 0 in v1?), location of consul (and any other config required...)
11. Plase certs in /etc/docker/ssl/orca -- match swarm number from orca
12. Deploy proxy with random exposed port
13. Verify we can see the proxy we just deployed
* if not warn user firewall settings may need to be opened for port XXX (moot in bare metal case - should never fail)
14. Deploy swarm manager pointed at proxy, with config details returned by orca server
* Bind to port 2376 so this becomes the "default" way to talk to this node
15. Verify we can see the swarm manager we just deployed
* if not warn user firewall settings may need to be opened for port XXX (moot in baremetal case)
16. Verify host appears in Orca
Potential Refinements:
* Consider allowing certificate based auth, might make it easier to generate short-lived certs to use in scripted install/add-host (PXE boot scenarios in the future...)
## Upgrade/Patch a single node deployment
Identical to deployment flow above.
## Upgrade/Patch an Existing multi-node Orca deployment
Description: Pointed at an existing deployment, upgrade all the orca and swarm related components while persisting the configuration state of the system
Use-case specific flags:
* --upgrade: Upgrade an entire orca cluster
Precondition:
* User can run script on the master node, or with DOCKER\_HOST pointed at orca or the swarm with an admin account
Steps:
1. (script) Load local images if --image-dir specified
2. (script) Launch phase 1 (with affinity to the orca server)
* Do:
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
-e affinity:container=orca-server \
docker/orca-bootstrap --update [flags]
```
3. (Phase 1) Pre-flight checks
* Verify that /var/run/docker.sock is present
* Check minimum version of docker engine
* Find ourself running on the engine, determine image in use
* Find orca and/or swarm nodes on this engine, and determine their IP addresses
4. Launch phase2 container
* Same image as phase1, with additional mounts so the user doesn't have to get all the extra host mounts right
* Phase 1 Blocks until phase 2 finishes or fails, passing output through to user
```bash
docker run --rm -t \
-e affinity:container=orca-server \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
docker/orca-bootstrap --phase2 $PHASE1_FLAGS
```
5. Generate temporary swarm client cert signed by the existing swarm CA (so we can connect to swarm directly)
* Use direct /etc/docker/ssl/swarm# access and cfssl
6. Connect to primary swarm manager
7. distribute/pull images
* Look for images on the local engine, if present, distribute to the swarm
* If images not present on local engine, pull on the swarm
8. Stop consul, rm consul, start consul
9. For each secondary node (skip the primary)
* Deploy new proxy, verify it can be reached
* Shutdown manager on this node
* Deploy new manager, pointed at new proxy, verify it can be reached
* Shutdown old proxy
* Remove old proxy and manager
10. **Can we trigger a manager switch for swarm at this point?**
11. Stop and remove Orca server and db
12. Start Orca db and server
13. Stop primary swarm manager
14. Switch to communicating with secondary swarm manager
15. On old primary node
* Deploy new proxy, verify it can be reached
* Deploy new manager, pointed at new proxy, verify it can be reached
* Shutdown old proxy
* Remove old proxy and manager
16. Health check swarm/orca
17. Discard temporary swarm connection cert
## Remove host from Orca
* Ultimately we should use OCSP and revoke the swarm certificate for the node
* Probably not doable in v1 timeframe
* Uninstall on the individual engine (see below) probably sufficient for v1
* Will destroy the proxy/swarm manager on that node, and wipe the local copy of the swarm certificate
## Uninstall Orca
Description: Run on an engine, clear all orca content from the individual system (will not touch other engines, or customer workloads running on the engine)
Use-case specific flags:
* --uninstall: Remove any orca components running on this engine
Steps:
1. (script) Launch phase 1 container
* Do:
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
docker/orca-bootstrap --uninstall [flags]
```
2. (Phase 1) Pre-flight checks
* Verify that /var/run/docker.sock is present
* Check minimum version of docker engine
* Find ourself running on the engine, determine image in use
3. Launch phase2 container
* Same image as phase1, with additional mounts so the user doesn't have to get all the extra host mounts right
* Phase 1 Blocks until phase 2 finishes or fails, passing output through to user
```bash
docker run --rm -t \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/docker/ssl/orca:/etc/docker/ssl/orca \
-v $DB_PATH_TBD:... \
-v $CONSUL_DATA_TBD:...
-v ...any other paths... \
docker/orca-bootstrap --phase2 $PHASE1_FLAGS
```
4. Stop all orca containers on the host (except the bootstrappers)
5. Clear certs in /etc/docker/ssl/orca
6. Remove any other data directories (consul, db, etc.) if detected on the host
7. Remove all orca containers
8. Remove orca images (except bootstrapper, since it's still running)
## Potential Refinements
* Include another curl|bash style script for "env" like "docker-machine env <machine>"
* eval "$(curl -u myorcauser https://myorca/env | bash)" generate user cert (if not already generated) download it, store it in ~/.docker/orca\_$NAME and echo the eval goop to set up the environment to use it
* Allow pluggable KV store
* Start with single node consul, but let user re-wire post initial deployment with their own HA consul, or alternative
* Have bootstrapper spit out progress reporting information to stdout with a common pattern so GUI installer can generate reasonable progress bars and status messages
* Gather desired initial admin password from user in GUI and feed that through to the bootstrapper via environment variable, then set up orca with that password instead of the static default
## Installation Matrix
This table captures the potential installation scenarios we could support.
All scenarios assume an orca managed swarm. At this time, we do not
plan to support an externally managed swarm in the 1.0 timeframe.
All scenarios assume an orca managed swarm. We do not plan to support
an externally managed swarm in the 1.0 timeframe. Our goal is to focus
on the "Internal self-signed Root CA" model for v1.
||Self signed Swarm cert, unable to sign new certs|Internal self-signed Swarm CA (aka cfssl or equiv)|External Swarm CA, our cert can sign as an intermediary|External Swarm CA, our cert can't sign|
||Self signed Swarm cert, unable to sign new certs|Internal self-signed Root CA (aka cfssl or equiv)|External Root CA, our cert can sign as an intermediary|External Root CA, our cert can't sign|
|---|---|---|---|---|---|
| Install On swarm|N|N|N|N|
| Install On local engine|Y|Y|Y|Y|
@ -25,151 +347,3 @@ plan to support an externally managed swarm in the 1.0 timeframe.
| Add Host external (not through orca), Remote Engine, external CA|N|N|Maybe, via kv?|Maybe, via kv?|
| Upgrade/Patch Orca|Y|Y|Y|Y|
| Upgrade/Patch OrcaSwarm|Y|Y|Y|Y|
## Open Questions
* Should we link all our containers, or wire them up based on the punched through IP/ports?
* If linking works across hosts, can we rely on that for all communication between orca:swarm:proxy? If so, that might eliminate the need for a CA in v1, but how do you "secure" the cross-host communication? Feels like it might be a fallacy/chicken-and-egg problem...
* DB Clustering/HA?
* We might want to fold install/upgrade into one script since there's a lot of overlap
* What KV store (swarm discovery backend) should we use? Can we let the user tweak this?
* ~~How far away is core orca from supporting multiple swarms?~~ not for v1
* Should the install "script" actually be mostly implemented as a golang binary, perhaps with a thin shell script wrapper that downloads the right arch binary?
* Could help us leverage common code between the server and these little external "scripts"
* Should we allow the swarm manager to run on non-standard ports on the engines?
* Possibly include another curl|bash style script for "env" like "docker-machine env <machine>"
* eval "$(curl -u myorcauser https://myorca/env | bash)" generate user cert (if not already generated) download it, store it in ~/.docker/orca and echo the eval goop to set up the environment to use it
* Same as above with https://myorca/swarm/env for admins to get certs to talk directly to swarm (required for upgrade flows below)
* Does it make sense to append the Orca root CA certificate to the local system's trusted certs?
* Docker CLI needs more, browsers can handle one-off acceptance, so maybe this is just a waste of energy...
* How should "redeploy a broken orca/swarm" work? Should they redeploy the single node that has orca, then "upgrade" the cluster from there? If the proxies are busted, they'll likely have to re-add the nodes
## Assumptions
* We wont use data volume containers, but instead host volume mounts
* Most customers do not have swarm (yet), so our primary focus should be on making the Orca+Swarm deployment as clean and simple as possible
* Swarm requires a common single CA “on both sides” (incoming client communication and outgoing engine communication)
* Swarm Managers must have visibility to all the engines (or proxies) and be secured with TLS. All Engines/Proxies must trust the root CA who signed the swarm cert
* Swarm manager and docker proxy may fold into one component, but this shouldn't fundamentally change the flow
* We'll "own" our own root CAs (One for orca, and one for swarm)
* Set up so that certs can be replaced post v1
* We'll store the certs in a host volume mount
* The volume could be swapped out for a keywhiz volume mount in the future (unclear if we can write to it though...)
* Laying the groundwork of a central CA for our managed swarm will enable keywhiz for secret management post v1
* Installation script should be idempotent, and not clobber any pertinent state unless the user asks us to
## Deploy Orca With Swarm
Description: Deploy orca+swarm onto a single existing engine. Once deployed, additional engines can be added to the swarm.
```bash
curl https://get.docker.com/orca | bash
```
(or download a bundle with the script and saved/exported images)
Modes/Flags:
* version: Specify an exact version to pull, default is "latest"
* clobber: destroy any existing state and deploy fresh
Steps:
1. Pre-flight checks of target engine (Version, available ports, etc.)
* Detect if we're pointed at an orca, swarm, or individual engine
* Swarm: Fail deployment -- may support in future
* Orca: Fail deployment -- may support in future
* Engine: This flow
2. (conditional) clobber existing state if requested
3. Pull images
* Detect if saved images are present at the same location as the script (file naming scheme TBD) and if detected load those instead of pulling
* If we don't have them local, and they aren't already on the target system, do a docker login and search for them, and give a good error message if they aren't visible
4. Generate certs if not present in two host volume paths:
* /etc/ssl/orca: root CA cert and private key pair; orca server key pair
* This chain is used for the incoming client requests to the orca server
* We can expose a mechanism for a user account to get a signed key pair using this CA to authenticate CLIs (or other tools) against orca, mapping to their user account
* /etc/ssl/swarm0: root CA cert and private key pair (different from above), swarm server key pair
* This chain is used for communication from orca to swarm, and from swarm to the engines/proxies.
5. Generate cert for proxy and swarm manager signed by /etc/ssl/swarm0
* If DOCKER\_HOST set, use the hostname/ip from there
* If localhost, use IP and attempt to get hostname right (ugh) -- or maybe we force the user to tell us how to reach their localhost?
6. Deploy proxy with random exposed port
* **Q: should we try to use 2375, then fall back to random if unavailable to make firewall updates easier?**
7. Verify we can see the proxy we just deployed (if not warn user firewall settings may need to be opened for port XXX)
8. Deploy swarm manager pointed at proxy (punched through to engine's public IP) - **Fail if swarm official port is taken?**
9. Verify we can see the swarm manager we just deployed (if not warn user firewall settings may need to be opened for port XXX)
11. Deploy DB with host volume mount for data directory
12. Deploy Orca server (prefer 80/443, use random ports if unavailable)
13. Add orca as trusted CA cert on local system:
* Tell user what we're doing before the sudo prompt, instruct them to ^C to skip it
* Linux: Append Orca CA cert in /usr/local/share/ca-certificates/orca.pem and run update-ca-certificates
* Tell the user that they can copy .../orca.pem to other systems and run "update-ca-certificates" to add it as a trusted system
* Mac: sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/orca.cer"
* (future) Windows: certmgr.exe -add MyCert.cer -s -r localMachine trustedpublisher
14. Verify the Orca server is up before reporting address to user
15. (bonus round!) Download license key based on the users hub account and license Orca accordingly
## Upgrade/Patch an Existing Orca With Swarm
Description: Pointed at an existing deployment, upgrade all the orca and swarm related components while persisting the configuration state of the system
1. Pre-flight checks of target system (existing version, desired target version)
* Swarm mode: Fail - tell user to point to orca to proceed
* Orca mode:
* Verify at least two managers, get temporary certs to talk to swarm, make sure we can talk to two managers
* If only one, fail and tell user to run deploy script against engine (**or maybe we do this for them...**)
* Engine Mode: Reject, or run the deploy script logic
2. Pull images
* Detect if saved images are present at the same location as the script (file naming scheme TBD) and if detected load those instead of pulling
* If we don't have them local, and they aren't already on the target system, do a docker login and search for them, and give a good error message if they aren't visible
3. Connect to primary swarm manager
4. For each secondary node (not the primary)
* Deploy new proxy, verify it can be reached
* Shutdown manager on this node
* Deploy new manager, pointed at new proxy, verify it can be reached
* Shutdown old proxy
5. **Can we trigger a manager switch for swarm at this point?**
6. Stop and remove Orca server and db
7. Start Orca db and server
8. Stop primary swarm manager
9. Switch to communicating with secondary swarm manager
10. Remove old primary swarm manager
11. Start old primary swarm manager
12. Health check swarm/orca
13. Discard temporary swarm connection cert
## Add Host To Orca Managed Swarm
```bash
curl https://myorca/addhost | bash # Unauthed in GET mode
```
1. Pre-flight checks of target engine (same as install flow)
2. (conditional) pull images matching the existing orca/swarm
3. Prompt user for cred's to orca
4. curl/wget POST to https://myorca/addhost with hostname/IP of the target engine, piping output into the data volume container
* (server) Verify user has proper rights to add hosts (admin)
* (server) swarm CA, generate key pair for the engine using the hostname/IP specified, and return tar bundle with root CA cert (public portion only), and new server key pair
5. Store certs in host volume path: /etc/ssl/swarm
6. Determine port number for engine proxy, deploy with random port if default port taken
* Note: Once proxy is deployed, the remaining steps could be performed server side
7. Deploy swarm manager pointed at proxy (punched through to engine's public IP) - Fail if swarm official port is taken?
* If we already have enough managers, should we skip this step?
8. Use users credentials against orca, verify new host is present, report success
Questions:
* Would it make sense to just deploy a conditional beachhead in the script, and do the rest of the host deployment logic on the server side?
* If the engine already trusts our CA chain, just tell the server the endpoint to talk to
* If the engine is local or doesn't trust our cert chain, deploy a proxy in the script, then tell the server the proxy endpoint
## Uninstall Orca
* TBD - remove all traces so there's no lingering cruft

BIN
orca_components.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 40 KiB

340
orca_components.svg
View File

@ -16,7 +16,7 @@
version="1.1"
inkscape:version="0.91 r13725"
sodipodi:docname="orca_components.svg"
inkscape:export-filename="/home/daniel/orca_components.png"
inkscape:export-filename="/home/daniel/code/docker/orca/docs/orca_components.png"
inkscape:export-xdpi="90"
inkscape:export-ydpi="90">
<defs
@ -168,6 +168,36 @@
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-69-65-6"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-8-10-4"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
<marker
inkscape:stockid="SemiCircleIn"
orient="auto"
refY="0"
refX="0"
id="SemiCircleIn-69-3-3"
style="overflow:visible"
inkscape:isstock="true">
<path
inkscape:connector-curvature="0"
id="path8311-8-5-5"
d="m -0.37450702,-0.04569258 c 0,2.75999998 2.24000002,4.99999998 5.00000002,4.99999998 l 0,-10 c -2.76,0 -5.00000002,2.24 -5.00000002,5.00000002 z"
style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1pt;stroke-opacity:1"
transform="scale(0.6,0.6)" />
</marker>
</defs>
<sodipodi:namedview
id="base"
@ -195,7 +225,7 @@
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
<dc:title />
</cc:Work>
</rdf:RDF>
</metadata>
@ -254,7 +284,7 @@
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn)" />
</g>
<g
transform="translate(224.28572,2.6721514)"
transform="translate(224.28572,0.6721514)"
id="g8785-9">
<rect
ry="5.3747001"
@ -288,7 +318,7 @@
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-9"
d="m 260.39435,645.21935 1.03422,99.28571"
d="m 260.37904,645.21935 1.04953,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-6)" />
</g>
<g
@ -368,7 +398,7 @@
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69)" />
</g>
<g
transform="translate(338.57143,135.71429)"
transform="translate(338.57143,133.71429)"
id="g9664-7">
<rect
ry="5.3747001"
@ -402,7 +432,7 @@
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-7-7"
d="m 93.251486,512.8915 1.034224,99.28571"
d="m 93.23618,512.8915 1.04953,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69-3)" />
</g>
<g
@ -430,6 +460,188 @@
id="tspan8072-5"
sodipodi:role="line">Engine 1</tspan></text>
</g>
<g
id="g7494">
<rect
ry="5.3747001"
y="569.32007"
x="82.85714"
height="75.714287"
width="47.142857"
id="rect8119-2-1"
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-9"
y="101.19175"
x="-607.90594"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
id="tspan9011-6"
style="font-size:15px;text-align:center;text-anchor:middle"
y="101.19175"
x="-607.90594"
sodipodi:role="line">Orca</tspan><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="119.94175"
x="-607.90594"
sodipodi:role="line"
id="tspan9885">Server</tspan></text>
<path
sodipodi:nodetypes="cc"
inkscape:connection-start="#rect8119-2-1"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-7-6"
d="m 106.82291,645.03436 1.03423,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69-65)" />
</g>
<g
transform="translate(-150.57143,128)"
id="g9942">
<rect
ry="5.3747001"
y="440.93365"
x="182.14285"
height="75.714287"
width="47.142857"
id="rect8119-2-1-3"
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-9-3"
y="200.47746"
x="-479.51953"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
id="tspan9011-6-2"
style="font-size:15px;text-align:center;text-anchor:middle"
y="200.47746"
x="-479.51953"
sodipodi:role="line">Orca</tspan><tspan
style="font-size:15px;text-align:center;text-anchor:middle"
y="219.22746"
x="-479.51953"
sodipodi:role="line"
id="tspan9885-8">DB</tspan></text>
</g>
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="12.142857"
y="733.07648"
id="text9948"
sodipodi:linespacing="125%"><tspan
sodipodi:role="line"
id="tspan9950"
x="12.142857"
y="733.07648">Externally</tspan><tspan
sodipodi:role="line"
x="12.142857"
y="748.07648"
id="tspan9952">Visible</tspan><tspan
sodipodi:role="line"
x="12.142857"
y="763.07648"
id="tspan9954">Ports</tspan></text>
<g
id="g7501">
<g
transform="translate(102,0)"
id="g7418">
<rect
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect8119-2-1-3-6"
width="47.142857"
height="75.714287"
x="31.428574"
y="568.93365"
ry="5.3747001" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="-607.51953"
y="60.592041"
id="text8121-4-9-3-7"
sodipodi:linespacing="125%"
transform="matrix(0,-1,1,0,0,0)"><tspan
id="tspan9885-8-7"
sodipodi:role="line"
x="-607.51953"
y="60.592041"
style="font-size:15px;text-align:center;text-anchor:middle">Consul</tspan></text>
</g>
<path
sodipodi:nodetypes="cc"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-7-6-6"
d="m 157.42084,643.82528 1.03423,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69-65-6)" />
</g>
<g
id="g7485">
<rect
ry="5.3577666"
y="649.6131"
x="32.965164"
height="68.355377"
width="253.35539"
id="rect8068"
style="opacity:0.8;fill:#80d8ff;fill-opacity:1;fill-rule:evenodd;stroke:#0c73b1;stroke-width:2.21604013;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text8070"
y="690.68774"
x="159.25223"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:25px;text-align:center;text-anchor:middle"
y="690.68774"
x="159.25223"
id="tspan8072"
sodipodi:role="line">Engine 0</tspan></text>
</g>
<g
transform="translate(672.85714,134.28572)"
id="g9664-7-1">
<rect
ry="5.3747001"
y="437.17722"
x="69.285713"
height="75.714287"
width="47.142857"
id="rect8119-2-2-1"
style="opacity:1;fill:#80ffa9;fill-opacity:1;fill-rule:evenodd;stroke:#0cb134;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
transform="matrix(0,-1,1,0,0,0)"
sodipodi:linespacing="125%"
id="text8121-4-3-6"
y="87.620323"
x="-475.76309"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
id="tspan8125-58-4-1"
style="font-size:15px;text-align:center;text-anchor:middle"
y="87.620323"
x="-475.76309"
sodipodi:role="line">Swarm</tspan><tspan
id="tspan9011-1-9"
style="font-size:15px;text-align:center;text-anchor:middle"
y="106.37032"
x="-475.76309"
sodipodi:role="line">Manager</tspan></text>
<path
sodipodi:nodetypes="cc"
inkscape:connection-start="#rect8119-2-2-1"
inkscape:connector-curvature="0"
inkscape:connector-type="polyline"
id="path8127-7-7-2"
d="m 93.251486,512.8915 1.034224,99.28571"
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69-3-3)" />
</g>
<g
id="g8074-4"
transform="translate(535,36.428571)"
@ -455,121 +667,5 @@
id="tspan8072-8"
sodipodi:role="line">Engine N</tspan></text>
</g>
<g
id="g9664-1"
transform="translate(-17.857143,-42.857142)">
<g
id="g9923"
transform="translate(31.428571,175)">
<rect
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect8119-2-1"
width="47.142857"
height="75.714287"
x="69.285713"
y="437.17722"
ry="5.3747001" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="-475.76309"
y="87.620323"
id="text8121-4-9"
sodipodi:linespacing="125%"
transform="matrix(0,-1,1,0,0,0)"><tspan
sodipodi:role="line"
x="-475.76309"
y="87.620323"
style="font-size:15px;text-align:center;text-anchor:middle"
id="tspan9011-6">Orca</tspan><tspan
id="tspan9885"
sodipodi:role="line"
x="-475.76309"
y="106.37032"
style="font-size:15px;text-align:center;text-anchor:middle">Server</tspan></text>
<path
style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#SemiCircleIn-69-65)"
d="m 93.251486,512.8915 1.034224,99.28571"
id="path8127-7-6"
inkscape:connector-type="polyline"
inkscape:connector-curvature="0"
inkscape:connection-start="#rect8119-2-1"
sodipodi:nodetypes="cc" />
</g>
<g
id="g9942"
transform="translate(-30.714286,170.85714)">
<rect
style="opacity:1;fill:#809cff;fill-opacity:1;fill-rule:evenodd;stroke:#0c32b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect8119-2-1-3"
width="47.142857"
height="75.714287"
x="182.14285"
y="440.93365"
ry="5.3747001" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="-479.51953"
y="200.47746"
id="text8121-4-9-3"
sodipodi:linespacing="125%"
transform="matrix(0,-1,1,0,0,0)"><tspan
sodipodi:role="line"
x="-479.51953"
y="200.47746"
style="font-size:15px;text-align:center;text-anchor:middle"
id="tspan9011-6-2">Orca</tspan><tspan
id="tspan9885-8"
sodipodi:role="line"
x="-479.51953"
y="219.22746"
style="font-size:15px;text-align:center;text-anchor:middle">DB</tspan></text>
</g>
</g>
<g
id="g8074"
transform="translate(-20.714286,36.428571)"
style="opacity:0.8">
<rect
ry="5.3747001"
y="613.07648"
x="101.42857"
height="68.571419"
width="205.71429"
id="rect8068"
style="opacity:1;fill:#80d8ff;fill-opacity:1;fill-rule:evenodd;stroke:#0c73b1;stroke-width:2;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
<text
sodipodi:linespacing="125%"
id="text8070"
y="654.25916"
x="203.7242"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
xml:space="preserve"><tspan
style="font-size:25px;text-align:center;text-anchor:middle"
y="654.25916"
x="203.7242"
id="tspan8072"
sodipodi:role="line">Engine 0</tspan></text>
</g>
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:12px;line-height:125%;font-family:Sans;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
x="12.142857"
y="733.07648"
id="text9948"
sodipodi:linespacing="125%"><tspan
sodipodi:role="line"
id="tspan9950"
x="12.142857"
y="733.07648">Externally</tspan><tspan
sodipodi:role="line"
x="12.142857"
y="748.07648"
id="tspan9952">Visible</tspan><tspan
sodipodi:role="line"
x="12.142857"
y="763.07648"
id="tspan9954">Ports</tspan></text>
</g>
</svg>

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 28 KiB