diff --git a/engine/swarm/join-nodes.md b/engine/swarm/join-nodes.md index f1e06bb80f..2cc6d95051 100644 --- a/engine/swarm/join-nodes.md +++ b/engine/swarm/join-nodes.md @@ -26,6 +26,10 @@ the `docker swarm join` command. The node only uses the token at join time. If you subsequently rotate the token, it doesn't affect existing swarm nodes. Refer to [Run Docker Engine in swarm mode](swarm-mode.md#view-the-join-command-or-update-a-swarm-join-token). +**NOTE:** Docker allows a non-FIPS enabled worker or manager nodes to a FIPS-enabled +swarm cluster. This can cause issues with upgrading a swarm if nodes are FIPS-enabled and other +nodes are not FIPS-enabled. + ## Join as a worker node To retrieve the join command including the join token for worker nodes, run the diff --git a/install/linux/docker-ee/rhel.md b/install/linux/docker-ee/rhel.md index 0be5a511d9..8b4f529821 100644 --- a/install/linux/docker-ee/rhel.md +++ b/install/linux/docker-ee/rhel.md @@ -50,6 +50,13 @@ On {{ linux-dist-long }}, Docker EE supports storage drivers, `overlay2` and `de With Docker EE Basic license for versions 18.03 and later, Docker provides FIPS 140-2 support in RHEL 7.3, 7.4 and 7.5. This includes a FIPS support cryptographic module. If the RHEL implementation already has FIPS support enabled, FIPS is automatically enabled in the Docker engine. +To verify the FIPS-140-2 module is enabled in the Linux kernel, confirm the file `/proc/sys/crypto/fips_enabled` contains `1`. + +``` +$ cat /proc/sys/crypto/fips_enabled +1 +``` + **NOTE:** FIPS is only supported in the Docker EE engine. UCP and DTR currently do not have support for FIPS-140-2. To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, do the following: 
@@ -72,7 +79,13 @@ $ docker info --format '{{ .SecurityOptions }}' [name=selinux name=fips] ``` -**NOTE:** If the system has the FIPS 140-2 cryptographic module installed on the operating system, it is possible to disable FIPS-140-2 compliance. To disable FIPS 140-2 in Docker but not the operating system, set the value `DOCKER_FIPS=0` in the `/etc/systemd/system/docker.service.d/fips-module`. +### Disabling FIPS-140-2 + +If the system has the FIPS 140-2 cryptographic module installed on the operating system, +it is possible to disable FIPS-140-2 compliance. + +To disable FIPS 140-2 in Docker but not the operating system, set the value `DOCKER_FIPS=0` +in the `/etc/systemd/system/docker.service.d/fips-module`. ### Find your Docker EE repo URL
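Review bot: in the engine/swarm/join-nodes.md hunk, the first sentence of the added NOTE is missing its verb and mixes singular and plural: "Docker allows a non-FIPS enabled worker or manager nodes to a FIPS-enabled swarm cluster". Suggest "Docker allows non-FIPS-enabled worker or manager nodes to join a FIPS-enabled swarm cluster." The second sentence reads more clearly as "if some nodes are FIPS-enabled and other nodes are not". Because the note warns that a mixed swarm can cause upgrade issues, it should also tell the reader what to do about it, for example by pointing to the `docker info --format '{{ .SecurityOptions }}'` check documented in install/linux/docker-ee/rhel.md so that each node's FIPS state can be confirmed before it joins.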
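Review bot: in the first install/linux/docker-ee/rhel.md hunk (@@ -50), the added verification step documents only the `1` result and does not say what any other value means or that this check covers the kernel only. Suggest adding a sentence that any other value means the kernel is not in FIPS mode, and that the engine's own state is confirmed separately with the `docker info` check later on the page. The added line also writes "FIPS-140-2" while the unchanged context lines directly above it write "FIPS 140-2"; pick one spelling for the page.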
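Review bot: in the second install/linux/docker-ee/rhel.md hunk (@@ -72), the new "Disabling FIPS-140-2" section keeps the path `/etc/systemd/system/docker.service.d/fips-module` from the removed NOTE, and that name has no `.conf` suffix. systemd only reads drop-in files in a `.d` directory whose names end in `.conf`, so a file created exactly as written would be ignored and the engine would stay in FIPS mode while the operator believes it is off. Please confirm the intended file name, and since this is now its own section, say how the value is set in that file and that the Docker service has to be reloaded and restarted for it to take effect. The sentence also ends at "in the `...fips-module`" without the noun "file", and the heading's "FIPS-140-2" differs from the "FIPS 140-2" used in the body text below it.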