docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add instructions for external certificates

This commit is contained in:
Daniel Hiltgen 2015-08-26 10:27:33 -07:00 committed by Joao Fernandes
parent 7791ef30c1
commit a717b57327
1 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
quickstart.md
View File

@ -36,6 +36,48 @@ Important notes for first time users:
* Take a look at the env.sh within the zip file for instructions (should be familiar if you've used machine)
## User Supplied Certificates
Orca uses two separate root CAs for access control - one for Swarm,
and one for the Orca server itself. The motivation for the dual root
certificates is to differentiate Docker remote API access to Orca
vs. Swarm. Orca implements ACL and audit logging on a per-users basis
which are not offered in Swarm or the engines. Swarm and the engine
proxies trust only the Swarm Root CA, while the Orca server trusts both
Root CAs. Admins can access Orca, Swarm and the engines while normal
users are only granted access to Orca.
In Orca v1.0 we support user provided externally signed certificates
for the Orca server. This cert is used by the main management web UI
(visible to your browser when you connect) as well as the Docker remote
API (visible to the Docker CLI and friends.) The Swarm Root CA is
always manged by Orca itself in this release. This external Orca Root
CA model supports customers managing their own CA, or purchasing certs
from a commercial CA. When operating in this mode, Orca can not generate
regular user certificates, as those must be managed and signed externally,
however admin account certs can be generated as they are signed by the
internal Swarm Root CA. Normal user accounts should be signed by the
same external Root CA (or a trusted intermediary), and the public keys
manually added through the UI.
To install Orca with an external Root CA, place the following files on the
engine host where you will install Orca **before** running the install:
* /var/lib/docker/orca\_ssl/orca\_ca.pem - Your Root CA Certificate chain (including any intermediaries)
* /var/lib/docker/orca\_ssl/orca\_controller.pem - Your signed Orca server cert
* /var/lib/docker/orca\_ssl/orca\_controller\_key.pem - Your Orca server private key
After setting up these files on the host, you can install with the "--external-orca-ca" flag.
```bash
docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
--name orca-bootstrap \
dockerorca/orca-bootstrap \
install --swarm-port 3376 -i --external-orca-ca
```
# Adding Nodes to the Cluster
To add capacity to your cluster, run the following on the engine you want to add (**not** the engine where you installed Orca above)
```bash