Docker Community Forums

Create swarm host without internet access


(Sronsiek) #1

Hi,

We are trying to set up a swarm of hosts in a private, operational network which must be controlled in terms of version numbers of images, tools etc. No internet access is permitted from these hosts. Images can be installed onto hosts via docker save / load.

docker-engine is pre-installed, but docker-machine create attempts to access index.docker.io, resulting in Error creating machine:

docker-machine create -d generic \
   --generic-ip-address 192.168.100.1 \
   --generic-ssh-user <ssh-user> \
   --generic-ssh-key ~/.ssh/swarm \
   --engine-install-url "" \
   --swarm \
   --swarm-master \
   --swarm-discovery token://<swarm token> \
   swarm1
Error creating machine: Error running provisioning: Unable to pull image: Error while pulling image: Get https://index.docker.io/v1/repositories/library/swarm/images: dial tcp: lookup index.docker.io: no such host

Note that a swarm image is pre-installed on the host:

root@swarm1# docker images | grep swarm
swarm                                     latest              7dbfc39dd91a        3 weeks ago         19.34 MB

How can we configure machine to not access the web? Setting --engine-install-url to an empty string does not work.

Any help appreciated,

cheers


(Dvohra) #2

Why is image name set to swarm1?


(Sronsiek) #3

@dvohra: The described hosts are physical PCs running Linux. My understanding was that docker-machine create provisions hosts (incl setting the hostname), and that a discovery container plus swarm-containers with manager and / or node roles are subsequently launched on such hosts using docker swarm. The intention is that several hosts/machines (swarm1, swarm2, swarm3) act as both manager and node, thus avoiding a single point of failure / providing high availability.

So to me swarm1 is the hostname of the physical machine & I don’t really understand why you refer to swarm1 as an ‘image’. Please correct if I’m wrong!


(Dvohra) #4

What machines does the docker-machine ls command list?


(Sronsiek) #5

As expected:

docker-machine ls
NAME     ACTIVE   DRIVER    STATE     URL                        SWARM             DOCKER   ERRORS
swarm1   *        generic   Running   tcp://192.168.100.1:2376   swarm1 (master)   v1.9.1

(Dvohra) #6

Authentication may be required as in the url
https://index.docker.io/v1/repositories/library/swarm/


(Sronsiek) #7

This may be the cause of the error, however the question was how to prevent the attempts to access the internet. The required swarm image is already installed on the host:

$ docker images | grep swarm
docker.xx.xxx.loc/swarm                         latest              90ede5966b52        2 weeks ago         19.34 MB

(Sronsiek) #8

Ok, so the answer is: For a private cluster (no nodes in the cloud) there is no need to create a swarm token, and no need to create anything using docker-machine. In fact docker-machine is not needed at all. We deploy required images (‘swarm’, ‘consul’ & our own apps) via docker save / docker load. Then it is possible simply to start consul, manage & node on the hosts.


(Dvohra) #9

Docker Machine is typically used for remote nodes.


(Princeharry) #10

Docker swarm needs a discovery backend and the discovery-token is used when you use the swarm discovery backend provided by hub.docker.com. You can run your own consul discovery backend, just pass consul://ip:port instead of token://token

You’ll always need internet access when using the hosted discovery backend!


(Sronsiek) #11

And that’s the answer I was looking for - I had not realized the token is not required when running my own discovery service! Thanks!
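
The approach from posts #8 and #10 (no docker-machine, no token, a self-hosted consul:// backend), sketched as an added example that is not part of the original thread. The IP addresses, ports 2375/4000/8500, the image name `swarm` and an already running consul agent at `CONSUL_ADDR` are assumptions.

```shell
#!/bin/sh
# Added example: offline standalone-Swarm bring-up with a self-hosted consul backend.
# Assumptions (not from the thread): the IPs, ports 4000/8500, image name "swarm",
# engines listening on plain TCP 2375 inside the isolated network (with TLS the
# manager also needs its TLS options), and a consul agent already at CONSUL_ADDR.
CONSUL_ADDR="${CONSUL_ADDR:-192.168.100.1:8500}"   # constructed sample value
SWARM_IMAGE="${SWARM_IMAGE:-swarm}"
ENGINE_PORT="${ENGINE_PORT:-2375}"
DRY_RUN="${DRY_RUN:-1}"                            # 1 = only print the commands

# Accept only a self-hosted consul:// backend; token:// needs the hosted service.
discovery_url() {
    case "$1" in
        token://*) echo "refusing hosted discovery backend: $1" >&2; return 1 ;;
        consul://?*:?*) printf '%s\n' "$1" ;;
        *) echo "unsupported discovery URL: $1" >&2; return 1 ;;
    esac
}

# docker run pulls an image that is missing locally, so check before starting.
image_loaded() {
    [ -n "$(docker images -q "$1" 2>/dev/null)" ]
}

manage_cmd() {  # $1 = this host's IP
    url=$(discovery_url "consul://$CONSUL_ADDR") || return 1
    printf 'docker run -d -p 4000:4000 %s manage -H :4000 --replication --advertise %s:4000 %s\n' \
        "$SWARM_IMAGE" "$1" "$url"
}

join_cmd() {    # $1 = this host's IP
    url=$(discovery_url "consul://$CONSUL_ADDR") || return 1
    printf 'docker run -d %s join --advertise=%s:%s %s\n' \
        "$SWARM_IMAGE" "$1" "$ENGINE_PORT" "$url"
}

start_host() {  # run (or, in dry-run mode, print) manager + node on one host
    m=$(manage_cmd "$1") && j=$(join_cmd "$1") || return 1
    for cmd in "$m" "$j"; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            image_loaded "$SWARM_IMAGE" || { echo "docker load $SWARM_IMAGE first" >&2; return 1; }
            sh -c "$cmd"
        fi
    done
}

start_host "${1:-192.168.100.1}"
```

Run it with `DRY_RUN=0` and the host's own IP on each of swarm1, swarm2 and swarm3 after the images have been brought over with docker save / docker load.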