// UnlockSwarm provides a key to decrypt data that is encrypted at rest.
func (c *Cluster) UnlockSwarm(req types.UnlockRequest) error {
key, err := encryption.ParseHumanReadableKey(req.UnlockKey)
if err != nil {
return err
}
c.Lock()
if c.node != nil || c.locked != true {
c.Unlock()
return errors.New("swarm is not locked")
}
config := *c.lastNodeConfig
config.lockKey = key
n, err := c.startNewNode(config)
if err != nil {
c.Unlock()
return err
}
c.Unlock()
select {
case <-n.Ready():
case <-n.done:
if errors.Cause(c.err) == ErrSwarmLocked {
return errors.New("swarm could not be unlocked: invalid key provided")
}
return fmt.Errorf("swarm component could not be started: %v", c.err)
}
go c.reconnectOnFailure(n)
return nil
}
// UnlockSwarm provides a key to decrypt data that is encrypted at rest.
func (c *Cluster) UnlockSwarm(req types.UnlockRequest) error {
c.controlMutex.Lock()
defer c.controlMutex.Unlock()
c.mu.RLock()
state := c.currentNodeState()
if !state.IsActiveManager() {
// when manager is not active,
// unless it is locked, otherwise return error.
if err := c.errNoManager(state); err != errSwarmLocked {
c.mu.RUnlock()
return err
}
} else {
// when manager is active, return an error of "not locked"
c.mu.RUnlock()
return errors.New("swarm is not locked")
}
// only when swarm is locked, code running reaches here
nr := c.nr
c.mu.RUnlock()
key, err := encryption.ParseHumanReadableKey(req.UnlockKey)
if err != nil {
return err
}
config := nr.config
config.lockKey = key
if err := nr.Stop(); err != nil {
return err
}
nr, err = c.newNodeRunner(config)
if err != nil {
return err
}
c.mu.Lock()
c.nr = nr
c.mu.Unlock()
if err := <-nr.Ready(); err != nil {
if errors.Cause(err) == errSwarmLocked {
return errors.New("swarm could not be unlocked: invalid key provided")
}
return fmt.Errorf("swarm component could not be started: %v", err)
}
return nil
}
func getKRW(swarmdir, unlockKey string) (*ca.KeyReadWriter, error) {
var (
kek []byte
err error
)
if unlockKey != "" {
kek, err = encryption.ParseHumanReadableKey(unlockKey)
if err != nil {
return nil, err
}
}
krw := ca.NewKeyReadWriter(certPaths(swarmdir).Node, kek, manager.RaftDEKData{})
_, _, err = krw.Read() // loads all the key data into the KRW object
if err != nil {
return nil, err
}
return krw, nil
}
// UnlockSwarm provides a key to decrypt data that is encrypted at rest.
func (c *Cluster) UnlockSwarm(req types.UnlockRequest) error {
c.controlMutex.Lock()
defer c.controlMutex.Unlock()
c.mu.RLock()
state := c.currentNodeState()
nr := c.nr
c.mu.RUnlock()
if nr == nil || errors.Cause(state.err) != errSwarmLocked {
return errors.New("swarm is not locked")
}
key, err := encryption.ParseHumanReadableKey(req.UnlockKey)
if err != nil {
return err
}
config := nr.config
config.lockKey = key
if err := nr.Stop(); err != nil {
return err
}
nr, err = c.newNodeRunner(config)
if err != nil {
return err
}
c.mu.Lock()
c.nr = nr
c.mu.Unlock()
if err := <-nr.Ready(); err != nil {
if errors.Cause(err) == errSwarmLocked {
return errors.New("swarm could not be unlocked: invalid key provided")
}
return fmt.Errorf("swarm component could not be started: %v", err)
}
return nil
}
if err != nil {
return err
}
autolockManagers, err := cmd.Flags().GetBool("autolock")
if err != nil {
return err
}
var unlockKey []byte
if cmd.Flags().Changed("unlock-key") {
unlockKeyString, err := cmd.Flags().GetString("unlock-key")
if err != nil {
return err
}
unlockKey, err = encryption.ParseHumanReadableKey(unlockKeyString)
if err != nil {
return err
}
}
// Create a cancellable context for our GRPC call
ctx, cancel := context.WithCancel(ctx)
defer cancel()
client, err := engineapi.NewClient(engineAddr, "", nil, nil)
if err != nil {
return err
}
executor := container.NewExecutor(client)
