We are in the era of cloud computing. Many customers are rushing to accelerate their digital transformation. In the same time the cloud providers are getting better and better by the minute. Literally!
That leaves a lot of the IT leaders no choice but to think carefully about their strategies to move to the cloud. One of the things that is very popular now is containers.
In the context of digital transformation and cloud migration its appealing for the following reasons:
1- Provides an abstraction layer from the underlying infrastructure layer.
That gives organizations the flexibility of moving their workloads easily and host them in different infrastructure anytime whether it is on-premises or in the cloud. So, you are not locked-in to a specific cloud provider nor to your own on-premises datacenter.
2- Gives you the ability to optimize the usage of your infrastructure by increasing the density of your workloads
3- It’s a great architecture for implement continuous integration, continuous deployment pipeline.
One of the great containers platforms out there is Docker. It’s supported in Azure. You can deploy a Docker DC/OS container cluster leveraging the Azure Container Service.
You also have the option of Deploying the enterprise version of Docker that is available on the Marketplace.
In this article, I will cover how to deploy a Docker EE (Standard/Advanced) cluster in Azure and I will touch on a common error that users fall into that breaks their deployment.
The deployment of a Docker EE cluster in Azure is straight forward.
To deploy a Docker EE cluster, you need the following
- Azure subscription
- Azure Application principal
- RSA SSH Key
This will allow you to leverage the Azure cloud services and create virtual machines, database …etc. You need a subscription to be able to deploy the virtual machines and other resources required to host your Docker cluster. Luckily you can get a free trail one here.
Azure Application principal
Azure App Principal aka Azure AD Application refers to an identity object (resource) that can be created in Azure AD that allows applications (Code or script) to authenticate and be authorized (similar to Azure AD users) to access Azure resources or any resources that Azure AD integrates with.
In simple terms, think of it as a service account used by applications to access resources that are linked with your Azure AD directory. Similar to a service account, an App principal will have the following:
- Principal name –> User Name
- App principal ID or (App ID) –> User ID
- App Secret –> Password
Check the additional resources section at the end of the article for link to a resource with more details.
Why do we need an App Principal for a Docker cluster?
It’s used by the Docker orchestrator to manage your cluster in Azure. Docker uses the App principal (Service principal) to be authorized to access the Azure subscription via the Azure APIs to change your cluster underlying infrastructure when required. For example, scale up or down the number of nodes (VMs) and/or configure the azure load balancer.
RSA SSH Key
Used to SSH to your manager nodes.
Steps to deploy a Docker EE cluster
- Create an Azure resource group
- Create an App Principal
- Assign the App Principal from step #2 a permission on the group created on step #1
- Create your DockerEE cluster using the app principal created in step #2 and select the resource group created in step #1
First: Create a resource group
1- Go to https://Portal.Azure.com
2- Click on the + sign from the left nav to add a new resource | select or type resource group
3- Provide Resource group name, Subscription and Resource group location
Create resource group [Azure CLI]
[email protected]:~$ az group create -n DockerEECDemo --location southcentralus
Second: Create an App principal
- Go to https://Portal.Azure.com
- Click (or search for) the Azure Active Directory icon from the left nav | select or type App registration | New application registration
- Provide a Name, leave the default settings of Application type = “Web app/API” and provide any random URL at Sign-on URL field
- Press Create
Then you need to issue a key for the app principal
- Click on Settings | Keys
- Type a Description for the key and choose the Expires time | Press Save
- Copy the Application ID = [Principal App ID] & Key Value = [Principal App Secret] to somewhere safe as you will need to use them later
Third: Assign permission to the new App Principal to the resource group
This step is forgotten by most people. If this step is not performed and your App principal doesn’t have inherited contribute permissions on the resource group, your DTR portal provisioning will silently fail and will never load.
Steps to grant the App principal contribute permission
- Go to the resource group you have created | Click on Access Control (IAM) from the left nav | Add
- Select the role Contributor | find the created app principal using the field Select | select the right one from the list of results
- Press Save
Forth: Create DockerEE cluster
Now you are ready to create your DockerEE cluster. Assuming you already has an RSA SSH key pair generated. If not, please follow this article for directions on how to get that done.
1- Go to https://Portal.Azure.com
2- Click on the + sign from the left nav to add a new resource | search for Docker EE for Azure (Standard/Advanced)
3- Select Docker EE for Azure (Standard/Advanced) from the search results
4- Press Create
5- Provide the following values
- Swarm Name: dockerswarm
- Service Principal App ID: You should have that from the earlier steps
- Service Principal App Secret: You should have that from the earlier steps
- SSH public key: Your RSA SSH public Key
- Subscription: Your azure subscription name
- Resource group: The resource group created in the steps above
- Location: Select which Azure region you want your cluster deployed to. Usually this defaults to the location settings of the resource group.
6- Press OK
7- Then provide the rest of the values including the Docker Datacenter License Key. Be aware that the key doesn’t get validated, so it will not complain if you put in the wrong key. You need to enter the entire text from the license file you received from Docker. You can update the key after the cluster is created. Check the common issues section at the end of the article for more details.
8- Press OK
9- Go over the summary and if everything looks good press OK
10- Press Purchase
The provisioning time will be different depending on the region and time of provisioning but usually its done between 5-10 minutes. The azure portal will notify you when the cluster has been provisioned successfully.
You may need to wait another 15 minutes or so after the cluster is provisioned to allow for the DTR to be configured.
You can navigate to the resource group where you have created your Docker cluster to inspect all the Azure resources created:
Now you have successfully deployed a DockerEE cluster
- How can I find out what the DTR URL is?
Navigate to the resource group where the cluster is created as shown above and find a resource of type Public IP address with the name dockerswarm-dtrLoadBalancer-public-ip
Click on that resource | then copy the DNS name
You can browse the URL: http://dtrlb-nlo5xsvfj5ty2.southcentralus.cloudapp.azure.com
That should prompt you to login …
2. Which storage account the DTR is using? How can I change it?
You can see the Azure storage account information that is used by DTR and change it from the DTR portal under Settings | Storage
3. Can I script the deployment of the cluster?
Yes. Docker have created an excellent bash script for that.
You run the following command:
$ docker run -ti docker4x/create-sp-azure sp-name [rg-name rg-region]
Then this using the Azure CLI you run this command:
$ az group create --name DockerGroup --location centralus --deployment-name docker.template --template-file
- You get the following error at the homepage of the DTR portal “Warning: Unlicensed copy. Please register your license on the Settings page”
This means your license key is invalid. You need to update the license key as follows:
Navigate to the settings page | General tab| Press on Apply new license
Select the new license key (*.lic) file and press Open
Once its loaded successfully, it should look like this:
3. Trying to load the DTR portal but its not working (getting timeout error)
Make sure you have waited at least 15 mins after the cluster has been deployed to allow Docker to provision and configure the load balancer and IP config for the DTR endpoint.
If it still doesn’t work, make sure you have granted access the App principal used in creating the cluster to the resource group where the cluster has been provisioned.
If not, you can fix the permissions and redeploy a new cluster. Check the steps above for provisioning a new Docker cluster.
4. The Docker cluster deployment job failed due to a VM didn’t start on time
This happens when a VM takes longer than expected to start so the deployment job timesout.
If that happens I would suggest deleting the cluster and re-deploying a new one. Obviously, you can go a restart the VM (that failed to start on time), however, from my experience that results on issues in configuring DTR. So it’s better to re-deploy.
- Docker EE best practices & considerations
- Application and service principal objects in Azure Active Directory
- Docker for Azure Setup & Prerequisites
This post first appeared on MSDN Blogs | Get The Latest Information, Insights, Announcements, And News From Microsoft Experts And Developers In The MSDN Blogs., please read the originial post: here