needs a rebase @aaronlehmann

Gah! It's not ready to merge. Super annoying how CI forces a merge against master and then falls over with compilation errors when there are conflicts.

ping @dnephin @thaJeztah @aluzzardi - it would be great to get some early design review

What's the overall workflow UX-wise?

What happens while the swarm in locked?

What's the overall workflow UX-wise?

docker swarm init --autolock or docker swarm update --autolock to turn on manager locking. This prints out a key.

Then on restart docker swarm unlock is necessary to start the manager. This takes the key on stdin.

You can retrieve the current key with docker swarm unlock-key, or rotate it with docker swarm unlock-key --rotate.

What happens while the swarm in locked?

The swarm components do not operate until you run docker swarm unlock.

This needs help reviewing, specifically the UX workflow (see @aaronlehmann comment above).

Some comments:

• autolock seems weird - there is no lock command, so it's not obvious what we're automating. autounlock would maybe make more sense? It's symmetric with docker swarm unlock. /cc @dnephin
• Exposing the CA service and having the Engine talk to it seems weird. We should not talk to anything else but the Control API IMHO. Perhaps we should just return the unlock key in inspect and remove the unlockkey endpoint altogether?
• Consistency: We redact sensitive data from the API (such as secret data), yet we allow retrieving the unlockkey. Does this constitute a security issue? /cc @diogomonica

/cc @icecrime @thaJeztah @vieux @tiborvass

Tested and reviewed this and design LGTM. Previous version had a way to specify lock key and never returned it from remote api. I think it was changed for ease of use and I don't really have a preference about which is better. Current behavior is consistent with join-tokens.

The behavior of the down nodes after rotation/autolock change needs to be clearly documented as it isn't obvious.

@aaronlehmann Maybe in follow-up we could run all swarm tests with encryption enabled. Even if it requires an env switch it would give much more coverage.

@icecrime @thaJeztah @vieux @tiborvass @diogomonica: Any thoughts regarding the comments above?

This is getting merged today, feedback much appreciated.

@aluzzardi --autolock seems ok to me, I don't have a better name

@aaronlehmann could you add API and CLI reference doc ?

Options:
--advertise-addr value Advertised address (format: <ip|interface>[:port])

•  --autolock                        Enable or disable manager autolocking (requiring an unlock key to start a stopped manager)
  

  This one is for init, so it can only "enable" it, so this can be simply;

Enable manager autolocking (requiring an unlock key to start a stopped manager)

The flag is shared between init and update right now. Do you think the phrasing of the description should be different for these connands?

Saw this failure in CI running on an unrelated PR:

02:44:57 ----------------------------------------------------------------------
02:44:57 FAIL: docker_cli_swarm_test.go:952: DockerSwarmSuite.TestSwarmRotateUnlockKey
02:44:57 
02:44:57 [d761dbbbf650b] waiting for daemon to start
02:44:57 [d761dbbbf650b] daemon started
02:44:57 [d761dbbbf650b] exiting daemon
02:44:57 [d761dbbbf650b] waiting for daemon to start
02:44:57 [d761dbbbf650b] daemon started
02:44:57 [d761dbbbf650b] exiting daemon
02:44:57 [d761dbbbf650b] waiting for daemon to start
02:44:57 [d761dbbbf650b] daemon started
02:44:57 docker_cli_swarm_test.go:1020:
02:44:57     c.Assert(err, checker.IsNil, check.Commentf("out: %v", string(out)))
02:44:57 ... value *exec.ExitError = &exec.ExitError{ProcessState:(*os.ProcessState)(0xc421b583c0), Stderr:[]uint8(nil)} ("exit status 1")
02:44:57 ... out: Error response from daemon: swarm could not be unlocked: invalid key provided
02:44:57 
02:44:57 
02:44:57 [d761dbbbf650b] exiting daemon

I'll investigate this and provide a fix.