Docker swarm mode overlay network security model
Docker swarm mode overlay network security model
Estimated reading time:
1 minute
Overlay networking for Docker Engine swarm mode comes secure out of the box. The
swarm nodes exchange overlay network information using a gossip protocol. By
default the nodes encrypt and authenticate information they exchange via gossip
using the AES algorithm in
GCM mode. Manager nodes in the swarm rotate the key used to encrypt gossip data
every 12 hours.
You can also encrypt data exchanged between containers on different nodes on the
overlay network. To enable encryption, when you create an overlay network pass
the --opt encrypted flag:
$
docker network create --opt
encrypted --driver
overlay my-multi-host-network
dt0zvqn0saezzinc8a5g4worx
When you enable overlay encryption, Docker creates IPSEC tunnels between all the
nodes where tasks are scheduled for services attached to the overlay network.
These tunnels also use the AES algorithm in GCM mode and manager nodes
automatically rotate the keys every 12 hours.
Do not attach Windows nodes to encrypted overlay networks.
Overlay network encryption is not supported on Windows. If a Windows node
attempts to connect to an encrypted overlay network, no error is detected but
the node will not be able to communicate.
Swarm mode overlay networks and unmanaged containers
It is possible to use the overlay network feature with both --opt encrypted --attachable, and attach unmanaged containers to that network:
$
docker network create --opt
encrypted --driver
overlay --attachable
my-attachable-multi-host-network
9s1p1sfaqtvaibq6yp7e6jsrt
Just like services that are attached to an encrypted network, regular containers can also have the advantage of encrypted traffic when attached to a network created this way.
![Toni Kroos là ai? [ sự thật về tiểu sử đầy đủ Toni Kroos ]](https://evbn.org/wp-content/uploads/New-Project-6635-1671934592.jpg)
