add swarm mode overlay networking security model #25135
Conversation
| to five nodes that particpate in an overlay network called | ||
| `payment-card-net`. | ||
|
|
||
| In this case, only the five nodes on the `payment-card-net` exchange overlay |
There was a problem hiding this comment.
@mgoelzer , please verify this behavior. Wouldn't at least one manager need to be in that group. Meaning managers know about overlay in addition to any participating nodes?
There was a problem hiding this comment.
Yes, you're correct. All managers know about all overlay networks. What I meant (but phrased poorly) is that of the worker nodes, only those five would know about payment-card-net.
Managers are like superusers -- they know everything and can do everything. It's very bad if one gets compromised. Maybe we should say that explicitly here?
There was a problem hiding this comment.
@mgoelzer I think this is clearer now. PTAL
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
4 times, most recently
from
d009df5
to
f67ea38
Compare
| @@ -1,538 +0,0 @@ | |||
| <!--[metadata]> | |||
There was a problem hiding this comment.
did you git mv this file, or "copy" and remove? currently it doesn't show that is was renamed from dockernetworks.md to index.md, and the git history is more difficult to find because of that
There was a problem hiding this comment.
i should have done a git mv. i did a FS rename. is that fixable? rename it back and then git mv?
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
from
f67ea38
to
714dd53
Compare
|
|
||
| Two key architectural components provide the enhanced security of swarm mode: | ||
|
|
||
| * **Unidirectional manager to worker communication model.** Swarm mode worker |
There was a problem hiding this comment.
We didn't introduce the existence of Workers and Managers. Maybe an image first?
There was a problem hiding this comment.
Will add a link for more info on workers mgrs.
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
3 times, most recently
from
2f16c37
to
f171ed4
Compare
|
@sfsmithcha get-started-overlay.md is still referring to the non-swarm mode of overlay network creation with the KV store. I think we should mention the swarm mode first here and move the current content into a section for legacy or non-swarm mode. |
|
@sanimej that was out of scope of this original PR, but now I have opened it up in the |
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
3 times, most recently
from
1c06795
to
296753d
Compare
|
@diogomonica , @sanimej , @mavenugo , @nathanleclaire PTAL. Still have an outstanding question about how to resolve the issue with the strongly worded bit about network access. |
|
|
||
| # Encryption and overlay networks | ||
|
|
||
| Overlay networks do not enable encryption between nodes by default. To enable |
There was a problem hiding this comment.
it should be Overlay driver does not encrypt the vxlan traffic between the nodes by default
|
updated @diogomonica @thaJeztah PTAL. Only looking at overlay-security-model.md, and overlay sections of index.md and get-started-overlay.md. |
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
3 times, most recently
from
980d9b5
to
997cc9b
Compare
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
3 times, most recently
from
16f1835
to
cabee9b
Compare
| dt0zvqn0saezzinc8a5g4worx | ||
| ``` | ||
|
|
||
| When you enable overlay encryption, Docker creates IPSEC tunnels between all the |
There was a problem hiding this comment.
@mrjana PTAL at this paragraph
There was a problem hiding this comment.
@sfsmithcha this isnt correct. The IPsec tunnels are established between the nodes only on-demand. i.e, only between the nodes where the tasks are scheduled on that particular network.
|
thanks @sfsmithcha, two minor nits/suggestions, but LGTM otherwise, would like to have @mrjana have a quick peek at #25135 (comment) though |
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
from
cabee9b
to
24dd678
Compare
sfsmithcha
changed the title
| Overlay networks for a swarm are not available to unmanaged containers. For more information refer to [Docker swarm mode overlay network security model](overlay-security-model.md). | ||
|
|
||
|
|
||
| ## Overlay networking with an external key-value store |
There was a problem hiding this comment.
Can we mention the fact that these 2 modes of operations are not compatible with one another ?
Meaning, external key-value store option wont work with swarm-mode.
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
2 times, most recently
from
45a12c4
to
b6b615d
Compare
Signed-off-by: Charles Smith <charles.smith@docker.com>
sfsmithcha
force-pushed
the
add_overlay_networking_note
branch
from
b6b615d
to
cc5debc
Compare
|
CI errors not related to this PR. |
Describes the overlay network security model for swarm mode. Also updates the networking user guide to use the new menu.md/index.md model
Signed-off-by: Charles Smith charles.smith@docker.com