add swarm mode overlay networking security model #25135
to five nodes that particpate in an overlay network called | ||
`payment-card-net`. | ||
|
||
In this case, only the five nodes on the `payment-card-net` exchange overlay |
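Review bot: typo in the added text: "particpate" should be "participate". The sentence "only the five nodes on the `payment-card-net` exchange overlay" also needs qualifying as "of the worker nodes, only those five", since the discussion on this hunk confirms that every manager knows about every overlay network; as written it reads as an absolute statement about which nodes hold the network's state.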
@mgoelzer, please verify this behavior. Wouldn't at least one manager need to be in that group? Meaning, managers know about the overlay in addition to any participating nodes?
Yes, you're correct. All managers know about all overlay networks. What I meant (but phrased poorly) is that of the worker nodes, only those five would know about `payment-card-net`.
Managers are like superusers -- they know everything and can do everything. It's very bad if one gets compromised. Maybe we should say that explicitly here?
@mgoelzer I think this is clearer now. PTAL
@@ -1,538 +0,0 @@ | |||
<!--[metadata]> |
Did you `git mv` this file, or "copy" and remove? Currently it doesn't show that it was renamed from dockernetworks.md to index.md, and the git history is more difficult to find because of that.
I should have done a `git mv`. I did a FS rename. Is that fixable? Rename it back and then `git mv`?
|
||
Two key architectural components provide the enhanced security of swarm mode: | ||
|
||
* **Unidirectional manager to worker communication model.** Swarm mode worker |
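Review bot: the bullet "Unidirectional manager to worker communication model" breaks off before it says what "unidirectional" actually forbids, yet that is the property the security claim rests on. Finish the sentence by stating which side may issue instructions and which side may only act on them, so the reader can judge what a compromised worker could and could not reach.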
We didn't introduce the existence of Workers and Managers. Maybe an image first?
Will add a link for more info on workers and managers.
@sfsmithcha get-started-overlay.md is still referring to the non-swarm mode of overlay network creation with the KV store. I think we should mention the swarm mode first here and move the current content into a section for legacy or non-swarm mode.
@sanimej that was out of scope of this original PR, but now I have opened it up in the
@diogomonica, @sanimej, @mavenugo, @nathanleclaire PTAL. Still have an outstanding question about how to resolve the issue with the strongly worded bit about network access.
|
||
# Encryption and overlay networks | ||
|
||
Overlay networks do not enable encryption between nodes by default. To enable |
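Review bot: "Overlay networks do not enable encryption between nodes by default" attributes the behaviour to the network object rather than to the overlay driver, and it does not say how encryption is switched on. Say that the overlay driver does not encrypt traffic between nodes by default and name the option used to enable it, so a reader can both turn it on and check whether an existing network has it.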
It should be: "Overlay driver does not encrypt the VXLAN traffic between the nodes by default".
Updated, @diogomonica @thaJeztah PTAL. Only looking at overlay-security-model.md, and the overlay sections of index.md and get-started-overlay.md.
dt0zvqn0saezzinc8a5g4worx | ||
``` | ||
|
||
When you enable overlay encryption, Docker creates IPSEC tunnels between all the |
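Review bot: "IPSEC" should be written "IPsec" throughout. More importantly, "between all the" overstates the scope; as the reviewer comment on this hunk points out, the tunnels are set up on demand only between nodes that have tasks scheduled on that network, and the paragraph should say so, since that is what determines which node pairs carry encrypted traffic.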
@mrjana PTAL at this paragraph
@sfsmithcha this isn't correct. The IPsec tunnels are established between the nodes only on demand, i.e., only between the nodes where the tasks are scheduled on that particular network.
Thanks @sfsmithcha, two minor nits/suggestions, but LGTM otherwise; would like to have @mrjana have a quick peek at #25135 (comment) though.
Overlay networks for a swarm are not available to unmanaged containers. For more information refer to [Docker swarm mode overlay network security model](overlay-security-model.md). | ||
|
||
|
||
## Overlay networking with an external key-value store |
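Review bot: "unmanaged containers" is used without definition in the sentence "Overlay networks for a swarm are not available to unmanaged containers". Say that this means containers started directly with `docker run` rather than as tasks of a swarm service, since that is the distinction the restriction depends on.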
Can we mention the fact that these two modes of operation are not compatible with one another? Meaning, the external key-value store option won't work with swarm mode.
Signed-off-by: Charles Smith <charles.smith@docker.com>
CI errors not related to this PR.
Describes the overlay network security model for swarm mode. Also updates the networking user guide to use the new menu.md/index.md model
Signed-off-by: Charles Smith charles.smith@docker.com