github.com/dpiddy/docker@v1.12.2-rc1/docs/userguide/networking/overlay-security-model.md

<!--[metadata]>
+++
title = "Swarm mode overlay network security model"
description = "Docker swarm mode overlay network security model"
keywords = ["network, docker, documentation, user guide, multihost, swarm mode", "overlay"]
[menu.main]
parent = "smn_networking"
weight=-2
+++
<![end-metadata]-->

# Docker swarm mode overlay network security model

Overlay networking for Docker Engine swarm mode comes secure out of the box. The
swarm nodes exchange overlay network information using a gossip protocol. By
default the nodes encrypt and authenticate the information they exchange via
gossip using the [AES algorithm](https://en.wikipedia.org/wiki/Galois/Counter_Mode)
in GCM mode. Manager nodes in the swarm rotate the key used to encrypt gossip
data every 12 hours.

You can also encrypt the data exchanged between containers on different nodes on
the overlay network. To enable encryption, pass the `--opt encrypted` flag when
you create the overlay network:

```bash
$ docker network create --opt encrypted --driver overlay my-multi-host-network

dt0zvqn0saezzinc8a5g4worx
```

When you enable overlay encryption, Docker creates IPsec tunnels between all the
nodes where tasks are scheduled for services attached to the overlay network.
These tunnels also use the AES algorithm in GCM mode, and manager nodes
automatically rotate the keys every 12 hours.

## Swarm mode overlay networks and unmanaged containers

Because the overlay networks for swarm mode use encryption keys from the manager
nodes to encrypt the gossip communications, only containers running as tasks in
the swarm have access to the keys. Consequently, containers started outside of
swarm mode using `docker run` (unmanaged containers) cannot attach to the
overlay network.
For example:

```bash
$ docker run --network my-multi-host-network nginx

docker: Error response from daemon: swarm-scoped network
(my-multi-host-network) is not compatible with `docker create` or `docker
run`. This network can only be used by a docker service.
```

To work around this situation, migrate the unmanaged containers to managed
services. For instance:

```bash
$ docker service create --network my-multi-host-network my-image
```

Because [swarm mode](../../swarm/index.md) is an optional feature, the Docker
Engine preserves backward compatibility. You can continue to rely on a
third-party key-value store to support overlay networking if you wish.
However, switching to swarm mode is strongly encouraged. In addition to the
security benefits described in this article, swarm mode enables you to leverage
the substantially greater scalability provided by the new services API.
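The security model above has an asymmetry worth auditing for: gossip (control-plane) traffic is encrypted by default, but container-to-container (data-plane) traffic on an overlay is only encrypted when the network was created with `--opt encrypted`. The following audit script is an added example, not part of the Docker documentation or the Docker project. It reads `docker network inspect` JSON and lists overlay networks that were created without the encrypted option. It assumes the inspect output is a JSON list of network objects carrying `Name`, `Driver`, `Scope` and `Options` keys, and that `--opt encrypted` is recorded as an `encrypted` key (with an empty string value) in the `Options` map; the sample output embedded in the script is constructed, reusing only the network name and id shown on this page.

```python
"""Audit `docker network inspect` output for overlay networks whose data plane
is not encrypted.

Added example, not Docker project code. Assumptions (not confirmed by the page):
`docker network inspect` returns a JSON list of objects with "Name", "Driver",
"Scope" and "Options"; an overlay created with `--opt encrypted` carries an
"encrypted" key in "Options" whose value is an empty string.
"""
import json
import subprocess
from typing import Iterable, List

# Constructed sample of inspect output: one encrypted overlay, one overlay created
# without --opt encrypted, and a local bridge network that is out of scope.
SAMPLE_INSPECT_OUTPUT = json.dumps([
    {
        "Name": "my-multi-host-network",
        "Id": "dt0zvqn0saezzinc8a5g4worx",  # id as shown in the page's example
        "Scope": "swarm",
        "Driver": "overlay",
        "Options": {"encrypted": ""},
    },
    {
        "Name": "plaintext-overlay",
        "Id": "PLACEHOLDER-ID-1",  # constructed placeholder
        "Scope": "swarm",
        "Driver": "overlay",
        "Options": {},
    },
    {
        "Name": "bridge",
        "Id": "PLACEHOLDER-ID-2",  # constructed placeholder
        "Scope": "local",
        "Driver": "bridge",
        "Options": {},
    },
])


def is_encrypted_overlay(network: dict) -> bool:
    """True when the network is an overlay with an encrypted data plane.

    The option is stored as a key with an empty-string value, so the check
    must test for key presence rather than for a truthy value.
    """
    options = network.get("Options") or {}
    return network.get("Driver") == "overlay" and "encrypted" in options


def find_unencrypted_overlays(inspect_json: str) -> List[str]:
    """Return the names of overlay networks lacking `--opt encrypted`.

    Gossip between swarm nodes is always encrypted; this check only concerns
    the opt-in encryption of container traffic crossing node boundaries.
    """
    networks = json.loads(inspect_json)
    return [
        n["Name"]
        for n in networks
        if n.get("Driver") == "overlay" and not is_encrypted_overlay(n)
    ]


def audit_live_daemon(names: Iterable[str]) -> List[str]:
    """Run the same check against a real daemon (needs the docker CLI)."""
    result = subprocess.run(
        ["docker", "network", "inspect", *names],
        check=True, capture_output=True, text=True,
    )
    return find_unencrypted_overlays(result.stdout)


if __name__ == "__main__":
    # Offline run over the constructed sample; for a live swarm, call
    # audit_live_daemon(["my-multi-host-network", ...]) on a manager node.
    for name in find_unencrypted_overlays(SAMPLE_INSPECT_OUTPUT):
        print(f"WARNING: overlay network {name!r} was created without --opt encrypted")
```

Run against a live swarm, the script should be executed on a manager node, since that is where `docker network inspect` sees all swarm-scoped networks; a non-empty result means traffic between tasks on different nodes for that network is crossing the wire without the IPsec tunnels described above.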