Configuring Encryption for Swarm Overlay network in Compose

Hi,

I’m going to answer my own question since, after much additional reading and experimentation, I have been able to solve this compose file configuration issue.

Here is the successful configuration:

networks:
  my-app-backend:
    driver: overlay
    driver_opts:
      encrypted: ""

Using ‘encrypted: “true”’ also works. I stumbled upon this excellent article:
https://github.com/docker/labs/blob/master/networking/concepts/11-security.md. The author used “--opt encrypted=true” in his command-line example rather than “--opt encrypted”. It works in the compose file, too.

I deployed a swarm that had the visualizer container (dockersamples/visualizer:stable) on the first node and a container, on a second node, that had nslookup and wget included (curl would be fine, too). Both of these containers were hooked to the “my-app-backend” overlay network. I named the visualizer “viz” and did “wget viz:8080” from inside the container on the second node.

I reduced the tcpdump command to the minimum viable options and had it waiting for traffic on the first container: “sudo tcpdump -p esp”.

And presto… encrypted traffic flowed.

sudo tcpdump -p esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:13:27.454802 IP 46.101.xx.xxx > demo-docker-swarm-node01: ESP(spi=0x8e56b83c,seq=0x4), length 180
11:13:27.454897 IP demo-docker-swarm-node01 > 46.101.xx.xxx: ESP(spi=0x02c6bf84,seq=0x3), length 108
11:13:27.498887 IP demo-docker-swarm-node01 > 46.101.xx.xxx: ESP(spi=0x02c6bf84,seq=0x4), length 1480
11:13:27.498935 IP demo-docker-swarm-node01 > 46.101.xx.xxx: ESP(spi=0x02c6bf84,seq=0x5), length 856

Ok, now just a little suggestion (and peeve).

As an example, I modified the configuration key to be ‘xencrypted: “”’. No error was reported on deployment, but the network traffic was not encrypted, either.

The beauty of all this is that you have baked encryption in to the point where it is just part of the fabric. The bad point is that it should not be easy for simple configuration errors to go unchecked and result in the network silently reverting to clear text.

I think the encryption switch should be promoted to a first-class switch like ‘network_encrypted: “true/false”’. This way the syntax can be accurately checked, so the simple things don’t undo all the hard work you put into implementing security. Possibly, “Secrets and Lies” by Bruce Schneier may be apropos.

4 Likes
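Two checks that follow from the post above, as an added example that is not part of the original post and not Docker's or Compose's own tooling. The first is a pre-deploy lint over the parsed compose file: every top-level overlay network must carry the `encrypted` key in `driver_opts`, and any other key (the `xencrypted` typo from the post) is flagged, because Swarm accepts unknown `driver_opts` without complaint. The second is a post-deploy check over tcpdump summary lines. Note that the post's filter `esp` can only ever show encrypted packets, so it cannot reveal a silent fall-back to clear text; capturing with `tcpdump -p 'esp or udp port 4789'` instead and counting both kinds works, since plain overlay traffic is VXLAN on UDP 4789 while encrypted traffic is ESP. Assumptions not from the post: PyYAML is used only when loading a real file (`load_compose`), the set of accepted option keys is just `encrypted`, and the compose dicts and capture lines below are constructed samples, not real deployments or captures.

```python
"""Checks around encrypted Swarm overlay networks declared in a compose file.

Added example for this thread, not Docker's or Compose's own tooling.
Assumptions that do not come from the post:
  * a real compose file would be loaded with PyYAML (load_compose); the
    samples below are constructed dicts so the module runs offline;
  * clear-text overlay traffic appears in tcpdump output as VXLAN on
    UDP 4789, encrypted traffic as ESP (the latter is what the post saw).
"""
import re

# driver_opts keys accepted by this lint.  Swarm does not reject unknown
# keys, so a misspelling such as "xencrypted" silently yields clear text.
# Extend this set with any other overlay options you legitimately use.
KNOWN_OVERLAY_OPTS = {"encrypted"}


def load_compose(path):
    """Parse a compose file with PyYAML (imported lazily; assumes it is installed)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def lint_overlay_networks(compose):
    """Return findings for top-level overlay networks that are not encrypted.

    The post confirms that both `encrypted: ""` and `encrypted: "true"`
    enable encryption, so only the presence of the key is checked here.
    """
    findings = []
    for name, net in (compose.get("networks") or {}).items():
        net = net or {}
        if net.get("external") or net.get("driver") != "overlay":
            continue  # defined elsewhere, or not an overlay network
        opts = net.get("driver_opts") or {}
        for key in opts:
            if key not in KNOWN_OVERLAY_OPTS:
                findings.append(f"{name}: unknown driver_opts key {key!r} (typo?)")
        if "encrypted" not in opts:
            findings.append(f"{name}: overlay network is not encrypted")
    return findings


# tcpdump summary-line patterns: IPsec ESP vs. VXLAN on UDP 4789.
ESP_RE = re.compile(r"\bESP\(spi=0x[0-9a-fA-F]+")
VXLAN_RE = re.compile(r"\.4789[: ]|\bVXLAN\b")


def classify_capture(lines):
    """Count encrypted (ESP) and clear-text overlay (VXLAN) packets in tcpdump lines."""
    counts = {"esp": 0, "vxlan": 0}
    for line in lines:
        if ESP_RE.search(line):
            counts["esp"] += 1
        elif VXLAN_RE.search(line):
            counts["vxlan"] += 1
    return counts


def overlay_traffic_is_encrypted(lines):
    """True only if ESP was seen and no clear-text VXLAN packet at all."""
    counts = classify_capture(lines)
    return counts["esp"] > 0 and counts["vxlan"] == 0


# Constructed sample inputs (not real deployments or captures).
COMPOSE_GOOD = {"networks": {"my-app-backend": {
    "driver": "overlay", "driver_opts": {"encrypted": ""}}}}
COMPOSE_TYPO = {"networks": {"my-app-backend": {
    "driver": "overlay", "driver_opts": {"xencrypted": ""}}}}

CAPTURE_ENCRYPTED = [
    "11:13:27.454802 IP 203.0.113.10 > node01: ESP(spi=0x8e56b83c,seq=0x4), length 180",
    "11:13:27.454897 IP node01 > 203.0.113.10: ESP(spi=0x02c6bf84,seq=0x3), length 108",
]
CAPTURE_CLEAR = [
    "11:14:02.100001 IP 203.0.113.10.40333 > node01.4789: VXLAN, flags [I] (0x08), vni 4097",
    "11:14:02.100210 IP node01.4789 > 203.0.113.10.40333: VXLAN, flags [I] (0x08), vni 4097",
]

if __name__ == "__main__":
    for label, doc in (("good", COMPOSE_GOOD), ("typo", COMPOSE_TYPO)):
        print(label, lint_overlay_networks(doc) or ["ok"])
    print("encrypted capture:", overlay_traffic_is_encrypted(CAPTURE_ENCRYPTED))
    print("clear-text capture:", overlay_traffic_is_encrypted(CAPTURE_CLEAR))
```

In practice the lint runs in CI against the compose file before `docker stack deploy`, and the capture check runs once on a node after deployment with a few seconds of `tcpdump -p -l 'esp or udp port 4789'` piped in; a mixed result (ESP and VXLAN both present) is treated as a failure, since one overlay network could be encrypted while a misspelled one is not.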