I’ve been stepping through the tutorial Networking with overlay networks | Docker Docs. I’m using the section to create an overlay network between stand-alone-containers.
Everything in the tutorial works, however I attempted to take this example farther by creating an encrypted tunnel.
I tested two versions of the following command:
docker network create --driver=overlay --attachable --subnet=10.0.70.1/24 --opt encrypted=true --opt com.docker.network.driver.mtu=1200 openldap-net
docker network create --driver=overlay --attachable --subnet=10.0.70.1/24 --opt encrypted=true openldap-net
I’m testing against two stand-alone containers deployed on two separate VM’s virtualized by the bhyve supervisor on FreeNAS.
After creating the external network, I created two test containers (one on the manager node and the second on the worker node):
sudo docker run -dit --name alpine1 --network openldap-net alpine <----On manager node
sudo docker run -dit --name alpine2 --network openldap-net alpine <----On worker node
I confirmed the open-ldap was recognized and visible both on the manager and worker node:
$ sudo docker network ls
NETWORK ID NAME DRIVER SCOPE
387dcb0447d9 bridge bridge local
a83eff2fd2ec docker-net bridge local
03274edc9e94 docker_gwbridge bridge local
5969c9f024f2 host host local
lt38gs7h9d9q ingress overlay swarm
bde961b8ece2 none null local
k7ukgdb40cdm openldap-net overlay swarm
I shelled into both containers via a docker exec -it <container_name> /bin/sh and attempted to ping the other container. In all cases – with/without altering MTU – each container could not ping the other container. I had 100% packet loss.
When not employing the option when creating the network: --opt encryption=true the two containers could ping one another without a problem.
Is there a trick to creating a DNS-SEC tunnel or using an encrypted overlay network??