How should I run a secure swarm in production?

I want to use a docker swarm in production.

I have already encrypted all overlay networks, but I’m not sure how to secure the ports that are used by the docker engine. Usually I use ufw for managing access to ports, but this does not work as expected for docker.

I have also experimented with adding rules to the DOCKER-USER iptables chain, but the results are a bit confusing. I used a setup with 1 manager and 1 worker. On the worker I dropped all packets on ports 2377, 7946 and 4789.

I expected that from that point onwards the manager should be unaware of the service status for services running on the worker. However, the manager had no problems displaying the service status; when I killed a container on the worker the manager knew (the replication count reported on the manager dropped).

So this leaves me confused as to how I’m supposed to secure these ports, if at all?

Also, what are the risks with exposing these ports to untrusted networks?
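As an added example (not code from this thread), here is a small generator for an iptables rule set that allows the ports named above only from known peers; it assumes the rules belong in a chain hooked from INPUT rather than DOCKER-USER (DOCKER-USER is traversed only from FORWARD, so packets addressed to the host itself never reach it) and that peers are given as IPv4 addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Prints an iptables rule set that
# accepts swarm traffic only from the listed peers and drops it from anyone
# else. Review the output, then pipe it into sh as root to apply it.
#
# Assumption: a dedicated chain hooked from INPUT. DOCKER-USER is consulted
# only from FORWARD (traffic routed through the host to containers); swarm
# control and data-plane packets are addressed to the host, so they are
# evaluated in INPUT and never see DOCKER-USER rules.

CHAIN=SWARM-PEERS

# Ports from the question; 7946 is used over both TCP and UDP. IP protocol 50
# (ESP) carries the traffic of encrypted overlay networks.
SWARM_MATCHES="-p tcp --dport 2377
-p tcp --dport 7946
-p udp --dport 7946
-p udp --dport 4789
-p 50"

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# swarm_rules PEER...: print iptables commands; fail on a malformed peer
swarm_rules() {
    [ "$#" -gt 0 ] || { echo "usage: swarm_rules PEER..." >&2; return 1; }
    for peer in "$@"; do
        valid_ipv4 "$peer" || { echo "bad peer: $peer" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    echo "$SWARM_MATCHES" | while read -r match; do
        # accept each swarm match from every known peer ...
        for peer in "$@"; do
            echo "iptables -A $CHAIN $match -s $peer -j ACCEPT"
        done
        # ... and drop that match from everyone else
        echo "iptables -A $CHAIN $match -j DROP"
    done
    # hook the chain at the top of INPUT so it runs before other rules
    echo "iptables -I INPUT 1 -j $CHAIN"
}

# When run with peer addresses as arguments, emit the rule set.
[ "$#" -eq 0 ] || swarm_rules "$@"
```

After applying, `iptables -L SWARM-PEERS -v -n` shows per-rule packet counters, which is the quickest way to confirm the chain is actually seeing the swarm traffic.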

First thing is to understand your attack vectors. How could you be hacked?

We use VMs and dedicated servers; they are in a VLAN at a hoster, with an “external” firewall.

Personally I feel there are a lot of bigger risks: what happens if your reverse proxy has a bug and an attacker can take over the container. Does the container run with a restricted user? Is it up to date?

Is the Docker Socket mounted into the container, is it only readable (:ro won’t do!), is access limited? Is a docker-socket-proxy used? Then it’s another attackable component: are the source code and build pipeline trustworthy?

What about the application? Can an attacker take over the container? Restricted user? Is the user auth working? Is the code correct? Can an attacker see more through additional parameters passed?

In general I think that the Docker ports are pretty secure; I’m not sure if fail2ban is supported, but there are a lot of other risks.

Check this post for further reading.