Mesh networking security

Does the mesh network automatically encrypt all network traffic between containers? Or, only between a container and a service? Or, no container to container encryption? Do I need to enable Swarm Mode for automatic encryption? Should I remove the SSL connection between my app and the mysql database since the mesh networking would automatically secure this connection?

I’m very confused about the new mesh networking security other than Docker 1.12 is “secure by default”. Is there any good user documentation that goes into the details of mesh networking and security? I haven’t found much in my searches.

Yes, it’s secure and you can remove the SSL connection between your services:
I was confused by that, too! Take a look at @nathanleclaire’s comment at: Getting pretty frustrated trying to build a swarm

You say “between your services”. Does that mean that traffic between regular containers (launched by docker run) is also encrypted? Or only traffic between a container and a docker service?

Well, it’s a good question, because my initial doubt was related to security between hosts and took as a premise that the host itself was secure for communication between its own services.
I think that even in your scenario the data will be encrypted, but I really don’t know. It’s better to wait for a more authoritative answer.

FYI, I don’t think any service-to-service (i.e., running in containers) communications are encrypted in Docker by default. You can enable encrypted communication between endpoints on an overlay network using the --opt secure flag for docker network create.

$ docker network create -d overlay --opt secure securenet

cc @mavenugo who is a bit more knowledgeable on these matters

Interesting. I looked in the docs and couldn’t find anything on the --opt secure network setting.

What does it do? And, does it encrypt/decrypt all traffic on this overlay network?

If so, why isn’t the secure option the default, so that users who create a network would have to turn the option off? This would be in line with the marketing that the new swarm mode is “secure by default”.

So, what about the network created by Docker Compose? How could I enable the secure opt?

Yes, I think it’s just an existing documentation hole.

I’m not 100% sure of the exact details, but my understanding is that yes, that’s what it will do: encrypt the communication between nodes on the same overlay network. I think it may be a Docker 1.12 (swarm mode) specific feature, but I’m not 100% sure.

Personally, I’d advocate for this, but I know some feedback from users was collected indicating that they’d rather not have the performance hit. My 2c is that I’d like to see some benchmarks on this and favor safety/security over performance, but as always it’s hard to pick a default which pleases everyone. Feel free to open an issue on docker/docker and CC the network maintainers if you feel strongly; now’s the time (pre-1.12 release) to do so.

I don’t know if it will work with the new Swarm stuff, since Compose does some docker network magic of its own – but generally, define a network with driver: overlay and driver_opts of secure in the Compose V2 file ( Networking in Compose | Docker Docs ).
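As an added example (not code from any post in this thread, and not Docker’s own documentation), here is the Compose approach from the post above written out in full, with the weak and the hardened network side by side. It assumes the option shipped in Docker 1.12 under the name `encrypted` (the thread refers to the pre-release name `secure`); the image names and network names are placeholders.

```yaml
# Added example. Same application declared against two overlay networks:
# one with the driver defaults, one with data-plane encryption requested.
version: "2"

services:
  app:
    image: example/app:latest        # placeholder image
    networks:
      - backend_encrypted
  db:
    image: mysql:5.7                 # placeholder image
    networks:
      - backend_encrypted

networks:
  # Weak (the default): the swarm control plane (gossip, raft, node
  # identity) is TLS-protected, but container-to-container traffic on this
  # network crosses the hosts as plain VXLAN and can be read on the wire.
  backend_plain:
    driver: overlay

  # Hardened: ask the overlay driver to encrypt the data plane as well
  # (IPsec between the swarm nodes). CLI equivalent, assumed here:
  #   docker network create -d overlay --opt encrypted backend_encrypted
  # The thread calls this option "secure"; "encrypted" is the name that
  # shipped in 1.12. Only the key matters, the value is a placeholder.
  backend_encrypted:
    driver: overlay
    driver_opts:
      encrypted: "true"
```

After bringing the stack up, `docker network inspect backend_encrypted` should list the option under `Options`; if it is absent, the network was created without encryption and should be removed and recreated, since the option cannot be added to an existing network. Note that this encryption only covers traffic between nodes: two containers on the same host talk over the local bridge and are not IPsec-protected, and nothing here replaces the SSL/TLS between an application and its database if that connection may ever leave the overlay network (for example to a database outside the swarm).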


I watched the Dockercon 2016 Deep Dive into Networking video today and found out that the developers talk in terms of two networking planes: the control-plane and the data-plane. The control-plane is the one that is “secure by default”. The data-plane for an overlay network has the option to encrypt data going over the network. This encryption is not on by default.

Apparently, you need to use the overlay driver with the secure option to create a secure network. It wasn’t clear whether this requires swarm mode to be on; I’m betting that the overlay driver now requires swarm mode, but I’m not sure. The other feature I’m unsure about is whether the traffic between two containers on a secure network is only encrypted if the two containers are on separate swarm nodes. If they happen to be on the same node, I’m not sure if the traffic will be encrypted/decrypted (I suspect not).

The final point I got from watching the video is that the “mesh network” really refers to having every node in the swarm cluster forward traffic on a published port to the containers in the service that publishes the port. It wasn’t clear to me what the difference is between a service and a container started by docker run when it comes to published ports. Will the “mesh network” forward traffic received on one of the swarm worker nodes to a container started by docker run even if that container runs on a different node? Or is this “port forwarding” feature only applicable to services started by docker service create?

No, I don’t think so. It might be possible if you manually attach the container to the (default created) ingress sandbox docker network, but I wouldn’t count on it (i.e., it’d be arbitrary and not intentional).

Yes, this. That’s what the default ingress network is intended for.