
Docker: How to verify if an overlay network is encrypted

Is there any way to check whether an overlay network is actually encrypted?

I know that you can create an encrypted overlay network using

docker network create --opt encrypted --driver overlay my-encrypted-network

But since you can specify virtually anything as a driver option (--opt), you can easily mistype "encrypted" and Docker won't complain.

Let's say I type (notice the typo!)

docker network create -d overlay --opt encryptedsd my-encrypted-network

Now using docker network inspect my-encrypted-network I only get the information of what I typed, but I can't see if the network is actually encrypted.

[
    {
        "Name": "my-encrypted-network",
        "Id": "j4jd8dlde9u7rs1crlzbqco4p",
        "Created": "2020-02-01T13:17:39.65392102Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.0.4.0/24",
                    "Gateway": "10.0.4.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": null,
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4100",
            "encryptedsd": ""
        },
        "Labels": null
    }
]

Apart from typos, this does not feel reassuring, since I would really like to know whether encryption is actually enabled instead of just knowing what I typed.

Does anyone know if there is a better way to get a reliable answer?

According to the docs:

When you enable overlay encryption, Docker creates IPSEC tunnels between all the nodes where tasks are scheduled for services attached to the overlay network. These tunnels also use the AES algorithm in GCM mode and manager nodes automatically rotate the keys every 12 hours.

An approach different from the one you mention (which, IMO, is valid) would be to check (e.g. using netstat) whether those IPSEC tunnels were created.
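The two checks above, as an added example that is not part of the original question or answer: first test the inspect output for the exact option key "encrypted" (so the typo case is caught mechanically instead of by eye), then confirm that the node's kernel actually holds IPsec security associations. The kernel's IPsec SAs are listed by `ip xfrm state` from iproute2 (netstat shows sockets and routes, not IPsec state); Docker's overlay encryption installs transport-mode ESP SAs using the AEAD `rfc4106(gcm(aes))`. The JSON and `ip xfrm state` samples below are constructed for the demonstration; the `verify_overlay_encryption` helper, which runs the real `docker network inspect` and `ip xfrm state`, is an assumed name for this script and not a Docker command.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether an overlay
# network really carries the "encrypted" option and whether this node
# has the IPsec state Docker installs for it.
# Assumes: docker CLI on a swarm manager (for inspect) and iproute2
# (`ip xfrm`) on a node that hosts a task attached to the network.

# Return 0 if the Options JSON object on $1 contains the exact key
# "encrypted". A mistyped key such as "encryptedsd" does not match.
# Tolerates both the compact `--format '{{json .Options}}'` output and
# the indented full `docker network inspect` dump.
options_has_encrypted() {
    printf '%s\n' "$1" | grep -Eq '"encrypted"[[:space:]]*:'
}

# Count transport-mode ESP security associations in `ip xfrm state`
# output passed on $1. Docker creates one SA per direction per peer,
# so a node with encrypted overlay traffic to N peers shows 2*N.
# `|| true` keeps `grep -c` from failing the pipeline when the count is 0.
count_esp_transport_sas() {
    printf '%s\n' "$1" | grep -Ec 'proto esp .*mode transport' || true
}

# Count SAs whose AEAD is the AES-GCM transform Docker uses.
count_aes_gcm_sas() {
    printf '%s\n' "$1" | grep -Fc 'aead rfc4106(gcm(aes))' || true
}

# Live check against a real swarm (assumed helper name, not a Docker
# command). Usage: verify_overlay_encryption NETWORK_NAME
# Note: `ip xfrm state` is node-wide, so the SAs counted here cover every
# encrypted overlay this node participates in, not only NETWORK_NAME, and
# they appear only once a task on this node has joined the network.
verify_overlay_encryption() {
    net="$1"
    opts=$(docker network inspect --format '{{json .Options}}' "$net")
    if options_has_encrypted "$opts"; then
        echo "$net: option key 'encrypted' is present"
    else
        echo "$net: option key 'encrypted' is MISSING (options: $opts)"
        return 1
    fi
    xfrm=$(ip xfrm state)
    esp=$(count_esp_transport_sas "$xfrm")
    gcm=$(count_aes_gcm_sas "$xfrm")
    echo "$net: $esp transport-mode ESP SAs on this node, $gcm using AES-GCM"
    [ "$esp" -gt 0 ] && [ "$esp" -eq "$gcm" ]
}

# Constructed sample: the Options object of the mistyped network from the
# question, as `--format '{{json .Options}}'` prints it.
SAMPLE_OPTS_TYPO='{"com.docker.network.driver.overlay.vxlanid_list":"4100","encryptedsd":""}'
# Constructed sample: the same network created with the correct --opt encrypted.
SAMPLE_OPTS_OK='{"com.docker.network.driver.overlay.vxlanid_list":"4100","encrypted":""}'

# Constructed sample of `ip xfrm state` on a node with one encrypted peer
# (two SAs, one per direction). Layout follows iproute2 output; the keys
# are dummy values.
SAMPLE_XFRM='src 192.168.56.11 dst 192.168.56.12
    proto esp spi 0x0c2d3f81 reqid 0 mode transport
    replay-window 0
    aead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff01020304 64
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.56.12 dst 192.168.56.11
    proto esp spi 0x7a11e904 reqid 0 mode transport
    replay-window 0
    aead rfc4106(gcm(aes)) 0xffeeddccbbaa99887766554433221100fbfaf9f8 64
    sel src 0.0.0.0/0 dst 0.0.0.0/0'

# Stand-alone demonstration on the constructed samples (no docker needed).
for sample in "$SAMPLE_OPTS_TYPO" "$SAMPLE_OPTS_OK"; do
    if options_has_encrypted "$sample"; then
        echo "encrypted:     $sample"
    else
        echo "NOT encrypted: $sample"
    fi
done
echo "sample node: $(count_esp_transport_sas "$SAMPLE_XFRM") ESP SAs, $(count_aes_gcm_sas "$SAMPLE_XFRM") with AES-GCM"
```

On a real swarm, run `verify_overlay_encryption my-encrypted-network` on a node that is actually running a task of a service attached to that network; on a manager with no task scheduled there, the option check passes but the SA count is legitimately 0.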
