centersl/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-04-02 09:18:57 +07:00
Code Issues Packages Projects Releases Wiki Activity
Files
c16b77e4a204da17037641db2eadff84035cee92
docker-docs/engine/userguide/networking/overlay-security-model.md
Misty Stanley-Jones a4f5e30249 Various copyedits to reduce future tense, wordiness, and use of 'please' (#5788) 
* Reword lots of instances of 'will'

* Reword lots of instances of won't

* Reword lots of instances of we'll

* Eradicate you'll

* Eradicate 'be able to' type of phrases

* Eradicate 'unable to' type of phrases

* Eradicate 'has / have to' type of phrases

* Eradicate 'note that' type of phrases

* Eradicate 'in order to' type of phrases

* Redirect to official Chef and Puppet docs

* Eradicate gratuitous 'please'

* Reduce use of e.g.

* Reduce use of i.e.

* Reduce use of N.B.

* Get rid of 'sexagesimal' and correct some errors
2018-01-25 17:37:23 -08:00

47 lines
2.0 KiB
Markdown
Raw Blame History

---
description: Docker swarm mode overlay network security model
keywords: network, docker, documentation, user guide, multihost, swarm mode, overlay
title: Docker swarm mode overlay network security model
---
Overlay networking for Docker Engine swarm mode comes secure out of the box. The
swarm nodes exchange overlay network information using a gossip protocol. By
default the nodes encrypt and authenticate information they exchange via gossip
using the [AES algorithm](https://en.wikipedia.org/wiki/Galois/Counter_Mode) in
GCM mode. Manager nodes in the swarm rotate the key used to encrypt gossip data
every 12 hours.
You can also encrypt data exchanged between containers on different nodes on the
overlay network. To enable encryption, when you create an overlay network pass
the `--opt encrypted` flag:
```bash
$ docker network create --opt encrypted --driver overlay my-multi-host-network
dt0zvqn0saezzinc8a5g4worx
```
When you enable overlay encryption, Docker creates IPSEC tunnels between all the
nodes where tasks are scheduled for services attached to the overlay network.
These tunnels also use the AES algorithm in GCM mode and manager nodes
automatically rotate the keys every 12 hours.
> **Do not attach Windows nodes to encrypted overlay networks.**
>
> Overlay network encryption is not supported on Windows. If a Windows node
> attempts to connect to an encrypted overlay network, no error is detected but
> the node cannot communicate.
{: .warning }
## Swarm mode overlay networks and unmanaged containers
It is possible to use the overlay network feature with both `--opt encrypted --attachable`, and attach unmanaged containers to that network:
```bash
$ docker network create --opt encrypted --driver overlay --attachable my-attachable-multi-host-network
9s1p1sfaqtvaibq6yp7e6jsrt
```
Just like services that are attached to an encrypted network, regular containers can also have the advantage of encrypted traffic when attached to a network created this way.
Reference in New Issue View Git Blame Copy Permalink