[DOCKER SWARM 1.13]Docker overlay not working with encryption

[fabio-barile]

Description
Hi,
we are now evaluating the impact of docker 1.13 over our application
Our application is composed of several nodejs microservices and mongodb in replicaset mode.
For this evaluation we are executing some load tests, simulating 1400 concurrent users.
Everything worked fine until we enabled the encryption of the overlay network :(
it seems that services are not able to reach each other anymore!

To make it easier to debug for you, we have found a simple way to reproduce the issue

Steps to reproduce the issue:

1. create 2 networks overlay ; one with encryption enabled and the second one without the encryption:

docker network create --driver overlay  --subnet 192.168.1.0/24 --attachable --opt encrypted encrypted_network
docker network create --driver overlay  --subnet 192.168.1.0/24 --attachable clear_network

2. create a image using the following docker file:

FROM ubuntu:14.04
RUN apt-get update
RUN apt-get -y install wget

3. Deploy the image on 2 different hosts using the not encrypted network with the command :
   docker run --network clear_network -t -i <IMAGE_NAME> /bin/bash

4. start a netcat server listening on port 12345 in one of the containers :
   nc -l 12345

5. Send text using netcat from the second container using the command :
   echo "some text"| nc 192.168.1.3 12345
   The IP is the one of the first container

6. The text is sent from the second to the first container.
   If you repeat these steps using the encrypted overlay network it will not work :(

[aboch]

@fabio-barile From your description, it looks like packet send over the encrypted network is a complete blackhole. If that is the case, please make sure your environment allows the ESP packets to be exchanged across hosts. See https://docs.docker.com/engine/swarm/swarm-tutorial/#open-ports-between-the-hosts.

[fabio-barile]

I have just used the nc command to check that port TCP is opened between both nodes . It works

What is strange is that the netstat command doesn't show the TCP port 50 opened !
I was expecting to see a process listening of this port !?!

[fabio-barile]

For the test, we have only one SWARM manager. Does the encryption works if we use only one manager ?

[aboch]

I was not referring to a TCP port, but to the ip protocol 50 (ESP).

If you are on AWS, for example, you need to open that in your security groups.
In other reports, we also saw that if UFW is running in your ubuntu host, you have to add a rule to accept the esp packets.

A tcpdump -p esp on your host will reveil if the encrypted packets are being sent/received on the host.

Yes, the encryption works with only one manager.

Can you add some more information about your environment. Thanks.

[aboch]

I just realized the documentation was mistakenly updated to say port 50 from what it was: protocol 50
I will push a fix for that

[fabio-barile]

Thank Alessandro.
I have just enabled the protocol 50 on my ubuntu servers and it works fine now :)

[fabio-barile]

Hi,
I am reopening this issue because since we have updated our SWARM with docker version 17.03, we are not able to make working the communication between our containers in a encrypted overlay.

so let summarize the issue:
When encryption is disabled communication works fine,
When encryption is enabled :

• some containers are not able to exchange data : Socket seems to be frozen

• ping works fine

• esp is enabled using the following commands on each docker hosts :

  •             sudo iptables -A OUTPUT -p 50 -j ACCEPT
    

  •             sudo iptables -A INPUT  -p 50 -j ACCEPT
    

• when testing protocol with nmap, it seems that this protocol is opened between docker hosts. See below the output of the nmap command :

     	root@mo-890d5f132-router1:~# nmap -sO -v -P0 -p 50 mo-17856b9cc
  
     	Starting Nmap 6.40 ( http://nmap.org ) at 2017-03-06 09:03 UTC
     	Initiating ARP Ping Scan at 09:03
     	Scanning mo-17856b9cc (10.97.148.134) [1 port]
     	Completed ARP Ping Scan at 09:03, 0.20s elapsed (1 total hosts)
     	Initiating Parallel DNS resolution of 1 host. at 09:03
     	Completed Parallel DNS resolution of 1 host. at 09:03, 0.00s elapsed
     	Initiating IPProto Scan at 09:03
     	Scanning mo-17856b9cc (10.97.148.134) [1 port]
     	Completed IPProto Scan at 09:03, 0.22s elapsed (1 total ports)
     	Nmap scan report for mo-17856b9cc (10.97.148.134)
     	Host is up (0.00047s latency).
     	rDNS record for 10.97.148.134: mo-17856b9cc.mo.sap.corp
     	PROTOCOL STATE         SERVICE
     	50       open|filtered esp
     	MAC Address: 00:50:56:B6:06:71 (VMware)
  
     	Read data files from: /usr/bin/../share/nmap
     	Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
     			   Raw packets sent: 3 (68B) | Rcvd: 1 (28B)
  

Is there something we can test or any way to have more logs ?