Securing overlay networks

- By default, overlay networks use plain VXLAN encapsulation

  (~Ethernet over UDP, using SwarmKit's control plane for ARP resolution; nothing is encrypted on the wire)

- Encryption can be enabled on a per-network basis

  (It uses IPsec encryption provided by the kernel, leveraging hardware acceleration; encrypted traffic travels between nodes as ESP, IP protocol 50, so firewalls between nodes must allow it in addition to UDP port 4789 used by VXLAN)

- This is only for the `overlay` driver

  (Other drivers/plugins will use different mechanisms)
Creating two networks: encrypted and not

- Let's create two networks for testing purposes

.exercise[

- Create an "insecure" network:
  ```bash
  docker network create insecure --driver overlay --attachable
  ```

- Create a "secure" network:
  ```bash
  docker network create secure --opt encrypted --driver overlay --attachable
  ```

]

.warning[Make sure that you don't typo that option; errors are silently ignored! A misspelled `--opt` is accepted and the network is created without encryption, so check with `docker network inspect secure --format '{{json .Options}}'` that the `encrypted` key is really there.]
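Because a misspelled option is silently accepted, it is worth scripting the check rather than eyeballing `docker network inspect`. The following is an added example, not part of the original slides: it parses the `{{json .Options}}` output of `docker network inspect` and reports whether each overlay network actually carries the `encrypted` driver option. The network names `secure` and `insecure` are the ones created above; the function names are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the original slides): verify that an overlay
# network really has the "encrypted" driver option set, since Docker
# silently accepts a misspelled option. Function names are assumptions.

# Pure check: given the JSON map printed by
#   docker network inspect NAME --format '{{json .Options}}'
# succeed only if the exact key "encrypted" is present.
# A typo such as {"encripted":""} does not match, nor do {} or null.
options_have_encrypted() {
  printf '%s' "$1" | grep -q '"encrypted"'
}

# Wrapper around docker: 0 = encrypted, 1 = not encrypted, 2 = inspect failed
# (e.g. the network does not exist or docker is unreachable).
network_is_encrypted() {
  opts=$(docker network inspect "$1" --format '{{json .Options}}' 2>/dev/null) || return 2
  options_have_encrypted "$opts"
}

# Report on a list of networks, e.g. `check_networks secure insecure`.
# Returns 0 only if every listed network is encrypted.
check_networks() {
  rc=0
  for net in "$@"; do
    network_is_encrypted "$net" && st=0 || st=$?
    case $st in
      0) echo "$net: encrypted (IPsec ESP between nodes)" ;;
      1) echo "$net: NOT encrypted (plain VXLAN)"; rc=1 ;;
      *) echo "$net: cannot inspect (does it exist?)"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage (on a swarm manager, after creating the networks above):
#   check_networks secure insecure
```

Run it with `sh -c '. ./check.sh; check_networks secure insecure'`; the `insecure` network is expected to be reported as unencrypted, and the whole command exits non-zero, which makes it usable as a pre-deployment gate in CI.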
Deploying a dual-homed web server

- Let's use good old NGINX

- We will attach it to both networks

- We will use a placement constraint to make sure that it is on a different node

.exercise[

- Create a web server running somewhere else:
  ```bash
  docker service create --name web \
         --network secure --network insecure \
         --constraint node.hostname!=node1 \
         nginx
  ```

]
Sniff HTTP traffic

- We will use `ngrep`, which allows us to grep for network traffic

- We will run it in a container, using host networking to access the host's interfaces

.exercise[

- Sniff network traffic and display all packets containing "HTTP":
  ```bash
  docker run --net host nicolaka/netshoot ngrep -tpd eth0 HTTP
  ```

]

--

Seeing tons of HTTP requests? Shut down your DockerCoins workers:
```bash
docker service update dockercoins_worker --replicas=0
```
Check that we are, indeed, sniffing traffic

- Let's see if we can intercept our traffic with Google!

.exercise[

- Open a new terminal

- Issue an HTTP request to Google (or anything you like):
  ```bash
  curl google.com
  ```

]

The ngrep container will display one `#` per packet traversing the network interface.

When you do the curl, you should see the HTTP request in clear text in the output.
class: extra-details

If you are using Play-With-Docker, Vagrant, etc.

- You will probably have two network interfaces

- One interface will be used for outbound traffic (to Google)

- The other one will be used for internode traffic

- You might have to adapt/relaunch the `ngrep` command to specify the right one!
Try to sniff traffic across overlay networks

- We will run `curl web` through both the secure and the insecure networks

.exercise[

- Access the web server through the insecure network:
  ```bash
  docker run --rm --net insecure nicolaka/netshoot curl web
  ```

- Now do the same through the secure network:
  ```bash
  docker run --rm --net secure nicolaka/netshoot curl web
  ```

]

When you run the first command, you will see HTTP fragments: the request and response cross the node boundary as plain VXLAN (UDP port 4789) with the HTTP payload in clear text.

However, when you run the second one, only `#` will show up: the same packets leave the node as IPsec ESP, so ngrep still counts them but cannot match the (encrypted) payload. If you want to see them, `tcpdump -ni eth0 esp` on the host shows the ESP packets between the nodes.