zerotier-docker/scripts/entrypoint-router.sh

#!/usr/bin/env sh
set -Eeo pipefail

echo "$(date) - launching ZeroTier-One in routing mode"

if [ "${1:0:1}" = '-' ]; then
	set -- zerotier-one "$@"
fi

# useful paths
CONFIG_DIR="/var/lib/zerotier-one"
NETWORKS_DIR="$CONFIG_DIR/networks.d"

# set up network auto-join if (a) the networks directory does not exist
# and (b) the ZEROTIER_ONE_NETWORK_ID environment variable is non-null.
if [ ! -d "$NETWORKS_DIR" -a -n "$ZEROTIER_ONE_NETWORK_ID" ] ; then
   echo "Assuming container first run. Configuring auto-join of network ID:"
   echo "   $ZEROTIER_ONE_NETWORK_ID"
   echo "You will need to authorize this host at:"
   echo "   https://my.zerotier.com/network/$ZEROTIER_ONE_NETWORK_ID"
   mkdir -p "$NETWORKS_DIR"
   touch "$NETWORKS_DIR/$ZEROTIER_ONE_NETWORK_ID.conf"
fi

# make sure permissions are correct
PUID="${PUID:-"999"}"
PGID="${PGID:-"994"}"
if [ "$(id -u)" = '0' -a -d "$CONFIG_DIR" ]; then
   chown -Rc "$PUID:$PGID" "$CONFIG_DIR"
fi

# use an appropriate default for a local physical interface
PHY_IFACES="${ZEROTIER_ONE_LOCAL_PHYS:-"eth0"}"

# default to iptables (maintain compatibility for existing systems)
IPTABLES_CMD=iptables
# but support override to use iptables-nft
[ "$ZEROTIER_ONE_USE_IPTABLES_NFT" = "true" ] && IPTABLES_CMD=iptables-nft

# the wildcard for the local zerotier interface is
ZT_IFACE="zt+"

# iterate the local interface(s) and enable NAT services
for PHY_IFACE in $PHY_IFACES ; do
   echo "Using $IPTABLES_CMD to enable NAT services on $PHY_IFACE"
   $IPTABLES_CMD -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
   $IPTABLES_CMD -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
   $IPTABLES_CMD -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
done

# launch zerotier-one
exec "$@"
add entrypoint and define env variables to override local settings 2022-06-12 17:53:02 +02:00			`#!/usr/bin/env sh`
			`set -Eeo pipefail`

Extend router launch script: 1. Support `ZEROTIER_ONE_USE_IPTABLES_NFT` environment variable. If omitted or has any value other than `true`, `iptables` is used (maintains backwards compatibility). If `true`, substitutes `iptables-nft`. This definitely seems to be necessary on Raspberry Pi running Bullseye. 2. Support `ZEROTIER_ONE_LOCAL_PHYS` environment variable. Defaults to `eth0` if omitted (maintains backwards compatibility). Allows for overriding to `wlan0` (eg Raspberry Pi Zero 2W), or both `eth0 wlan0` to support multiple subnets or failover modes, or similar situations (eg extra network interface cards). 3. Support `ZEROTIER_ONE_NETWORK_ID` as an alternative to the `join` command. Means container will always fail safe if its persistent storage is erased - will look like a new identity but can be authorised and will then be reachable for additional configuration. 4. Support `PUID` + `PGID` environment variables. Default to 999 and 994, respectively, mimicking what happens on a "native" install of ZeroTier-One (on a Raspberry Pi). 5. Perform unconditional reset of ownership (PUID:PGID) throughout persistent store on each launch. This avoids many permission problems that can sometimes occur in docker environments. 6. Add launch message with date. Assists in assessing recency of "sendto: Network unreachable" messages that can occur after a reboot where the container resumes before networking is available. Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com> 2022-07-19 10:41:38 +02:00			`echo "$(date) - launching ZeroTier-One in routing mode"`

add entrypoint and define env variables to override local settings 2022-06-12 17:53:02 +02:00			`if [ "${1:0:1}" = '-' ]; then`
			`set -- zerotier-one "$@"`
			`fi`

Extend router launch script: 1. Support `ZEROTIER_ONE_USE_IPTABLES_NFT` environment variable. If omitted or has any value other than `true`, `iptables` is used (maintains backwards compatibility). If `true`, substitutes `iptables-nft`. This definitely seems to be necessary on Raspberry Pi running Bullseye. 2. Support `ZEROTIER_ONE_LOCAL_PHYS` environment variable. Defaults to `eth0` if omitted (maintains backwards compatibility). Allows for overriding to `wlan0` (eg Raspberry Pi Zero 2W), or both `eth0 wlan0` to support multiple subnets or failover modes, or similar situations (eg extra network interface cards). 3. Support `ZEROTIER_ONE_NETWORK_ID` as an alternative to the `join` command. Means container will always fail safe if its persistent storage is erased - will look like a new identity but can be authorised and will then be reachable for additional configuration. 4. Support `PUID` + `PGID` environment variables. Default to 999 and 994, respectively, mimicking what happens on a "native" install of ZeroTier-One (on a Raspberry Pi). 5. Perform unconditional reset of ownership (PUID:PGID) throughout persistent store on each launch. This avoids many permission problems that can sometimes occur in docker environments. 6. Add launch message with date. Assists in assessing recency of "sendto: Network unreachable" messages that can occur after a reboot where the container resumes before networking is available. Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com> 2022-07-19 10:41:38 +02:00			`# useful paths`
			`CONFIG_DIR="/var/lib/zerotier-one"`
			`NETWORKS_DIR="$CONFIG_DIR/networks.d"`

			`# set up network auto-join if (a) the networks directory does not exist`
			`# and (b) the ZEROTIER_ONE_NETWORK_ID environment variable is non-null.`
			`if [ ! -d "$NETWORKS_DIR" -a -n "$ZEROTIER_ONE_NETWORK_ID" ] ; then`
			`echo "Assuming container first run. Configuring auto-join of network ID:"`
			`echo " $ZEROTIER_ONE_NETWORK_ID"`
			`echo "You will need to authorize this host at:"`
			`echo " https://my.zerotier.com/network/$ZEROTIER_ONE_NETWORK_ID"`
			`mkdir -p "$NETWORKS_DIR"`
			`touch "$NETWORKS_DIR/$ZEROTIER_ONE_NETWORK_ID.conf"`
			`fi`

			`# make sure permissions are correct`
			`PUID="${PUID:-"999"}"`
			`PGID="${PGID:-"994"}"`
			`if [ "$(id -u)" = '0' -a -d "$CONFIG_DIR" ]; then`
			`chown -Rc "$PUID:$PGID" "$CONFIG_DIR"`
			`fi`

			`# use an appropriate default for a local physical interface`
			`PHY_IFACES="${ZEROTIER_ONE_LOCAL_PHYS:-"eth0"}"`

			`# default to iptables (maintain compatibility for existing systems)`
			`IPTABLES_CMD=iptables`
			`# but support override to use iptables-nft`
			`[ "$ZEROTIER_ONE_USE_IPTABLES_NFT" = "true" ] && IPTABLES_CMD=iptables-nft`

			`# the wildcard for the local zerotier interface is`
add entrypoint and define env variables to override local settings 2022-06-12 17:53:02 +02:00			`ZT_IFACE="zt+"`

Extend router launch script: 1. Support `ZEROTIER_ONE_USE_IPTABLES_NFT` environment variable. If omitted or has any value other than `true`, `iptables` is used (maintains backwards compatibility). If `true`, substitutes `iptables-nft`. This definitely seems to be necessary on Raspberry Pi running Bullseye. 2. Support `ZEROTIER_ONE_LOCAL_PHYS` environment variable. Defaults to `eth0` if omitted (maintains backwards compatibility). Allows for overriding to `wlan0` (eg Raspberry Pi Zero 2W), or both `eth0 wlan0` to support multiple subnets or failover modes, or similar situations (eg extra network interface cards). 3. Support `ZEROTIER_ONE_NETWORK_ID` as an alternative to the `join` command. Means container will always fail safe if its persistent storage is erased - will look like a new identity but can be authorised and will then be reachable for additional configuration. 4. Support `PUID` + `PGID` environment variables. Default to 999 and 994, respectively, mimicking what happens on a "native" install of ZeroTier-One (on a Raspberry Pi). 5. Perform unconditional reset of ownership (PUID:PGID) throughout persistent store on each launch. This avoids many permission problems that can sometimes occur in docker environments. 6. Add launch message with date. Assists in assessing recency of "sendto: Network unreachable" messages that can occur after a reboot where the container resumes before networking is available. Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com> 2022-07-19 10:41:38 +02:00			`# iterate the local interface(s) and enable NAT services`
			`for PHY_IFACE in $PHY_IFACES ; do`
			`echo "Using $IPTABLES_CMD to enable NAT services on $PHY_IFACE"`
			`$IPTABLES_CMD -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE`
			`$IPTABLES_CMD -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`$IPTABLES_CMD -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT`
			`done`

			`# launch zerotier-one`
add entrypoint and define env variables to override local settings 2022-06-12 17:53:02 +02:00			`exec "$@"`
Extend router launch script: 1. Support `ZEROTIER_ONE_USE_IPTABLES_NFT` environment variable. If omitted or has any value other than `true`, `iptables` is used (maintains backwards compatibility). If `true`, substitutes `iptables-nft`. This definitely seems to be necessary on Raspberry Pi running Bullseye. 2. Support `ZEROTIER_ONE_LOCAL_PHYS` environment variable. Defaults to `eth0` if omitted (maintains backwards compatibility). Allows for overriding to `wlan0` (eg Raspberry Pi Zero 2W), or both `eth0 wlan0` to support multiple subnets or failover modes, or similar situations (eg extra network interface cards). 3. Support `ZEROTIER_ONE_NETWORK_ID` as an alternative to the `join` command. Means container will always fail safe if its persistent storage is erased - will look like a new identity but can be authorised and will then be reachable for additional configuration. 4. Support `PUID` + `PGID` environment variables. Default to 999 and 994, respectively, mimicking what happens on a "native" install of ZeroTier-One (on a Raspberry Pi). 5. Perform unconditional reset of ownership (PUID:PGID) throughout persistent store on each launch. This avoids many permission problems that can sometimes occur in docker environments. 6. Add launch message with date. Assists in assessing recency of "sendto: Network unreachable" messages that can occur after a reboot where the container resumes before networking is available. Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com> 2022-07-19 10:41:38 +02:00