Added bridge mode

Added K8S deployment

Dockerfile

@@ -25,14 +25,21 @@ LABEL org.opencontainers.image.title="zerotier" \
 
 COPY --from=builder /src/zerotier-one /usr/sbin/
 
-RUN apk add --no-cache --purge --clean-protected --update libc6-compat libstdc++ \
+RUN apk add --no-cache --purge --clean-protected --update libc6-compat libstdc++ supervisor iptables \
   && mkdir -p /var/lib/zerotier-one \
+  && mkdir -p /var/log/supervisor \
   && ln -s /usr/sbin/zerotier-one /usr/sbin/zerotier-idtool \
   && ln -s /usr/sbin/zerotier-one /usr/sbin/zerotier-cli \
   && rm -rf /var/cache/apk/*
 
+ENV LOG_PATH=/var/log/supervisor \
+    BRIDGE=false
+
+COPY conf /opt
+COPY scripts /opt
+
 EXPOSE 9993/udp
 
-ENTRYPOINT ["zerotier-one"]
+ENTRYPOINT ["/opt/entrypoint.sh"]
 
 CMD ["-U"]

README.md

@@ -32,6 +32,17 @@ or create an empty file with the network as name
 
     /var/lib/zerotier-one/networks.d/8056c2e21c000001.conf
 
+#### Bridge mode
+It is the implementation of the local network bridge [paper](https://zerotier.atlassian.net/wiki/spaces/SD/pages/193134593/Bridge+your+ZeroTier+and+local+network+with+a+RaspberryPi)
+
+To enable it, remove the host network parameter and add `Bridge=true` to environment variables.
+
+    docker run --name zerotier-one --device=/dev/net/tun -e BRIDGE=true \
+      --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
+      -v /var/lib/zerotier-one:/var/lib/zerotier-one zyclonite/zerotier
+
+That will start the zero-one, establish connection and build the bridge once the `zt` interface is up.
+
 #### Source
 
 https://github.com/zyclonite/zerotier-docker

conf/supervisord.conf

@@ -0,0 +1,15 @@
+[supervisord]
+nodaemon=true
+user=root
+logfile=%(ENV_LOG_PATH)s/supervisord.log
+childlogdir=%(ENV_LOG_PATH)s
+priority=1
+
+[program:bridge]
+command=/opt/bridge.sh
+stdout_logfile=%(ENV_LOG_PATH)s/bridge.stdout.log
+stderr_logfile=%(ENV_LOG_PATH)s/bridge.stderr.log
+startsecs=0
+autorestart=false
+exitcodes=0
+priority=1

k8s/deployment.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: zerotier
+spec:
+  selector:
+    matchLabels:
+      app: zerotier
+  template:
+    metadata:
+      labels:
+        app: zerotier
+    spec:
+      initContainers:
+        - name: network-joiner
+          image: busybox
+          env:
+            - name: NETWORK_ID
+              value: "<replace with network id>"
+          command: [ "sh", "-c", "mkdir -p /mnt/networks.d && touch /mnt/networks.d/$(NETWORK_ID).conf" ]
+          volumeMounts:
+            - name: vol
+              subPath: config
+              mountPath: /mnt
+              
+      containers:
+      - name: zerotier
+        image: zyclonite/zerotier
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        ports:
+        - name: net
+          containerPort: 9993
+        volumeMounts:
+          - name: vol
+            subPath: config
+            mountPath: /var/lib/zerotier-one
+          - name: tun
+            readOnly: true
+            mountPath: /dev/net/tun
+      
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            - SYS_ADMIN
+      
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - 1.1.1.1
+          - 8.8.8.8
+
+      volumes:
+        - name: vol
+          persistentVolumeClaim:
+            claimName: zerotier
+        - name: tun
+          hostPath:
+            path: /dev/net/tun
+            type: ''

scripts/bridge.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o pipefail
+set -o nounset
+# set -o xtrace
+
+echo "Checking if bridge is required..."
+if [ "$BRIDGE" = "false" ]; then
+    echo "Bridge is not required. Exiting..."
+    exit 0
+fi
+echo "Bridge is required. Starting..."
+echo "Waiting for network interface to be ready..."
+
+while ! ifconfig | grep -q zt; do
+    echo -n "."
+    sleep 1
+done
+
+echo "Network interface is ready. Starting bridge..."
+
+PHY_IFACE=eth0
+ZT_IFACE=$(ifconfig | grep zt | awk '{print $1}')
+iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
+iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
+
+echo "Bridge started."

scripts/entrypoint.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+/usr/bin/supervisord --configuration /opt/supervisord.conf &
+zerotier-one $@