Responses to #35:
1. Revises `docker run` example:
* places container in host mode
* runs container detached (so it does not appear to stall)
* passes the user and group IDs for the local user (so persistent
storage is owned by the local user)
* changes default mechanism for net-filter rules to `iptables-nft`
* places image reference on a separate line
2. Revises `docker compose` service definition:
* removes deprecated `version` clause, substituting the
"here comes YAML" `---` signature
* changes default mechanism for net-filter rules to `iptables-nft`
3. Re-writes explanation of `ZEROTIER_ONE_USE_IPTABLES_NFT` to make it
clear that `true` is usually the correct option for all implementations
(not just Raspberry Pi). Also adds explicit test to confirm that the
container's net-filters are getting into the host's tables.
Opportunistic changes:
1. Updates URLs for ZeroTier Knowledge Base article (avoids redirects
when following those links).
2. Clarifies that it is the ZeroTier Knowledge Base article which
implements a half-router, and summarises the additional capabilities
of `zerotier-router`.
3. Adds cross-reference to IOTstack documentation (IMO this is more
comprehensive than anything in the ZeroTier Knowledge Base).
4. Removes extraneous `0x09` characters.
Fixes #35
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
Resolves issue raised in #15 where `entrypoint-router.sh` exits after
telling the pipe listener process to go away, with the result that the
temporary pipe file does not get cleaned up on a container restart.
> The temporary pipe file is not persisted so it will always get cleaned
up when the container is terminated or recreated.
The pipe listener process exits automatically without needing any signal
from `entrypoint-router.sh` so the script lines doing that are removed.
Instead of creating the pipe file using `mktemp` with a random suffix,
the hard-coded name "/tmp/zerotier-ipc-log" will be used. The pipe file
is:
* still in `/tmp` so it is not persisted and will get cleaned up when
the container is terminated.
* always initialised empty each time the script runs (important if the
container restarts).
Fixes: #15
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
Adds `ZEROTIER_ONE_GATEWAY_MODE` variable. Supported values are
`inbound` (forward traffic from ZeroTier cloud to local interfaces),
`outbound` (forward traffic from local interfaces to ZeroTier cloud)
and `both` (bi-directional). Defaults to `inbound`.
Also checks for `net.ipv4.ip_forward=1`. If not enabled, falls back
to standard client mode.
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
- Remove redundant echo statements
- Improve comments
- Rename `PIPE` to `TAIL_PIPE` to clarify purpose
- Remove traps used during testing and consolidate on INT TERM and HUP
(TERM being the usual case)
- Normal exit when ZeroTier aborts or exits just calls termination
handler
- Termination handler unconditionally removes iptables rules but
conditionally clobbers processes.
- All logging includes date.
Tested combination of waiting on ZeroTier + TERM trap correctly
handling:
1. Docker commands to restart, terminate, recreate, stack down, etc.
2. A reboot while the container is running (assuming restart unless
stopped).
3. External action clobbering the ZeroTier daemon.
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
than one network can be specified as defaults.
First cut at improved launch/tear-down so iptables entries do not get
duplicated, especially if the zerotier daemon quits because networking
has not come up properly after a reboot.
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
1. Support `ZEROTIER_ONE_USE_IPTABLES_NFT` environment variable. If
omitted or has any value other than `true`, `iptables` is used
(maintains backwards compatibility). If `true`, substitutes
`iptables-nft`. This definitely seems to be necessary on Raspberry Pi
running Bullseye.
2. Support `ZEROTIER_ONE_LOCAL_PHYS` environment variable. Defaults to
`eth0` if omitted (maintains backwards compatibility). Allows for
overriding to `wlan0` (eg Raspberry Pi Zero 2W), or both `eth0 wlan0` to
support multiple subnets or failover modes, or similar situations (eg
extra network interface cards).
3. Support `ZEROTIER_ONE_NETWORK_ID` as an alternative to the `join`
command. Means container will always fail safe if its persistent storage
is erased - will look like a new identity but can be authorised and
will then be reachable for additional configuration.
4. Support `PUID` + `PGID` environment variables. Default to 999 and
994, respectively, mimicking what happens on a "native" install of
ZeroTier-One (on a Raspberry Pi).
5. Perform unconditional reset of ownership (PUID:PGID) throughout
persistent store on each launch. This avoids many permission problems
that can sometimes occur in docker environments.
6. Add launch message with date. Assists in assessing recency of
"sendto: Network unreachable" messages that can occur after a reboot
where the container resumes before networking is available.
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
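As an added illustration of how the `ZEROTIER_ONE_USE_IPTABLES_NFT`, `ZEROTIER_ONE_LOCAL_PHYS` and `ZEROTIER_ONE_GATEWAY_MODE` variables described in the two commits above can be turned into net-filter rules. This is example code written for this page, not the project's `entrypoint-router.sh`; the exact rules the project installs are not shown in the commit messages. Assumptions made here: the ZeroTier interface is matched as `zt+`, the reverse direction of a one-way gateway is limited to `RELATED,ESTABLISHED` replies, `MASQUERADE` is applied only on the egress side the mode allows traffic to originate towards, and an unknown gateway mode is rejected rather than silently mapped to a default. The functions print the `iptables` commands instead of running them, so the script can be inspected safely on any host.

```sh
#!/bin/sh
# Added example, not the project's entrypoint-router.sh. Prints (does not run)
# the forwarding rules implied by the ZEROTIER_ONE_* environment variables.
# Assumption: the ZeroTier interface is matched as "zt+".

# Pick the iptables front end. Only the literal value "true" selects
# iptables-nft; anything else keeps the legacy iptables binary.
ipt_cmd() {
  if [ "${ZEROTIER_ONE_USE_IPTABLES_NFT:-false}" = "true" ]; then
    echo iptables-nft
  else
    echo iptables
  fi
}

# Resolve the gateway mode. Unset means "inbound"; anything other than the
# three supported values is rejected (assumption: fail closed, not fall back).
gateway_mode() {
  mode="${ZEROTIER_ONE_GATEWAY_MODE:-inbound}"
  case "$mode" in
    inbound|outbound|both) echo "$mode" ;;
    *) echo "unsupported ZEROTIER_ONE_GATEWAY_MODE: $mode" >&2; return 1 ;;
  esac
}

# True (exit 0) when net.ipv4.ip_forward reads as 1. The path is a parameter
# so the check can be exercised against a constructed file.
ip_forward_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the rules for MODE between the ZeroTier interface ZT and every
# interface in PHYS (space separated, e.g. "eth0 wlan0").
#   inbound : ZeroTier -> local. Only replies may flow back; NAT on the LAN side.
#   outbound: local -> ZeroTier. Only replies may flow back; NAT on the ZT side.
#   both    : unconditional ACCEPT both ways; NAT on both sides.
gateway_rules() {
  mode="$1"; zt="$2"; phys="$3"; ipt="$(ipt_cmd)"
  for p in $phys; do
    case "$mode" in
      inbound)
        echo "$ipt -A FORWARD -i $zt -o $p -j ACCEPT"
        echo "$ipt -A FORWARD -i $p -o $zt -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
        echo "$ipt -t nat -A POSTROUTING -o $p -j MASQUERADE" ;;
      outbound)
        echo "$ipt -A FORWARD -i $p -o $zt -j ACCEPT"
        echo "$ipt -A FORWARD -i $zt -o $p -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" ;;
      both)
        echo "$ipt -A FORWARD -i $zt -o $p -j ACCEPT"
        echo "$ipt -A FORWARD -i $p -o $zt -j ACCEPT"
        echo "$ipt -t nat -A POSTROUTING -o $p -j MASQUERADE" ;;
    esac
  done
  # The ZeroTier-side MASQUERADE is interface-independent, so emit it once.
  case "$mode" in
    outbound|both) echo "$ipt -t nat -A POSTROUTING -o $zt -j MASQUERADE" ;;
  esac
}

# Combine the pieces: without ip_forward=1 there is nothing to route, so the
# container should behave as a plain client and install no forwarding rules.
router_plan() {
  fwd_file="$1"; zt="${2:-zt+}"; phys="${ZEROTIER_ONE_LOCAL_PHYS:-eth0}"
  mode="$(gateway_mode)" || return 1
  if ! ip_forward_enabled "$fwd_file"; then
    echo "# net.ipv4.ip_forward is not 1: running as a plain client, no forwarding rules"
    return 0
  fi
  gateway_rules "$mode" "$zt" "$phys"
}

# Run with --demo to print the plan for the current host settings.
if [ "${1:-}" = "--demo" ]; then
  router_plan /proc/sys/net/ipv4/ip_forward
fi
```

To confirm that rules added from inside a host-networked container really land in the host's tables (the check the first commit above refers to), list the same chain from both sides, for example `iptables-nft -t nat -S POSTROUTING` on the host and `docker exec <container> iptables-nft -t nat -S POSTROUTING` in the container, and make sure the `MASQUERADE` entries appear in both listings; if the host shows them only under the legacy `iptables` binary while the container used `iptables-nft` (or vice versa), the two front ends are writing to different backends and `ZEROTIER_ONE_USE_IPTABLES_NFT` needs to match the host.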
1. Rename files with "bridge" in the name to "router".
2. Edit file contents referring to "bridge" so they refer to "router".
3. Update README to reflect this change, plus point to the relevant
link in the ZeroTier documentation.
Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>