ZeroTier One as Docker Image
Phill 8551038de7
addresses documentation problems raised in issue 35 (#36)
Responses to #35:

1. Revises `docker run` example:

	* places container in host mode
	* runs container detached (so it does not appear to stall)
	* passes the user and group IDs for the local user (so persistent
	  storage is owned by the local user)
	* changes default mechanism for net-filter rules to `iptables-nft`
	* places image reference on a separate line

2. Revises `docker compose` service definition:

	* removes deprecated `version` clause, substituting the
	  "here comes YAML" `---` signature
	* changes default mechanism for net-filter rules to `iptables-nft`

3. Re-writes explanation of `ZEROTIER_ONE_USE_IPTABLES_NFT` to make it
   clear that `true` is usually the correct option for all implementations
   (not just Raspberry Pi). Also adds explicit test to confirm that the
   container's net-filters are getting into the host's tables.

Opportunistic changes:

1. Updates URLs for ZeroTier Knowledge Base article (avoids redirects
   when following those links).

2. Clarifies that it is the ZeroTier Knowledge Base article which
   implements a half-router, and summarises the additional capabilities
   of `zerotier-router`.

3. Adds cross-reference to IOTstack documentation (IMO this is more
   comprehensive than anything in the ZeroTier Knowledge Base).

4. Removes extraneous `0x09` characters.

Fixes #35

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2024-12-04 15:43:22 +01:00
File | Last commit | Date
.github/workflows | switch env in action | 2024-05-16 15:18:43 -06:00
k8s | rename "bridge" to "router" | 2022-07-18 16:03:36 +10:00
patches | upgrade to 1.14.1 | 2024-09-12 20:11:33 -06:00
scripts | keep legacy iptables as default to stay compatible with previous behavior | 2023-11-05 12:59:36 -07:00
docker-compose-router.yml | support three routing modes as proposed by @bfg100k | 2022-07-27 21:58:39 +10:00
docker-compose.yml | Add docker-compose file for convenience | 2021-08-13 03:59:21 -07:00
Dockerfile | upgrade to 1.14.2 | 2024-10-29 13:29:21 -04:00
Dockerfile.router | keep legacy iptables as default to stay compatible with previous behavior | 2023-11-05 12:59:36 -07:00
LICENSE | move repo from znx to here | 2019-10-17 16:11:51 +02:00
README-router.md | addresses documentation problems raised in issue 35 (#36) | 2024-12-04 15:43:22 +01:00
README.md | refactor documentation to separate zerotier-router into separate readme | 2022-07-25 11:13:36 +10:00


zerotier-docker

Description

This is a container based on a lightweight Alpine Linux image and a copy of ZeroTier One. It's designed to allow you to run ZeroTier One as a service on container-oriented distributions like Fedora CoreOS, though it should work on any Linux system with Docker or Podman.

Run

Running this container correctly requires some special options that give it extra permissions and allow it to persist its files. Here's an example (tested on Fedora CoreOS):

docker run --name zerotier-one --device=/dev/net/tun --net=host \
  --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
  -v /var/lib/zerotier-one:/var/lib/zerotier-one zyclonite/zerotier

This runs zyclonite/zerotier in a container with special network admin permissions (the NET_ADMIN and SYS_ADMIN capabilities), with access to the host's network stack (no network isolation), and with /dev/net/tun so it can create tun/tap devices. This allows it to create zt# interfaces on the host the way a copy of ZeroTier One running on the host would normally be able to.

In other words, it does basically the same thing that running zerotier-one directly on the host would do, except that it runs in a container. Since Fedora CoreOS has no package management, this is the preferred way of distributing software for it.

It also mounts /var/lib/zerotier-one to /var/lib/zerotier-one inside the container, allowing your service container to persist its state across restarts of the container itself. If you don't do this it'll generate a new identity every time. You can put the actual data somewhere other than /var/lib/zerotier-one if you want.

To join a ZeroTier network, you can use

docker exec zerotier-one zerotier-cli join 8056c2e21c000001

or create an empty file named after the network ID:

/var/lib/zerotier-one/networks.d/8056c2e21c000001.conf
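
The file-based join method above, as an added example that is not part of the zerotier-docker repository: a shell helper that validates the network ID before using it as a file name, creates the empty `.conf` file in the persisted state directory, and checks that the node's private key file (`identity.secret`, ZeroTier's standard name for it) is not accessible to group or others. The function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of zerotier-docker.

# True only for a ZeroTier network ID: exactly 16 hexadecimal digits.
is_network_id() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# preseed_network STATE_DIR NETWORK_ID
# Creates STATE_DIR/networks.d/<id>.conf as an empty file and prints its path.
# The ID is validated first so it can never alter the path (no "/" or "..").
preseed_network() {
    state_dir=$1
    nwid=$2
    is_network_id "$nwid" || { echo "invalid network ID: $nwid" >&2; return 2; }
    nwid=$(printf '%s' "$nwid" | tr 'A-F' 'a-f')   # lowercase, as zerotier-cli prints IDs
    mkdir -p "$state_dir/networks.d" || return 1
    conf="$state_dir/networks.d/$nwid.conf"
    [ -e "$conf" ] || : > "$conf" || return 1
    printf '%s\n' "$conf"
}

# check_identity STATE_DIR
# The bind-mounted state directory holds the node's private key in
# identity.secret; fail if group or others have any permission on it.
check_identity() {
    secret="$1/identity.secret"
    [ -f "$secret" ] || { echo "no identity.secret yet" >&2; return 0; }
    perms=$(ls -ld "$secret" | cut -c5-10)   # group and other bits of the mode string
    [ "$perms" = "------" ] || { echo "$secret is too permissive" >&2; return 1; }
}

# Usage: sh preseed.sh /var/lib/zerotier-one 8056c2e21c000001
if [ "$#" -eq 2 ]; then
    preseed_network "$1" "$2" && check_identity "$1"
fi
```
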

Router mode

A variation on the container which implements a local network router. See:

Source

https://github.com/zyclonite/zerotier-docker