diff --git a/CHANGELOG.md b/CHANGELOG.md
index 45559287..c8546451 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 ## v0.4.28
-FEATURE: A minimal Docker Compose project for self-hosting a zrok instance and [accompanying Docker guide](https://docs.zrok.io/docs/guides/self-hosting/docker) for more information.
+FEATURE: A Docker Compose project for self-hosting a zrok instance and [accompanying Docker guide](https://docs.zrok.io/docs/guides/self-hosting/docker) for more information.
 CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.
diff --git a/docker/compose/quickstart/README.md b/docker/compose/quickstart/README.md
index 539cd878..a7fd90a2 100644
--- a/docker/compose/quickstart/README.md
+++ b/docker/compose/quickstart/README.md
@@ -19,11 +19,11 @@ wget https://get.openziti.io/dock/all-in-one/compose.yml
 wget -O ./compose.override.yml https://get.openziti.io/zrok-quick/compose.yml
 ```
-The project files provide these service containers.
+These two Compose project files provide different service containers.
-- `compose.yml`
+- `compose.yml` defines the service containers for Compose profile "ziti"
 - `quickstart`
-- `compose.override.yml`
+- `compose.override.yml` defines the service containers for Compose profile "zrok"
 - `zrok-controller`
 - `zrok-frontend`
 - `caddy`
@@ -99,18 +99,18 @@ You must enable each device environment with the account token obtained when the
 Follow [the getting started guide](/docs/getting-started#installing-the-zrok-command) to install the zrok CLI on some device and enable a zrok environment.
-1. Enable an environment on this device with the account token from the previous step.
-
- ```bash
- zrok enable heMqncCyxZcx
- ```
-
 1. Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. `https://zrok.${ZROK_DNS_ZONE}`.
 ```bash
 zrok config set apiEndpoint https://zrok.share.example.com
 ```
+1. Enable an environment on this device with the account token from the previous step.
+
+ ```bash
+ zrok enable heMqncCyxZcx
+ ```
+
 ### Firewall Configuration
 The `quickstart` and `caddy` containers publish ports to all devices that use zrok shares. The `zrok-controller` and `zrok-frontend` containers expose ports only to the `caddy` container and the Docker host's loopback interface.
@@ -185,7 +185,7 @@ The `quickstart` and `caddy` containers publish ports to all devices that use zr
 1. Use the Caddy admin API.
- You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port `2019/tcp` inside the Docker compose project. You can modify `compose.override.yml` to publish the port if you want to access the admin API from the Docker host or elsewhere.
+ You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port `2019/tcp` inside the Docker Compose project. You can modify `compose.override.yml` to publish the port if you want to access the admin API from the Docker host or elsewhere.
 ```bash
 docker compose exec caddy curl http://localhost:2019/config/ | jq
diff --git a/docker/compose/quickstart/compose.override.yml b/docker/compose/quickstart/compose.override.yml
index e7f83269..8c43937c 100644
--- a/docker/compose/quickstart/compose.override.yml
+++ b/docker/compose/quickstart/compose.override.yml
@@ -46,7 +46,8 @@ services:
 # ports:
 # - 127.0.0.1:${ZROK_CTRL_PORT:-18080}:${ZROK_CTRL_PORT:-18080}
 environment:
- ZROK_ADMIN_PWD: ${ZROK_ADMIN_PWD} # admin account password (initial user account)
+ ZROK_USER_PWD: ${ZROK_USER_PWD} # admin account password (initial user account)
+ CADDY_ACME_EMAIL: ${CADDY_ACME_EMAIL} # login email address (initial user account)
 zrok-frontend:
 profiles:
@@ -63,7 +64,7 @@ services:
 ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
 ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
 ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
- ZROK_OAUTH_HASH_KEY: ${ZROK_OAUTH_HASH_KEY}
+ ZROK_OAUTH_HASH_KEY: ${ZROK_OAUTH_HASH_KEY-noop}
 ZROK_OAUTH_GOOGLE_CLIENT_ID: ${ZROK_OAUTH_GOOGLE_CLIENT_ID:-noop}
 ZROK_OAUTH_GOOGLE_CLIENT_SECRET: ${ZROK_OAUTH_GOOGLE_CLIENT_SECRET:-noop}
 ZROK_OAUTH_GITHUB_CLIENT_ID: ${ZROK_OAUTH_GITHUB_CLIENT_ID:-noop}
@@ -113,9 +114,9 @@ services:
 - 443/udp # Caddy's HTTP/3 (QUIC) (not published)
 - 2019/tcp # Caddy's admin API (not published)
 ports:
- ${CADDY_INTERFACE}:80:80
- ${CADDY_INTERFACE}:443:443
 # - ${CADDY_INTERFACE}:443:443/udp" # future: HTTP/3 (QUIC)
+ - ${CADDY_INTERFACE:-0.0.0.0}:80:80
+ - ${CADDY_INTERFACE:-0.0.0.0}:443:443
+ # - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp" # future: HTTP/3 (QUIC)
 volumes:
 - caddy_data:/data
 - caddy_config:/config
diff --git a/docker/compose/quickstart/zrok-controller.Dockerfile b/docker/compose/quickstart/zrok-controller.Dockerfile
index 84072daa..6f00f934 100644
--- a/docker/compose/quickstart/zrok-controller.Dockerfile
+++ b/docker/compose/quickstart/zrok-controller.Dockerfile
@@ -19,6 +19,7 @@ ARG ZITI_PWD
 # render zrok controller config.yml
 COPY ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/
+RUN chmod 0755 /usr/local/bin/envsubst.bash /usr/local/bin/bootstrap-controller.bash
 COPY ./zrok-controller-config.yml.envsubst /tmp/
 RUN mkdir -p /etc/zrok-controller/
 RUN envsubst.bash \
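Review bot: `ZROK_USER_PWD: ${ZROK_USER_PWD}` on the added line has neither a default nor a required-variable check, so when the variable is unset Compose substitutes an empty string (with only a warning) and the bootstrap receives an empty password for the initial admin account; what the bootstrap script then does with it is not visible here, but failing early is safer: `ZROK_USER_PWD: ${ZROK_USER_PWD:?set the initial admin password}`. The same `:?` guard fits `CADDY_ACME_EMAIL`, which this hunk reuses as the initial account's login email while its name and the `caddy` service suggest it is also the ACME registration contact; a comment on the line, e.g. `# also used as the ACME contact address — changing one changes both`, would make that double use explicit. The `environment:` mapping belongs to a service whose header lies outside the hunk.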
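Review bot: The new `${ZROK_OAUTH_HASH_KEY-noop}` uses the `-` form while the sibling OAuth variables on the following lines use `:-noop`, so an exported-but-empty `ZROK_OAUTH_HASH_KEY` becomes an empty value here but `noop` for the client IDs and secrets; `ZROK_OAUTH_HASH_KEY: ${ZROK_OAUTH_HASH_KEY:-noop}` keeps the four consistent. If the frontend uses this value as a cookie or signing hash key, as the name suggests but the hunk does not show, a fixed and publicly known default is acceptable only while OAuth is disabled, and the line should say so: `# placeholder; set a random secret before enabling any OAuth provider`. The enclosing `zrok-frontend` service definition starts outside the hunk.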
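Review bot: The commented-out HTTP/3 mapping on the new side still carries a stray `"` after `443/udp`, so uncommenting it as written yields an unterminated quoted scalar instead of a port mapping; since the line is being touched anyway, `# - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp  # future: HTTP/3 (QUIC)` removes the trap. Separately, an explicit `0.0.0.0` default may bind IPv4 only on daemons with IPv6 enabled, whereas omitting the host address binds both families, so it is worth confirming which the public frontend is meant to listen on and recording that in a comment beside the default. The `caddy` service header is outside the hunk.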
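Review bot: The added `RUN chmod 0755 …` fixes the scripts' mode in a separate layer after the `COPY`; with BuildKit (Dockerfile syntax 1.2 or later), `COPY --chmod=0755 ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/` sets the mode at copy time in one instruction and avoids a layer whose only content is a metadata change. The same pattern appears in the zrok-frontend.Dockerfile hunk at `@@ -21,7 +21,8 @@`. Either way the scripts are installed while the build still runs as root, so if this image switches to `USER ziggy` later as the frontend Dockerfile does, the runtime user cannot modify them — the property worth keeping, and worth a comment such as `# root-owned and not writable by the runtime user by design`. `RUN envsubst.bash \` continues past the end of the hunk.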
diff --git a/docker/compose/quickstart/zrok-frontend.Dockerfile b/docker/compose/quickstart/zrok-frontend.Dockerfile
index 4221dc46..c46794a3 100644
--- a/docker/compose/quickstart/zrok-frontend.Dockerfile
+++ b/docker/compose/quickstart/zrok-frontend.Dockerfile
@@ -21,7 +21,8 @@ ARG ZROK_OAUTH_GITHUB_CLIENT_ID
 ARG ZROK_OAUTH_GITHUB_CLIENT_SECRET
 # render zrok frontend config.yml
-COPY ./envsubst.bash /usr/local/bin/
+COPY ./envsubst.bash ./bootstrap-frontend.bash /usr/local/bin/
+RUN chmod 0755 /usr/local/bin/envsubst.bash /usr/local/bin/bootstrap-frontend.bash
 COPY ./zrok-frontend-config.yml.envsubst /tmp/
 RUN mkdir -p /etc/zrok-frontend/
 RUN envsubst.bash \
@@ -35,9 +36,6 @@ RUN envsubst.bash \
 ZROK_OAUTH_GITHUB_CLIENT_SECRET=${ZROK_OAUTH_GITHUB_CLIENT_SECRET} \
 < /tmp/zrok-frontend-config.yml.envsubst > /etc/zrok-frontend/config.yml
-# install bootstrapping script as entrypoint
-COPY ./bootstrap-frontend.bash /usr/local/bin/
-
 # run as ziggy (or ZIGGY_UID if set in compose project)
 USER ziggy
 ENV HOME=/var/lib/zrok-frontend