mirror of
https://github.com/openziti/zrok.git
synced 2025-01-18 11:58:17 +01:00
correct and document Docker quickstart
parent
a9c87ce1fe
commit
1a4c30a40e
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
## v0.4.28
|
## v0.4.28
|
||||||
|
|
||||||
FEATURE: A minimal Docker Compose project for self-hosting a zrok instance and [accompanying Docker guide](https://docs.zrok.io/docs/guides/self-hosting/docker) for more information.
|
FEATURE: A Docker Compose project for self-hosting a zrok instance and [accompanying Docker guide](https://docs.zrok.io/docs/guides/self-hosting/docker) for more information.
|
||||||
|
|
||||||
CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.
|
CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.
|
||||||
|
|
||||||
|
@ -19,11 +19,11 @@ wget https://get.openziti.io/dock/all-in-one/compose.yml
|
|||||||
wget -O ./compose.override.yml https://get.openziti.io/zrok-quick/compose.yml
|
wget -O ./compose.override.yml https://get.openziti.io/zrok-quick/compose.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
The project files provide these service containers.
|
These two Compose project files provide different service containers.
|
||||||
|
|
||||||
- `compose.yml`
|
- `compose.yml` defines the service containers for Compose profile "ziti"
|
||||||
- `quickstart`
|
- `quickstart`
|
||||||
- `compose.override.yml`
|
- `compose.override.yml` defines the service containers for Compose profile "zrok"
|
||||||
- `zrok-controller`
|
- `zrok-controller`
|
||||||
- `zrok-frontend`
|
- `zrok-frontend`
|
||||||
- `caddy`
|
- `caddy`
|
||||||
@ -99,18 +99,18 @@ You must enable each device environment with the account token obtained when the
|
|||||||
|
|
||||||
Follow [the getting started guide](/docs/getting-started#installing-the-zrok-command) to install the zrok CLI on some device and enable a zrok environment.
|
Follow [the getting started guide](/docs/getting-started#installing-the-zrok-command) to install the zrok CLI on some device and enable a zrok environment.
|
||||||
|
|
||||||
1. Enable an environment on this device with the account token from the previous step.
|
|
||||||
|
|
||||||
```bash
|
|
||||||
zrok enable heMqncCyxZcx
|
|
||||||
```
|
|
||||||
|
|
||||||
1. Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. `https://zrok.${ZROK_DNS_ZONE}`.
|
1. Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. `https://zrok.${ZROK_DNS_ZONE}`.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
zrok config set apiEndpoint https://zrok.share.example.com
|
zrok config set apiEndpoint https://zrok.share.example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
|
1. Enable an environment on this device with the account token from the previous step.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
zrok enable heMqncCyxZcx
|
||||||
|
```
|
||||||
|
|
||||||
### Firewall Configuration
|
### Firewall Configuration
|
||||||
|
|
||||||
The `quickstart` and `caddy` containers publish ports to all devices that use zrok shares. The `zrok-controller` and `zrok-frontend` containers expose ports only to the `caddy` container and the Docker host's loopback interface.
|
The `quickstart` and `caddy` containers publish ports to all devices that use zrok shares. The `zrok-controller` and `zrok-frontend` containers expose ports only to the `caddy` container and the Docker host's loopback interface.
|
||||||
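Review bot: The moved "Enable an environment" step still says "with the account token from the previous step", but after the reorder the previous step is `zrok config set apiEndpoint`, which produces no token. Reword it to point at the step where the account token is actually obtained, for example "with the account token you received when the account was created". The sample `zrok enable heMqncCyxZcx` would also be safer as an obvious placeholder, so that nobody pastes a token-shaped literal.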
@ -185,7 +185,7 @@ The `quickstart` and `caddy` containers publish ports to all devices that use zr
|
|||||||
|
|
||||||
1. Use the Caddy admin API.
|
1. Use the Caddy admin API.
|
||||||
|
|
||||||
You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port `2019/tcp` inside the Docker compose project. You can modify `compose.override.yml` to publish the port if you want to access the admin API from the Docker host or elsewhere.
|
You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port `2019/tcp` inside the Docker Compose project. You can modify `compose.override.yml` to publish the port if you want to access the admin API from the Docker host or elsewhere.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
docker compose exec caddy curl http://localhost:2019/config/ | jq
|
docker compose exec caddy curl http://localhost:2019/config/ | jq
|
||||||
|
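Review bot: The sentence about modifying `compose.override.yml` to publish `2019/tcp` "from the Docker host or elsewhere" gets only a capitalization fix here. It should also say how to publish the port safely. The endpoint in the example, `/config/`, exposes the running Caddy configuration, so the doc should recommend a loopback-only mapping in the same style as the commented controller mapping `127.0.0.1:${ZROK_CTRL_PORT:-18080}:...`, and should advise against publishing the port on a routable interface.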
@ -46,7 +46,8 @@ services:
|
|||||||
# ports:
|
# ports:
|
||||||
# - 127.0.0.1:${ZROK_CTRL_PORT:-18080}:${ZROK_CTRL_PORT:-18080}
|
# - 127.0.0.1:${ZROK_CTRL_PORT:-18080}:${ZROK_CTRL_PORT:-18080}
|
||||||
environment:
|
environment:
|
||||||
ZROK_ADMIN_PWD: ${ZROK_ADMIN_PWD} # admin account password (initial user account)
|
ZROK_USER_PWD: ${ZROK_USER_PWD} # admin account password (initial user account)
|
||||||
|
CADDY_ACME_EMAIL: ${CADDY_ACME_EMAIL} # login email address (initial user account)
|
||||||
|
|
||||||
zrok-frontend:
|
zrok-frontend:
|
||||||
profiles:
|
profiles:
|
||||||
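Review bot: `ZROK_USER_PWD` keeps the trailing comment "admin account password (initial user account)" from the variable it replaces, so the comment and the name now disagree about which credential this is. Update the comment to match the rename. Both new references are also bare `${VAR}` substitutions with no default, so an unset `ZROK_USER_PWD` reaches the container as an empty string. Using the `${ZROK_USER_PWD:?...}` form would make Compose fail early instead. Reusing `CADDY_ACME_EMAIL` as the login email couples the ACME contact to the first account, so the guide should state that explicitly.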
@ -63,7 +64,7 @@ services:
|
|||||||
ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
|
ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
|
||||||
ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
|
ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
|
||||||
ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
|
ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
|
||||||
ZROK_OAUTH_HASH_KEY: ${ZROK_OAUTH_HASH_KEY}
|
ZROK_OAUTH_HASH_KEY: ${ZROK_OAUTH_HASH_KEY-noop}
|
||||||
ZROK_OAUTH_GOOGLE_CLIENT_ID: ${ZROK_OAUTH_GOOGLE_CLIENT_ID:-noop}
|
ZROK_OAUTH_GOOGLE_CLIENT_ID: ${ZROK_OAUTH_GOOGLE_CLIENT_ID:-noop}
|
||||||
ZROK_OAUTH_GOOGLE_CLIENT_SECRET: ${ZROK_OAUTH_GOOGLE_CLIENT_SECRET:-noop}
|
ZROK_OAUTH_GOOGLE_CLIENT_SECRET: ${ZROK_OAUTH_GOOGLE_CLIENT_SECRET:-noop}
|
||||||
ZROK_OAUTH_GITHUB_CLIENT_ID: ${ZROK_OAUTH_GITHUB_CLIENT_ID:-noop}
|
ZROK_OAUTH_GITHUB_CLIENT_ID: ${ZROK_OAUTH_GITHUB_CLIENT_ID:-noop}
|
||||||
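Review bot: `${ZROK_OAUTH_HASH_KEY-noop}` uses `-` where every neighbouring line uses `:-`, so a variable that is set but empty (for example a blank `ZROK_OAUTH_HASH_KEY=` line in `.env`) passes through as an empty key instead of falling back. If that difference is intentional, add a comment saying so; otherwise use `:-` for consistency. In either case, a fixed default of `noop` for a hash key means every deployment that omits the variable shares the same known value, so the docs or the bootstrap script should require a real key whenever an OAuth client ID is configured.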
@ -113,9 +114,9 @@ services:
|
|||||||
- 443/udp # Caddy's HTTP/3 (QUIC) (not published)
|
- 443/udp # Caddy's HTTP/3 (QUIC) (not published)
|
||||||
- 2019/tcp # Caddy's admin API (not published)
|
- 2019/tcp # Caddy's admin API (not published)
|
||||||
ports:
|
ports:
|
||||||
- ${CADDY_INTERFACE}:80:80
|
- ${CADDY_INTERFACE:-0.0.0.0}:80:80
|
||||||
- ${CADDY_INTERFACE}:443:443
|
- ${CADDY_INTERFACE:-0.0.0.0}:443:443
|
||||||
# - ${CADDY_INTERFACE}:443:443/udp" # future: HTTP/3 (QUIC)
|
# - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp" # future: HTTP/3 (QUIC)
|
||||||
volumes:
|
volumes:
|
||||||
- caddy_data:/data
|
- caddy_data:/data
|
||||||
- caddy_config:/config
|
- caddy_config:/config
|
||||||
|
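Review bot: The commented HTTP/3 mapping still ends with a stray double quote (`:443:443/udp"`), which will produce an invalid port string when someone uncomments it later. Drop the quote while touching the line. The new `:-0.0.0.0` default is also IPv4-only and is the first place `CADDY_INTERFACE` gets a fallback, so a short comment on the `ports:` block should say that leaving the variable unset publishes 80 and 443 on all IPv4 interfaces.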
@ -19,6 +19,7 @@ ARG ZITI_PWD
|
|||||||
|
|
||||||
# render zrok controller config.yml
|
# render zrok controller config.yml
|
||||||
COPY ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/
|
COPY ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/
|
||||||
|
RUN chmod 0755 /usr/local/bin/envsubst.bash /usr/local/bin/bootstrap-controller.bash
|
||||||
COPY ./zrok-controller-config.yml.envsubst /tmp/
|
COPY ./zrok-controller-config.yml.envsubst /tmp/
|
||||||
RUN mkdir -p /etc/zrok-controller/
|
RUN mkdir -p /etc/zrok-controller/
|
||||||
RUN envsubst.bash \
|
RUN envsubst.bash \
|
||||||
|
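Review bot: The added `RUN chmod 0755 ...` directly after the `COPY` creates a second layer containing the same two scripts. `COPY --chmod=0755 ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/` sets the mode in a single step when the image is built with BuildKit. If the classic builder must remain supported, keep the separate `RUN` and note that reason in a comment.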
@ -21,7 +21,8 @@ ARG ZROK_OAUTH_GITHUB_CLIENT_ID
|
|||||||
ARG ZROK_OAUTH_GITHUB_CLIENT_SECRET
|
ARG ZROK_OAUTH_GITHUB_CLIENT_SECRET
|
||||||
|
|
||||||
# render zrok frontend config.yml
|
# render zrok frontend config.yml
|
||||||
COPY ./envsubst.bash /usr/local/bin/
|
COPY ./envsubst.bash ./bootstrap-frontend.bash /usr/local/bin/
|
||||||
|
RUN chmod 0755 /usr/local/bin/envsubst.bash /usr/local/bin/bootstrap-frontend.bash
|
||||||
COPY ./zrok-frontend-config.yml.envsubst /tmp/
|
COPY ./zrok-frontend-config.yml.envsubst /tmp/
|
||||||
RUN mkdir -p /etc/zrok-frontend/
|
RUN mkdir -p /etc/zrok-frontend/
|
||||||
RUN envsubst.bash \
|
RUN envsubst.bash \
|
||||||
@ -35,9 +36,6 @@ RUN envsubst.bash \
|
|||||||
ZROK_OAUTH_GITHUB_CLIENT_SECRET=${ZROK_OAUTH_GITHUB_CLIENT_SECRET} \
|
ZROK_OAUTH_GITHUB_CLIENT_SECRET=${ZROK_OAUTH_GITHUB_CLIENT_SECRET} \
|
||||||
< /tmp/zrok-frontend-config.yml.envsubst > /etc/zrok-frontend/config.yml
|
< /tmp/zrok-frontend-config.yml.envsubst > /etc/zrok-frontend/config.yml
|
||||||
|
|
||||||
# install bootstrapping script as entrypoint
|
|
||||||
COPY ./bootstrap-frontend.bash /usr/local/bin/
|
|
||||||
|
|
||||||
# run as ziggy (or ZIGGY_UID if set in compose project)
|
# run as ziggy (or ZIGGY_UID if set in compose project)
|
||||||
USER ziggy
|
USER ziggy
|
||||||
ENV HOME=/var/lib/zrok-frontend
|
ENV HOME=/var/lib/zrok-frontend
|
||||||
|
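Review bot: Not introduced by this change, but visible in the context lines: `ZROK_OAUTH_GITHUB_CLIENT_SECRET=${ZROK_OAUTH_GITHUB_CLIENT_SECRET}` is passed to `envsubst.bash` in a `RUN` step and written to `/etc/zrok-frontend/config.yml` at build time. That stores the OAuth client secret in an image layer and in the build history. Because this patch already moves `bootstrap-frontend.bash` ahead of the render step, consider rendering the config from the bootstrap script at container start instead, so that the secret comes from the runtime environment rather than from a build `ARG`.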