correct and document Docker quickstart

Kenneth Bingham 2024-04-26 11:58:14 -04:00
parent a9c87ce1fe
commit 1a4c30a40e
No known key found for this signature in database
GPG Key ID: 31709281860130B6
5 changed files with 20 additions and 20 deletions

View File

@ -2,7 +2,7 @@
## v0.4.28 ## v0.4.28
FEATURE: A minimal Docker Compose project for self-hosting a zrok instance and [accompanying Docker guide](https://docs.zrok.io/docs/guides/self-hosting/docker) for more information. FEATURE: A Docker Compose project for self-hosting a zrok instance and [accompanying Docker guide](https://docs.zrok.io/docs/guides/self-hosting/docker) for more information.
CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container. CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.

View File

@ -19,11 +19,11 @@ wget https://get.openziti.io/dock/all-in-one/compose.yml
wget -O ./compose.override.yml https://get.openziti.io/zrok-quick/compose.yml wget -O ./compose.override.yml https://get.openziti.io/zrok-quick/compose.yml
``` ```
The project files provide these service containers. These two Compose project files provide different service containers.
- `compose.yml` - `compose.yml` defines the service containers for Compose profile "ziti"
- `quickstart` - `quickstart`
- `compose.override.yml` - `compose.override.yml` defines the service containers for Compose profile "zrok"
- `zrok-controller` - `zrok-controller`
- `zrok-frontend` - `zrok-frontend`
- `caddy` - `caddy`
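Review bot: the new intro says the two files define service containers for different Compose profiles (`ziti` in `compose.yml`, `zrok` in `compose.override.yml`), but nothing in the list says how a profile is activated; add a sentence naming `COMPOSE_PROFILES` or `--profile`, otherwise a reader running a plain `docker compose up` will not get the profiled services.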
@ -99,18 +99,18 @@ You must enable each device environment with the account token obtained when the
Follow [the getting started guide](/docs/getting-started#installing-the-zrok-command) to install the zrok CLI on some device and enable a zrok environment. Follow [the getting started guide](/docs/getting-started#installing-the-zrok-command) to install the zrok CLI on some device and enable a zrok environment.
1. Enable an environment on this device with the account token from the previous step.
```bash
zrok enable heMqncCyxZcx
```
1. Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. `https://zrok.${ZROK_DNS_ZONE}`. 1. Configure the environment with the zrok API. Substitute the API endpoint with the one you're using, e.g. `https://zrok.${ZROK_DNS_ZONE}`.
```bash ```bash
zrok config set apiEndpoint https://zrok.share.example.com zrok config set apiEndpoint https://zrok.share.example.com
``` ```
1. Enable an environment on this device with the account token from the previous step.
```bash
zrok enable heMqncCyxZcx
```
### Firewall Configuration ### Firewall Configuration
The `quickstart` and `caddy` containers publish ports to all devices that use zrok shares. The `zrok-controller` and `zrok-frontend` containers expose ports only to the `caddy` container and the Docker host's loopback interface. The `quickstart` and `caddy` containers publish ports to all devices that use zrok shares. The `zrok-controller` and `zrok-frontend` containers expose ports only to the `caddy` container and the Docker host's loopback interface.
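Review bot: the reorder is the right fix, since `zrok enable` needs the `apiEndpoint` configured in the preceding step; say that dependency in the enable step itself (e.g. "after setting the API endpoint above") so a reader who skims does not run it first against the default endpoint. Also `zrok enable heMqncCyxZcx` should read as an obvious placeholder, e.g. `zrok enable <account-token>`, so the sample value is not copied literally.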
@ -185,7 +185,7 @@ The `quickstart` and `caddy` containers publish ports to all devices that use zr
1. Use the Caddy admin API. 1. Use the Caddy admin API.
You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port `2019/tcp` inside the Docker compose project. You can modify `compose.override.yml` to publish the port if you want to access the admin API from the Docker host or elsewhere. You can use the Caddy admin API to check the status of the Caddy instance. The admin API is available on port `2019/tcp` inside the Docker Compose project. You can modify `compose.override.yml` to publish the port if you want to access the admin API from the Docker host or elsewhere.
```bash ```bash
docker compose exec caddy curl http://localhost:2019/config/ | jq docker compose exec caddy curl http://localhost:2019/config/ | jq
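Review bot: the sentence inviting readers to publish the admin API port should say how to do it safely: bind `2019/tcp` to the loopback address in the same way the controller port is already handled in `compose.override.yml` (`127.0.0.1:${ZROK_CTRL_PORT:-18080}:...`), since the admin API can reconfigure the proxy and "or elsewhere" reads as an invitation to expose it on all interfaces.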

View File

@ -46,7 +46,8 @@ services:
# ports: # ports:
# - 127.0.0.1:${ZROK_CTRL_PORT:-18080}:${ZROK_CTRL_PORT:-18080} # - 127.0.0.1:${ZROK_CTRL_PORT:-18080}:${ZROK_CTRL_PORT:-18080}
environment: environment:
ZROK_ADMIN_PWD: ${ZROK_ADMIN_PWD} # admin account password (initial user account) ZROK_USER_PWD: ${ZROK_USER_PWD} # admin account password (initial user account)
CADDY_ACME_EMAIL: ${CADDY_ACME_EMAIL} # login email address (initial user account)
zrok-frontend: zrok-frontend:
profiles: profiles:
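Review bot: the comment on the renamed line still reads `admin account password (initial user account)`, so after the rename to `ZROK_USER_PWD` it is unclear whether this is the admin password or the initial user's password; update the comment to match the new variable. Also `${ZROK_USER_PWD}` with no modifier expands to an empty string when the variable is unset, so the controller would be bootstrapped with an empty password; `${ZROK_USER_PWD:?}` makes Compose refuse to start until it is set, which is the safer failure mode for a credential.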
@ -63,7 +64,7 @@ services:
ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io" ZROK_DNS_ZONE: ${ZROK_DNS_ZONE} # e.g., "example.com" or "127.0.0.1.sslip.io"
ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080} ZROK_FRONTEND_PORT: ${ZROK_FRONTEND_PORT:-8080}
ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081} ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
ZROK_OAUTH_HASH_KEY: ${ZROK_OAUTH_HASH_KEY} ZROK_OAUTH_HASH_KEY: ${ZROK_OAUTH_HASH_KEY-noop}
ZROK_OAUTH_GOOGLE_CLIENT_ID: ${ZROK_OAUTH_GOOGLE_CLIENT_ID:-noop} ZROK_OAUTH_GOOGLE_CLIENT_ID: ${ZROK_OAUTH_GOOGLE_CLIENT_ID:-noop}
ZROK_OAUTH_GOOGLE_CLIENT_SECRET: ${ZROK_OAUTH_GOOGLE_CLIENT_SECRET:-noop} ZROK_OAUTH_GOOGLE_CLIENT_SECRET: ${ZROK_OAUTH_GOOGLE_CLIENT_SECRET:-noop}
ZROK_OAUTH_GITHUB_CLIENT_ID: ${ZROK_OAUTH_GITHUB_CLIENT_ID:-noop} ZROK_OAUTH_GITHUB_CLIENT_ID: ${ZROK_OAUTH_GITHUB_CLIENT_ID:-noop}
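Review bot: `${ZROK_OAUTH_HASH_KEY-noop}` uses the `-` form while every neighbouring line uses `:-noop`, so a set-but-empty value passes through as empty instead of falling back; the inconsistency looks unintentional. More importantly, a hash key that silently defaults to the literal `noop` is a fixed, publicly known value if OAuth is later enabled; prefer `${ZROK_OAUTH_HASH_KEY:?}` or have the frontend refuse to enable OAuth while the default is in effect.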
@ -113,9 +114,9 @@ services:
- 443/udp # Caddy's HTTP/3 (QUIC) (not published) - 443/udp # Caddy's HTTP/3 (QUIC) (not published)
- 2019/tcp # Caddy's admin API (not published) - 2019/tcp # Caddy's admin API (not published)
ports: ports:
- ${CADDY_INTERFACE}:80:80 - ${CADDY_INTERFACE:-0.0.0.0}:80:80
- ${CADDY_INTERFACE}:443:443 - ${CADDY_INTERFACE:-0.0.0.0}:443:443
# - ${CADDY_INTERFACE}:443:443/udp" # future: HTTP/3 (QUIC) # - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp" # future: HTTP/3 (QUIC)
volumes: volumes:
- caddy_data:/data - caddy_data:/data
- caddy_config:/config - caddy_config:/config
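Review bot: the commented-out HTTP/3 line `# - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp"` carries a stray trailing `"` that will make the YAML invalid the moment someone uncomments it; drop the quote now. Defaulting `CADDY_INTERFACE` to `0.0.0.0` matches the docs' statement that the `caddy` container publishes to all devices, but the Firewall Configuration section should name `CADDY_INTERFACE` as the variable to set to a single address when that is not wanted.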

View File

@ -19,6 +19,7 @@ ARG ZITI_PWD
# render zrok controller config.yml # render zrok controller config.yml
COPY ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/ COPY ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/
RUN chmod 0755 /usr/local/bin/envsubst.bash /usr/local/bin/bootstrap-controller.bash
COPY ./zrok-controller-config.yml.envsubst /tmp/ COPY ./zrok-controller-config.yml.envsubst /tmp/
RUN mkdir -p /etc/zrok-controller/ RUN mkdir -p /etc/zrok-controller/
RUN envsubst.bash \ RUN envsubst.bash \
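Review bot: `RUN chmod 0755 ...` immediately after `COPY` adds an image layer only to fix file modes; `COPY --chmod=0755 ./envsubst.bash ./bootstrap-controller.bash /usr/local/bin/` does the same in one step (requires BuildKit) and makes the executable bit independent of the checkout's file modes, which is the problem this hunk appears to be fixing.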

View File

@ -21,7 +21,8 @@ ARG ZROK_OAUTH_GITHUB_CLIENT_ID
ARG ZROK_OAUTH_GITHUB_CLIENT_SECRET ARG ZROK_OAUTH_GITHUB_CLIENT_SECRET
# render zrok frontend config.yml # render zrok frontend config.yml
COPY ./envsubst.bash /usr/local/bin/ COPY ./envsubst.bash ./bootstrap-frontend.bash /usr/local/bin/
RUN chmod 0755 /usr/local/bin/envsubst.bash /usr/local/bin/bootstrap-frontend.bash
COPY ./zrok-frontend-config.yml.envsubst /tmp/ COPY ./zrok-frontend-config.yml.envsubst /tmp/
RUN mkdir -p /etc/zrok-frontend/ RUN mkdir -p /etc/zrok-frontend/
RUN envsubst.bash \ RUN envsubst.bash \
@ -35,9 +36,6 @@ RUN envsubst.bash \
ZROK_OAUTH_GITHUB_CLIENT_SECRET=${ZROK_OAUTH_GITHUB_CLIENT_SECRET} \ ZROK_OAUTH_GITHUB_CLIENT_SECRET=${ZROK_OAUTH_GITHUB_CLIENT_SECRET} \
< /tmp/zrok-frontend-config.yml.envsubst > /etc/zrok-frontend/config.yml < /tmp/zrok-frontend-config.yml.envsubst > /etc/zrok-frontend/config.yml
# install bootstrapping script as entrypoint
COPY ./bootstrap-frontend.bash /usr/local/bin/
# run as ziggy (or ZIGGY_UID if set in compose project) # run as ziggy (or ZIGGY_UID if set in compose project)
USER ziggy USER ziggy
ENV HOME=/var/lib/zrok-frontend ENV HOME=/var/lib/zrok-frontend
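Review bot: removing the separate `COPY ./bootstrap-frontend.bash` is consistent with the consolidated `COPY` earlier in this file, but the deleted comment `# install bootstrapping script as entrypoint` was the only place stating that `bootstrap-frontend.bash` is the image's entrypoint; carry that comment over to the consolidated `COPY` line so the purpose of the script stays documented.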