Change ZEROTIER_ONE_NETWORK_ID to ZEROTIER_ONE_NETWORK_IDS so more

than one network can be specified as defaults.

First cut at improved launch/tear-down so iptables entries do not get
duplicated, especially if the zerotier daemon quits because networking
has not come up properly after a reboot.

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
This commit is contained in:
Phill Kelley 2022-07-22 13:50:28 +10:00
parent 7f6239fae4
commit 9b98b470f8
No known key found for this signature in database
GPG Key ID: 73D35B58592A2E98
3 changed files with 100 additions and 29 deletions

View File

@ -99,19 +99,29 @@ The following environment variables are supported:
Defaults to `false` if omitted. Try `true` if NAT does not seem to be working.
* `ZEROTIER_ONE_NETWORK_ID` auto-join network on first launch. Example:
* `ZEROTIER_ONE_NETWORK_IDS` auto-join network(s). This variable is only effective on first launch. There is no default if it is omitted. Examples:
``` yaml
ZEROTIER_ONE_NETWORK_ID=565758596a6b6c44
```
- if using `docker run`:
This variable is only effective on first launch. There is no default if it is omitted. It is the equivalent of running the following command after the container first starts:
``` console
--env ZEROTIER_ONE_NETWORK_IDS="aaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbb"
```
- if using `docker-compose`:
``` yaml
environment:
- ZEROTIER_ONE_NETWORK_IDS=aaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbb
```
In each case, it is the equivalent of running the following commands after the container first starts:
```
$ docker exec zerotier zerotier-cli join 565758596a6b6c44
$ docker exec zerotier zerotier-cli join aaaaaaaaaaaaaaaa
$ docker exec zerotier zerotier-cli join bbbbbbbbbbbbbbbb
```
It does not matter whether you use this environment variable or the `join` command, you still need to authorize the computer in ZeroTier Central.
It does not matter whether you use this environment variable or the `join` command, you still need to authorize the computer for each network in ZeroTier Central.
#### Source

View File

@ -19,4 +19,4 @@ services:
- PGID=994
- ZEROTIER_ONE_LOCAL_PHYS=eth0
- ZEROTIER_ONE_USE_IPTABLES_NFT=false
# - ZEROTIER_ONE_NETWORK_ID=yourNetworkID
# - ZEROTIER_ONE_NETWORK_IDS=yourNetworkID

View File

@ -2,6 +2,7 @@
set -Eeo pipefail
echo "$(date) - launching ZeroTier-One in routing mode"
echo "command and args: $@"
if [ "${1:0:1}" = '-' ]; then
set -- zerotier-one "$@"
@ -9,24 +10,26 @@ fi
# useful paths
CONFIG_DIR="/var/lib/zerotier-one"
NETWORKS_DIR="$CONFIG_DIR/networks.d"
NETWORKS_DIR="${CONFIG_DIR}/networks.d"
# set up network auto-join if (a) the networks directory does not exist
# and (b) the ZEROTIER_ONE_NETWORK_ID environment variable is non-null.
if [ ! -d "$NETWORKS_DIR" -a -n "$ZEROTIER_ONE_NETWORK_ID" ] ; then
echo "Assuming container first run. Configuring auto-join of network ID:"
echo " $ZEROTIER_ONE_NETWORK_ID"
echo "You will need to authorize this host at:"
echo " https://my.zerotier.com/network/$ZEROTIER_ONE_NETWORK_ID"
mkdir -p "$NETWORKS_DIR"
touch "$NETWORKS_DIR/$ZEROTIER_ONE_NETWORK_ID.conf"
# and (b) the ZEROTIER_ONE_NETWORK_IDS environment variable is non-null.
if [ ! -d "${NETWORKS_DIR}" -a -n "${ZEROTIER_ONE_NETWORK_IDS}" ] ; then
echo "Assuming container first run."
mkdir -p "${NETWORKS_DIR}"
for NETWORK_ID in ${ZEROTIER_ONE_NETWORK_IDS} ; do
echo "Configuring auto-join of network ID: ${NETWORK_ID}"
touch "${NETWORKS_DIR}/${NETWORK_ID}.conf"
echo "You will need to authorize this host at:"
echo " https://my.zerotier.com/network/${NETWORK_ID}"
done
fi
# make sure permissions are correct
PUID="${PUID:-"999"}"
PGID="${PGID:-"994"}"
if [ "$(id -u)" = '0' -a -d "$CONFIG_DIR" ]; then
chown -Rc "$PUID:$PGID" "$CONFIG_DIR"
if [ "$(id -u)" = '0' -a -d "${CONFIG_DIR}" ]; then
chown -Rc "${PUID}:${PGID}" "${CONFIG_DIR}"
fi
# use an appropriate default for a local physical interface
@ -35,19 +38,77 @@ PHY_IFACES="${ZEROTIER_ONE_LOCAL_PHYS:-"eth0"}"
# default to iptables (maintain compatibility for existing systems)
IPTABLES_CMD=iptables
# but support override to use iptables-nft
[ "$ZEROTIER_ONE_USE_IPTABLES_NFT" = "true" ] && IPTABLES_CMD=iptables-nft
[ "${ZEROTIER_ONE_USE_IPTABLES_NFT}" = "true" ] && IPTABLES_CMD=iptables-nft
# the wildcard for the local zerotier interface is
ZT_IFACE="zt+"
# iterate the local interface(s) and enable NAT services
for PHY_IFACE in $PHY_IFACES ; do
echo "Using $IPTABLES_CMD to enable NAT services on $PHY_IFACE"
$IPTABLES_CMD -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
$IPTABLES_CMD -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES_CMD -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
done
# a script to add and remove the requisite rules - $1 is either "A" or "D"
update_iptables() {
# launch zerotier-one
exec "$@"
# iterate the local interface(s) and enable NAT services
for PHY_IFACE in ${PHY_IFACES} ; do
${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${PHY_IFACE} -j MASQUERADE
${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j ACCEPT
done
}
# add rules to set up routing
echo "Using ${IPTABLES_CMD} to enable NAT services on ${PHY_IFACES}"
update_iptables "A"
# define where the ZeroTier daemon will write its output (if any)
PIPE=$(mktemp /tmp/zerotier-ipc-XXXXXX)
# start listening and echoing anything that appears there into this process
tail -f "${PIPE}" &
# make a note of the process ID for tail
TAIL_PIPE_PID=${!}
# report
echo "tail has started with PID=${TAIL_PIPE_PID} listening to ${PIPE}"
# now start the ZeroTier daemon in detached state
nohup "$@" </dev/null >"${PIPE}" 2>&1 &
# make a note of the process ID
ZEROTIER_DAEMON_PID=${!}
# report
echo "ZeroTier daemon has PID ${ZEROTIER_DAEMON_PID}"
echo "Setting up trap"
trap 'echo "**INT" ; kill -TERM ${ZEROTIER_DAEMON_PID}' INT
trap 'echo "**TERM" ; kill -TERM ${ZEROTIER_DAEMON_PID}' TERM
trap 'echo "**HUP" ; kill -TERM ${ZEROTIER_DAEMON_PID}' HUP
trap 'echo "**EXIT-nohandler"' EXIT
trap 'echo "**ABRT-nohandler"' ABRT
trap 'echo "**QUIT-nohandler"' QUIT
trap 'echo "**TRAP-nohandler"' TRAP
echo "now waiting on ZeroTier daemon"
wait ${ZEROTIER_DAEMON_PID}
echo "the ZeroTier daemon has gone away - cleaning up"
# kill the tail listener
echo "Killing tail listener"
kill -TERM ${TAIL_PIPE_PID}
# wait for it to go away
echo "Waiting for tail listener to go away"
wait ${TAIL_PIPE_PID}
# which means we are done with the pipe
echo "removing pipe"
rm "${PIPE}"
# remove rules used to set up routing
echo "Using ${IPTABLES_CMD} to disable NAT services on ${PHY_IFACES}"
update_iptables "D"
# using the sigterm is a normal exit for us so exit with 0
echo "all done"