
Docker + ZeroTier = <3


Docker + ZeroTier

This GitHub project explores how ZeroTier can be used to simplify communication with and across Docker containers.

Benefits from ZeroTier to Docker:

- virtual routing between your cloud and on-premises infrastructure
- service discovery mechanisms keep working, including those that rely on multicast/broadcast

Benefits from Docker to ZeroTier:

- connect to open networks without compromising your host (a.k.a. Network Condom)

Running

Let's start by checking that the zerotier image works.

For this we launch the container in the foreground, passing Docker's "--rm" flag so that it is cleaned up when we kill it.

Docker versions before 1.2.0 need the "--privileged" flag to give ZeroTier access to the TUN device. Note that "--privileged" hands the container every host device and every capability, far more than ZeroTier needs; prefer the narrower "--device" plus "--cap-add" form below wherever your Docker version supports it.

docker run --rm --privileged=true nesrait/zerotier

Docker 1.2.0 and later:

docker run --rm --device=/dev/net/tun --cap-add=NET_ADMIN nesrait/zerotier

See the Docker run reference for more details about "--cap-add".

The output should show that the zerotier-one service is running as expected, but it is not very clear how to use it. We could have installed an SSH server inside the container to enter the running container and interact with ZeroTier, but that would mean a more bloated image and extra attack surface (an SSH daemon, its host keys and its configuration to maintain). Check out the "Docker+SSH is Bad" topic.

Instead of connecting to the running container via SSH we will use nsinit, through the docker-nsinit wrapper used in the commands below. To install it follow these instructions.

Kill the container running in the foreground and run it again as a daemon by passing the "-d" flag.

Docker before 1.2.0:

ZTCONTAINER=$(docker run -d --privileged=true nesrait/zerotier)

Docker 1.2.0 and later:

ZTCONTAINER=$(docker run -d --device=/dev/net/tun --cap-add=NET_ADMIN nesrait/zerotier)

We store the container id in the ZTCONTAINER shell variable because docker-nsinit needs it in the commands that follow.

With the container running go ahead and join the Planet Earth public network:

docker-nsinit $ZTCONTAINER zerotier-cli join 8056c2e21c000001

After a few seconds a new network interface should show up:

docker-nsinit $ZTCONTAINER ifconfig zt0

Now check out the earth homepage!

docker-nsinit $ZTCONTAINER curl http://earth.zerotier.net/

Note: if you're joining a private network you need to visit your ZeroTier admin backend and authorize the new node. Only then will it receive an IP address and join the network.

Next Steps

  1. Create a wrapper script that checks whether the ZTNETWORK environment variable is set when the container is launched and, if so, joins that network immediately.
  2. ?
  3. Profit

Issues

  1. After joining, no new network interface appears as expected:

An interface called 'zt0' should appear and should get an IP address in the 28.0.0.0/7 range (28.* or 29.*) within a few seconds or so. Then try pinging earth.zerotier.net or navigating to http://earth.zerotier.net/ in a web browser.

This is related to Linux Gotcha #1:

If you cannot join networks, check to make sure the tun kernel module is available or tun/tap support is compiled into the kernel.

Resources on "TUN/TAP device not available inside docker container"
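The wrapper script from "Next Steps" item 1, combined with a preflight check for the TUN gotcha above, as an added example that is not part of the nesrait/zerotier image. It assumes the image provides the stock zerotier-one and zerotier-cli binaries, that the interface is named zt0 as on this page, and that ip or ifconfig is available in the container; the script name, the "start" argument and the ZT_HOME/ZT_IFACE variables are hypothetical.

```shell
#!/bin/sh
# zt-entrypoint.sh: hypothetical entrypoint for a ZeroTier container (added example).
# Usage inside the image: ENTRYPOINT ["/zt-entrypoint.sh", "start"]
# Then: docker run -d --device=/dev/net/tun --cap-add=NET_ADMIN -e ZTNETWORK=8056c2e21c000001 <image>
set -eu

ZT_HOME="${ZT_HOME:-/var/lib/zerotier-one}"   # assumed zerotier-one data directory
ZT_IFACE="${ZT_IFACE:-zt0}"                   # interface name used on this page

# A ZeroTier network ID is 16 hex digits (Earth is 8056c2e21c000001).
# Validating it keeps a bad -e ZTNETWORK=... from reaching zerotier-cli.
is_network_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{16}$'
}

# Linux Gotcha #1: without the TUN device a join never produces an interface.
# Fail loudly at startup instead of leaving the reader to wonder about zt0.
check_tun() {
    if [ ! -c /dev/net/tun ]; then
        echo "zt-entrypoint: /dev/net/tun is not available in this container;" >&2
        echo "  start with --device=/dev/net/tun --cap-add=NET_ADMIN (Docker >= 1.2.0)" >&2
        echo "  or --privileged=true (older Docker), and check the tun module on the host" >&2
        return 1
    fi
}

# True if interface $1 carries an IPv4 address. Tries ip(8) first and falls
# back to ifconfig, since minimal images ship one or the other.
has_ipv4() {
    { ip -4 -o addr show dev "$1" 2>/dev/null || ifconfig "$1" 2>/dev/null; } | grep -q 'inet '
}

# Poll until interface $1 has an IPv4 address or $2 seconds have passed.
wait_for_ipv4() {
    iface="$1"; timeout="$2"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if has_ipv4 "$iface"; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

main() {
    check_tun

    zerotier-one "$ZT_HOME" &
    zt_pid=$!
    # Forward container stop signals to the daemon so "docker stop" is clean.
    trap 'kill "$zt_pid" 2>/dev/null' TERM INT

    # zerotier-cli talks to the daemon over its local control socket; give the
    # daemon a moment to come up before issuing the join.
    n=0
    until zerotier-cli info >/dev/null 2>&1 || [ "$n" -ge 15 ]; do
        sleep 1
        n=$((n + 1))
    done

    if [ -n "${ZTNETWORK:-}" ]; then
        if ! is_network_id "$ZTNETWORK"; then
            echo "zt-entrypoint: ZTNETWORK='$ZTNETWORK' is not a 16-hex-digit network ID" >&2
            kill "$zt_pid" 2>/dev/null
            exit 2
        fi
        zerotier-cli join "$ZTNETWORK"
        if wait_for_ipv4 "$ZT_IFACE" 30; then
            echo "zt-entrypoint: joined $ZTNETWORK, $ZT_IFACE is up"
        else
            # On a private network this is expected until the node is authorized
            # in the ZeroTier admin backend; on a public one it points at TUN trouble.
            echo "zt-entrypoint: $ZT_IFACE got no address within 30s;" >&2
            echo "  authorize the node on a private network, or check the tun module" >&2
        fi
    fi

    # Stay in the foreground so the container lives as long as zerotier-one does.
    wait "$zt_pid"
}

if [ "${1:-}" = "start" ]; then
    main
fi
```

Joining from the entrypoint removes the need to reach into the container with docker-nsinit for the common case, and the preflight turns the silent "no zt0" failure in the Issues section into an error message at container start.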