Running ZeroTier in a Docker Container
ZeroTier One makes ZeroTier virtual networks available as 'tap' virtual network ports. To do this inside a Docker container requires a few elevated permissions and access to the /dev/net/tun device.
Fortunately this is easy:
docker run -it --rm --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun centos:7 [... command ...]
(SYS_ADMIN is needed because NET_ADMIN does not include the ioctl() required to put /dev/net/tun in tap mode. IMHO this is a bug in Linux's capability model but it would have to be fixed upstream.)
Here's a transcript of an example session where we start a command prompt in a test container, install ZeroTier One, start it (must be done manually here because the container does not run init or systemd), join a test network, and ping something.
# docker run -it --rm --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun centos:7 /bin/bash
[root@5b88595860bc /]# curl https://install.zerotier.com/ | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12243  100 12243    0     0  18523      0 --:--:-- --:--:-- --:--:-- 18550
*** ZeroTier One Quick Install for Unix-like Systems
*** Supported targets for this script:
***   MacOS (10.7+) on x86_64 (just installs ZeroTier One.pkg)
***   Linux / Debian (wheezy or newer) on i386, x86_64, and armhf (Raspbian/jessie only)
***   Linux / Ubuntu (trusty or newer) on i386 and x86_64
***   Linux / SuSE (12+) on i386 and x86_64
***   Linux / CentOS (6+) on i386 and x86_64
***   Linux / Fedora (22+) on i386 and x86_64
***   Linux / Amazon (2016.03+) on x86_64
*** Please report problems to contact@zerotier.com and we will try to fix ASAP!
*** Detecting Linux Distribution
*** Found RHEL/CentOS, creating /etc/yum.repos.d/zerotier.repo
*** Installing zerotier-one package...
[ ... snipped a bunch of yum install output ...]
*** Enabling and starting zerotier-one service...
Created symlink from /etc/systemd/system/multi-user.target.wants/zerotier-one.service to /usr/lib/systemd/system/zerotier-one.service.
Failed to get D-Bus connection: Operation not permitted
*** Package installed but cannot start service! You may be in a Docker
*** container or using a non-standard init service.
[root@5b88595860bc /]# /usr/sbin/zerotier-one -d
[root@5b88595860bc /]# /usr/sbin/zerotier-cli join 8056c2e21c000001
200 join OK
[root@5b88595860bc /]# /usr/sbin/zerotier-cli listnetworks
200 listnetworks
200 listnetworks 8056c2e21c000001 - 02:e6:10:ab:69:33 REQUESTING_CONFIGURATION PRIVATE zt0 -
[root@5b88595860bc /]# /usr/sbin/zerotier-cli listnetworks
200 listnetworks
200 listnetworks 8056c2e21c000001 earth.zerotier.net 02:e6:10:ab:69:33 OK PUBLIC zt0 fd80:56c2:e21c:0000:0199:93e6:10b7:8bf1/88,28.183.140.10/7
[root@5b88595860bc /]# ping earth.zerotier.net
PING earth.zerotier.net (29.209.112.93) 56(84) bytes of data.
64 bytes from 29.209.112.93: icmp_seq=1 ttl=64 time=12.7 ms
64 bytes from 29.209.112.93: icmp_seq=2 ttl=64 time=13.1 ms
64 bytes from 29.209.112.93: icmp_seq=3 ttl=64 time=17.2 ms
64 bytes from 29.209.112.93: icmp_seq=4 ttl=64 time=17.4 ms
^C
--- earth.zerotier.net ping statistics ---
10 packets transmitted, 6 received, +4 errors, 40% packet loss, time 9046ms
rtt min/avg/max/mdev = 12.777/15.016/17.444/2.080 ms, pipe 4
[root@5b88595860bc /]# exit
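The manual session above, as an added entrypoint script that is not part of this article or of ZeroTier's own code: it checks up front that the container actually has /dev/net/tun and the NET_ADMIN and SYS_ADMIN capabilities, starts the daemon (there is no init or systemd to do it), joins the network, and polls `zerotier-cli listnetworks` until the status column reads OK instead of REQUESTING_CONFIGURATION. The binary paths and the listnetworks column layout are taken from the transcript; the sample output embedded for offline testing is copied from it; the environment variables ZT_RUN, ZT_WAIT_SECS, ZT_CLI and ZT_DAEMON are hypothetical names chosen here. The capability bit numbers (CAP_NET_ADMIN = 12, CAP_SYS_ADMIN = 21) are the kernel's.

```shell
#!/bin/sh
# Added example, not code from the ZeroTier article: a container entrypoint that
# automates the manual session (start the daemon, join, wait for status OK).
# Assumptions: zerotier-one/zerotier-cli paths and listnetworks output layout as
# shown in the article's transcript; ZT_RUN, ZT_WAIT_SECS, ZT_CLI and ZT_DAEMON
# are hypothetical environment variables chosen for this script.
# Capability bit numbers are the kernel's: CAP_NET_ADMIN=12, CAP_SYS_ADMIN=21.

ZT_CLI="${ZT_CLI:-/usr/sbin/zerotier-cli}"
ZT_DAEMON="${ZT_DAEMON:-/usr/sbin/zerotier-one}"

# Sample `zerotier-cli listnetworks` output copied from the article's transcript,
# so the parsing functions can be exercised without a running daemon.
# Columns: 200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <assigned ips>
SAMPLE_PENDING='200 listnetworks
200 listnetworks 8056c2e21c000001 - 02:e6:10:ab:69:33 REQUESTING_CONFIGURATION PRIVATE zt0 -'
SAMPLE_LISTNETWORKS='200 listnetworks
200 listnetworks 8056c2e21c000001 earth.zerotier.net 02:e6:10:ab:69:33 OK PUBLIC zt0 fd80:56c2:e21c:0000:0199:93e6:10b7:8bf1/88,28.183.140.10/7'

# zt_network_status <listnetworks-output> <network-id>
# Prints the status column (REQUESTING_CONFIGURATION, OK, ...) for one network;
# returns 1 and prints nothing if that network is not listed.
zt_network_status() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "200" && $2 == "listnetworks" && $3 == id { print $6; found = 1 }
        END { exit(found ? 0 : 1) }'
}

# zt_network_ips <listnetworks-output> <network-id>
# Prints the comma-separated ZeroTier-assigned addresses ("-" while unassigned).
zt_network_ips() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "200" && $2 == "listnetworks" && $3 == id { print $9 }'
}

# zt_cap_has <hex-capability-mask> <capability-number>
# Returns 0 when that bit is set in a mask such as the CapEff line of /proc/self/status.
zt_cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# zt_preflight: fail early, naming the docker run flag that is missing, instead
# of letting zerotier-one fail later on the tap-mode ioctl.
zt_preflight() {
    if [ ! -c /dev/net/tun ]; then
        echo "missing /dev/net/tun: run the container with --device=/dev/net/tun" >&2
        return 1
    fi
    mask="$(awk '/^CapEff:/ { print $2 }' /proc/self/status)"
    for cap in 12:NET_ADMIN 21:SYS_ADMIN; do
        if ! zt_cap_has "$mask" "${cap%%:*}"; then
            echo "missing CAP_${cap#*:}: run the container with --cap-add=${cap#*:}" >&2
            return 1
        fi
    done
}

# zt_main <network-id> [command...]
# Starts the daemon (no init/systemd in the container), joins the network, polls
# listnetworks until the status is OK, then execs the remaining command if any.
zt_main() {
    nwid="$1"; shift
    zt_preflight || return 1
    "$ZT_DAEMON" -d || return 1
    sleep 2                                   # give the daemon time to create its API socket
    "$ZT_CLI" join "$nwid" || return 1
    i=0; status=""
    while [ "$i" -lt "${ZT_WAIT_SECS:-60}" ]; do
        out="$("$ZT_CLI" listnetworks 2>/dev/null)"
        status="$(zt_network_status "$out" "$nwid")"
        if [ "$status" = "OK" ]; then
            echo "joined $nwid, addresses: $(zt_network_ips "$out" "$nwid")"
            if [ $# -gt 0 ]; then exec "$@"; fi
            return 0
        fi
        sleep 1; i=$((i + 1))
    done
    echo "timed out waiting for $nwid (last status: ${status:-not listed})" >&2
    return 1
}

# Only act as an entrypoint when explicitly asked, e.g.
#   ZT_RUN=1 ./zt-entrypoint.sh 8056c2e21c000001 /bin/bash
if [ "${ZT_RUN:-0}" = 1 ]; then zt_main "$@"; fi
```

Because `--cap-add` adds to Docker's default capability set, a container that only needs these two can be started with `--cap-drop=ALL --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun`; SYS_ADMIN is a broad capability, so keeping the rest of the container minimal matters. `zt_preflight` reads the effective capability set of the shell, which is the set the daemon inherits, so its error messages point at the exact flag that was left off the docker run line.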