Running ZeroTier in a Docker Container

Created by Grant Limberg
Last updated: Nov 05, 2018

ZeroTier One makes ZeroTier virtual networks available as 'tap' virtual network ports. To do this inside a Docker container requires a few elevated permissions and access to the /dev/net/tun device.

Fortunately this is easy:

(SYS_ADMIN is needed because NET_ADMIN does not include the ioctl() required to put /dev/net/tun in tap mode. IMHO this is a bug in Linux's capability model but it would have to be fixed upstream.)

Here's a transcript of an example session where we start a command prompt in a test container, install ZeroTier One, start it (must be done manually here because the container does not run init or systemd), join a test network, and ping something.