Running ZeroTier in a Docker Container

Created by Grant Limberg
Last updated: Nov 05, 2018

ZeroTier One makes ZeroTier virtual networks available as 'tap' virtual network ports. To do this inside a Docker container requires a few elevated permissions and access to the /dev/net/tun device.

Fortunately this is easy:

docker run -it --rm --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun centos:7 [... command ...]

(SYS_ADMIN is needed because NET_ADMIN does not include the ioctl() required to put /dev/net/tun in tap mode. IMHO this is a bug in Linux's capability model but it would have to be fixed upstream.)

Here's a transcript of an example session where we start a command prompt in a test container, install ZeroTier One, start it (must be done manually here because the container does not run init or systemd), join a test network, and ping something.

# docker run -it --rm --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun centos:7 /bin/bash

[root@5b88595860bc /]# curl https://install.zerotier.com/ | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12243  100 12243    0     0  18523      0 --:--:-- --:--:-- --:--:-- 18550

*** ZeroTier One Quick Install for Unix-like Systems

*** Supported targets for this script:
***    MacOS (10.7+) on x86_64 (just installs ZeroTier One.pkg)
***    Linux / Debian (wheezy or newer) on i386, x86_64, and armhf (Raspbian/jessie only)
***    Linux / Ubuntu (trusty or newer) on i386 and x86_64
***    Linux / SuSE (12+) on i386 and x86_64
***    Linux / CentOS (6+) on i386 and x86_64
***    Linux / Fedora (22+) on i386 and x86_64
***    Linux / Amazon (2016.03+) on x86_64

*** Please report problems to contact@zerotier.com and we will try to fix ASAP!

*** Detecting Linux Distribution

*** Found RHEL/CentOS, creating /etc/yum.repos.d/zerotier.repo

*** Installing zerotier-one package...
[ ... snipped a bunch of yum install output ...]

*** Enabling and starting zerotier-one service...
Created symlink from /etc/systemd/system/multi-user.target.wants/zerotier-one.service to /usr/lib/systemd/system/zerotier-one.service.
Failed to get D-Bus connection: Operation not permitted

*** Package installed but cannot start service! You may be in a Docker
*** container or using a non-standard init service.

[root@5b88595860bc /]# /usr/sbin/zerotier-one -d
[root@5b88595860bc /]# /usr/sbin/zerotier-cli join 8056c2e21c000001
200 join OK
[root@5b88595860bc /]# /usr/sbin/zerotier-cli listnetworks         
200 listnetworks       
200 listnetworks 8056c2e21c000001 - 02:e6:10:ab:69:33 REQUESTING_CONFIGURATION PRIVATE zt0 -
[root@5b88595860bc /]# /usr/sbin/zerotier-cli listnetworks
200 listnetworks       
200 listnetworks 8056c2e21c000001 earth.zerotier.net 02:e6:10:ab:69:33 OK PUBLIC zt0 fd80:56c2:e21c:0000:0199:93e6:10b7:8bf1/88,28.183.140.10/7
[root@5b88595860bc /]# ping earth.zerotier.net
PING earth.zerotier.net (29.209.112.93) 56(84) bytes of data.
64 bytes from 29.209.112.93: icmp_seq=1 ttl=64 time=12.7 ms
64 bytes from 29.209.112.93: icmp_seq=2 ttl=64 time=13.1 ms
64 bytes from 29.209.112.93: icmp_seq=3 ttl=64 time=17.2 ms
64 bytes from 29.209.112.93: icmp_seq=4 ttl=64 time=17.4 ms
^C
--- earth.zerotier.net ping statistics ---
10 packets transmitted, 6 received, +4 errors, 40% packet loss, time 9046ms
rtt min/avg/max/mdev = 12.777/15.016/17.444/2.080 ms, pipe 4
[root@5b88595860bc /]# exit