summaryrefslogtreecommitdiff
path: root/examples/docker
diff options
context:
space:
mode:
authorAdam Ierymenko <adam.ierymenko@gmail.com>2015-10-09 10:14:20 -0700
committerAdam Ierymenko <adam.ierymenko@gmail.com>2015-10-09 10:14:20 -0700
commitc2bbec2f050da996f660f2ae28b365330ebff633 (patch)
tree2e4035e44637631c6034a7756ac917fc5d17ae79 /examples/docker
parent0c498556d5b11c101d2b18cf85cff2d53aa97d58 (diff)
downloadinfinitytier-c2bbec2f050da996f660f2ae28b365330ebff633.tar.gz
infinitytier-c2bbec2f050da996f660f2ae28b365330ebff633.zip
Docker example (and useful for testing)
Diffstat (limited to 'examples/docker')
-rw-r--r--examples/docker/Dockerfile19
-rw-r--r--examples/docker/README.md8
-rw-r--r--examples/docker/main.sh25
3 files changed, 52 insertions, 0 deletions
diff --git a/examples/docker/Dockerfile b/examples/docker/Dockerfile
new file mode 100644
index 00000000..a4274924
--- /dev/null
+++ b/examples/docker/Dockerfile
@@ -0,0 +1,19 @@
+FROM centos:7
+
+MAINTAINER https://www.zerotier.com/
+
+RUN yum -y update && yum clean all
+
+EXPOSE 9993/udp
+
+RUN mkdir -p /var/lib/zerotier-one
+RUN mkdir -p /var/lib/zerotier-one/networks.d
+RUN ln -sf /var/lib/zerotier-one/zerotier-one /usr/local/bin/zerotier-cli
+RUN ln -sf /var/lib/zerotier-one/zerotier-one /usr/local/bin/zerotier-idtool
+
+ADD zerotier-one /var/lib/zerotier-one/
+
+ADD main.sh /
+RUN chmod a+x /main.sh
+
+CMD ["./main.sh"]
diff --git a/examples/docker/README.md b/examples/docker/README.md
new file mode 100644
index 00000000..4dae52f3
--- /dev/null
+++ b/examples/docker/README.md
@@ -0,0 +1,8 @@
+Simple Dockerfile Example
+======
+
+This is a simple Docker example using ZeroTier One in normal tun/tap mode. It uses a Dockerfile to build an image containing ZeroTier One and a main.sh that launches it with an identity supplied via the Docker environment via the ZEROTIER\_IDENTITY\_SECRET and ZEROTIER\_NETWORK variables. The Dockerfile assumes that the zerotier-one binary is in the build folder.
+
+This is not a very secure way to load an identity secret, but it's useful for testing since it allows you to repeatedly launch Docker containers with the same identity. For production we'd recommend using something like Hashicorp Vault, or modifying main.sh to leave identities unspecified and allow the container to generate a new identity at runtime. Then you could script approval of containers using the controller API, approving them as they launch, etc. (We are working on better ways of doing mass provisioning.)
+
+To use in normal tun/tap mode with Docker, containers must be run with the options "--device=/dev/net/tun --cap-add=NET_ADMIN". The main.sh script supplied here will complain and exit if these options are not present (no /dev/net/tun device).
diff --git a/examples/docker/main.sh b/examples/docker/main.sh
new file mode 100644
index 00000000..e9febb13
--- /dev/null
+++ b/examples/docker/main.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+export PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin
+
+if [ ! -c "/dev/net/tun" ]; then
+ echo 'FATAL: must be docker run with: --device=/dev/net/tun --cap-add=NET_ADMIN'
+ exit 1
+fi
+
+if [ -z "$ZEROTIER_IDENTITY_SECRET" ]; then
+ echo 'FATAL: ZEROTIER_IDENTITY_SECRET not set -- aborting!'
+ exit 1
+fi
+
+if [ -z "$ZEROTIER_NETWORK" ]; then
+ echo 'Warning: ZEROTIER_NETWORK not set, you will need to docker exec zerotier-cli to join a network.'
+else
+ # The existence of a .conf will cause the service to "remember" this network
+ touch /var/lib/zerotier-one/networks.d/$ZEROTIER_NETWORK.conf
+fi
+
+rm -f /var/lib/zerotier-one/identity.*
+echo "$ZEROTIER_IDENTITY_SECRET" >identity.secret
+
+/var/lib/zerotier-one/zerotier-one