A Smart Ethernet Switch for Earth

zerotier.com

#network #mesh #nebula #tailscale #softnetwork #vpn #cpp

Grant Limberg 1c464c2da1 fix potential cstring leaks 3 ani în urmă
.github 59cd2766e3 Shorten issue template. Add docs site to it. 3 ani în urmă
artwork 298e1d5a74 Added 90x90 AppIcon 6 ani în urmă
attic 01bf3b8245 1.8.1 merge of changes in master 3 ani în urmă
ci 20f88b37ef adding drone config 3 ani în urmă
controller 58119598ae comment out some new deauth code 3 ani în urmă
debian 24ec634005 Possible fix for Ubuntu versioning issue on libstdc++6 3 ani în urmă
doc d7b4f24a7a . 8 ani în urmă
dockerbuild de04240ca6 update alpine linux release to current supported (#1599) 3 ani în urmă
ext ffb444dbeb 1.8.8 bump 3 ani în urmă
include 40681328ec Add loongarch64 support (#1614) 3 ani în urmă
java a8dde7b89b update JNI to add new status code 3 ani în urmă
node a7dcfa18a2 Oops forgot last part of that fix for MAC errors. 3 ani în urmă
osdep 56357c077b Merge pull request #1110 from neheb/patch-1 3 ani în urmă
rule-compiler 06730c7d1d BSL date bump 5 ani în urmă
service 1c464c2da1 fix potential cstring leaks 3 ani în urmă
snap 32f49b44b0 Modify snap to use pre-compiled static binaries 3 ani în urmă
synology 0e658828fb Add Synology Docker target to Linux makefile 3 ani în urmă
windows 7efb1cf7d3 Bundle Edge WebView dependency EXE and statically link MSVC DLLs 3 ani în urmă
zeroidc 1c464c2da1 fix potential cstring leaks 3 ani în urmă
.clang-format 63fd2cbaeb Add ZeroTier standard .clang-format -- Keeping tabs for 1.X line. Mostly based on LLVM format. 4 ani în urmă
.dockerignore c9f942f79b can now build centos8 docker container with Redis support 5 ani în urmă
.drone.yml dc9fdb7da8 Merge branch 'notify' into dev 3 ani în urmă
.gitattributes 6cfdd5b2c1 force eol=crlf for driver .inf files 4 ani în urmă
.gitignore cf03996bf2 clangd stuff 3 ani în urmă
AUTHORS.md 52a166a71f Relicense: GPLv3 -> ZeroTier BSL 1.1 6 ani în urmă
CMakeLists.txt 12c621c230 Removed build flag in CMake script 7 ani în urmă
COPYING 52a166a71f Relicense: GPLv3 -> ZeroTier BSL 1.1 6 ani în urmă
Dockerfile.ci a9942ca412 more RELEASE-NOTES 4 ani în urmă
Dockerfile.release da603208b4 Dockerfile: Reduce healthcheck interval to 1s (it's cheap) 3 ani în urmă
Jenkinsfile ba4324f992 Update jenkinsfile for new build process 5 ani în urmă
LICENSE.txt 06730c7d1d BSL date bump 5 ani în urmă
Makefile b984eb2808 Use clang on OpenBSD 4 ani în urmă
OFFICIAL-RELEASE-STEPS.md 2d8a54f05d Version bump -- still pre1.8 4 ani în urmă
README.docker.md 788296ea29 Expand links in a few spots since this'll be used in the docker image 4 ani în urmă
README.md 46387e2f2b Minor Readme updates 4 ani în urmă
RELEASE-NOTES.md bd9c8d65ef Release notes for 1.8.8 3 ani în urmă
cycle_controllers.sh 0da2efa633 add application_name to pgbouncer connectio string 6 ani în urmă
entrypoint.sh.release 8598f34ebf prettify the entrypoint log output 3 ani în urmă
make-bsd.mk 7bb8703bf9 Build osdep/PortMapper on FreeBSD 3 ani în urmă
make-linux.mk 6cddb94509 Merge branch 'dev' of https://github.com/zerotier/zerotierone into dev 3 ani în urmă
make-mac.mk d5a95f9224 Add SSO enable def to macOS 3 ani în urmă
make-netbsd.mk 18c9dc8a06 fix RTF_MULTICAST and g++ -w 8 ani în urmă
objects.mk e1af003e4f Consolidation of multipath logic. Better system separation 4 ani în urmă
one.cpp 8148c658cf Remove bonds for peers that have fully expired. Remove notion of bond health 3 ani în urmă
selftest.cpp 134d33c218 Add a bit of hardening in the network certificate of membership by incorporating a full hash of the identity to which it is issued. This means the recipient need not depend entirely on the root verifying identities properly to make sure impersonation is not occurring. 4 ani în urmă
update_controllers.sh 3d21f0a91f update docker registry used 6 ani în urmă
version.h ffb444dbeb 1.8.8 bump 3 ani în urmă
windows-clean.bat 67beea1e3d Batch file to clean Windows build dir 6 ani în urmă
zerotier-cli-completion.bash c92e030a4b Create a bash completion script. 5 ani în urmă
zerotier-one.spec ffb444dbeb 1.8.8 bump 3 ani în urmă

README.docker.md

ZeroTier One in a container!

NOTE: Most of this information pertains to the docker image only. For more information about ZeroTier, check out the repository: here or the commercial website.

ZeroTier is a smart programmable Ethernet switch for planet Earth. It allows all networked devices, VMs, containers, and applications to communicate as if they all reside in the same physical data center or cloud region.

This is accomplished by combining a cryptographically addressed and secure peer to peer network (termed VL1) with an Ethernet emulation layer somewhat similar to VXLAN (termed VL2). Our VL2 Ethernet virtualization layer includes advanced enterprise SDN features like fine grained access control rules for network micro-segmentation and security monitoring.

All ZeroTier traffic is encrypted end-to-end using secret keys that only you control. Most traffic flows peer to peer, though we offer free (but slow) relaying for users who cannot establish peer to peer connections.

The goals and design principles of ZeroTier are inspired by among other things the original Google BeyondCorp paper and the Jericho Forum with its notion of "deperimeterization."

Visit ZeroTier's site for more information and pre-built binary packages. Apps for Android and iOS are available for free in the Google Play and Apple app stores.

ZeroTier is licensed under the BSL version 1.1. See LICENSE.txt and the ZeroTier pricing page for details. ZeroTier is free to use internally in businesses and academic institutions and for non-commercial purposes. Certain types of commercial use such as building closed-source apps and devices based on ZeroTier or offering ZeroTier network controllers and network management as a SaaS service require a commercial license.

A small amount of third party code is also included in ZeroTier and is not subject to our BSL license. See AUTHORS.md for a list of third party code, where it is included, and the licenses that apply to it. All of the third party code in ZeroTier is liberally licensed (MIT, BSD, Apache, public domain, etc.).

Building the docker image

Due to the network being a substrate for most applications and not an application unto itself, it makes sense that many people would want to build their own image based on our formula.

The image is based on debian:buster.

The Dockerfile.release file contains build instructions for building the described image in the rest of the README. The build is multi-arch and multi-release capable.

These build arguments power the build:

  • PACKAGE_BASEURL: The base URL of the package repository to fetch from. (default: https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one/)
  • ARCH: The architecture of the package, in debian format. Must match your image arch. (default: amd64)
  • VERSION: REQUIRED the version of ZeroTier to fetch.

You can build this image like so:

docker build -f Dockerfile.release -t mybuild --build-arg VERSION=1.6.5 .

Using the docker image

The entrypoint.sh in the docker image is a little different; zerotier will be spawned in the background and the "main process" is actually just a sleeping shell script. This allows zerotier-one to gracefully terminate in some situations largely unique to docker.

The zerotier/zerotier image requires the CAP_NET_ADMIN capability and the /dev/net/tun device must be forwarded to it.

To join a network, simply supply it on the command-line; you can supply multiple networks.

docker run --name myzerotier --rm --cap-add NET_ADMIN --device /dev/net/tun zerotier/zerotier:latest abcdefdeadbeef00

Once joining all the networks you have provided, it will sleep until terminated. Note that in ZeroTier, joining a network does not necessarily mean you have an IP or can do anything, really. You will want to probe the control socket:

docker exec myzerotier zerotier-cli listnetworks

To ensure you have a network available before trying to listen on it. Without pre-configuring the identity, this usually means going to the central admin panel and clicking the checkmark against your zerotier identity.

Environment Variables

You can control a few settings including the identity used and the authtoken used to interact with the control socket (which you can forward and access through localhost:9993).

  • ZEROTIER_API_SECRET: replaces the authtoken.secret before booting and allows you to manage the control socket's authentication key.
  • ZEROTIER_IDENTITY_PUBLIC: the identity.public file for zerotier-one. Use zerotier-idtool to generate one of these for you.
  • ZEROTIER_IDENTITY_SECRET: the identity.secret file for zerotier-one. Use zerotier-idtool to generate one of these for you.

Tips

  • Forwarding port <dockerip>:9993 to somewhere outside is probably a good idea for highly trafficked services.
  • Forwarding localhost:9993 to a control network where you can drive it remotely might be a good idea, just be sure to set your authtoken properly through environment variables.
  • Pre-generating your identities could be much simpler to do via our terraform plugin