key-networks / ztncui-containerized

A Docker image that contains ZeroTier One and ztncui to set up a standalone ZeroTier network controller with a web user interface in a container.

is "--cap-add=NET_ADMIN" really needed? #8

Open fakuivan opened 5 years ago

fakuivan commented 5 years ago

The documentation for network controllers suggests that, since these don't need to join networks, network administration capabilities are not necessary. https://github.com/zerotier/ZeroTierOne/tree/master/controller#dockerizing-controllers

Is this true? If so, the setup instructions could be updated to follow the principle of least privilege.

key-networks commented 5 years ago

All that is needed is --cap-add=NET_ADMIN, not --device, nor --privileged. I forget the exact reason why --cap-add=NET_ADMIN was needed, but if you try running the container without that, you will notice certain failures (like the ZeroTier token being inaccessible).

fakuivan commented 4 years ago

I gave this one another go, and it turns out you can tell zerotier not to drop privileges and to ignore these sorts of errors with the -U flag. For this, it is recommended to run the executable with sudo as the zerotier-one user and chown everything inside /var/lib/zerotier-one/ to that user before running it; otherwise the program will not be able to write to files in that directory.
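The procedure in that comment (state directory owned by a dedicated user, daemon started as that user with -U) as a small host-side helper script. This is an added example, not code from this thread or from the ztncui-containerized project; the user name zerotier-one, the directory /var/lib/zerotier-one and the assumption that zerotier-one accepts the home directory as a positional argument and is on PATH are taken as given here, not verified by the thread.

```shell
#!/bin/sh
# Added example (not the ztncui project's code): prepare the ZeroTier state
# directory for an unprivileged service user and start the controller with -U,
# so the daemon skips its root/privilege check instead of failing on it.
# Assumptions: SERVICE_USER and STATE_DIR default to the values the comment
# above mentions; "zerotier-one" is assumed to be on PATH and to take the
# home directory as its positional argument.
set -eu

SERVICE_USER="${SERVICE_USER:-zerotier-one}"
STATE_DIR="${STATE_DIR:-/var/lib/zerotier-one}"

# state_dir_owned_by DIR USER: return 0 if every entry under DIR is owned by
# USER, else 1. A daemon that no longer runs as root cannot write its identity
# or network state into files it does not own, which is the failure the
# comment describes.
state_dir_owned_by() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 1
    # Anything NOT owned by $user is a stray; an empty result means the whole
    # tree is owned by the service user.
    stray=$(find "$dir" ! -user "$user" 2>/dev/null | head -n 1)
    [ -z "$stray" ]
}

# fix_state_dir_ownership DIR USER: create the directory if needed and hand it
# to the service user (needs root or sudo). The identity secret lives here,
# so the directory is also made private to that user.
fix_state_dir_ownership() {
    dir="$1"; user="$2"
    mkdir -p "$dir"
    chown -R "$user:$user" "$dir"
    chmod 700 "$dir"
}

# controller_cmd USER DIR: print the command line that starts the daemon as
# the unprivileged user. -U is the flag from the comment: do not try to drop
# privileges (there are none) and do not refuse to run because we are not root.
controller_cmd() {
    user="$1"; dir="$2"
    printf 'sudo -u %s zerotier-one -U %s\n' "$user" "$dir"
}

main() {
    if ! id "$SERVICE_USER" >/dev/null 2>&1; then
        echo "user $SERVICE_USER does not exist; create it first" >&2
        exit 1
    fi
    state_dir_owned_by "$STATE_DIR" "$SERVICE_USER" || \
        fix_state_dir_ownership "$STATE_DIR" "$SERVICE_USER"
    # shellcheck disable=SC2046  (word splitting of the printed command is intended)
    exec $(controller_cmd "$SERVICE_USER" "$STATE_DIR")
}

# Only launch when invoked as "./script.sh run"; sourcing the file just
# defines the helper functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root once (`./script.sh run`); it repairs ownership only when the check fails, so repeated runs on an already-prepared directory just exec the daemon. The ownership check is deliberately separate from the chown so it can also be used as a read-only pre-flight test by a non-root user.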

key-networks commented 4 years ago

@fakuivan thanks for your feedback.

mdPlusPlus commented 4 years ago

I was able to get it to work without --cap-add=NET_ADMIN:

https://gist.github.com/mdPlusPlus/0f6285c6402aa4aff4aa4a9e5dfc38c0
https://hub.docker.com/r/mdplusplus/zerotier-network-controller-ui

key-networks commented 4 years ago

That's great! Do you mind if I possibly use your Docker file in the next build?

mdPlusPlus commented 4 years ago

Feel free to do so.
However, keep in mind my Dockerfile had readability and maintainability as a goal. The resulting image is not space efficient (unnecessary layers, not removing temporary files), and using a long CMD instead of an entrypoint.sh and choosing a moving target (xxx:latest) as a base image are generally frowned upon by the Docker community.

key-networks commented 4 years ago

Great - thanks. I'll keep those points in mind.

key-networks commented 3 years ago

The answer to the subject of this thread is - not any more. Thanks to clues from @mdPlusPlus, the requirement for --cap-add=NET_ADMIN and the clash with Ubuntu UID/GIDs have been circumvented.

key-networks commented 3 years ago

Try latest version here: https://hub.docker.com/r/keynetworks/ztncui
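To confirm that an image started without --cap-add=NET_ADMIN really runs without that capability, the kernel's own view is the authoritative one: the CapEff line in /proc/PID/status is a hex bitmask, and CAP_NET_ADMIN is bit 12. The following checker is an added example, not code from the thread or the ztncui project; the sample masks are constructed for illustration (they reproduce Docker's well-known default capability set, with and without NET_ADMIN), and the container name in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example (not the ztncui project's code): decode a CapEff mask and
# report whether CAP_NET_ADMIN is present. Lets you verify, from inside a
# container or from the host, that the controller runs without NET_ADMIN.
set -eu

# Bit index of CAP_NET_ADMIN in the Linux capability bitmask
# (see <linux/capability.h>).
CAP_NET_ADMIN=12

# cap_in_mask HEXMASK BIT: return 0 if BIT is set in the hex mask, else 1.
cap_in_mask() {
    mask="$1"; bit="$2"
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# has_net_admin HEXMASK: the specific check this thread is about.
has_net_admin() {
    cap_in_mask "$1" "$CAP_NET_ADMIN"
}

# effective_caps [PID]: print the CapEff mask of a process (default: self).
# Run inside the container (docker exec) to see what the controller holds.
effective_caps() {
    pid="${1:-self}"
    awk '/^CapEff:/ { print $2 }' "/proc/$pid/status"
}

# container_cap_add NAME: what the host-side configuration asked for. This
# is the request, not the result; the /proc view above is what was granted.
container_cap_add() {
    docker inspect --format '{{.HostConfig.CapAdd}}' "$1"
}

# Constructed sample masks (not captured from a real host):
#   Docker's default bounding set: includes NET_RAW (bit 13), not NET_ADMIN
DOCKER_DEFAULT_CAPS="00000000a80425fb"
#   the same set after --cap-add=NET_ADMIN (bit 12 set)
DOCKER_WITH_NET_ADMIN="00000000a80435fb"
#   an unprivileged process holding no capabilities at all
NO_CAPS="0000000000000000"

main() {
    target="${1:-self}"
    mask=$(effective_caps "$target")
    if has_net_admin "$mask"; then
        echo "pid $target: CapEff=$mask includes CAP_NET_ADMIN"
        return 1
    fi
    echo "pid $target: CapEff=$mask does not include CAP_NET_ADMIN"
}

# Invoke as "./capcheck.sh check [PID]"; sourcing the file only defines
# the functions.
if [ "${1:-}" = "check" ]; then
    main "${2:-self}"
fi
```

Typical use is `docker exec CONTAINER_NAME sh /capcheck.sh check` (CONTAINER_NAME is a placeholder), which exits non-zero if the controller process still holds CAP_NET_ADMIN. Checking CapEff rather than only `docker inspect` catches the case where the image's entrypoint re-acquires privileges or the runtime adds capabilities the run command did not ask for.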