Closed qrkourier closed 2 years ago
@dovholuknf Following on to our conversation about running `ziti-edge-tunnel run` in a non-privileged container for the purpose of hosting services without any Ziti DNS or IP routes. This is what I get when I run it without the tun device mounted on the container. If I mount the device I get the permission denied error and it still exits with a critical error. Did you have some success with `ziti-edge-tunnel` running without privileges for only hosting services? Please share this magic.
```
exit-tun_1 | + ziti-edge-tunnel run --identity /ziti-edge-tunnel/Exit2122.json run
exit-tun_1 | About to run tunnel service... ziti-edge-tunnel[        0.000]    ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:1413 run_tunnel() failed to open network interface: open /dev/net/tun failed
exit-tun_1 | + alldone
```
I think this could be useful --- what would a simple compose file look like?
```yaml
version: "3.9"
services:
  ziti-host: # tunneler for hosting services without providing DNS or IP routes
    image: netfoundry/ziti-edge-tunnel:latest
    volumes:
      - .:/ziti-edge-tunnel
    environment:
      - NF_REG_NAME # inherit when run like this: NF_REG_NAME=AcmeIdentity docker-compose up ziti-host
    network_mode: bridge # use the Compose project's Docker bridge network
    privileged: false # no special capabilities required for hosting without DNS and IP routes
    command:
      - --verbose=4
      - --disable-intercept
```
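As an added check (not part of this thread or the ziti-edge-tunnel project), the script below lints a Compose file for the least-privilege posture a hosting-only tunneler should keep: no `privileged: true`, no `NET_ADMIN`, no `/dev/net/tun` device and no system D-Bus socket mount. The two sample Compose files it writes are constructed for the demonstration; `GOOD_COMPOSE` mirrors the hosting-only service above and `BAD_COMPOSE` is an intercept-capable service.

```shell
# Lint a Compose file for privileges a hosting-only ziti-edge-tunnel does not need.
# Returns 0 when the file is clean, 1 when any intercept-mode privilege is present.
check_hosting_only_compose() {
  file="$1"
  rc=0
  if grep -Eq '^[[:space:]]*privileged:[[:space:]]*true' "$file"; then
    echo "FAIL: $file sets privileged: true"; rc=1
  fi
  if grep -Eq '^[[:space:]]*-[[:space:]]*(CAP_)?NET_ADMIN' "$file"; then
    echo "FAIL: $file grants NET_ADMIN"; rc=1
  fi
  if grep -q '/dev/net/tun' "$file"; then
    echo "FAIL: $file exposes /dev/net/tun"; rc=1
  fi
  if grep -q '/var/run/dbus/system_bus_socket' "$file"; then
    echo "FAIL: $file mounts the system D-Bus socket"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK: $file needs no intercept-mode privileges"
  fi
  return "$rc"
}

# Constructed sample files (not from the issue): one hosting-only, one intercept-capable.
SAMPLE_DIR=$(mktemp -d)
GOOD_COMPOSE="$SAMPLE_DIR/good.yml"
BAD_COMPOSE="$SAMPLE_DIR/bad.yml"
cat > "$GOOD_COMPOSE" <<'EOF'
services:
  ziti-host:
    image: netfoundry/ziti-edge-tunnel:latest
    privileged: false
    command: ["run-host"]
EOF
cat > "$BAD_COMPOSE" <<'EOF'
services:
  ziti-tun:
    image: netfoundry/ziti-edge-tunnel:latest
    privileged: true
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
EOF
```

Run it against your own file with `check_hosting_only_compose docker-compose.yml`; a non-zero exit means the service still carries privileges that `run-host` or `--disable-intercept` should let you drop.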
@qrkourier - does `run-host` solve this problem now? Should this issue be closed?
This issue is resolved by the `run-host` mode.
I need a run-mode or option like `--disable-intercept` that changes the behavior of `ziti-edge-tunnel` to only host services, not intercept. Characteristics include:

- (neither uses `resolvectl` to configure DNS nor manages `/dev/net/tun` devices)
- `--disable-intercept`: `/dev/net/tun`, `/var/run/dbus/system_bus_socket`, `resolvectl`
- `ziti-edge-tunnel` in this configuration will only perform hosting functions for the services for which its identity(ies) are authorized