HowTo: Docker & Zerotier Private

  • I wanted to run Zerotier on a Pi running Libreelec so a remote device (the Pi) could access content stored in another city

    The Zerotier network is "private" ie. every node must be authorised to access the network.

    I found a docker image which delivers Zerotier functionality on a Raspberry Pi --> bltavares zerotier docker image

    After installing the Docker addon and the above docker image, Zerotier is running BUT it will issue a new zerotier address each time Librelec reboots and this is not useable for a private Zerotier network because the new address will have to be authorised (on each reboot) ... not much use for a remote device

    It turns out that -

    1. There are 3 key files in the docker container which need to be "preserved" between boot sessions

    - /var/lib/zerotier-one/identity.public

    - /var/lib/zerotier-one/identity.secret

    - /var/lib/zerotier-one/authtoken.secret

    2. The container needs to "connect" to the network anew on each boot, once the above files are restored and the container has been restarted

    With that understanding we can retain the same ZeroTier node address and authorisation

    Additionally I have a need to mount some directories from a remote host ... so we do that after reconnecting the container to ZT

    The steps are

    * install the docker addon in Libreelec using the menu system

    o  From addons/install from repository/libreelec addons/services/docker 

    * log in via ssh and install the docker container

    > docker pull bltavares/zerotier

    then install the ZeroTier container

    1. docker run --device=/dev/net/tun \
    2. --net=host \
    3. --cap-add=NET_ADMIN \
    4. --cap-add=SYS_ADMIN \
    5. -v /var/lib/zerotier-one:/var/lib/zerotier-one \
    6. --restart always \
    7. --name zerotier-one \
    8. -d bltavares/zerotier

    * Now check and record the ZT node id (referred to as <node-id> later

    > docker exec zerotier-one zerotier-cli info

    * Join your network - and authorise this node using the tools at ZeroTier Central

    > docker exec zerotier-one join <your network id>

    * Then copy the 3 key files off to a new directory

    > mkdir /storage/.kodi/userdata/<your_dir>

    > mkdir /storage/.kodi/userdata/<your_dir>/zerotier

    > TEMP=$(docker exec zerotier-one cat /var/lib/zerotier-one/identity.public);echo $TEMP >  /storage/.kodi/userdata/<your_dir>/zerotier/identity.public

    > TEMP=$(docker exec zerotier-one cat /var/lib/zerotier-one/identity.secret);echo $TEMP >  /storage/.kodi/userdata/<your_dir>/zerotier/identity.secret

    > TEMP=$(docker exec zerotier-one cat /var/lib/zerotier-one/authtoken.secret);echo $TEMP >  /storage/.kodi/userdata/<your_dir>/zerotier/authtoken.secret 

    * Now we need to create/update the Libreelec

    > nano /storage/.config/

    Paste the following after existing code (add "#!/bin/sh" at the first line if this is a new file and execute chown ug+x /storage/.config/ after saving it).

    You may wish to improve this code ... I hacked this together with my limited understanding of shell scripts and I left everything really basic and simple to aid understanding (and debugging). The main thing is that it seems to work and was reasonably easy to debug

    You will also need to replace the <node-id> and <network-id> values with your ids and <your-dir> with the name of the directory you created above

    Note that the above code will deliberately slow the boot process with the "sleep" commands. Not an issue for my remove device and it improved the reliability of the network connection and mounts

    You can run the above code from the command line to check that it "compiles" and runs ok .... and that it doesn't make a mess. Then try a reboot to prove that ZT will automagically connect again on reboot.

    * Reboot and check that we are connected back to the ZeroTier network

    > reboot

    Then ssh back into the machine (reboot will have logged you out of the previous session)

    * Check we have the expected node id

    docker exec zerotier-one zerotier-cli info

    * Check there is a "ztb....." adapter listed ... and an appropriate IP address for it

    If you have the wrong node id or there's no zt adapter you'll need to start debugging to see what's wrong

  • Thanks this is awesome, I will test this out on a AtomicPi, and let you know how it goes here with a update...

    Been meaning to figure this out, glad you did all the hard work. Smart to use autostart script to bring up interface and restore Docker instance.

  • great tutorial! thanxs!!!

    just want to mention that there are a small mistake in your posting, i needed some time to figure out. :)



    > docker exec zerotier-one join <your network id>


    > docker exec zerotier-one zerotier-cli join <your network id>

  • I followed the instructions and managed to connect but every time I restart it gives me a different NODE
    What am i doing wrong?