HowTo: Docker & Zerotier Private

  • I wanted to run Zerotier on a Pi running Libreelec so a remote device (the Pi) could access content stored in another city

    The Zerotier network is "private" ie. every node must be authorised to access the network.

    I found a docker image which delivers Zerotier functionality on a Raspberry Pi --> bltavares zerotier docker image

    After installing the Docker addon and the above docker image, Zerotier is running, BUT it will issue a new zerotier address each time Libreelec reboots, and this is not usable for a private Zerotier network because the new address will have to be authorised (on each reboot) ... not much use for a remote device

    It turns out that -

    1. There are 3 key files in the docker container which need to be "preserved" between boot sessions

    - /var/lib/zerotier-one/identity.public

    - /var/lib/zerotier-one/identity.secret

    - /var/lib/zerotier-one/authtoken.secret

    2. The container needs to "connect" to the network anew on each boot, once the above files are restored and the container has been restarted


    With that understanding we can retain the same ZeroTier node address and authorisation

    Additionally I have a need to mount some directories from a remote host ... so we do that after reconnecting the container to ZT


    The steps are

    * install the docker addon in Libreelec using the menu system

    o  From addons/install from repository/libreelec addons/services/docker 

    * log in via ssh and install the docker container

    > docker pull bltavares/zerotier

    then install the ZeroTier container

    docker run --device=/dev/net/tun \
               --net=host \
               --cap-add=NET_ADMIN \
               --cap-add=SYS_ADMIN \
               -v /var/lib/zerotier-one:/var/lib/zerotier-one \
               --restart always \
               --name zerotier-one \
               -d bltavares/zerotier

    * Now check and record the ZT node id (referred to as <node-id> later)

    > docker exec zerotier-one zerotier-cli info

    * Join your network - and authorise this node using the tools at ZeroTier Central

    > docker exec zerotier-one join <your network id>

    * Then copy the 3 key files off to a new directory

    > mkdir /storage/.kodi/userdata/<your_dir>

    > mkdir /storage/.kodi/userdata/<your_dir>/zerotier

    > TEMP=$(docker exec zerotier-one cat /var/lib/zerotier-one/identity.public);echo $TEMP >  /storage/.kodi/userdata/<your_dir>/zerotier/identity.public

    > TEMP=$(docker exec zerotier-one cat /var/lib/zerotier-one/identity.secret);echo $TEMP >  /storage/.kodi/userdata/<your_dir>/zerotier/identity.secret

    > TEMP=$(docker exec zerotier-one cat /var/lib/zerotier-one/authtoken.secret);echo $TEMP >  /storage/.kodi/userdata/<your_dir>/zerotier/authtoken.secret  

    * Now we need to create/update the Libreelec autostart.sh

    > nano /storage/.config/autostart.sh

    Paste the following after existing code (add "#!/bin/sh" at the first line if this is a new file and execute chown ug+x /storage/.config/autostart.sh after saving it).

    You may wish to improve this code ... I hacked this together with my limited understanding of shell scripts and I left everything really basic and simple to aid understanding (and debugging). The main thing is that it seems to work and was reasonably easy to debug

    You will also need to replace the <node-id> and <network-id> values with your ids and <your-dir> with the name of the directory you created above


    Note that the above code will deliberately slow the boot process with the "sleep" commands. Not an issue for my remote device, and it improved the reliability of the network connection and mounts

    You can run the above code from the command line to check that it "compiles" and runs ok ... and that it doesn't make a mess. Then try a reboot to prove that ZT will automagically connect again on reboot.

    * Reboot and check that we are connected back to the ZeroTier network

    > reboot

    Then ssh back into the machine (reboot will have logged you out of the previous session)

    * Check we have the expected node id

    docker exec zerotier-one zerotier-cli info

    * Check there is a "ztb....." adapter listed ... and an appropriate IP address for it
    ifconfig

    If you have the wrong node id or there's no zt adapter you'll need to start debugging to see what's wrong
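The autostart.sh body is not reproduced in the post above, so this is an added example (not the poster's own script) of the restore, restart, verify and join sequence it describes, written for the Libreelec /bin/sh. It assumes the container name zerotier-one and the bind mount /var/lib/zerotier-one from the docker run line, the backup directory from the copy step, and a DOCKER variable that can be pointed at a stub for dry runs; the remote mounts the poster does afterwards would go after zt_autostart succeeds. It refuses to join the network unless the daemon came up with the saved node id, since a fresh identity would just be another unauthorised address.

```shell
#!/bin/sh
# Added example, not the original poster's autostart.sh. Assumes the
# zerotier-one container and /var/lib/zerotier-one bind mount from the post.
ZT_DIR="${ZT_DIR:-/var/lib/zerotier-one}"
ZT_BACKUP="${ZT_BACKUP:-/storage/.kodi/userdata/<your_dir>/zerotier}"
ZT_CONTAINER="${ZT_CONTAINER:-zerotier-one}"
ZT_NETWORK="${ZT_NETWORK:-<network-id>}"   # 16 hex digits from ZeroTier Central
ZT_POLL="${ZT_POLL:-2}"                    # seconds between status polls
DOCKER="${DOCKER:-docker}"                 # overridable so the logic can be dry-run

# Copy the three files back into the tmpfs-backed bind mount. identity.secret is
# the node's private key and authtoken.secret controls the local zerotier-cli,
# so both are kept owner-read-only.
zt_restore_identity() {
    mkdir -p "$ZT_DIR" || return 1
    for f in identity.public identity.secret authtoken.secret; do
        [ -s "$ZT_BACKUP/$f" ] || { echo "missing $ZT_BACKUP/$f" >&2; return 1; }
        cp "$ZT_BACKUP/$f" "$ZT_DIR/$f" || return 1
    done
    chmod 600 "$ZT_DIR/identity.secret" "$ZT_DIR/authtoken.secret"
}

# The node id is the 10 hex digits before the first ':' in identity.public.
zt_expected_node_id() { cut -d: -f1 "$ZT_BACKUP/identity.public"; }

# Poll "zerotier-cli info" up to $1 times; on "200 info <id> <ver> ONLINE"
# print the id the daemon is really using.
zt_wait_online() {
    i=0
    while [ "$i" -lt "${1:-30}" ]; do
        out=$("$DOCKER" exec "$ZT_CONTAINER" zerotier-cli info 2>/dev/null) || out=""
        case "$out" in "200 info "*" ONLINE"*) echo "$out" | cut -d' ' -f3; return 0 ;; esac
        i=$((i + 1)); sleep "$ZT_POLL"
    done
    return 1
}

# Boot sequence: restore, restart the container, refuse to join unless the
# daemon came up with the saved identity, then join the private network.
zt_autostart() {
    case "$ZT_NETWORK" in *[!0-9a-f]*|"") echo "bad ZT_NETWORK" >&2; return 1 ;; esac
    zt_restore_identity || return 1
    "$DOCKER" restart "$ZT_CONTAINER" >/dev/null || return 1
    want=$(zt_expected_node_id)
    got=$(zt_wait_online 30) || { echo "zerotier did not come online" >&2; return 1; }
    [ "$got" = "$want" ] || { echo "node id $got != saved $want" >&2; return 1; }
    "$DOCKER" exec "$ZT_CONTAINER" zerotier-cli join "$ZT_NETWORK"
}
case "${1:-}" in run) zt_autostart ;; esac   # sh autostart.sh run
```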

  • Thanks, this is awesome. I will test this out on an AtomicPi and let you know how it goes here with an update...


    Been meaning to figure this out, glad you did all the hard work. Smart to use autostart script to bring up interface and restore Docker instance.

  • great tutorial! thanks!!!

    just want to mention that there is a small mistake in your posting, I needed some time to figure it out. :)


    change

    > docker exec zerotier-one join <your network id>

    into

    > docker exec zerotier-one zerotier-cli join <your network id>

  • Ok... the guide "works", it is just that it is a little bit incomplete on some details

    the first thing is that the command on

    * Join your network - and authorise this node using the tools at ZeroTier Central

    > docker exec zerotier-one join <your network id>

    should be

    docker exec zerotier-one zerotier-cli join <your network id>

    the second thing is that the command on

    Paste the following after existing code (add "#!/bin/sh" at the first line if this is a new file and execute chown ug+x /storage/.config/autostart.sh after saving it).

    the command needs to be chmod ug+x /storage/.config/autostart.sh (I'm not even sure of the ug+x or just g+x... but ok, ug+x)

    The third thing is the script...

    A) you need to copy the script to a text editor (I use notepad++, but notepad is good enough)

    B) use the command docker stats --no-stream and copy the container id of zero tier

    C) using the find/replace, replace <your id> with the container id

    D) using the find/replace, replace <your_dir> with the folder that you made (it will need to replace multiple times)

    E) go to the Zero Tier central, look at the authorized libreelec client, copy the mac address AND the Node ID of the zerotier adapter (they are both shown in the cyan column, under the name address; the one above is the node id and the one below is the mac address)

    F) using the find/replace, replace <my MAC address (yes, it is missing the > ) with the MAC address that you copied above

    G) using the find/replace, replace <node-id> with the node id that that you copied above

    H) Using the find/replace, replace <ZT network id> with the ID of your network

    I guess that this is it...

    it is working, but it is also adding like 2 minutes to the boot of the raspberry pi. Now I need to investigate a way to make this native and not use docker.

  • Doesn't work, I think

    I do not know what you are doing. You have two alternatives to install Zerotier: (1) the thoradia addon, and (2) using some docker service. For different reasons I recommend option (2). How is it done?:

    (1) Install the Docker addon that you have on your LE. Reboot.

    (2) Open an SSH session and run the command

    (3) To make sure the Zerotier service is running run "docker start zerotier"

    (4) To know the ID of your device LE run "docker exec zerotier zerotier-cli status"

    (5) To join your private Zerotier network run "docker exec zerotier zerotier-cli join xyzxyzxyz" (xyzxyzxyz is the name of your zerotier virtual network)

    (6) Go to the Zerotier website to authorize the entry of this new ID device and finish preparing your Zerotier network

  • I have installed docker and the container following your guide

    it is connected to zerotier

    but if I try to ping a server within my zt-network or try to ssh it fails