
is "--cap-add=NET_ADMIN" really needed? #8

Open
fakuivan opened this issue Jul 25, 2019 · 9 comments

@fakuivan

The documentation for network controllers suggests that, since these don't need to join networks, network administration capabilities are not necessary.
https://github.com/zerotier/ZeroTierOne/tree/master/controller#dockerizing-controllers

Is this true? If so the setup instructions could be updated to follow the principle of least privilege.

@key-networks key-networks self-assigned this Jul 27, 2019
@key-networks
Owner

All that is needed is --cap-add=NET_ADMIN, not --device, nor --privileged. I forget the exact reason why --cap-add=NET_ADMIN was needed, but if you try running the container without that, you will notice certain failures (like the ZeroTier token being inaccessible).

@fakuivan
Author

I gave this one another go, and it turns out you can tell ZeroTier not to drop privileges and to ignore these sorts of errors with the -U flag. For this it is recommended to run the executable with sudo as the zerotier-one user and chown everything inside /var/lib/zerotier-one/ to that user before running it; otherwise the program will not be able to write to files in that directory.
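As an added example (not part of this thread, and not ztncui or ZeroTier project code), the following script performs the ownership pre-check described in the comment above before launching zerotier-one with -U as an unprivileged user, so that a mis-chowned state directory fails fast instead of producing write errors at runtime. The default paths, the user name `zerotier-one`, the use of `su` to switch user, and `stat -c` (GNU or busybox coreutils on a Linux host) are assumptions.

```shell
#!/bin/sh
# Added example, not ztncui or ZeroTier code: pre-flight ownership check
# before running zerotier-one with -U as an unprivileged user.
# Assumes a Linux host with GNU or busybox coreutils (stat -c).

# check_ownership DIR USER
# Prints to stderr every path under DIR (files and directories) that is not
# owned by USER and returns 1 if any exist; returns 0 when USER owns all.
check_ownership() {
    dir=$1
    user=$2
    bad=$(find "$dir" -exec stat -c '%U %n' {} + \
          | awk -v u="$user" '$1 != u { sub(/^[^ ]* /, ""); print }')
    if [ -n "$bad" ]; then
        printf 'paths under %s not owned by %s:\n%s\n' "$dir" "$user" "$bad" >&2
        return 1
    fi
    return 0
}

# run_unprivileged DIR USER
# Container entry point: refuses to start if the state directory is not
# fully owned by USER, then switches to USER (dropping root, and with it
# every capability the container was started with) and execs zerotier-one
# with -U so the daemon does not try to drop privileges itself.
# The state directory path and the use of su are assumptions.
run_unprivileged() {
    dir=$1
    user=$2
    check_ownership "$dir" "$user" || exit 1
    exec su -s /bin/sh "$user" -c "exec zerotier-one -U '$dir'"
}

# Usage: sh preflight.sh run [DIR] [USER]
if [ "${1:-}" = "run" ]; then
    run_unprivileged "${2:-/var/lib/zerotier-one}" "${3:-zerotier-one}"
fi
```

With a check like this in the entrypoint, the container itself can be started without `--privileged`, `--device` or `--cap-add`, and the state directory can be prepared once with `chown -R zerotier-one:zerotier-one /var/lib/zerotier-one` before the first run.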

@key-networks
Owner

@fakuivan thanks for your feedback.

@mdPlusPlus

@key-networks
Owner

That's great! Do you mind if I possibly use your Docker file in the next build?

@key-networks key-networks reopened this Jun 7, 2020
@mdPlusPlus

Feel free to do so.
However, keep in mind my Dockerfile had readability and maintainability as a goal. The resulting image is not space efficient (unnecessary layers, not removing temporary files), and using a long CMD instead of an entrypoint.sh and choosing a moving target (xxx:latest) as a base image are generally frowned upon by the Docker community.

@key-networks
Owner

Great - thanks. I'll keep those points in mind.

@key-networks
Owner

The answer to the subject of this thread is - not any more. Thanks to clues from @mdPlusPlus, the requirement for --cap-add=NET_ADMIN and the clash with Ubuntu UID/GIDs have been circumvented.

@key-networks
Owner

Try latest version here: https://hub.docker.com/r/keynetworks/ztncui

3 participants