Zerotier Howto?


(Stephen Nesbitt) #1

Can anyone share a recipe for adding an LXD container to a Zerotier network?

I’ve seen an occasional reference, but nothing that describes how. Or for that matter why :slight_smile:

Thx,

-steve


(Jon Clayton) #2

Hi

Go into your container: “lxc exec mycontainer bash”
Install zerotier-one with the usual means:

# Import ZeroTier's installer signing key, then fetch the signed install script;
# `gpg` only emits the script body if the signature verifies, so an unsigned or
# tampered download never reaches `bash`.
curl -s 'https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61' | gpg --import && \
if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi

Get your network ID from my.zerotier.com (assuming you signed up); the ID is in the top left of the control panel. It’s a big long code similar to a MAC address with no colons.

Then, back in your container, run: zerotier-cli join myZerotierNetworkId

On the my.zerotier.com control panel for your network, click the “authorize” checkbox next to the new node that has appeared, which is your container trying to join.

If you do this same procedure with all your containers/nodes/VMs/hosts that need connectivity, they will all be able to talk to each other on the ZeroTier network as if on the same flat/bridged LAN. Communication will go via the virtual adapter ZTX.

You can also advertise routes for remote networks so that the next hop is behind ZT node X, thus creating a sort of DMVPN.

The other thing you can do is bridge the ZT node’s virtual adapter with the physical adapter, and you extend the L2 from the ZT network into your physical network. I’ve not done this as I don’t like stretching L2 all over the place; it’s sloppy.

If routing traffic through your container, remember to enable IPv4 forwarding in sysctl.conf.

I can’t remember exactly, but you may need to make the container privileged, as the virtual adapter is similar to a TUN interface and I don’t think containers can run them by default. I did have to tweak a few things to get OpenVPN to work, but ZT from what I recall is much easier.

You can also run your own ZeroTier controller using ztn-cui in Docker in LXD, which is what I’m doing. Easiest is to just use the provided free web GUI.

*Edit to say: create a subnet in the my.zerotier control panel. I think by default it will do this for you and give out addresses to the nodes automatically; they get pushed down on the fly from the controllers. You can, if you want, create your own subnet and then give each node specific IP addresses for more control, all done via the GUI. I just created a /24, which is plenty for me. You can always extend it to whatever size you want.
You can also do IPv6 and 6plane over the ZT network. Various other bits of IPv6 schemes I’ve not looked into as of yet.

Cheers!

Jon
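The join-and-authorize procedure above, driven from the LXD host, as an added example (not code from the thread, ZeroTier or LXD). It assumes a container name and a placeholder network ID; the two `zerotier-cli listnetworks` outputs embedded in it are constructed samples, not captured output. The point it adds to the post is a machine-readable check for when the node is actually usable: the status column goes from REQUESTING_CONFIGURATION to ACCESS_DENIED (joined, not yet authorized) to OK, and the managed address column stays "-" until the controller has pushed an address.

```shell
#!/bin/sh
# Added example, not code from the thread or from ZeroTier/LXD: drive the
# join-and-authorize procedure from the LXD host and parse
# `zerotier-cli listnetworks` to know when the node is actually usable.
# Container name and network ID are placeholders; the sample outputs
# below are constructed, not captured.
set -eu

# `zerotier-cli listnetworks` prints a header and one line per network:
#   200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
# Status is REQUESTING_CONFIGURATION right after the join, ACCESS_DENIED
# until the node is ticked as authorized in the controller, then OK.
SAMPLE_DENIED='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 0123456789abcdef mynet 5e:8f:2a:1c:33:01 ACCESS_DENIED PRIVATE ztabcdef01 -'
SAMPLE_OK='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 0123456789abcdef mynet 5e:8f:2a:1c:33:01 OK PRIVATE ztabcdef01 10.56.0.12/16'

# Print the status column for one network id, or NOT_JOINED if absent.
zt_status_of() {   # $1 = listnetworks output, $2 = network id
  printf '%s\n' "$1" | awk -v nwid="$2" '
    $1 == "200" && $2 == "listnetworks" && $3 == nwid { print $6; found = 1 }
    END { if (!found) print "NOT_JOINED" }'
}

# Print the managed addresses pushed by the controller ("-" until assigned).
zt_ips_of() {   # $1 = listnetworks output, $2 = network id
  printf '%s\n' "$1" | awk -v nwid="$2" '
    $1 == "200" && $2 == "listnetworks" && $3 == nwid { print $9; found = 1 }
    END { if (!found) print "-" }'
}

# Install zerotier-one inside the container with the signed installer
# (the same gpg-verified one-liner as in the post; no sudo needed, since
# lxc exec runs as root in the container), join, then poll until OK.
join_container() {   # $1 = container name, $2 = network id
  ctr=$1; nwid=$2
  lxc exec "$ctr" -- sh -c "
    curl -s 'https://pgp.mit.edu/pks/lookup?op=get&search=0x1657198823E52A61' | gpg --import &&
    if z=\$(curl -s 'https://install.zerotier.com/' | gpg); then echo \"\$z\" | bash; fi"
  lxc exec "$ctr" -- zerotier-cli join "$nwid"
  while :; do
    # the service may not answer for a moment after install; treat that as not joined yet
    out=$(lxc exec "$ctr" -- zerotier-cli listnetworks || true)
    st=$(zt_status_of "$out" "$nwid")
    case $st in
      OK) echo "$ctr is on $nwid with $(zt_ips_of "$out" "$nwid")"; return 0 ;;
      ACCESS_DENIED) echo "waiting: tick 'authorize' for this node in the controller" ;;
      *) echo "status: $st" ;;
    esac
    sleep 5
  done
}

# Only touch LXD when run explicitly: sh join-zt.sh --run mycontainer 0123456789abcdef
if [ "${1:-}" = "--run" ]; then
  join_container "$2" "$3"
fi
```

The parsing functions are what you would also use from a config-management check: a node that sits in ACCESS_DENIED is one nobody has authorized yet, and a node that reports OK with "-" for addresses has no managed pool assigned in the controller.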


#3

An unprivileged container should work fine.

As @bodleytunes showed, you can use the official stock instructions at https://www.zerotier.com/download.shtml to make the container join the Zerotier network.


(Stephen Nesbitt) #4

Jon:

Much obliged for the detailed response.

One quick question... What was your network setup on the container prior to the zerotier install? My test container was on an OVS bridge to my host. For some reason, when I added the container to zerotier, both the container *and* host ended up with the same zeroconf IP address.

-steve


(Jon Clayton) #5

I have ZeroTier running on the host and route the LXD bridge subnet over the ZT cloud.

I have a bridge lxdbr99 10.10.99.1/24 which all the containers are connected to and are routable; there is no NAT as they egress the LXD bridge, which I think is the default.

If you want to put ZT in a single container, then you can also do that and make just that single container routable. You can also route through that container to other ZT networks if you use it as a next hop for your host and make the host a router for your LAN.

It sounds like you might be bridging your host NIC to your containers so they are on the same subnet as your host and physical LAN? I have not done this as I don’t like bridging unless I have to, but it should also be possible to do that and then bridge into ZeroTier as well if you wanted to “shudders” stretch L2 across the ZT WAN/cloud. :slight_smile:

Cheers!

Jon.

Host’s LXD bridge

lxdbr99: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.99.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::d852:1dff:fe3a:c444  prefixlen 64  scopeid 0x20<link>
        ether da:52:1d:3a:c4:44  txqueuelen 1000  (Ethernet)
        RX packets 1412249079  bytes 58291240357 (58.2 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2868228160  bytes 4268323594785 (4.2 TB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Host’s ZT interface

zthi7ftsao: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 2800
        inet 10.56.0.10  netmask 255.255.0.0  broadcast 10.56.255.255
        inet6 fe80::2456:7fff:fec3:8c99  prefixlen 64  scopeid 0x20<link>
        ether 26:56:7f:c3:8c:99  txqueuelen 1000  (Ethernet)
        RX packets 14374707  bytes 21324749009 (21.3 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7270617  bytes 577326821 (577.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Snippet of routes on the host pointing to other ZT nodes on the ZT network

default via 10.10.88.1 dev enp2s0f0 onlink 
10.11.0.0/16 via 10.56.0.11 dev zthi7ftsao 
10.30.0.0/16 via 10.56.0.1 dev zthi7ftsao 
10.42.0.0/16 via 10.56.0.1 dev zthi7ftsao 
10.55.0.0/16 via 10.56.0.1 dev zthi7ftsao 
10.56.0.0/16 dev zthi7ftsao proto kernel scope link src 10.56.0.10 
10.60.0.0/16 via 10.56.0.1 dev zthi7ftsao 
10.65.0.0/16 via 10.56.0.1 dev zthi7ftsao 
10.65.255.254 via 10.56.0.1 dev zthi7ftsao 
10.75.0.0/16 via 10.56.0.1 dev zthi7ftsao 
192.168.10.100 via 10.56.0.1 dev zthi7ftsao 

profile default

description: Default LXD profile
devices:
  eth0:
    nictype: bridged
    parent: lxdbr99
    type: nic
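The host-as-ZT-router setup Jon describes, as an added example that is not part of the thread: it takes an `ip route` table like the one posted above, answers "which ZT peer carries traffic for this destination" by longest-prefix match, and derives the managed route the controller has to push so that other nodes can reach the lxdbr99 containers through this host (bridge prefix via the host's own ZT address). The route table is constructed from the post, with the host's on-link lxdbr99 route added as an assumption; the `enable_forwarding` step is the IPv4 forwarding switch the earlier post mentions.

```shell
#!/bin/sh
# Added example, not from the thread: longest-prefix match over an `ip route`
# table to see which ZeroTier peer a destination is forwarded to, plus the
# host-side pieces of "route the LXD bridge subnet over ZT". ROUTES is
# constructed from the post; the lxdbr99 line is an assumed addition.
set -eu

ROUTES='default via 10.10.88.1 dev enp2s0f0 onlink
10.11.0.0/16 via 10.56.0.11 dev zthi7ftsao
10.30.0.0/16 via 10.56.0.1 dev zthi7ftsao
10.56.0.0/16 dev zthi7ftsao proto kernel scope link src 10.56.0.10
10.65.0.0/16 via 10.56.0.1 dev zthi7ftsao
10.65.255.254 via 10.56.0.1 dev zthi7ftsao
10.10.99.0/24 dev lxdbr99 proto kernel scope link src 10.10.99.1'

# Longest-prefix match in POSIX awk. Prints "<gateway> <dev>", with "direct"
# as the gateway for on-link routes, or UNREACHABLE if nothing matches.
next_hop() {   # $1 = route table text, $2 = destination IPv4
  printf '%s\n' "$1" | awk -v d="$2" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function plen(p,  q) { if (p == "default") return 0; q = index(p, "/"); return q ? substr(p, q + 1) + 0 : 32 }
    function pfx(p,  q)  { if (p == "default") return "0.0.0.0"; q = index(p, "/"); return q ? substr(p, 1, q - 1) : p }
    # compare the top l bits by shifting both addresses right (division, no bitwise ops needed)
    function covers(n, l) { return (int(dest / 2^(32 - l)) == int(n / 2^(32 - l))) }
    BEGIN { dest = ip2n(d); best = -1 }
    {
      l = plen($1)
      if (covers(ip2n(pfx($1)), l) && l > best) {
        best = l; gw = "direct"; dev = ""
        for (i = 2; i <= NF; i++) { if ($i == "via") gw = $(i + 1); if ($i == "dev") dev = $(i + 1) }
      }
    }
    END { if (dev == "") print "UNREACHABLE"; else print gw " " dev }'
}

# The managed route to add in the controller so other ZT nodes send the
# bridge subnet to this host: the on-link prefix of the bridge device,
# via the host address the kernel put on the ZT interface.
managed_route_for() {   # $1 = route table text, $2 = bridge dev, $3 = ZT dev
  printf '%s\n' "$1" | awk -v br="$2" -v zt="$3" '
    {
      dev = ""; src = ""
      for (i = 2; i <= NF; i++) { if ($i == "dev") dev = $(i + 1); if ($i == "src") src = $(i + 1) }
      if (dev == br && src != "") subnet = $1
      if (dev == zt && src != "") ztaddr = src
    }
    END { if (subnet != "" && ztaddr != "") print subnet " via " ztaddr }'
}

# Kernel side: without forwarding the host drops packets arriving on the ZT
# interface for 10.10.99.0/24 instead of passing them to lxdbr99.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
  printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-zt-forward.conf
}

# Only change the live host when run explicitly: sh zt-router.sh --run
if [ "${1:-}" = "--run" ]; then
  enable_forwarding
  echo "add this managed route in the controller: $(managed_route_for "$(ip route)" lxdbr99 zthi7ftsao)"
fi
```

Run `next_hop "$(ip route)" 10.10.99.5` on a remote ZT node after the managed route is in place; it should return the host's ZT address and the node's zt interface rather than the default gateway, which is the quickest way to tell a missing controller route from a missing forwarding flag.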