chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot

- docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars
- entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown
- README.md: update to multi-arch + non-privileged run guidance; fix examples
- .gitignore: ignore sbom.spdx.json and results.sarif
- .github/dependabot.yml: monitor Dockerfiles weekly

No functional changes intended; improves security, robustness, and maintainability.
This commit is contained in:
Josh Jacobs
2025-10-26 15:50:49 +00:00
parent efd0c51fcf
commit 2756d3b0c8
4 changed files with 50 additions and 32 deletions


@@ -1,15 +1,22 @@
#!/bin/sh
grepzt() {
(find /proc -name exe | xargs -I{} readlink {}) 2>/dev/null | grep -q zerotier-one
return $?
set -eu
terminate() {
# Try to terminate zerotier-one gracefully
if [ -n "${ZT_PID:-}" ]; then
kill -TERM "$ZT_PID" 2>/dev/null || true
wait "$ZT_PID" 2>/dev/null || true
fi
}
trap terminate INT TERM
echo "starting zerotier"
setsid /usr/sbin/zerotier-one &
ZT_PID=$!
while ! grepzt
do
# Wait for zerotier to be responsive
until zerotier-cli info >/dev/null 2>&1; do
echo "zerotier hasn't started, waiting a second"
sleep 1
done
@@ -17,34 +24,34 @@ done
# Set IPTables to allow NATting
sysctl -w net.ipv4.ip_forward=1 > /dev/null
echo "joining networks: $ZT_NETWORKS"
echo "joining networks: ${ZT_NETWORKS:-}"
for n in $ZT_NETWORKS
do
for n in ${ZT_NETWORKS:-}; do
echo "joining $n"
while ! zerotier-cli join "$n"
do
until zerotier-cli join "$n"; do
echo "joining $n failed; trying again in 1s"
sleep 1
done
if [ "$ZT_BRIDGE" = "true" ]
then
echo "Configuring iptables on $(zerotier-cli get $n portDeviceName)"
PHY_IFACE=eth0; ZT_IFACE=$(zerotier-cli get $n portDeviceName)
if [ "${ZT_BRIDGE:-true}" = "true" ]; then
ZT_IFACE=$(zerotier-cli get "$n" portDeviceName)
PHY_IFACE=eth0
echo "Configuring iptables on ${ZT_IFACE}"
iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
iptables -t nat -A POSTROUTING -o $ZT_IFACE -j MASQUERADE
iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -j ACCEPT
iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
# idempotent rules
iptables -t nat -C POSTROUTING -o "$PHY_IFACE" -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o "$PHY_IFACE" -j MASQUERADE
iptables -t nat -C POSTROUTING -o "$ZT_IFACE" -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o "$ZT_IFACE" -j MASQUERADE
iptables -C FORWARD -i "$PHY_IFACE" -o "$ZT_IFACE" -j ACCEPT 2>/dev/null || iptables -A FORWARD -i "$PHY_IFACE" -o "$ZT_IFACE" -j ACCEPT
iptables -C FORWARD -i "$ZT_IFACE" -o "$PHY_IFACE" -j ACCEPT 2>/dev/null || iptables -A FORWARD -i "$ZT_IFACE" -o "$PHY_IFACE" -j ACCEPT
fi
done
# Give ZT a second realise it's online
# Give ZT a second to realise it's online
sleep 10
# Print Client Info
echo "$(zerotier-cli info)"
zerotier-cli info || true
sleep infinity
# Keep the container running while zerotier-one is alive
wait "$ZT_PID"
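Review bot: `${ZT_BRIDGE:-true}` in the `if` silently flips the default: before this change an unset ZT_BRIDGE evaluated to `[ "" = "true" ]` and skipped the NAT setup, whereas now an unset variable installs MASQUERADE on both interfaces and unconditional FORWARD ACCEPT in both directions, which is a functional and security-relevant change the description ("No functional changes intended") does not mention. To keep the old opt-in behaviour use `if [ "${ZT_BRIDGE:-false}" = "true" ]; then`, or document the new default in the README. Separately, `terminate` (defined in the first hunk) only kills and reaps the daemon and then returns, so a SIGTERM that arrives while the script is still inside the `until zerotier-cli info` or `until zerotier-cli join` loops presumably leaves it spinning forever against a dead daemon, and the container would only stop on Docker's SIGKILL; ending the handler with `exit 143` (or setting a flag those loops check) avoids that. The two FORWARD rules also accept all traffic from eth0 into the ZeroTier interface as well as the reverse; if only outbound-initiated flows are intended, the eth0→ZT rule should be limited with `-m conntrack --ctstate RELATED,ESTABLISHED` (this predates the commit, so it may be deliberate).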