chore 🤖: Release v1.0.10 [skip ci] [skip ci]

Integrate Grype for Scanning

.github/workflows/docker-build.yml

@@ -0,0 +1,84 @@
+name: Publish Docker Image
+
+on:
+  pull_request:
+  push:
+    branches:
+      - "main"
+
+jobs:
+  DockerBuildAndRelease:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Registry
+        id: registry_push
+        uses: docker/login-action@v3
+        with:
+          registry: registry.dangerous.tech
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build and Push
+        id: docker_build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        id: sbom
+        with:
+          image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
+          registry-username: ${{ secrets.REGISTRY_USERNAME }}
+          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+          format: spdx-json
+          output-file: ./sbom.spdx.json
+
+      - name: Scan SBOM
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          sbom: sbom.spdx.json
+          fail-build: false
+
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Changelog
+        uses: TriPSs/conventional-changelog-action@v3
+        id: changelog
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          git-message: "chore 🤖: Release {version} [skip ci]"
+          output-file: "CHANGELOG.md"
+          tag-prefix: "v"
+          fallback-version: "1.0.0"
+          release-count: 0 # preserve all versions in changelog
+          skip-on-empty: false # otherwise we don't publish fixes
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        id: release
+        if: ${{ steps.changelog.outputs.skipped == 'false' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.github_token }}
+        with:
+          tag_name: ${{ steps.changelog.outputs.tag }}
+          name: ${{ steps.changelog.outputs.tag }}
+          body: ${{ steps.changelog.outputs.clean_changelog }}
+          files: |
+            sbom.spdx.json

CHANGELOG.md

@@ -0,0 +1,71 @@
+## [1.0.10](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.9...v1.0.10) (2023-09-22)
+
+
+### Bug Fixes
+
+* upload sarif file ([89e2953](https://github.com/dangeroustech/ZeroTierBridge/commit/89e29531f070539935a93b6f55d791170ea42e72))
+
+
+
+## [1.0.9](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.8...v1.0.9) (2023-09-22)
+
+
+
+## [1.0.8](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.7...v1.0.8) (2023-09-22)
+
+
+
+## [1.0.7](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.6...v1.0.7) (2023-09-22)
+
+
+
+## [1.0.6](https://github.com/dangeroustech/ZeroTierBridge/compare/v0.0.1...v1.0.6) (2023-09-22)
+
+
+
+## [1.0.5](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.4...v1.0.5) (2023-09-22)
+
+
+
+## [1.0.4](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.3...v1.0.4) (2023-09-22)
+
+
+
+## [1.0.3](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.2...v1.0.3) (2023-09-22)
+
+
+
+## [1.0.2](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.1...v1.0.2) (2023-09-22)
+
+
+### Bug Fixes
+
+* quick filter to not release on PRs ([c34324b](https://github.com/dangeroustech/ZeroTierBridge/commit/c34324b998690edeadd3d680987587c0fe93c525))
+
+
+
+## [1.0.1](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.0...v1.0.1) (2023-09-22)
+
+
+
+# [1.0.0](https://github.com/dangeroustech/ZeroTierBridge/compare/f902dcc0c4615801fb65e6c90342efe96789319f...v1.0.0) (2023-09-22)
+
+
+### Bug Fixes
+
+* add openssl dep and remove pinning ([1298cea](https://github.com/dangeroustech/ZeroTierBridge/commit/1298cea4fa1bad3141754e5218f449ec15e8469a))
+* allow bi-directional traffic initiation ([90cf5b1](https://github.com/dangeroustech/ZeroTierBridge/commit/90cf5b1684b6221797b39af306c3fee9ce5bdb9e))
+* ci: lowercase tag names ([fc24b78](https://github.com/dangeroustech/ZeroTierBridge/commit/fc24b78d4a1046ebc2b01560ed4b67e33418c30e))
+* ci: use correct registry ([3b29bee](https://github.com/dangeroustech/ZeroTierBridge/commit/3b29bee4c642cf04c3af89a7c16f004531f83622))
+* ci: use full registry name ([3a5eb50](https://github.com/dangeroustech/ZeroTierBridge/commit/3a5eb50b13cf7cab7939c4b49c14093189aae330))
+* set proper workdir ([7f56fec](https://github.com/dangeroustech/ZeroTierBridge/commit/7f56fec6897635e37b3e5aa13e7c3bbfddbce5da))
+* standardise network env again ([3e65156](https://github.com/dangeroustech/ZeroTierBridge/commit/3e65156a3c955fa6c6715a7d9e15a799c6f3f735))
+
+
+### Features
+
+* add docker-compose.yml ([f902dcc](https://github.com/dangeroustech/ZeroTierBridge/commit/f902dcc0c4615801fb65e6c90342efe96789319f))
+* support multiple zt network joins ([556195c](https://github.com/dangeroustech/ZeroTierBridge/commit/556195cd64f33fbbc9244022c8a99af5284ffbb9))
+
+
+

Dockerfile

@@ -1,17 +1,19 @@
 FROM debian:buster as stage
 ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one
 ARG ARCH=amd64
-ARG VERSION=1.6.5
-RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates=20200601~deb10u2 curl=7.64.0-4+deb10u2
+ARG VERSION=1.12.2
+RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates curl
 RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
 
 FROM debian:buster
+RUN mkdir /app
+WORKDIR /app
 COPY --from=stage zerotier-one.deb .
-RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y procps=2:3.3.15-2 iptables=1.8.2-4 \
+RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y procps iptables openssl \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 RUN dpkg -i zerotier-one.deb && rm -f zerotier-one.deb
 RUN echo "${VERSION}" >/etc/zerotier-version
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
+COPY entrypoint.sh entrypoint.sh
+RUN chmod 755 entrypoint.sh
+ENTRYPOINT ["/app/entrypoint.sh"]

README.md

@@ -4,9 +4,11 @@ A container to provide out-of-the-box bridging functionality to a ZeroTier netwo
 
 ## Running
 
-`docker build -t zerotierbridge .`
+### Prerequisites
 
-`docker run --privileged -e ZT_NETWORK=NETWORK_ID_HERE zerotierbridge:latest`
+- Docker running as your logged in user (i.e. not having to run `sudo docker-compose xyz`) - [Linux instructions here](https://docs.docker.com/engine/install/linux-postinstall/)
+
+### ZeroTier UI Changes
 
 Once running, log into your ZeroTier interface and approve the new device. Click the wrench next to the name and select 'Allow Ethernet Bridging.'
 
@@ -16,7 +18,33 @@ You also need to add a static route into ZeroTier so that the traffic is routed
 
 ![brave_4wHd9zo193](https://user-images.githubusercontent.com/1135584/129230132-11bcfb72-7d9b-4b40-a4e5-72130c583077.png)
 
-### Caveat: Architecture
+### Docker Compose
+
+**You need to edit the `ZT_NETWORKS` and `ARCH` variable in the `docker-compose.yml` file first to add your networks and make sure your acrhitecture is correct (see [this page](http://download.zerotier.com/debian/buster/pool/main/z/zerotier-one/) for examples, usually either amd64 or arm64)**
+
+Easy one-liner for Docker Compose:
+
+`docker-compose build && docker-compose up -d`
+
+If you want to disable bridging, set `ZT_BRIDGE=false`. This can be done after the initial networks have been joined (just rebuild the container), as the ZeroTier config persists but IPTables forwarding is done on each container startup.
+
+### OG Docker
+
+`docker build -t zerotierbridge .`
+
+`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE -e ZT_BRIDGE=true zerotierbridge:latest`
+
+Add your network ID(s) into the `ZT_NETWORKS` argument, space separated.
+
+Disable bridging by passing `ZT_BRIDGE=false`. This can be done after the initial networks have been joined (just rebuild the container), as the ZeroTier config persists but IPTables forwarding is done on each container startup.
+
+#### Persistent Storage
+
+If you would like the container to retain the same ZeroTier client ID on reboot, attach a volume as per the below.
+
+`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE ZT_BRIDGE=true --volume zt1:/var/lib/zerotier-one/ zerotierbridge:latest`
+
+#### Caveat: Architecture
 
 If you need to run this on a device with different architecture (a raspberry pi, for instance), then just edit line 3 of the Dockerfile.
 
@@ -24,5 +52,4 @@ If you were using a Raspberry Pi 4, you would change this to `ARCH=arm64` and th
 
 ## TODO
 
-- Add docker-compose.yml
 - Add kubernetes deployment YAML

docker-compose.yml

@@ -0,0 +1,20 @@
+version: "3"
+
+services:
+  zerotierbridge:
+    container_name: zerotierbridge
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        ARCH: amd64
+        VERSION: 1.12.2
+    restart: always
+    privileged: true
+    volumes:
+      - zt_config:/var/lib/zerotier-one
+    environment:
+      - ZT_NETWORKS=NETWORK_ID_1 NETWORK_ID_2 NETWORK_ID_3
+      - ZT_BRIDGE=true
+volumes:
+  zt_config:

entrypoint.sh

@@ -14,27 +14,37 @@ do
   sleep 1
 done
 
-echo "joining networks: $ZT_NETWORK"
+# Set IPTables to allow NATting
+sysctl -w net.ipv4.ip_forward=1 > /dev/null
 
-echo "joining $ZT_NETWORK"
+echo "joining networks: $ZT_NETWORKS"
 
-while ! zerotier-cli join "$ZT_NETWORK"
-do 
-    echo "joining $ZT_NETWORK failed; trying again in 1s"
+for n in $ZT_NETWORKS
+do
+  echo "joining $n"
+
+  while ! zerotier-cli join "$n"
+  do 
+    echo "joining $n failed; trying again in 1s"
     sleep 1
+  done
+
+  if [ "$ZT_BRIDGE" = "true" ]
+  then
+    echo "Configuring iptables on $(zerotier-cli get $n portDeviceName)"
+    PHY_IFACE=eth0; ZT_IFACE=$(zerotier-cli get $n portDeviceName)
+
+    iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
+    iptables -t nat -A POSTROUTING -o $ZT_IFACE -j MASQUERADE
+    iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -j ACCEPT
+    iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
+  fi
 done
 
+# Give ZT a second realise it's online
+sleep 10
 
-### Set IPTables to allow NATting
-echo "setting up NATting"
-sysctl -w net.ipv4.ip_forward=1
-PHY_IFACE=eth0; ZT_IFACE=$(ls /sys/class/net | grep ^zt)
-
-iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
-iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
-
-echo "iptables --list-rules"
-echo "$(ip a)"
+# Print Client Info
+echo "$(zerotier-cli info)"
 
 sleep infinity

package.json

@@ -0,0 +1,3 @@
+{
+  "version": "1.0.10"
+}