You can run Tunneler in a Docker container. This article describes how to use ziti-tunnel from the OpenZiti project as a proxy Endpoint for your NetFoundry network.
Why should I run Tunneler in a container?
Running Tunneler in a container yields the same capabilities as running Tunneler natively on the host. The advantages are in the portability and the ability to reproduce every aspect of the installation on any computer. For example, this approach allows you to systematically upgrade or downgrade Tunneler and to encode the environment and parameters for Tunneler in a Docker Compose file and so to run a predictable configuration on any computer.
Your choice: transparent or opaque proxy
ziti-tunnel is an interactive command-line interface (CLI) and works best on Linux as a transparent proxy (tproxy). Alternatively, Tunneler has an opaque proxy mode that binds a specified set of Services to the loopback (localhost) interface. The proxy mode is the only mode of operation on MacOS and Windows.
You will need the enrollment token (JWT) from NetFoundry for the Endpoint you have created for Docker Tunneler. By providing the JWT file, your Endpoint will be enrolled the first time you run the container. This will generate a permanent identity file (JSON) in the same directory as your Docker Compose file.
Create a Docker Compose File
Create a file named docker-compose.yml. This is the default filename expected by the docker-compose command, which you may install from the Python Package Index (PyPI) like this: pip install --upgrade docker-compose. Customize the highlighted values to suit your Endpoint.
# uncomment the next line to skip DNS interception
# command: run --resolver none
command: proxy "my example service":8888 "my other example service":9999
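The fragment above shows only the command lines. The following is an added, complete docker-compose.yml that defines both the ziti-tunnel (Linux transparent proxy) and ziti-proxy (MacOS/Windows opaque proxy) services used by the up commands later in this article; it is example code written for this page, not a file shipped by NetFoundry or OpenZiti. The image name netfoundry/ziti-tunnel, the /netfoundry mount point, the NF_REG_NAME value and the assumption that the enrollment token is named NF_REG_NAME.jwt (with the generated identity written as NF_REG_NAME.json) are assumptions; adjust them to match your own setup.

```yaml
version: "3.7"

services:
  # Linux transparent proxy (tproxy).
  # Host networking and NET_ADMIN are required so the tunneler can add
  # intercept rules to the host's iptables chains on start and remove them on exit.
  ziti-tunnel:
    image: netfoundry/ziti-tunnel:latest   # assumed image name
    network_mode: host
    cap_add:
      - NET_ADMIN                          # only the capability needed for iptables; no --privileged
    environment:
      NF_REG_NAME: my-docker-endpoint      # example value; the JWT file must be named <NF_REG_NAME>.jwt
    volumes:
      # Assumed mount point. The directory holds <NF_REG_NAME>.jwt before first run and
      # receives the permanent <NF_REG_NAME>.json identity after enrollment, so it must be
      # writable. Treat the .json file as a credential: keep it out of version control and
      # restrict its file permissions on the host.
      - ./:/netfoundry
    command: run
    # uncomment the next line to skip DNS interception
    # command: run --resolver none

  # MacOS and Windows opaque proxy: each named Service is bound to a port in the container.
  ziti-proxy:
    image: netfoundry/ziti-tunnel:latest   # assumed image name
    environment:
      NF_REG_NAME: my-docker-endpoint      # same Endpoint identity as above
    volumes:
      - ./:/netfoundry
    ports:
      # Publish only on the host loopback so the bound Services are reachable from this
      # machine alone and are not exposed on the LAN. Docker's port mapping requires the
      # in-container listener to accept connections from the bridge network (assumed here).
      - "127.0.0.1:8888:8888"
      - "127.0.0.1:9999:9999"
    command: proxy "my example service":8888 "my other example service":9999
```

Run docker-compose config to validate the file before bringing a service up; it reports syntax and interpolation errors without starting any container. Choose one of the two services per host, since the tproxy service assumes a Linux kernel with iptables and the proxy service assumes Docker Desktop port publishing.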
Docker Compose Up
Docker Compose uses the up command to run the container described by the docker-compose.yml file you created. Now, with your enrollment token file in the same directory with a name that matches the value of NF_REG_NAME, run one of the following commands.
Linux Transparent Proxy
❯ docker-compose up ziti-tunnel
With the transparent proxy running, the Linux host that runs Docker will have intercept rules for the authorized Services added to its iptables chains when the container starts and removed when it exits.
MacOS & Windows Proxy
❯ docker-compose up ziti-proxy
With the proxy running, the MacOS or Windows host that runs Docker will have ports on its loopback interface mapped to the bound Service ports in the container. You must send NetFoundry network traffic to the appropriate loopback port for each bound Service.