zerotierbridge/entrypoint.sh

#!/bin/sh

set -eu

terminate() {
  # Try to terminate zerotier-one gracefully
  if [ -n "${ZT_PID:-}" ]; then
    kill -TERM "$ZT_PID" 2>/dev/null || true
    wait "$ZT_PID" 2>/dev/null || true
  fi
}
trap terminate INT TERM

echo "starting zerotier"
setsid /usr/sbin/zerotier-one &
ZT_PID=$!

# Wait for zerotier to be responsive
until zerotier-cli info >/dev/null 2>&1; do
  echo "zerotier hasn't started, waiting a second"
  sleep 1
done

# Set IPTables to allow NATting
sysctl -w net.ipv4.ip_forward=1 > /dev/null

echo "joining networks: ${ZT_NETWORKS:-}"

for n in ${ZT_NETWORKS:-}; do
  echo "joining $n"

  until zerotier-cli join "$n"; do
    echo "joining $n failed; trying again in 1s"
    sleep 1
  done

  if [ "${ZT_BRIDGE:-true}" = "true" ]; then
    ZT_IFACE=$(zerotier-cli get "$n" portDeviceName)
    PHY_IFACE=eth0
    echo "Configuring iptables on ${ZT_IFACE}"

    # idempotent rules
    iptables -t nat -C POSTROUTING -o "$PHY_IFACE" -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o "$PHY_IFACE" -j MASQUERADE
    iptables -t nat -C POSTROUTING -o "$ZT_IFACE" -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o "$ZT_IFACE" -j MASQUERADE
    iptables -C FORWARD -i "$PHY_IFACE" -o "$ZT_IFACE" -j ACCEPT 2>/dev/null || iptables -A FORWARD -i "$PHY_IFACE" -o "$ZT_IFACE" -j ACCEPT
    iptables -C FORWARD -i "$ZT_IFACE" -o "$PHY_IFACE" -j ACCEPT 2>/dev/null || iptables -A FORWARD -i "$ZT_IFACE" -o "$PHY_IFACE" -j ACCEPT
  fi
done

# Give ZT a second to realise it's online
sleep 10

# Print Client Info
zerotier-cli info || true

# Keep the container running while zerotier-one is alive
wait "$ZT_PID"
Init Commit 2021-08-12 16:12:07 +01:00			`#!/bin/sh`

chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`set -eu`

			`terminate() {`
			`# Try to terminate zerotier-one gracefully`
			`if [ -n "${ZT_PID:-}" ]; then`
			`kill -TERM "$ZT_PID" 2>/dev/null \|\| true`
			`wait "$ZT_PID" 2>/dev/null \|\| true`
			`fi`
Init Commit 2021-08-12 16:12:07 +01:00			`}`
chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`trap terminate INT TERM`
Init Commit 2021-08-12 16:12:07 +01:00
			`echo "starting zerotier"`
			`setsid /usr/sbin/zerotier-one &`
chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`ZT_PID=$!`
Init Commit 2021-08-12 16:12:07 +01:00
chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`# Wait for zerotier to be responsive`
			`until zerotier-cli info >/dev/null 2>&1; do`
Init Commit 2021-08-12 16:12:07 +01:00			`echo "zerotier hasn't started, waiting a second"`
			`sleep 1`
			`done`

feat: support multiple zt network joins feat: add ZT_BRIDGE to control bridge functionality 2021-08-13 12:31:24 +01:00			`# Set IPTables to allow NATting`
			`sysctl -w net.ipv4.ip_forward=1 > /dev/null`

chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`echo "joining networks: ${ZT_NETWORKS:-}"`
Init Commit 2021-08-12 16:12:07 +01:00
chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`for n in ${ZT_NETWORKS:-}; do`
feat: support multiple zt network joins feat: add ZT_BRIDGE to control bridge functionality 2021-08-13 12:31:24 +01:00			`echo "joining $n"`
Init Commit 2021-08-12 16:12:07 +01:00
chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`until zerotier-cli join "$n"; do`
feat: support multiple zt network joins feat: add ZT_BRIDGE to control bridge functionality 2021-08-13 12:31:24 +01:00			`echo "joining $n failed; trying again in 1s"`
Init Commit 2021-08-12 16:12:07 +01:00			`sleep 1`
feat: support multiple zt network joins feat: add ZT_BRIDGE to control bridge functionality 2021-08-13 12:31:24 +01:00			`done`

chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`if [ "${ZT_BRIDGE:-true}" = "true" ]; then`
			`ZT_IFACE=$(zerotier-cli get "$n" portDeviceName)`
			`PHY_IFACE=eth0`
			`echo "Configuring iptables on ${ZT_IFACE}"`
feat: support multiple zt network joins feat: add ZT_BRIDGE to control bridge functionality 2021-08-13 12:31:24 +01:00
chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`# idempotent rules`
			`iptables -t nat -C POSTROUTING -o "$PHY_IFACE" -j MASQUERADE 2>/dev/null \|\| iptables -t nat -A POSTROUTING -o "$PHY_IFACE" -j MASQUERADE`
			`iptables -t nat -C POSTROUTING -o "$ZT_IFACE" -j MASQUERADE 2>/dev/null \|\| iptables -t nat -A POSTROUTING -o "$ZT_IFACE" -j MASQUERADE`
			`iptables -C FORWARD -i "$PHY_IFACE" -o "$ZT_IFACE" -j ACCEPT 2>/dev/null \|\| iptables -A FORWARD -i "$PHY_IFACE" -o "$ZT_IFACE" -j ACCEPT`
			`iptables -C FORWARD -i "$ZT_IFACE" -o "$PHY_IFACE" -j ACCEPT 2>/dev/null \|\| iptables -A FORWARD -i "$ZT_IFACE" -o "$PHY_IFACE" -j ACCEPT`
feat: support multiple zt network joins feat: add ZT_BRIDGE to control bridge functionality 2021-08-13 12:31:24 +01:00			`fi`
Init Commit 2021-08-12 16:12:07 +01:00			`done`

chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`# Give ZT a second to realise it's online`
feat: support multiple zt network joins feat: add ZT_BRIDGE to control bridge functionality 2021-08-13 12:31:24 +01:00			`sleep 10`
Init Commit 2021-08-12 16:12:07 +01:00
feat: support multiple zt network joins feat: add ZT_BRIDGE to control bridge functionality 2021-08-13 12:31:24 +01:00			`# Print Client Info`
chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`zerotier-cli info \|\| true`
Init Commit 2021-08-12 16:12:07 +01:00
chore: harden compose + entrypoint; docs refresh; ignore artifacts; dependabot - docker-compose.yml.example: drop privileged; add cap_add (NET_ADMIN, NET_RAW) and sysctls; quote env vars - entrypoint.sh: add strict mode + traps; wait for service; idempotent iptables; graceful shutdown - README.md: update to multi-arch + non-privileged run guidance; fix examples - .gitignore: ignore sbom.spdx.json and results.sarif - .github/dependabot.yml: monitor Dockerfiles weekly No functional changes intended; improves security, robustness, and maintainability. 2025-10-26 15:50:49 +00:00			`# Keep the container running while zerotier-one is alive`
			`wait "$ZT_PID"`