Docker ziti-edge-tunnel Allow intercepts WITHOUT Docker network_mode: host

Hi there,

I am looking for a way to deploy ziti-edge-tunnels as Docker containers that are able to intercept without using network_mode: host.
I need to use Docker internal networking, as I need the ziti-edge-tunnel to be used by other containers.

Is there a way to "internalize" all the intercepting? Maybe building a container with systemd etc.?

At this time, I don't think you can do that. You can deploy routers instead within Docker and configure them in that way: Deploy the Router with Docker | OpenZiti

Maybe that will work?

2 Likes

I agree the router container is probably the best way. That approach gives you Ziti DNS for each container using the Ziti router as a "sidecar" (a shared Docker bridge network interface and loopback device, and DNS resolver).

The K8s sidecar example uses a different container to do the same thing: openziti/ziti-tunnel. The tunnel container does not provide a router, which is often desirable, and is less well documented because ziti-edge-tunnel is the preferred, flagship tunneler for most things.

The openziti/ziti-tunnel container can provide Ziti DNS and a transparent sidecar proxy the same way as the openziti/ziti-router container, but it is simpler to orchestrate since it's fully autonomous and requires only a JWT, without generating a config YAML.

1 Like
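The sidecar pattern described in the answer above, written out as a Docker Compose file. This is an added example, not a file from the thread or from the OpenZiti project: the app container joins the tunneler's network namespace with `network_mode: "service:..."` instead of `network_mode: host`, so intercepts and Ziti DNS apply to the app's traffic while the app itself keeps no extra capabilities. The `tproxy` command, the identity mount path and the `my-service.ziti` hostname are assumptions; check the image's own documentation for the entrypoint and identity location it expects.

```yaml
# docker-compose.yml: ziti-tunnel as a per-app network sidecar (added example, not from the thread).
# Assumptions not stated in the thread: the openziti/ziti-tunnel image takes a "tproxy"
# command and reads an enrolled identity from /netfoundry/identity.json. Adjust both
# to the image's documented entrypoint and identity path.
services:
  ziti-sidecar:
    image: openziti/ziti-tunnel
    command: tproxy
    cap_add:
      - NET_ADMIN          # only the sidecar needs this, to install its intercept rules
    volumes:
      # enrolled identity mounted read-only (path is an assumption)
      - ./identity.json:/netfoundry/identity.json:ro
    networks:
      - app-net

  app:
    image: curlimages/curl:latest
    # Join the sidecar's network namespace: the app's sockets pass through the
    # sidecar's intercepts and use its Ziti DNS, with no host networking and
    # no capabilities granted to the app container itself.
    network_mode: "service:ziti-sidecar"
    depends_on:
      - ziti-sidecar
    # my-service.ziti is a placeholder for a Ziti service intercept address
    command: ["sh", "-c", "sleep 5 && curl -sS http://my-service.ziti:8080/"]

networks:
  app-net: {}
```

Because `app` shares the sidecar's namespace it must not declare its own `networks`, `ports` or `dns` settings (Docker rejects them together with a container network mode); publish ports, if any, on the `ziti-sidecar` service instead. Keeping `NET_ADMIN` on the sidecar only is the point of the pattern: the application container runs with the default capability set and never sees the host network.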