Tunneler Container Update

You may have noticed that there are now two tunneler containers (README). Both are released automatically along with the ziti-edge-tunnel executable release in GitHub.

What’s the difference between the two containers?

The original container is openziti/ziti-edge-tunnel and helps with deployment by providing several ways to supply the Ziti identity. This container assumes you want the “run” mode of the tunneler, which provides a proxy and nameserver. We’ll keep releasing this container for stability and compatibility for the time being, but the new container is better suited in most cases. I wouldn’t say the new container deprecates the old.

The new container is openziti/ziti-host and uses the same methods of configuring the Ziti identity and uses the “run-host” mode of the tunneler (service hosting only without a proxy or nameserver). The main reason I started creating another container was to prepare for Red Hat certification. This resulted in a thinner container image focused on the service hosting/terminating use case. This container also complies with container best practices, such as dropping privileges to improve security (no root).

EDIT: struck thinner because the RH base image is in fact approx 2x the size of the Debian image

1 Like

I have done a cursory glance at this. From looking at the readme, there is no indication that there are two container images until you read all the way through, and then you come up to another Container Image … headline (thinking of someone coming along in a few months time).

Could I ask that you summarize what you have written above into that readme? Basically explain at the top that there are two containers now - which one should be chosen and why the differences?

Also, on the Docker-compose file ziti-tunnel-sdk-c/docker-compose.yml at main · openziti/ziti-tunnel-sdk-c · GitHub there are a lot of services in there, and when you run

  1. Run the demo server

docker-compose up --detach hello

Is this not bringing up everything (all the services) including the older ziti-edge-tunneler?

I feel it is a shame that you are going away from the ziti-edge-tunneller name as that is universal, ie run the ziti-edge-tunneller app on all platforms, except for docker where it is now called ziti-host. Will this bring confusion into the mix? I understand that you cannot have two different containers with the same name.

Great idea! describe the differences between the two containers by qrkourier · Pull Request #580 · openziti/ziti-tunnel-sdk-c · GitHub

No, that command only runs the service named “hello”. There should be a separate compose file for each set of things that are run together. That would make the compose projects useful and focused on a particular demonstration or use case. Currently, that compose file is an omnibus of services demonstrating various ways of running the two containers and a few supporting server apps for testing or demos. It’s too confusing this way.

The idea behind this newer container is that it’s name reflects the use case (hosting with Ziti), not the name of the executable (ziti-edge-tunnel). The old container is still the most generic way to run ziti-edge-tunnel. I imagine that we might eventually roll additional tunneler-use-case-centric containers that inherit from either of these two container image lineages.