Will Zerotier support over 4000 nodes?

alex.zerotier · January 27, 2023, 7:42pm

I would like to replicate Firecracker 4000 VMs demo on a single server (GitHub - firecracker-microvm/firecracker-demo: A demo running 4000 Firecracker microVMs.) with Zerotier client running inside each VM, I looked at other network-based solutions - including wireguard based, docker bridge and CNI bridge/ptp and tc interfaces and they all have shortcomings: bridge would not support over 1048 nodes. Will zerotier handle it? And what is the performance impact - I am planning to take this idea from the demo into production.

zt-joseph · January 27, 2023, 7:54pm

Hello Alex,

This is interesting and I look forward to seeing this happen. Keep us in the loop here! I’m not aware of any limitations that would be an issue as long as you chose a large enough subnet, and I’m not entirely certain how bridging plays a role here but if you do have one node designated as a bridge be sure to give it adequate computing and network resources and you should be good.

If you do run into scalability issues we’re very interested in knowing what they are and can work with you to mitigate them.

Good luck!

alex.zerotier · January 27, 2023, 7:58pm

Thank you, @zt-joseph if you have any hints on how to automate zerotier deployment or use with nomad let me know. So far the biggest obstacle for me to use zerotier consistently inside vms and servers is the interface name (currently ztnpgwep3r on nearest RPI4), can zerotier create consistent interface - like ztoverlay on join?

zt-joseph · January 27, 2023, 8:05pm

Sure,

Check out this SO question and answer on how to use the devicemap file. (I know, we should put this in our docs.)

As for automation, I’ll refer you to @sean.omeara since he wrote our Terraform provider and may have some good advice. I don’t have any knowledge specific to Nomad unfortunately.

zt-grant · January 27, 2023, 8:07pm

The interface name on Linux is consistent for each network. For network A, the interface name on linux will always be the same.

alex.zerotier · January 27, 2023, 8:17pm

Good to know: just checking if I got it right, so if I spin 1000 VMs inside each VM will be a fixed interface ztnpgwep3r, which I can query with the script?

zt-grant · January 27, 2023, 8:18pm

As long as they’re all joined to the same network, yes.

alex.zerotier · January 27, 2023, 8:27pm

Thank you. Maybe there is an easy way to read node IP from zerotier cli? That was the whole point of figuring out the interface name.

zt-grant · January 27, 2023, 8:46pm

each instance has a REST API. That can probably tell you anything you wan to know. You can also use the CLI to get JSON by adding -j to the command line arguments

sean.omeara · January 29, 2023, 11:36am

Hi Alex!
For your use case, I would recommend the following

Calculate and assign IP address through the API (no_auto_assign_ips, ip_assignments) instead of relying on controller provisioned addresses. You’ll have a much easier time rendering information into configuration files and such.
The addressing scheme means you get a lot of packets for free with IPV6 (look into 6PLANE as well)…
If you must use IPV4, use the flow control rules to block broadcast traffic if windows is involved

Pro tip:

Remember that ZeroTier simulates an ethernet switch, so there’s actually nothing stopping you from manually setting arbitrary addresses on the interface if you need to.

sean.omeara · January 29, 2023, 11:49am

Here are automation references

Automatically authorizing a member with curl:

github.com

zerotier/github-action/blob/main/action.yml#L47


      
              ztcli="/c/Program Files (x86)/ZeroTier/One/zerotier-cli.bat"
              member_id=$("${ztcli}" info | awk '{ print $3 }')
              ;;
            *)
              . ${{ github.action_path }}/util/install.sh &>/dev/null
              member_id=$(sudo zerotier-cli info | awk '{ print $3 }')
            ;;
          esac
          
          
echo "⏁  Authorizing Runner to ZeroTier network"
          curl -s -X POST -H "Authorization: token ${{ inputs.auth_token }}" -d '{"config":{"authorized":true}}' "${{ inputs.api_url }}/network/${{ inputs.network_id }}/member/${member_id}"
          
          
echo "⏁  Joining ZeroTier Network ID: ${{ inputs.network_id }}"
          case $(uname -s) in
            MINGW64_NT?*)
              "${ztcli}" join ${{ inputs.network_id }}
              while ! "${ztcli}" listnetworks | grep ${{ inputs.network_id }} | grep OK ; do sleep 0.5 ; done
              ;;
            *)
              sudo zerotier-cli join ${{ inputs.network_id }}
              while ! sudo zerotier-cli listnetworks | grep ${{ inputs.network_id }} | grep OK ; do sleep 0.5 ; done

If you’re using Terraform, here are some examples for creating identities and bootstrapping nodes

-s

alex.zerotier · January 29, 2023, 1:01pm

Amazing reply @sean.omeara, thank you for the advice, I will look into it and the links - I may have to come back in a week.

sean.omeara · January 29, 2023, 2:44pm

One more thing I forgot to mention, re: Nomad

This exists: GitHub - hashicorp/consul-terraform-sync: Consul Terraform Sync is a service-oriented tool for managing network infrastructure near real-time.

This will let you use our Terraform provider to create memberships (network authorizations) in response to changes in the Consul catalog.

I’ve been meaning to find the time to experiment with it… I’d LOVE to talk to you if you get this working =)

-s

system · February 26, 2023, 7:42pm

This topic was automatically closed after 30 days. New replies are no longer allowed.