Your experiences in bringing Zerotier to Docker?

Hi
I have a VPS running public services.
I’m looking at zerotier to access non-public services on this VPS.
Traffic could go both ways, for example:

  • Prometheus pulling exporters on the VPS.
  • Backup jobs (VPS side) pushing alerts to gotify, NTFY, whatever.

Everything on the VPS and the other machines runs on Ubuntu with Docker.

A few solutions I found to bring zerotier to docker:

  1. install ZT on the host and bind container ports to the ZT IP address.
  2. bring ZT interfaces into the container
    a) build custom images with both ZT and the wanted service
    b) build a compose project and bind network interfaces with ‘network_mode: service:my_zt_container’
  3. build a container with ZT which acts as a proxy/router, and add routes to each container.

Solution 1 is the easiest, but the risky/public services could access the ZT network too easily.
Solution 2.b is very easy, but it creates a lot of nodes on the ZT network.
Solution 3 is harder from my point of view, but I think it is the right way. (I haven’t tested it yet.)

What do you think about it?
What are your experiences with ZT into docker?
I am here to learn.

PS: English is not my native language. Tell me if things are unclear.
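As an added example (not from the original post, and not ZeroTier's or Docker's own documentation), here is what option 2.b from the list above could look like as a compose file. The service names, the volume name and the network ID are placeholders I chose; it assumes the official zerotier/zerotier image joins the networks given as command arguments, and it uses prom/node-exporter as the "exporter pulled by Prometheus" from the first bullet.

```yaml
# Added example for option 2.b: one ZeroTier container, one service sharing its
# network namespace. The network ID below is a placeholder, not a real network.
services:
  zt:
    image: zerotier/zerotier:latest
    # Assumption: the official image joins the network IDs passed as arguments.
    command: ["<your-16-hex-digit-zerotier-network-id>"]
    cap_add:
      - NET_ADMIN            # enough to create the zt* interface; SYS_ADMIN is not needed
    devices:
      - /dev/net/tun
    volumes:
      - zt-identity:/var/lib/zerotier-one   # keep the node identity across restarts (otherwise each restart is a new node)
    restart: unless-stopped
    # Deliberately no "ports:" block: nothing here is published on the VPS public address.

  node-exporter:
    image: prom/node-exporter:latest
    network_mode: "service:zt"   # port 9100 lives in zt's namespace, so it is reachable only through the ZeroTier address
    pid: host
    volumes:
      - /:/host:ro,rslave
    command:
      - --path.rootfs=/host
    depends_on:
      - zt

volumes:
  zt-identity:
```

Two things to keep in mind with this layout: a service using `network_mode: service:zt` cannot declare its own `ports:` (any published port would have to go on the `zt` service, which is exactly what you want to avoid here), and the public services of the VPS stay in their own compose networks without any view of the ZeroTier interface, which is the exposure problem of option 1. Several private services can share the single `zt` container the same way, so the "many nodes" downside of 2.b only grows per compose project, not per service.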

Running zerotier in docker can be convenient (less to modify on the system, it’s cross-platform so it can run on Windows, etc.).
I’ve built one and used it in the past for ssh access.

This container has zerotier and ssh:

ZTID='your zerotier network'   # the ZeroTier network ID the container will join
docker run --rm -d -e ZTID=$ZTID \
       -v "$(pwd)":/UPLOADER \
       --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --device=/dev/net/tun \
       toddkaufmann/upload-container

You can copy your public key into /etc/authorized_keys, or login as root (password is the container name / hostname).

Worked fine as a PoC three years ago.