Containers

Run The OpenZiti Tunneler with Docker

Host Services with Docker

The most popular way of using the Linux tunneler in Docker is to "host" an OpenZiti service, meaning as a reverse proxy and exit point from the OpenZiti network toward some target server. You can deploy the container before or after you grant it permission to start hosting the service and it will autonomously obey the OpenZiti controller.

The openziti/ziti-host image simply runs ziti-edge-tunnel run-host with the following helpful conventions for supplying an enrollment token and persisting the identity.

Enroll and Persist Identity in a Volume

Set the enrollment token and run the container. This example saves the identity file in the persistent volume: /ziti-edge-tunnel/ziti_id.json.

services:
    ziti-host:
        image: docker.io/openziti/ziti-host
        volumes:
            - ziti-host:/ziti-edge-tunnel
        environment:
            - ZITI_ENROLL_TOKEN
volumes:
    ziti-host:

Use an Enrolled Identity from the Environment

You may source an existing identity from the environment.

services:
    ziti-host:
        image: docker.io/openziti/ziti-host
        environment:
            - ZITI_IDENTITY_JSON

Mount an Enrolled Identity File

You may mount an existing identity from the host's filesystem. The default path to find the identity during startup is /ziti-edge-tunnel/ziti_id.json. Optionally, set ZITI_IDENTITY_BASENAME to change the filename prefix from ziti_id.

services:
    ziti-host:
        image: docker.io/openziti/ziti-host
        volumes:
            - ./ziti_id.json:/ziti-edge-tunnel/ziti_id.json

Mount a Directory of Enrolled Identity Files

You may mount many existing identities from the host's filesystem. The tunneler will load all valid, readable identities at each startup. The tunneler will look for files matching /ziti-edge-tunnel/*.json.

services:
    ziti-host:
        image: docker.io/openziti/ziti-host
        volumes:
            - ./identities:/ziti-edge-tunnel