readonly/docker-ripe-atlas
1
0
Fork 0
mirror of https://github.com/minoplhy/docker-ripe-atlas.git synced 2025-04-21 20:36:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
docker-ripe-atlas/README.md

143 lines
5.4 KiB
Markdown
Raw Blame History

# RIPE Atlas Docker Image
This is the [RIPE Atlas software probe](https://atlas.ripe.net/docs/software-probe/) packaged as a Docker image.
[![Build Status](https://dev.azure.com/nekomimiswitch/General/_apis/build/status/docker-ripe-atlas?branchName=master)](https://dev.azure.com/nekomimiswitch/General/_build/latest?definitionId=83&branchName=master)
## Requirements
* 1 CPU core (of course)
* 20MiB memory
* 100MiB HDD
* A Linux installation with Docker installed
* Internet access
## Tags
The following prebuilt tags are available at [Docker Hub](https://hub.docker.com/r/jamesits/ripe-atlas). The `latest` tag supports [multi-arch](https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/), and should be used by default.
* **`latest`: For all supported devices listed below (multi-arch)**
* `latest-arm64`: For arm64 (aarch64) devices
* `latest-armv7l`: For armv7l (armhf) devices
* `latest-i386`: For i386 devices
* `latest-amd64`: For amd64 devices
## Running
### Using `docker run`
First we start the container:
```shell
docker run --detach --restart=always \
--log-driver json-file --log-opt max-size=10m \
--cpus=1 --memory=64m --memory-reservation=64m \
--cap-drop=ALL --cap-add=CHOWN --cap-add=SETUID --cap-add=SETGID --cap-add=DAC_OVERRIDE --cap-add=NET_RAW \
-v /var/atlas-probe/etc:/var/atlas-probe/etc \
-v /var/atlas-probe/status:/var/atlas-probe/status \
-e RXTXRPT=yes \
--name ripe-atlas --hostname "$(hostname --fqdn)" \
jamesits/ripe-atlas:latest
```
### Using Docker Compose
An example [`docker-compose.yaml`](/docker-compose.yaml) is provided.
```shell
git clone https://github.com/Jamesits/docker-ripe-atlas.git
cd docker-ripe-atlas
docker-compose pull
docker-compose up -d
```
## Registering the Probe
Fetch the generated public key:
```shell
cat /var/atlas-probe/etc/probe_key.pub
```
[Register](https://atlas.ripe.net/apply/swprobe/) the probe with your public key. After the registration being manually processed, you'll see your new probe in your account.
## Building
If you don't want to use the prebuilt image hosted on the Docker Hub, you can build your own image.
```shell
DOCKER_BUILDKIT=1 docker build -t ripe-atlas .
```
Note that building this container image requires [BuildKit](https://docs.docker.com/develop/develop-images/build_enhancements/).
## Caveats
### IPv6
Docker does not enable IPv6 by default. If you want IPv6 support, some level of setup and a basic understanding of IPv6 is required. Swarm mode & some Kubernetes implementation supports IPv6 too with extra configuration.
#### Using native address assignment
If you happened to have a block of static IPv6 addresses routed to your host, you can directly assign one of the addresses to the container. Edit `/etc/docker/daemon.json` and add native IPv6 address blocks, then restart the Docker daemon. An example:
```json
{
"ipv6": true,
"fixed-cidr-v6": "2001:db8:a1a3::/48"
}
```
Notes:
- These config work on Docker for Linux only
- If `daemon.json` exists, merge the config lines instead of directly overwriting it; if it doesn't exist, create it manually
- For more info, see [the official doc](https://docs.docker.com/config/daemon/ipv6/)
#### Using NAT (NPTv6)
If your ISP does not conform to [BCOP 690](https://www.ripe.net/publications/docs/ripe-690) (very common), and/or your router cannot route smaller blocks of IPv6 to one server even if it has been assigned a block of valid IPv6 addresses (also very common), the method above might not work for you. As a workaround, you can setup NAT with either [Docker's builtin experimental IPv6 NAT support](https://blog.iphoting.com/blog/2021/02/10/ipv6-docker-docker-compose-and-shorewall6-ip6tables/), `robbertkl/docker-ipv6nat` or similar projects. Manual iptables/nftables NAT setup is also possible, but *hanc marginis exiguitas non caperet*.
Firstly, edit kernel parameters to enable IPv6 routing.
```shell
cat > /etc/sysctl.d/50-docker-ipv6.conf <<EOF
net.ipv6.conf.eth0.accept_ra=2
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
EOF
sysctl -p /etc/sysctl.d/50-docker-ipv6.conf
```
Notes:
- This potentially introduces more attack surface and might require you set up IPv6 firewall rules to make yourself safe
- This might break your network and your mileage may vary
- Swap `eth0` with your primary network adapter name
- If you use static IPv6 assignment instead of SLAAC, change `accept_ra` to `0`
Secondly, create a IPv6 NAT enabled network.
```shell
docker network create --ipv6 --subnet=fd00:a1a3::/48 ripe-atlas-network
docker run -d --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro -v /lib/modules:/lib/modules:ro --cap-drop=ALL --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=SYS_MODULE --net=host --name=ipv6nat robbertkl/ipv6nat:latest
```
Finally, start the RIPE Atlas container with argument `--net=ripe-atlas-network`.
### Auto Update
Use this recipe for auto updating the docker container.
```shell
docker run --detach --restart=always -v /var/run/docker.sock:/var/run/docker.sock --name watchtower containrrr/watchtower --cleanup --label-enable
```
Then start the RIPE Atlas container with argument `--label=com.centurylinklabs.watchtower.enable=true`.
### Backup
All the config files are stored at `/var/atlas-probe`. Just backup it.
### Running under Debian 10
When the host distro is Debian 10 or similarly old ones, you might need to add `--security-opt tseccomp:unconfined` to the `docker run` command to make things work. We don't recommend using EOL'ed distros.
Reference in New Issue View Git Blame Copy Permalink