RIPE Atlas Docker Image

This is the RIPE Atlas software probe packaged as a Docker image.

Requirements

• 1 CPU core (of course)
• 20MiB memory
• 100MiB HDD
• A Linux installation with Docker installed
• Internet access

Tags

The following prebuilt tags are available at Docker Hub. Just use latest tag and Docker will select image variant automatically.

• latest: For all supported devices listed below (multi-arch)
• latest-arm64: For arm64 (aarch64) devices
• latest-armel: For armv6l (armel) devices
• latest-armv7l: For armv7l (armhf) devices
• latest-i386: For i386 devices
• latest-amd64: For amd64 devices

Running

Using docker run

First we start the container:

docker run --detach --restart=always \
	--log-driver json-file --log-opt max-size=10m \
	--cpus=1 --memory=64m --memory-reservation=64m \
	--cap-drop=ALL --cap-add=CHOWN --cap-add=SETUID --cap-add=SETGID --cap-add=DAC_OVERRIDE --cap-add=NET_RAW \
	-v /var/atlas-probe/etc:/var/atlas-probe/etc \
	-v /var/atlas-probe/status:/var/atlas-probe/status \
	-e RXTXRPT=yes \
	--name ripe-atlas --hostname "$(hostname --fqdn)" \
	jamesits/ripe-atlas:latest

Then we fetch the generated public key:

cat /var/atlas-probe/etc/probe_key.pub

Register the probe with your public key. After the registration being manually processed, you'll see your new probe in your account.

Using Docker Compose

An example docker-compose.yaml is provided.

git clone https://github.com/Jamesits/docker-ripe-atlas.git
cd docker-ripe-atlas
docker-compose pull
docker-compose up -d

Building

DOCKER_BUILDKIT=1 docker build -t ripe-atlas .

Note that building this container image requires BuildKit.

Caveats

IPv6

Docker's IPv6 support is still like shit. As a workaround, you can use IPv6 NAT using either docker-ipv6nat or native method (experimental).

First, edit kernel parameters.

cat > /etc/sysctl.d/50-docker-ipv6.conf <<EOF
net.ipv6.conf.eth0.accept_ra=2
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
EOF
sysctl -p /etc/sysctl.d/50-docker-ipv6.conf

Note this might break your network and your mileage may vary. You should swap eth0 with your primary network adapter name, and if you use static IPv6 assignment instead of SLAAC, change accept_ra to 0.

Using robbertkl/docker-ipv6nat

docker network create --ipv6 --subnet=fd00:a1a3::/48 ripe-atlas-network
docker run -d --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro -v /lib/modules:/lib/modules:ro --cap-drop=ALL --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=SYS_MODULE --net=host --name=ipv6nat robbertkl/ipv6nat:latest

Then start the RIPE Atlas container with argument --net=ripe-atlas-network.

Using native method (experimental)

Edit /etc/docker/daemon.json, then restart docker daemon.

{
  "experimental": true,
  "ipv6": true,
  "ip6tables": true,
  "fixed-cidr-v6": "fd00:a1a3::/48"
}

Auto Update

Use this recipe for auto updating the docker container.

docker run --detach --restart=always -v /var/run/docker.sock:/var/run/docker.sock --name watchtower containrrr/watchtower --cleanup --label-enable

Then start the RIPE Atlas container with argument --label=com.centurylinklabs.watchtower.enable=true.

Backup

All the config files are stored at /var/atlas-probe. Just backup it.

sleep command not working

On some systems, syscall clock_nanosleep and clock_nanosleep_time64 are blocked by the default Docker seccomp.

Symptoms:

• During container startup, WARNING: clock_nanosleep or clock_nanosleep_time64 is not available on the system is printed
• Atlas software stops working after a while, printing logs like sleep: cannot read realtime clock: Operation not permitted

Temporary workaround:

Add --security-opt seccomp:unconfined to the docker run commandline.