docker
Pre-Alpha. This page describes behavior that may change.
Run Ze in a Docker container for evaluation, lab testing, or lightweight deployments where you don't need interface configuration or kernel-level features (VPP, L2TP, nftables).
For production on bare metal or a dedicated VM, see Appliance.
```sh
make ze-docker
```
This produces ze:<YY.MM.DD> and ze:latest. Override the image name or tag:
```sh
make ze-docker ZE_DOCKER_IMAGE=myregistry/ze ZE_DOCKER_TAG=v1
```
To include optional build tags (e.g. maprib):
```sh
make ze-docker ZE_TAGS=maprib
```
The image is ~89 MB: a static binary on a scratch base with no shell, no libc, no package manager.
Ze needs a config file. Mount one from the host:
```sh
docker run --rm -v ./example.conf:/etc/ze/ze.conf ze:latest /etc/ze/ze.conf
```
Expose the ports you need:
| Port | Service |
|---|---|
| 179 | BGP |
| 1790 | SSH CLI |
| 8080 | Web UI / API |
```sh
docker run -d \
  --name ze \
  -p 179:179 \
  -p 1790:1790 \
  -p 8080:8080 \
  -v ./myconfig.conf:/etc/ze/ze.conf \
  -v ./ze-data:/etc/ze \
  ze:latest /etc/ze/ze.conf
```
Ze requires SSH credentials for CLI access. Initialize them before starting the daemon:
```sh
docker run --rm -v ./ze-data:/etc/ze ze:latest init
```
This prompts for username and password. For scripting:
```sh
echo -e "admin\nsecret" | docker run --rm -i -v ./ze-data:/etc/ze ze:latest init
```
A password typed literally into the command like this is saved in shell history, so in scripts feed the two lines from a file or variable instead.
A ready-made docker/compose.yaml is included in the repo:
```sh
cp docker/compose.yaml .
docker compose up -d
```
The compose file builds the image from source using docker/Dockerfile.
The container runs on a scratch base. Features that require kernel access need extra privileges:
| Feature | Requirement |
|---|---|
| Interface configuration | --cap-add NET_ADMIN or --privileged |
| VPP data plane | Not supported in containers (use Appliance) |
| L2TP tunnels | --cap-add NET_ADMIN + host networking |
| nftables / firewall | --cap-add NET_ADMIN + --cap-add NET_RAW |
| Binding port 179 | Works by default (container runs as root) |
For BGP peering without interface management (route server, looking glass, policy testing), no extra capabilities are needed.
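The requirements table doubles as a least-privilege baseline. The following is an added example, not code from the Ze repository: it reads `docker inspect` JSON and reports capabilities or host networking that differ from what the features in use need. The feature keys and the sample JSON are constructed for illustration.

```python
import json
import re

# Requirements copied from the table above: (capabilities, needs host networking).
# The feature keys are hypothetical labels, not Ze configuration names.
REQUIRED = {
    "bgp": (set(), False),
    "interfaces": ({"NET_ADMIN"}, False),
    "l2tp": ({"NET_ADMIN"}, True),
    "firewall": ({"NET_ADMIN", "NET_RAW"}, False),
}

# Constructed sample of `docker inspect ze` output, trimmed to the fields used.
SAMPLE = ('[{"HostConfig": {"Privileged": false, "NetworkMode": "bridge",'
          ' "CapAdd": ["CAP_NET_ADMIN", "SYS_ADMIN"]}}]')

def audit(inspect_json, features):
    """Return findings where the container's grants differ from what features need."""
    host = json.loads(inspect_json)[0]["HostConfig"]
    needed, need_hostnet = set(), False
    for name in features:
        if name == "vpp":
            raise ValueError("VPP data plane is not supported in containers")
        caps, hostnet = REQUIRED[name]
        needed |= caps
        need_hostnet = need_hostnet or hostnet
    # Docker accepts NET_ADMIN and CAP_NET_ADMIN; CapAdd is null when unset.
    granted = {re.sub(r"^CAP_", "", c.upper()) for c in host.get("CapAdd") or []}
    privileged = bool(host.get("Privileged"))
    findings = []
    if privileged:
        findings.append("privileged: grants every capability, use --cap-add instead")
    findings += [f"excess capability: {c}" for c in sorted(granted - needed)]
    if not privileged:
        findings += [f"missing capability: {c}" for c in sorted(needed - granted)]
    on_hostnet = host.get("NetworkMode") == "host"
    if on_hostnet and not need_hostnet:
        findings.append("host networking enabled but not required")
    if need_hostnet and not on_hostnet:
        findings.append("host networking required but not enabled")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, ["bgp"]):
        print(line)
```

For a live container, pass the output of `docker inspect ze` as the first argument in place of the sample.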
Container exits immediately: Ze needs a config file argument. Check docker logs ze.
Cannot connect to CLI: Make sure you ran ze init first and that port 1790 is published.
Peer won't connect: If peering with the host, use --network host or the Docker bridge gateway IP. Container-to-container peering works on a shared Docker network.
- Install for native installation.
- Appliance for the gokrazy VM appliance.
- Quick Start for first-time setup.
Adapted from main/docs/guide/docker.md.
Unreviewed draft. This wiki was authored in bulk and has not been reviewed. File corrections on the issue tracker.