The most popular way of using the Linux tunneler in Docker is to "host" an OpenZiti service, that is, to act as a reverse proxy and exit point from the OpenZiti network toward some target server. You can deploy the container before or after you grant it permission to start hosting the service, and it will autonomously obey the OpenZiti controller.
The openziti/ziti-host image simply runs ziti-edge-tunnel run-host with the following helpful conventions for supplying an enrollment token and persisting the identity.
Set the enrollment token and run the container. This example saves the identity file in the persistent volume: /ziti-edge-tunnel/ziti_id.json.
services:
  ziti-host:
    image: docker.io/openziti/ziti-host
    volumes:
      - ziti-host:/ziti-edge-tunnel
    environment:
      - ZITI_ENROLL_TOKEN
volumes:
  ziti-host:
You may source an existing identity from the environment.
services:
  ziti-host:
    image: docker.io/openziti/ziti-host
    environment:
      - ZITI_IDENTITY_JSON
You may mount an existing identity from the host's filesystem. The default path to find the identity during startup is /ziti-edge-tunnel/ziti_id.json. Optionally, set ZITI_IDENTITY_BASENAME to change the filename prefix from ziti_id.
services:
  ziti-host:
    image: docker.io/openziti/ziti-host
    volumes:
      - ./ziti_id.json:/ziti-edge-tunnel/ziti_id.json
You may mount many existing identities from the host's filesystem. The tunneler will load all valid, readable identities at each startup. The tunneler will look for files matching /ziti-edge-tunnel/*.json.
services:
  ziti-host:
    image: docker.io/openziti/ziti-host
    volumes:
      - ./identities:/ziti-edge-tunnel
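Because only valid, readable identities are loaded and each identity file carries private key material, it helps to audit the host directory before mounting it. The following preflight check is an added example, not part of the OpenZiti documentation or the image; the function name audit_identity_dir is hypothetical, and the identity layout it expects (a ztAPI key plus an id object holding cert and key) is an assumption about the enrolled identity format.

```python
import json
import stat
import sys
from pathlib import Path


def audit_identity_dir(directory):
    """Return {filename: [problems]} for every *.json file in directory.

    An empty list means the file parses, has the assumed identity fields,
    and is not accessible to other local users on the host.
    """
    report = {}
    for path in sorted(Path(directory).glob("*.json")):
        problems = []
        # Host-side check only: readability inside the container depends on
        # the UID the container runs as.
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            problems.append(f"mode {mode:04o} lets group/other access the key")
        try:
            doc = json.loads(path.read_text())
        except PermissionError:
            problems.append("not readable by the current user")
        except (ValueError, UnicodeDecodeError):
            problems.append("not valid JSON")
        else:
            # Assumed layout: {"ztAPI": ..., "id": {"cert": ..., "key": ...}}
            ident = doc.get("id") if isinstance(doc, dict) else None
            if not isinstance(doc, dict) or "ztAPI" not in doc:
                problems.append("missing ztAPI")
            if not isinstance(ident, dict) or not {"cert", "key"} <= ident.keys():
                problems.append("missing id.cert or id.key")
        report[path.name] = problems
    return report


if __name__ == "__main__":
    # Default matches the ./identities bind mount in the compose file above.
    target = sys.argv[1] if len(sys.argv) > 1 else "./identities"
    results = audit_identity_dir(target)
    for name, problems in results.items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it against the directory you intend to mount; a non-zero exit status means at least one file would be skipped or is exposed to other users on the host.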