**Warning: this post isn't finished!** There is also another project to consider now at https://github.com/elestio/nebula-rest-api
From a look at the GitHub issues, it seems there are problems getting Slack's open source Nebula project to run in an Alpine Docker image. But recently someone has packaged it up, apparently on a new base image, so I downloaded that and deployed it on a Synology device.
Download the image from https://github.com/chrisx8/docker-nebula
The Docker run command is
docker run -v <NEBULA_DIR>:/nebula -d -p 4242:4242/udp --cap-add=NET_ADMIN ghcr.io/chrisx8/nebula
Let's unpack that.
The command is basically saying: using Docker, run the nebula image with the specified host folder mounted into the container at /nebula (-v), in detached mode (-d), with UDP port 4242 published from the host to the container (-p), and with the NET_ADMIN Linux capability added (--cap-add) so that Nebula can create and configure its tun network interface inside the container. Without that capability the container starts but Nebula cannot bring up its interface.
Reference
Create a folder on your Synology for storage; mine is on volume 2 and is at /docker/nebula
You'll already have the certs and config.yml files created if you've been following the previous write up.
So you'll have a folder structure like this:
    /volume2/docker/nebula/nebula
        ca.crt
        config.yml
        company.crt
        company.key
You can make a script in Synology / Control Panel / Task Scheduler with the following details (note the --cap-add=NET_ADMIN flag from the docker run command above is included here too; without it Nebula cannot create its tun interface):
    docker run -d --name=nebula \
        -p 4242:4242/udp \
        -v /volume2/docker/nebula/nebula:/nebula \
        --cap-add=NET_ADMIN \
        --restart=always \
        ghcr.io/chrisx8/nebula
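The Task Scheduler script above just runs docker; if a cert is missing or the private key was copied in world-readable, the container still starts and you only find out by reading its logs. Here is an added example (my own script, not from the post or the docker-nebula project) that checks the folder first and then runs the same docker command. It assumes the post's folder layout and image name, that the Synology has `stat -c` available (busybox and GNU stat both do), and it only actually starts the container when invoked with the argument `start`, so the checks can be run on their own.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks plus the
# docker run line for the Synology Task Scheduler.
# Assumptions: the post's folder layout and image; NEBULA_DIR can be
# overridden from the environment.
NEBULA_DIR="${NEBULA_DIR:-/volume2/docker/nebula/nebula}"
IMAGE="ghcr.io/chrisx8/nebula"
CONTAINER="nebula"

# Return 0 when every file Nebula needs is present in the given directory
# and the private key is not readable by group/other; otherwise report
# each problem on stderr and return 1.
check_nebula_dir() {
    dir="$1"
    status=0
    for f in ca.crt config.yml company.crt company.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            status=1
        fi
    done
    if [ -f "$dir/company.key" ]; then
        # %a prints the permission bits in octal (e.g. 600); works with
        # both GNU and busybox stat, which is what DSM ships.
        mode=$(stat -c %a "$dir/company.key")
        case "$mode" in
            600|400) ;;
            *) echo "company.key mode is $mode, expected 600" >&2; status=1 ;;
        esac
    fi
    return $status
}

# Print the docker run command for a given host directory, as one line.
# NET_ADMIN is required: without it Nebula cannot create its tun device.
nebula_run_cmd() {
    printf 'docker run -d --name=%s --restart=always -p 4242:4242/udp --cap-add=NET_ADMIN -v %s:/nebula %s\n' \
        "$CONTAINER" "$1" "$IMAGE"
}

# Entry point for the Task Scheduler. Replaces any previous container of
# the same name so the task can be re-run safely.
start_nebula() {
    check_nebula_dir "$NEBULA_DIR" || return 1
    docker rm -f "$CONTAINER" >/dev/null 2>&1 || true
    docker run -d --name="$CONTAINER" --restart=always \
        -p 4242:4242/udp --cap-add=NET_ADMIN \
        -v "$NEBULA_DIR:/nebula" "$IMAGE"
}

# Only start the container when explicitly asked to.
if [ "${1:-}" = "start" ]; then
    start_nebula
fi
```

Point the Task Scheduler at this file with `start` as the argument; run it with no argument (or call `check_nebula_dir` from another script) to just validate the folder.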
Or in Portainer
Alternatively, to do this with Portainer you need to have the Portainer Agent running. Note the syntax -v /volume2/@docker, which is the actual location of Docker's data on Synology, slightly different from most Linux distros:
    docker run -d -p 9001:9001 --name portainer_agent --restart=always \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /volume2/@docker/volumes:/var/lib/docker/volumes \
        portainer/agent:latest
There's a Portainer video showing how 'easy' it is to migrate from Portainer Server to adding the Agent. This didn't work for me; I had to manually add the agent connection. The instructions are in the Portainer docs and are relatively straightforward.
Portainer settings:
    Check 'Advanced'
    Manual port publishing: Host 4242 >> Container 4242
    Add the host volume: Volumes /nebula : /docker/nebula/nebula
    Capabilities / NET_ADMIN: turn on
At this point you should be able to ping your Nebula Docker container over the overlay from another Nebula node. But you can't do anything else, because by default the container has its own network namespace: the tun interface and routes that Nebula creates exist only inside the container, so nothing on the Synology host or its LAN is reachable through it.
Can we get around this with an 'unsafe route'?
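For reference, this is what an unsafe route looks like in a Nebula config.yml. It is an added example, not something from the post, and the post has not yet shown it working with the container networking above. The addresses are made-up placeholders: 10.100.0.5 stands for the Nebula overlay IP of the container on the Synology, 192.168.1.0/24 for the LAN behind it. This goes in the config of the remote node that wants to reach the LAN.

```yaml
# Added example, not from the post. Config of the remote node.
tun:
  unsafe_routes:
    # Placeholder addresses (assumed): send LAN traffic to the container's
    # overlay IP.
    - route: 192.168.1.0/24
      via: 10.100.0.5
```

Two caveats a practitioner will want: the certificate of the via node (the container, here) must have been signed with that subnet (nebula-cert sign's -subnets flag), otherwise other nodes will reject the route, and the via node must itself be able to forward packets from its tun interface onto the LAN, which is exactly what the container networking above has not yet provided. An unsafe route is also a trust decision: every node that accepts it will hand its LAN-bound traffic to the via node, so only declare the subnets that node is meant to expose.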