Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, and Windows. (Also: keep this quiet, but we have an early prototype running on iOS). It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.
Our images support multiple architectures such as x86-64, arm64 and armhf. We utilise the docker manifest for multi-platform awareness. More information is available from docker here.
Simply pulling buildsociety/nebula should retrieve the correct image for your arch.
This image provides various versions that are available via tags. latest
tag
usually provides the latest stable version. Others are considered under
development and caution must be exercised when using them.
Tag | Description |
---|---|
latest | Stable Nebula Releases |
edge | Latest Nebula Releases |
v1.2.0 | Nebula 1.2.0 Release |
Here are some example snippets to help you get started creating a container.
docker pull buildsociety/nebula:latest
and
docker run -td --cap-add=NET_ADMIN --device=/dev/net/tun -v /path/to/config:/config --name nebula buildsociety/nebula:latest
or as a privileged container:
docker run -td --privileged -v /path/to/config:/config --name nebula buildsociety/nebula:latest
User documentation for Nebula can be found at https://github.com/slackhq/nebula#readme
For testing, you can use a ConfigMap, but for production it is better to use secrets.
---
apiVersion: v1
kind: ConfigMap
metadata:
name: 'nebula-conf'
data:
nebula.conf: |
# You can insert your config.yaml here.
# You can/need also insert certificates here,
# as in the example below.
pki:
ca: |
-----BEGIN NEBULA CERTIFICATE-----
certificate data
-----END NEBULA CERTIFICATE-----
cert: |
-----BEGIN NEBULA CERTIFICATE-----
certificate data
-----END NEBULA CERTIFICATE-----
key: |
-----BEGIN NEBULA X25519 PRIVATE KEY-----
certificate data
-----END NEBULA X25519 PRIVATE KEY-----
# the rest of the config file.
and
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ...
spec:
replicas: 1
selector:
matchLabels:
app: ...
template:
metadata:
labels:
app: ...
spec:
containers:
- name: ...
- name: nebula
image: buildsociety/nebula:v1.2.0
securityContext:
capabilities:
add:
- NET_ADMIN
volumeMounts:
- mountPath: /config/config.yaml
readOnly: true
name: nebula-conf
- mountPath: /dev/net/tun
name: devnet
args: ["-config", "/config/config.yaml" ]
volumes:
- name: nebula-conf
configMap:
name: nebula-conf
items:
- key: nebula.conf
path: config.yaml
- name: devnet
hostPath:
path: /dev/net/tun
or as a privileged container:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ...
spec:
replicas: 1
selector:
matchLabels:
app: ...
template:
metadata:
labels:
app: ...
spec:
containers:
- name: ...
- name: nebula
image: buildsociety/nebula:v1.2.0
securityContext:
privileged: true
volumeMounts:
- mountPath: /config/config.yaml
readOnly: true
name: nebula-conf
args: ["-config", "/config/config.yaml" ]
volumes:
- name: nebula-conf
configMap:
name: nebula-conf
items:
- key: nebula.conf
path: config.yaml
Container images are configured using parameters passed at runtime (such as
those above). These parameters are separated by a colon and indicate
<external>:<internal>
respectively. For example, -p 8080:80
would expose
port 80
from inside the container to be accessible from the host's IP on port
8080
outside the container.
Parameter | Function |
---|---|
-v /config |
Nebula configuration directory. |
- Shell access whilst the container is running:
docker exec -it nebula /bin/sh
- To monitor the logs of the container in realtime:
docker logs -f nebula
- container version number
docker inspect -f '{{ index .Config.Labels "build_version" }}' nebula
- image version number
docker inspect -f '{{ index .Config.Labels "build_version" }}' buildsociety/nebula
Most of our images are static, versioned, and require an image update and container recreation to update the app inside. We do not recommend or support updating apps inside the container.
An automated process for upgrading your container is available via containrrr/watchtower.
By using this image, you agree to the Nebula licence