This is the RIPE Atlas software probe packaged as a Docker image.
- 1 CPU core (of course)
- 20MiB memory
- 100MiB HDD
- A Linux installation with Docker installed
- Internet access
The following prebuilt tags are available at Docker Hub:
latest,latest-probe,latest-anchor: latest stable versionv{version},v{version}-probe,v{version}-anchor: matches upstream versionedge,edge-probe,edge-anchor: whatever from the master branch
Since version 5090, we do not provide -{arch} tags anymore.
You can run the container manually with any OCI container runtime of your choice. There are some templates:
Using Docker Compose
An example docker-compose.yaml is provided.
cd contrib/docker-compose
docker compose pull
docker compose up -dUsing podman-systemd.unit
install --user=root --group=root --target /etc/containers/systemd/ -- contrib/podman-quadlet/*.container
systemctl reload
systemctl start ripe-atlas.serviceFetch the generated public key:
cat /etc/ripe-atlas/probe_key.pubRegister the probe with your public key. After the registration being manually processed, you'll see your new probe in your account.
If you don't want to use the prebuilt image hosted on the Docker Hub, you can build your own image.
DOCKER_BUILDKIT=1 docker build --tag localhost/ripe-atlas:latest-probe --target ripe-atlas-probe .Note that building this container image requires BuildKit.
Docker 27.0.1 enabled IPv6 (incl. ip6tables and NATv6) by default.
If you are on older versions: Docker does not enable IPv6 by default. If you want IPv6 support, some level of setup and a basic understanding of IPv6 is required. Swarm mode & some Kubernetes implementation supports IPv6 too with extra configuration.
If you happened to have a block of static IPv6 addresses routed to your host, you can directly assign one of the addresses to the container. Edit /etc/docker/daemon.json and add native IPv6 address blocks, then restart the Docker daemon. An example:
{
"ipv6": true,
"fixed-cidr-v6": "2001:db8:a1a3::/48"
}Notes:
- These config work on Docker for Linux only
- If
daemon.jsonexists, merge the config lines instead of directly overwriting it; if it doesn't exist, create it manually - For more info, see the official doc
If your ISP does not conform to BCOP 690 (very common), and/or your router cannot route smaller blocks of IPv6 to one server even if it has been assigned a block of valid IPv6 addresses (also very common), the method above might not work for you. As a workaround, you can setup NAT with either Docker's builtin experimental IPv6 NAT support, robbertkl/docker-ipv6nat or similar projects. Manual iptables/nftables NAT setup is also possible, but hanc marginis exiguitas non caperet.
Firstly, edit kernel parameters to enable IPv6 routing.
cat > /etc/sysctl.d/50-docker-ipv6.conf <<EOF
net.ipv6.conf.eth0.accept_ra=2
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
EOF
sysctl -p /etc/sysctl.d/50-docker-ipv6.confNotes:
- This potentially introduces more attack surface and might require you set up IPv6 firewall rules to make yourself safe
- This might break your network and your mileage may vary
- Swap
eth0with your primary network adapter name - If you use static IPv6 assignment instead of SLAAC, change
accept_rato0
Secondly, create a IPv6 NAT enabled network.
docker network create --ipv6 --subnet=fd00:a1a3::/48 ripe-atlas-network
docker run -d --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro -v /lib/modules:/lib/modules:ro --cap-drop=ALL --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=SYS_MODULE --net=host --name=ipv6nat robbertkl/ipv6nat:latestFinally, start the RIPE Atlas container with argument --net=ripe-atlas-network.
Use this recipe for auto updating the docker container.
docker run --detach --restart=always -v /var/run/docker.sock:/var/run/docker.sock --name watchtower containrrr/watchtower --cleanup --label-enableThen start the RIPE Atlas container with argument --label=com.centurylinklabs.watchtower.enable=true.
Back up /etc/ripe-atlas is enough.
If the probe is acting weird or not connecting to the server for a prelonged time without any error logs, you can try resetting the probe's internal state by deleting everything in /var/spool/ripe-atlas and /run/ripe-atlas then restarting the container.
Upstream software does not correctly use Linux capabilities(7) and tries to mess up everything by using setuid executables. So:
| Container Runtime | Container User | Network Namespace | Works | Caveats |
|---|---|---|---|---|
| root | root | separate | YES | |
| root | non-root | separate | NO | daemons does not start |
| root | root | host | ? | |
| root | non-root | host | NO | daemons does not start |
| rootless | root | separate | YES | traceroute might not work |
| rootless | non-root | separate | NO | daemons does not start |
| rootless | root | host | NO | eooqd: socket: Operation not permitted |
| rootless | non-root | host | NO | daemons does not start |
When the host distro is Debian 10 or similarly old ones, you might need to add --security-opt seccomp:unconfined to the docker run command to make things work (#19). You should upgrade your host distro ASAP.
At version 5090, upstream introduced a lot changes that require manual intervention.
- You need to update the container startup arguments. See Running for an example. Note that new permissions are required to make the directory initialization process work.
- The SSH keys are stored at
/etc/ripe-atlasnow. Pleasemv /var/atlas-probe/etc /etc/ripe-atlasand make sure they are owned by101:999(before subuid/subgid mapping, if applicable). /var/atlas-probeis not used anymore and should be removed./var/spool/ripe-atlasand/run/ripe-atlasare now used to store probe runtime info.- If you are still using
latest-{arch}tags, please update to use onlylatest.