
Inconsistent Docker usage commands #4624

@mitchplze


Edited for clarity

Hello,

The NetBird management UI seems to provide convenient docker run commands for copy/pasting that are contrary to the current NetBird documentation and other discussions.


Currently in NetBird 'create setup key' wizard ❌

The copy/paste widget provides:

docker run --rm -d \
 --cap-add=NET_ADMIN \
 -e NB_SETUP_KEY=XXXXXX \
 -v netbird-client:/var/lib/netbird \
 -e NB_MANAGEMENT_URL=https://net.mynetwork.com \
 netbirdio/netbird:latest

Currently in NetBird 'add peer' wizard ❌

The copy/paste widget provides:

docker run --rm -d \
 --cap-add=NET_ADMIN \
 -e NB_SETUP_KEY=SETUP_KEY \
 -v netbird-client:/var/lib/netbird \
 -e NB_MANAGEMENT_URL=https://net.mynetwork.com \
 netbirdio/netbird:latest

Currently in NetBird documentation

From: https://docs.netbird.io/how-to/installation/docker

NetBird makes use of eBPF and raw sockets, therefore to guarantee the client software functionality, we recommend adding the flags --cap-add=SYS_ADMIN and --cap-add=SYS_RESOURCE for docker clients. The experience may vary depending on the docker daemon, operating system, or kernel version.

The official example given is:

docker run --rm --name PEER_NAME --hostname PEER_NAME --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE -d -e NB_SETUP_KEY=<SETUP KEY> -v netbird-client:/var/lib/netbird netbirdio/netbird:latest

Further, the Docker example linked also references the above usage.

Confusion

The wizards are:

  • not adding the SYS_ADMIN capability
  • not adding the SYS_RESOURCE capability
  • not adding network_mode: host capability
  • not adding privileged: true capability
  • maybe: not adding NB_USE_NETSTACK_MODE capability (see "NB_USE_NETSTACK_MODE not documented", docs#449)

The copy/paste values provided by the two wizards are what I have used 95% of the time to deploy a node, and I only just realized the official docs are different.

This is undoubtedly possibly causing a degraded experience with my nodes, and I'm sure others have run into this too.

Less importantly, the wizards are:

  • not setting the hostname, so a random name ends up joining your network (this is possibly unavoidable)
  • not naming the container, so it cannot be easily found in the future (like with docker rm netbird -f)

IMO there should be consistent Docker usage that is officially documented, to offer the best experience.

I'm super happy to help out if possible!

Thank you.
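
The comparison made in this issue, as an added example that is not part of the original post or NetBird's own code: a shell function that, placed in front of a pasted `docker run` command, lists which flags from the docs example quoted above are absent. The names `nb_run_gaps`, `wizard_gaps` and `docs_gaps` are hypothetical, and the setup key, URL and peer name are placeholders.

```shell
#!/bin/sh
# Added example, not NetBird code. Put `nb_run_gaps` in front of a pasted
# `docker run ...` command; no output means it matches the docs example.

DOC_CAPS="NET_ADMIN SYS_ADMIN SYS_RESOURCE"   # caps in the docs example on this page

nb_run_gaps() (   # subshell body keeps the variables local
    caps=" " name=0 host=0 all=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            --cap-add=*) val=${arg#--cap-add=} ;;
            --cap-add)   val=${1-}; [ $# -gt 0 ] && shift ;;
            --privileged|--privileged=true) all=1; continue ;;  # grants every capability
            --name|--name=*) name=1; continue ;;
            --hostname|--hostname=*|-h) host=1; continue ;;
            -e|--env|-v|--volume) [ $# -gt 0 ] && shift; continue ;;  # skip the value
            *) continue ;;
        esac
        # Normalise spellings such as cap_sys_admin to SYS_ADMIN.
        val=$(printf '%s' "$val" | tr 'a-z' 'A-Z'); val=${val#CAP_}
        [ "$val" = ALL ] && all=1
        caps="$caps$val "
    done
    if [ "$all" -eq 0 ]; then
        for c in $DOC_CAPS; do
            case $caps in *" $c "*) ;; *) echo "missing --cap-add=$c" ;; esac
        done
    fi
    [ "$name" -eq 1 ] || echo "missing --name"
    [ "$host" -eq 1 ] || echo "missing --hostname"
)

# Wizard command from this page (setup key and URL are placeholders).
wizard_gaps() {
    nb_run_gaps docker run --rm -d --cap-add=NET_ADMIN \
        -e NB_SETUP_KEY=XXXXXX -v netbird-client:/var/lib/netbird \
        -e NB_MANAGEMENT_URL=https://net.mynetwork.com netbirdio/netbird:latest
}

# Docs command from this page (PEER_NAME and SETUP_KEY are placeholders).
docs_gaps() {
    nb_run_gaps docker run --rm --name PEER_NAME --hostname PEER_NAME \
        --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE -d \
        -e NB_SETUP_KEY=SETUP_KEY -v netbird-client:/var/lib/netbird \
        netbirdio/netbird:latest
}

wizard_gaps   # prints the four differences listed in the issue
```

The function only reports differences from the docs example on this page; it does not judge whether a given deployment needs the extra capabilities.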
