Add identity to new container in docker-compose quickstart

This is generally because of edge router policies, or service edge router policies.

You can check whether the overlay thinks you have the proper permissions using policy advisor:

ziti edge policy-advisor identities -q

(or ziti edge policy-advisor services -q)

Verify you have at least one edge router policy and at least one service edge router policy.

Generally, I would recommend your service edge router policy grant #all services access to #all edge routers.

A good edge router policy grants #all identities access to #public edge routers leaving "private" or "otherly" marked edge routers out of the equation.

Then you need to verify your edge routers have at least one matching attribute (in this case, #public would be what I'd recommend, indicating the router is "generally available on the public internet").

Hope that helps?

You'll need at least one router that is online and in-common. Here's how to check.

  1. Is the router online? Run ziti edge list edge-routers. One of the columns in the table is online status.
  2. Is the router in-common? This means that the client identity, the hosting identity, and the service all have permission to use the router. Run ziti edge policy-advisor services --quiet open-webui-service. This will simulate the relevant policies for the service and show you which identities have dial permission and which have bind permission.

Here's an example report from policy-advisor indicating that the correct identities have the right permissions (dial vs. bind), but there are no online routers in-common.

ERROR: open-webui-host (1) -> open-webui-service (1) Common Routers: (0/1) Dial: N Bind: Y 
  - Common edge routers are all off-line. Bring routers back on-line or adjust edge router policies and/or service edge router policies to increase common router pool.

ERROR: bivalve.felt.laptop (1) -> open-webui-service (1) Common Routers: (0/1) Dial: Y Bind: N

Ok, I think I got the router working, although I had to do it from the ZAC. The CLI commands didn't work for me locally nor in my controller VM on AWS, which might suggest another configuration problem...

I see in my ziti-host tunneler logs in docker desktop that the edge router is connected now and I configured it loosely like you suggested, giving #all/#public access, etc.

However, I still can't curl the service or navigate to it from my browser, so I am not sure what I did wrong.

This is my docker compose file:

services:
  ziti-host:
    image: openziti/ziti-host:latest
    volumes:
      - ziti-host:/ziti-edge-tunnel
    environment:
      - ZITI_ENROLL_TOKEN
    networks:
      - ziti-network

  open-webui-ziti:
    image: ghcr.io/open-webui/open-webui:main
    container_name: open-webui-ziti
    volumes:
      - open-webui-ziti:/app/backend/data
    restart: always
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    depends_on:
      - ziti-host
    networks:
      - ziti-network

volumes:
  ziti-host:
  open-webui-ziti:

networks:
  ziti-network:
    driver: bridge

and this is the configuration I have on my host.v1

{
  "_links": {
    "self": {
      "href": "./configs/6KxaZLySLBZKB4x5iSbIRt"
    }
  },
  "createdAt": "2024-11-26T23:10:05.214Z",
  "id": "6KxaZLySLBZKB4x5iSbIRt",
  "tags": {},
  "updatedAt": "2024-11-27T16:00:56.035Z",
  "configType": {
    "_links": {
      "self": {
        "href": "./config-types/NH5p4FpGR"
      }
    },
    "entity": "config-types",
    "id": "NH5p4FpGR",
    "name": "host.v1"
  },
  "configTypeId": "NH5p4FpGR",
  "data": {
    "protocol": "tcp",
    "address": "open-webui-ziti",
    "port": 8080,
    "httpChecks": [],
    "portChecks": []
  },
  "name": "ollama.host.v1"
}

I have noticed that when I set the address in the host.v1 config in the ZAC, if I leave and then re-enter the config entry, the address is not persisted... So something seems off there too.

Got it working! The problem turned out to be the address I had configured in my intercept.v1 config. I had set the address to be open-webui-ziti but it didn't like the dashes. I changed it to open.webui.ziti and it started working.


Cool, glad to hear you got this sorted. FYI, it's not the hyphens causing the issue, it's the fact that the intercept is a hostname. DNS resolution can be fickle. It's always best to use a FQDN, something that contains a period. So when you switched over to "open.webui.ziti", the two periods turn it from a hostname to an FQDN. That's the key. If you put back "open-webui.ziti" it'd work too.

Cheers

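The point in the reply above (a bare hostname such as open-webui-ziti vs. a dotted name such as open-webui.ziti) can be checked before a config is saved. The following is an added example, not part of the thread or of the ziti tooling: it validates the addresses of an intercept.v1 config and flags single-label hostnames, leaving IP addresses and CIDR ranges alone since they never go through DNS. The intercept.v1 documents are constructed to mirror the before/after state described in the thread, and their field layout (`addresses`, `protocols`, `portRanges`) is assumed.

```python
import ipaddress
import re

# Constructed intercept.v1 configs mirroring the thread's before/after state
# (field layout assumed; only "addresses" is inspected).
INTERCEPT_V1_BEFORE = {
    "name": "ollama.intercept.v1",
    "data": {"protocols": ["tcp"], "addresses": ["open-webui-ziti"],
             "portRanges": [{"low": 8080, "high": 8080}]},
}
INTERCEPT_V1_AFTER = {
    "name": "ollama.intercept.v1",
    "data": {"protocols": ["tcp"], "addresses": ["open.webui.ziti"],
             "portRanges": [{"low": 8080, "high": 8080}]},
}

# One DNS label: 1-63 chars of letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(address):
    """True for a dotted DNS name with valid labels, e.g. open.webui.ziti or open-webui.ziti."""
    labels = address.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def is_ip_or_cidr(address):
    """True for a literal IP address or CIDR range, which bypasses DNS entirely."""
    try:
        ipaddress.ip_network(address, strict=False)
        return True
    except ValueError:
        return False


def check_intercept(config):
    """Return one warning per intercept address that is a bare (single-label) hostname."""
    warnings = []
    for addr in config["data"]["addresses"]:
        if is_ip_or_cidr(addr):
            continue
        # Wildcard intercepts like *.webui.ziti are judged on the part after "*."
        candidate = addr[2:] if addr.startswith("*.") else addr
        if not is_fqdn(candidate):
            warnings.append(
                f"{config['name']}: '{addr}' is a bare hostname; use a FQDN such as '{addr}.ziti'"
            )
    return warnings


if __name__ == "__main__":
    for cfg in (INTERCEPT_V1_BEFORE, INTERCEPT_V1_AFTER):
        print(cfg["data"]["addresses"], "->", check_intercept(cfg) or "OK")
```

Running it against the "before" config produces the warning; the "after" config (or the "open-webui.ziti" variant suggested in the reply) passes cleanly.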

Could you explain how this is implemented to have a new server in the "green" network that is separate from the other networks using this complex docker compose file?

I'm trying to understand how to do this using this link but find it confusing:

Does an identity have to be created for both the ziti-host container and the new-ubu-svr to be incorporated into the service?

Sure. Would you mind if I split your question into a new top-level question? (or just ask a new question) It's different enough that it feels like it could be a whole new forum topic. Thx. If you ask the question yourself, just link back here for context (or just let me know and I'll take care of it).

Sure - I've just created a new question for it
