Add new service on a separate "green" network in docker compose quickstart

Could you explain how the above is implemented to have a new server in the "green" network that is separate from the other networks using this complex docker compose file?

I'm trying to understand how to do this using this link but find it confusing:

Does an identity have to be created for both the ziti-host container and the new-ubu-svr to be incorporated into the service?

Let me start (officially) by welcoming you to the community! Welcome to the community and to OpenZiti (and zrok/BrowZer)!

You're using the "complex" docker compose environment. Docker adds some layers of complexity to a deployment. Although it's pretty darn good overall, there are just some things it makes more challenging.

Before I get too far just so I understand, you're looking to reach into a NEW, green network. Right? Something like this? Assuming that's what you're trying to do and understand, do you know what you want to do with that green network? Are you looking to have the blue server communicate to the green? Or something else entirely?

Thanks for the welcome !

I was just trying to deploy a basic webserver in the green network as a start using the host configuration mentioned in the previous post - but as you mention it, how do you further expand that to have connectivity from the blue network into it as well if wanted?

:man_facepalming:
I didn't see that I had already made this diagram! I looked for it in that thread and missed it! I made this whole second image for nothing. :slight_smile:

I'm going to make some decisions on your behalf to just simplify things on my side (wrt docker).

So here is what I would do based on our limited interactions so far (I just need to assume some things and we can refine).

Prerequisites

I'll also assume you found the section on that page about docker and the hosts file and have that complexity all sorted. Local - Docker Compose | OpenZiti... So I'll assume you have the basics sorted (perhaps a bad decision but I'm starting there):

  • I'll also assume you have a tunneler installed on your local OS
  • you have made an identity for that tunneler
  • you have passed traffic before using an OpenZiti overlay

Join the Green Network to the Complex Docker Compose

To join the green network, you'll need to do a couple of things:

  • make a docker network named "zitigreen"
  • add zitigreen to the ziti-controller container and the ziti-edge-router (this gives the green network the ability to reach the controller and router, which is mandatory)
  • deploy a ziti-router into the green network
  • deploy your server into the green network
  • create an openziti service allowing the green router to offload data back to the underlay network towards the green server
  • authorize your green network router to 'bind' the green service
  • authorize your identity to dial (connect) to the service

I'm glossing over all the details here - I'm not sure if you need them or not yet but figured it's easier to reply and get more details and we can move along together. It's my end of day today so I'll be offline until tomorrow but I'll look for your reply. Maybe that will give you enough information, but if not we can keep moving forward.

Blue Server Dialing Green Server

This is more complex. This requires you to assign the blue router to the blue server as the network of the blue server, effectively melding the two containers' networks together. You'll also need to enable tproxy on the blue router. This is what I was starting to talk about in this comment. This relies on a feature of docker compose named: network_mode. You assign one container as the network of another. You can see examples of that here:

A very reduced example is:

services:
  ziti-router:
   [stuff redacted for brevity]
    networks:
      - zitigreen
  other-service:
    image: busybox
    network_mode: service:ziti-router # HERE'S THE GOODS

Hopefully that helps. If you're still stuck, this would make another good ziti tv... Maybe I'll do a livestream tomorrow about this topic and you can join if you can (and if you want). :slight_smile:

Thanks for the detail - I’ll go over this and come back to you in the morning with some questions. If you could do a live demo on zititv tomorrow it would be really welcome

I'll probably do a second Ziti TV live at 1 pm ET tomorrow. The first one will be covering some application embedded go code so I'll leave that as is. Then I'll just set another one up at 1PM ET, you can join and chat or catch the replay. I'll make it an 'office hours' as well and I'll hang out on the stream in case there's any other random questions, maybe review "this week in discourse" as well :slight_smile:

Here's the 1PM stream link:

Will do, thanks for setting this up

Yes, I've done the Prerequisites you described above and created a green network and green webserver which I can access as a ziti service on http://green.ziti - I did this by adding "green" components to what you have in the existing compose file for the existing blue/red networks etc.

Interested to see how you Blue Server Dialing Green Server is done

I've watched along on youtube - look forward to seeing the updated video and info on this - thanks for the effort today.

I thought you were going to be looking at this today based on original post:

So I'm glad you showed what you did today as I was looking completely at the wrong thing!

Hopefully you can get resolution soon for today to see it


Thanks for hanging in there today. I did eventually get it sorted and of all things -- it came down to WSL on Windows not having the xt_TPROXY module. So -- lesson learned by me to not use WSL for tproxy stuff...

Here's the shortest list of steps that can accomplish the goal and demonstrate a container intercepting a fictitious DNS entry and sending it to another container. Hopefully it's clear. I'll record a super short video for this soon.

Terminal 1

curl -so docker-compose.yaml https://get.openziti.io/dock/docker-compose.yml
curl -so .env https://get.openziti.io/dock/.env

edit the ZITI_PWD to admin (or replace the admin password used below)

add this to the docker compose file.

  • to ziti-controller service, add this network:

        extranet:
          aliases:
            - ziti-edge-controller

  • to ziti-edge-router service, add this network:

        - extranet

  • to networks, declare an external network:

        extranet:
          external: true


Then, create the extranet network. This network is just meant to be sort of like 'the internet' or the 'green' network (you could call it zitigreen of course):

docker network create extranet

bring up the compose file:

docker compose up

Terminal 2

establish a name for the intercepting router, login to the ziti controller and create the router (deleting it is not necessary but lets you re-run these steps if you want)

router_name="intercepting-router"
ziti edge login localhost:1280 -u admin -p admin -y
ziti edge delete edge-router "${router_name}"
ziti edge create edge-router "${router_name}" -o "${router_name}.jwt" -t

once that's done, you can run a new container (i didn't use compose to try to keep it simpler, dunno if it makes it easier or not to follow/understand). Note that I use --rm here so when the container terminates, you'll lose the router. Again it was to make it so you can run all the commands over and over if you like... Also note the addition of the -e param for the control plane port. You could also simply edit the .env file if you want as well:

docker run --rm \
	--env-file .env \
	--name intercepting-router \
	--user root \
	--dns 127.0.0.1 \
	--dns 1.1.1.1 \
	--env ZITI_ROUTER_MODE=tproxy \
	--env ZITI_CTRL_ADVERTISED_PORT=6262 \
	--cap-add NET_ADMIN \
	--network extranet \
	--env ZITI_ENROLL_TOKEN="$(< intercepting-router.jwt)" \
	openziti/ziti-router

Terminal 3

Configure the new intercepting router to be able to intercept traffic for the web-test-blue http server, configure a service and authorize the dial/bind containers

router_name="intercepting-router"
binder="ziti-private-blue"
dialer="${router_name}"

ziti edge login localhost:1280 -u admin -p admin -y

ziti edge delete service-policy "http-web-test-blue.dial"
ziti edge delete service-policy "http-web-test-blue.binder"
ziti edge delete service "http-web-test-blue.svc"
ziti edge delete config "http-web-test-blue.intercept.v1"
ziti edge delete config "http-web-test-blue.host.v1"

ziti edge create config "http-web-test-blue.intercept.v1" intercept.v1 \
	'{"protocols":["tcp"],"addresses":["http-web-test-blue.ziti"], "portRanges":[{"low":8000, "high":8000}]}'

ziti edge create config "http-web-test-blue.host.v1" host.v1 \
	'{"protocol":"tcp", "address":"web-test-blue","port":8000 }'
	
ziti edge create service "http-web-test-blue.svc" \
	--configs "http-web-test-blue.intercept.v1","http-web-test-blue.host.v1"

ziti edge create service-policy "http-web-test-blue.dial" Dial \
	--service-roles "@http-web-test-blue.svc" \
	--identity-roles "@${dialer}" 
	
ziti edge create service-policy "http-web-test-blue.binder" Bind \
	--service-roles "@http-web-test-blue.svc" \
	--identity-roles "@${binder}" 

Let the containers receive the update (about 15 seconds ish?) and then -- use the intercepting router container in some other container to run a curl:

docker run \
	--rm \
	--name intercepting-client \
	--network container:intercepting-router \
	openziti/quickstart curl -s http://http-web-test-blue.ziti:8000

Assuming everything works, you'll see the ziti logo:

cd@deb12:~/docker-demo/complex$ docker run \
        --rm \
        --name intercepting-client \
        --network container:intercepting-router \
        openziti/quickstart curl -s http://http-web-test-blue.ziti:8000
<pre>
Hello World


                        ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                        :::::::::::::::::::,::$77777777777777,:,::::::::::::::::::::
                        ::::::::::::::::::77777777777777777777777~,:::::::::::::::::
                        :::::::::::::::77777777777777II7777777777777,:::::::::::::::
                        ::::::::::::$777777777777777I.:7777777777777777,::::::::::::
                        ::::::::::77777777777777777I...I7777777777777777I:::::::::::
                        :::::::::77777777777777777I....?777777777777777777::::::::::
                        :::::::$77777777777777777I......77777777777777777777::::::::
                        ::::::777777777777777777I.......I77777777777777777777,::::::
                        :::::777777777777777777I....?...?777777777777777777777::::::
                        :::,777777777777777777I....I7?...777777777777777777777$:::::
                        :::777777777777777777I....I77I...I777777777777777777777$::::
                        :::77777777777777777I....I7777...?7777777777777777777777::::
                        ::77777777777777777I....I77777?..,77777777777777777777777:::
                        ::7777777777777777I....I777777I...I77777777777777$7$$$$7$,::
                        :$777777777777777I....I77777777...?7777777777777$$77777777::
                        :777777777777777I ...I777II7777?...I.I7777777$777777777777::
                        :77777777777777I....I777I..7777I.......?I777$$$$$77$$$$7$$::
                        :7777777777777I....?I77I...I7777..........I777777$$$$$7$$$,:
                        :77777777777777?..  .??.   ?7777?  ..??.   .?7$7$$$7$$$$$7::
                        ,7777777777777777I..........I$77I...I777?....77777$7$$$$$$,,
                        :7777777777777777777?.......I7$$7..I777I....7$$$$$$$$$$$$$::
                        :777777777777777777777I.I=..?77777777$7....77$$$$$$$$7$$$$::
                        :777777777777777777777777I...I$7777777....77$$$$$$$$$$$$$$::
                        ::77777777777777$7$7$$$$$I...?7$$7$77....7$$$$$$$$$$$$$$$:::
                        ::777777777777777777$$$777+..~77$$7I....77$$$$$$$$$$$$$$$:::
                        :::77777777777777777777$$7I...7$$$I....7$7$$$$$$$$$$$$$$::::
                        :::Z77777777$7777777777$77I...?$77....I$$$$$$$$$$$$$$$$$::::
                        ::::77777$$$$$7777$$$$$$$$7:..+77....I$$$$$$$$$$$$$$$$$:::::
                        :::::77777$777$$$$777$$$$77I...I....I$$$$$$$$$$$$$$$$$::::::
                        ::::::$7777777$7777$$$7$$$$I...... I$$$$$$$$$$$$$$$$7:::::::
                        :::::::?$$$$$$$$$$$$$$$$$$$7=.....I$$$$$$$$$$$$$$$$=::::::::
                        :::::::::7$$$$$7$$$$$$$$$$$$?....77$$$$$$$$$$$$$$$::::::::::
                        ::::::::::,7$$7$$$$$$$$$$$$$7...I$$$$$$$$$$$$$$$::::::::::::
                        ::::::::::::~$$$$$$$$$$$$$$$7?.I$$$$$$$$$$$$$$::::::::::::::
                        :::::::::::::::$$$$$$$$$$$$$$77$$$$$$$$$$$$$::::::::::::::::
                        ::::::::::::::::::7$$$$$$$$$$$$$$$$$$$$$$:::::::::::::::::::
                        :::::::::::::::::::::::$$$$$$$$$$$$$::::::::::::::::::::::::
                        ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


</pre>
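The WSL lesson above is worth turning into a pre-flight check. The router container shares whatever kernel Docker is running on (on Windows that is the WSL2 kernel), so `--cap-add NET_ADMIN` cannot help when that kernel has no TPROXY netfilter target: the router will start, but its intercept rules will fail to install. The script below is an added example, not code from the thread or from the OpenZiti project. It reads the running kernel's config (`/proc/config.gz`, which WSL2 kernels expose, or `/boot/config-<release>`), reports whether `CONFIG_NETFILTER_XT_TARGET_TPROXY` is built in, a module or absent, and for the module case does a `modprobe -n` dry run of `xt_TPROXY`. The config paths and the `auto` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenZiti project): verify that
# the kernel the router container will run on provides the TPROXY netfilter
# target that ZITI_ROUTER_MODE=tproxy needs.

# Report a CONFIG_ symbol's state in an uncompressed kernel config:
# "builtin" (=y), "module" (=m) or "missing" (absent or "is not set").
kconfig_state() {
    _line=$(grep "^$2=" "$1" 2>/dev/null | head -n 1)
    case "$_line" in
        "$2=y") echo builtin ;;
        "$2=m") echo module ;;
        *)      echo missing ;;
    esac
}

# Find the running kernel's config: /proc/config.gz (WSL2 kernels expose
# it) or /boot/config-<release>. Prints the path of a readable plain-text
# copy, or nothing if neither exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        _tmp=$(mktemp) && gzip -dc /proc/config.gz > "$_tmp" && echo "$_tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# State of the TPROXY target in the given config ("auto" = running kernel).
# Prints the state; returns 0 only when it is built in or a module.
tproxy_state() {
    _cfg=$1
    [ "$_cfg" = auto ] && _cfg=$(running_kernel_config)
    if [ -z "$_cfg" ]; then
        echo unknown
        return 2
    fi
    _state=$(kconfig_state "$_cfg" CONFIG_NETFILTER_XT_TARGET_TPROXY)
    echo "$_state"
    [ "$_state" = builtin ] || [ "$_state" = module ]
}

# A module symbol still has to be loadable on this host; -n is a dry run,
# so nothing is changed.
tproxy_module_loadable() {
    modprobe -n xt_TPROXY >/dev/null 2>&1
}

main() {
    _s=$(tproxy_state "$1")
    case "$_s" in
        builtin) echo "TPROXY target built into the kernel: tproxy mode can work" ;;
        module)
            if tproxy_module_loadable; then
                echo "TPROXY target available as module xt_TPROXY: tproxy mode can work"
            else
                echo "kernel config lists xt_TPROXY as a module but modprobe cannot find it"
                return 1
            fi ;;
        *)  echo "TPROXY target not available ($_s): the router will fail to install its intercept rules"
            return 1 ;;
    esac
}

# usage: sh tproxy-check.sh auto                 (inspect the running kernel)
#        sh tproxy-check.sh /path/to/kernel-config
[ $# -eq 0 ] || main "$1"
```

Run it on the Docker host (inside WSL on Windows), not inside the container; with no argument it only defines the functions so it can be sourced. A non-zero exit means pick a different host for the tproxy router rather than debugging the container.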

Thank you - will remember about WSL!

When you do the video can you do it with docker compose file please as easier follow for me - great you got sorted for us

I've added the below to the docker-compose file I downloaded as part of the initial setup:

services:
  intercepting-router:
    image: openziti/ziti-router
    container_name: intercepting-router
    env_file:
      - .env
    environment:
      - ZITI_ROUTER_MODE=tproxy
      - ZITI_CTRL_ADVERTISED_PORT=6262
      - ZITI_ENROLL_TOKEN=${ZITI_ENROLL_TOKEN} # Dynamically set from the .env file
    user: root
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
    networks:
      - zitigreen
    entrypoint: >
      sh -c "export ZITI_ENROLL_TOKEN=$(cat intercepting-router.jwt) && exec ziti-router"

networks:
  zitigreen:
    driver: bridge

I have this in .env file:

# OpenZiti Variables
ZITI_IMAGE=openziti/quickstart
ZITI_VERSION=1.1.11

# the user and password to use
# Leave password blank to have a unique value generated or set the password explicitly
ZITI_USER=admin
ZITI_PWD=myziti

ZITI_INTERFACE=0.0.0.0

# controller name, address/port information
ZITI_CTRL_NAME=ziti-controller
ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=ziti-edge-controller
ZITI_CTRL_ADVERTISED_ADDRESS=ziti-controller
#ZITI_CTRL_EDGE_IP_OVERRIDE=10.10.10.10
#ZITI_CTRL_EDGE_ADVERTISED_PORT=8441
#ZITI_CTRL_ADVERTISED_PORT=8440

# The duration of the enrollment period (in minutes), default if not set. shown - 7days
ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=10080
ZITI_ROUTER_ENROLLMENT_DURATION=10080

# router address/port information
#ZITI_ROUTER_NAME=ziti-edge-router
#ZITI_ROUTER_ADVERTISED_ADDRESS=ziti-edge-router
#ZITI_ROUTER_PORT=8442
#ZITI_ROUTER_IP_OVERRIDE=10.10.10.10
#ZITI_ROUTER_LISTENER_BIND_PORT=8444
#ZITI_ROUTER_ROLES=public
ZITI_ENROLL_TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IjkxZjUzNGYyMWY3YTVkODc1OTYwMDRlODM2MWY1MDUyMzI4MmY1ZDMiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL3ppdGktZWRnZS1jb250cm9sbGVyOjEyODAiLCJzdWIiOiJ5R3dhYTFxbUEiLCJhdWQiOlsiIl0sImV4cCI6MTczNDgwNDQzOSwianRpIjoiNDkwOTI2OWItZDRiYS00OGRlLWIzN2YtNTc2MzM5N2I1N2UwIiwiZW0iOiJlcm90dCIsImN0cmxzIjpudWxsfQ.qatB2OA7nGO4uVO0D634ZVDpzOFSm-vDlNzjOuTkVX7HbWYUJm65b-z0XEy6fBiqm6Zq6MzM0gv7nUsEeAKA1sOb6S8xb3gvrSjvPFLd-0wbcv8zlaX3YRiYFmB_Td5uMlyPsyHv6nJYcEX918Lo6EWpZbyvlkEjxN6zOUp3xSghPJkuKqrPynmNscZQzeVA5nqQGAu7iAQb-HlV-OgTWmoBTu9lTsKp6ksITd7C94RFiD6QfkrDSxVp_hjdMDdnjyLtcihXQx-a0a61zbpeEQ6wdncyw0kiSEDSJ8csAa7I_03S6uWv_jEI8ffwPNyBQxLIxwDxxC4Qmjtf1y_qf-wACHJh3g34qmzqQ3vTqCuF-LXjUBJIacNg5yUubRYYcJd5FiBhhUEjyija7QDnzd67tccBUjROg8iY5kD0yCcsGvkK-FTdb7XsfoK11woMJc7XvM2IzQqGSkPXtrh4USkzCqSDeNUjC83biS3uLgQg3RsJHwzUmYSP7rEMiAzkQx-QvIBKAEH8PvBags8DUoc1J5t0VbP6CdPgK6ixBYZL72-u6EzoRY3h-W_EmjMlp3qRNOLOMlQgqc8kjyOFzBRvGGDgOsOTWltAlpRD8g3JXuFNXHprkCOxbFgnsTzClkqigDXL9-qCSuY5gjkixA-NE79Uu6VX0AQsaqJcyK0

But when I look in ZAC after bringing it all up it's not enrolled:

Am I missing something in compose for the enrollment ?

My guess is that your intercepting-router wasn't able to contact the controller. Could you look through the logs in that router for some sort of clues as to what went wrong?
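Two things are worth checking before re-running the compose environment after a failed enrollment, and both can be read straight out of the router's enrollment JWT: whether the token is still inside its enrollment window (the `.env` above sets `ZITI_ROUTER_ENROLLMENT_DURATION=10080` minutes, and a token left over from an earlier `ziti edge create edge-router` may have expired), and which controller name the router will dial. The `iss` claim of the token pasted above is `https://ziti-edge-controller:1280`; that hostname must resolve on the network the router container is attached to, which is exactly what the `ziti-edge-controller` alias on the extranet network earlier in this thread provides. The script below is an added example, not code from the thread or from the OpenZiti project. It assumes GNU coreutils (`base64 -d`) and `sed`; the claim extractor is a regex over the flat claims an enrollment token carries, not a general JSON parser, and `JWT_NOW` is a hook this example adds so the clock can be pinned in tests.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenZiti project): decode the
# router enrollment JWT before handing it to the container, so an expired
# token or a controller name the router's network cannot resolve is caught
# up front instead of in the container logs.

# Decode one base64url segment of a JWT (restores the '=' padding that the
# standard base64 decoder requires).
b64url_decode() {
    _s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#_s} % 4 )) in
        2) _s="${_s}==" ;;
        3) _s="${_s}=" ;;
    esac
    printf '%s' "$_s" | base64 -d 2>/dev/null
}

# Print the JSON payload (second segment) of a JWT.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a top-level claim value (quoted string or bare number).
# Sufficient for the flat claims of an enrollment token; not a JSON parser.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# 0 if exp is still at least $2 seconds (default 0) in the future,
# 1 if expired, 2 if the token has no exp claim.
enroll_token_valid() {
    _exp=$(jwt_claim "$1" exp)
    [ -n "$_exp" ] || return 2
    _now=${JWT_NOW:-$(date +%s)}   # JWT_NOW: test hook to pin the clock
    [ "$_exp" -gt $(( _now + ${2:-0} )) ]
}

# Hostname part of the issuer URL: this is the name the router resolves
# when it enrolls, so it must exist on the router's docker network.
enroll_controller_host() {
    jwt_claim "$1" iss | sed -e 's#^[a-z]*://##' -e 's#[:/].*$##'
}

main() {
    _tok=$(cat "${1:?usage: $0 <router>.jwt}")
    if enroll_token_valid "$_tok" 300; then
        echo "token valid until epoch $(jwt_claim "$_tok" exp)"
    else
        echo "token expired, missing exp, or malformed: re-create the router and a fresh jwt"
        return 1
    fi
    _host=$(enroll_controller_host "$_tok")
    echo "router will enroll against '$_host'; that name must resolve on the router's network"
}

# usage: sh enroll-token-check.sh intercepting-router.jwt
[ $# -eq 0 ] || main "$1"
```

Run it against the `.jwt` file right before `docker compose up`; if the printed host is `ziti-edge-controller`, confirm from inside the router's network (for example `docker run --rm --network extranet busybox nslookup ziti-edge-controller`) that the alias is actually there.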

Here you go, same thing but with compose and an endless looping curl from the green container to the blue container:

compose.yml

First things first, bring the docker-compose environment up using an externally defined network as before (extranet or zitigreen). Also notice the complex env file is referenced along with a second .env file that will contain the token to enroll with. Here's my compose:

services:
  intercepting-router:
    image: "openziti/ziti-router"
    env_file:
      - ../complex/.env
      - ./intercepting-router.env
    user: root
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
    environment:
      - ZITI_CTRL_ADVERTISED_ADDRESS=${ZITI_CTRL_ADVERTISED_ADDRESS:-ziti-controller}
      - ZITI_CTRL_ADVERTISED_PORT=${ZITI_CTRL_ADVERTISED_PORT:-6262}
      - ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=${ZITI_CTRL_EDGE_ADVERTISED_ADDRESS:-ziti-edge-controller}
      - ZITI_CTRL_EDGE_ADVERTISED_PORT=${ZITI_CTRL_EDGE_ADVERTISED_PORT:-1280}
      - ZITI_ROUTER_NAME=intercepting-router
      - ZITI_ROUTER_ADVERTISED_ADDRESS=intercepting-router
      - ZITI_ROUTER_ROLES=intercepting-router
      - ZITI_ROUTER_MODE=tproxy
      - ZITI_CTRL_ADVERTISED_PORT=6262
      - ZITI_BOOTSTRAP_CONFIG_ARGS="--private"
    networks:
      - extranet
    volumes:
      - ziti-fs:/persistent

  intercepting-client:
    image: openziti/quickstart
    command: >
      bash -c '
        while true; do
          curl -s http://http-web-test-blue.ziti:8000
          sleep 5
        done
      '
    network_mode: service:intercepting-router

networks:
  extranet:
    external: true

volumes:
  ziti-fs:

Script to rerun the container

These steps will recreate the service/configs/service-policies, recreate the router and save its token into a separate .env file (intercepting-router.env) with a single entry -- the token. Then they call down -v and up.

router_name="intercepting-router"
binder="ziti-private-blue"
dialer="${router_name}"

ziti edge login localhost:1280 -u admin -p admin -y
ziti edge delete edge-router "${router_name}"
ziti edge create edge-router "${router_name}" -o "${router_name}.jwt" -t

ziti edge delete service-policy "http-web-test-blue.dial"
ziti edge delete service-policy "http-web-test-blue.binder"
ziti edge delete service "http-web-test-blue.svc"
ziti edge delete config "http-web-test-blue.intercept.v1"
ziti edge delete config "http-web-test-blue.host.v1"

ziti edge create config "http-web-test-blue.intercept.v1" intercept.v1 \
	'{"protocols":["tcp"],"addresses":["http-web-test-blue.ziti"], "portRanges":[{"low":8000, "high":8000}]}'

ziti edge create config "http-web-test-blue.host.v1" host.v1 \
	'{"protocol":"tcp", "address":"web-test-blue","port":8000 }'
	
ziti edge create service "http-web-test-blue.svc" \
	--configs "http-web-test-blue.intercept.v1","http-web-test-blue.host.v1"

ziti edge create service-policy "http-web-test-blue.dial" Dial \
	--service-roles "@http-web-test-blue.svc" \
	--identity-roles "@${dialer}" 
	
ziti edge create service-policy "http-web-test-blue.binder" Bind \
	--service-roles "@http-web-test-blue.svc" \
	--identity-roles "@${binder}" 

echo -n "ZITI_ENROLL_TOKEN=" > intercepting-router.env
cat "${router_name}.jwt" >> intercepting-router.env

docker compose down -v; docker compose up

When done - you'll see the ziti logo over and over :slight_smile:

Alright, video is uploaded:

This video demonstrates bringing up a new compose environment along with the complex docker compose environment, demonstrating using an OpenZiti tunneler as the network for a separate docker container, providing intercept capability to another container.

Commands run in the video:


I recorded this narrated tour of the ziti router's tproxy mode to make adopting it in Docker easier.

I'm thinking of refreshing the Docker router deployment guide, or maybe just adding some use case samples so people can pick and choose.
