Hi guys! I need your help!
I'm exploring Ziti in order to making Zero Trust the communication between two "services". More specifically the context is the following:
- One container runs a python script which should simulate a PLC and it's listening on port 102 for incoming connections;
- Another container runs the client script file and connects to PLC making it "doing something"
Reading Ziti doc i found out i need:
- One Ziti Tunnel to intercept traffic client side;
- One Ziti Tunnel to intercept taffic server side;
- One Ziti Controller to be configured (also default configuration is fine);
- One Ziti Edge Router to be configured in order to be used only by server and client (NO BODY ELSE!)
While reading and searching i also found out the video which explains very well the quickstart with docker compose hello world example, but i still feel not confident on what i'm doing. For this reason i want to ask you: do you think it's better to configure manually the openziti/ziti-controller container (and same for the router)? If so, how? I didn't find too many information about how to configure step by step every single container! In addition, tunnels need a container as well? How can i configure an edge router to be a tunnel too?
Thanks a lot in advance guys and sorry for my english!! I hope you can help me!
Welcome, @dime1897! I'll suggest an overview after clarifying a couple of things.
Before you can build your services, you'll need an OpenZiti network. You can do this with a temporary quickstart or run one of the deployment guides for Linux, Docker, or Kubernetes to set up a network (control plane and router data plane).
Then, to clarify how you need to build the OpenZiti service, the service's client and server will both be running in a Docker container, right?
1 Like
Yes, i've two containers: one runs the server, the other one the client. The idea is to simulate a PLC with one container and the associated HMI with the other!
Let's solidify your plan for setting up the OpenZiti network first. Then, we'll focus on building the service for those client and server containers.
I assume you have a public Docker host with a DNS record like ziti.example.com
.
On that host, you can publish ports 1280,3022/tcp with this all-in-one OpenZiti network quickstart.
You need only the compose.yml
file in that part of the Git repository (https://get.openziti.io/dock/all-in-one/compose.yml).
e.g., create an .env
file with appropriate values for your public Docker host and run docker compose up
.
ZITI_CTRL_ADVERTISED_ADDRESS=ziti.example.com
ZITI_PWD=ziggy123
ZITI_HOME=./config # optionally save state in a folder on the Docker host instead of Docker volume
If you'd prefer a more prod-like Docker setup then we can pair the Docker deploy guides for controller and router on the same public Docker host.
EDIT: I simplified this example to a single DNS record instead of recommending multiple records or a wildcard record. I'm happy to elaborate on those options if interested.
1 Like
I did not understand if the DNS entry must be added in my services or not. In general i seemed to understant that running thi quickstart make me to confiugure correctly the ziti network, right?
Anyway i run docker compose up following your instructions and the quickstart started correctly.
Obviously, i didn't change anything
Great! Now, you should be able to log in to your network with the ziti
CLI or the web console.
You will use one or both of those interfaces to build OpenZiti services.
You don't need to create a DNS record for your OpenZiti service address. Your client will use Ziti DNS to find the service.
1 Like
Ok, so now I only need to deploy my client and server in this network and configuring tunneling and policies through the ziti CLI?
Before we build the service, let's figure out the best way to attach the client and server to the network.
The two main choices are SDK or proxy/tunneler. SDK is best if you can integrate it directly into the client or server application because it avoids the need to manage a separate proxy for each client, server, or both.
Is it an option to use the OpenZiti Python SDK for client or server or both?
If SDK for your client or server's programming language is not an option, then we will use OpenZiti tunnelers as a proxy.
1 Like
SDK is not an option only because i need to simulate “something that exists and become zero trust without touching it”.
Using tunnelers is my main trouble! How can I continue know?
1 Like
OK, now that we've eliminated the possibility of using the OpenZiti SDKs, let's focus on proxying/tunneling your client and server containers in a Docker environment.
The server tunneler is the easiest, so let's start there. I assume you have created the service, and you have the server tunneler's identity enrollment one-time token as a *.jwt file.
You can add a server-side (reverse-proxy) tunneler to your application's compose project like this.
services:
ziti-host:
image: openziti/ziti-host
volumes:
- ziti-identity:/ziti-edge-tunnel
environment:
- ZITI_ENROLL_TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbSI6Im90dCIsImV4cCI6MTY3MDAwEFQ2NywiaXNzIjoiaHR0cHM6Ly83Y2U3ZTQyNC02YTkyLTRmZjItOTQ1OS1lYmJiYTMyMzQ2ZmEucHJvZHVjdGlvbi5uZXRmb3VuZHJ5LmlvOjQ0MyIsImp0aSI6ImQ0YjczZjFlLTRkOWEtNDk0ZC04NGQxLTQ2OWE1MGQyYzhmMCIsInN1YiI6ImdXdkQwaTd5RDkifQ.R5t2hoH0W1vJUn78_O8azoJ05FWLLSh6J3Q1XaDOidaYgDOWcLm7YiV99rymnjSjRC86IjNsAyZK678_D2dqyefR3VBI8LepamZ5jVSAcDFCF3Swk_jszcHDqcYs2YCucr6qrwsv8NTqEdUAJ8NVOiRaZbGhSuBvXTmWilCkCLcL7R4tXpIHakM_2WA4_tmwdbN8i7SGPPAB6pZOK_xDW10nBjg5Fe3Of_-53Gd-3swm9D3Yms1iIPBfMIQUWNzYaOCBa8UvGo8d9JjvJKgTlkMwZHL3hayzAuVEXoR1-LbA1t1Nhd8FgjvuL-YxN0XLaA3koL-FijL7ehWZoyUYPuO3xi63SQpbO-oDtX89jvGLMVercZBscXQsmCkDcj8OAnTb3Czb8HmsHgfydqvT6epUNFxFe_fSGz-CuGIuFBQwygfpBriGBnwVk8dnIJt7Wl75jPR8v-NImIIv1dKCI_ZajlsJ5l8D4OGnj76pBs3Wu7Hq1zxAbJ8HPJmi_ywTHAHVJVghifRTIR6_SyfeZGsHDY9s8YH5ErYvarBvMxwPCmjMMY3SKM_YOPG0u1c-KKByS3m7x7qia6P1ShWwGkbMmY722iFeVvoGN7SD51CkZiqWHClhBtdDv6_1K7y62KEmiX0D4YHXoikNqMCoPwa4yKyDRzoO8DKcAzaVRRg
volumes:
ziti-identity:
1 Like
Ok so steps are:
- Create the service (in this case the service is the container running my PLC simlulation)
- Create and enroll the tunnel with the ziti CLI in the quickstart container getting the .jwt OTT
- Adding ziti-host to compose.yml then running compose uo only for it.
So tunnelers needs to run in their own container, correct? If you confirm this i'll start trying!
Thanks a lot, you're so kind!!
1 Like
I'm trying to create the identity for my server in quickstart container, but it tells me this:
bash-5.1$ ziti edge create identity plcsiemens-nid -o plcsiemens-nid.jwt
New identity plcsiemens-nid created with id: UcWrWUF3jB
Failed to write JWT to file(plcsiemens-nid.jwt)
error: open plcsiemens-nid.jwt: permission denied
I previously logged in with:
ziti edge login -u admin -p ziggy123
I think you're interactively running the CLI inside the quickstart container.
Try setting the JWT output file path in /tmp/plcsiemens-nid.jwt
. That way, you will surely have write permission and can easily locate the file to copy it like this.
docker compose cp quickstart:/tmp/plcsiemens-nid.jwt .
1 Like
You can install the ziti
CLI on the Docker host, too. That way, you can run all the commands on the Docker host instead of inside the container, which will eliminate the need to copy things between them.
Link to Linux downloads: Downloads | OpenZiti
Example:
curl -sS https://get.openziti.io/install.bash | sudo bash -s openziti;
ziti version;
The client and server tunnelers will each be a separate container, yes. So far, we've talked about the server's tunneler only. I suggested the openziti/ziti-host
container image which acts like a reverse-proxy.
When that is working we'll skip to the client tunneler. We'll decide which container image is best: openziti/ziti-router
or openziti/ziti-tunnel
. Both may be used as a "sidecar" proxy that provides Ziti DNS to your client application.
Yes i got it yet, the problem were logging in, but my brain was only in stupid mode. Now i logged in with the docker host like this:
ziti edge login localhost:1280 -u admin -p ziggy123 -y
The problem is: how can i get the JWT for the tunneler via ziti CLI? I didn't find it in the doc.
The simplest way is to re-create the identity with the --jwt-output-file
pointing somewhere you have write permission
The one-time token is still available in the API, and you can parse the JSON of the existing identity with the jq
command. You can install jq
in Linux to follow this example.
ziti edge list identities 'name="plcsiemens-nid"' --output-json | jq --raw-output '.data[].enrollment.ott.jwt'
Ok so the jwt i got before for my server with:
ziti edge create identity plcsiemens-nid -o plcsiemens-nid.jwt
is actually the jwt i need to use for the tunneler? If so, i only have to add the ziti-host to the compose.yml right?
Correct. For this service, you must create an OpenZiti identity for each client (dial) and server (bind) tunneler.
Assign the content of plcsiemens-nid.jwt
as ZITI_ENROLL_TOKEN
in the ziti-host container's environment.
1 Like