Cannot create public shares

I am still working on self hosted zrok w/ docker and I am afraid kinks remain.

While I can start private shares, I get an error with public ones on the client:

[ERROR]: unable to create share (unable to create share: [POST /share][500] shareInternalServerError)   

Over at the server I see at zrok-controller:

zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/share.go:148","func":"github.com/openziti/zrok/controller.(*shareHandler).Handle","level":"error","msg":"error creating dial service policy for service 'xxx' for identities '[xxx]': error creating service policy: [POST /service-policies][400] createServicePolicyBadRequest  \u0026{Error:0xc001594480 Meta:0xc0003cbf40}","time":"2025-08-11T05:11:19.053Z"}

And at zrok-frontend:

zrok-frontend-1  | DEBUG: waiting for default frontend public Ziti identity to be created

Finally, at ziti-quickstart:

ziti-quickstart-1  | [ 561.337]   ERROR ziti/controller/model.(*baseEntityManager[...]).createEntityInTx: {error=[the value '[xxx]' for 'identityRoles' is invalid: no identities found with the given ids]} could not create servicePolicy in bolt storage

Do you have any hint how to fix this?

Thank you.

Johannes

p.s. not sure if this is related but service traefik is unhealthy:

NAME                                IMAGE                                COMMAND                  SERVICE                 CREATED       STATUS                   PORTS
zrok_new2-traefik-1                 zrok_new2-traefik                    "/entrypoint.sh trae…"   traefik                 3 hours ago   Up 3 hours (unhealthy)   80/tcp, 8080/tcp, 443/udp, 0.0.0.0:443->443/tcp
zrok_new2-ziti-quickstart-1         docker.io/openziti/ziti-cli:latest   "bash -euc 'ZITI_CMD…"   ziti-quickstart         3 hours ago   Up 3 hours (healthy)     0.0.0.0:80->80/tcp, 0.0.0.0:3022->3022/tcp
zrok_new2-ziti-quickstart-check-1   busybox                              "echo 'Ziti is cooki…"   ziti-quickstart-check   3 hours ago   Exited (0) 3 hours ago
zrok_new2-ziti-quickstart-init-1    busybox                              "chown -Rc 1000 /hom…"   ziti-quickstart-init    3 hours ago   Exited (0) 3 hours ago
zrok_new2-zrok-controller-1         zrok_new2-zrok-controller            "bootstrap-controlle…"   zrok-controller         3 hours ago   Up 3 hours               127.0.0.1:18080->18080/tcp
zrok_new2-zrok-frontend-1           zrok_new2-zrok-frontend              "bootstrap-frontend.…"   zrok-frontend           3 hours ago   Up 3 hours               127.0.0.1:8080-8081->8080-8081/tcp
zrok_new2-zrok-permissions-1        busybox                              "/bin/sh -euxc 'chow…"   zrok-permissions        3 hours ago   Exited (0) 3 hours ago

When I enter the container with docker compose -it traefik sh and execute traefik healthcheck I get:

/ # traefik healthcheck
INFO[0000] Configuration loaded from environment variables.
Error calling healthcheck: please enable `ping` to use health check

Again, not sure if this helps to chase down the error.

In all cases private shares work.

Ok I have managed to render service traefik healthy by adding the following lines to compose.traefik.yml :

environment:
   # other variables...
   TRAEFIK_PING: "true"
   TRAEFIK_PING_ENTRYPOINT: "web"
   TRAEFIK_ENTRYPOINTS_web_ADDRESS: ":80"

### other specs

expose:
   # other ports
   - 80/tcp

Nevertheless, public shares still do not work. I still get the error:

[ERROR]: unable to create share (unable to create share: [POST /share][500] shareInternalServerError)

Any ideas?

What shows up in the zrok controller log when you try to create a share?

Thank you - I get the following message:

zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/version.go:21","func":"github.com/openziti/zrok/controller.clientVersionCheckHandler","level":"debug","msg":"client sent version 'v1.0.8 [f1a15a4d]'","time":"2025-08-16T16:35:03.107Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/version.go:33","func":"github.com/openziti/zrok/controller.clientVersionCheckHandler","level":"debug","msg":"client version matched previous version stream 'v1.0'","time":"2025-08-16T16:35:03.107Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/share.go:37","func":"github.com/openziti/zrok/controller.(*shareHandler).Handle","level":"debug","msg":"found identity 'to15KgZTX' for account 'xxx@xxxx'","time":"2025-08-16T16:35:03.136Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/share.go:133","func":"github.com/openziti/zrok/controller.(*shareHandler).Handle","level":"info","msg":"added frontend selection 'public' with ziti identity 'kMuozSrYb-' for share 'cd8kdawodr5y'","time":"2025-08-16T16:35:03.176Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/zrokEdgeSdk/config.go:55","func":"github.com/openziti/zrok/controller/zrokEdgeSdk.CreateConfig","level":"info","msg":"created config '1bZggVO9l9grysaSCGUvoR' for environment 'to15KgZTX'","time":"2025-08-16T16:35:03.200Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/zrokEdgeSdk/service.go:40","func":"github.com/openziti/zrok/controller/zrokEdgeSdk.CreateShareService","level":"info","msg":"created share 'cd8kdawodr5y' (with ziti id '36Scv2TSFjDsaTZ7YDnGB1') for environment 'to15KgZTX'","time":"2025-08-16T16:35:03.204Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/zrokEdgeSdk/sp.go:27","func":"github.com/openziti/zrok/controller/zrokEdgeSdk.CreateServicePolicyBind","level":"info","msg":"created bind service policy '4pK2ChkXX1gCHSJZ4pnzb7' for service '36Scv2TSFjDsaTZ7YDnGB1' for identity 'to15KgZTX'","time":"2025-08-16T16:35:03.208Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/share.go:148","func":"github.com/openziti/zrok/controller.(*shareHandler).Handle","level":"error","msg":"error creating dial service policy for service '36Scv2TSFjDsaTZ7YDnGB1' for identities '[kMuozSrYb-]': error creating service policy: [POST /service-policies][400] createServicePolicyBadRequest  \u0026{Error:0xc000d112c0 Meta:0xc0003757c0}","time":"2025-08-16T16:35:03.209Z"}

For some reason zrok is unable to create a dial service policy in the ziti network. You might check the ziti controller logs when this occurs and see if the ziti controller has an error message.

Alright. Now service ziti-quickstart logs the following line of interest:

ziti-quickstart-1  | [14593.623]   ERROR ziti/controller/model.(*baseEntityManager[...]).createEntityInTx: {error=[the value '[kMuozSrYb-]' for 'identityRoles' is invalid: no identities found with the given ids]} could not create servicePolicy in bolt storage

It sounds like the bootstrap process might not have created the identity for the public frontend properly.

Can you try zrok share private and zrok access private?

Sure! And thank you for hanging on.

So I type zrok share private schrott/ -b web (where schrott is a random directory) and get the usual screen informing me how to access the share. Accessing the share from another computer typing zrok access private xxx works fine.

Service ziti-quickstart prints:

johannes@localhost:~/zrok_new2$ docker compose logs --tail 0 -f ziti-quickstart
ziti-quickstart-1  | [46754.689]    INFO ziti/common.syncAllSubscribersEvent.process: {subs=[1]} sync all subscribers
ziti-quickstart-1  | [46754.695]    INFO ziti/common.syncAllSubscribersEvent.process: {subs=[1]} sync all subscribers
ziti-quickstart-1  | [46754.703]    INFO ziti/common.syncAllSubscribersEvent.process: {subs=[1]} sync all subscribers
ziti-quickstart-1  | [46755.112]    INFO ziti/router/xgress_edge.(*edgeClientConn).processBindV2 [ch{edge}->u{classic}->i{to15KgZTX/V410}]: {chSeq=[1] edgeSeq=[0] terminatorId=[3bL7cZYtUQbNs0dmN0rNDl] bindConnId=[1] listenerId=[d0f18e6e-cb72-4bea-a95d-4c64645c646b] connId=[1] routerId=[b5BcEZbmJU] sessionToken=[6f193522-26ce-402e-b13d-315b13914006] type=[EdgeBindType]} establishing terminator
ziti-quickstart-1  | [46755.112]    INFO ziti/router/xgress_edge.(*hostedServiceRegistry).evaluateEstablishQueue: {token=[6f193522-26ce-402e-b13d-315b13914006] terminatorId=[3bL7cZYtUQbNs0dmN0rNDl] state=[establishing]} queuing terminator to send create
ziti-quickstart-1  | [46755.113]    INFO ziti/router/xgress_edge.(*hostedServiceRegistry).establishTerminator: {routerId=[b5BcEZbmJU] terminatorId=[3bL7cZYtUQbNs0dmN0rNDl] token=[6f193522-26ce-402e-b13d-315b13914006]} sending create terminator v2 request
ziti-quickstart-1  | [46755.115]    INFO ziti/controller/handler_edge_ctrl.(*createTerminatorV2Handler).CreateTerminatorV2 [ch{b5BcEZbmJU}->u{classic}->i{b5BcEZbmJU/VyLZ}]: {routerId=[b5BcEZbmJU] service=[w5lde8bsyl25] createTime=[1.122614ms] terminator=[3bL7cZYtUQbNs0dmN0rNDl] terminatorId=[3bL7cZYtUQbNs0dmN0rNDl] serviceId=[3LuFzHn6e8XMJqOfYNbKZt]} created terminator
ziti-quickstart-1  | [46755.115]    INFO ziti/controller/handler_edge_ctrl.(*createTerminatorV2Handler).CreateTerminatorV2 [ch{b5BcEZbmJU}->u{classic}->i{b5BcEZbmJU/VyLZ}]: {terminatorId=[3bL7cZYtUQbNs0dmN0rNDl] serviceId=[3LuFzHn6e8XMJqOfYNbKZt] routerId=[b5BcEZbmJU] service=[w5lde8bsyl25] elapsed=[1.813486ms]} completed create terminator v2 operation
ziti-quickstart-1  | [46755.116]    INFO ziti/router/xgress_edge.(*edgeClientConn).processBindV2.func2 [ch{edge}->u{classic}->i{to15KgZTX/V410}]: {terminatorId=[3bL7cZYtUQbNs0dmN0rNDl] sessionToken=[6f193522-26ce-402e-b13d-315b13914006] edgeSeq=[0] bindConnId=[1] listenerId=[d0f18e6e-cb72-4bea-a95d-4c64645c646b] routerId=[b5BcEZbmJU] connId=[1] type=[EdgeBindType] chSeq=[1]} sdk notified of terminator creation
ziti-quickstart-1  | [46755.116]    INFO ziti/router/xgress_edge.(*edgeTerminator).updateState: {terminatorId=[3bL7cZYtUQbNs0dmN0rNDl] oldState=[establishing] newState=[established] reason=[create notification received]} updated state
ziti-quickstart-1  | [46755.117]    INFO ziti/router/xgress_edge.(*markEstablishedEvent).handle: {terminatorId=[3bL7cZYtUQbNs0dmN0rNDl] lifetime=[4.847388ms] connId=[1] routerId=[b5BcEZbmJU]} terminator established

Service zrok-controller prints:

johannes@localhost:~/zrok_new2$ docker compose logs --tail 0 -f zrok-controller
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/version.go:21","func":"github.com/openziti/zrok/controller.clientVersionCheckHandler","level":"debug","msg":"client sent version 'v1.0.8 [f1a15a4d]'","time":"2025-08-17T05:29:31.612Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/version.go:33","func":"github.com/openziti/zrok/controller.clientVersionCheckHandler","level":"debug","msg":"client version matched previous version stream 'v1.0'","time":"2025-08-17T05:29:31.612Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/share.go:37","func":"github.com/openziti/zrok/controller.(*shareHandler).Handle","level":"debug","msg":"found identity 'to15KgZTX' for account 'x@x'","time":"2025-08-17T05:29:31.645Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/zrokEdgeSdk/config.go:55","func":"github.com/openziti/zrok/controller/zrokEdgeSdk.CreateConfig","level":"info","msg":"created config 'y0EpNV1UGH02s2jYNET4C' for environment 'to15KgZTX'","time":"2025-08-17T05:29:31.743Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/zrokEdgeSdk/service.go:40","func":"github.com/openziti/zrok/controller/zrokEdgeSdk.CreateShareService","level":"info","msg":"created share 'w5lde8bsyl25' (with ziti id '3LuFzHn6e8XMJqOfYNbKZt') for environment 'to15KgZTX'","time":"2025-08-17T05:29:31.748Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/zrokEdgeSdk/sp.go:27","func":"github.com/openziti/zrok/controller/zrokEdgeSdk.CreateServicePolicyBind","level":"info","msg":"created bind service policy '10ppup0225IXsuoVW45mRD' for service '3LuFzHn6e8XMJqOfYNbKZt' for identity 'to15KgZTX'","time":"2025-08-17T05:29:31.754Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/zrokEdgeSdk/serp.go:28","func":"github.com/openziti/zrok/controller/zrokEdgeSdk.CreateShareServiceEdgeRouterPolicy","level":"info","msg":"created service edge router policy '1MJiCg3aIbPeIaMjFQxo2U' for service '3LuFzHn6e8XMJqOfYNbKZt' for environment 'to15KgZTX'","time":"2025-08-17T05:29:31.759Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/share.go:164","func":"github.com/openziti/zrok/controller.(*shareHandler).Handle","level":"debug","msg":"allocated share 'w5lde8bsyl25'","time":"2025-08-17T05:29:31.759Z"}
zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/share.go:208","func":"github.com/openziti/zrok/controller.(*shareHandler).Handle","level":"info","msg":"recorded share 'w5lde8bsyl25' with id '9' for 'x@x'","time":"2025-08-17T05:29:31.763Z"}

Ok… that's good. That means your zrok and ziti installations are working. And that confirms that something probably went wrong with the zrok bootstrap process and creating the public frontend for your installation.

I'm not very familiar with how the docker bits work in this case, let me see if I can pull in one of my colleagues…

@qrkourier do you have any ideas about how we can debug the frontend components of this installation?

Although I’m unaware of any known issues with this symptom, I can point out how the zrok self-hosting guide works.

Troubleshoot the frontend by printing the logs from that separate container, usually named “zrok-frontend.”

docker compose logs zrok-frontend --follow --since=20m

The most probable cause is a pre-existing OpenZiti Identity named exactly “public” from a decommissioned zrok instance. If you diagnose this condition in the zrok-frontend log, you can recover by deleting the OpenZiti Identity, allowing the zrok instance to create a new identity during its next startup. This can happen if the state is destroyed for either zrok or ziti, but not both.

Or, if you suspect another life cycle issue, and assuming you do not have any state to preserve, you can destroy the Docker Compose project’s volumes and start fresh.

You may wish to explore the complete, running configuration of the Docker Compose project with docker compose config. This is especially useful when a Docker Compose project definition spans multiple Compose files.

To explore that data structure, I've found it helpful to pipe the YAML to a parser like yq and print only the names of the declared services (i.e., containers), like | yq '.services|keys', or the running configuration of a particular service like | yq '.services."zrok-frontend"'.

Here’s an overview of the expected, scripted bootstrapping steps in the provided self-hosted Docker instance from this part of the zrok repository.

  1. zrok-controller and zrok-frontend wait for ziti-quickstart to become healthy.
  2. zrok-controller runs the zrok admin bootstrap --skip-frontend command to prepare the OpenZiti Network.
  3. zrok-frontend creates and enrolls its “public” OpenZiti Identity by calling the ziti-quickstart service, and creates the “public” frontend by calling the zrok-controller service.
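As an added example (not code from this thread or from the zrok project), here is a small Python triage script that correlates the three logs discussed above: the zrok-controller "error creating dial service policy" line, the ziti-quickstart "no identities found with the given ids" line, and the zrok-frontend "waiting for default frontend public Ziti identity" message. The sample log lines are copied from this thread; the function and variable names are my own.

```python
"""Added triage helper (not zrok project code): correlate the zrok-controller JSON log,
the ziti-quickstart log and the zrok-frontend log to find the public-frontend
identity that the dial service policy references but ziti does not have."""
import json
import re

DIAL_POLICY_RE = re.compile(
    r"error creating dial service policy for service '(?P<svc>[^']+)' "
    r"for identities '\[(?P<ids>[^\]]*)\]'")
ZITI_MISSING_RE = re.compile(
    r"the value '\[(?P<ids>[^\]]*)\]' for 'identityRoles' is invalid: "
    r"no identities found with the given ids")
FRONTEND_WAIT = "waiting for default frontend public Ziti identity to be created"

# Constructed sample input, copied from the log excerpts quoted in this thread.
SAMPLE_CONTROLLER = r"""zrok-controller-1  | {"file":"/__w/zrok/zrok/controller/share.go:148","func":"github.com/openziti/zrok/controller.(*shareHandler).Handle","level":"error","msg":"error creating dial service policy for service '36Scv2TSFjDsaTZ7YDnGB1' for identities '[kMuozSrYb-]': error creating service policy: [POST /service-policies][400] createServicePolicyBadRequest  \u0026{Error:0xc000d112c0 Meta:0xc0003757c0}","time":"2025-08-16T16:35:03.209Z"}"""
SAMPLE_ZITI = "ziti-quickstart-1  | [14593.623]   ERROR ziti/controller/model.(*baseEntityManager[...]).createEntityInTx: {error=[the value '[kMuozSrYb-]' for 'identityRoles' is invalid: no identities found with the given ids]} could not create servicePolicy in bolt storage"
SAMPLE_FRONTEND = "zrok-frontend-1  | DEBUG: " + FRONTEND_WAIT

def controller_events(text):
    """Yield the JSON object after the 'container | ' prefix; skip non-JSON lines."""
    for line in text.splitlines():
        _, _, payload = line.partition("| ")
        try:
            ev = json.loads(payload)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            yield ev

def triage(controller_log, ziti_log, frontend_log):
    """Return what each log says about the missing public-frontend identity."""
    finding = {"service": None, "missing_identities": set(),
               "ziti_confirms_missing": False, "frontend_waiting": False}
    for ev in controller_events(controller_log):
        m = DIAL_POLICY_RE.search(ev.get("msg", "")) if ev.get("level") == "error" else None
        if m:
            finding["service"] = m.group("svc")
            finding["missing_identities"].update(m.group("ids").split())
    for m in ZITI_MISSING_RE.finditer(ziti_log):  # does ziti agree the id does not exist?
        if set(m.group("ids").split()) & finding["missing_identities"]:
            finding["ziti_confirms_missing"] = True
    finding["frontend_waiting"] = FRONTEND_WAIT in frontend_log
    return finding

def verdict(finding):
    """One-line conclusion that points at the bootstrap/identity problem discussed above."""
    if finding["missing_identities"] and finding["ziti_confirms_missing"]:
        ids = ", ".join(sorted(finding["missing_identities"]))
        return f"identity {ids} for service {finding['service']} does not exist in ziti"
    if finding["frontend_waiting"]:
        return "zrok-frontend is still waiting for its 'public' identity"
    return "no public-frontend identity problem detected"
```

Feed it the output of docker compose logs for the three services; a confirmed verdict means the dial policy is pointing at an identity the frontend bootstrap never created, which is the condition the previous posts describe.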

Thank you @michael.quigley and @qrkourier for helping me out.

All your hints are greatly appreciated, using yq for viewing sections of yaml files is a great trick.

@qrkourier I guess you were right, that a pre-existing OpenZiti identity interfered. I can just state that deleting the frontend and the account using zrok admin delete did not remedy the problem, but then you were specifically talking about "ziti" identities. Removing the docker volumes with docker volume rm probably helped. I say "probably" because I got an error message regarding the upgrade of the zrok-frontend-config.yml.envsubst file to version 4 and so I decided to reinstall using fresh files according to the self-hosting guide and manually update traefik.compose.yml as stated above.

Long story short: private and public sharing now works.

:folded_hands:
