Configuring ziti-tunneler-client.v1

fixed the permissions issue.. as.. you need to run the tproxy mode in admin mode.

./ziti-tunnel tproxy -i /mnt/v/temp/tunneler-id.json private-httpbin:2000 -v

however, this generates the next error

ziti-tunnel runs an internal DNS server which must be first in the host's
resolver configuration. On systems that use NetManager/dhclient, this can
be achieved by adding the following to /etc/dhcp/dhclient.conf:

prepend domain-name-servers 127.0.0.1:53;

I tried updating the file but it did not make any difference..

I am using an Oracle Linux machine that is hosted in the Oracle Cloud.. so it may have something extra to configure..

I will do more searching about this to see what I can find out
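The error above says the tunneler's DNS server must be the first resolver on the host. Whether it actually is can be checked before touching anything, with the small script below. This is an added example, not code from the thread or from the OpenZiti project; it assumes only a resolv.conf-style file (the sample it is tested against is constructed inline) and POSIX sh, sed and awk. It also reports when /etc/resolv.conf is a symlink, because a managed file (systemd-resolved, NetworkManager, dhclient) gets rewritten and a hand edit silently disappears, which is one reason an edit can "not make any difference".

```shell
#!/bin/sh
# Added example (not from the thread): check that the first "nameserver"
# entry in a resolv.conf-style file is the local ziti-tunnel DNS (127.0.0.1).

# Print the address from the first uncommented "nameserver" line in file $1.
first_nameserver() {
    # Strip "#" comments, take the first nameserver line, print its value.
    sed -e 's/#.*$//' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# Return 0 when the first resolver in file $1 is loopback.
# Tolerates a stray ":53" or ";" suffix such as "127.0.0.1:53;" (an entry
# written in dhclient syntax; resolv.conf itself takes a bare address).
local_resolver_first() {
    ns=$(first_nameserver "$1")
    addr=${ns%%:*}      # drop ":53" if present
    addr=${addr%;}      # drop a trailing ";"
    [ "$addr" = "127.0.0.1" ]
}

# Explain the resolver state so a failing *.ziti lookup has a visible cause.
diagnose_resolver() {
    f=${1:-/etc/resolv.conf}
    if [ -L "$f" ]; then
        echo "$f is a symlink to $(readlink "$f"): a resolver manager may rewrite it"
    fi
    ns=$(first_nameserver "$f")
    if [ -z "$ns" ]; then
        echo "no nameserver entry in $f"
        return 1
    fi
    if local_resolver_first "$f"; then
        echo "first resolver is $ns: ziti-tunnel DNS is consulted first"
        return 0
    fi
    echo "first resolver is $ns: *.ziti names will not resolve; put 127.0.0.1 first"
    return 1
}

# Usage: sh check-resolver.sh /etc/resolv.conf
if [ $# -gt 0 ]; then
    diagnose_resolver "$1"
fi
```

Run it against /etc/resolv.conf before and after the edit; a non-zero exit means the intercept DNS will not be used, regardless of whether the tunneler itself started cleanly.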

Total Awesome <<<

Got it to work..

  1. modify the /etc/resolv.conf file
    .. comment out existing nameserver entry
    .. add in new entry: nameserver 127.0.0.1:53;

  2. run the following command in su mode

./ziti-tunnel tproxy -i /mnt/v/temp/tunneler-id.json private-httpbin:2000 -v

  3. I created another terminal..

curl http://localhost:2000/json

curl: (7) Failed to connect to localhost port 2000: Connection refused

curl http://httpbin.ziti:2000/json

{
  "slideshow": {
    "author": "Yours Truly", 
    "date": "date of publication", 
    "slides": [
      {
        "title": "Wake up to WonderWidgets!", 
        "type": "all"
      }, 
      {
        "items": [
          "Why <em>WonderWidgets</em> are great", 
          "Who <em>buys</em> WonderWidgets"
        ], 
        "title": "Overview", 
        "type": "all"
      }
    ], 
    "title": "Sample Slide Show"
  }
}

Now… I don't really know what I just did… or how it works… though I will read up on this more… now that I sort of learnt something

Thanks so much for your help

This was one problem that has taken me a week to work through… going around in endless circles… and making so many mistakes… but I eventually get there :slight_smile:

Thank you so much for the video and test commands that you're running. That really does help tremendously.

First Tip

I see in your commands you're running docker-compose down. That won't delete your volume, nor your docker networks. If you want to 'start fresh and clean' - you must be running a docker-compose down -v. If you just want to 'stop things', you'd use 'docker-compose down' but to clean house - you gotta add -v on there. I would really recommend when you try to reproduce a problem you start real clean and use docker-compose down -v.

As @gooseleggs writes, you're using ziti-tunnel in proxy mode. Proxy mode does _not_ "intercept". You can use it to test that ziti is configured properly but you need to understand that it will not setup intercepts. I highly, highly recommend you stick to using your ZDE for Mac if you're making sure your 'intercepts' work.

What you're doing with ziti-tunnel has a couple of problems from my perspective.

1.) using ziti-tunnel at all

The first problem is that you've found and used 'ziti-tunnel'. This was our first linux tunneling app for the command line and we've been trying to replace ziti-tunnel with ziti-edge-tunnel. I know we still have places in our doc or in our old videos that refer to ziti-tunnel which is - unfortunate, but that's the reality of the situation at this time. I'd really prefer to see you not use ziti-tunnel if possible. It's just one fewer piece in the puzzle to worry about.

2.) ziti-tunnel in proxy mode

As @gooseleggs points out - proxy mode means that the tunnel will not intercept and instead it works as a forward proxy. It will listen on the underlay at the port you tell it to (2000 in your case) which is why curl localhost:2000 works, but the intercept doesn't.

You are then throwing another variable into the equation by using curlz which works differently than the other proxy, differently than tproxy, and differently than the python sample does. I'd ask you to stop using that for this issue and make another post about curlz if you want to understand that. I'm going to take curlz out of my response based on that.

Addressing your methodology

Your text file has comments in it. That's really helpful for me to understand what you're doing. I took your comments and converted them into my way of thinking about this problem. Here is how I edited your notes... Each heading below will correspond to your notes

setup docker containers (note the addition of -v and -f to specify the file)

  1. I chose to use simplified-docker-compose.yml as my base and I modified it. You can get it by downloading it from my gist or using wget like:

    wget https://gist.githubusercontent.com/dovholuknf/d28be2ec890ff247bd3118a56daa3c80/raw/fdaacbd3c3ab2e507848053a3163f9414c649da7/simplified-docker-compose-with-httpbin.yaml

    You can see that it basically just adds these lines to the file:

       httpbin:
        image: "kennethreitz/httpbin"
        networks:
          zitiblue:
          zitired:
        volumes:
          - ziti-fs:/openziti
    
  2. Once downloaded, fire up that docker-compose file using this command and you'll have a full, simple env with httpbin in it

    docker-compose -f simplified-docker-compose-with-httpbin.yaml down -v
    docker-compose -f simplified-docker-compose-with-httpbin.yaml up

from local machine curl to make sure controller is running (not in container)

  1. curl -k https://ziti-edge-controller:1280

configure ziti with host and intercept

  1. What you have is great but it needs one small tweak to work with the simplified example. You need to change service-policy httpbin-bind-policy Bind from using ziti-private-blue to ziti-edge-router.

    ziti edge create service-policy httpbin-bind-policy Bind --identity-roles '@ziti-edge-router' --service-roles '#private-httpbin-services'

test that the host works AND test that the service works

  1. First make an identity.

    ziti edge create identity user dockertest -a httpbin-clients -o dockertest.jwt

  2. Copy it from the controller to your local machine (exit from the docker container first, perhaps obvious). Put the file wherever you want. I use /mnt/v/temp here.

    docker cp docker_ziti-controller_1:/openziti/dockertest.jwt /mnt/v/temp/

  3. Then enroll it in your ZDE (for mac)

Test the tunneler from OUTSIDE the container

  1. This should work fine now since you enrolled your identity in your ZDEM/ZDEW

    curl http://httpbin.ziti:2000

test the Python script

That's it. That's all you should be doing here to make sure things are working. Every time you use docker-compose and down -v, just make sure you remove the identity from your local ZDEM/ZDEW. OR, just never use -d and you don't have to worry about that. using -d deletes the PKI for your environment, that will force you to make a new identity.

Recap

Add httpbin to your docker-compose file, it just makes things easier. Don't use too many components. Test using the ZDE for Mac/Windows. If it works in ZDE, the python example should work fine. Don't bring curlz into this - it'll just add confusion.


Thanks for mentioning this... maybe the install script needs to be updated..

When you run the following script... you don't get the ziti-edge-tunnel executable

source /dev/stdin <<< "$(wget -qO- https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/image/ziti-cli-functions.sh)"; getZiti

cd /home/opc/.ziti/quickstart//ziti-bin/ziti-v0.25.10/ziti-bin/ziti-v0.25.13

ls
ziti ziti-controller ziti-router ziti-tunnel

I believe you need to make a pull from this repository...

The root project still builds and ships that binary. Until it's no longer built and part of the download, it'll still be part of the getZiti function. I don't know when it'll be removed, from the packaging. We just continue to encourage people not to use it. :confused:
