Dialing a service without creating host.v1 configs?

Hello,

So I have two services called zac and api.
Zac is set up with host.v1 and intercept configs:

zitiEx edge create config zac.host.config host.v1 '{"protocol":"tcp", "address":"'"ziti-console"'", "port":'${ZITI_CONSOLE_PORT}'}'
zitiEx edge create config zac.int.config  intercept.v1 '{"protocols":["tcp"],"addresses":["'"zac.ziti"'"], "portRanges":[{"low":'${ZITI_CONSOLE_PORT}', "high":'${ZITI_CONSOLE_PORT}'}]}'
zitiEx edge create service "zac" --configs "zac.host.config","zac.int.config"
zitiEx edge create service-policy "zac.bind" Bind --service-roles "@zac" --identity-roles "#zac.binders"
zitiEx edge create service-policy "zac.dial" Dial --service-roles "@zac" --identity-roles "#zac.dialers"
zitiEx edge update identity "ziti-edge-router" -a zac.binders

I have an identity technician which has attribute #zac.dialers, and when he tries to open the URL https://zac.ziti:8443 he can connect OK.

The second service, api, is using Golang's SDK. It has its own identity and zac shows that it connects to OpenZiti.

technician has attribute #api.dial, but it can't ping api.

Is it mandatory to have host.v1 configs?

This tutorial does it without them: ziti/ziti/cmd/demo/tutorials/first-service.md at release-next · openziti/ziti · GitHub

Here are my terminators:

ziti@6eec14c3cc4e:/persistent$ ziti edge list terminators
╭────────────────────────┬─────────┬──────────────────┬─────────┬────────────────────────┬──────────┬──────┬────────────┬──────────────╮
│ ID                     │ SERVICE │ ROUTER           │ BINDING │ ADDRESS                │ IDENTITY │ COST │ PRECEDENCE │ DYNAMIC COST │
├────────────────────────┼─────────┼──────────────────┼─────────┼────────────────────────┼──────────┼──────┼────────────┼──────────────┤
│ 24SEo7U67VepCUZxDIi8k0 │ api     │ ziti-edge-router │ edge    │ 24SEo7U67VepCUZxDIi8k0 │          │    0 │ default    │            0 │
│ 4uYOOAJNMJGhJbRSe5HEhv │ zac     │ ziti-edge-router │ tunnel  │ 4uYOOAJNMJGhJbRSe5HEhv │          │    0 │ default    │            0 │
╰────────────────────────┴─────────┴──────────────────┴─────────┴────────────────────────┴──────────┴──────┴────────────┴──────────────╯

ziti edge policy-advisor services api:

OKAY : api (1) -> api (1) Common Routers: (1/1) Dial: N Bind: Y 

OKAY : technician (1) -> api (1) Common Routers: (1/1) Dial: Y Bind: N 

OKAY : ziti-edge-router (1) -> api (1) Common Routers: (1/1) Dial: N Bind: Y 

ziti edge policy-advisor identities technician:

OKAY : technician (1) -> api (1) Common Routers: (1/1) Dial: Y Bind: N 

OKAY : technician (1) -> zac (1) Common Routers: (1/1) Dial: Y Bind: N 

Another very weird thing is that when I add the tag #api.dial to technician, his Desktop Edge app breaks. It doesn't show identities or services anymore.

EDIT: The echo examples work. SDK -> SDK works without configs, but is it possible to have an SDK webserver without configs?

No it's not mandatory, but it's mandatory if you use a tunneler on the host/bind side. A host.v1 config is used to inform a tunneler how to offload traffic from the overlay back to the underlay network. If your server uses an sdk and is configured to listen on the overlay network, then you don't need a host.v1 config. So, if you offload traffic with a tunneler it's mandatory. If you're making an application embedded server, the host config isn't needed.

This is quite unexpected. Have you looked at the logs to see if there are any clear errors? Does it happen every time, are you able to reproduce the issue with a new identity? If so, if you have clear steps to reproduce that would be really useful for us.

Just tried creating a new identity, can't ping api and the GUI looks weird.

Here's a screenshot:

Will give more info tomorrow.

EDIT: There should be 2 services and 2 identities.

I'm not sure what you mean by ping api. If you are issuing a ping command from the command line, you should know that the tunnelers don't properly support icmp ping at this time (tcp/udp).

I see you're using the new UI, cool. You'll want to look at the service logs. I tried my version of that app but the service logs don't seem to be working. You should find them at: %ProgramFiles(x86)%\NetFoundry Inc\Ziti Desktop Edge\logs\service. The symlink/junction named ziti-tunneler.log or the log file dated with "today's" date. Look in there for errors too.

I'm not sure what you mean by ping api. If you are issuing a ping command from the command line, you should know that the tunnelers don't properly support icmp ping at this time (tcp/udp).

I am able to do (from the technician PC with Desktop Edge) ping zac.ziti; I want to be able to ping/curl my api service as well.

I see you're using the new UI, cool. You'll want to look at the service logs. I tried my version of that app but the service logs don't seem to be working. You should find them at: %ProgramFiles(x86)%\NetFoundry Inc\Ziti Desktop Edge\logs\service. The symlink/junction named ziti-tunneler.log or the log file dated with "today's" date. Look in there for errors too.

I am on Ubuntu, here are the logs from npm start:


> zitidesktopedge@3.3.1 start
> electron app.js

/snap/core20/current/lib/x86_64-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.29' not found (required by /lib/x86_64-linux-gnu/libproxy.so.1)
Failed to load module: /home/carlos/snap/code/common/.cache/gio-modules/libgiolibproxy.so
Settings Loaded: {"width":1530,"height":868,"logDays":7}
[2024-06-23T20:00:39.fff+03:00] DEBUG   AppSettings.init        Settings Loaded: {"width":1530,"height":868,"logDays":7}

Set Icon: /home/carlos/Projects/screen_share/ziti-desktop/desktop-edge-ui/ziti-edge-ui/assets/images/ziti-white.png
[2024-06-23T20:00:39.fff+03:00] DEBUG   Application.CreateWindow        Set Icon: /home/carlos/Projects/screen_share/ziti-desktop/desktop-edge-ui/ziti-edge-ui/assets/images/ziti-white.png

Configuring Client For: linux Language: en-US
[2024-06-23T20:00:40.fff+03:00] DEBUG   Application.CreateWindow        Configuring Client For: linux Language: en-US

requested connection to  ziti /tmp/.ziti/ziti-edge-tunnel-event.sock
Connecting client on Unix Socket : /tmp/.ziti/ziti-edge-tunnel-event.sock
requested connection to  ZitiSend /tmp/.ziti/ziti-edge-tunnel.sock
Connecting client on Unix Socket : /tmp/.ziti/ziti-edge-tunnel.sock
retrying reset
retrying reset
## received events ##
Data Received from ziti-edge-tunnel-event
[2024-06-23T20:00:40.fff+03:00] TRACE   Application.onData      Data Received from ziti-edge-tunnel-event
[2024-06-23T20:00:40.fff+03:00] TRACE   Log.initLevel   Set Internal Log Level To warn

TypeError: Cannot read properties of undefined (reading 'length')
    at Object.set (file:///home/carlos/Projects/screen_share/ziti-desktop/desktop-edge-ui/ziti-edge-ui/assets/scripts/service.js:68:43)
    at Object.refresh (file:///home/carlos/Projects/screen_share/ziti-desktop/desktop-edge-ui/ziti-edge-ui/assets/scripts/identity.js:191:25)
    at Object.set (file:///home/carlos/Projects/screen_share/ziti-desktop/desktop-edge-ui/ziti-edge-ui/assets/scripts/identity.js:468:22)
    at EventEmitter.onData (file:///home/carlos/Projects/screen_share/ziti-desktop/desktop-edge-ui/ziti-edge-ui/app-renderer.js:369:34)
    at EventEmitter.emit (node:events:513:28)
    at Object.onMessage (node:electron/js2c/renderer_init:2:9199)
Logging Error TypeError: messageValue.indexOf is not a function
    at Object.write (/home/carlos/Projects/screen_share/ziti-desktop/desktop-edge-ui/ziti-edge-ui/app.js:396:62)
    at /home/carlos/Projects/screen_share/ziti-desktop/desktop-edge-ui/ziti-edge-ui/app.js:558:9
    at node:electron/js2c/browser_init:2:98085
    at EventEmitter.<anonymous> (node:electron/js2c/browser_init:2:81603)
    at EventEmitter.emit (node:events:513:28)
## received events ##
[2332731:0623/200040.428556:ERROR:CONSOLE(1)] "Uncaught (in promise) TypeError: Failed to fetch", source: devtools://devtools/bundled/panels/elements/elements.js (1)
## received events ##
## received events ##
## received events ##

ping zac.ziti does resolve an IP address, but it doesn't actually test the service. It does confirm your identity does have access to that service and it's getting intercepted properly by the tunneler. You should be able to issue curl http(https)://zac.ziti:#### (you need to provide http/https and the proper port)

The logs you want are from the ziti-edge-tunnel service: journalctl -u ziti-edge-tunnel. Look through there for interesting errors/messages

ping zac.ziti does resolve an IP address, but it doesn't actually test the service. It does confirm your identity does have access to that service and it's getting intercepted properly by the tunneler. You should be able to issue curl http(https)://zac.ziti:#### (you need to provide http/https and the proper port)

Okay, let me put it this way: what do I need to do so I can ping api or curl http://api:8080 without using configs (similar to how SDK -> SDK works)?

The logs you want are from the ziti-edge-tunnel service: journalctl -u ziti-edge-tunnel. Look through there for interesting errors/messages
The logs are empty. The service is running.

EDIT: Here's my SDK code:

package main

import (
	"log"
	"net/http"
	"time"

	"github.com/gin-gonic/gin"
	"github.com/openziti/sdk-golang/ziti"
	// The poster's own packages (controllers, middlewares, admin) are imported
	// here as well; their module paths are not shown in the post.
)

func main() {
	log.SetFlags(log.LstdFlags | log.Lshortfile)

	options := ziti.ListenOptions{
		ConnectTimeout: 5 * time.Minute,
	}

	// Get identity config
	cfg, err := ziti.NewConfigFromFile("./api.json")
	if err != nil {
		panic(err)
	}

	serviceName := "api"

	ctx, err := ziti.NewContext(cfg)
	if err != nil {
		panic(err)
	}

	// Bind the service on the overlay. This creates the "edge" terminator seen in
	// `ziti edge list terminators`; no host.v1 config is involved on this side.
	listener, err := ctx.ListenWithOptions(serviceName, &options)
	if err != nil {
		log.Printf("Error binding service %+v", err)
		panic(err)
	}

	r := gin.Default()

	// Auth routes
	r.POST("/auth/login", controllers.Login)

	// V1 global routes
	authorized := r.Group("/v1")
	authorized.Use(middlewares.CheckAuth)
	{
		authorized.GET("/user/profile", controllers.GetUserProfile)
	}

	// Admin
	a := authorized.Group("/admin")
	a.Use(middlewares.CheckAdmin)
	{
		// CRUD users
		a.GET("/users", admin.ListUsers)
	}

	// Serve plain HTTP over the overlay listener instead of an underlay TCP port
	if err := http.Serve(listener, r.Handler()); err != nil {
		log.Fatalf("http serving failed: %v", err)
	}
}

As I tried to say, ping will literally never work. ping uses ICMP and OpenZiti tunnelers don't support ICMP at this time. The curl command on its own is also not a zitified (OpenZiti native) app. curl cannot access an OpenZiti protected service without a tunneler. The tunneler will intercept underlay traffic, the kind curl would produce, and translate it into OpenZiti traffic. When using a tunneler, you will need at least an intercept.v1 config; meaning you can't use curl without at least one config with a tunneler...

It sounds like what you want is something more like the examples in the sdk project. The sample http server is very much like what your server code looks like. (I'd guess you based your server on it)

The next thing you want is curlz. curlz is basically a simple http client that has an OpenZiti sdk built into it. With curlz you issue an http request to the service by name as I did using the sample server and curlz shown below:

Here you can see I:

  1. made a request using curlz to: http://simpleService?name=clint
  2. deleted all (two) the existing configs
  3. reran the query and it still succeeds

Hopefully, that makes things more clear? I could make a demo video if you want, but I hope this will get you to an understanding of what is going on.
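Added example, not the project's or the poster's code: a curlz-style Go client that reaches the api service above by dialing it by service name, which is the SDK-to-SDK path the reply describes and needs neither an intercept.v1 nor a host.v1 config. ServiceDialer, GetOverService and DemoAPIDialer are assumed names; with the real SDK the dialer is `func(s string) (net.Conn, error) { return ctx.Dial(s) }` on the ziti.Context returned by ziti.NewContext(cfg), while DemoAPIDialer is a constructed in-memory stand-in for the bound server so the block runs offline.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

// ServiceDialer opens a connection to an OpenZiti service by name. With the real SDK it
// wraps ctx from ziti.NewContext(cfg): func(s string) (net.Conn, error) { return ctx.Dial(s) }
type ServiceDialer func(serviceName string) (net.Conn, error)

// GetOverService issues GET http://<service><path> through a transport whose every connection
// is a Dial of the service: the URL host is never resolved on the underlay, so no config is needed.
func GetOverService(dial ServiceDialer, serviceName, path string) (int, string, error) {
	tr := &http.Transport{DialContext: func(context.Context, string, string) (net.Conn, error) { return dial(serviceName) }}
	resp, err := (&http.Client{Transport: tr}).Get("http://" + serviceName + path)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// DemoAPIDialer is a constructed stand-in for the SDK-bound "api" server above so this runs
// offline: every Dial yields a net.Pipe whose far end is answered by a small hello handler.
func DemoAPIDialer() ServiceDialer {
	return func(name string) (net.Conn, error) {
		client, server := net.Pipe()
		go func() {
			defer server.Close() // EOF ends the "Connection: close" response body
			if req, err := http.ReadRequest(bufio.NewReader(server)); err == nil {
				rec := httptest.NewRecorder()
				fmt.Fprintf(rec, "hello, %s from %s", req.URL.Query().Get("name"), name)
				rec.Result().Write(server)
			}
		}()
		return client, nil
	}
}

func main() {
	fmt.Println(GetOverService(DemoAPIDialer(), "api", "/v1/hello?name=clint")) // 200 hello, clint from api <nil>
}
```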


When using a tunneler, you will need at least an intercept.v1 config; meaning you can't use curl without at least one config with a tunneler...
This answers my question.

Thanks!