Hello, I’m currently writing a paper on Zero Trust Architectures and OpenZiti.
My use case, for demonstration purposes, is a device streaming video to a video server, to which clients can connect to watch the stream. I made a custom docker compose infrastructure. My Ziti network is working correctly but I have a problem with the tunnelers:
I installed the tunnelers on the streaming device and the video server (docker containers using Debian). I have a service configured and devices are correctly enrolled. But I get an error with the DNS from OpenZiti:
DEBUG ziti-edge-tunnel:resolvers.c:95 init_libsystemd() Dynamically loaded libsystemd
DEBUG ziti-edge-tunnel:resolvers.c:343 try_libsystemd_resolver() Could not detect systemd init system
DEBUG ziti-edge-tunnel:resolvers.c:359 try_libsystemd_resolver() Could not create system DBus client
DEBUG ziti-edge-tunnel:utils.c:33 run_command_va() system(grep -q '^nameserver 100.64.0.2' /etc/resolv.conf) returned 256
sed: cannot rename /etc/sedGM3hoS: Device or resource busy
ERROR ziti-edge-tunnel:utils.c:31 run_command_va() cmd{sed -z -i 's/nameserver/nameserver 100.64.0.2\nnameserver/' /etc/resolv.conf} failed: 1024
/2/No such file or directory
DEBUG ziti-edge-tunnel:utils.c:33 run_command_va() system(sed -z -i 's/nameserver/nameserver 100.64.0.2\nnameserver/' /etc/resolv.conf) returned 1024
I have searched the error, and it looks like a Docker issue when trying to modify /etc/resolv.conf with “sed -i …”, sed creates a new file then replaces the destination with the new file, which changes the file inode, which is forbidden by Docker since the file is mounted from the host.
If I manually change the file using vim for example and add “name server 100.64.0.2”, then the Ziti DNS resolver works properly. It also works if I add the DNS entry in the docker compose file.
My question is:
Do you know a workaround this ? Like a Docker option to enable, or a way to modify the sed command called by the Ziti tunneler ?
Using docker and OpenZiti can be done, but it’s important to understand the subtle nuances of how docker networking and OpenZiti work together. To get a better answer to your question, could you provide a diagram of your setup? It sounds to me like you’re trying to use docker for segmentation all on the same machine? Is that the case? I am trying to understand the overall network view of your setup. If everything is on the same machine, I think you’ll going to end up having a harder time than if you use virtual machines instead of docker due to the nuances of docker/containers. Having an overview diagram will help tremendously. I want to make sure we’re giving you the best advice.
I personally have not invested much time in getting intercepts working within docker. Usually, I’m finding myself using docker to host services, so traffic goes into docker, but I’m never using docker to initiate outbound traffic over OpenZiti (outbound toward some other underlay resource happens, just not outbound over OpenZiti)
I will say though, if you are using a single machine, virtual machines will be a much more realisitc excample of how OpenZiti works, particularly if you ‘bridge’ the VMs to the network to get its own IP address.
Could you provide us a diagram of the setup you’re trying to test? Is docker vital to the setup? Thanks
Indeed I am using Docker for segmentation. Everything is on 1 machine. It is not mandatory that I use Docker, I chose this because I followed the docker / docker compose quickstart guide and wanted to use it as a template and add a few things. I’m open to switch to VMs if you think it’s an easier solution.
Right now, this is only to learn OpenZiti and to provide a demonstration, not for production, but I have a usecase that involves an embedded device (running linux) sending a camera stream to a video server.
Basically, I want to tunnel the video stream trough Openziti and to the video server. Right now, this is working only if I manually add the Ziti DNS.
@Meh The Debian streaming device in network A is running container image openziti/ziti-edge-tunnel, but the container is not fully configured to have the necessary devices and privileges to manage DNS and IP routes for the Docker host’s Debian OS. Your alternatives are:
I’ve linked to the relevant docs for each alternative. My guess is that installing the Debian package is the best approach because Ziti will provide the necessary network path, i.e. there’s no need to attach the Debian streaming device directly to the Docker network.
I also added a sleep in my entrypoint script, so that the video stream would wait a bit after the tunneler was launched, so that the DNS and the path to the video server might be updated. Now everything works !
I'm glad you got it working, but I don't quite understand where the Debian package was used. Did you mean that you installed the Debian package in the RTMP client container image and then executed the tunneler with the entrypoint script?