Docker container - updated, and now it broke

I decided to update my docker containers for the controller, router, and ZAC.

Typically, I just do this by stopping the container, deleting the containers and images, and then pulling new ones.

I start everything with scripts using the Docker CLI.

For instance, I run the controller like so:

docker run -d --restart always \
  --name ziti-controller \
  -e ZITI_CTRL_ADVERTISED_ADDRESS=home.nonya.org \
  -e ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=home.nonya.org \
  -e ZITI_USER=admin \
  -e ZITI_PWD=nonya \
  -e ZITI_CTRL_ADVERTISED_PORT=1280 \
  -e ZITI_CTRL_EDGE_ADVERTISED_PORT=1280 \
  --network plexnet \
  --network-alias ziti-controller \
  --network-alias ziti-edge-controller \
  -p 1280:1280 \
  --dns 192.168.345.1 \
  -v /data/containers/ziti:/persistent \
  openziti/quickstart \
  /var/openziti/scripts/run-controller.sh

I have done this a couple times before, and everything just goes. This time, something broke.


system has been initialized. starting the process.
NOT OVERRIDING: env var ZITI_BIN_DIR already set. using existing value
NOT OVERRIDING: env var ZITI_BIN_ROOT already set. using existing value
NOT OVERRIDING: env var ZITI_CTRL_ADVERTISED_ADDRESS already set. using existing value
NOT OVERRIDING: env var ZITI_CTRL_ADVERTISED_PORT already set. using existing value
NOT OVERRIDING: env var ZITI_CTRL_EDGE_ADVERTISED_ADDRESS already set. using existing value
NOT OVERRIDING: env var ZITI_CTRL_EDGE_ADVERTISED_PORT already set. using existing value
NOT OVERRIDING: env var ZITI_CTRL_NAME already set. using existing value
NOT OVERRIDING: env var ZITI_ENV_FILE already set. using existing value
NOT OVERRIDING: env var ZITI_HOME already set. using existing value
NOT OVERRIDING: env var ZITI_NETWORK already set. using existing value
NOT OVERRIDING: env var ZITI_PWD already set. using existing value
NOT OVERRIDING: env var ZITI_SCRIPTS already set. using existing value
NOT OVERRIDING: env var ZITI_SHARED already set. using existing value
NOT OVERRIDING: env var ZITI_USER already set. using existing value

adding /var/openziti/ziti-bin to the path
controller initialized. unsetting ZITI_USER/ZITI_PWD from env
panic: could not generate default trust domain: error generating default trust domain from root CA: no root CA detected after chain assembly from the root identity server cert and ca bundle

goroutine 1 [running]:
github.com/openziti/ziti/controller/config.LoadConfig({0x7fffdbb3871c?, 0xc0008078c0?})
        github.com/openziti/ziti/controller/config/config.go:383 +0x3445
github.com/openziti/ziti/ziti/controller.run(0xc000c16e00?, {0xc000c0e340, 0x1, 0x3a65226?})
        github.com/openziti/ziti/ziti/controller/run.go:54 +0x54a
github.com/spf13/cobra.(*Command).execute(0xc000138f08, {0xc000c0e310, 0x1, 0x1})
        github.com/spf13/cobra@v1.8.1/command.go:989 +0xab1
github.com/spf13/cobra.(*Command).ExecuteC(0x5a7f5c0)
        github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v1.8.1/command.go:1041
github.com/openziti/ziti/ziti/cmd.Execute()
        github.com/openziti/ziti/ziti/cmd/cmd.go:81 +0x1a
main.main()
        github.com/openziti/ziti/ziti/main.go:51 +0xf

The certificate errors make me nervous because I have some remote routers and I really do not want to break them.

Thanks for the help

panic: could not generate default trust domain: error generating default trust domain from root CA: no root CA detected after chain assembly from the root identity server cert and ca bundle

This is a new issue. A recent release made this field required.

Find your controller config file and add a top-level entry such as:

trustDomain: any.value.you.like.here

We're still working through the change to HA controllers, and nowadays a trust domain needs to be specified. It can be whatever you like it to be. Once we get further along, this config item might become unnecessary, but for now you should be able to add that entry and get back up and running.

Same sort of post previously seen here: Controller doesn't start after 1.1.7 update - #2 by qrkourier
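
The fix described in the reply above, as an added example that is not part of the original thread and is not OpenZiti tooling: a small idempotent check that adds a top-level `trustDomain` entry only when it is missing and keeps a backup of the config first. The function name, the backup naming and the character restriction on the value are assumptions; the config path and trust domain value are supplied by the operator.

```shell
#!/bin/sh
# Added example (not OpenZiti tooling): ensure the controller config has a
# top-level trustDomain entry. Path and value are supplied by the operator.
# Usage: ensure_trust_domain CONFIG_FILE TRUST_DOMAIN
# Returns 0 if the key was already present or was added, 2 on error.
ensure_trust_domain() {
    cfg=$1
    domain=$2

    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 2; }

    # Assumption: restrict the value to plain hostname-like characters so the
    # appended line is always valid unquoted YAML.
    case "$domain" in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing trust domain value: '$domain'" >&2
            return 2 ;;
    esac

    # Only a key starting in column 0 is top-level; indented or commented
    # occurrences do not count as the top-level entry the reply asks for.
    if grep -Eq '^trustDomain[[:space:]]*:' "$cfg"; then
        echo "unchanged: $(grep -E '^trustDomain[[:space:]]*:' "$cfg")"
        return 0
    fi

    # Keep a timestamped copy so the edit can be rolled back.
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$backup" || return 2

    # Make sure the file ends with a newline before appending the key.
    if [ -n "$(tail -c 1 "$cfg")" ]; then
        printf '\n' >> "$cfg"
    fi
    printf 'trustDomain: %s\n' "$domain" >> "$cfg"
    echo "added trustDomain: $domain (backup: $backup)"
}

# Run directly: sh ensure_trust_domain.sh /path/to/controller-config.yaml my.trust.domain
if [ "$#" -ge 2 ]; then
    ensure_trust_domain "$1" "$2"
fi
```

Run it against the controller config file inside the persistent volume while the controller is stopped, then start the container again and confirm the panic no longer appears in the logs.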

Thanks! It was not clear (to me) from the error that there was a missing config option!