Docker Deployment Router

Hello,
Today I am deploying a small test infrastructure.
I use a server that hosts the controller and the router in containers; this server will have an identity.
I also have my workstation.

When I deploy the Controller with ZAC it works smoothly, but when deploying the router, errors start occurring...

First, following the official doc, I deploy my router container as a "host" router, but the container keeps restarting. In the logs I found:

{"error":"tunneling not enabled","file":"github.com/openziti/ziti/router/xgress_edge_tunnel/servicepoll.go:105","func":"github.com/openziti/ziti/router/xgress_edge_tunnel.(*servicePoller).pollServices","level":"fatal","msg":"xgress_edge_tunnel unable to authenticate to controller. ensure tunneler mode is enabled for this router or disable tunnel listener. exiting ","time":"2024-12-30T20:05:50.377Z"}

So basically I had to redeploy it as tproxy.

Then I was thinking I was done, but there was no documentation explaining that after installing the RTR and CTRL I should create an EDGE ROUTER POLICY and a SERVICE EDGE ROUTER POLICY in order to use my router properly.

Maybe the documentation for deploying the router could be reworked?

The error means the router's tunneling features are not administratively enabled. You can update the settings like this.

ziti edge update edge-router "router1" --tunneler-enabled

The router process will exit with an error if tunneling is not administratively enabled and the router's configuration YAML file has a tunnel binding mode other than none. I expect you encountered the same issue with modes host and tproxy.


I see what you mean about next steps. The concept docs about authZ are expansive, and you're looking for a step-by-step guide that's suitable for most cases, right?

Here's an overview of my habitual deployment procedure.

  1. Deploy controller(s) - includes generating a PKI
  2. Create router(s)
  3. Deploy router(s) - includes enrollment
  4. Create a default router policy (ERP) like #all/#public. This allows me to identify routers that listen on a public IP with the #public role.
  5. Create a default service router policy (SERP) like #all/#all.

Now that the OpenZiti network is set up, I'll create and authorize identities and services.
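The two things above (the `--tunneler-enabled` fix and the five-step bootstrap) scripted with the ziti CLI, as an added example that is not part of the original post or of the OpenZiti project. It assumes the controller is already deployed and that `ziti edge login` has been run against it; the router name `router1`, the policy names `public-routers` and `all-services`, and the `public` role attribute are placeholders. Router enrollment (step 3) is not scripted because in the Docker deployment it happens inside the router container from the emitted JWT. Setting `ZITI` to a shim command (for example `ZITI=echo`) dry-runs the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenZiti project.
# Assumes: controller is up and `ziti edge login` has already been done.
set -eu

ZITI="${ZITI:-ziti}"   # ziti binary; override (e.g. ZITI=echo) to dry-run

# Step 2: create the router with tunneling administratively enabled so that a
# tunnel listener (host or tproxy mode) in its config YAML does not make the
# router process exit with "tunneling not enabled". Also tag it #public so the
# default router policy can select it. The JWT goes to $2 for enrollment.
create_router() {
  name="$1"; jwt="$2"
  "$ZITI" edge create edge-router "$name" \
    --tunneler-enabled \
    --role-attributes public \
    --jwt-output-file "$jwt"
}

# Fix for a router that was created without tunneling (the error in the
# original post): flip the administrative flag, then restart the container.
enable_tunneling() {
  name="$1"
  "$ZITI" edge update edge-router "$name" --tunneler-enabled
}

# Steps 4 and 5: default policies.
#  ERP  #all/#public : every identity may use routers carrying the #public role
#  SERP #all/#all    : every service may be reached through every router
create_default_policies() {
  "$ZITI" edge create edge-router-policy public-routers \
    --identity-roles '#all' \
    --edge-router-roles '#public'
  "$ZITI" edge create service-edge-router-policy all-services \
    --service-roles '#all' \
    --edge-router-roles '#all'
}

# Check: both policy lists should now contain the defaults.
verify_policies() {
  "$ZITI" edge list edge-router-policies
  "$ZITI" edge list service-edge-router-policies
}

main() {
  create_router router1 router1.jwt
  create_default_policies
  verify_policies
}

# Only run against a live controller when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
  main "$@"
fi
```

Run it as `sh bootstrap.sh --apply` once logged in; the router container then enrolls with `router1.jwt` and, with the ERP/SERP in place, identities and services created afterwards can use it without further router-side changes.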

Exactly, a step-by-step guide that's suitable for most cases could be interesting to link somewhere in each deployment documentation. In my case it would have saved me a lot of time.

Your five steps are great and enough for a basic deployment, but I never saw something like that in any deployment documentation. I was thinking it could be interesting to mention it in the docs...
