Enrolling an identity on local desktop from a controller in a docker container on a remote server

What am I trying to do

Enroll an identity from a controller in a docker container on a remote server.

  1. I created the identity on the server
  2. I copied the jwt file to my local desktop
  3. I enrolled the jwt file using the Desktop edge app

What happened

It did not connect.

Areas for assistance

Checking if this is possible… maybe there is something that I need to have setup in the Docker container for this to happen.

Let me know if you have any tips.

I don’t quite understand if you are “enrolling an identity from a controller”, IN a docker environment, on a remote server – or – if you are trying to “enroll an identity from a controller in a docker container”, on a remote server. I don’t know if you can see why I’m confused.

Here’s what I feel like you’re doing. I feel like you started the controller in a docker container, and you’re now trying to enroll an identity from that controller on some other server/machine.

This is entirely possible. You will need to expose the controller port. If you look at the compose files which OpenZiti provides, this is done for you. You’ll see port 1280 and port 3022 are exposed in those files. You’ll also need to expose these ports through your host firewall as well.

Where this will break down is in the config of the ziti-controller. You need to inform the controller to advertise a different address. By default, it’ll be using an advertisement of “ziti-edge-controller”. This address is embedded into the jwt which you’re trying to enroll. Then, “remote computer” will try to connect to the controller at “ziti-edge-controller” and it will have no concept of how to resolve “ziti-edge-controller” to the proper ip of “physical machine” (shown below).

Edit the ziti controller config file at /openziti/ziti-edge-controller.yaml and modify

edge:
  api:
    address: ziti-edge-controller:1280 _____change this_____

and

web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:1280
        address: ziti-edge-controller:1280 _____change this_____

You’ll then stop/start this container without destroying the volume and it should work.


Thanks for the details… this is what I needed help with. I am starting to test new ways of working with the controller.

With this in place, I should also be able to access the ZAC panel deep within the Docker container… which is something else I am also going to give a go.

Much appreciated.

The ZAC is also exposed by default in the docker-compose files. If you want to make your docker ZAC dark, you’ll want to “not expose” the UI. glhf


Thanks… also realised the importance of changing the admin password for this scenario 🙂

Quick check-in to see if I have missed anything.

I am still unable to enroll an identity on my desktop that was created in a controller in the docker container.

Steps followed:

  1. change admin password
  2. update controller yaml (replace host name with IP address of the server)
  3. open ports on firewall and VCN: 1280, 3022
  4. docker-compose down
  5. docker-compose up -d
  6. create identity, copy to desktop and enrol the identity

For some reason, it is still unable to reach the controller.

Any tips

This is what you need to figure out. The best thing you should do is put your jwt into jwt.io and confirm what the address is from the jwt. Once you know the "iss" (the hostname to contact) you might be able to figure out why it's not working.

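The two replies above boil down to one check: the address embedded in the enrollment jwt's "iss" claim must be a name or IP the desktop can actually resolve and reach, and the same address must appear in the controller yaml's edge.api.address and web bindPoint address. The script below is an added example, not OpenZiti's own code, that performs that check locally. Reading the claim on your own machine keeps the one-time enrollment token off a third-party website. The sample token and the sample controller yaml are constructed here (the token is unsigned and carries only standard JWT claims, so it says nothing about the real token layout beyond "iss"), and the default port 1280 and the router port 3022 are taken from the thread.

```python
"""Read the controller address out of an enrollment JWT and check the controller config.

Added example, not OpenZiti's own code. The "iss" claim is read WITHOUT verifying
the signature: verification needs the controller's public key, and for this
diagnosis only the claim value matters.
"""
import base64
import json
import socket
from urllib.parse import urlparse

DEFAULT_SERVICE_NAME = "ziti-edge-controller"   # name advertised by the stock compose config


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(iss: str) -> str:
    """Build a constructed, unsigned JWT carrying the given issuer.

    Only standard claims are populated and the signature segment is a placeholder,
    so the result is not a usable OpenZiti credential (assumption: real tokens
    carry more claims than these)."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": "constructed-identity-id",
              "exp": 1700000000, "jti": "constructed-token-id"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     "placeholder-signature"])


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def controller_endpoint(iss: str) -> tuple:
    """Split the issuer into (host, port); a bare host:port is accepted too."""
    parsed = urlparse(iss if "://" in iss else "https://" + iss)
    if parsed.hostname is None:
        raise ValueError(f"cannot parse host from iss={iss!r}")
    return parsed.hostname, parsed.port or 1280


def resolve_host(host: str):
    """Resolve with the local resolver; None when the name cannot be resolved."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def diagnose(token: str, resolve=resolve_host) -> dict:
    """Explain why the desktop might not reach the controller named in the token."""
    claims = decode_jwt_claims(token)
    host, port = controller_endpoint(claims["iss"])
    result = {"host": host, "port": port,
              "default_service_name": host == DEFAULT_SERVICE_NAME,
              "resolved": resolve(host), "notes": []}
    if result["default_service_name"]:
        result["notes"].append(
            "iss still carries the compose service name; it only resolves inside the "
            "docker network, so edge.api.address and the web bindPoint address in "
            "ziti-edge-controller.yaml must name the server's public hostname or IP")
    elif result["resolved"] is None:
        result["notes"].append(f"{host} does not resolve from this machine")
    result["notes"].append(f"TCP {port} (controller) and 3022 (edge router) must be "
                           "open on the host firewall and any cloud network rules")
    return result


def flag_default_addresses(yaml_text: str) -> list:
    """Line numbers in a controller config that still advertise the default name.

    A plain text scan, so no YAML library is needed for the compose-provided file."""
    return [n for n, line in enumerate(yaml_text.splitlines(), 1)
            if line.strip().startswith("address:") and DEFAULT_SERVICE_NAME in line]


# Constructed stand-in for /openziti/ziti-edge-controller.yaml before editing.
SAMPLE_CONTROLLER_YAML = """\
edge:
  api:
    address: ziti-edge-controller:1280
web:
  - name: client-management
    bindPoints:
      - interface: 0.0.0.0:1280
        address: ziti-edge-controller:1280
"""

if __name__ == "__main__":
    for iss in ("https://ziti-edge-controller:1280", "https://203.0.113.10:1280"):
        report = diagnose(make_sample_token(iss))
        print(f"{report['host']}:{report['port']} -> " + "; ".join(report["notes"]))
    print("config lines still advertising the default name:",
          flag_default_addresses(SAMPLE_CONTROLLER_YAML))
```

To use it on a real token, pass the contents of the .jwt file to diagnose() instead of make_sample_token(); the resolver is injectable so the check can also be run against a fixed answer when the desktop's DNS is part of what is being debugged.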

Getting closer… I made the changes to the controller yaml file.

I also realised that the edge router also needed to be updated… which is probably where the issue is now.

however, when I start / stop docker

  1. the controller yaml file retains the edits
  2. the edge router yaml file reverts back to the original settings

So… rather than try to delete / recreate this edge router… I will just create a second edge router with the right details… and see if that resolves the issue

I got most of the way through creating a second edge router… but then I started to hit different types of errors when I tried to run it… as it could not find the PKI certificates.

So… I thought to check in

While I find it an interesting configuration… it's starting to be more work than it's worth…

It would be interesting to know if others have this working… and what changes they needed to make.

This sounds like a bug in the docker compose stuff. I bet it's recreating the router config each time.


That is what I have observed…