Following on from quickstart

Still have a problem, but I am calling it a night on this one.

Client is saying “No edge routers available”

ziti edge policy-advisor identities
ERROR: ziti-edge-router-wss 
  - Identity does not have access to any services. Adjust service policies.

ERROR: ziti-private-red 
  - Identity does not have access to any services. Adjust service policies.

ERROR: ziti-fabric-router-br 
  - Identity does not have access to any services. Adjust service policies.

ERROR: http-client (0) -> http.svc (5) Common Routers: (0/0) Dial: Y Bind: N 
  - Identity has no edge routers assigned. Adjust edge router policies.

OKAY : ziti-private-blue (1) -> http.svc (5) Common Routers: (1/1) Dial: N Bind: Y 

ERROR: ziti-edge-router 
  - Identity does not have access to any services. Adjust service policies.

ERROR: Default Admin 
  - Identity does not have access to any services. Adjust service policies.

And this

ziti edge policy-advisor services
ERROR: http-client (0) -> http.svc (5) Common Routers: (0/0) Dial: Y Bind: N 
  - Identity has no edge routers assigned. Adjust edge router policies.

OKAY : ziti-private-blue (1) -> http.svc (5) Common Routers: (1/1) Dial: N Bind: Y

I added in the two policy commands, and they went in, but it appears only the service one worked, and not the identity one.

While it is annoying that it isn’t going yet - this is the way to learn about it all!

Awesome that you ran policy-advisor! I don’t see your “client” identity in the list though. Is it possible you didn’t ‘forget’ the identity? Since you destroyed the network from before you’ll want to click on the identity in the Ziti Desktop Edge for Windows (ZDEW) and “forget this identity”. After you forget the identity, I’d also recommend you stop/start the ZDEW.

Could you issue:

ziti edge list identities
ziti edge list service-edge-router-policies
ziti edge list edge-router-policies
ziti edge list edge-routers

It should look pretty similar to mine:

╭────────────┬───────────────────────┬────────┬──────────────╮
│ ID         │ NAME                  │ TYPE   │ ATTRIBUTES   │
├────────────┼───────────────────────┼────────┼──────────────┤
│ .MyZjUdeR  │ http-client           │ User   │ http-clients │
│ 0Ig-7E7fJ8 │ ziti-private-blue     │ Router │              │
│ 3mo-KE7i3  │ ziti-fabric-router-br │ Router │              │
│ MKo-KrKiJ8 │ ziti-edge-router-wss  │ Router │              │
│ NREyKr7f38 │ ziti-edge-router      │ Router │              │
│ UFZQ9r9FU  │ Default Admin         │ User   │              │
│ c-t-7EKfJ  │ ziti-private-red      │ Router │              │
╰────────────┴───────────────────────┴────────┴──────────────╯
results: 1-7 of 7
╭────────────┬──────────────────────────┬───────────────┬───────────────────╮
│ ID         │ NAME                     │ SERVICE ROLES │ EDGE ROUTER ROLES │
├────────────┼──────────────────────────┼───────────────┼───────────────────┤
│ g6D-KE7iJ8 │ all-routers-all-services │ #all          │ #all              │
╰────────────┴──────────────────────────┴───────────────┴───────────────────╯
results: 1-1 of 1
╭────────────┬───────────────────────────────┬────────────────────────┬────────────────────────╮
│ ID         │ NAME                          │ EDGE ROUTER ROLES      │ IDENTITY ROLES         │
├────────────┼───────────────────────────────┼────────────────────────┼────────────────────────┤
│ 0Ig-7E7fJ8 │ edge-router-0Ig-7E7fJ8-system │ @ziti-private-blue     │ @ziti-private-blue     │
│ 3Hn-KEKiJ  │ all-endpoints-public-routers  │ #public                │ #all                   │
│ 3mo-KE7i3  │ edge-router-3mo-KE7i3-system  │ @ziti-fabric-router-br │ @ziti-fabric-router-br │
│ MKo-KrKiJ8 │ edge-router-MKo-KrKiJ8-system │ @ziti-edge-router-wss  │ @ziti-edge-router-wss  │
│ NREyKr7f38 │ edge-router-NREyKr7f38-system │ @ziti-edge-router      │ @ziti-edge-router      │
│ c-t-7EKfJ  │ edge-router-c-t-7EKfJ-system  │ @ziti-private-red      │ @ziti-private-red      │
╰────────────┴───────────────────────────────┴────────────────────────┴────────────────────────╯
results: 1-6 of 6

╭────────────┬───────────────────────┬────────┬───────────────┬──────┬───────────────────────╮
│ ID         │ NAME                  │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES            │
├────────────┼───────────────────────┼────────┼───────────────┼──────┼───────────────────────┤
│ 0Ig-7E7fJ8 │ ziti-private-blue     │ true   │ true          │    0 │ ziti-private-blue     │
│ 3mo-KE7i3  │ ziti-fabric-router-br │ true   │ true          │    0 │ ziti-fabric-router-br │
│ MKo-KrKiJ8 │ ziti-edge-router-wss  │ true   │ true          │    0 │ public                │
│ NREyKr7f38 │ ziti-edge-router      │ true   │ true          │    0 │ public                │
│ c-t-7EKfJ  │ ziti-private-red      │ true   │ true          │    0 │ ziti-private-red      │
╰────────────┴───────────────────────┴────────┴───────────────┴──────┴───────────────────────╯

The really important parts are the “#all/#all” service-edge-router policy granting all edge routers the rights to all services and the “#all/#public” edge-router policy granting all identities the rights to any public routers.

I also walked through the whole thing from start to finish in this newly published video:

Thanks for this Chris. These are the outputs from the command:

ziti@3d0a32a52d06:/openziti$ ziti edge list identities
╭────────────┬───────────────────────┬────────┬──────────────╮
│ ID         │ NAME                  │ TYPE   │ ATTRIBUTES   │
├────────────┼───────────────────────┼────────┼──────────────┤
│ .hleJj.dgS │ ziti-edge-router-wss  │ Router │              │
│ JXBQHh.7gS │ ziti-private-red      │ Router │              │
│ KyzeJj.dgS │ ziti-fabric-router-br │ Router │              │
│ Ou0DJhkdnS │ http-client           │ User   │ http-clients │
│ UmzeHhk7nS │ ziti-private-blue     │ Router │              │
│ n.KQHhk7n  │ ziti-edge-router      │ Router │              │
│ nD9U7p0Ob  │ Default Admin         │ User   │              │
╰────────────┴───────────────────────┴────────┴──────────────╯
results: 1-7 of 7
ziti@3d0a32a52d06:/openziti$ ziti edge list service-edge-router-policies
╭────────────┬──────────────────────────┬───────────────┬───────────────────╮
│ ID         │ NAME                     │ SERVICE ROLES │ EDGE ROUTER ROLES │
├────────────┼──────────────────────────┼───────────────┼───────────────────┤
│ jG1R5ePJGF │ all-routers-all-services │ #all          │ #all              │
╰────────────┴──────────────────────────┴───────────────┴───────────────────╯
results: 1-1 of 1
ziti@3d0a32a52d06:/openziti$ ziti edge list edge-router-policies
╭────────────┬───────────────────────────────┬────────────────────────┬────────────────────────╮
│ ID         │ NAME                          │ EDGE ROUTER ROLES      │ IDENTITY ROLES         │
├────────────┼───────────────────────────────┼────────────────────────┼────────────────────────┤
│ .hleJj.dgS │ edge-router-.hleJj.dgS-system │ @ziti-edge-router-wss  │ @ziti-edge-router-wss  │
│ JXBQHh.7gS │ edge-router-JXBQHh.7gS-system │ @ziti-private-red      │ @ziti-private-red      │
│ KyzeJj.dgS │ edge-router-KyzeJj.dgS-system │ @ziti-fabric-router-br │ @ziti-fabric-router-br │
│ UmzeHhk7nS │ edge-router-UmzeHhk7nS-system │ @ziti-private-blue     │ @ziti-private-blue     │
│ ZiwR5epJ7F │ all-endpoints-public-routers  │ #public                │ #all                   │
│ n.KQHhk7n  │ edge-router-n.KQHhk7n-system  │ @ziti-edge-router      │ @ziti-edge-router      │
╰────────────┴───────────────────────────────┴────────────────────────┴────────────────────────╯
results: 1-6 of 6
ziti@3d0a32a52d06:/openziti$ ziti edge list edge-routers
╭────────────┬───────────────────────┬────────┬───────────────┬──────┬───────────────────────╮
│ ID         │ NAME                  │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES            │
├────────────┼───────────────────────┼────────┼───────────────┼──────┼───────────────────────┤
│ .hleJj.dgS │ ziti-edge-router-wss  │ true   │ true          │    0 │ ziti-edge-router-wss  │
│ JXBQHh.7gS │ ziti-private-red      │ true   │ true          │    0 │ ziti-private-red      │
│ KyzeJj.dgS │ ziti-fabric-router-br │ true   │ true          │    0 │ ziti-fabric-router-br │
│ UmzeHhk7nS │ ziti-private-blue     │ true   │ true          │    0 │ ziti-private-blue     │
│ n.KQHhk7n  │ ziti-edge-router      │ true   │ true          │    0 │ ziti-edge-router      │
╰────────────┴───────────────────────┴────────┴───────────────┴──────┴───────────────────────╯
results: 1-5 of 5

All looks the same except for the bottom ones where your attributes are “public” and mine aren’t. Not too concerned as this is around the identity that is the problem.

Had a quick look at the video, and sure I forgot the identity. Anyway will look to redo.

In your docker-compose file you should see the following environment variables for the ziti-edge-router and ziti-edge-router-wss services. Are you seeing these values ZITI_EDGE_ROUTER_ROLES=public?

If not, the easiest solution would be to just add them in manually for now until all the changes get propagated to a new “official” release.

Just add this line under the environment section of those two router services.
- ZITI_EDGE_ROUTER_ROLES=public

Now that I’m thinking about it, the reason you’re still having issues is that, while a new docker image was published, this isn’t going to update your docker-compose file.

Honestly, the easiest thing to do at this point, to get you all set up would be to download the docker-compose from the PR that was put up. This should take care of making the routers public and adding those two service policies for you all automatically.

You can find the docker-compose file with the changes here: ziti/docker-compose.yml at quickstart-first-service-fixes · openziti/ziti · GitHub

By the way, it’s unfortunate that you have to go through all of this but we are also grateful that you’re working with us to resolve these issues so future users won’t have such a hard time, as this really should not be the experience a first-time user encounters.

Thanks. I added the ziti-edge-router into the all-endpoints-public-routers policy and it came alive.

As for the docker-compose file, I grabbed it last night after the changes occurred, as I had issues with versions even after a docker-compose pull. I can confirm that it is not #public.

The problem is that I used the curl link on the page which is still pointing to the incorrect docker-compose, and not the latest one from github. (I am doing this like I am a newbie every time (which I am).)

So, while it is still testing, can you put a note or something on the ‘howto’ as until it goes live, anyone who tries to do this is going to fall into the same trap.

Thanks all, I have it working.
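
The role matching behind the failure and the fix discussed in this thread, as an added example (not code from the thread or from the OpenZiti project). It is a simplified model that assumes AnyOf semantics for `#all`, `#attribute` and `@name` roles; the function names are hypothetical and the router, identity and policy data are constructed from the listings above.

```python
# Simplified model of OpenZiti role matching, written for this example:
# "#all" selects every entity, "#attr" selects entities carrying that role
# attribute, "@name" selects one entity by name; a policy side matches if
# ANY of its roles match (AnyOf semantics assumed).

def matches(roles, name, attrs):
    return any(
        role == "#all"
        or (role.startswith("#") and role[1:] in attrs)
        or (role.startswith("@") and role[1:] == name)
        for role in roles
    )

def select(roles, entities):
    """Names of the entities (name -> attribute set) selected by `roles`."""
    return {n for n, attrs in entities.items() if matches(roles, n, attrs)}

def routers_for(name, entities, routers, policies, side):
    """Union of routers granted to `name` by every policy whose `side` selects it."""
    allowed = set()
    for pol in policies:
        if name in select(pol[side], entities):
            allowed |= select(pol["edge_router_roles"], routers)
    return allowed

ROUTER_NAMES = ["ziti-edge-router", "ziti-edge-router-wss", "ziti-private-blue",
                "ziti-private-red", "ziti-fabric-router-br"]
# Failing setup: every router is tagged only with its own name.
FAILING = {n: {n} for n in ROUTER_NAMES}
# Working setup: the two edge routers carry the "public" attribute instead.
WORKING = {**FAILING, "ziti-edge-router": {"public"}, "ziti-edge-router-wss": {"public"}}

# Identities as listed; router identities carry no attributes.
IDENTITIES = {"http-client": {"http-clients"}, "Default Admin": set(),
              **{n: set() for n in ROUTER_NAMES}}
SERVICES = {"http.svc": set()}  # service attributes are not shown in the thread
SER_POLICIES = [{"service_roles": ["#all"], "edge_router_roles": ["#all"]}]

def er_policies(public_policy_roles):
    """Per-router system policies plus all-endpoints-public-routers."""
    system = [{"edge_router_roles": ["@" + n], "identity_roles": ["@" + n]}
              for n in ROUTER_NAMES]
    return system + [{"edge_router_roles": list(public_policy_roles),
                      "identity_roles": ["#all"]}]

def common_routers(identity, routers, public_policy_roles=("#public",)):
    """Routers usable by both the identity and http.svc."""
    by_identity = routers_for(identity, IDENTITIES, routers,
                              er_policies(public_policy_roles), "identity_roles")
    by_service = routers_for("http.svc", SERVICES, routers,
                             SER_POLICIES, "service_roles")
    return by_identity & by_service

if __name__ == "__main__":
    print(sorted(common_routers("http-client", FAILING)))   # "#public" selects nothing
    print(sorted(common_routers("http-client", WORKING)))   # both public routers
    # Assumed form of the fix reported above: the router named in the policy.
    print(sorted(common_routers("http-client", FAILING, ("#public", "@ziti-edge-router"))))
```

The empty result for the failing setup corresponds to the policy-advisor line reporting no edge routers for `http-client`, while `ziti-private-blue` still reaches one router through its own system policy.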

@Clint - I think it might be better to make a separate howto specifically for docker-compose to keep it all really simple, and then maybe a generic. Just thinking for those who know nothing, that all the commands are just cut/paste, instead of some of the wording which requires them to think or understand the environment - just my 2c worth.

Just another comment. Since “we” (public) are not sure when the next release of the docker-compose will be, can you update the commands in the *Your First Service - Zero Trust Host Access* to be correct for the current public release. That is adding

# Allow all identities to use any edge router with the "public" attribute
ziti edge create edge-router-policy all-endpoints-public-routers --edge-router-roles "@ziti-edge-router" --identity-roles "#all"

# Allow all edge-routers to access all services
ziti edge create service-edge-router-policy all-routers-all-services --edge-router-roles "#public" --service-roles "#all"

but modified to be correct. I have tried to correct one, but I think I would need to correct the second one as well.

Yah… it was an oversight on my part. I forgot you’d need the updated compose file. That thing changes so rarely, I forgot to mention that. We merge PRs “really fast” so I sort of expected that we’d have it merged anyway (which it is now) but we had a window where it was out of date. It should all be good to go now though.

I have done that in the past. To be totally honest it’s just a throughput thing. Trying to kill all the birds with the same stone but I can relate as to how that would be an easier experience. Same is true for the ZAC stuff since that’s all very clicky/clicky. Speaking of which - that bug is fixed now. I might take a swing at illustrating how to do all this with the UI.

I believe I’ve caught all the other feedback from before into the first service quickstart.

So at this point were you finally able to get the docker whale? :slight_smile: You said it “came alive”?

Are you continuing on to something new on your OpenZiti adventure? I hope so! :slight_smile:

Thank you team. Yes, I have the whale.
Also, I have scrapped the environment and started from scratch. Can confirm I am getting the correct docker file. So, basically I followed all the corrections in here and it worked first pop, so can you make those changes permanent (may check after you have done that just to make sure).

So, changes needed
a) command corrections to pull the certificates for the ZAC GUI screen as per previous post
b) update/correction of the commands to be run

Clint - there are a few good tidbits that are in your videos (and also in this discourse) which are not being captured in the documentation, which means these nuggets that would really help are being lost. I am not sure your thoughts about knowledge base articles, but suggestions for these would be:

  1. adjust lifetime of jwt tokens
  2. log file locations
  3. Basic troubleshooting commands like ziti edge policy-advisor... etc

Yes - I am still on the ziti journey. Idea was to test it out. Next on roadmap
a) make ssh server hidden from the internet (but accessible over it)
b) stand up a separate ziti network from the ground up to cement the concepts
c) Look to see how this might scale up

I have a few questions/suggestions to post, so you will see these shortly

Yay!

100% agree. It’s just a problem of producing the doc - as you can tell from our exercise here it takes a long time to put it onto paper effectively and clearly. Videos and Discourse are a “cheat” of sorts. They are much less formal and the bar of excellence is different. We all absolutely agree though that the Discourse and video info is important stuff. We’re working towards making that all a better experience.

1.) adjusting the token lifetime - we already discussed this internally.
2.) log location - good point. It’s in the github wiki right now, not the doc site… yet
3.) this is a great idea. these have been used/floated by discourse and on videos but not codified yet

Nice! You’ve seen zssh and the video on this topic, right? NetFoundry also wrote up a blog about making our bastion dark. If you haven’t found those yet, I’ll be happy to point them out to you!