Still have a problem, but I am calling it a night on this one.
Client is say โNo edge routers availableโ
ziti edge policy-advisor identities
ERROR: ziti-edge-router-wss
- Identity does not have access to any services. Adjust service policies.
ERROR: ziti-private-red
- Identity does not have access to any services. Adjust service policies.
ERROR: ziti-fabric-router-br
- Identity does not have access to any services. Adjust service policies.
ERROR: http-client (0) -> http.svc (5) Common Routers: (0/0) Dial: Y Bind: N
- Identity has no edge routers assigned. Adjust edge router policies.
OKAY : ziti-private-blue (1) -> http.svc (5) Common Routers: (1/1) Dial: N Bind: Y
ERROR: ziti-edge-router
- Identity does not have access to any services. Adjust service policies.
ERROR: Default Admin
- Identity does not have access to any services. Adjust service policies.
And this
ziti edge policy-advisor services
ERROR: http-client (0) -> http.svc (5) Common Routers: (0/0) Dial: Y Bind: N
- Identity has no edge routers assigned. Adjust edge router policies.
OKAY : ziti-private-blue (1) -> http.svc (5) Common Routers: (1/1) Dial: N Bind: Y
I added in the two policies commands, and they went in, but appears only the service one worked, and not the identity one.
While it is annoying that it isnโt going yet - this is the way to learn about it all!
Awesome that you ran policy-advisor! I don't see your "client" identity in the list though. Is it possible you didn't 'forget' the identity? Since you destroyed the network from before you'll want to click on the identity in the Ziti Desktop Edge for Windows (ZDEW) and "forget this identity". After you forget the identity, I'd also recommend you stop/start the ZDEW.
Could you issue:
ziti edge list identities
ziti edge list service-edge-router-policies
ziti edge list edge-router-policies
ziti edge list edge-routers
It should look pretty similar to mine:
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโฎ
โ ID โ NAME โ TYPE โ ATTRIBUTES โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโค
โ .MyZjUdeR โ http-client โ User โ http-clients โ
โ 0Ig-7E7fJ8 โ ziti-private-blue โ Router โ โ
โ 3mo-KE7i3 โ ziti-fabric-router-br โ Router โ โ
โ MKo-KrKiJ8 โ ziti-edge-router-wss โ Router โ โ
โ NREyKr7f38 โ ziti-edge-router โ Router โ โ
โ UFZQ9r9FU โ Default Admin โ User โ โ
โ c-t-7EKfJ โ ziti-private-red โ Router โ โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโฏ
results: 1-7 of 7
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโฎ
โ ID โ NAME โ SERVICE ROLES โ EDGE ROUTER ROLES โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโค
โ g6D-KE7iJ8 โ all-routers-all-services โ #all โ #all โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโฏ
results: 1-1 of 1
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ ID โ NAME โ EDGE ROUTER ROLES โ IDENTITY ROLES โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 0Ig-7E7fJ8 โ edge-router-0Ig-7E7fJ8-system โ @ziti-private-blue โ @ziti-private-blue โ
โ 3Hn-KEKiJ โ all-endpoints-public-routers โ #public โ #all โ
โ 3mo-KE7i3 โ edge-router-3mo-KE7i3-system โ @ziti-fabric-router-br โ @ziti-fabric-router-br โ
โ MKo-KrKiJ8 โ edge-router-MKo-KrKiJ8-system โ @ziti-edge-router-wss โ @ziti-edge-router-wss โ
โ NREyKr7f38 โ edge-router-NREyKr7f38-system โ @ziti-edge-router โ @ziti-edge-router โ
โ c-t-7EKfJ โ edge-router-c-t-7EKfJ-system โ @ziti-private-red โ @ziti-private-red โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโฏ
results: 1-6 of 6
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ ID โ NAME โ ONLINE โ ALLOW TRANSIT โ COST โ ATTRIBUTES โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโค
โ 0Ig-7E7fJ8 โ ziti-private-blue โ true โ true โ 0 โ ziti-private-blue โ
โ 3mo-KE7i3 โ ziti-fabric-router-br โ true โ true โ 0 โ ziti-fabric-router-br โ
โ MKo-KrKiJ8 โ ziti-edge-router-wss โ true โ true โ 0 โ public โ
โ NREyKr7f38 โ ziti-edge-router โ true โ true โ 0 โ public โ
โ c-t-7EKfJ โ ziti-private-red โ true โ true โ 0 โ ziti-private-red โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโโดโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโฏ
The really important parts are the "#all/#all" service-edge-router policy granting all edge routers the rights to all services and the "#all/#public" edge-router policy granting all identities the rights to any public routers
I also walked through the whole thing from start to finish in this newly published video:
Thanks for this Chris. These are the outputs from the command:
ziti@3d0a32a52d06:/openziti$ ziti edge list identities
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโฎ
โ ID โ NAME โ TYPE โ ATTRIBUTES โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโค
โ .hleJj.dgS โ ziti-edge-router-wss โ Router โ โ
โ JXBQHh.7gS โ ziti-private-red โ Router โ โ
โ KyzeJj.dgS โ ziti-fabric-router-br โ Router โ โ
โ Ou0DJhkdnS โ http-client โ User โ http-clients โ
โ UmzeHhk7nS โ ziti-private-blue โ Router โ โ
โ n.KQHhk7n โ ziti-edge-router โ Router โ โ
โ nD9U7p0Ob โ Default Admin โ User โ โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโฏ
results: 1-7 of 7
ziti@3d0a32a52d06:/openziti$ ziti edge list service-edge-router-policies
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโฎ
โ ID โ NAME โ SERVICE ROLES โ EDGE ROUTER ROLES โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโค
โ jG1R5ePJGF โ all-routers-all-services โ #all โ #all โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโฏ
results: 1-1 of 1
ziti@3d0a32a52d06:/openziti$ ziti edge list edge-router-policies
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ ID โ NAME โ EDGE ROUTER ROLES โ IDENTITY ROLES โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโค
โ .hleJj.dgS โ edge-router-.hleJj.dgS-system โ @ziti-edge-router-wss โ @ziti-edge-router-wss โ
โ JXBQHh.7gS โ edge-router-JXBQHh.7gS-system โ @ziti-private-red โ @ziti-private-red โ
โ KyzeJj.dgS โ edge-router-KyzeJj.dgS-system โ @ziti-fabric-router-br โ @ziti-fabric-router-br โ
โ UmzeHhk7nS โ edge-router-UmzeHhk7nS-system โ @ziti-private-blue โ @ziti-private-blue โ
โ ZiwR5epJ7F โ all-endpoints-public-routers โ #public โ #all โ
โ n.KQHhk7n โ edge-router-n.KQHhk7n-system โ @ziti-edge-router โ @ziti-edge-router โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโฏ
results: 1-6 of 6
ziti@3d0a32a52d06:/openziti$ ziti edge list edge-routers
โญโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโฌโโโโโโโโโโโโโโโโฌโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโฎ
โ ID โ NAME โ ONLINE โ ALLOW TRANSIT โ COST โ ATTRIBUTES โ
โโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโผโโโโโโโโโโโโโโโโผโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโค
โ .hleJj.dgS โ ziti-edge-router-wss โ true โ true โ 0 โ ziti-edge-router-wss โ
โ JXBQHh.7gS โ ziti-private-red โ true โ true โ 0 โ ziti-private-red โ
โ KyzeJj.dgS โ ziti-fabric-router-br โ true โ true โ 0 โ ziti-fabric-router-br โ
โ UmzeHhk7nS โ ziti-private-blue โ true โ true โ 0 โ ziti-private-blue โ
โ n.KQHhk7n โ ziti-edge-router โ true โ true โ 0 โ ziti-edge-router โ
โฐโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโดโโโโโโโโโดโโโโโโโโโโโโโโโโดโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโฏ
results: 1-5 of 5
All looks the same except for the bottom ones where you attributes are โpublicโ and mine arenโt. Not too concerned as this is around the identity that is the problem.
Had a quick look at the video, and sure I forgot the identity. Anyway will look to redo.
In your docker-compose file you should see the following environment variables for the ziti-edge-router and ziti-edge-router-wss services. Are you seeing these values ZITI_EDGE_ROUTER_ROLES=public?
If not, the easiest solution would be to just add them in manually for now until all the changes get propagated to a new โofficialโ release.
Just add this line under the environment section of those two router services.
- ZITI_EDGE_ROUTER_ROLES=public
Now that Iโm thinking about it, the reason youโre still having issues is that, while a new docker image was published, this isnโt going to update your docker-compose file.
Honestly, the easiest thing to do at this point, to get you all set up would be to download the docker-compose from the PR that was put up. This should take care of making the routers public and adding those two service policies for you all automatically.
You can find the docker-compose file with the changes here: ziti/docker-compose.yml at quickstart-first-service-fixes ยท openziti/ziti ยท GitHub
By the way, itโs unfortunate that you have to go through all of this but Iโm also we are grateful that youโre working with us to resolve these issues so future users wonโt have such a hard time as this really should not be the experience a first time user encounters.
Thanks. I added the ziti-edge-router into the all-endpoints-public-routers policy and it came alive.
As for the docker-compose file, I grabbed it last night after the changes occurred, as I had issues with versions even after a docker-compose pull. I can confirm that it is not #public.
The problem is that I used the curl link on the page which is still pointing to the incorrect docker-compose, and not the latest one from github. (I am doing this like I am a newbie everytime (which I am).
So, while it is still testing, can you put a note or something on the โhowtoโ as until it goes live, any one who tries to do this is going to fall into the same trap.
Thanks all, I have it working.
@Clint - I think it might be better to make a separate howto specifically for docker-compose to keep it all really simple, and then maybe a generic. Just thinking for those who now nothing, that all the commands are just cut/paste, instead of some of the wording which requires them to think or understand the environment - just my 2c worth.
Just another comment. Since โweโ (public) are not sure when the next release of the docker-compose will be, can you update the commands in the * Your First Service - Zero Trust Host Access* to be correct for the current public release. That is adding
# Allow all identities to use any edge router with the "public" attribute
ziti edge create edge-router-policy all-endpoints-public-routers --edge-router-roles "@ziti-edge-router" --identity-roles "#all"
# Allow all edge-routers to access all services
ziti edge create service-edge-router-policy all-routers-all-services --edge-router-roles "#public" --service-roles "#all"
but modified to be correct. I have tried to correct one, but I think I would need to correct the second one as well.
Yah... it was an oversight on my part. I forgot you'd need the updated compose file. That thing changes so rarely, I forgot to mention that. We merge PRs "really fast" so I sort of expected that we'd have it merged anyway (which it is now) but we had a window where it was out of date. It should all be good to go now though.
I have done that in the past. to be totally honest it's just a throughput thing. Trying to kill all the birds with the same stone but I can relate as to how that would be an easier experience. Same is true for the ZAC stuff since that's all very clicky/clicky. speaking of which - that bug is fixed now. I might take a swing at illustrating how to do all this with the UI.
I believe I've caught all the other feedback from before into the first service quickstart.
So at this point were you finally able to get the docker whale? 
You said it "came alive"?
Are you continuing on to something new on your OpenZiti adventure? I hope so!
Thank you team. Yes, I have the whale.
Also, I have scrapped the environment and started from scratch. Can confirm I am getting the correct docker file. So, basically I followed all the corrections in here and worked first pop, so can you make those changes permanent (may check after you done that just to make sure).
So, changes needed
a) command corrections to pull the certificates for the ZAC GUI screen as pre previous post
b) update/correction of the commands to be run
Clint - there are a few good tidbits that are in your videos (and also in this discourse) which are not being captured in the documentation, which means these nuggets that would really help are being lost. I am not sure your thoughts about knowledge base articles, but suggestions for these would be:
- adjust lifetime of jwt tokens
- log file locations
- Basic troubleshooting commands like
ziti edge policy-advisor... etc
Yes - I am still on the ziti journey. Idea was to test it out. Next on roadmap
a) make ssh server hidden from the internet (but accessible over it)
b) stand up a separate ziti network from the ground up to cement the concepts
c) Look to see how this might scale up
I have a few questions/suggestions to post, so you will see these shortly
Yay!
100% agree. It's just a problem of producing the doc - as you can tell from our exercise here it takes a long time to put it onto paper effectively and clearly. Videos and Discourse are a "cheat" of sorts. They are much less formal and the bar of excellence is different. we all absolutely agree though that the discourse and video info is important stuff. We're working towards making that all a better experience.
1.) adjusting the token lifetime - we already discussed this internally.
2.) log location - good point. it's in the github wiki right now not doc site... yet
3.) this is a great idea. these have been used/floated by discourse and on videos but not codified yet
Nice! You've seen zssh and the video on this topic, right? NetFoundry also wrote up a blog about making our bastion dark. If you haven't found those yet, I'll be happy to point them out to you!
