Help designing OpenZiti network

Hello!

I think OpenZiti is really cool and I want to build something beyond the docker compose quickstart. I have a couple machines running macOS and I want to create an OpenZiti network with a service running the open-webui for ollama in docker compose, so that others in my network can access it. I am here because I got stuck trying to set it up :smiley:

Below is the basic idea of what I want to do.

I already have a controller set up in AWS and am able to access the admin console.

What I am not sure how to do is set up the service machine in docker compose such that the docker tunneler gives access to open-webui also running in the same docker compose.

I started by trying to follow these instructions to set up the tunneler using the ZITI_ENROLL_TOKEN, but the container couldn't initialize properly and just kept restarting, citing the following errors:

2024-11-25 17:04:33 ERROR: failed to enroll with token from /ziti-edge-tunnel/ziti_id.jwt (1033B)
2024-11-25 17:04:40 WARN: clobbering non-empty Ziti enrollment token file /ziti-edge-tunnel/ziti_id.jwt with contents of env var ZITI_ENROLL_TOKEN
2024-11-25 17:04:40 (7)[        0.000]    INFO ziti-sdk:utils.c:198 ziti_log_set_level() set log level: root=3/INFO
2024-11-25 17:04:40 (7)[        0.000]    INFO ziti-sdk:utils.c:169 ziti_log_init() Ziti C SDK version 1.2.0 @g6f3ae93(HEAD) starting at (2024-11-26T00:04:40.080)
2024-11-25 17:04:40 (7)[        0.000]    INFO ziti-sdk:ziti_enroll.c:141 ziti_enroll() Ziti C SDK version 1.2.0 @g6f3ae93(HEAD) starting enrollment at (2024-11-26T00:04:40.080)

2024-11-25 17:05:18 DEBUG: waiting 3s for /ziti-edge-tunnel/ziti_id.json (or token) to appear
2024-11-25 17:05:18 DEBUG: identity file /ziti-edge-tunnel/ziti_id.json not found

I'll follow up here on your other thread, if that's ok? You started it here, Ken replied and you replied back... If you don't mind, let's pick it up from here.

Sorry about Discourse blocking your post! I have cleared the "is this spam" flag. If you write your post "too fast" Discourse thinks you're a bot. I understand though, I often compose my text in a different/bigger window first too...

As to that question you asked over there, which I think is relevant here, you had asked:

Could you give an example of a docker compose yaml file demonstrating this?

referring to using one docker container as another container's 'network' and melding them together, kubernetes "pod-like".

It'll take me a bit but I'll cook up an example and follow up tonight or tomorrow. Welcome to OpenZiti and to the community! I'll follow up shortly


I was rereading your post and this caught my eye. Yes, this makes me think the deployment has a problem. Generally, this is caused by not having the proper variables set when doing the "Host It Anywhere" installation. Notably these variables:

The ziti CLI has built into it a mechanism to verify your network for traffic. Can you run the command from the mac?

First, use the ziti CLI and authenticate to your controller from the mac:

ziti edge login "${ZITI_EDGE_CONTROLLER_API}" -u "${ZITI_USER-}" -p "${ZITI_PWD}" -y

Then run,

ziti ops verify-traffic

You'll see something that looks like this. Let's make sure that works and succeeds

How do you install the cli without setting up a local network? That is one of the things that has confused me a bit too. It seems like the cli is useful for configuring any ziti network that I could authenticate to, but the installation docs that I have seen all show that installing the cli includes setting up a local test network, which I may not want every time.

Oh, there are a myriad of ways, ranging from "you don't" (just download the exe from the releases page and run it) to installing the package for your OS if you're on Linux.

The root download page is at Downloads | OpenZiti

You're on macOS, we don't have a brew command for that yet. You can source the ziti-cli-functions.sh helper script if you want (standard disclosure: you should read the script first, as a best-practice of course)

Then you can run getZiti. For example, I often will run:

source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"; getZiti yes

You'll see something like:

Then ziti is on your path for that session...

For windows, there's no choco/scoop/winget package yet but you can run a powershell:

iex(iwr -Uri https://get.openziti.io/quick/getZiti.ps1)

For linux, you can run the same:

source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"; getZiti yes

or you can install it as a package and manage it that way: Downloads | OpenZiti

Thanks! Yeah, a brew command would be awesome.

Okay, so I tried the above and it failed with a bunch of errors like this:

RESTY 2024/11/26 10:46:10 ERROR Post "https://ec2-3-142-189-241.us-east-2.compute.amazonaws.com:8441/edge/management/v1/identities/KCRBwLJ09/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-31-21-181.us-east-2.compute.internal, localhost, not ec2-3-142-189-241.us-east-2.compute.amazonaws.com, Attempt 1

I think that somewhere in the expressInstall script, it is using hostname instead of the EXTERNAL_DNS value I set.

hostname produces ip-172-31-21-181.us-east-2.compute.internal

but my public DNS in AWS is ec2-3-142-189-241.us-east-2.compute.amazonaws.com

I'm confident you didn't set the environment variables correctly. I would say "start over". It's quick enough...

You can reset the quickstart pretty easily...

Those instructions should also start with "if you enabled systemd, stop the units: sudo systemctl stop ziti-controller; sudo systemctl stop ziti-router"

Ok, I nuked my install. However, I am still not sure what to do about the EXTERNAL_DNS. In my AWS console, they give me a public dns that is slightly different from what hostname produces like I commented above. Which one do I use?

I should have expanded... You really need to restart. The setting of the PKI is a vital first step. If it's not done correctly, it all needs to be redone and starting over is the easiest way...

Since you're using AWS it's actually quite easy. AWS provides a handy url you can curl to set it:

export EXTERNAL_DNS="$(curl -sk http://169.254.169.254/latest/meta-data/public-hostname)"
echo "This server external DNS: $EXTERNAL_DNS"
. $HOME/.ziti/quickstart/$(hostname)/$(hostname).env

:point_up: I put that in all my AWS .bashrc files so the moment i log in it tells me:

Last login: Tue Nov 26 18:09:05 2024 from 67.246.244.61
This server external DNS: ec2-3-18-113-172.us-east-2.compute.amazonaws.com

adding /home/ubuntu/.ziti/quickstart/ip-172-31-47-200/ziti-bin/ziti-v1.1.15 to the path

Or you can just

export EXTERNAL_DNS="ec2-3-142-189-241.us-east-2.compute.amazonaws.com"

too. :slight_smile:

This is what I had done the first time... so I am a little confused why it didn't work. I started off by doing the following, just like in the guide:

export EXTERNAL_DNS="ec2-3-142-189-241.us-east-2.compute.amazonaws.com"
export EXTERNAL_IP="$(curl -s eth0.me)"
export ZITI_CTRL_EDGE_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_ROUTER_IP_OVERRIDE="${EXTERNAL_IP}"
export ZITI_CTRL_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_ROUTER_ADVERTISED_ADDRESS="${EXTERNAL_DNS:-${EXTERNAL_IP}}"
export ZITI_CTRL_ADVERTISED_PORT=8440
export ZITI_CTRL_EDGE_ADVERTISED_PORT=8441
export ZITI_ROUTER_PORT=8442

Also, curling http://169.254.169.254/latest/meta-data/public-hostname doesn't return anything for me in my AWS instance. :confused:

Edit: Ah, I just had to turn it on at Instance > Actions > Instance Settings > Modify instance metadata options > Instance metadata service enabled and IMDSv2 set to optional.

Not sure why that wasn't the default.


Often, it's easy to exit a shell and forget you exited the shell, only to ssh back there expecting the variables to be set... but they aren't any more. I've done that countless times... It's equally easy to have more than one shell open and do a thing in one shell, move to the other and forget you moved... One of those two things would be my guess. Remove the environment and then run the quickstart again as you have it set. When it's done, enable/restart systemd if you are using it and then run the verify-traffic command again. It should pass.

That's a bummer! I wonder if it's only on certain instance types? I found the information back in the day from Use instance metadata to manage your EC2 instance - Amazon Elastic Compute Cloud but I didn't see anything about it not being available. ChatGPT thinks perhaps a network ACL blocked it. It's not important really, you can just set it manually like you did. It's just convenient imo :slight_smile:

EDIT: I see you got the metadata sorted :slight_smile: cool

Ok, I ran through the install process again from zero, making sure to maintain the same environment and variables, but when I try to run

ziti edge login "${ZITI_EDGE_CONTROLLER_API}" -u "${ZITI_USER-}" -p "${ZITI_PWD}" -y

I get the same error about the certs...

RESTY 2024/11/26 11:50:53 ERROR Post "https://ec2-3-142-189-241.us-east-2.compute.amazonaws.com:8441/edge/management/v1/identities/KCRBwLJ09/authenticate?method=password": tls: failed to verify certificate: x509: certificate is valid for ip-172-31-21-181.us-east-2.compute.internal, localhost, not ec2-3-142-189-241.us-east-2.compute.amazonaws.com, Attempt 1

Strange.... Will you capture the full output from the expressInstall and DM them to me here on discourse? Do you maybe have two different instances running? Before running the expressInstall, can you verify there are no processes?

sudo ps -ef | grep ziti

Should return no results.

Maybe there's something going on with the linux version you're using, what version is the OS? I tend to use ubuntu for the OS, what are you using?
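Both RESTY errors above say the same thing: the name the CLI dials (EXTERNAL_DNS) is not in the SANs of the certificate expressInstall baked into the PKI, so the PKI was built while the variables were not set in that shell. The script below is an added example, not code from the OpenZiti project or from anyone in this thread; it checks the variables before expressInstall, compares the live controller certificate against the advertised address afterwards, and reads the public hostname through an IMDSv2 token so it works without relaxing IMDSv2 to "optional". It assumes curl and openssl 1.1.1+ are installed and that the edge API listens on the ZITI_CTRL_EDGE_ADVERTISED_PORT from the post above.

```shell
#!/bin/sh
# Added pre-flight checks for the "Host It Anywhere" quickstart; not part of the
# OpenZiti project or of this thread. Needs curl and openssl 1.1.1+ (for -ext).

# Public hostname via IMDSv2: fetch a token first, so this also works when the
# instance has IMDSv2 set to "required" instead of "optional".
external_dns_from_imds() {
  imds=http://169.254.169.254
  token=$(curl -sf -X PUT "$imds/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sf -H "X-aws-ec2-metadata-token: $token" "$imds/latest/meta-data/public-hostname"
}

# Return 0 when $2 is one of the names in an openssl-style SAN line ($1), e.g.
#   DNS:ip-172-31-21-181.us-east-2.compute.internal, DNS:localhost, IP Address:172.31.21.181
san_contains() {
  san=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/, */,/g')   # normalise separators
  case ",$san," in
    *",DNS:$2,"*|*",IP Address:$2,"*) return 0 ;;
  esac
  return 1
}

# The variables must agree before expressInstall builds the PKI: EXTERNAL_DNS set,
# different from the instance's internal hostname, and both advertised addresses
# derived from it. Arguments: external_dns internal_host ctrl_adv router_adv
env_consistent() {
  [ -n "$1" ]       || { echo "EXTERNAL_DNS is empty" >&2; return 1; }
  [ "$1" != "$2" ]  || { echo "EXTERNAL_DNS is the internal hostname $2" >&2; return 1; }
  [ "$3" = "$1" ]   || { echo "ZITI_CTRL_ADVERTISED_ADDRESS=$3, expected $1" >&2; return 1; }
  [ "$4" = "$1" ]   || { echo "ZITI_ROUTER_ADVERTISED_ADDRESS=$4, expected $1" >&2; return 1; }
}

# After install: read the SAN line the live controller presents and compare it with
# the name the ziti CLI will dial, i.e. the x509 check that failed in the RESTY error.
check_live_controller() {   # usage: check_live_controller host port
  san=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | tail -n 1)
  if san_contains "$san" "$1"; then
    echo "OK: certificate covers $1"
  else
    echo "MISMATCH: $1 not in [$san]; redo the quickstart with EXTERNAL_DNS set" >&2; return 1
  fi
}
```

In the shell that will run expressInstall, call `env_consistent "$EXTERNAL_DNS" "$(hostname)" "$ZITI_CTRL_ADVERTISED_ADDRESS" "$ZITI_ROUTER_ADVERTISED_ADDRESS"` first, then `check_live_controller "$ZITI_CTRL_ADVERTISED_ADDRESS" 8441` once the controller is up.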

I am using the default Amazon Linux.

I'll try with that, gimme a few to make a VM and run it through...

This is my output from the ps command after running expressInstall:

root       53497       1  0 18:36 ?        00:00:00 /home/ec2-user/.ziti/quickstart/ip-172-31-21-181.us-east-2.compute.internal/ziti-bin/ziti-v1.1.15/ziti router run /home/ec2-user/.ziti/quickstart/ip-172-31-21-181.us-east-2.compute.internal/ip-172-31-21-181.us-east-2.compute.internal-edge-router.yaml
root       53894       1  0 18:44 ?        00:00:02 /home/ec2-user/.ziti/quickstart/ip-172-31-21-181.us-east-2.compute.internal/ziti-bin/ziti-v1.1.15/ziti controller run /home/ec2-user/.ziti/quickstart/ip-172-31-21-181.us-east-2.compute.internal/ip-172-31-21-181.us-east-2.compute.internal.yaml
ec2-user   54300   54275  0 18:56 pts/3    00:00:00 grep --color=auto ziti

@bivalve.felt DM'ed for a bit and this was a quickstart-related bug. It should be resolved with fix quickstart doc by dovholuknf · Pull Request #986 · openziti/ziti-doc · GitHub

The doc site should be rebuilding and deployed soon with the updates.

Thanks again @bivalve.felt

Thanks for the help fixing my controller installation! I am back to trying to configure the network.

What is meant by "variable" here? Is that an environment variable?

This variable represents the location of the HTTP server relative to the OpenZiti tunneler you're using.

My http server is running in a docker compose project that defines a bridge network. For my tunneler, I am using the openziti/ziti-host:latest image. If http_server from the linked doc is an environment variable, then do I just need to define it in the compose.yaml and provide the docker compose network identifier for my server as the value?