Linux Ziti Tunneller for Ubuntu 22.04 and digitalocean example

Hi:

Currently, I am trying the example in “Digital Ocean → Services” (Services | OpenZiti).
And I got stuck on step “3.2.3.3 Register Identities”.

  1. I have created the 4 VMs: controller, edge router with link listener and tunneller, and two identities.
  2. In the controller, I have created the identities; it looks like this:
root@ziticontrol:~/.ziti/quickstart/ziticontrol/ziti-console# ziti edge list edge-routers
╭───────────┬─────────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID        │ NAME                    │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├───────────┼─────────────────────────┼────────┼───────────────┼──────┼────────────┤
│ G8bmsUmvb │ ziticontrol-edge-router │ true   │ true          │    0 │ public     │
│ Qy0gia-ms │ JAMES-ER-SF             │ true   │ true          │    0 │            │
╰───────────┴─────────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-2 of 2
root@ziticontrol:~/.ziti/quickstart/ziticontrol/ziti-console# ziti edge list identities
╭────────────┬─────────────────────────┬────────┬────────────┬─────────────╮
│ ID         │ NAME                    │ TYPE   │ ATTRIBUTES │ AUTH-POLICY │
├────────────┼─────────────────────────┼────────┼────────────┼─────────────┤
│ 64kmYW-miY │ JAMES-CL-SF             │ Device │            │ Default     │
│ AauOdabms  │ JAMES-CL-NY2            │ Device │            │ Default     │
│ G8bmsUmvb  │ ziticontrol-edge-router │ Router │            │ Default     │
│ NjmfYW-RiY │ JAMES-CL-NY             │ Device │            │ Default     │
│ Qy0gia-ms  │ JAMES-ER-SF             │ Router │            │ Default     │
│ qHKH3QUM.  │ Default Admin           │ User   │            │ Default     │
╰────────────┴─────────────────────────┴────────┴────────────┴─────────────╯
results: 1-6 of 6
root@ziticontrol:~/.ziti/quickstart/ziticontrol/ziti-console# ziti fabric list routers
╭───────────┬─────────────────────────┬────────┬──────┬──────────────┬──────────┬────────────────────────┬──────────────────────────────╮
│ ID        │ NAME                    │ ONLINE │ COST │ NO TRAVERSAL │ DISABLED │ VERSION                │ LISTENERS                    │
├───────────┼─────────────────────────┼────────┼──────┼──────────────┼──────────┼────────────────────────┼──────────────────────────────┤
│ G8bmsUmvb │ ziticontrol-edge-router │ true   │    0 │ false        │ false    │ v0.28.0 on linux/amd64 │ 1: tls:143.110.234.118:10080 │
│ Qy0gia-ms │ JAMES-ER-SF             │ true   │    0 │ false        │ false    │ v0.28.0 on linux/amd64 │ 1: tls:64.227.96.18:80       │
╰───────────┴─────────────────────────┴────────┴──────┴──────────────┴──────────┴────────────────────────┴──────────────────────────────╯
results: 1-2 of 2
root@ziticontrol:~/.ziti/quickstart/ziticontrol/ziti-console# 


3. Now, I am going to build the tunneller for an identity, for example “JAMES-CL-NY”, on a new VM.
4. I downloaded JAMES-CL-NY’s JWT file and copied the content.
5. Then I followed the steps in Linux | OpenZiti.
6. However, on the new VM, I cannot successfully build it:

root@cl1:~# sudo systemctl enable --now ziti-edge-tunnel.service
Created symlink /etc/systemd/system/multi-user.target.wants/ziti-edge-tunnel.service → /opt/openziti/share/ziti-edge-tunnel.service.
Created symlink /etc/systemd/system/ziti-edge-tunnel.service → /opt/openziti/share/ziti-edge-tunnel.service.
Job for ziti-edge-tunnel.service failed because the control process exited with error code.
See "systemctl status ziti-edge-tunnel.service" and "journalctl -xeu ziti-edge-tunnel.service" for details.
root@cl1:~# ziti-edge-tunnel -j /opt/openziti/etc/identities/ziti-id.jwt -i /opt/openziti/etc/identities/ziti-id.json
ziti-edge-tunnel: -j: unknown command

  ziti-edge-tunnel
    enroll              enroll Ziti identity
    run                 run Ziti tunnel (required superuser access)
    run-host            run Ziti tunnel to host services
    on_off_identity     enable/disable the identities information
    enable              enable the identities information
    dump                dump the identities information
    enable_mfa          Enable MFA function fetches the totp url from the controller
    verify_mfa          Verify the mfa login using the auth code while enabling mfa
    remove_mfa          Removes MFA registration from the controller
    submit_mfa          Submit MFA code to authenticate to the controller
    generate_mfa_codes  Generate MFA codes
    get_mfa_codes       Get MFA codes
    tunnel_status       Get Tunnel Status
    delete              delete the identities information
    add                 enroll and load the identities information
    set_log_level       Set log level of the tunneler
    update_tun_ip       Update tun ip of the tunneler
    version             show version
    help                this message

root@cl1:~# ./ziti-edge-tunnel -j /opt/openziti/etc/identities/ziti-id.jwt -i /opt/openziti/etc/identities/ziti-id.json
-bash: ./ziti-edge-tunnel: No such file or directory
root@cl1:~# systemctl status ziti-edge-tunnel.service
● ziti-edge-tunnel.service - Ziti Edge Tunnel
     Loaded: loaded (/etc/systemd/system/ziti-edge-tunnel.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Tue 2023-06-06 21:42:04 UTC; 1s ago
    Process: 25182 ExecStartPre=/opt/openziti/bin/ziti-edge-tunnel.sh (code=exited, status=1/FAILURE)
        CPU: 11ms

Jun 06 21:42:04 cl1 systemd[1]: ziti-edge-tunnel.service: Control process exited, code=exited, status=1/F>
Jun 06 21:42:04 cl1 systemd[1]: ziti-edge-tunnel.service: Failed with result 'exit-code'.
Jun 06 21:42:04 cl1 systemd[1]: Failed to start Ziti Edge Tunnel.
lines 1-9/9 (END)
^C
root@cl1:~# journalctl -xeu ziti-edge-tunnel.service
Jun 06 21:42:24 cl1 ziti-edge-tunnel.sh[25254]: (25254)[        0.022]   ERROR ziti-edge-tunnel:ziti-edge>
Jun 06 21:42:24 cl1 ziti-edge-tunnel.sh[25250]: ERROR: failed to enroll ziti-id.jwt in /opt/openziti/etc/>
Jun 06 21:42:24 cl1 systemd[1]: ziti-edge-tunnel.service: Control process exited, code=exited, status=1/F>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStartPre= process belonging to unit ziti-edge-tunnel.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Jun 06 21:42:24 cl1 systemd[1]: ziti-edge-tunnel.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit ziti-edge-tunnel.service has entered the 'failed' state with result 'exit-code'.
Jun 06 21:42:24 cl1 systemd[1]: Failed to start Ziti Edge Tunnel.
░░ Subject: A start job for unit ziti-edge-tunnel.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit ziti-edge-tunnel.service has finished with a failure.
░░ 
░░ The job identifier is 15721 and the job result is failed.
lines 3974-3997/3997 (END)
^C
root@cl1:~# 

Does anyone have any idea?

Or, does anyone have successful experience using the Ziti tunneller on Ubuntu or another Linux distribution?

And, a further question:
If the controller and edge router use public IP addresses, to achieve the example on Digital Ocean, does each identity machine/device have to have a public IP address? Or will it work with a local IP address for an identity device?

On my mobile, but I think you just missed the command 'enroll' in there, right? Should be ziti-edge-tunnel enroll -j.......

Definitely, lots of us at NetFoundry use it every day and many community OpenZiti users as well.

OpenZiti works amazingly behind closed firewalls, so no, individual identities do not require IPs that are reachable by the controller/router. Because OpenZiti edge components connect outbound from your network to the overlay, you only need outbound Internet access.

Hi Nick,

First, thanks for trying out OpenZiti on Digital Ocean.

When you set up the controller, did you do this step:
export EXTERNAL_DNS="$(curl -s eth0.me)"

Can you also paste the result of these commands from your controller?

source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env
cat $ZITI_HOME/${ZITI_CONTROLLER_RAWNAME}.yaml

To answer your other question, the clients do not need to have a public IP. As long as they can reach the controller, they can successfully enroll and function.

Regards,

James

Hi Nick,

I noticed something in your journalctl output.

You have:
Jun 06 21:42:24 cl1 ziti-edge-tunnel.sh[25250]: ERROR: failed to enroll ziti-id.jwt in /opt/openziti/etc/>

I looked at my system, it should be:
Jun 06 21:36:45 egress-tunnel ziti-edge-tunnel.sh[1635]: INFO: enrolled ziti-id.jwt in /opt/openziti/etc/identities/ziti-id.json

It could be different output between success and failure.

Do you mind listing the contents of the directory “/opt/openziti/etc/identities”?

ls -la /opt/openziti/etc/identities

Another possibility is the jwt file was not pasted correctly.

You can also physically copy the jwt file into that directory: /opt/openziti/etc/identities

The name does not matter; we will enroll any jwt under that directory after you restart the ziti-edge-tunnel service.

Thanks,

James

Thank you @TheLumberjack @TheLumberjack for your help, I will try the approaches later tomorrow.

I have one more question about the OpenZiti Digital Ocean example. For the same functions with the same approaches in the document Services | OpenZiti, if I use an AWS EC2 Linux instance instead of a Digital Ocean droplet VM, are there any big differences between the two, especially in the configuration?

All the cloud provider configuration is different, which shouldn’t be a surprise. That’s all similar, but of course usually quite different from provider to provider. Some operating systems have different commands or sometimes SELinux or firewalls blocking ports, things like that which can get in the way.

Aside from those types of differences, there should be no significant differences in configuration.

Hi Nick,
The AWS information is coming. You can see the preview here: Public Cloud Deployment | OpenZiti

Regards,
James

I made some changes; however, the Ubuntu tunneller still does not work.
This is what I did in the client VM:
I also copied the jwt file directly via scp. The jwt is from the controller’s identity.

root@clny:~# (
set -euo pipefail

curl -sSLf https://get.openziti.io/tun/package-repos.gpg \
  | sudo gpg --dearmor --output /usr/share/keyrings/openziti.gpg

echo 'deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/zitipax-openziti-deb-stable jammy main' \
  | sudo tee /etc/apt/sources.list.d/openziti.list >/dev/null

sudo apt update
sudo apt install ziti-edge-tunnel
)
Hit:1 http://mirrors.digitalocean.com/ubuntu jammy InRelease
Hit:2 http://mirrors.digitalocean.com/ubuntu jammy-updates InRelease                                  
Hit:3 http://mirrors.digitalocean.com/ubuntu jammy-backports InRelease                                
Hit:4 https://repos.insights.digitalocean.com/apt/do-agent main InRelease                             
Get:5 https://packages.openziti.org/zitipax-openziti-deb-stable jammy InRelease [4264 B]              
Hit:6 http://security.ubuntu.com/ubuntu jammy-security InRelease                                      
Hit:7 https://repos-droplet.digitalocean.com/apt/droplet-agent main InRelease                         
Get:8 https://packages.openziti.org/zitipax-openziti-deb-stable jammy/main amd64 Packages [3356 B]    
Fetched 7620 B in 7s (1154 B/s)                                                                       
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libatomic1
The following NEW packages will be installed:
  libatomic1 ziti-edge-tunnel
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 1950 kB of archives.
After this operation, 4523 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://mirrors.digitalocean.com/ubuntu jammy-updates/main amd64 libatomic1 amd64 12.1.0-2ubuntu1~22.04 [10.4 kB]
Get:2 https://packages.openziti.org/zitipax-openziti-deb-stable jammy/main amd64 ziti-edge-tunnel amd64 0.21.4 [1939 kB]
Fetched 1950 kB in 7s (296 kB/s)       
Preconfiguring packages ...
Selecting previously unselected package libatomic1:amd64.
(Reading database ... 93853 files and directories currently installed.)
Preparing to unpack .../libatomic1_12.1.0-2ubuntu1~22.04_amd64.deb ...
Unpacking libatomic1:amd64 (12.1.0-2ubuntu1~22.04) ...
Selecting previously unselected package ziti-edge-tunnel.
Preparing to unpack .../ziti-edge-tunnel_0.21.4_amd64.deb ...
Unpacking ziti-edge-tunnel (0.21.4) ...
Setting up libatomic1:amd64 (12.1.0-2ubuntu1~22.04) ...
Setting up ziti-edge-tunnel (0.21.4) ...
Creating group ziti with gid 997.
Creating user ziti (openziti user) with uid 997 and gid 997.

-------------------------------------------------------------------------------------------------------
ziti-edge-tunnel was installed...
First install an OpenZiti identity or enroll token in: /opt/openziti/etc/identities
then start or restart this systemd service unit.
-------------------------------------------------------------------------------------------------------
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
Scanning processes...                                                                                  
Scanning candidates...                                                                                 
Scanning linux images...                                                                               

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@clny:~# sudo -u ziti tee /opt/openziti/etc/identities/ziti-id.jwt >/dev/null
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbSI6Im90dCIsImV4cCI6MTY4NjE2NTUwNSwiaXNzIjoiaHR0cHM6Ly8xNDcuMTgyLjI0Ni41NTo4NDQxIiwianRpIjoiOTAxNGYzNWMtOTQxZi00ZjYxLTljN2MtZGU0OWQzZWRlNzI4Iiwic3ViIjoiUTJDV2ZTWmNVIn0.cuTTVVaNSDU36CNvyX_OuVCEKxj58K_StpMnIyJBTA9X2LjGigSbHPQxRmxVCbc3yHtOjwdMNCuyvJVY8RgZpHsizHCAkbA2ET6m3Ng3qahAHm19_lp3DwwylZuX_eNv1eFoM3MCGNHCBwdIA6D9HuyHhYH10wa8zFjqlkb9CkKIvxluwBwG2isYEUD7DgK10QKtBl4_HKRGbIGfP3F76PYBCE9c8S-cpeNCcnyjbO83Vka0Z7TJvMAlUS2IBNqcSg-0xbe7gzaMOGKp88Ofohvmhixcr-LIJbwu0lKCFWBNCb5T2xbxflukESkaGEPs_-c6XUiHboaBtT2hlh3f2g9LbomX_Bm4NqjZls8GpxgMFg796ScZsXrSEr_fJSEMF2AjPY6CXVrgosOlFeLHgsu2RuLzidTTSvzBTbANDc1ar2bhP7uYIgAza0hPlvV3LyLTODdWwdCCujboJPPPOP2db_a95jCrxHo_F_LB5lvWr7FLnXSBgIDbnv__YIZhbdEaUS_yg8aQIu7lQuO722WVqwFkdA2hF1e54DPYr4PR3H7EowDg1A6ZIBcdrOC5uawMhwvHeyaBySKy8q0gkg2XawOF2TmRs0TaEtMu7KK7fRoVTCdYA6UbIU_899517s5qXFq0Tt4mijXstQ_drV2a5yR7aMaVYdbFi_Q5fKs
root@clny:~# ziti-edge-tunnel enroll -j /opt/openziti/etc/identities/ziti-id.jwt -i /opt/openziti/etc/identities/ziti-id.json
(23997)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(23997)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(23997)[        0.000]    INFO ziti-sdk:ziti_enroll.c:90 ziti_enroll() Ziti C SDK version 0.32.6 @2fc3556(HEAD) starting enrollment at (2023-06-07T16:29:20.490)
(23997)[        0.206]   ERROR ziti-sdk:ziti_ctrl.c:154 ctrl_resp_cb() ctrl[147.182.246.55] request failed: -103(software caused connection abort)
(23997)[        0.206]   ERROR ziti-sdk:ziti_enroll.c:222 well_known_certs_cb() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:141 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
(23997)[        0.206]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2116 enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
root@clny:~# sudo systemctl enable --now ziti-edge-tunnel.service
Created symlink /etc/systemd/system/multi-user.target.wants/ziti-edge-tunnel.service → /opt/openziti/share/ziti-edge-tunnel.service.
Created symlink /etc/systemd/system/ziti-edge-tunnel.service → /opt/openziti/share/ziti-edge-tunnel.service.
Job for ziti-edge-tunnel.service failed because the control process exited with error code.
See "systemctl status ziti-edge-tunnel.service" and "journalctl -xeu ziti-edge-tunnel.service" for details.
root@clny:~# systemctl status ziti-edge-tunnel.service
● ziti-edge-tunnel.service - Ziti Edge Tunnel
     Loaded: loaded (/etc/systemd/system/ziti-edge-tunnel.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Wed 2023-06-07 16:30:25 UTC; 1s ago
    Process: 24110 ExecStartPre=/opt/openziti/bin/ziti-edge-tunnel.sh (code=exited, status=1/FAILURE)
        CPU: 12ms

Jun 07 16:30:25 clny systemd[1]: ziti-edge-tunnel.service: Control process exited, code=exited, status>
Jun 07 16:30:25 clny systemd[1]: ziti-edge-tunnel.service: Failed with result 'exit-code'.
Jun 07 16:30:25 clny systemd[1]: Failed to start Ziti Edge Tunnel.
lines 1-9/9 (END)
^C
root@clny:~# journalctl -xeu ziti-edge-tunnel.service
Jun 07 16:30:38 clny ziti-edge-tunnel.sh[24160]: (24160)[        0.000]    INFO ziti-sdk:ziti_enroll.c>
Jun 07 16:30:38 clny ziti-edge-tunnel.sh[24160]: (24160)[        0.165]   ERROR ziti-sdk:ziti_ctrl.c:1>
Jun 07 16:30:38 clny ziti-edge-tunnel.sh[24160]: (24160)[        0.165]   ERROR ziti-sdk:ziti_enroll.c>
Jun 07 16:30:38 clny ziti-edge-tunnel.sh[24160]: (24160)[        0.165]   ERROR ziti-edge-tunnel:ziti->
Jun 07 16:30:38 clny ziti-edge-tunnel.sh[24156]: ERROR: failed to enroll ziti-id.jwt in /opt/openziti/>
Jun 07 16:30:38 clny systemd[1]: ziti-edge-tunnel.service: Control process exited, code=exited, status>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStartPre= process belonging to unit ziti-edge-tunnel.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Jun 07 16:30:38 clny systemd[1]: ziti-edge-tunnel.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit ziti-edge-tunnel.service has entered the 'failed' state with result 'exit-code'.
Jun 07 16:30:38 clny systemd[1]: Failed to start Ziti Edge Tunnel.
░░ Subject: A start job for unit ziti-edge-tunnel.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit ziti-edge-tunnel.service has finished with a failure.
░░ 
░░ The job identifier is 7021 and the job result is failed.
lines 585-609/609 (END)
^C
root@clny:~# ls -la /opt/openziti/etc/identities
total 12
drwxrwx--- 2 root ziti 4096 Jun  7 16:31 .
drwxr-xr-x 3 root root 4096 Jun  7 16:26 ..
-rw-rw-r-- 1 ziti ziti  893 Jun  7 16:28 ziti-id.jwt
root@clny:~# ls -la /opt/openziti/etc/identities
total 16
drwxrwx--- 2 root ziti 4096 Jun  7 16:45 .
drwxr-xr-x 3 root root 4096 Jun  7 16:26 ..
-rw-r--r-- 1 root root  892 Jun  7 16:45 JAMES-CL-NY.jwt
-rw-rw-r-- 1 ziti ziti  893 Jun  7 16:28 ziti-id.jwt
root@clny:~# sudo systemctl enable --now ziti-edge-tunnel.service
Job for ziti-edge-tunnel.service failed because the control process exited with error code.
See "systemctl status ziti-edge-tunnel.service" and "journalctl -xeu ziti-edge-tunnel.service" for details.
root@clny:~# cd /opt/openziti/etc/identities/
root@clny:/opt/openziti/etc/identities# ls
JAMES-CL-NY.jwt  ziti-id.jwt
root@clny:/opt/openziti/etc/identities# rm -r ziti-id.jwt 
root@clny:/opt/openziti/etc/identities# ls
JAMES-CL-NY.jwt
root@clny:/opt/openziti/etc/identities# chmod 777 JAMES-CL-NY.jwt 
root@clny:/opt/openziti/etc/identities# ls -la
total 12
drwxrwx--- 2 root ziti 4096 Jun  7 16:50 .
drwxr-xr-x 3 root root 4096 Jun  7 16:26 ..
-rwxrwxrwx 1 root root  892 Jun  7 16:45 JAMES-CL-NY.jwt
root@clny:/opt/openziti/etc/identities# chmod -R 777 JAMES-CL-NY.jwt 
root@clny:/opt/openziti/etc/identities# ls -la
total 12
drwxrwx--- 2 root ziti 4096 Jun  7 16:51 .
drwxr-xr-x 3 root root 4096 Jun  7 16:26 ..
-rwxrwxrwx 1 root root  892 Jun  7 16:45 JAMES-CL-NY.jwt
root@clny:/opt/openziti/etc/identities# sudo systemctl enable --now ziti-edge-tunnel.service
Job for ziti-edge-tunnel.service failed because the control process exited with error code.
See "systemctl status ziti-edge-tunnel.service" and "journalctl -xeu ziti-edge-tunnel.service" for details.
root@clny:/opt/openziti/etc/identities# mv JAMES-CL-NY.jwt ziti-id.jwt
root@clny:/opt/openziti/etc/identities# ls -la
total 12
drwxrwx--- 2 root ziti 4096 Jun  7 16:53 .
drwxr-xr-x 3 root root 4096 Jun  7 16:26 ..
-rwxrwxrwx 1 root root  892 Jun  7 16:45 ziti-id.jwt
root@clny:/opt/openziti/etc/identities# sudo systemctl enable --now ziti-edge-tunnel.service
Job for ziti-edge-tunnel.service failed because the control process exited with error code.
See "systemctl status ziti-edge-tunnel.service" and "journalctl -xeu ziti-edge-tunnel.service" for details.
root@clny:/opt/openziti/etc/identities# systemctl status ziti-edge-tunnel.service
● ziti-edge-tunnel.service - Ziti Edge Tunnel
     Loaded: loaded (/etc/systemd/system/ziti-edge-tunnel.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Wed 2023-06-07 16:53:51 UTC; 658ms ago
    Process: 29229 ExecStartPre=/opt/openziti/bin/ziti-edge-tunnel.sh (code=exited, status=1/FAILURE)
        CPU: 12ms

Jun 07 16:53:51 clny systemd[1]: ziti-edge-tunnel.service: Control process exited, code=exited, status>
Jun 07 16:53:51 clny systemd[1]: ziti-edge-tunnel.service: Failed with result 'exit-code'.
Jun 07 16:53:51 clny systemd[1]: Failed to start Ziti Edge Tunnel.
lines 1-9/9 (END)
^C
root@clny:/opt/openziti/etc/identities# journalctl -xeu ziti-edge-tunnel.service
Jun 07 16:54:10 clny ziti-edge-tunnel.sh[29301]: (29301)[        0.165]   ERROR ziti-sdk:ziti_ctrl.c:1>
Jun 07 16:54:03 clny systemd[1]: Starting Ziti Edge Tunnel...
░░ Subject: A start job for unit ziti-edge-tunnel.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit ziti-edge-tunnel.service has begun execution.
░░ 
░░ The job identifier is 45324.
Jun 07 16:54:03 clny ziti-edge-tunnel.sh[29279]: (29279)[        0.000]    INFO ziti-sdk:utils.c:188 z>
Jun 07 16:54:03 clny ziti-edge-tunnel.sh[29279]: (29279)[        0.000]    INFO ziti-sdk:utils.c:188 z>
Jun 07 16:54:03 clny ziti-edge-tunnel.sh[29279]: (29279)[        0.000]    INFO ziti-sdk:ziti_enroll.c>
Jun 07 16:54:04 clny ziti-edge-tunnel.sh[29279]: (29279)[        0.174]   ERROR ziti-sdk:ziti_ctrl.c:1>
Jun 07 16:54:04 clny ziti-edge-tunnel.sh[29279]: (29279)[        0.174]   ERROR ziti-sdk:ziti_enroll.c>
Jun 07 16:54:04 clny ziti-edge-tunnel.sh[29279]: (29279)[        0.174]   ERROR ziti-edge-tunnel:ziti->
Jun 07 16:54:04 clny ziti-edge-tunnel.sh[29275]: ERROR: failed to enroll ziti-id.jwt in /opt/openziti/>
Jun 07 16:54:04 clny systemd[1]: ziti-edge-tunnel.service: Control process exited, code=exited, status>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStartPre= process belonging to unit ziti-edge-tunnel.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Jun 07 16:54:04 clny systemd[1]: ziti-edge-tunnel.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit ziti-edge-tunnel.service has entered the 'failed' state with result 'exit-code'.
Jun 07 16:54:04 clny systemd[1]: Failed to start Ziti Edge Tunnel.
░░ Subject: A start job for unit ziti-edge-tunnel.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit ziti-edge-tunnel.service has finished with a failure.
░░ 
░░ The job identifier is 45324 and the job result is failed.
Jun 07 16:54:07 clny systemd[1]: ziti-edge-tunnel.service: Scheduled restart job, restart counter is a>
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ Automatic restarting of the unit ziti-edge-tunnel.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Jun 07 16:54:07 clny systemd[1]: Stopped Ziti Edge Tunnel.
░░ Subject: A stop job for unit ziti-edge-tunnel.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A stop job for unit ziti-edge-tunnel.service has finished.
░░ 
░░ The job identifier is 45411 and the job result is done.
Jun 07 16:54:07 clny systemd[1]: Starting Ziti Edge Tunnel...
░░ Subject: A start job for unit ziti-edge-tunnel.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit ziti-edge-tunnel.service has begun execution.
░░ 
░░ The job identifier is 45411.
Jun 07 16:54:07 clny ziti-edge-tunnel.sh[29290]: (29290)[        0.000]    INFO ziti-sdk:utils.c:188 z>
Jun 07 16:54:07 clny ziti-edge-tunnel.sh[29290]: (29290)[        0.000]    INFO ziti-sdk:utils.c:188 z>
Jun 07 16:54:07 clny ziti-edge-tunnel.sh[29290]: (29290)[        0.000]    INFO ziti-sdk:ziti_enroll.c>
Jun 07 16:54:07 clny ziti-edge-tunnel.sh[29290]: (29290)[        0.163]   ERROR ziti-sdk:ziti_ctrl.c:1>
Jun 07 16:54:07 clny ziti-edge-tunnel.sh[29290]: (29290)[        0.163]   ERROR ziti-sdk:ziti_enroll.c>
Jun 07 16:54:07 clny ziti-edge-tunnel.sh[29290]: (29290)[        0.163]   ERROR ziti-edge-tunnel:ziti->
Jun 07 16:54:07 clny ziti-edge-tunnel.sh[29286]: ERROR: failed to enroll ziti-id.jwt in /opt/openziti/>
Jun 07 16:54:07 clny systemd[1]: ziti-edge-tunnel.service: Control process exited, code=exited, status>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStartPre= process belonging to unit ziti-edge-tunnel.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Jun 07 16:54:07 clny systemd[1]: ziti-edge-tunnel.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit ziti-edge-tunnel.service has entered the 'failed' state with result 'exit-code'.
Jun 07 16:54:07 clny systemd[1]: Failed to start Ziti Edge Tunnel.
░░ Subject: A start job for unit ziti-edge-tunnel.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit ziti-edge-tunnel.service has finished with a failure.
░░ 
░░ The job identifier is 45411 and the job result is failed.
Jun 07 16:54:10 clny systemd[1]: ziti-edge-tunnel.service: Scheduled restart job, restart counter is a>
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ Automatic restarting of the unit ziti-edge-tunnel.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Jun 07 16:54:10 clny systemd[1]: Stopped Ziti Edge Tunnel.
░░ Subject: A stop job for unit ziti-edge-tunnel.service has finished
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A stop job for unit ziti-edge-tunnel.service has finished.
░░ 
░░ The job identifier is 45498 and the job result is done.
Jun 07 16:54:10 clny systemd[1]: Starting Ziti Edge Tunnel...
░░ Subject: A start job for unit ziti-edge-tunnel.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit ziti-edge-tunnel.service has begun execution.
░░ 
░░ The job identifier is 45498.
Jun 07 16:54:10 clny ziti-edge-tunnel.sh[29301]: (29301)[        0.000]    INFO ziti-sdk:utils.c:188 z>
Jun 07 16:54:10 clny ziti-edge-tunnel.sh[29301]: (29301)[        0.000]    INFO ziti-sdk:utils.c:188 z>
Jun 07 16:54:10 clny ziti-edge-tunnel.sh[29301]: (29301)[        0.000]    INFO ziti-sdk:ziti_enroll.c>
Jun 07 16:54:10 clny ziti-edge-tunnel.sh[29301]: (29301)[        0.165]   ERROR ziti-sdk:ziti_ctrl.c:1>
Jun 07 16:54:10 clny ziti-edge-tunnel.sh[29301]: (29301)[        0.165]   ERROR ziti-sdk:ziti_enroll.c>
Jun 07 16:54:10 clny ziti-edge-tunnel.sh[29301]: (29301)[        0.165]   ERROR ziti-edge-tunnel:ziti->
Jun 07 16:54:10 clny ziti-edge-tunnel.sh[29297]: ERROR: failed to enroll ziti-id.jwt in /opt/openziti/>
Jun 07 16:54:10 clny systemd[1]: ziti-edge-tunnel.service: Control process exited, code=exited, status>
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ An ExecStartPre= process belonging to unit ziti-edge-tunnel.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Jun 07 16:54:10 clny systemd[1]: ziti-edge-tunnel.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ The unit ziti-edge-tunnel.service has entered the 'failed' state with result 'exit-code'.
Jun 07 16:54:10 clny systemd[1]: Failed to start Ziti Edge Tunnel.
░░ Subject: A start job for unit ziti-edge-tunnel.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit ziti-edge-tunnel.service has finished with a failure.
░░ 
░░ The job identifier is 45498 and the job result is failed.

root@clny:/opt/openziti/etc/identities# ^C
root@clny:/opt/openziti/etc/identities# ziti-edge-tunnel enroll -j /opt/openziti/etc/identities/ziti-id.jwt -i /opt/openziti/etc/identities/ziti-id.json
(29497)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(29497)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(29497)[        0.000]    INFO ziti-sdk:ziti_enroll.c:90 ziti_enroll() Ziti C SDK version 0.32.6 @2fc3556(HEAD) starting enrollment at (2023-06-07T16:55:06.349)
(29497)[        0.177]   ERROR ziti-sdk:ziti_ctrl.c:154 ctrl_resp_cb() ctrl[147.182.246.55] request failed: -103(software caused connection abort)
(29497)[        0.177]   ERROR ziti-sdk:ziti_enroll.c:222 well_known_certs_cb() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:141 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
(29497)[        0.177]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2116 enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
root@clny:/opt/openziti/etc/identities# 

This is what I did in the controller:

root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# ziti edge list edge-routers
╭───────────┬──────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID        │ NAME                 │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├───────────┼──────────────────────┼────────┼───────────────┼──────┼────────────┤
│ .Bz6OSZcJ │ JAMES-ER-SF2         │ true   │ true          │    0 │            │
│ cwFsiwfri │ zcontrol-edge-router │ true   │ true          │    0 │ public     │
│ y4z4thZcJ │ JAMES-ER-SF1         │ false  │ true          │    0 │            │
╰───────────┴──────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-3 of 3
root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# ziti edge list identities
╭───────────┬──────────────────────┬────────┬────────────┬─────────────╮
│ ID        │ NAME                 │ TYPE   │ ATTRIBUTES │ AUTH-POLICY │
├───────────┼──────────────────────┼────────┼────────────┼─────────────┤
│ .Bz6OSZcJ │ JAMES-ER-SF2         │ Router │            │ Default     │
│ cwFsiwfri │ zcontrol-edge-router │ Router │            │ Default     │
│ wtER9U.f9 │ Default Admin        │ User   │            │ Default     │
│ y4z4thZcJ │ JAMES-ER-SF1         │ Router │            │ Default     │
╰───────────┴──────────────────────┴────────┴────────────┴─────────────╯
results: 1-4 of 4
root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# ziti fabric list routers
╭───────────┬──────────────────────┬────────┬──────┬──────────────┬──────────┬────────────────────────┬─────────────────────────────╮
│ ID        │ NAME                 │ ONLINE │ COST │ NO TRAVERSAL │ DISABLED │ VERSION                │ LISTENERS                   │
├───────────┼──────────────────────┼────────┼──────┼──────────────┼──────────┼────────────────────────┼─────────────────────────────┤
│ .Bz6OSZcJ │ JAMES-ER-SF2         │ true   │    0 │ false        │ false    │ v0.28.0 on linux/amd64 │                             │
│ cwFsiwfri │ zcontrol-edge-router │ true   │    0 │ false        │ false    │ v0.28.0 on linux/amd64 │ 1: tls:147.182.246.55:10080 │
│ y4z4thZcJ │ JAMES-ER-SF1         │ false  │    0 │ false        │ false    │                        │                             │
╰───────────┴──────────────────────┴────────┴──────┴──────────────┴──────────┴────────────────────────┴─────────────────────────────╯
results: 1-3 of 3
root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# zitiLogin
Token: 546be0f5-e366-4e18-8436-ecc92fb9f4ca
Saving identity 'default' to /root/.ziti/quickstart/zcontrol/ziti-cli.json
root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# ziti edge list edge-routers
╭────────────┬──────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME                 │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼──────────────────────┼────────┼───────────────┼──────┼────────────┤
│ cwFsiwfri  │ zcontrol-edge-router │ true   │ true          │    0 │ public     │
│ uypofhZiUO │ JAMES-ER-SF1         │ true   │ true          │    0 │            │
╰────────────┴──────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-2 of 2
root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# ziti edge list identities
╭────────────┬──────────────────────┬────────┬────────────┬─────────────╮
│ ID         │ NAME                 │ TYPE   │ ATTRIBUTES │ AUTH-POLICY │
├────────────┼──────────────────────┼────────┼────────────┼─────────────┤
│ cwFsiwfri  │ zcontrol-edge-router │ Router │            │ Default     │
│ uypofhZiUO │ JAMES-ER-SF1         │ Router │            │ Default     │
│ wtER9U.f9  │ Default Admin        │ User   │            │ Default     │
╰────────────┴──────────────────────┴────────┴────────────┴─────────────╯
results: 1-3 of 3
root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# ziti fabric list routers
╭────────────┬──────────────────────┬────────┬──────┬──────────────┬──────────┬────────────────────────┬─────────────────────────────╮
│ ID         │ NAME                 │ ONLINE │ COST │ NO TRAVERSAL │ DISABLED │ VERSION                │ LISTENERS                   │
├────────────┼──────────────────────┼────────┼──────┼──────────────┼──────────┼────────────────────────┼─────────────────────────────┤
│ cwFsiwfri  │ zcontrol-edge-router │ true   │    0 │ false        │ false    │ v0.28.0 on linux/amd64 │ 1: tls:147.182.246.55:10080 │
│ uypofhZiUO │ JAMES-ER-SF1         │ true   │    0 │ false        │ false    │ v0.28.0 on linux/amd64 │ 1: tls:146.190.122.138:80   │
╰────────────┴──────────────────────┴────────┴──────┴──────────────┴──────────┴────────────────────────┴─────────────────────────────╯
results: 1-2 of 2
root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# export EXTERNAL_DNS="$(curl -s eth0.me)"
root@zcontrol:~/.ziti/quickstart/zcontrol/ziti-console# source ~/.ziti/quickstart/$(hostname -s)/$(hostname -s).env
cat $ZITI_HOME/${ZITI_CONTROLLER_RAWNAME}.yaml
 
                  ziti binaries are located at: /root/.ziti/quickstart/zcontrol/ziti-bin/ziti-v0.28.0
add this to your path if you want by executing: export PATH=$PATH:/root/.ziti/quickstart/zcontrol/ziti-bin/ziti-v0.28.0
 
v: 3

#trace:
#  path: "controller.trace"

#profile:
#  memory:
#    path: ctrl.memprof

db:                     "/root/.ziti/quickstart/zcontrol/db/ctrl.db"

identity:
  cert:                 "/root/.ziti/quickstart/zcontrol/pki/zcontrol-intermediate/certs/zcontrol-client.cert"
  server_cert:          "/root/.ziti/quickstart/zcontrol/pki/zcontrol-intermediate/certs/zcontrol-server.chain.pem"
  key:                  "/root/.ziti/quickstart/zcontrol/pki/zcontrol-intermediate/keys/zcontrol-server.key"
  ca:                   "/root/.ziti/quickstart/zcontrol/pki/cas.pem"

# Network Configuration
#
# Configure how the controller will establish and manage the overlay network, and routing operations on top of
# the network.
#
#network:

  # routeTimeoutSeconds controls the number of seconds the controller will wait for a route attempt to succeed.
  #routeTimeoutSeconds:  10

  # createCircuitRetries controls the number of retries that will be attempted to create a path (and terminate it)
  # for new circuits.
  #createCircuitRetries: 2  

  # pendingLinkTimeoutSeconds controls how long we'll wait before creating a new link between routers where
  # there isn't an established link, but a link request has been sent
  #pendingLinkTimeoutSeconds: 10

  # Defines the period that the controller re-evaluates the performance of all of the circuits
  # running on the network.
  #
  #cycleSeconds:         15
  
  # Sets router minimum cost. Defaults to 10
  #minRouterCost: 10

  # Sets how often a new control channel connection can take over for a router with an existing control channel connection
  # Defaults to 1 minute
  #routerConnectChurnLimit: 1m

  # Sets the latency of link when it's first created. Will be overwritten as soon as latency from the link is actually
  # reported from the routers. Defaults to 65 seconds.
  #initialLinkLatency: 65s
  
  #smart:
    #
    # Defines the fractional upper limit of underperforming circuits that are candidates to be re-routed. If 
    # smart routing detects 100 circuits that are underperforming, and `smart.rerouteFraction` is set to `0.02`,
    # then the upper limit of circuits that will be re-routed in this `cycleSeconds` period will be limited to 
    # 2 (2% of 100). 
    #
    #rerouteFraction:    0.02
    # 
    # Defines the hard upper limit of underperforming circuits that are candidates to be re-routed. If smart 
    # routing detects 100 circuits that are underperforming, and `smart.rerouteCap` is set to `1`, and 
    # `smart.rerouteFraction` is set to `0.02`, then the upper limit of circuits that will be re-routed in this 
    # `cycleSeconds` period will be limited to 1.
    #
    #rerouteCap:         4  

# the endpoint that routers will connect to the controller over.
ctrl:
  #options:
  # (optional) settings
  # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1)
  #maxQueuedConnects:      1
  # the maximum number of connects that have  begun hello synchronization (1 to 1000, default 16)
  #maxOutstandingConnects: 16
  # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 5000ms)
  #connectTimeoutMs:       5000
  listener:             tls:0.0.0.0:8440

# the endpoint that management tools connect to the controller over.
mgmt:
  #options:
  # (optional) settings
  # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1)
  #maxQueuedConnects:      1
  # the maximum number of connects that have  begun hello synchronization (1 to 1000, default 16)
  #maxOutstandingConnects: 16
  # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 5000ms)
  #connectTimeoutMs:       5000
  listener:             tls:0.0.0.0:10000

#metrics:
#  influxdb:
#    url:                http://localhost:8086
#    database:           ziti

# xctrl_example
#
#example:
#  enabled:              false
#  delay:                5s

healthChecks:
  boltCheck:
    # How often to try entering a bolt read tx. Defaults to 30 seconds
    interval: 30s
    # When to time out the check. Defaults to 20 seconds
    timeout: 20s
    # How long to wait before starting the check. Defaults to 30 seconds
    initialDelay: 30s

# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this
# section, commenting out, or altering the name of the section will cause the edge to not run.
edge:
  # This section represents the configuration of the Edge API that is served over HTTPS
  api:
    #(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted
    # activityUpdateInterval: 90s
    #(optional, default 250) The number of API Sessions updated for last activity per transaction
    # activityUpdateBatchSize: 250
    # sessionTimeout - optional, default 30m
    # The number of minutes before an Edge API session will time out. Timeouts are reset by
    # API requests and connections that are maintained to Edge Routers
    sessionTimeout: 30m
    # address - required
    # The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses
    # defined in this Controller.WebListener.'s bindPoints.
    address: 147.182.246.55:8441
  # This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities.
  enrollment:
    # signingCert - required
    # A Ziti Identity configuration section that specifically makes use of the cert and key fields to define
    # a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert
    # will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller.
    signingCert:
      cert: /root/.ziti/quickstart/zcontrol/pki/zcontrol-signing-intermediate/certs/zcontrol-signing-intermediate.cert
      key:  /root/.ziti/quickstart/zcontrol/pki/zcontrol-signing-intermediate/keys/zcontrol-signing-intermediate.key
    # edgeIdentity - optional
    # A section for identity enrollment specific settings
    edgeIdentity:
      # duration - optional, default 180m
      # The length of time that a Ziti Edge Identity enrollment should remain valid. After
      # this duration, the enrollment will expire and no longer be usable.
      duration: 180m
    # edgeRouter - Optional
    # A section for edge router enrollment specific settings.
    edgeRouter:
      # duration - optional, default 180m
      # The length of time that a Ziti Edge Router enrollment should remain valid. After
      # this duration, the enrollment will expire and no longer be usable.
      duration: 180m

# web
# Defines webListeners that will be hosted by the controller. Each webListener can host many APIs and be bound to many
# bind points.
web:
  # name - required
  # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.
  - name: client-management
    # bindPoints - required
    # One or more bind points are required. A bind point specifies an interface (interface:port string) that defines
    # where on the host machine the webListener will listen and the address (host:port) that should be used to
    # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for
    # incoming address resolution as well as used in responses in the API.
    bindPoints:
      #interface - required
      # A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces
      - interface: 0.0.0.0:8441
        # address - required
        # The public address that external incoming requests will be able to resolve. Used in request processing and
        # response content that requires full host:port/path addresses.
        address: 147.182.246.55:8441
    # identity - optional
    # Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
    identity:
      ca:          "/root/.ziti/quickstart/zcontrol/pki/147.182.246.55-intermediate/certs/147.182.246.55-intermediate.cert"
      key:         "/root/.ziti/quickstart/zcontrol/pki/147.182.246.55-intermediate/keys/147.182.246.55-server.key"
      server_cert: "/root/.ziti/quickstart/zcontrol/pki/147.182.246.55-intermediate/certs/147.182.246.55-server.chain.pem"
      cert:        "/root/.ziti/quickstart/zcontrol/pki/147.182.246.55-intermediate/certs/147.182.246.55-client.cert"
    # options - optional
    # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are
    # used for all http servers started by the current webListener.
    options:
      # idleTimeoutMs - optional, default 5000ms
      # The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high
      # can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value
      # will cause clients to reconnect on subsequent HTTPs requests.
      idleTimeout: 5000ms  #http timeouts, new
      # readTimeoutMs - optional, default 5000ms
      # The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher
      # value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency
      # or packet loss. A lower value can risk losing connections to high latency/packet loss clients.
      readTimeout: 5000ms
      # writeTimeoutMs - optional, default 100000ms
      # The total maximum time in milliseconds that the http server will wait for a single requests to be received and
      # responded too. A higher value can allow long-running requests to consume resources on the host. A lower value
      # can risk ending requests before the server has a chance to respond.
      writeTimeout: 100000ms
      # minTLSVersion - optional, default TLS1.2
      # The minimum version of TSL to support
      minTLSVersion: TLS1.2
      # maxTLSVersion - optional, default TLS1.3
      # The maximum version of TSL to support
      maxTLSVersion: TLS1.3
    # apis - required
    # Allows one or more APIs to be bound to this webListener
    apis:
      # binding - required
      # Specifies an API to bind to this webListener. Built-in APIs are
      #   - edge-management
      #   - edge-client
      #   - fabric-management
      - binding: edge-management
        # options - arg optional/required
        # This section is used to define values that are specified by the API they are associated with.
        # These settings are per API. The example below is for the 'edge-api' and contains both optional values and
        # required values.
        options: { }
      - binding: edge-client
        options: { }
      - binding: fabric
        options: { }

It seems to be CONTROLLER_UNAVAILABLE(-7); however, the controller looks fine from my side.

root@clny:/opt/openziti/etc/identities# ziti-edge-tunnel enroll -j /opt/openziti/etc/identities/ziti-id.jwt -i /opt/openziti/etc/identities/ziti-id.json
(34656)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(34656)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(34656)[        0.000]    INFO ziti-sdk:ziti_enroll.c:90 ziti_enroll() Ziti C SDK version 0.32.6 @2fc3556(HEAD) starting enrollment at (2023-06-07T17:19:08.334)
(34656)[        0.161]   ERROR ziti-sdk:ziti_ctrl.c:154 ctrl_resp_cb() ctrl[147.182.246.55] request failed: -103(software caused connection abort)
(34656)[        0.161]   ERROR ziti-sdk:ziti_enroll.c:222 well_known_certs_cb() /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:141 - ZITI_JWT_VERIFICATION_FAILED => -7 (JWT verification failed)
(34656)[        0.161]   ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2116 enroll_cb() enrollment failed: CONTROLLER_UNAVAILABLE(-7)
root@clny:/opt/openziti/etc/identities# ls -la
total 12
drwxrwx--- 2 root ziti 4096 Jun  7 17:20 .
drwxr-xr-x 3 root root 4096 Jun  7 16:26 ..
-rw-r--r-- 1 root root  892 Jun  7 17:16 ziti-id.jwt
root@clny:/opt/openziti/etc/identities# sudo systemctl enable --now ziti-edge-tunnel.service
Job for ziti-edge-tunnel.service failed because the control process exited with error code.
See "systemctl status ziti-edge-tunnel.service" and "journalctl -xeu ziti-edge-tunnel.service" for details.
root@clny:/opt/openziti/etc/identities# 


Hi Nick,
Your controller is fine and up and running.

$ curl -k https://147.182.246.55:8441
{"data":{"apiVersions":{"edge":{"v1":{"apiBaseUrls":["https://147.182.246.55:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-client":{"v1":{"apiBaseUrls":["https://147.182.246.55:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-management":{"v1":{"apiBaseUrls":["https://147.182.246.55:8441/edge/management/v1"],"path":"/edge/management/v1"}}},"buildDate":"2023-05-26T18:18:07Z","revision":"bcd87b19d952","runtimeVersion":"go1.20.4","version":"v0.28.0"},"meta":{}}

You can also run this command from your tunneler: curl -k https://147.182.246.55:8441

I don’t see any identity you created when you did “ziti edge list identities”. Where did you get that jwt from?

Regards,

James
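A small diagnostic script for the situation above, added here as an example and not taken from the thread or from the OpenZiti project. It decodes the claims of an enrollment JWT (no signature check; the controller does that during enrollment) so you can see which controller address the tunneler will contact ("iss"), which identity the token belongs to ("sub"), and whether the token is still inside the enrollment window (the controller config above sets `edgeIdentity.duration: 180m`), and then runs the same `curl -k` reachability check James suggests against that address. The claim names "iss", "sub", "em" and "exp" are assumed from OpenZiti's one-time-token format; the sample token is constructed by the script itself so the claim helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the thread or of OpenZiti): inspect an enrollment
# JWT and check that the controller it names is reachable from this host.
# Assumed claim layout: {"iss": controller URL, "sub": identity id,
#                        "em": enrollment method, "exp": unix time}

# base64url-decode one JWT segment: restore '+' '/' and '=' padding, then decode.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# base64url-encode stdin; used only to build the constructed sample token.
b64url_encode() {
  base64 | tr -d '\n=' | tr '/+' '_-'
}

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string or numeric claim from the flat payload JSON (no jq needed).
#   $1 = token, $2 = claim name
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Succeeds if the token's "exp" is still in the future.
jwt_unexpired() {
  exp=$(jwt_claim "$1" exp)
  now=$(date +%s)
  [ -n "$exp" ] && [ "$exp" -gt "$now" ]
}

# Build a constructed, unsigned sample token: header.payload.placeholder-signature.
#   $1 = issuer URL, $2 = identity id, $3 = expiry (unix time)
make_sample_jwt() {
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
  pl=$(printf '{"iss":"%s","sub":"%s","em":"ott","exp":%s}' "$1" "$2" "$3" | b64url_encode)
  printf '%s.%s.%s' "$hdr" "$pl" "constructed-signature"
}

# Live check on a real token file; needs network, so the offline test does not call it.
#   $1 = path to the .jwt file
check_enrollment_token() {
  tok=$(cat "$1")
  iss=$(jwt_claim "$tok" iss)
  sub=$(jwt_claim "$tok" sub)
  echo "issuer (controller the tunneler will contact): $iss"
  echo "identity id (compare with 'ziti edge list identities'): $sub"
  if jwt_unexpired "$tok"; then
    echo "token: not expired"
  else
    echo "token: EXPIRED; re-create the identity to get a fresh JWT"
    return 1
  fi
  # Same probe James ran; -k because the controller uses its own quickstart PKI.
  if curl -sk --max-time 5 "$iss" >/dev/null; then
    echo "controller answers at $iss"
  else
    echo "controller NOT reachable at $iss from this host"
    return 1
  fi
}

# Usage on the tunneler host:
#   check_enrollment_token /opt/openziti/etc/identities/ziti-id.jwt
```

Run it on the tunneler host before `ziti-edge-tunnel enroll`: if the issuer does not answer from there, the problem is network or firewall, not the token; if the token has expired or its "sub" is not among the controller's identities, the JWT has to be re-issued.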

nick@nick:~$ curl -k https://147.182.246.55:8441
{"data":{"apiVersions":{"edge":{"v1":{"apiBaseUrls":["https://147.182.246.55:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-client":{"v1":{"apiBaseUrls":["https://147.182.246.55:8441/edge/client/v1"],"path":"/edge/client/v1"}},"edge-management":{"v1":{"apiBaseUrls":["https://147.182.246.55:8441/edge/management/v1"],"path":"/edge/management/v1"}}},"buildDate":"2023-05-26T18:18:07Z","revision":"bcd87b19d952","runtimeVersion":"go1.20.4","version":"v0.28.0"},"meta":{}}

The JWT came from the controller VM.

Okay... give me a minute, let me try it on mine. Your identities are not on the controller.

No hurry. I am trying as well.

That is strange. I just did it on my console, and the ID (testNewID) shows up on the controller:

$ ziti edge list identities
╭───────────┬─────────────────────────────┬────────┬────────────┬─────────────╮
│ ID        │ NAME                        │ TYPE   │ ATTRIBUTES │ AUTH-POLICY │
├───────────┼─────────────────────────────┼────────┼────────────┼─────────────┤
│ I5GzYuywp │ testNewID                   │ Device │            │ Default     │
│ j18oJBwm8 │ Default Admin               │ User   │            │ Default     │
│ wgb.Teuw0 │ testpubcloud-nc-edge-router │ Router │            │ Default     │
╰───────────┴─────────────────────────────┴────────┴────────────┴─────────────╯
results: 1-3 of 3

Can you try to create a new identity, and make sure it shows up on the controller before you enroll it?

If that doesn’t work, can you please send the controller log? (sudo journalctl -u ziti-controller >ziti-controller.log)

Thanks,

James

root@zcontrol:~# ziti edge list identities
╭────────────┬──────────────────────┬────────┬────────────┬─────────────╮
│ ID         │ NAME                 │ TYPE   │ ATTRIBUTES │ AUTH-POLICY │
├────────────┼──────────────────────┼────────┼────────────┼─────────────┤
│ KiwXKSycJO │ testnew              │ Device │            │ Default     │
│ Q2CWfSZcU  │ JAMES-CL-NY          │ Device │            │ Default     │
│ cwFsiwfri  │ zcontrol-edge-router │ Router │            │ Default     │
│ fWSk.SZiJO │ JAMES-CL-SF          │ Device │            │ Default     │
│ uypofhZiUO │ JAMES-ER-SF1         │ Router │            │ Default     │
│ wtER9U.f9  │ Default Admin        │ User   │            │ Default     │
╰────────────┴──────────────────────┴────────┴────────────┴─────────────╯

The ziti controller log is super long; the most recent entries are:

Jun 07 18:31:34 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 167.71.190.51:34390: remote error: tls: unknown certificate authority","time":"2023-06-07T18:31:34.566Z"}
Jun 07 18:31:37 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 167.71.190.51:34400: remote error: tls: unknown certificate authority","time":"2023-06-07T18:31:37.820Z"}
Jun 07 18:31:41 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 167.71.190.51:34414: remote error: tls: unknown certificate authority","time":"2023-06-07T18:31:41.066Z"}
Jun 07 18:31:44 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 167.71.190.51:57342: remote error: tls: unknown certificate authority","time":"2023-06-07T18:31:44.313Z"}
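The controller log is long, so a quick way to read it is to group the TLS handshake failures by remote address and alert text. The script below is an added example, not from the thread or from OpenZiti; it runs over constructed journal lines in the same format as the ones quoted above (the 167.71.190.51 lines mirror the thread, the 10.0.0.9 line is invented). In Go's TLS logging, "remote error:" means the alert was sent by the peer, so "remote error: tls: unknown certificate authority" records that the connecting host rejected the controller's certificate chain rather than the controller rejecting the client.

```shell
#!/bin/sh
# Added example (not part of the thread or of OpenZiti): summarise
# "http: TLS handshake error" lines from the ziti-controller journal.

# Write constructed sample journal lines to the file named in $1.
write_sample_controller_log() {
  cat > "$1" <<'EOF'
Jun 07 18:31:34 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 167.71.190.51:34390: remote error: tls: unknown certificate authority","time":"2023-06-07T18:31:34.566Z"}
Jun 07 18:31:37 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 167.71.190.51:34400: remote error: tls: unknown certificate authority","time":"2023-06-07T18:31:37.820Z"}
Jun 07 18:31:41 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 167.71.190.51:34414: remote error: tls: unknown certificate authority","time":"2023-06-07T18:31:41.066Z"}
Jun 07 18:31:44 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 167.71.190.51:57342: remote error: tls: unknown certificate authority","time":"2023-06-07T18:31:44.313Z"}
Jun 07 18:31:50 zcontrol ziti-controller[26076]: {"level":"info","msg":"http: TLS handshake error from 10.0.0.9:40000: EOF","time":"2023-06-07T18:31:50.000Z"}
Jun 07 18:31:51 zcontrol ziti-controller[26076]: {"level":"info","msg":"controller still running","time":"2023-06-07T18:31:51.000Z"}
EOF
}

# One line per (remote IP, alert text), most frequent first, e.g.
#   4 167.71.190.51 remote error: tls: unknown certificate authority
#   $1 = journal file (output of: journalctl -u ziti-controller > file)
summarize_tls_errors() {
  sed -n 's/.*TLS handshake error from \([0-9.]*\):[0-9]*: \(.*\)","time.*/\1 \2/p' "$1" \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Remote addresses whose TLS client sent "unknown certificate authority", i.e.
# hosts that do not trust the controller's certificate chain. Compare these with
# the addresses of the tunnelers you are trying to enrol.
#   $1 = journal file
peers_rejecting_controller_cert() {
  sed -n 's/.*TLS handshake error from \([0-9.]*\):[0-9]*: remote error: tls: unknown certificate authority.*/\1/p' "$1" \
    | sort -u
}

# Usage on the controller:
#   sudo journalctl -u ziti-controller > ziti-controller.log
#   summarize_tls_errors ziti-controller.log
#   peers_rejecting_controller_cert ziti-controller.log
```

If the address that keeps rejecting the controller's certificate is the tunneler you are enrolling, the place to look is the trust bootstrap on that host (the enrollment run above failed in `well_known_certs_cb`), not the controller's identities; if it is an address you do not recognise, it is an unknown client probing the management port and worth noting on its own.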

Your identities look good now. Do you still have an issue enrolling the identity?