OpenZiti and terminators


I had three demos working

  1. reflect client / server
  2. desktop tunneller
  3. mobile tunneller

So… I thought to try the zitified ssh for a bit of fun.

I had everything setup… except for the tunneller… as this was the error I was getting

FATAL error when dialing service name golang-zssh. unable to dial service ‘golang-zssh’: dial failed: service J-CGOlxhC has no terminators

Not having much idea this was… I did some investigation in ZAC…

I saw this terminator… though I had no idea how it was created.

I noticed that the service was the original service for the reflect example… not the ssh service that I created

so I tried to change it

You cannot do this…

As it looked a bit funny… not knowing what the hosted address was… I deleted it. :slight_smile:

This broke everything… and I needed to start from the top again… which was ok… because I wanted to know what created it.

well… I worked it out.

when you start the server for the reflect example… guess what… it was automatically created… and it assigned the service name provided.

go run simple-server.go “$HOME/golang.http.server.json” “golanghttp”

This gave me the ahah moment…

when you want to create the zitified ssh example… you need to stop this … and restart it with a new service name

Well I think that is what you need to do… I will know more in a few more minutes :slight_smile:

Ahh… also… when you stop the server… the terminator is automatically deleted :slight_smile:

well… I must be close… but it did not work… I think I have tracked down the problem… but don’t know what it all means

This is what the service looks like for the zzh demo

However… when I watched one of the demo videos… it was configured as follows

I am not really sure what went wrong… here are the commands that I used…

I am skipping the creation and enrolling of identities as this has all been completed successfully.

ziti edge create config golang-host.v1 host.v1 ‘{“protocol”:“tcp”, “address”:“localhost”,“port”:22, “listenOptions”: {“bindUsingEdgeIdentity”:true}}’

ziti edge create service golang-zssh --configs golang-host.v1

ziti edge create service-policy golang-zssh-binding Bind --service-roles ‘@golang-zssh’ --identity-roles ‘@golang.http.server

ziti edge create service-policy golang-zssh-dialing Dial --service-roles ‘@golang-zssh’ --identity-roles ‘@golang.http.ssh.client

policy advisor
I have run this for both identities and services… no problems were identified

This is what was returned when I put the zssh into debug

zssh opc@ip -d -s golang-zssh -c …json -i … key
INFO username set to: opc
INFO targetIdentity set to: ip
INFO connection to edge router using api session token 7d0bb8be-1411-4652-825b-4c7d1c7aaf63
FATAL error when dialing service name golang-zssh. unable to dial service ‘golang-zssh’: dial failed: service WufXhXoAg has no terminators for identity ip

I know the terminator exists because I can see it in ZAC

INFO targetIdentity set to: ip

Do you have an identity named “ip”? When you use zssh, you will need to provide the name of the identity as the target. Looking at the commands you ran from above - would expect you to issue this zssh:

zssh opc@golang.http.server -d -s golang-zssh -c …json -i … key

you are instructing zssh to dial the identity named ‘ip’ in your example. I think you want to tell it to dial the identity named “golang.http.server” instead.

1 Like

further proof is provided in that message. In my experience (and I have a lot of this experience because this is a particularly common problem) if you are seeing a “no terminators” message it means:

  1. you somehow are instructing openziti to dial the wrong identity
  2. the identity you correctly specified is actually not online

In this case it’s both of these are true. Because you’re using the wrong identity in the command - that identity is offline and has no terminators… Makes sense but - it’s not “smacking you in the face” obvious what that error means.

1 Like

brilliant… that has provided some selleys to fill in a few more gaps.

I fixed the dialing of the identity… but still unable to work out how to debug the terminator…

FATAL error when dialing service name golang-zssh. unable to dial service ‘golang-zssh’: dial failed: service WufXhXoAg has no terminators for identity golang.http.server

How do you create one…?

I think I have something wrong… as I am unsure what you need to have configured on the server…

I could not work this bit out… I have the app installed on the client… but what do you need installed on the server…?

I am taking a closer look through this video… I think my problem starts at 35.40… I am not 100% sure what to enter in those fields

I think I have it… just need another 20 min… watch this space.

What twigged for me… was the need for a separate identity for the server… so almost there

You definitely don’t ‘need’ a different identity. I abuse my identities all the time (using them in different apps just like you are doing before “cleaning up” by making a better/more accurately named identity)

You will not need to create a terminator manually. The ziti-edge-tunnel you run on the target zssh server machine will do that on your behalf. That’s actually what the “bind” configuration does…

how that bind config is working

when you run ziti-edge-tunnel, it is an OpenZiti sdk-based application. As we wrote it - it knows to look for those pre-installed config types (intercept.v1/host.v1/etc). In this case it needs to find a “host.v1” config with “bindUsingEdgeIdentity=true”. When it finds this config on a given service - like ‘zssh’ - then the ziti-edge-tunnel will make a “dynamic terminator” for you when the tunneller binds that service… So by simply running ziti-edge-tunnel with a known identity, and giving that identity “bind” access to a service, when the ziti-edge-tunnel comes online you’ll see a terminator manifest…

If the terminator is binding “as the identity” you’ll see the identity name listed:

ziti edge list terminators
id: 7G1P    service: kubeA.prometheus.svc    router: ip-172-31-42-64-edge-router    binding: edge    address: hosted:3e2a3840-7ee4-4f30-8b50-af8abf17b007    identity: kubeA.prometheus    cost: 0    precedence: default    dynamic-cost: 2

Here you can see my identity that was bound is identity: kubeA.prometheus

If I turn off that application - the terminator will be removed.

Still getting a bit stuck… for some reason… when I enroll an identity… it does not show up as enrolled in ZAC… its worked for everything else… so not sure what I am doing wrong… it says it was successful… and the JSON file was created… but its not showing a green dot?

Any tips?

getting closer… I realised that both identities have been successfully resolved… though I am still getting issues with the terminator… will keep you posted

This is the error

error when dialing service name ssh_server. unable to dial service ‘ssh_server’: dial failed: service QOFOXnUf8h has no terminators

That indicates it’s got an API Session / Session. API session means it’s been online in the last “n” minutes (depending on what your config is like, 10m I think is the default). Session means it’s sent some kind of traffic (#1 below). If the identity isn’t being used they will show up as grey. (#2 below)

To see if it’s been enrolled look at the ‘token’ column (#3 above)

I see you have made a new service: ssh_server. Does this serivce have a config associated to it? Does that config use “bindUsingEdgeIdentity”? Is the ziti-edge-tunnel running using that identity?

I created the config via ZAC… and tried do the same as in the video… I did not see any option to select “bindUsingEdgeIdentity

Also… I am not sure how to check if ziti-edge-tunnel is running

Is this another step… I may have missed this in the video

AAAhhhh. Sometimes the ZAC needs, let’s say, “encouragement” to add a new feature… Things can get missed. I betcha that’s the problem.

Make the service with the ziti cli for now and see

ahh… so you use ziti-edge-tunnel to enrol the server identity

found it…

this is what I am missing… so I download this on the server… and use this to enroll the server identity

I missed quite a few things… but now have my terminator… but for some reason its not connected to the ssh_server service…

steps missed were

  1. download and install the ziti tunneller on the server

  2. use the following command to enroll the server identity

sudo ./ziti-edge-tunnel enroll --jwt ssh_server.jwt --identity ./ssh_server.json

  1. use the following command to run the tunneller service

sudo ./ziti-edge-tunnel run --identity ./ssh_server.json

However… I am still missing something

FATAL error when dialing service name ssh_server. unable to dial service ‘ssh_server’: dial failed: service QOFOXnUf8h has no terminators for identity ssh.client.ziti