Situation
I had three demos working
- reflect client / server
- desktop tunneller
- mobile tunneller
So.. I thought to try the zitified ssh for a bit of fun.
I had everything set up.. except for the tunneller.. as this was the error I was getting
FATAL error when dialing service name golang-zssh. unable to dial service 'golang-zssh': dial failed: service J-CGOlxhC has no terminators
Not having much idea what this was.. I did some investigation in ZAC..
I saw this terminator.. though I had no idea how it was created.
I noticed that the service was the original service for the reflect example.. not the ssh service that I created
so I tried to change it
You cannot do this..
As it looked a bit funny.. not knowing what the hosted address was... I deleted it.
This broke everything.. and I needed to start from the top again.. which was ok.. because I wanted to know what created it.
well.. I worked it out.
when you start the server for the reflect example.. guess what.. it was automatically created.. and it assigned the service name provided.
go run simple-server.go "$HOME/golang.http.server.json" "golanghttp"
This gave me the ahah moment..
when you want to create the zitified ssh example.. you need to stop this .. and restart it with a new service name
Well I think that is what you need to do.. I will know more in a few more minutes
Ahh… also… when you stop the server… the terminator is automatically deleted
well.. I must be close.. but it did not work.. I think I have tracked down the problem... but don't know what it all means
This is what the service looks like for the zzh demo
However... when I watched one of the demo videos.. it was configured as follows
I am not really sure what went wrong.. here are the commands that I used..
I am skipping the creation and enrolling of identities as this has all been completed successfully.
ziti edge create config golang-host.v1 host.v1 '{"protocol":"tcp", "address":"localhost","port":22, "listenOptions": {"bindUsingEdgeIdentity":true}}'
ziti edge create service golang-zssh --configs golang-host.v1
ziti edge create service-policy golang-zssh-binding Bind --service-roles '@golang-zssh' --identity-roles '@golang.http.server'
ziti edge create service-policy golang-zssh-dialing Dial --service-roles '@golang-zssh' --identity-roles '@golang.http.ssh.client'
policy advisor
I have run this for both identities and services.. no problems were identified
This is what was returned when I put the zssh into debug
zssh opc@ip -d -s golang-zssh -c …json -i … key
INFO username set to: opc
INFO targetIdentity set to: ip
INFO connection to edge router using api session token 7d0bb8be-1411-4652-825b-4c7d1c7aaf63
FATAL error when dialing service name golang-zssh. unable to dial service ‘golang-zssh’: dial failed: service WufXhXoAg has no terminators for identity ip
I know the terminator exists because I can see it in ZAC
INFO targetIdentity set to: ip
Do you have an identity named "ip"? When you use zssh, you will need to provide the name of the identity as the target. Looking at the commands you ran from above - I would expect you to issue this zssh:
zssh opc@golang.http.server -d -s golang-zssh -c …json -i … key
you are instructing zssh to dial the identity named 'ip' in your example. I think you want to tell it to dial the identity named "golang.http.server" instead.
further proof is provided in that message. In my experience (and I have a lot of this experience because this is a particularly common problem) if you are seeing a "no terminators" message it means:
- you somehow are instructing openziti to dial the wrong identity
- the identity you correctly specified is actually not online
In this case both of these are true. Because you're using the wrong identity in the command - that identity is offline and has no terminators... Makes sense but - it's not "smacking you in the face" obvious what that error means.
brilliant.. that has provided some selleys to fill in a few more gaps.
I fixed the dialing of the identity.. but still unable to work out how to debug the terminator..
FATAL error when dialing service name golang-zssh. unable to dial service 'golang-zssh': dial failed: service WufXhXoAg has no terminators for identity golang.http.server
How do you create one..?
I think I have something wrong.. as I am unsure what you need to have configured on the server...
I could not work this bit out.. I have the app installed on the client... but what do you need installed on the server..?
I am taking a closer look through this video… I think my problem starts at 35.40… I am not 100% sure what to enter in those fields
I think I have it… just need another 20 min… watch this space.
What twigged for me… was the need for a separate identity for the server… so almost there
You definitely don't 'need' a different identity. I abuse my identities all the time (using them in different apps just like you are doing before "cleaning up" by making a better/more accurately named identity)
You will not need to create a terminator manually. The ziti-edge-tunnel you run on the target zssh server machine will do that on your behalf. That's actually what the "bind" configuration does....
how that bind config is working
when you run ziti-edge-tunnel, it is an OpenZiti sdk-based application. As we wrote it - it knows to look for those pre-installed config types (intercept.v1/host.v1/etc). In this case it needs to find a "host.v1" config with "bindUsingEdgeIdentity=true". When it finds this config on a given service - like 'zssh' - then the ziti-edge-tunnel will make a "dynamic terminator" for you when the tunneller binds that service... So by simply running ziti-edge-tunnel with a known identity, and giving that identity "bind" access to a service, when the ziti-edge-tunnel comes online you'll see a terminator manifest...
If the terminator is binding "as the identity" you'll see the identity name listed:
ziti edge list terminators
id: 7G1P service: kubeA.prometheus.svc router: ip-172-31-42-64-edge-router binding: edge address: hosted:3e2a3840-7ee4-4f30-8b50-af8abf17b007 identity: kubeA.prometheus cost: 0 precedence: default dynamic-cost: 2
Here you can see my identity that was bound is identity: kubeA.prometheus
If I turn off that application - the terminator will be removed.
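The two causes of a "no terminators" error given earlier in the thread (dialing an identity name that does not exist, or one that is not online) and the explanation above of how a host.v1 config with bindUsingEdgeIdentity=true makes the tunneller register a terminator tagged with its identity can be turned into a small offline check. The script below is an added example, not code from this thread or from the OpenZiti project: it parses the key: value layout of `ziti edge list terminators` as quoted above, and applies those checks to constructed sample data. The identity records with a `hasApiSession` flag are an assumed stand-in for the green/grey dot in ZAC, and the sample terminator for the ZAC-created service is assumed to carry no `identity:` field when the config lacks bindUsingEdgeIdentity (the explanation above says only that a terminator bound "as the identity" shows the identity name).

```python
# Added example (not from the forum thread or the OpenZiti project): an offline
# diagnostic for "service X has no terminators for identity Y". It applies the
# thread's two causes (wrong identity name, identity offline) plus the host.v1
# bindUsingEdgeIdentity requirement to captured `ziti edge list terminators`
# lines. All sample data is constructed; 'hasApiSession' is an assumed stand-in
# for the green/grey online dot shown in ZAC.


def parse_terminator_line(line):
    """Parse one 'key: value key: value ...' line of `ziti edge list terminators`.
    Values contain no whitespace but may contain ':' (e.g. hosted:<uuid>),
    so walk the tokens instead of splitting on ':'."""
    tokens = line.split()
    fields = {}
    i = 0
    while i + 1 < len(tokens):
        if tokens[i].endswith(":"):
            fields[tokens[i][:-1]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return fields


def bind_identity_enabled(host_config):
    """True when a host.v1 config asks the tunneller to bind 'as the identity'."""
    return bool(host_config.get("listenOptions", {}).get("bindUsingEdgeIdentity"))


def diagnose(service, target_identity, terminator_lines, identities, host_config):
    """Return a list of findings; an empty list means the dial should find a terminator."""
    findings = []
    by_name = {ident["name"]: ident for ident in identities}

    # Cause 1 from the thread: zssh is told to dial an identity that does not exist.
    if target_identity not in by_name:
        findings.append(f"no identity named '{target_identity}'; zssh dials by identity "
                        f"name, so check the user@<identity> argument")
        return findings

    # Cause 2: the identity exists but is not online (no API session, grey dot).
    if not by_name[target_identity].get("hasApiSession"):
        findings.append(f"identity '{target_identity}' is enrolled but offline; the "
                        f"tunneller (or SDK app) must be running with that identity's JSON")

    # Assumption: without bindUsingEdgeIdentity the terminator carries no identity
    # name, so an identity-targeted dial cannot match it (the ZAC-made config case).
    if not bind_identity_enabled(host_config):
        findings.append("host.v1 config has no listenOptions.bindUsingEdgeIdentity=true; "
                        "the terminator will not be tagged with the hosting identity")

    terminators = [parse_terminator_line(line) for line in terminator_lines]
    for_service = [t for t in terminators if t.get("service") == service]
    if not for_service:
        findings.append(f"no terminator for service '{service}'; nothing with Bind "
                        f"permission is currently hosting it")
    elif not any(t.get("identity") == target_identity for t in for_service):
        bound_by = sorted(t.get("identity", "<no identity>") for t in for_service)
        findings.append(f"service '{service}' is hosted, but by {bound_by}, "
                        f"not by '{target_identity}'")
    return findings


# --- constructed sample data mirroring the thread's scenario ---------------
TERMINATOR_LINES = [
    # the line quoted in the thread (kubeA.prometheus bound as the identity)
    "id: 7G1P service: kubeA.prometheus.svc router: ip-172-31-42-64-edge-router "
    "binding: edge address: hosted:3e2a3840-7ee4-4f30-8b50-af8abf17b007 "
    "identity: kubeA.prometheus cost: 0 precedence: default dynamic-cost: 2",
    # constructed: golang-zssh hosted by golang.http.server, bound as the identity
    "id: Ab12 service: golang-zssh router: edge-router-1 binding: edge "
    "address: hosted:11111111-2222-3333-4444-555555555555 "
    "identity: golang.http.server cost: 0 precedence: default dynamic-cost: 0",
    # constructed: ssh_server hosted via a ZAC-made config, assumed to lack an identity tag
    "id: Cd34 service: ssh_server router: edge-router-1 binding: edge "
    "address: hosted:66666666-7777-8888-9999-000000000000 "
    "cost: 0 precedence: default dynamic-cost: 0",
]
IDENTITIES = [  # constructed; hasApiSession stands in for ZAC's green dot
    {"name": "golang.http.server", "hasApiSession": True},
    {"name": "golang.http.ssh.client", "hasApiSession": True},
    {"name": "ssh_server", "hasApiSession": True},
]
HOST_CONFIG_OK = {"protocol": "tcp", "address": "localhost", "port": 22,
                  "listenOptions": {"bindUsingEdgeIdentity": True}}
HOST_CONFIG_FROM_ZAC = {"protocol": "tcp", "address": "localhost", "port": 22}

if __name__ == "__main__":
    for svc, ident, cfg in [("golang-zssh", "ip", HOST_CONFIG_OK),
                            ("golang-zssh", "golang.http.server", HOST_CONFIG_OK),
                            ("ssh_server", "ssh_server", HOST_CONFIG_FROM_ZAC)]:
        result = diagnose(svc, ident, TERMINATOR_LINES, IDENTITIES, cfg)
        print(f"{svc} -> {ident}:", result or ["ok"])
```

The first case reproduces the original `zssh opc@ip` mistake (no identity named "ip"), the second is the corrected dial and yields no findings, and the third models the later ssh_server attempt, where the config was made in ZAC without bindUsingEdgeIdentity.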
Still getting a bit stuck… for some reason… when I enroll an identity… it does not show up as enrolled in ZAC… it's worked for everything else… so not sure what I am doing wrong… it says it was successful… and the JSON file was created… but it's not showing a green dot?
Any tips?
getting closer… I realised that both identities have been successfully resolved… though I am still getting issues with the terminator… will keep you posted
That indicates it's got an API Session / Session. API session means it's been online in the last "n" minutes (depending on what your config is like, 10m I think is the default). Session means it's sent some kind of traffic (#1 below). If the identity isn't being used they will show up as grey. (#2 below)
To see if it's been enrolled look at the 'token' column (#3 above)
I see you have made a new service: ssh_server. Does this service have a config associated to it? Does that config use "bindUsingEdgeIdentity"? Is the ziti-edge-tunnel running using that identity?
I created the config via ZAC… and tried to do the same as in the video… I did not see any option to select “bindUsingEdgeIdentity”
Also… I am not sure how to check if ziti-edge-tunnel is running
Is this another step… I may have missed this in the video
AAAhhhh. Sometimes the ZAC needs, let’s say, “encouragement” to add a new feature… Things can get missed. I betcha that’s the problem.
Make the service with the ziti cli for now and see
ahh… so you use ziti-edge-tunnel to enrol the server identity
I missed quite a few things… but now have my terminator… but for some reason it's not connected to the ssh_server service…
steps missed were
- download and install the ziti tunneller on the server
- use the following command to enroll the server identity
sudo ./ziti-edge-tunnel enroll --jwt ssh_server.jwt --identity ./ssh_server.json
- use the following command to run the tunneller service
sudo ./ziti-edge-tunnel run --identity ./ssh_server.json
However… I am still missing something
FATAL error when dialing service name ssh_server. unable to dial service ‘ssh_server’: dial failed: service QOFOXnUf8h has no terminators for identity ssh.client.ziti