Hello, I am having a bit of trouble using the Docker Compose setup.
I’m trying to deploy the compose stack on a public Oracle Cloud Instance, for which I followed this tutorial. The OCL firewall configuration looks as follows
I first tried with some custom services but since I had some trouble I decided to try to replicate the Minecraft Tutorial since that worked for me when I tried the non-docker-compose setup, but I’m still having issues.
I'm using the following docker-compose.yml. I took this example and made a couple of modifications: I updated the compose version to 3.9 and I reduced the networks to just one (since this is deployed on a public machine with no other containers).
version: '3.9'
services:
  ziti-controller:
    image: "${ZITI_IMAGE}:${ZITI_VERSION}"
    env_file:
      - ./.env
    ports:
      - ${ZITI_EDGE_CONTROLLER_PORT:-1280}:${ZITI_EDGE_CONTROLLER_PORT:-1280}
      - ${ZITI_CTRL_PORT:-6262}:${ZITI_CTRL_PORT:-6262}
    environment:
      - ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=${ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION}
      - ZITI_EDGE_ROUTER_ENROLLMENT_DURATION=${ZITI_EDGE_ROUTER_ENROLLMENT_DURATION}
    networks:
      ziti:
        aliases:
          - ziti-edge-controller
    volumes:
      - ziti-fs:/persistent
    entrypoint:
      - "/var/openziti/scripts/run-controller.sh"
  ziti-controller-init-container:
    image: "${ZITI_IMAGE}:${ZITI_VERSION}"
    depends_on:
      - ziti-controller
    environment:
      - ZITI_CONTROLLER_RAWNAME="${ZITI_CONTROLLER_RAWNAME}"
      - ZITI_EDGE_CONTROLLER_RAWNAME="${ZITI_EDGE_CONTROLLER_RAWNAME}"
    env_file:
      - ./.env
    networks:
      ziti:
        aliases:
          - ziti-edge-controller-init-container
    volumes:
      - ziti-fs:/persistent
    entrypoint:
      - "/var/openziti/scripts/run-with-ziti-cli.sh"
    command:
      - "/var/openziti/scripts/access-control.sh"
  ziti-edge-router:
    image: "${ZITI_IMAGE}:${ZITI_VERSION}"
    depends_on:
      - ziti-controller
    environment:
      - ZITI_CONTROLLER_RAWNAME="${ZITI_CONTROLLER_RAWNAME}"
      - ZITI_EDGE_CONTROLLER_RAWNAME="${ZITI_EDGE_CONTROLLER_RAWNAME}"
      - ZITI_EDGE_ROUTER_RAWNAME=${ZITI_EDGE_ROUTER_RAWNAME:-ziti-edge-router}
      - ZITI_EDGE_ROUTER_ROLES=public
    ports:
      - ${ZITI_EDGE_ROUTER_PORT:-3022}:${ZITI_EDGE_ROUTER_PORT:-3022}
    networks:
      - ziti
    volumes:
      - ziti-fs:/persistent
    entrypoint: /bin/bash
    command: "/var/openziti/scripts/run-router.sh edge"
  ziti-console:
    image: openziti/zac
    depends_on:
      - ziti-controller
    working_dir: /usr/src/app
    environment:
      - ZAC_SERVER_CERT_CHAIN=/persistent/pki/${ZITI_EDGE_CONTROLLER_HOSTNAME:-ziti-controller}-intermediate/certs/${ZITI_EDGE_CONTROLLER_HOSTNAME:-ziti-controller}-server.cert
      - ZAC_SERVER_KEY=/persistent/pki/${ZITI_EDGE_CONTROLLER_HOSTNAME:-ziti-controller}-intermediate/keys/${ZITI_EDGE_CONTROLLER_HOSTNAME:-ziti-controller}-server.key
      - PORTTLS=8443
    ports:
      - 1408:1408
      - 8443:8443
    networks:
      - ziti
    volumes:
      - ziti-fs:/persistent
networks:
  ziti:
volumes:
  ziti-fs:
I'm using the following .env file, which is partly modified from this example. Some of the variables are overridden with my Oracle Cloud Instance information; for demonstration purposes let's say that the public IP is 11.22.33.44 and the address I bought that's pointing to that IP is ziti.jruiz.com.
# OpenZiti Variables
ZITI_IMAGE=openziti/quickstart
ZITI_VERSION=latest
# The duration of the enrollment period (in minutes), default if not set
# shown - 7days
ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=10080
ZITI_EDGE_ROUTER_ENROLLMENT_DURATION=10080
# controller address/port information
ZITI_CONTROLLER_RAWNAME=ziti-controller
ZITI_CONTROLLER_HOSTNAME=ziti.jruiz.com
#ZITI_CTRL_PORT=8440
ZITI_EDGE_CONTROLLER_RAWNAME=ziti-edge-controller
ZITI_EDGE_CONTROLLER_HOSTNAME=ziti.jruiz.com
#ZITI_EDGE_CONTROLLER_PORT=8441
ZITI_EDGE_CONTROLLER_IP_OVERRIDE=11.22.33.44
# router address/port information
ZITI_EDGE_ROUTER_RAWNAME=ziti.jruiz.com
#ZITI_EDGE_ROUTER_PORT=8442
ZITI_EDGE_ROUTER_IP_OVERRIDE=11.22.33.44
I first tried using Ziti's Administration Console, but since it didn't work, I decided to enter the Ziti Controller container (using the command docker exec -it <containerID> bash) and run the commands from the Minecraft tutorial manually.
For my tests I'm using my desktop, which is acting as the host, running a Minecraft Bedrock Edition Dedicated Server on UDP port 57775 (Bedrock Edition uses UDP instead of TCP, just FYI).
Following the tutorial’s steps, these are the commands I’m running inside the Controller Container:
export DEVICE_NAME="jruiz.server"
export MY_NAME="jruiz.player"
export PORT=57775
ziti edge create identity device ${DEVICE_NAME} -o ${DEVICE_NAME}.jwt -a "${DEVICE_NAME}.hosts"
ziti edge create identity user ${MY_NAME} -o ${MY_NAME}.jwt -a "${DEVICE_NAME}.clients"
ziti edge create config ${DEVICE_NAME}.hostv1 host.v1 '{"protocol":"udp", "address":"localhost","port":'${PORT}'}'
ziti edge create config ${DEVICE_NAME}.interceptv1 intercept.v1 '{"protocols":["udp"],"addresses":["'${DEVICE_NAME}'.ziti"], "portRanges":[{"low":'${PORT}', "high":'${PORT}'}]}'
ziti edge create service ${DEVICE_NAME} --configs "${DEVICE_NAME}.hostv1,${DEVICE_NAME}.interceptv1"
ziti edge create service-policy "${DEVICE_NAME}.bind" Bind --service-roles "@${DEVICE_NAME}" --identity-roles "#${DEVICE_NAME}.hosts"
ziti edge create service-policy "${DEVICE_NAME}.dial" Dial --service-roles "@${DEVICE_NAME}" --identity-roles "#${DEVICE_NAME}.clients"
After this is done, I log into Ziti's Administration Console and download the JWT to enroll it on my desktop, and scan the QR code to enroll it on my phone (I have Minecraft on my phone to test).
Both edge apps, on desktop and phone, show the service that I created on UDP port 57775. However, I'm not able to connect to the Minecraft server on my desktop from my phone using the address jruiz.server.ziti. (Just for the record, I can perfectly connect using regular LAN IPs.)
Apart from the Minecraft server, I've also tried testing with simple Python HTTP servers (of course creating their corresponding services/identities/policies, etc.), but I've also had no luck. Any ideas? I can force-delete and re-create all the containers/volumes if we need to test things to debug.
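As an added example (not part of the original post and not OpenZiti project code), the script below builds the same host.v1 / intercept.v1 configs the post creates, checks that the pair is internally consistent before anything is sent to the controller, and renders the ziti edge CLI sequence with the JSON quoted by shlex instead of by hand-spliced single quotes. The function names (build_host_v1, build_intercept_v1, check_pair, render_commands) are hypothetical helpers written for this example; the identity names and the UDP port 57775 are the values from the post. The check catches the two mismatches that most often make a service show up in the tunneler yet never connect: an intercepted protocol that the host side does not dial, and a hosted port that falls outside the intercepted port range.

```python
"""Build and sanity-check an OpenZiti host.v1 / intercept.v1 config pair
and render the tutorial's ziti edge CLI commands (example code; the helper
names are hypothetical and are not part of the ziti CLI or SDK)."""
import json
import shlex

# Values taken from the post (constructed inputs for this example).
DEVICE_NAME = "jruiz.server"
MY_NAME = "jruiz.player"
PORT = 57775


def build_host_v1(protocol, address, port):
    """host.v1 config: the protocol/address/port the hosting identity dials."""
    return {"protocol": protocol, "address": address, "port": port}


def build_intercept_v1(protocols, addresses, low, high):
    """intercept.v1 config: what the client-side tunneler captures."""
    return {
        "protocols": list(protocols),
        "addresses": list(addresses),
        "portRanges": [{"low": low, "high": high}],
    }


def check_pair(host_cfg, intercept_cfg):
    """Return a list of problems for a host.v1 / intercept.v1 pair.

    An empty list means the pair is consistent for a single-protocol service
    like the one in the post (UDP in, UDP out, one port)."""
    problems = []
    hosted = host_cfg["protocol"]
    for proto in intercept_cfg["protocols"]:
        if proto != hosted:
            problems.append(f"intercept lists {proto} but host.v1 dials {hosted}")
    for rng in intercept_cfg["portRanges"]:
        if rng["low"] > rng["high"]:
            problems.append(f"inverted port range {rng}")
        elif not rng["low"] <= host_cfg["port"] <= rng["high"]:
            problems.append(
                f"hosted port {host_cfg['port']} is outside intercepted range {rng}"
            )
    for addr in intercept_cfg["addresses"]:
        if not addr or addr.endswith(".") or " " in addr:
            problems.append(f"malformed intercept address {addr!r}")
    return problems


def render_commands(device, user, host_cfg, intercept_cfg):
    """The post's ziti edge CLI sequence with the JSON configs safely quoted."""
    hostv1 = f"{device}.hostv1"
    interceptv1 = f"{device}.interceptv1"
    q = shlex.quote  # shell-quote every value we interpolate
    return [
        f"ziti edge create identity device {q(device)} -o {q(device + '.jwt')} "
        f"-a {q(device + '.hosts')}",
        f"ziti edge create identity user {q(user)} -o {q(user + '.jwt')} "
        f"-a {q(device + '.clients')}",
        f"ziti edge create config {q(hostv1)} host.v1 {q(json.dumps(host_cfg))}",
        f"ziti edge create config {q(interceptv1)} intercept.v1 "
        f"{q(json.dumps(intercept_cfg))}",
        f"ziti edge create service {q(device)} --configs {q(hostv1 + ',' + interceptv1)}",
        f"ziti edge create service-policy {q(device + '.bind')} Bind "
        f"--service-roles {q('@' + device)} --identity-roles {q('#' + device + '.hosts')}",
        f"ziti edge create service-policy {q(device + '.dial')} Dial "
        f"--service-roles {q('@' + device)} --identity-roles {q('#' + device + '.clients')}",
    ]


if __name__ == "__main__":
    host_cfg = build_host_v1("udp", "localhost", PORT)
    intercept_cfg = build_intercept_v1(["udp"], [f"{DEVICE_NAME}.ziti"], PORT, PORT)
    for problem in check_pair(host_cfg, intercept_cfg):
        print("PROBLEM:", problem)
    for cmd in render_commands(DEVICE_NAME, MY_NAME, host_cfg, intercept_cfg):
        print(cmd)
```

Running the script prints nothing under PROBLEM for the post's UDP/57775 pair and then the seven commands, ready to paste into the controller container; changing the intercept to ["tcp"] or to a different port range makes the check report exactly what is inconsistent before you enroll anything.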