QuickStart Local Docker example step 7 with tunnelers help request

I was trying to use this: Containers | OpenZiti

but probably not understanding how I'm supposed to wire this up.

I exec'ed into the controller and ran these commands:

(base) nyck33@nyck33-tt:/media/nyck33/1TB-backup/ziti/quickstart/Docker$ docker exec -it 01ee8eb6260d /bin/bash
NOT OVERRIDING: env var ZITI_BIN_DIR already set. using existing value
NOT OVERRIDING: env var ZITI_BIN_ROOT already set. using existing value
NOT OVERRIDING: env var ZITI_CTRL_ADVERTISED_ADDRESS already set. using existing value
NOT OVERRIDING: env var ZITI_ENV_FILE already set. using existing value
NOT OVERRIDING: env var ZITI_HOME already set. using existing value
NOT OVERRIDING: env var ZITI_NETWORK already set. using existing value
NOT OVERRIDING: env var ZITI_SCRIPTS already set. using existing value
NOT OVERRIDING: env var ZITI_SHARED already set. using existing value
 
adding /var/openziti/ziti-bin to the path
ziti@01ee8eb6260d:/persistent$ zitiLogin
Untrusted certificate authority retrieved from server
Verified that server supplied certificates are trusted by server
Server supplied 4 certificates
Server certificate chain written to /home/ziti/.config/ziti/certs/ziti-edge-controller
Token: 18848fea-85d6-4a28-8393-29a516ae1460
Saving identity 'default' to /home/ziti/.config/ziti/ziti-cli.json
ziti@01ee8eb6260d:/persistent$ ziti edge list edge-routers
╭────────────┬────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME               │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼────────────────────┼────────┼───────────────┼──────┼────────────┤
│ 8h03TuL-7W │ ziti-edge-router-2 │ true   │ true          │    0 │ public     │
│ kMoLfHS37W │ ziti-edge-router-1 │ true   │ true          │    0 │ public     │
╰────────────┴────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-2 of 2
ziti@01ee8eb6260d:/persistent$ ziti edge create identity user http-client -a 'http-clients' -o http.client.jwt
Command "user" is deprecated, this command is deprecated, specifying identity type is no longer required
error: error creating identities instance in Ziti Edge Controller at https://ziti-edge-controller:1280/edge/management/v1. Status code: 400 Bad Request, Server returned: {
    "error": {
        "cause": {
            "field": "name",
            "reason": "duplicate value 'http-client' in unique index on identities store",
            "value": "http-client"
        },
        "code": "COULD_NOT_VALIDATE",
        "message": "The supplied request contains an invalid document or no valid accept content were available, see cause",
        "requestId": "UQfgZM9EY"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}
ziti@01ee8eb6260d:/persistent$ ziti edge list identities
╭────────────┬────────────────────┬─────────┬──────────────┬─────────────╮
│ ID         │ NAME               │ TYPE    │ ATTRIBUTES   │ AUTH-POLICY │
├────────────┼────────────────────┼─────────┼──────────────┼─────────────┤
│ 1GKMVuS-7W │ http-server        │ Default │              │ Default     │
│ 8h03TuL-7W │ ziti-edge-router-2 │ Router  │              │ Default     │
│ HpbWmuL3aW │ http-client        │ Default │ http-clients │ Default     │
│ kMoLfHS37W │ ziti-edge-router-1 │ Router  │              │ Default     │
│ n5DTYKpVR  │ Default Admin      │ Default │              │ Default     │
╰────────────┴────────────────────┴─────────┴──────────────┴─────────────╯
results: 1-5 of 5
ziti@01ee8eb6260d:/persistent$ ls
db                       ziti-edge-router-1.server.chain.cert
http.client.jwt          ziti-edge-router-1.yaml
http.server.jwt          ziti-edge-router-2.cas
pki                      ziti-edge-router-2.cert
scripts                  ziti-edge-router-2.jwt
ziti-controller.yaml     ziti-edge-router-2.key
ziti-edge-router-1.cas   ziti-edge-router-2.log
ziti-edge-router-1.cert  ziti-edge-router-2.server.chain.cert
ziti-edge-router-1.jwt   ziti-edge-router-2.yaml
ziti-edge-router-1.key   ziti.env
ziti-edge-router-1.log
ziti@01ee8eb6260d:/persistent$ ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
error: error creating configs instance in Ziti Edge Controller at https://ziti-edge-controller:1280/edge/management/v1. Status code: 400 Bad Request, Server returned: {
    "error": {
        "cause": {
            "field": "name",
            "reason": "name is must be unique",
            "value": "http.intercept.v1"
        },
        "code": "COULD_NOT_VALIDATE",
        "message": "The supplied request contains an invalid document or no valid accept content were available, see cause",
        "requestId": "Tydfu5IEY"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}
ziti@01ee8eb6260d:/persistent$ ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"'"${http_server}"'", "port":80}'
error: error creating configs instance in Ziti Edge Controller at https://ziti-edge-controller:1280/edge/management/v1. Status code: 400 Bad Request, Server returned: {
    "error": {
        "cause": {
            "field": "address",
            "reason": "address is invalid: address: Must not validate the schema (not)",
            "value": ""
        },
        "code": "COULD_NOT_VALIDATE",
        "message": "The supplied request contains an invalid document or no valid accept content were available, see cause",
        "requestId": "wl5-k59Eg"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}
ziti@01ee8eb6260d:/persistent$ ziti edge create service http.svc --configs http.intercept.v1,http.host.v1
Found 0 configs with id or name matching http.host.v1
error: no configs with id or name matching http.host.v1
ziti@01ee8eb6260d:/persistent$ 
  1. I remove all containers, volumes and networks created but some stuff persists as shown by the errors above. How do I start with a clean slate each time?
    (If this is out of scope and a Docker problem please say so and I'll research)

I have 2 edge routers, a controller and 2 tunnelers running as well as the http server:

CONTAINER ID   IMAGE                       COMMAND                   CREATED          STATUS                    PORTS                                       NAMES
842ed5d09049   openziti/ziti-edge-tunnel   "/docker-entrypoint.…"    18 minutes ago   Up 18 minutes                                                         ziti-tun-server
094c7f1bb137   openziti/ziti-edge-tunnel   "/docker-entrypoint.…"    20 minutes ago   Up 20 minutes                                                         ziti-tun
bca0a6e0a15f   openziti/hello-world        "/bin/sh -c 'echo \"h…"   24 minutes ago   Up 24 minutes (healthy)   0.0.0.0:80->8000/tcp, :::80->8000/tcp       web-test
3416e1777c7d   openziti/quickstart         "/var/openziti/scrip…"    37 minutes ago   Up 37 minutes             0.0.0.0:4022->4022/tcp, :::4022->4022/tcp   ziti-edge-router-2
d783e2229a96   openziti/quickstart         "/var/openziti/scrip…"    37 minutes ago   Up 37 minutes             0.0.0.0:3022->3022/tcp, :::3022->3022/tcp   ziti-edge-router-1
01ee8eb6260d   openziti/quickstart         "/var/openziti/scrip…"    42 minutes ago   Up 42 minutes             0.0.0.0:1280->1280/tcp, :::1280->1280/tcp   ziti-controller

but the way I started the tunneler is most likely wrong as the arguments seem to be generic in the documentation and the only change I made was for the name of the jwt after copying those out of the controller container.

The server tunneler I start like

(base) nyck33@nyck33-tt:/media/nyck33/1TB-backup/ziti/quickstart/Docker/server$ docker run     --name ziti-tun-server     --network host     --privileged     --volume ${PWD}:/ziti-edge-tunnel/     --volume "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket"     --device "/dev/net/tun:/dev/net/tun"     --env ZITI_IDENTITY_BASENAME=http.server     openziti/ziti-edge-tunnel

My web server

bca0a6e0a15f   openziti/hello-world   "/bin/sh -c 'echo \"h…"   37 minutes ago   Up 37 minutes (healthy)   0.0.0.0:80->8000/tcp, :::80->8000/tcp       web-test

but I don't see that container ID or any identifying entity being used in any of the Docker commands on this page: Containers | OpenZiti

Thus, I am unsure how to get the tunnelers to terminate/intercept except I see these commands in step 7

ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'

#4. Create a host.v1 config. This config is used to instruct the server-side tunneler how to offload the traffic from the overlay, back to the underlay.
ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"'"${http_server}"'", "port":80}'

so the first command is intercepting traffic from http.ziti to feed the client and also to take traffic from my client running on port 80 to http.ziti?

The second command is for the tunnel near the server taking traffic on port 80? Wait, but the traffic from the client is coming through the tunnel on the overlay isn't it? I'm a bit lost here.

I also looked on Youtube for a video for "Local Docker" (not docker-compose) but couldn't find one.

Can I get some help?

I think I am starting to get it now a bit more:

From AI:

The errors you're seeing indicate that certain entities (like the http-client identity and the http.intercept.v1 config) already exist in the Ziti controller. This is why you're getting errors like "duplicate value" and "name must be unique".

To start fresh, you'd typically need to reset the Ziti controller's state. However, simply pruning Docker containers, networks, and volumes won't achieve this if the Ziti controller's state is persisted in a volume.

Here's how you can reset the Ziti controller's state:

  1. Stop and Remove the Ziti Controller Container:

    docker stop ziti-controller
    docker rm ziti-controller
    
  2. Remove the Persistent Volume:
    The Ziti controller's state is likely stored in a Docker volume to persist across container restarts. You'll need to delete this volume to reset the controller's state.

    docker volume rm myPersistentZitiFiles
    
  3. Recreate the Ziti Controller Container:
    You can then recreate the Ziti controller container. This will start with a fresh state since the persistent volume was deleted.

  4. Re-run the Initialization Script:
    If you used a script or set of commands to initially set up the Ziti controller, you'll need to run those again to reinitialize the controller.

  5. Proceed with Your Setup:
    Once the Ziti controller has been reset and reinitialized, you can proceed with setting up your identities, configs, services, etc., without encountering the "duplicate value" errors.

Remember, this process will erase all existing data in the Ziti controller, so make sure you don't have any important data or configurations that you want to keep before proceeding.

and also from AI:

  1. Ziti Edge Tunnel Setup:

    • You have set up a Ziti edge tunnel for both the HTTP client and the HTTP server.
    • The client-side tunnel is configured to intercept traffic destined for http.ziti and route it over the Ziti overlay network.
    • The server-side tunnel is configured to offload traffic from the Ziti overlay network and send it to the actual HTTP server.
  2. HTTP Client Request:

    • When you run curl http.ziti from a terminal on the client machine, the request is intercepted by the client-side Ziti edge tunnel because of the http.intercept.v1 config you created.
    • This request is then securely routed over the Ziti overlay network to the appropriate edge router and then to the server-side tunnel.
  3. HTTP Server Response:

    • The server-side tunnel offloads the request from the Ziti overlay and sends it to the actual HTTP server running in the Docker container.
    • The HTTP server processes the request and sends a response back. This response travels back through the server-side tunnel, over the Ziti overlay network, and finally through the client-side tunnel to your terminal where you ran the curl command.
  4. Secure Communication:

    • The entire communication between the client and server is secured by Ziti. Even if the client and server are on different networks or across the internet, the traffic between them is encrypted and secure.
  5. Domain Resolution for http.ziti:

    • The domain http.ziti doesn't need to be resolvable by traditional DNS. The Ziti edge tunnel on the client side is specifically configured to intercept traffic to this domain. So, even though http.ziti isn't a real domain, the Ziti tunnel knows how to handle traffic destined for it.

In summary, yes, running curl http.ziti from a terminal on the client machine should work as you described, provided all the Ziti components (edge tunnels, edge routers, controller, etc.) are correctly configured and running. The request will be securely routed over the Ziti overlay network to the HTTP server running in the Docker container.

I may have confused myself by trying to "simplify" things by running everything locally rather than on separate VM's or machines.

Also since the container is called web-test for the server, ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"web-test", "port":80}'

@nyck33 Hi, so that I can better understand your goal here. Are you trying to set up an example network (using docker no compose) where you have a controller, an HTTP server, and tunnelers for hosting and dialing?

@gberl002 yes, that's correct, just with one edge router.

My server tunnel errors when I try curl http.ziti

(14)[       45.405]   ERROR tunnel-cbs:ziti_hosting.c:430 on_hosted_client_connect() hosted_service[http.svc], client[http-client]: getaddrinfo(web-test,80) failed: Unknown error
(14)[       45.410]   ERROR tunnel-cbs:ziti_hosting.c:430 on_hosted_client_connect() hosted_service[http.svc], client[http-client]: getaddrinfo(web-test,80) failed: Unknown error

and my client tunnel errors:

(14)[       23.381]   ERROR ziti-sdk:connect.c:921 connect_reply_cb() conn[0.0/Connecting] failed to connect, reason=exceeded maximum [2] retries creating circuit [c/efaUp1h2y]: error creating route for [s/efaUp1h2y] on [r/I9-e.EmbC-] (error creating route for [c/efaUp1h2y]: failed to establish connection with terminator address 1vN5SH5cLkgsI7MTfcsmmb. error: (rejected by application))
(14)[       23.381]   ERROR tunnel-cbs:ziti_tunnel_cbs.c:103 on_ziti_connect() ziti dial failed: connection is closed

Inside my controller container:

(base) nyck33@nyck33-tt:/media/nyck33/1TB-backup/ziti/quickstart/Docker$ docker exec -it 2769136b0c9a /bin/bash
NOT OVERRIDING: env var ZITI_BIN_DIR already set. using existing value
NOT OVERRIDING: env var ZITI_BIN_ROOT already set. using existing value
NOT OVERRIDING: env var ZITI_CTRL_ADVERTISED_ADDRESS already set. using existing value
NOT OVERRIDING: env var ZITI_ENV_FILE already set. using existing value
NOT OVERRIDING: env var ZITI_HOME already set. using existing value
NOT OVERRIDING: env var ZITI_NETWORK already set. using existing value
NOT OVERRIDING: env var ZITI_SCRIPTS already set. using existing value
NOT OVERRIDING: env var ZITI_SHARED already set. using existing value
 
adding /var/openziti/ziti-bin to the path
ziti@2769136b0c9a:/persistent$ zitiLogin
Untrusted certificate authority retrieved from server
Verified that server supplied certificates are trusted by server
Server supplied 4 certificates
Server certificate chain written to /home/ziti/.config/ziti/certs/ziti-edge-controller
Token: 38b4f08a-91ec-4a69-9d58-4865bf0720d8
Saving identity 'default' to /home/ziti/.config/ziti/ziti-cli.json
ziti@2769136b0c9a:/persistent$ ziti edge list edge-routers
╭────────────┬────────────────────┬────────┬───────────────┬──────┬────────────╮
│ ID         │ NAME               │ ONLINE │ ALLOW TRANSIT │ COST │ ATTRIBUTES │
├────────────┼────────────────────┼────────┼───────────────┼──────┼────────────┤
│ I9-e.EmbC- │ ziti-edge-router-1 │ true   │ true          │    0 │ public     │
╰────────────┴────────────────────┴────────┴───────────────┴──────┴────────────╯
results: 1-1 of 1
ziti@2769136b0c9a:/persistent$ ziti edge create identity user http-client -a 'http-clients' -o http.client.jwt 
Command "user" is deprecated, this command is deprecated, specifying identity type is no longer required
New identity http-client created with id: c3xF.5nbk-
Enrollment expires at 2023-11-02T18:45:49.687Z
ziti@2769136b0c9a:/persistent$ ziti edge create identity user http-server -o http.server.jwt
Command "user" is deprecated, this command is deprecated, specifying identity type is no longer required
New identity http-server created with id: bimT.Enbk-
Enrollment expires at 2023-11-02T18:45:58.919Z
ziti@2769136b0c9a:/persistent$ ziti edge create config http.intercept.v1 intercept.v1 '{"protocols":["tcp"],"addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
New config http.intercept.v1 created with id: gdvhr45EejJJve73gRrjB
ziti@2769136b0c9a:/persistent$ ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"'"${http_server}"'", "port":80}'
error: error creating configs instance in Ziti Edge Controller at https://ziti-edge-controller:1280/edge/management/v1. Status code: 400 Bad Request, Server returned: {
    "error": {
        "cause": {
            "field": "address",
            "reason": "address is invalid: address: Must not validate the schema (not)",
            "value": ""
        },
        "code": "COULD_NOT_VALIDATE",
        "message": "The supplied request contains an invalid document or no valid accept content were available, see cause",
        "requestId": "g7yTtEnbk"
    },
    "meta": {
        "apiEnrollmentVersion": "0.0.1",
        "apiVersion": "0.0.1"
    }
}
ziti@2769136b0c9a:/persistent$ ziti edge list configs
╭───────────────────────┬───────────────────┬──────────────╮
│ ID                    │ NAME              │ CONFIG TYPE  │
├───────────────────────┼───────────────────┼──────────────┤
│ gdvhr45EejJJve73gRrjB │ http.intercept.v1 │ intercept.v1 │
╰───────────────────────┴───────────────────┴──────────────╯
results: 1-1 of 1
ziti@2769136b0c9a:/persistent$ ziti edge create config http.host.v1 host.v1 '{"protocol":"tcp", "address":"web-test", "port":80}'
New config http.host.v1 created with id: 7BXp7RVbrFg1N9z6BgGe09
ziti@2769136b0c9a:/persistent$ ziti edge list configs
╭────────────────────────┬───────────────────┬──────────────╮
│ ID                     │ NAME              │ CONFIG TYPE  │
├────────────────────────┼───────────────────┼──────────────┤
│ 7BXp7RVbrFg1N9z6BgGe09 │ http.host.v1      │ host.v1      │
│ gdvhr45EejJJve73gRrjB  │ http.intercept.v1 │ intercept.v1 │
╰────────────────────────┴───────────────────┴──────────────╯
results: 1-2 of 2
ziti@2769136b0c9a:/persistent$ ziti edge create service http.svc --configs http.intercept.v1,http.host.v1
New service http.svc created with id: 73u4Dco2V2Dy3vt4xw0MaY
ziti@2769136b0c9a:/persistent$ ziti edge create service-policy http.policy.bind Bind --service-roles '@http.svc' --identity-roles "@${http_server_id}"
error: no identities found with id or name 
ziti@2769136b0c9a:/persistent$ ziti edge list identities
╭────────────┬────────────────────┬─────────┬──────────────┬─────────────╮
│ ID         │ NAME               │ TYPE    │ ATTRIBUTES   │ AUTH-POLICY │
├────────────┼────────────────────┼─────────┼──────────────┼─────────────┤
│ 7-iCoCBgN  │ Default Admin      │ Default │              │ Default     │
│ I9-e.EmbC- │ ziti-edge-router-1 │ Router  │              │ Default     │
│ bimT.Enbk- │ http-server        │ Default │              │ Default     │
│ c3xF.5nbk- │ http-client        │ Default │ http-clients │ Default     │
╰────────────┴────────────────────┴─────────┴──────────────┴─────────────╯
results: 1-4 of 4
ziti@2769136b0c9a:/persistent$ ziti edge create service-policy http.policy.dial Dial --service-roles "@http.svc" --identity-roles '#http-clients'
New service policy http.policy.dial created with id: 3wSx1nB1YqV3lPW5QeFm2z
ziti@2769136b0c9a:/persistent$ ziti edge create service-policy http.policy.bind Bind --service-roles '@http.svc' --identity-roles "@${http_server_id}"
error: no identities found with id or name 
ziti@2769136b0c9a:/persistent$ ziti edge create service-policy http.policy.bind Bind --service-roles '@http.svc' --identity-roles '@http-server'
New service policy http.policy.bind created with id: 5BvuuCUji88HGtx3xWmJaz
ziti@2769136b0c9a:/persistent$ ziti edge list identities
╭────────────┬────────────────────┬─────────┬──────────────┬─────────────╮
│ ID         │ NAME               │ TYPE    │ ATTRIBUTES   │ AUTH-POLICY │
├────────────┼────────────────────┼─────────┼──────────────┼─────────────┤
│ 7-iCoCBgN  │ Default Admin      │ Default │              │ Default     │
│ I9-e.EmbC- │ ziti-edge-router-1 │ Router  │              │ Default     │
│ bimT.Enbk- │ http-server        │ Default │              │ Default     │
│ c3xF.5nbk- │ http-client        │ Default │ http-clients │ Default     │
╰────────────┴────────────────────┴─────────┴──────────────┴─────────────╯
results: 1-4 of 4
ziti@2769136b0c9a:/persistent$ 

My client tunnel run command:

(base) nyck33@nyck33-tt:/media/nyck33/1TB-backup/ziti/quickstart/Docker/client$ docker run        --name ziti-tun        --network host        --privileged        --volume ${PWD}:/ziti-edge-tunnel/        --volume "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket"        --device "/dev/net/tun:/dev/net/tun"        --env ZITI_IDENTITY_BASENAME=http.client        openziti/ziti-edge-tunnel

My server tunnel run command:

(base) nyck33@nyck33-tt:/media/nyck33/1TB-backup/ziti/quickstart/Docker/server$ docker run        --name ziti-tun-server        --network host        --privileged        --volume ${PWD}:/ziti-edge-tunnel/        --volume "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket"        --device "/dev/net/tun:/dev/net/tun"        --env ZITI_IDENTITY_BASENAME=http.server        openziti/ziti-edge-tunnel

What containers were running:

(base) nyck33@nyck33-tt:/media/nyck33/1TB-backup/ziti/quickstart/Docker/server$ docker ps
CONTAINER ID   IMAGE                       COMMAND                   CREATED          STATUS                   PORTS                                       NAMES
48049d364d1e   openziti/ziti-edge-tunnel   "/docker-entrypoint.…"    18 seconds ago   Up 18 seconds                                                        ziti-tun
11590cf3806b   openziti/ziti-edge-tunnel   "/docker-entrypoint.…"    40 seconds ago   Up 40 seconds                                                        ziti-tun-server
e8ab2c51932c   openziti/hello-world        "/bin/sh -c 'echo \"h…"   3 minutes ago    Up 3 minutes (healthy)   0.0.0.0:80->8000/tcp, :::80->8000/tcp       web-test
96383c8863c4   openziti/quickstart         "/var/openziti/scrip…"    20 minutes ago   Up 19 minutes            0.0.0.0:3022->3022/tcp, :::3022->3022/tcp   ziti-edge-router-1
2769136b0c9a   openziti/quickstart         "/var/openziti/scrip…"    22 minutes ago   Up 22 minutes            0.0.0.0:1280->1280/tcp, :::1280->1280/tcp   ziti-controller

Okay, that sounds good. I'm going to write up something more detailed but in the meantime, to give you an idea, the process would look something like this.

  1. Set up an overlay network (it looks like you've got this part down)
  2. Create an identity for the dialer (client)
  3. Create an identity for the binder (host)
  4. Enroll dialer identity
  5. Enroll binder identity
  6. Create host config
  7. Create intercept config
  8. Create a service
  9. Create a Dial service policy allowing the dialer to access the service
  10. Create a Bind service policy allowing the binder to access the service
  11. Start up the tunneler that will host
  12. Start up the tunneler that will dial

Okay, here is the process I followed to set up an environment matching what I understand you would like. I did slightly change some of the names so obviously adjust those as needed.

  1. Create identities

    ziti edge create identity http.client -a 'http-clients' -o http.client.jwt
    ziti edge create identity http.server -a 'http-servers' -o http.server.jwt
    
  2. Enroll identities

    ziti edge enroll http.client.jwt
    ziti edge enroll http.server.jwt
    
  3. Create configs

    ziti edge create config http.bind host.v1 '{"protocol":"tcp", "address":"web-test-blue", "port":8000}'
    ziti edge create config http.dial intercept.v1 '{"protocols":["tcp"], "addresses":["http.ziti"], "portRanges":[{"low":80, "high":80}]}'
    
  4. Create service

    ziti edge create service http.svc --configs "http.dial,http.bind"
    
  5. Create the service policies

    ziti edge create service-policy http.dial Dial --service-roles "@http.svc" --identity-roles "#http-clients"
    ziti edge create service-policy http.bind Bind --service-roles "@http.svc" --identity-roles "#http-servers"
    
  6. Copy the files out of the docker container

    docker cp ziti-controller:/persistent/http.server.json /Users/geoffberl/identities
    docker cp ziti-controller:/persistent/http.client.json /Users/geoffberl/identities
    
  7. Start up server tunnel

    docker run \
      --name ziti-host \
      --rm \
      --network=myFirstZitiNetwork \
      --env ZITI_IDENTITY_BASENAME="http.server" \
      --volume /Users/geoffberl/identities:/ziti-edge-tunnel \
      openziti/ziti-host
    

Now, here's where it is slightly different. I can't use a docker ziti-edge-tunnel as a docker container due to limitations since I'm running on Mac. It looks like you're running on Linux so I think you should be able to take it from here.

I used the Ziti Desktop Edge for Mac and was able to successfully dial the http.ziti service.

EDIT: I should mention, the instructions for using ziti tunnel as an intercepting proxy can be found here. Out of curiosity, is there a reason you prefer the intercepting proxy in a container over using the Linux package?

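The two failures earlier in this thread have shell-level causes rather than Ziti ones: `${http_server}` and `${http_server_id}` were never set, so they expanded to an empty string (hence "address": "" and "no identities found with id or name "), and the second run hit a controller whose /persistent volume still held the first run's entities (hence "duplicate value" and "must be unique"). The script below is an added example, not code from this thread or from the OpenZiti project: it runs steps 1 through 5 of the post above as a re-runnable script, aborting on unset variables and skipping any entity that already exists instead of failing on it. It assumes it is run inside the controller container after zitiLogin, that `ziti edge list <type> <filter> -j` is available for the existence check, and that the HTTP server is reachable from the hosting tunneler as web-test-blue on port 8000 (HOST_ADDR and HOST_PORT are assumptions; change them to match your container's network alias and internal port).

```shell
#!/bin/sh
# Added example (not code from this thread or the OpenZiti project): the
# identity/config/service/policy steps from the post above, wrapped so the
# script can be re-run against a controller whose /persistent volume still
# holds earlier entities. Two guards address the failures seen in the thread:
#   - "set -u" aborts on an unset variable instead of expanding it to "",
#     which is what produced "address": "" and "no identities found with
#     id or name " when ${http_server} / ${http_server_id} were never set.
#   - each create is skipped when an entity of that name already exists,
#     so a second run does not fail with "duplicate value" / "must be unique".
# Names below match the thread; the HOST_* values are assumptions and must
# match the HTTP server container's --network-alias and its internal port.
set -eu

CLIENT_ID="${CLIENT_ID:-http.client}"
SERVER_ID="${SERVER_ID:-http.server}"
SERVICE="${SERVICE:-http.svc}"
INTERCEPT_HOST="${INTERCEPT_HOST:-http.ziti}"
HOST_ADDR="${HOST_ADDR:-web-test-blue}"  # must resolve from the hosting tunneler
HOST_PORT="${HOST_PORT:-8000}"           # port inside the container, not the published 80

# host.v1 config body; refuse an empty address, which the controller rejects
# with "address: Must not validate the schema (not)".
host_v1_json() {
  addr="$1"; port="$2"
  [ -n "$addr" ] || { echo "host.v1 address must not be empty" >&2; return 1; }
  printf '{"protocol":"tcp", "address":"%s", "port":%d}' "$addr" "$port"
}

# intercept.v1 config body for a single TCP port.
intercept_v1_json() {
  printf '{"protocols":["tcp"], "addresses":["%s"], "portRanges":[{"low":%d, "high":%d}]}' "$1" "$2" "$2"
}

# True when the controller already has an entity of this name.
# <list_type> is the plural used by "ziti edge list" (identities, configs, ...).
exists() {
  ziti edge list "$1" "name=\"$2\"" -j 2>/dev/null | grep -q "\"name\": *\"$2\""
}

# ensure <list_type> <name> <create args...>: create unless it already exists.
ensure() {
  list_type="$1"; name="$2"; shift 2
  if exists "$list_type" "$name"; then
    echo "skip: $list_type $name already exists"
    return 0
  fi
  ziti edge create "$@"
}

wire_service() {
  bind_json=$(host_v1_json "$HOST_ADDR" "$HOST_PORT")   # aborts the run if empty
  dial_json=$(intercept_v1_json "$INTERCEPT_HOST" 80)
  ensure identities "$CLIENT_ID" identity "$CLIENT_ID" -a http-clients -o "$CLIENT_ID.jwt"
  ensure identities "$SERVER_ID" identity "$SERVER_ID" -a http-servers -o "$SERVER_ID.jwt"
  ensure configs http.bind config http.bind host.v1 "$bind_json"
  ensure configs http.dial config http.dial intercept.v1 "$dial_json"
  ensure services "$SERVICE" service "$SERVICE" --configs http.dial,http.bind
  ensure service-policies http.dial service-policy http.dial Dial \
    --service-roles "@$SERVICE" --identity-roles '#http-clients'
  ensure service-policies http.bind service-policy http.bind Bind \
    --service-roles "@$SERVICE" --identity-roles '#http-servers'
}

# Only touch the controller when invoked as "sh wire-http.sh apply" after zitiLogin.
if [ "${1:-}" = "apply" ]; then
  wire_service
fi
```

Run it as `sh wire-http.sh apply` inside the controller container after zitiLogin; the JWTs land in the current directory for `ziti edge enroll` (step 2 above). The existence check only prevents duplicate-name errors; it does not reconcile a changed address or port, so a config that already exists with the wrong body still has to be deleted or updated by hand. The address in the host.v1 config is resolved by the hosting tunneler, not by the controller, which is why `getaddrinfo(web-test,80) failed` appears in the ziti-host log when the HTTP server is not on the same Docker network under that alias.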

Hi @gberl002 , I used the container because the Linux tunneler was just having 23.10 Mantic added. Also when I deploy to a cloud service somewhere, since I was planning to have my web app, Postgres, Morpheus, Triton inference server containerized, I wanted to practice using all containers but that is most likely poor logic. Can you provide a brief explanation on the pros and cons of using the Linux tunneler vs. container tunneler?

@gberl002

This tip was very useful for me:

docker cp ziti-controller:/persistent/http.server.json /Users/geoffberl/identities
docker cp ziti-controller:/persistent/http.client.json /Users/geoffberl/identities

then both tunnelers are run with an argument that says look in this folder for identities, although the server tunnel only needs the server identity json.

But I still cannot connect. I noticed you used web-test-blue here:

ziti edge create config http.bind host.v1 '{"protocol":"tcp", "address":"web-test-blue", "port":8000}'

so I ran the test server like

docker run -d --rm --name web-test-blue -p 80:8000 openziti/hello-world

and here is probably where I went wrong. I tried to come up with a command to run the client tunneler container (intercepting proxy):

docker run   --name ziti-tun   --rm   --privileged   --network=myFirstZitiNetwork   --env ZITI_IDENTITY_BASENAME="http.client"   --volume /media/nyck33/1TB-backup/ziti/quickstart/Docker/identities:/ziti-edge-tunnel   --volume "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket"   --device "/dev/net/tun:/dev/net/tun"   openziti/ziti-edge-tunnel

so that gives the container privileged access to the host allowing it to pick up requests from the client and deliver responses to the client.

I have these containers:

CONTAINER ID   IMAGE                  COMMAND                   CREATED          STATUS                    PORTS                                       NAMES
8e0f6a90bd43   openziti/hello-world   "/bin/sh -c 'echo \"h…"   11 minutes ago   Up 11 minutes (healthy)   0.0.0.0:80->8000/tcp, :::80->8000/tcp       web-test-blue
dbb4468574c9   openziti/ziti-host     "/docker-entrypoint.…"    12 minutes ago   Up 12 minutes                                                         ziti-host
7edefd60c878   openziti/quickstart    "/var/openziti/scrip…"    2 hours ago      Up 2 hours                0.0.0.0:3022->3022/tcp, :::3022->3022/tcp   ziti-edge-router-1
5040ffdac6d5   openziti/quickstart    "/var/openziti/scrip…"    2 hours ago      Up 2 hours                0.0.0.0:1280->1280/tcp, :::1280->1280/tcp   ziti-controller

I can just curl 0.0.0.0:80 and get the response so I did not wire up something correctly.

The image I have in my head is:

curl http.ziti from client (a terminal) -> gets picked up by client tunneler container (intercepting proxy) -> on the overlay which in this case is the Docker network -> the edge router routes it to the ziti-host container running the server-side tunneler -> the ziti-host container receives the request and forwards it to the hello server -> hello server responds -> server side ziti-host tunneler receives the response from the server and puts it on the overlay -> edge router routes it back to the intercepting proxy tunneler -> my terminal (the http client) receives the response.

which I am basing on this diagram:

But the http server is a bit of a black box, so given --env ZITI_IDENTITY_BASENAME="http.server" I cannot tell whether it is referring to the hello-server I ran with the command above.

I also tried using the Linux no-Docker tunneler by running:

curl -sSLf https://get.openziti.io/tun/scripts/install-ubuntu.bash | bash
sudo systemctl enable --now ziti-edge-tunnel.service
sudo ziti-edge-tunnel run --identity-dir /media/nyck33/1TB-backup/ziti/quickstart/Docker/identities

but it didn't work for me.

So I looked here: Linux Tunneller | OpenZiti
and see that there is a different command

sudo ziti-edge-tunnel add --jwt "$(< ./in-file.jwt)" --identity myIdentityName

which makes me wonder if I should copy the jwt out of the controller container and use that rather than the json. But those identities were enrolled in the controller container so the jwt's are no longer available.

In conclusion, my best guess is that the hello-server I am running does not have an identity that is tied to the running service, and neither does the client, i.e. just a terminal I open on the host.

I used web-test-blue there but in order to do that I had to give a network alias. Here is the command I used for starting up the HTTP server.

docker run  --network myFirstZitiNetwork  --network-alias web-test-blue  -p 80:8000  -it  --rm  crccheck/hello-world

Regarding the Linux tunneler, if you're using that then yes, you'd need the JWT which just means that you don't need to enroll that identity through the controller manually. Enrollment will happen through the tunneler and the json will be stored in the default location /opt/openziti/etc/identities.

One thing to note, if you're not using the provided Linux system service be sure to stop that service before running the tunneller manually as it will cause conflicts. If you run it manually, you should run it as user "ziti", for example:
sudo -u ziti ziti-edge-tunnel run ....


@gberl002 Thank you very much for the clarifications.