Hi @himeose. I don’t have a video yet but I wanted to follow up. I think this is what you’re doing, and I did it in my own lab:
To accomplish this, here’s exactly what I did:
Prerequisites:

- Provisioned two VMs in a single AWS VPC
- Ran the quickstart on one VM and verified it works as expected
- Ran the docker container `crccheck/hello-world` and exposed it on port 80 (this is the web server that shows the docker whale):

  ```bash
  docker run --rm --name web-test -p 80:8000 crccheck/hello-world
  ```
Enable "private.web" access

1. Obtain a docker env file and the simplified compose file in whatever folder you like:

   ```bash
   curl -sO https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/.env
   curl -s https://raw.githubusercontent.com/openziti/ziti/release-next/quickstart/docker/simplified-docker-compose.yml > docker-compose.yml
   ```
2. Update the `.env` file to look similar to this. Hopefully obvious: replace the advertised address with your externally accessible address, like `ec2-3-134-108-218.us-east-2.compute.amazonaws.com` for example.

   ```bash
   # OpenZiti Variables
   ZITI_IMAGE=openziti/quickstart
   ZITI_VERSION=latest

   # The duration of the enrollment period (in minutes), default if not set
   # shown - 7days
   ZITI_EDGE_IDENTITY_ENROLLMENT_DURATION=10080
   ZITI_EDGE_ROUTER_ENROLLMENT_DURATION=10080

   # controller address/port information
   ZITI_CONTROLLER_RAWNAME=ziti-controller
   ZITI_CONTROLLER_HOSTNAME=ec2-3-134-108-218.us-east-2.compute.amazonaws.com
   ZITI_CTRL_PORT=8440
   ZITI_EDGE_CONTROLLER_RAWNAME=ziti-edge-controller
   ZITI_EDGE_CONTROLLER_HOSTNAME=ec2-3-134-108-218.us-east-2.compute.amazonaws.com
   ZITI_EDGE_CONTROLLER_PORT=8441
   #ZITI_EDGE_CONTROLLER_IP_OVERRIDE=172.17.0.1

   # router address/port information
   ZITI_EDGE_ROUTER_RAWNAME=ec2-3-134-108-218.us-east-2.compute.amazonaws.com
   ZITI_EDGE_ROUTER_PORT=8442
   #ZITI_EDGE_ROUTER_IP_OVERRIDE=172.17.0.1
   ```
3. Start docker. IMPORTANT: notice I used `-p openziti` to start docker. That produces a predictable name used in step 5 below. Make sure you either understand what the `-p` flag is doing here, or just run it exactly as shown!

   ```bash
   # this removes EVERYTHING:
   docker-compose -p openziti down -v
   # start docker here
   docker-compose -p openziti up
   ```
4. Optional: if needed, get the latest ziti binaries and have them added to the path for you:

   ```bash
   source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/quick/ziti-cli-functions.sh)"; getZiti "yes"
   ```
5. Set up a file to source to make it easy to log in to the environment. This pulls information from the container and makes a `docker.env` file that you can source and use to `ziti login`:

   ```bash
   # pull the advertised controller address and the admin credentials out of the running controller container
   docker exec openziti_ziti-controller_1 grep 'export ZITI_EDGE_CTRL_ADVERTISED' /persistent/ziti.env > docker.env
   docker exec openziti_ziti-controller_1 grep 'export ZITI_USER' /persistent/ziti.env >> docker.env
   docker exec openziti_ziti-controller_1 grep 'export ZITI_PWD' /persistent/ziti.env >> docker.env
   source docker.env
   ziti edge login $ZITI_EDGE_CTRL_ADVERTISED -u $ZITI_USER -p $ZITI_PWD -y
   ```
6. Configure the OpenZiti overlay for the private web service and identity (notice I used MY ip=172.31.50.50 of my private web server):

   ```bash
   service="private.web"
   private_web_server_ip=172.31.50.50

   # intercept.v1: what the dialing identity intercepts (the service name, tcp/80)
   ziti edge create config "${service}.intercept.v1" intercept.v1 '{"protocols":["tcp"],"addresses":["'${service}'"], "portRanges":[{"low":80, "high":80}]}'
   # host.v1: where the binding router forwards the traffic (the private web server)
   ziti edge create config "${service}.host.v1" host.v1 '{"protocol":"tcp", "address":"'${private_web_server_ip}'","port":80}'
   ziti edge create service "${service}" --configs "${service}.intercept.v1","${service}.host.v1"
   ziti edge create service-policy "${service}.bind" Bind --service-roles "@${service}" --identity-roles "#${service}.binders"
   ziti edge create service-policy "${service}.dial" Dial --service-roles "@${service}" --identity-roles "#${service}.dialers"
   ## authorize dialers...
   ziti edge create identity user awsdockerclint -a "${service}.dialers" -o awsdockerclint.jwt
   ```
7. Authorize the router identity to bind the service. Notice I used the name of MY edge router here (`ec2-3-134-108-218.us-east-2.compute.amazonaws.com`); you have to replace it with yours:

   ```bash
   ziti edge update identity ec2-3-134-108-218.us-east-2.compute.amazonaws.com -a "${service}.binders"
   ```
I’ll make a video demo’ing all this in a bit
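As an added example (not code from the post above or from the OpenZiti project), the following Python script builds the `intercept.v1` and `host.v1` config payloads and the `ziti edge` command lines from steps 6 and 7 for any service name, port range and target address, with proper shell quoting so the JSON survives the shell (the post's `'...'${service}'...'` quoting works but is easy to break when editing). It also refuses a public IP for the `host.v1` address; that check is this script's own sanity check for the "private web server" scenario in the post, not an OpenZiti rule. The config type names, JSON shapes and the `@`/`#` role prefixes are taken as used in the post; the identity names in the usage call at the bottom are the post's.

```python
"""Build OpenZiti intercept.v1 / host.v1 configs and the matching
`ziti edge create ...` commands for a private service reached over the overlay.

Added example, not part of the original post or of the OpenZiti quickstart.
Assumed: config type names, JSON shapes and role prefixes ('@' = service name,
'#' = role attribute) as used in the post; the private-address check is a
local sanity check for the "private web server" scenario, not a ziti rule.
"""
import ipaddress
import json
import shlex

VALID_PROTOCOLS = {"tcp", "udp"}


def _check_ports(ports):
    """Reject empty or out-of-range port ranges before they reach the controller."""
    for low, high in ports:
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"bad port range {low}-{high}")


def is_private_host(address):
    """True for RFC1918/loopback IPs and for DNS names (names are resolved by the
    binding router on the private side and are not checked here)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True  # hostname, e.g. an internal DNS name
    return ip.is_private or ip.is_loopback


def intercept_config(service, ports, protocols=("tcp",)):
    """intercept.v1 JSON: what the dialing identity intercepts.
    The intercept address is the service name itself, as in the post."""
    bad = set(protocols) - VALID_PROTOCOLS
    if bad:
        raise ValueError(f"unknown protocols {sorted(bad)}")
    _check_ports(ports)
    payload = {
        "protocols": list(protocols),
        "addresses": [service],
        "portRanges": [{"low": lo, "high": hi} for lo, hi in ports],
    }
    return json.dumps(payload, separators=(",", ":"))


def host_config(address, port, protocol="tcp"):
    """host.v1 JSON: where the binding router forwards the traffic.
    Refuses a public IP: the target is supposed to be reachable only via the overlay."""
    if protocol not in VALID_PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol}")
    if not is_private_host(address):
        raise ValueError(f"{address} is not a private address")
    _check_ports([(port, port)])
    payload = {"protocol": protocol, "address": address, "port": port}
    return json.dumps(payload, separators=(",", ":"))


def ziti_commands(service, private_ip, port, dialer_identity, router_identity):
    """The `ziti edge` command lines from steps 6 and 7, shell-quoted."""
    icfg = f"{service}.intercept.v1"
    hcfg = f"{service}.host.v1"
    q = shlex.quote
    return [
        f"ziti edge create config {q(icfg)} intercept.v1 "
        f"{q(intercept_config(service, [(port, port)]))}",
        f"ziti edge create config {q(hcfg)} host.v1 {q(host_config(private_ip, port))}",
        f"ziti edge create service {q(service)} --configs {q(icfg + ',' + hcfg)}",
        f"ziti edge create service-policy {q(service + '.bind')} Bind "
        f"--service-roles {q('@' + service)} --identity-roles {q('#' + service + '.binders')}",
        f"ziti edge create service-policy {q(service + '.dial')} Dial "
        f"--service-roles {q('@' + service)} --identity-roles {q('#' + service + '.dialers')}",
        f"ziti edge create identity user {q(dialer_identity)} "
        f"-a {q(service + '.dialers')} -o {q(dialer_identity + '.jwt')}",
        # the router identity (hostname from .env) gets the binder role
        f"ziti edge update identity {q(router_identity)} -a {q(service + '.binders')}",
    ]


if __name__ == "__main__":
    # values from the post; replace the router identity with your own edge router's name
    for line in ziti_commands("private.web", "172.31.50.50", 80, "awsdockerclint",
                              "ec2-3-134-108-218.us-east-2.compute.amazonaws.com"):
        print(line)
```

Pipe the printed lines into a shell that has already sourced `docker.env` and run `ziti edge login`; the `#...` role strings come out single-quoted so the shell does not treat them as comments.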