Where to learn underlying principles and concepts?

I have a BCS and MSCS but want to refresh and upgrade my knowledge of the networking concepts and principles behind OpenZiti. Can anyone recommend some resources on Coursera or elsewhere?

Hi @nyck33, welcome to the community and to OpenZiti!

Sorry nobody has gotten back to you yet! Sometimes it's hard with all the things going on! We don't have a coursera or anything of that nature.

Here's a rundown of the things that I think would be useful to know and understand, relevant to OpenZiti:

  • layer 3/4 of the OSI Model - OSI model - Wikipedia
  • the "what is" and "why" network segmentation
  • what a VPN is and how it works
  • public key infrastructure - Public key infrastructure - Wikipedia
  • what is zero trust and why are the ideas in zero trust gaining popularity
  • what is an OpenZiti controller and what its role is
  • what is an OpenZiti router and what its role is
  • what is an OpenZiti tunneling app, and what purpose does it serve
  • OpenZiti configurations (host.v1/intercept.v1) for use with tunneling apps
  • OpenZiti service policies (bind and dial)
  • What is application embedded zero trust and why it's a game changer

I think that's a lot of material to get through and if you get through all that, you should have a pretty good understanding of what OpenZiti is, what it does, and why. Hope that helps. Happy to hear from others in the community too if there are other thoughts.

2 Likes

I am still working through that list while watching Youtube videos. Having gone through the first Echo demo service example, I tried to divide up the instructions in that tutorial (that runs in Bash) into a client side and server side:

server side (Node app that usually runs with npm start on localhost:3000, in which I tried to integrate the SDK but was told here: CJS server side example code? · Issue #71 · openziti/ziti-sdk-nodejs · GitHub that it's in development)

################################################start
loadziti
startController
#at least one Edge Router
startRouter 

ziti edge login --ignore-config

######
ziti edge create service js
ziti edge list services 'name="js"'

#######
ziti edge create terminator js nyck33-ubuntu2304-edge-router tcp:localhost:37935
ziti edge list terminators 'service.name="js"'

###
ziti edge policy-advisor identities -q founder-laptop js

###
ziti edge create service-edge-router-policy js --edge-router-roles '#all' --service-roles '@js'

### sdk embedded 
# delete terminator used for non-embedded sdk
ziti edge delete terminators where 'service.name="js"'

ziti edge create identity service js-server -o js-server.jwt --role-attributes js-server
ziti edge enroll -j js-server.jwt -o js-server.json

# run server, fails here
ziti demo ziti-js-server --identity js-server.json

#########
ziti edge policy-advisor identities -q js-server js

ziti edge create service-policy js-servers Bind --service-roles '@js' --identity-roles '#js-server'
ziti edge list service-policies 'name contains "js"'

ziti edge policy-advisor identities -q js-server js

###########
ziti edge create edge-router-policy js-servers --edge-router-roles '@nyck33-ubuntu2304-edge-router' --identity-roles '#js-server'
ziti edge policy-advisor identities -q js-server js

# start the server and try the client, check for terminators first
# there is a dynamic terminator when server bound service
ziti edge list terminators 'service.name="js"'

# run server, what is each parameter/entity in this command?
ziti demo ziti-js-server --identity js-server.json

client side (in another bash session at the root of a project that has my client, one of the Python SDK examples like urllib or requests)

# ziti demo ziti-js-client --identity founder-laptop.json trees are tall


################################################start
loadziti
startController
#at least one Edge Router
startRouter 

ziti edge login --ignore-config

##########
ziti edge create identity user founder-laptop -o founder-laptop.jwt --role-attributes management

ziti edge list identities 'name="founder-laptop"'

ziti edge enroll -j founder-laptop.jwt -o founder-laptop.json

#######
# dial policy, bind policy for sdk embedded app hosting in addition to dial policy
ziti edge create service-policy js-clients Dial --service-roles '@js' --identity-roles '#management'

ziti edge list service-policies 'name="js-clients"'

ziti edge policy-advisor identities -q founder-laptop js

####
ziti edge create edge-router-policy js-clients --edge-router-roles '@nyck33-ubuntu2304-edge-router' --identity-roles '#management'

ziti edge list edge-router-policies 'name="js-clients"'
ziti edge policy-advisor identities -q founder-laptop js

# start the server in the other terminal and try the client
# also not sure what each entity in this command is
ziti demo ziti-js-client --identity founder-laptop.json trees are tall

I couldn't get it to work so now I am looking at using the tunneler.
Please feel free to comment or advise on any of the above.

If I can try to sum up, you are looking to get a python example working that works with a go-based echo server? I must admit, I've read your post a couple of times but I'm not entirely sure I understand exactly what you're trying to do? I'm sorry, but would you just sum up what the end goal is you're trying to get working?

Is it okay if I refer to a simpler example before tackling that one I mentioned above? I want to run the Python examples so started reading: https://github.com/openziti/ziti-sdk-py/blob/main/sample/README.md

There are many steps involved to get an OpenZiti network up before being able to run any of the Python examples. Can I use any of the scripts in the Quickstart folder of the main Ziti repo located here: https://github.com/openziti/ziti/tree/release-next/quickstart ? I keep fumbling at this step so have not been able to try any of them.

Definitely! :slight_smile:

I'm "familiar" with Python, but not used it much. I'm a good person to go try them out. Is there any particular example you'd want to try first or just any of them ? :slight_smile:

  1. I'd like to see a walk-through of running Flazk first and foremost, then urllib3 in the examples folder.

  2. I'm also having problems setting an identity for OpenZiti Edge on Ubuntu as I thought I could select the resulting .json after enrolling a created identity but the pop-up window when I click "Select Identity" on the Edge GUI only lets me select .jwt's so I do that but it never works.

ziti edge create identity user "PythonTunneler" -o PythonTunneler.jwt 
ziti edge enroll --jwt PythonTunneler.jwt --out PythonTunneler.json

Those commands leave me with

(zitipy) nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti-sdk-py$ ls
CODE_OF_CONDUCT.md  CONTRIBUTING.md  images  LICENSE  MANIFEST.in  PythonTunnelerClient.jwt  PythonTunneler.json  README.md  sample  SECURITY.md  setup.cfg  setup.py  src  tests  versioneer.py

so above you can see a .jwt and .json with names that don't match because I've been trying multiple times to try to get this to work.

  3. Finally I tried running:

    nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti/quickstart/docker/image$ chmod +x ziti-cli-functions.sh
    nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti/quickstart/docker/image$ ./ziti-cli-functions.sh
    nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti/quickstart/docker/image$ ./ziti-cli-functions.sh 2> error.log
    nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti/quickstart/docker/image$ ./ziti-cli-functions.sh
    echo $?
    0
    nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti/quickstart/docker/image$ sudo ./ziti-cli-functions.sh

  4. Is there a commands cheat sheet (every single ziti command)?

Alrighty. I updated our sample code a tiny bit, but updating the doc/readmes will take me a bit longer and I wanted to get back to you sooner than later. I'm going to give you "the tl;dr" here for what you're looking to do! :slight_smile: I think this answers most of your questions but for #2 - would you mind starting a wholly separate thread? I'll work on getting this stuff incorporated into our readmes. In the meantime...

Clone the Code and Setup the Overlay

  • clone the ziti-sdk-py repo and change to the sample folder

    git clone https://github.com/openziti/ziti-sdk-py.git
    cd ziti-sdk-py/sample
    
  • download/Install/Add ziti to your path:

    Linux/MacOS:

    source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/quick/ziti-cli-functions.sh)"; getZiti "yes"
    

    Windows Powershell:

    iex(iwr -Uri https://get.openziti.io/quick/getZiti.ps1)
    
  • start a local, ephemeral network. This will generate a locally running overlay network in a single command. It's ephemeral and perfect for quick testing like this:

    ziti edge quickstart
    
  • login to the overlay:

    ziti edge login localhost:1280 -u admin -p admin -y
    
  • create two identities, one for your 'server' and one for your 'client' but use attributes (using -a) for easier policy configuration (used below)

    ziti edge create identity py-server-id -a "server-id" -o ./py-server-id.jwt
    ziti edge create identity py-client-id -a "client-id" -o ./py-client-id.jwt
    
  • use python and enroll each token to create strong identities. Notice two new files exist after running these commands:

    python -m openziti enroll --jwt=./py-server-id.jwt --identity=./py-server-id.json
    python -m openziti enroll --jwt=./py-client-id.jwt --identity=./py-client-id.json
    
  • create two example services, one for the echo server, one for flask. Notice both services get the "python-samples" attribute

    ziti edge create service py-echo-service -a "python-samples"
    ziti edge create service py-flazk-service -a "python-samples"
    
  • authorize any identities with the "server-id" attribute to 'bind' any service that has the "python-samples" attribute. This allows one identity to 'bind' both services (via attributes)

    ziti edge create service-policy service-bind-policy Bind --identity-roles '#server-id' --service-roles "#python-samples"
    
  • authorize any identities with the "client-id" to be able to 'dial' any service that has the "python-samples" attribute. This allows one identity to 'dial' both services (via attributes)

    ziti edge create service-policy service-dial-policy Dial --identity-roles '#client-id' --service-roles "#python-samples"
    
  • run policy-advisor and confirm your services are authorized as you'd expect. Notice the 'client' can 'dial' both services and the 'server' id can 'bind' both:

    ziti edge policy-advisor services -q
    OKAY : py-client-id (1) -> py-flazk-service (1) Common Routers: (1/1) Dial: Y Bind: N
    OKAY : py-client-id (1) -> py-echo-service (1) Common Routers: (1/1) Dial: Y Bind: N
    OKAY : py-server-id (1) -> py-flazk-service (1) Common Routers: (1/1) Dial: N Bind: Y
    OKAY : py-server-id (1) -> py-echo-service (1) Common Routers: (1/1) Dial: N Bind: Y
    

Run the Echo Sample!

Remember to be in the "sample" directory and ensure py-server-id.json and py-client-id.json are in the directory.

  • in one terminal, start the 'echo' server:

    python ziti-echo-server/ziti-echo-server.py ./py-server-id.json py-echo-service
    
  • in a separate terminal, start the 'echo' client:

    python ziti-echo-server/ziti-echo-client.py ./py-client-id.json py-echo-service
    

Run the Flazk Sample!

Remember to be in the "sample" directory and ensure py-server-id.json and py-client-id.json are in the directory.
SERVER: the server runs like the echo samples by passing the identity to use into the sample
CLIENT: the client demonstrates the ZITI_IDENTITIES environment variable in use

  • in one terminal, start the 'flazk' server:

    python flask-of-ziti/helloFlazk.py ./py-server-id.json py-flazk-service
    
  • in a separate terminal, start the 'urllib3' client:

    export ZITI_IDENTITIES=/tmp/ziti-sdk-py/sample/py-client-id.json
    python ziti-urllib3/ziti-urllib3.py http://py-flazk-service
    

Here's a Video Walkthrough

1 Like
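A defender's follow-up to the policy-advisor step in the walkthrough above, as an added example that is not part of the thread or of the ziti-sdk-py project: a small POSIX shell audit that parses `ziti edge policy-advisor services -q` output and compares it with the grants you intended, flagging a client that can Bind, a server that can Dial, an identity you never meant to authorize, or a pair with no common edge router. The advisor output and the "identity=Dial/Bind" expectation format are constructed for this example; only the line layout comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenZiti project): audit the
# output of "ziti edge policy-advisor services -q" against the grants you
# intended, so a mistaken policy (a client allowed to Bind, a pair with no
# common edge router) is caught before the samples are run.
#
# The advisor output below is constructed in the format the thread shows.
# Its last line is a deliberately wrong entry so the audit has something to flag.
SAMPLE_ADVISOR_OUTPUT='OKAY : py-client-id (1) -> py-flazk-service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : py-client-id (1) -> py-echo-service (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : py-server-id (1) -> py-flazk-service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : py-server-id (1) -> py-echo-service (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : py-client-id (1) -> py-admin-service (1) Common Routers: (0/1) Dial: Y Bind: Y'

# Intended grants, one "identity=Dial/Bind" token per identity (a format
# chosen for this example, not an OpenZiti one). Any identity not listed
# here is treated as unexpected.
EXPECTED_GRANTS='py-client-id=Y/N py-server-id=N/Y'

# parse_advisor_line LINE
# Splits one advisor line on whitespace and prints:
#   <identity> <service> <common-router-count> <Dial flag> <Bind flag>
# Field layout: OKAY : <identity> (n) -> <service> (n) Common Routers: (c/t) Dial: X Bind: X
parse_advisor_line() {
    set -f                  # no pathname expansion while word-splitting
    set -- $1
    set +f
    common=${10#\(}         # "(1/1)" -> "1/1"
    common=${common%%/*}    # "1/1"   -> "1"
    printf '%s %s %s %s %s\n' "$3" "$6" "$common" "${12}" "${14}"
}

# audit_advisor OUTPUT EXPECTED_GRANTS
# Prints every violation to stderr and the violation count to stdout.
# Returns 0 only when the advisor output matches the intended grants exactly.
audit_advisor() {
    output=$1; expected=$2; violations=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(parse_advisor_line "$line")
        ident=$1; service=$2; common=$3; dial=$4; bind=$5

        want=''
        for spec in $expected; do
            case $spec in "$ident="*) want=${spec#*=} ;; esac
        done
        if [ -z "$want" ]; then
            echo "VIOLATION: $ident -> $service: identity has no intended grants" >&2
            violations=$((violations + 1))
            continue
        fi

        want_dial=${want%/*}; want_bind=${want#*/}
        if [ "$dial" != "$want_dial" ] || [ "$bind" != "$want_bind" ]; then
            echo "VIOLATION: $ident -> $service: Dial:$dial Bind:$bind (wanted Dial:$want_dial Bind:$want_bind)" >&2
            violations=$((violations + 1))
        fi
        # Authorized on paper but with no shared edge router: traffic cannot flow.
        if [ "$common" -eq 0 ]; then
            echo "VIOLATION: $ident -> $service: no common edge router" >&2
            violations=$((violations + 1))
        fi
    done <<EOF
$output
EOF
    echo "$violations"
    [ "$violations" -eq 0 ]
}

# Stand-alone run against the constructed sample. Against a live overlay you
# would pass the real output: audit_advisor "$(ziti edge policy-advisor services -q)" "$EXPECTED_GRANTS"
if audit_advisor "$SAMPLE_ADVISOR_OUTPUT" "$EXPECTED_GRANTS"; then
    echo "policy audit clean"
else
    echo "policy audit found violations"
fi
```

The constructed fifth line trips two checks at once (an unintended Bind grant and zero common routers), so the sample run reports 2 violations and a non-zero exit status.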

Thanks for your response but my machine hangs on the quickstart:

(zitipy) nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti-sdk-py$ ziti edge quickstart
creating the tmp dir [/tmp/quickstart3254188694/db] for the database.

emitting a minimal PKI
Success
Using CA name:  root-ca
Success
Using CA name:  intermediate-ca
Success
Using CA name:  intermediate-ca
Success
[   1.699]    INFO storage/boltz.(*migrationManager).Migrate.func1: Migrated fabric datastore from 0 to 5
[   1.699]    INFO storage/boltz.(*migrationManager).Migrate.func1: fabric datastore is up to date at version 5
[   1.707]    INFO ziti/common/metrics.GoroutinesPoolMetricsConfigF.func1.1: {poolType=[pool.router.messaging] minWorkers=[0] maxWorkers=[100] idleTime=[30s] maxQueueSize=[100]} starting goroutine pool
[   1.708]    INFO ziti/controller/network.(*Network).showOptions: network = {
  "CreateCircuitRetries": 2,
  "CycleSeconds": 60,
  "EnableLegacyLinkMgmt": true,
  "InitialLinkLatency": 65000000000,
  "IntervalAgeThreshold": 0,
  "MetricsReportInterval": 60000000000,
  "MinRouterCost": 10,
  "PendingLinkTimeout": 10000000000,
  "RouteTimeout": 10000000000,
  "RouterConnectChurnLimit": 60000000000,
  "RouterComm": {
    "QueueSize": 100,
    "MaxWorkers": 100
  },
  "Smart": {
    "RerouteFraction": 0.02,
    "RerouteCap": 4,
    "MinCostDelta": 15
  }
}
[   1.710]    INFO ziti/controller.(*Controller).showOptions: ctrl = {
  "OutQueueSize": 4,
  "MaxQueuedConnects": 1,
  "MaxOutstandingConnects": 16,
  "ConnectTimeout": 5000000000,
  "DelayRxStart": false,
  "WriteTimeout": 0,
  "NewListener": null,
  "AdvertiseAddress": null,
  "RouterHeartbeatOptions": {
    "sendInterval": 10000000000,
    "checkInterval": 1000000000,
    "closeUnresponsiveTimeout": 30000000000
  },
  "PeerHeartbeatOptions": {
    "sendInterval": 10000000000,
    "checkInterval": 1000000000,
    "closeUnresponsiveTimeout": 30000000000
  }
}
[   2.022]    INFO ziti/controller/server.NewController: edge controller instance id: clo7y8s670000g761nvtnh4dv
[   2.022]    INFO ziti/controller/server.(*Controller).Initialize: initializing edge
[   2.044]    INFO storage/boltz.(*migrationManager).Migrate.func1: Migrated edge datastore from 0 to 35
[   2.044]    INFO storage/boltz.(*migrationManager).Migrate.func1: edge datastore is up to date at version 35
[   2.057]    INFO ziti/controller/internal/policy.NewSessionEnforcer: {sessionTimeout=[30m0s] frequency=[5s]} session enforcer configured
[   2.070]    INFO ziti/controller/server.(*Controller).Shutdown: edge controller: shutting down...
[   2.070]    INFO ziti/controller/server.(*Controller).Shutdown: edge controller: stopped
[   2.070]    INFO ziti/controller/server.(*Controller).Shutdown: fabric controller: shutting down...
[   2.070]    INFO ziti/controller/server.(*Controller).Shutdown: fabric controller: stopped
[   2.070]    INFO ziti/controller/server.(*Controller).Shutdown: shutdown complete
[   2.070]    INFO ziti/controller/subcmd.NewEdgeInitializeCmd.func2: Ziti Edge initialization complete
Controller running... Configuring and starting Router...
[   2.086]    INFO ziti/ziti/controller.run: {build-date=[2023-10-13T20:22:56Z] version=[v0.30.5] revision=[4f324bd22875] nodeId=[client] go-version=[go1.20.8] os=[linux] arch=[amd64]} starting ziti-controller
[   2.086]    INFO storage/boltz.(*migrationManager).Migrate.func1: fabric datastore is up to date at version 5
[   2.089]    INFO ziti/common/metrics.GoroutinesPoolMetricsConfigF.func1.1: {maxWorkers=[100] idleTime=[30s] poolType=[pool.router.messaging] maxQueueSize=[100] minWorkers=[0]} starting goroutine pool
[   2.089]    INFO ziti/controller/network.(*Network).showOptions: network = {
  "CreateCircuitRetries": 2,
  "CycleSeconds": 60,
  "EnableLegacyLinkMgmt": true,
  "InitialLinkLatency": 65000000000,
  "IntervalAgeThreshold": 0,
  "MetricsReportInterval": 60000000000,
  "MinRouterCost": 10,
  "PendingLinkTimeout": 10000000000,
  "RouteTimeout": 10000000000,
  "RouterConnectChurnLimit": 60000000000,
  "RouterComm": {
    "QueueSize": 100,
    "MaxWorkers": 100
  },
  "Smart": {
    "RerouteFraction": 0.02,
    "RerouteCap": 4,
    "MinCostDelta": 15
  }
}
[   2.089]    INFO ziti/controller.(*Controller).showOptions: ctrl = {
  "OutQueueSize": 4,
  "MaxQueuedConnects": 1,
  "MaxOutstandingConnects": 16,
  "ConnectTimeout": 5000000000,
  "DelayRxStart": false,
  "WriteTimeout": 0,
  "NewListener": null,
  "AdvertiseAddress": null,
  "RouterHeartbeatOptions": {
    "sendInterval": 10000000000,
    "checkInterval": 1000000000,
    "closeUnresponsiveTimeout": 30000000000
  },
  "PeerHeartbeatOptions": {
    "sendInterval": 10000000000,
    "checkInterval": 1000000000,
    "closeUnresponsiveTimeout": 30000000000
  }
}
[   2.411]    INFO ziti/controller/server.NewController: edge controller instance id: clo7y8sh10001g761heuhehdx
[   2.412] WARNING ziti/controller/api_impl.OverrideRequestWrapper: requestWrapper overridden more than once
[   2.412]    INFO ziti/controller/server.(*Controller).Initialize: initializing edge
[   2.416]    INFO storage/boltz.(*migrationManager).Migrate.func1: edge datastore is up to date at version 35
[   2.419]    INFO ziti/controller/internal/policy.NewSessionEnforcer: {sessionTimeout=[30m0s] frequency=[5s]} session enforcer configured
[   2.420]    INFO ziti/controller/server.(*Controller).Run: starting edge
[   2.420]    INFO ziti/controller/server.(*Controller).checkEdgeInitialized: edge initialized
[   2.421]    INFO ziti/common/metrics.GoroutinesPoolMetricsConfigF.func1.1: {maxQueueSize=[1] poolType=[pool.listener.ctrl] idleTime=[10s] maxWorkers=[16] minWorkers=[1]} starting goroutine pool
[   2.421]    INFO channel/v2.(*UnderlayDispatcher).Run: started
[   2.431]    INFO ziti/controller/network.(*Network).Run: started
[   2.448]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[tls: client didn't provide a certificate]} handshake failed
[   2.513]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[tls: client didn't provide a certificate]} handshake failed
[   2.524]    INFO xweb/v2.(*Server).Start: starting ApiConfig to listen and serve tls on 0.0.0.0:1280 for server client-management with APIs: [edge-management edge-client fabric]
[   2.578]    INFO ziti/ziti/cmd/edge.(*QuickstartOpts).run: Controller online. Continuing...
[   2.601]   ERROR transport/v2/tls.(*sharedListener).processConn [tls:0.0.0.0:1280]: {error=[remote error: tls: bad certificate]} handshake failed
Comparing remote CA to local. Server cert count: 3, local cert count: 5
WARNING: server supplied certificate authority doesn't match cached certs at /home/nyck33/.config/ziti/certs/nyck33-ubuntu2304
Server certificate chain written to /home/nyck33/.config/ziti/certs/nyck33-ubuntu2304
Token: 9615c8ab-a3a0-439d-9f0a-302be3993f14
Saving identity 'default' to /home/nyck33/.config/ziti/ziti-cli.json
New edge router policy all-endpoints-public-routers created with id: 59IeAU6mu9vaLn9WDLoPE4
New service edge router policy all-routers-all-services created with id: 5D8p1Nhok8HKhsqbUKDeZm
New edge router nyck33-ubuntu2304-edge-router created with id: OnbcJqyOYb
Enrollment expires at 2023-10-27T04:43:22.728Z
[   3.863]    INFO ziti/router/enroll.(*RestEnroller).Enroll: registration complete
[   3.872]    INFO ziti/ziti/router.run: {version=[v0.30.5] go-version=[go1.20.8] build-date=[2023-10-13T20:22:56Z] revision=[4f324bd22875] configFile=[/tmp/quickstart3254188694/nyck33-ubuntu2304-edge-router.yaml] os=[linux] routerId=[OnbcJqyOYb] arch=[amd64]} starting ziti-router
[   3.872]    INFO ziti/common/metrics.GoroutinesPoolMetricsConfigF.func1.1: {idleTime=[30s] poolType=[pool.link.dialer] minWorkers=[0] maxWorkers=[32] maxQueueSize=[1000]} starting goroutine pool
[   3.872]    INFO ziti/router/forwarder.(*Faulter).run: started
[   3.872]    INFO ziti/router/forwarder.(*Scanner).run: started
[   3.872]    INFO ziti/common/metrics.GoroutinesPoolMetricsConfigF.func1.1: {poolType=[pool.route.handler] minWorkers=[0] maxWorkers=[128] idleTime=[30s] maxQueueSize=[1000]} starting goroutine pool
[   3.872] WARNING ziti/router/internal/edgerouter.(*Config).LoadConfigFromMap: Invalid heartbeat interval [0] (min: 60, max: 10), setting to default [60]
[   3.872]   ERROR ziti/ziti/router.run: {error=[gops: agent already listening at: /tmp/gops-agent.78343.sock]} unable to start CLI agent
[   3.872]    INFO ziti/router.(*Router).showOptions: ctrl = {"OutQueueSize":4,"MaxQueuedConnects":1,"MaxOutstandingConnects":16,"ConnectTimeout":5000000000,"DelayRxStart":false,"WriteTimeout":0}
[   3.873]    INFO ziti/router.(*Router).showOptions: metrics = {"ReportInterval":60000000000,"IntervalAgeThreshold":0,"MessageQueueSize":10}
[   3.873]    INFO ziti/common/metrics.GoroutinesPoolMetricsConfigF.func1.1: {minWorkers=[0] maxQueueSize=[5000] maxWorkers=[32] idleTime=[30s] poolType=[pool.link.dialer]} starting goroutine pool
[   3.873]    INFO ziti/router.(*Router).initializeHealthChecks: starting health check with ctrl ping initially after 15s, then every 30s, timing out after 15s
[   3.873]    INFO ziti/router.(*Router).startXlinkDialers: started Xlink dialer with binding [transport]
[   3.873] WARNING ziti/router/xlink_transport.loadListenerConfig: {addr=[tls:0.0.0.0:3022] error=[no network interface found for 0.0.0.0]} unable to get interface for address
[   3.874]    INFO ziti/common/metrics.GoroutinesPoolMetricsConfigF.func1.1: {maxWorkers=[16] maxQueueSize=[1] poolType=[pool.listener.link] minWorkers=[1] idleTime=[10s]} starting goroutine pool
[   3.874]    INFO ziti/router.(*Router).startXlinkListeners: started Xlink listener with binding [transport] advertising [tls:nyck33-ubuntu2304:3022]
[   3.874]    INFO ziti/router/xgress_edge.(*listener).Listen: {address=[tls:0.0.0.0:3022]} starting channel listener
[   3.874]    INFO ziti/common/metrics.GoroutinesPoolMetricsConfigF.func1.1: {poolType=[pool.listener.xgress_edge] minWorkers=[1] maxWorkers=[16] idleTime=[10s] maxQueueSize=[1]} starting goroutine pool
[   3.874]    INFO ziti/router.(*Router).startXgressListeners: created xgress listener [edge] at [tls:0.0.0.0:3022]
[   3.874]    INFO ziti/router.(*Router).startXgressListeners: created xgress listener [tunnel] at []
[   3.874]    INFO ziti/router.(*Router).getInitialCtrlEndpoints: controller endpoints file [/tmp/quickstart3254188694/endpoints] doesn't exist. Using initial endpoints from config
[   3.874]    INFO ziti/router.(*Router).startControlPlane: router configured with 1 controller endpoints
[   3.874]    INFO ziti/router/xgress_edge.(*Acceptor).Run: starting
[   3.874]    INFO ziti/router/env.(*networkControllers).UpdateControllerEndpoints: {endpoint=[map[tls:nyck33-ubuntu2304:1280:{}]]} adding new ctrl endpoint
[   3.874]    INFO ziti/router/env.(*networkControllers).connectToControllerWithBackoff: {endpoint=[tls:nyck33-ubuntu2304:1280]} starting connection attempts
[   3.908]    INFO ziti/router/env.(*networkControllers).connectToControllerWithBackoff.func3: {endpoint=[tls:nyck33-ubuntu2304:1280]} successfully connected to controller
[   3.909]    INFO ziti/controller/handler_ctrl.(*CtrlAccepter).Bind: {routerId=[OnbcJqyOYb]} accepted new router connection [r/OnbcJqyOYb]
[   3.909]    INFO ziti/controller/network.(*routerChangedEvent).handle: calculating router updates for router OnbcJqyOYb, connected=true
[   3.909]    INFO ziti/controller/env.(*Broker).RouterConnected.func1: {routerFingerprint=[06058680154175b459f93a24776bf2457a7b8fe0] routerName=[nyck33-ubuntu2304-edge-router] routerId=[OnbcJqyOYb]} broker detected edge router with id OnbcJqyOYb connecting
[   3.909]    INFO ziti/controller/sync_strats.(*InstantStrategy).RouterConnected: {syncStatus=[SYNC_QUEUED] routerId=[OnbcJqyOYb] routerName=[nyck33-ubuntu2304-edge-router] sync_strategy=[instant] routerFingerprint=[06058680154175b459f93a24776bf2457a7b8fe0]} edge router connected, adding to sync routerConnectedQueue
[   3.909]    INFO ziti/controller/sync_strats.(*InstantStrategy).hello: {routerFingerprint=[06058680154175b459f93a24776bf2457a7b8fe0] routerChannelIsOpen=[true] strategy=[instant] routerTxId=[PM9cJqJfR] routerId=[OnbcJqyOYb] routerName=[nyck33-ubuntu2304-edge-router]} edge router sync starting
[   3.909]    INFO ziti/controller/sync_strats.(*InstantStrategy).hello: {routerId=[OnbcJqyOYb] routerName=[nyck33-ubuntu2304-edge-router] syncStatus=[SYNC_HELLO] routerFingerprint=[06058680154175b459f93a24776bf2457a7b8fe0] routerChannelIsOpen=[true] strategy=[instant] routerTxId=[PM9cJqJfR]} sending edge router hello
[   3.910]    INFO ziti/router/handler_edge_ctrl.(*helloHandler).HandleReceive.func1: received server hello, replying
[   3.910]    INFO ziti/router/fabric.(*StateManagerImpl).AddSignerPublicCert: {received=[1] added=[1] ignored=[0]} received signer public certificates
[   3.910]    INFO ziti/controller/sync_strats.(*InstantStrategy).ReceiveClientHello: {data=[map[]] routerFingerprint=[06058680154175b459f93a24776bf2457a7b8fe0] routerName=[nyck33-ubuntu2304-edge-router] revision=[4f324bd22875] os=[linux] arch=[amd64] buildDate=[2023-10-13T20:22:56Z] strategy=[instant] protocols=[[tls]] routerChannelIsOpen=[true] version=[v0.30.5] routerId=[OnbcJqyOYb] routerTxId=[PM9cJqJfR] listeners=[[address:{value:"tls:0.0.0.0:3022"  protocol:"tls"  hostname:"0.0.0.0"  port:3022}  advertise:{value:"nyck33-ubuntu2304:3022"  protocol:"tls"  hostname:"nyck33-ubuntu2304"  port:3022}]] protocolPorts=[[3022]]} edge router sent hello with version [v0.30.5] to controller with version [v0.30.5]
[   3.910]    INFO ziti/controller/sync_strats.(*InstantStrategy).synchronize: {routerTxId=[PM9cJqJfR] routerFingerprint=[06058680154175b459f93a24776bf2457a7b8fe0] routerChannelIsOpen=[true] routerId=[OnbcJqyOYb] routerName=[nyck33-ubuntu2304-edge-router] strategy=[instant]} started synchronizing edge router
[   3.911]    INFO ziti/controller/sync_strats.(*InstantStrategy).synchronize.func1: {strategy=[instant] routerTxId=[PM9cJqJfR] routerId=[OnbcJqyOYb] routerName=[nyck33-ubuntu2304-edge-router] routerFingerprint=[06058680154175b459f93a24776bf2457a7b8fe0] routerChannelIsOpen=[true]} exiting synchronization, final status: SYNC_DONE
[   3.911]    INFO ziti/router/handler_edge_ctrl.(*apiSessionAddedHandler).instantSync: {strategy=[instant]} first api session syncId [clo7y8tmo0004g761asrvnxox], starting
[   3.911]    INFO ziti/router/handler_edge_ctrl.(*apiSessionSyncTracker).Add: received api session sync chunk 0, isLast=true
[   3.945]    INFO ziti/router/fabric.(*StateManagerImpl).StartHeartbeat: heartbeat starting
[   3.945]    INFO ziti/router/xgress_edge_tunnel.(*tunneler).Start: {mode=[host]} creating interceptor
[   3.945]    INFO ziti/router/xgress_edge.(*CertExpirationChecker).Run: waiting 8615h59m59.060304265s to renew certificates
[   3.953]    INFO ziti/tunnel/dns.flushDnsCaches: dns caches flushed
[   4.160]    INFO ziti/controller/network.(*Network).Run: {routerId=[OnbcJqyOYb]} changed router
[   4.307]    INFO ziti/tunnel/intercept.SetDnsInterceptIpRange: dns intercept IP range: 100.64.0.1 - 100.127.255.254
[   4.912]    INFO ziti/router/handler_edge_ctrl.(*apiSessionAddedHandler).applySync: finished sychronizing api sessions [count: 1, syncId: clo7y8tmo0004g761asrvnxox, duration: 26.681µs]

I have in my .bashrc

#for ziti cli
export PATH=$PATH:/home/nyck33/.ziti/quickstart/nyck33-ubuntu2304/ziti-bin/ziti-v0.30.5
# load ziti env vars and cli
alias loadziti="source $HOME/.ziti/quickstart/$(hostname)/$(hostname).env"
# source the script that ensures CLI functions and env vars are loaded each time
source /dev/stdin <<< "$(wget -qO- https://get.openziti.io/ziti-cli-functions.sh)"

I am unable to post long responses on here, when I push the Reply button, everything I wrote disappears (I'm not over the character limit if there is one). But I am hanging on the quickstart command on Ubuntu.

ugh. that's the "new user limit" from discourse. Sorry about that. I see the message/s I'll click one of them through...

That's actually what it should do. It'll sit there and "run" until you ctrl-c it, then it'll go away. It's running a full overlay network, usable from 'localhost' until you cancel it. :slight_smile:

If you peep the video, you'll see I use three different terminals.

  • one for the quickstart
  • one for the 'server' app (whatever it is)
  • one for the corresponding 'client' app

As for the .bashrc changes, those seem fine to me and shouldn't cause issues as is.

I apologize, I just started watching the video, so now I know that it is not hanging but is running. Would you by any chance have a link for the ziti edge quickstart script, because I want to try to dissect it and refactor it for my own use cases?

1 Like

sure. it's this go file here: https://github.com/openziti/ziti/blob/release-next/ziti/cmd/edge/quickstart.go

If you look in that file for comments, you'll see all the corresponding ziti CLI commands it runs:

// ziti edge create edge-router-policy all-endpoints-public-routers --edge-router-roles "#public" --identity-roles "#all"
// ziti edge create service-edge-router-policy all-routers-all-services --edge-router-roles "#all" --service-roles "#all"
// ziti edge create edge-router ${ZITI_HOSTNAME}-edge-router -o ${ZITI_HOME}/${ZITI_HOSTNAME}-edge-router.jwt -t -a public
// ziti create config router edge --routerName ${ZITI_HOSTNAME}-edge-router >${ZITI_HOME}/${ZITI_HOSTNAME}-edge-router.yaml
// ziti router enroll ${ZITI_HOME}/${ZITI_HOSTNAME}-edge-router.yaml --jwt ${ZITI_HOME}/${ZITI_HOSTNAME}-edge-router.jwt
// ziti router run ${ZITI_HOME}/${ZITI_HOSTNAME}-edge-router.yaml &> ${ZITI_HOME}/${ZITI_HOSTNAME}-edge-router.log &

etc. etc....

You can review this discourse post too, and the associated video in there, where I basically review all the steps the "host it anywhere" quickstart does, which is pretty much what this command does (just one is with bash and ziti-cli-functions.sh and one is in go): "What does the quickstart do that I need to do myself?" It also has a pared down "gist" linked that shows all the commands the quickstart accomplishes: https://raw.githubusercontent.com/dovholuknf/openziti-compose/main/from-scratch.sh

I think that might help too

1 Like

Are there any plans to have a certification system for OpenZiti architects/developers/engineers? I'm off to a slow start but want something I can show people over here in Asia where I am in a few months time that I am able to zitify networks for businesses.

We don't have any type of certification thing just yet. You're not the first person to ask, it's just "work" that needs to get prioritized, and hasn't been yet. OpenZiti is still evolving rapidly too but the basics certainly haven't changed substantially for a while now.

The one thing that I can think of right now that might fit, would be to use OpenZiti in a 'production' environment (if applicable). Once you do that, you could then get your project added to our ADOPTERS.md page https://github.com/openziti/ziti/blob/release-next/ADOPTERS.md. Oh that reminds me, I think we were going to add a section for "open source projects" using OpenZiti too (not just production)...

I believe there are others in the forum who have created "poc/demonstration" type environments that demonstrate to potential clients the fact that you can indeed deliver a solution via OpenZiti and challenge them to access a dark service. Demonstrate to them there are no firewall holes open and let them marvel at the technology. :slight_smile: That sort of demonstration is particularly powerful (imo) as an application embedded example since they can see the code (if it's simple and you keep it open source).

OpenZiti leadership and devs see most of these posts on discourse and we take user feedback like this very seriously so I'm sure this will be a topic of discussion. For the immediate 'now' though, those are a couple of thoughts that come to mind.

1 Like

The nfconsole and free tier are so awesome, I just ran the Python Flazk example from a local Flask server running like

    (zitipy) nyck33@nyck33-ubuntu2304:~/Documents/cybersec/openziti/ziti-sdk-py/sample/flask-of-ziti$ python helloFlazk.py ./py-nf-server-id.json Python-Flazk-Service

where that is the identity json created by running the enroll command shown above by @TheLumberjack, and that service is the name I see in my console:

I installed the Ziti Edge app on my Zte phone from Google Play, scanned the QR code I get from nfconsole.io to get an identity on my phone, created the service, a Bind and Dial Policy at nfconsole.io then from my Android was able to connect to my local Flazk service! This is unbelievable stuff, it's completely hidden I believe and zero-code.
Hats off to OpenZiti right now.

1 Like

@TheLumberjack This link died: https://kubezt.com/ on the Adopters' page.

fyi, it also worked with this fastapi Hello World.

# usage: python <this file> <enrolled-identity.json> <ziti-service-name>
from fastapi import FastAPI
import uvicorn
import openziti
import sys

app = FastAPI()
bind_opts = {}  # populated in main: the enrolled identity file ('ztx') and the service to bind

# zitify binds the listener on ':8000' to the OpenZiti service named in bind_opts,
# so the app is hosted on the overlay rather than on a plain local port
@openziti.zitify(bindings={':8000': bind_opts})
def runApp():
    print("starting server on OpenZiti overlay")
    # FastAPI uses Uvicorn as the ASGI server, so we start it with Uvicorn
    uvicorn.run(app, host="0.0.0.0", port=8000)

@app.get('/')
def hello_world():
    print("received a request to /")
    return 'Have some Ziti!'

if __name__ == '__main__':
    bind_opts['ztx'] = sys.argv[1]      # path to the enrolled identity json
    bind_opts['service'] = sys.argv[2]  # name of the service this identity may Bind
    runApp()

my console

and I access http://py-flazk-service:18080 on my smartphone where I have a Ziti identity saved for the Ziti Edge App to use.

4 Likes

A post was split to a new topic: FastAPI - Internal Server Error