Hi everyone, I have an error with my identity. Everything is working with Docker and ZAC. After creating the identity, I tried to connect with the identity and got an error: enrollment failed. When I decode the JWT, the URL is https://ziti-edge-controller:1280, but when I open this URL I get nothing. This URL also exists at this address: https://localhost:1280.
Hi @oksanassss, welcome to the community and to OpenZiti!
This behavior is actually expected at this time. When OpenZiti controllers are configured, they need to know what address they are expected to be reached at. This address is REALLY important and you need to have it set correctly when the containers/controller initialize.
This forum user provided a set of steps a while ago that would help you out: How-to Start an OpenZiti Simple Instance with Docker Compose
Specifically, setting these variables is really important:
ZITI_CTRL_EDGE_ADVERTISED_ADDRESS=ziti.zititest.biz
ZITI_CTRL_ADVERTISED_ADDRESS=ziti.zititest.biz
ZITI_ROUTER_ADVERTISED_ADDRESS=ziti-edge-router.biz
You will probably want to just down -v your compose project so you can let the quickstart regenerate the files you need.
Hope that helps
EDIT: I noticed the edge router address isn't in there, I need to find that variable too. I'll find it and edit. That needs to be set too
Found in the default .env file: https://get.openziti.io/dock/.env
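The check described above, as an added example that is not part of the original posts or OpenZiti's own tooling: it decodes the enrollment JWT without verifying it and flags a controller URL that other machines are unlikely to reach. It assumes the URL sits in the `iss` claim; the token is constructed for the example and the function names are hypothetical.

```python
import base64
import ipaddress
import json
import socket
from urllib.parse import urlsplit

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample token (placeholder signature) carrying the URL from the question.
SAMPLE_JWT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://ziti-edge-controller:1280"}),
    "c2lnbmF0dXJl",
])

def enrollment_issuer(jwt_text):
    """Return the controller URL claim. Decodes only; the signature is NOT verified."""
    parts = jwt_text.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if "iss" not in claims:                           # assumption: URL is in 'iss'
        raise ValueError("token has no 'iss' claim")
    return claims["iss"]

def issuer_problems(iss, resolve=socket.getaddrinfo):
    """List reasons a client on another machine may fail to reach this URL."""
    url = urlsplit(iss)
    host = url.hostname
    if not host:
        raise ValueError(f"no host in issuer URL: {iss!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                     # a hostname, not an IP literal
    problems = []
    if host == "localhost" or (ip is not None and ip.is_loopback):
        problems.append("loopback address: only reachable on the controller host itself")
    elif ip is None and "." not in host:
        problems.append("single-label name: looks like a Docker-internal hostname")
    try:
        resolve(host, url.port or 443)                # DNS lookup from this machine
    except OSError:
        problems.append("name does not resolve from this machine")
    return problems

if __name__ == "__main__":
    iss = enrollment_issuer(SAMPLE_JWT)
    print(iss, issuer_problems(iss))
```

Run it on the machine that will enroll the identity, since name resolution is checked from wherever the script runs.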
OK, I can add an identity and I can connect from my PC with the identity. What is the next step? I want to start a web service and use it with OpenZiti. I tried adding a service, router, etc., but I couldn't solve it.
Are you looking to use application embedded zero trust? If that's what you're after, what language are you using? Have you looked at the different sdk repos? All of which have useful samples that might get you going. I'm not exactly sure what/how I can help. If you expand on what you're doing, and where you need help, I can give you a better response.
Not now, I want to use an easy example. For example, I ran a web service on port 8000. I want to connect to this web service with the Windows client.
I connected with the identity and I can see my service, but I don't know how to redirect this service to my website in ZAC. I have the web UI.
Gotcha. Are you following along with this or did you find it? Your First Service | OpenZiti
It'll show you exactly how but it uses the ziti cli not ZAC.
I made this primer on ZAC on ziti tv. Starting at 29:33 I start the tour of using ZAC including showing how to do exactly what you're asking for (well, I think it's what you're after)
Do we write both the host and client IDs when creating the service? He stated two different IDs in the video.
I added identities to my PC and phone. They are on the same network. But when I tried to connect to the host service from the phone (client), nothing changed.
I checked the Docker console logs and I have more errors.
docker-ziti-controller-1 | [5694.400] ERROR ziti/controller/handler_edge_ctrl.(*baseRequestHandler).returnError [ch{CJbR3ga1qh}->u{classic}->i{alPa}]: {error=[service 5JnXJbbJ5nQz855NvBrlcw has no terminators] routerId=[CJbR3ga1qh] operation=[create.circuit] token=[ee3835cc-deee-400d-a5f9-eea22e736886]} responded with error
docker-ziti-edge-router-1 | [5689.471] WARNING ziti/router/xgress_edge.(*edgeClientConn).processConnect [ch{edge}->u{classic}->i{vMLQ}]: {token=[ee3835cc-deee-400d-a5f9-eea22e736886] chSeq=[235] edgeSeq=[0] connId=[108] type=[EdgeConnectType] error=[service 5JnXJbbJ5nQz855NvBrlcw has no terminators]} failed to dial fabric
docker-ziti-controller-1 | [5694.403] ERROR ziti/controller/handler_edge_ctrl.(*baseRequestHandler).returnError [ch{CJbR3ga1qh}->u{classic}->i{alPa}]: {error=[service 5JnXJbbJ5nQz855NvBrlcw has no terminators] routerId=[CJbR3ga1qh] operation=[create.circuit] token=[ee3835cc-deee-400d-a5f9-eea22e736886]} responded with error
docker-ziti-edge-router-1 | [5689.474] WARNING ziti/router/xgress_edge.(*edgeClientConn).processConnect [ch{edge}->u{classic}->i{vMLQ}]: {token=[ee3835cc-deee-400d-a5f9-eea22e736886] connId=[109] type=[EdgeConnectType] chSeq=[236] edgeSeq=[0] error=[service 5JnXJbbJ5nQz855NvBrlcw has no terminators]} failed to dial fabric
When using tunnelers, yes you must have two identities. What you've shown appears correct but you're missing a port in the accessing/intercepting side. To be safe, that port should be specified.
When you see this error, it usually means there are no identities online for the service you're trying to bind. Look in your phone's logs and look at the hosting side logs and see if there are any errors.
I'll make a very short video showing you exactly the steps today. It looks like you're using a slightly older version of the Zac. 3.1.0 was released and changes that page a little bit. Shouldn't matter much, but FYI.
OK, I will try again until your video. I checked the host (Windows) app logs. Here they are:
[2024-04-25T11:06:39.918Z] ERROR ziti-sdk:channel.c:858 on_channel_connect_internal() ch[2] failed to connect [-3008/unknown node or service]
[2024-04-25T11:06:39.918Z] ERROR ziti-sdk:connect.c:295 on_channel_connected() ztx[2] ch[2] failed to connect [-3008/unknown node or service]
[2024-04-25T11:06:39.918Z] INFO ziti-sdk:channel.c:730 reconnect_channel() ch[2] reconnecting in 110992 ms (attempt = 1487)
[2024-04-25T11:06:39.927Z] ERROR ziti-sdk:channel.c:858 on_channel_connect_internal() ch[0] failed to connect [-3008/unknown node or service]
[2024-04-25T11:06:39.927Z] ERROR ziti-sdk:connect.c:295 on_channel_connected() ztx[2] ch[0] failed to connect [-3008/unknown node or service]
[2024-04-25T11:06:39.927Z] INFO ziti-sdk:channel.c:730 reconnect_channel() ch[0] reconnecting in 20147 ms (attempt = 2184)
[2024-04-25T11:06:43.910Z] WARN ziti-sdk:connect.c:356 connect_timeout() conn[2.2/Binding] bind timeout: no suitable edge router
[2024-04-25T11:06:43.921Z] INFO ziti-sdk:channel.c:733 reconnect_channel() ch[0] reconnecting NOW
[2024-04-25T11:06:43.921Z] INFO ziti-sdk:channel.c:733 reconnect_channel() ch[2] reconnecting NOW
I can't see anything on the 3008 port but the app wants to connect.
Firstly, this error: "bind timeout: no suitable edge router" makes me think you didn't get the router's advertised address sorted properly. I'll make an entire video for using docker compose with the quickstart...
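A small triage script for the two log formats quoted in this thread, added here as an example and not taken from the posts or from OpenZiti: it groups the controller/router "has no terminators" errors and the SDK bind and connect failures, and attaches the hints given in the replies. The log lines and IDs are constructed; the note on -3008 relies on libuv's UV_EAI_NONAME error code.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the logs quoted in this thread.
SAMPLE_LOG = """\
ctrl-1 | [10.100] ERROR ziti/controller/handler_edge_ctrl {error=[service svcEXAMPLE1 has no terminators] routerId=[rtrEXAMPLE] operation=[create.circuit]} responded with error
rtr-1 | [10.101] WARNING ziti/router/xgress_edge {connId=[1] error=[service svcEXAMPLE1 has no terminators]} failed to dial fabric
[2024-01-01T00:00:00.000Z] ERROR ziti-sdk:channel.c:858 on_channel_connect_internal() ch[0] failed to connect [-3008/unknown node or service]
[2024-01-01T00:00:00.001Z] ERROR ziti-sdk:connect.c:295 on_channel_connected() ztx[2] ch[0] failed to connect [-3008/unknown node or service]
[2024-01-01T00:00:04.000Z] WARN ziti-sdk:connect.c:356 connect_timeout() conn[2.2/Binding] bind timeout: no suitable edge router
[2024-01-01T00:00:04.010Z] INFO ziti-sdk:channel.c:733 reconnect_channel() ch[0] reconnecting NOW
"""

# (finding, pattern, hint). Hints restate the advice given in the thread.
RULES = [
    ("no_terminators", re.compile(r"service (\S+) has no terminators"),
     "nothing is hosting this service: check the hosting identity is online and its logs"),
    ("no_edge_router", re.compile(r"bind timeout: (no suitable edge router)"),
     "the hosting SDK has no usable router: check the router's advertised address"),
    ("channel_connect", re.compile(r"failed to connect \[(-?\d+/[^\]]+)\]"),
     "SDK cannot reach a router; -3008 is libuv UV_EAI_NONAME, a name lookup failure"),
]

def triage(log_text):
    """Count findings as {(finding, detail): occurrences}."""
    hits = Counter()
    for line in log_text.splitlines():
        for name, pattern, _hint in RULES:
            match = pattern.search(line)
            if match:
                hits[(name, match.group(1))] += 1
                break                      # one finding per line is enough
    return hits

def report(hits):
    """Render findings, most frequent first, with the matching hint."""
    hints = {name: hint for name, _pattern, hint in RULES}
    return [f"{count}x {name} [{detail}]: {hints[name]}"
            for (name, detail), count in hits.most_common()]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```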
Here's a whole video showing you how to start docker and offload a service:
Here are the relevant commands used in the video for easy copy/pasting:
curl -s https://get.openziti.io/dock/simplified-docker-compose.yml > docker-compose.yml
curl -s https://get.openziti.io/dock/.env > .env
ZAC_ROOT=$HOME/zac
ZAC_VERSION=3.1.0
rm -rf $ZAC_ROOT/zac/
mkdir -p $ZAC_ROOT
wget -O $ZAC_ROOT/zac-${ZAC_VERSION}.zip https://github.com/openziti/ziti-console/releases/download/app-ziti-console-v${ZAC_VERSION}/ziti-console.zip
unzip $ZAC_ROOT/zac-${ZAC_VERSION}.zip -d $ZAC_ROOT/zac-${ZAC_VERSION}/
echo "ADD this to your docker-compose.yml volume mount: $ZAC_ROOT/zac-${ZAC_VERSION}:/zac"
vi docker-compose.yml
add:
- $ZAC_ROOT/zac-${ZAC_VERSION}:/zac
docker exec -it docker-based-ziti-controller-1 bash
vi /persistent/ziti-controller.yaml
- binding: zac
  options: { "location": "/zac", "indexFile":"index.html" }
<html>
<body>
<p>hi</p>
</body>
</html>
python3 \
-m http.server 8080 \
--directory /tmp/web
I will try. One more.
Isn't the router local instead of amazon? I gave it my own IP address while running it.
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c718ff0ed919 openziti/zac "/usr/src/app/run-za…" 25 hours ago Up 14 seconds 1408/tcp, 0.0.0.0:8443->8443/tcp docker-ziti-console-1
9f30807f68f7 openziti/hello-world "/bin/sh -c 'echo \"h…" 25 hours ago Up 7 seconds (health: starting) 0.0.0.0:8000->8000/tcp docker-web-test-blue-1
56ad9fb48da0 openziti/quickstart:latest "/bin/bash /var/open…" 25 hours ago Up 15 seconds docker-ziti-private-red-1
13370369a945 openziti/quickstart:latest "/bin/bash /var/open…" 25 hours ago Up 14 seconds 0.0.0.0:3022->3022/tcp, 0.0.0.0:10080->10080/tcp docker-ziti-edge-router-1
7f6ef20bef83 openziti/quickstart:latest "/bin/bash /var/open…" 25 hours ago Up 15 seconds docker-ziti-private-blue-1
8461c0d0f291 openziti/quickstart:latest "/bin/bash /var/open…" 25 hours ago Up 15 seconds docker-ziti-fabric-router-br-1
37d0daf271db openziti/quickstart:latest "/bin/bash /var/open…" 25 hours ago Up 15 seconds 0.0.0.0:3023->3023/tcp, 0.0.0.0:10081->10081/tcp docker-ziti-edge-router-wss-1
d6a67b7764ab openziti/quickstart:latest "/var/openziti/scrip…" 25 hours ago Up 17 seconds (healthy) 0.0.0.0:1280->1280/tcp, 0.0.0.0:6262->6262/tcp docker-ziti-controller-1
Are you trying to run everything totally locally? That's fine. The important thing is your clients all need to be able to access a router. I see you're using the complex docker environment, too. That already has a "hello world" service available in it that you could use if you want.
I only used AWS to illustrate how it would work from anywhere. If you're keeping it all local, that's fine.
I guess I couldn't do it. There is a "no has terminator" error. Can't I add it manually?
Edited:
Oh, sorry, I solved it now. It's entirely my fault. I could not connect because I did not add my router ID to the service. I added my router ID to the service and I can connect now. Thanks for the help.
Oh hey, that's great! I was planning to go over docker and debugging today on Ziti TV for this very reason but I'm glad you got things working! I'll still be going over docker, controllers, routers, services and debugging on the ziti tv though. You might find something interesting. If you have direct questions, you can ask there too. It's a live stream in 2.5 hours from now. (11 AM ET, 1500 UTC)