Hello everyone. My team is using OpenZiti in order to provide connectivity across different machines. We're managing a Ziti Controller that is in version: v0.31.4 with ZAC at: 3.0.3.
We provide the following docker-compose.yaml file for the setting up of a Ziti Edge Tunnel, that will connect to our Ziti Controller:
version: "3.9"
services:
ziti-tun:
image: openziti/ziti-edge-tunnel
devices:
- /dev/net/tun:/dev/net/tun
volumes:
- .:/ziti-edge-tunnel
- /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
environment:
- ZITI_IDENTITY_BASENAME=ziti_id
- PFXLOG_NO_JSON=true # suppress JSON logging
network_mode: host
privileged: true
At first, the Ziti Edge Tunnel connects to our Ziti Controller without issue, and the connection across different machines is properly established. However, we notice that after some time (usually after a few hours or days) the ziti Edge Tunnel container appears to exit, seemingly without reason (thus requiring a manual restart etc).
Is it expected for the ziti-edge-tunnel container to exit abruptly? Have you ever experienced something similar?
The logs don't appear to be the same ones in the exited containers from all of the machines, so they don't offer us much. In any case, I will provide the logs from one of the exited containers:
(9)[ 498561.633] WARN ziti-sdk:bind.c:210 session_cb() server[0.62] failed to get session for service[HOST-tcp-10.10.10.19-6443-INTERCEPTS-tcp-10.10.10.19-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498561.929] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498561.929] WARN ziti-sdk:bind.c:210 session_cb() server[0.71] failed to get session for service[HOST-tcp-10.10.10.52-6443-INTERCEPTS-tcp-10.10.10.52-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498563.428] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498563.428] WARN ziti-sdk:bind.c:210 session_cb() server[0.22] failed to get session for service[tcp-10.10.10.61]: -14/UNAUTHORIZED
(9)[ 498565.290] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498565.290] WARN ziti-sdk:bind.c:210 session_cb() server[0.50] failed to get session for service[tcp-10.10.10.55]: -14/UNAUTHORIZED
(9)[ 498565.650] ERROR ziti-sdk:ziti_ctrl.c:162 ctrl_resp_cb() ctrl[ztc.euprojects.net] request failed: -110(connection timed out)
(9)[ 498565.650] WARN ziti-sdk:ziti.c:1598 api_session_cb() ztx[0] failed to get api session from ctrl[https://ztc.euprojects.net:8441] api_session_state[1] CONTROLLER_UNAVAILABLE[-16] connection timed out
(9)[ 498567.048] ERROR ziti-sdk:channel.c:695 reconnect_cb() ch[0] ziti context is not fully authenticated (api_session_state[0]), delaying re-connect
(9)[ 498567.048] INFO ziti-sdk:channel.c:733 reconnect_channel() ch[0] reconnecting in 123356ms (attempt = 205)
(9)[ 498567.645] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498567.645] WARN ziti-sdk:bind.c:210 session_cb() server[0.71] failed to get session for service[HOST-tcp-10.10.10.52-6443-INTERCEPTS-tcp-10.10.10.52-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498570.650] INFO ziti-sdk:ziti.c:914 ziti_re_auth_with_cb() ztx[0] starting to re-auth with ctrl[https://ztc.euprojects.net:8441] api_session_status[0] api_session_expired[TRUE]
(9)[ 498570.682] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498570.682] WARN ziti-sdk:bind.c:210 session_cb() server[0.5] failed to get session for service[internal-svc-k8s]: -14/UNAUTHORIZED
(9)[ 498571.483] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498571.483] WARN ziti-sdk:bind.c:210 session_cb() server[0.50] failed to get session for service[tcp-10.10.10.55]: -14/UNAUTHORIZED
(9)[ 498573.728] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498573.728] WARN ziti-sdk:bind.c:210 session_cb() server[0.76] failed to get session for service[HOST-tcp-10.10.10.23-6443-INTERCEPTS-tcp-10.10.10.23-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498575.310] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498575.310] WARN ziti-sdk:bind.c:210 session_cb() server[0.96] failed to get session for service[HOST-tcp-10.10.10.54-6443-INTERCEPTS-tcp-10.10.10.54-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498577.490] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498577.490] WARN ziti-sdk:bind.c:210 session_cb() server[0.22] failed to get session for service[tcp-10.10.10.61]: -14/UNAUTHORIZED
(9)[ 498579.145] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498579.145] WARN ziti-sdk:bind.c:210 session_cb() server[0.96] failed to get session for service[HOST-tcp-10.10.10.54-6443-INTERCEPTS-tcp-10.10.10.54-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498584.084] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498584.084] WARN ziti-sdk:bind.c:210 session_cb() server[0.3] failed to get session for service[patras-svc-gw]: -14/UNAUTHORIZED
(9)[ 498584.862] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498584.862] WARN ziti-sdk:bind.c:210 session_cb() server[0.44] failed to get session for service[HOST-tcp-10.10.10.55-6443-INTERCEPTS-tcp-10.10.10.55-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498585.651] ERROR ziti-sdk:ziti_ctrl.c:162 ctrl_resp_cb() ctrl[ztc.euprojects.net] request failed: -110(connection timed out)
(9)[ 498585.651] WARN ziti-sdk:ziti.c:1598 api_session_cb() ztx[0] failed to get api session from ctrl[https://ztc.euprojects.net:8441] api_session_state[1] CONTROLLER_UNAVAILABLE[-16] connection timed out
(9)[ 498585.981] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498585.981] WARN ziti-sdk:bind.c:210 session_cb() server[0.71] failed to get session for service[HOST-tcp-10.10.10.52-6443-INTERCEPTS-tcp-10.10.10.52-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498586.072] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498586.072] WARN ziti-sdk:bind.c:210 session_cb() server[0.22] failed to get session for service[tcp-10.10.10.61]: -14/UNAUTHORIZED
(9)[ 498588.666] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498588.666] WARN ziti-sdk:bind.c:210 session_cb() server[0.76] failed to get session for service[HOST-tcp-10.10.10.23-6443-INTERCEPTS-tcp-10.10.10.23-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498589.138] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498589.138] WARN ziti-sdk:bind.c:210 session_cb() server[0.96] failed to get session for service[HOST-tcp-10.10.10.54-6443-INTERCEPTS-tcp-10.10.10.54-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498589.418] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498589.418] WARN ziti-sdk:bind.c:210 session_cb() server[0.71] failed to get session for service[HOST-tcp-10.10.10.52-6443-INTERCEPTS-tcp-10.10.10.52-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498590.651] INFO ziti-sdk:ziti.c:914 ziti_re_auth_with_cb() ztx[0] starting to re-auth with ctrl[https://ztc.euprojects.net:8441] api_session_status[0] api_session_expired[TRUE]
(9)[ 498592.787] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498592.787] WARN ziti-sdk:bind.c:210 session_cb() server[0.62] failed to get session for service[HOST-tcp-10.10.10.19-6443-INTERCEPTS-tcp-10.10.10.19-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498596.181] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498596.181] WARN ziti-sdk:bind.c:210 session_cb() server[0.62] failed to get session for service[HOST-tcp-10.10.10.19-6443-INTERCEPTS-tcp-10.10.10.19-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498596.374] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498596.374] WARN ziti-sdk:bind.c:210 session_cb() server[0.96] failed to get session for service[HOST-tcp-10.10.10.54-6443-INTERCEPTS-tcp-10.10.10.54-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498596.596] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498596.596] WARN ziti-sdk:bind.c:210 session_cb() server[0.22] failed to get session for service[tcp-10.10.10.61]: -14/UNAUTHORIZED
(9)[ 498597.103] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498597.103] WARN ziti-sdk:bind.c:210 session_cb() server[0.5] failed to get session for service[internal-svc-k8s]: -14/UNAUTHORIZED
(9)[ 498599.817] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498599.817] WARN ziti-sdk:bind.c:210 session_cb() server[0.3] failed to get session for service[patras-svc-gw]: -14/UNAUTHORIZED
(9)[ 498600.392] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498600.392] WARN ziti-sdk:bind.c:210 session_cb() server[0.22] failed to get session for service[tcp-10.10.10.61]: -14/UNAUTHORIZED
(9)[ 498600.969] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498600.969] WARN ziti-sdk:bind.c:210 session_cb() server[0.50] failed to get session for service[tcp-10.10.10.55]: -14/UNAUTHORIZED
(9)[ 498603.425] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498603.425] WARN ziti-sdk:bind.c:210 session_cb() server[0.76] failed to get session for service[HOST-tcp-10.10.10.23-6443-INTERCEPTS-tcp-10.10.10.23-6443-TO-6443]: -14/UNAUTHORIZED
(9)[ 498603.784] WARN ziti-sdk:ziti_ctrl.c:487 verify_api_session() ctrl[ztc.euprojects.net] no API session
(9)[ 498603.784] WARN ziti-sdk:bind.c:210 session_cb() server[0.22] failed to get session for service[tcp-10.10.10.61]: -14/UNAUTHORIZED
error from daemon in stream: Error grabbing logs: invalid character '\x00' looking for beginning of value
Naturally we can use the restart: always option to mitigate this issue, but we would like to know the cause of the problem. I have also added the following logging object in a recently updated docker-compose.yaml file:
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
While this will help reduce the storage size of the ziti container logs (which I assume it is natural for them to fill up after some time), I am not entirely certain if this is the root issue. It is of course a bit difficult to replicate the error, since the exits appear to be quite random. In fact, some machines are rarely, if ever affected.
Any assistance would be greatly appreciated.
Welcome to the OpenZiti community.