I would like to install a self-hosted instance of zrok. I am following the installation guide.
After starting my ziti-router service, I see these errors.
It is unclear where I should look to fix the error.
{"addr":"tls:0.0.0.0:3022","error":"no network interface found for 0.0.0.0","file":"github.com/openziti/ziti/router/xlink_transport/config.go:76","func":"github.com/openziti/ziti/router/xlink_transport.loadListenerConfig","level":"warning","msg":"unable to get interface for address","time":"2025-04-15T15:13:01.179Z"}
{"action":"Create","entries":1,"error":"out of order event detected, currentIndex: 1, receivedIndex: 0, type :*common.ForgetfulEventCache","file":"github.com/openziti/ziti/common/router_data_model.go:444","func":"github.com/openziti/ziti/common.(*RouterDataModel).ApplyChangeSet","index":0,"level":"error","msg":"could not apply change set","synthetic":false,"time":"2025-04-15T15:13:01.254Z","type":"*edge_ctrl_pb.DataState_Event_PublicKey"}
{"action":"Create","entries":1,"error":"out of order event detected, currentIndex: 1, receivedIndex: 0, type :*common.ForgetfulEventCache","file":"github.com/openziti/ziti/common/router_data_model.go:444","func":"github.com/openziti/ziti/common.(*RouterDataModel).ApplyChangeSet","index":0,"level":"error","msg":"could not apply change set","synthetic":false,"time":"2025-04-15T15:13:01.255Z","type":"*edge_ctrl_pb.DataState_Event_PublicKey"}
/var/lib/private/ziti-router/config.yml:
link:
  dialers:
    - binding: transport
  listeners:
    - binding: transport
      bind: tls:0.0.0.0:3022
      advertise: tls:fqdn:3022
      options:
        outQueueSize: 4
Can you bind anything to 0.0.0.0 at all? For example:
nc -l 0.0.0.0 12345
Is it possible you don't have IPv4 enabled? I would expect 0.0.0.0 to bind both IPv4 and IPv6. Do you need to use sudo for some reason?
Are we diagnosing this error warning?
{
  "addr": "tls:0.0.0.0:3022",
  "error": "no network interface found for 0.0.0.0",
  "file": "github.com/openziti/ziti/router/xlink_transport/config.go:76",
  "func": "github.com/openziti/ziti/router/xlink_transport.loadListenerConfig",
  "level": "warning",
  "msg": "unable to get interface for address",
  "time": "2025-04-15T15:13:01.179Z"
}
Is the symptom that ziti-router.service continually fails to start?
If the service did start, is it listening on port 3022? I expect not, but we can use this command later to verify that the problem was fixed.
❯ sudo lsof -Pnp $(systemctl show -p MainPID --value ziti-router.service ) |& grep 'TCP.*LISTEN'
ziti-router 622312 user 7u IPv4 6797524 0t0 TCP *:3022 (LISTEN)
EDIT: I later realized the log level of this message is "warning," not "error."
No. It is here, regardless of the error that I don't understand.
netstat -tnlp | grep 3022
tcp6 0 0 :::3022 :::* LISTEN 533304/ziti
You are right. This is exactly this error. But the router seems to run. Maybe I can continue with the installation of zrok.
I think it's safe to ignore this warning-level message if it's functioning as expected.
"level": "warning",
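An added example, not part of the thread or of OpenZiti's code: a triage of the router's JSON log lines by level, which separates the warning-level listener message from the two error-level "could not apply change set" lines in the original post. The sample lines are abridged copies of the ones quoted above plus one constructed non-JSON line; the function name `triage` and the severity table are this example's own assumptions.

```python
import json

# Assumed severity order (logrus-style names); lower number = more severe.
SEVERITY = {"panic": 0, "fatal": 1, "error": 2, "warning": 3, "info": 4, "debug": 5}

# Abridged copies of the router log lines quoted in the thread, plus one
# constructed non-JSON line such as a journal might interleave.
SAMPLE_LOG = """\
{"addr":"tls:0.0.0.0:3022","error":"no network interface found for 0.0.0.0","level":"warning","msg":"unable to get interface for address","time":"2025-04-15T15:13:01.179Z"}
{"error":"out of order event detected, currentIndex: 1, receivedIndex: 0, type :*common.ForgetfulEventCache","level":"error","msg":"could not apply change set","time":"2025-04-15T15:13:01.254Z"}
{"error":"out of order event detected, currentIndex: 1, receivedIndex: 0, type :*common.ForgetfulEventCache","level":"error","msg":"could not apply change set","time":"2025-04-15T15:13:01.255Z"}
constructed non-JSON line
"""

def triage(text, min_level="warning"):
    """Group JSON log lines at or above min_level by (level, msg).

    Returns (groups, skipped): groups is a list of dicts sorted most severe
    first; skipped counts lines that were not JSON objects.
    """
    threshold = SEVERITY[min_level]
    groups, skipped = {}, 0
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1
            continue
        level = str(rec.get("level", "")).lower()
        if SEVERITY.get(level, len(SEVERITY)) > threshold:
            continue  # below the threshold, or an unrecognised level
        g = groups.setdefault((level, rec.get("msg", "")), {
            "level": level, "msg": rec.get("msg", ""), "error": rec.get("error"),
            "count": 0, "first": rec.get("time"), "last": None})
        g["count"] += 1
        g["last"] = rec.get("time")
    ordered = sorted(groups.values(), key=lambda g: (SEVERITY[g["level"]], -g["count"]))
    return ordered, skipped

if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    for g in found:
        print(f'{g["level"]:8} x{g["count"]} {g["msg"]}: {g["error"]} ({g["first"]} .. {g["last"]})')
    print(f"skipped {skipped} non-JSON line(s)")
```

To run it against a live router, pass the output of `journalctl -u ziti-router.service -o cat` to `triage` in place of `SAMPLE_LOG`.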
Thank you.
What happens with the network if, for some reason, the host ZROK API ENDPOINT unfortunately becomes unavailable?
Should I deploy two controllers connected to the same postgres database? Probably the network will be dead.
The second question concerns the access side:
Does zrok access private need ZROK API ENDPOINT to function after the access has been created? The access side needs only edge routers, doesn't it?
Well, I see that it is used:
$ systemctl --user restart zrok-agent.service
$ for i in $(dig api-v1.zrok.io +short); do netstat -tn | grep $i; done
tcp 0 0 192.168.7.12:42716 34.200.133.147:443 ESTABLISHED
tcp 0 0 192.168.7.12:42714 34.200.133.147:443 ESTABLISHED
You'll be unable to manage shares and accesses or access the web console if the zrok controller isn't available.
An array of zrok controllers will behave as a single zrok instance if they share a PostgreSQL data source, which provides table locking.
You may scale out the zrok public frontends at will, optionally cloning a shared public frontend zrok environment since they always have the same authorizations.
The oauth frontend scales with the public frontend.
This PostgreSQL-specific locking configuration may be relevant if you're enforcing limits: Configuring Limits | zrok
This is great. Where can I read about it? It is doable to install two on two hosts.
Do you mean that I can repeat the installation of a controller on another host pointing to the same PostgreSQL database in etc/ctrl.yml?
That's how I expect it to work. You may be the first to attempt it. I assume you will need a load balancer or DNS round robin for each array of controllers and frontends.
You will probably have only one, but each public frontend must scale independently behind a LB (or RR) where a wildcard DNS record resolves and a wildcard certificate is bound, corresponding to that frontend's public share URL template.