Zrok Self-Hosted: Identities Offline and No Terminators for Private Shares

Hello everyone,

I'm seeking some guidance with a self-hosted zrok setup that I've integrated with my existing OpenZiti network. I've followed the "zrok Self-Hosted" documentation and have successfully connected zrok to my OpenZiti instance. However, I'm encountering a couple of issues.

Here are the problems I'm facing:

  1. Identities Appear Offline: After I run the zrok enable <token> command, the identities that are created in my OpenZiti controller appear as offline and are unable to connect.

  2. Missing Terminators for Reserved Shares: When I create the necessary reserved (private) shares for my use case, they are created in OpenZiti without any terminators. This prevents the requests from being routed to their final destination.

I feel like I'm missing a step in the configuration that connects these pieces. Could anyone point me in the right direction? What might I be doing wrong in this setup?

Any help would be greatly appreciated.

Thank you!

Hi @nathanpaulino. I'm not exactly sure what you're trying to look for with the online/offline status. If the zrok share is not active, it would make perfect sense to me that they show up as offline? Same goes for the missing terminators, if they aren't actively sharing, I wouldn't expect to see any.

zrok is built on and around OpenZiti but it's not meant (at this time) to be deeply integrated with OpenZiti so small things like this might be confusing, but shouldn't affect your zrok installation. If you are successfully sharing using zrok, it sounds like things are working properly.

Cheers

I think it's for the best to show my current zrok setup here before going any further.

On this setup, I'm creating a reserved share using the zrok reserve share private --backend-mode tcpTunnel <targetEndpoint> --unique-name devcluster command, and I'm accessing the share through my local machine using zrok access private devcluster.

After running the commands mentioned earlier, I was able to verify that only one of the identities created by zrok is currently online (the one related to my local machine; the other one, related to the machine where I created the reserved share, is currently offline). I hope that I cleared something up for you, @TheLumberjack.

When I tried to access the endpoint that I shared through my local machine (in this case 127.0.0.1:9191) however, I'm facing these errors below:

[ 672.532]   ERROR zrok/endpoints/tcpTunnel.(*Frontend).accept: error dialing 'devcluster': unable to dial service 'devcluster' (dial failed: service 2UrOsul9fff1gB12Q7INur has no terminators)

I was thinking that the reason for the terminator not being created is somehow related to my offline identity created by the zrok enable command on the machine where I created the share.

OK, I have a bit more information now. Overall, you're not able to use zrok because you get this no Terminator error and you're trying to troubleshoot why. You have both the zrok share and the zrok access running so they should show up online.

My guess would be that your OpenZiti router has the wrong advertised address and the zrok client can't actually connect to your router.

You should look through the logs of the OpenZiti router and controller for any hints as to what's wrong. You should also try to use verbose logging on the zrok clients along with the --headless option to see the logs and possibly send them to a file as needed.
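
One way to test the advertised-address guess above, as an added example that is not part of the original thread or of the zrok/OpenZiti projects: it reads the address each edge listener advertises in the router config and checks whether the machine running zrok can reach it. It assumes the usual router config layout (`listeners` entries with `binding: edge` and `options.advertise`); the function names and the sample hostname are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Constructed sample router config; the hostname is a placeholder.
SAMPLE_ROUTER_CONFIG='
listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: router.example.internal:3022
  - binding: tunnel
    options:
      mode: host
'

# Print the host:port advertised by every edge listener in a router config on stdin.
edge_advertise() {
  awk '
    /^[ \t]*-[ \t]*binding:/ { in_edge = ($NF == "edge") }
    in_edge && /^[ \t]*advertise:/ { v = $2; gsub(/"/, "", v); print v }
  '
}

# Flag addresses that a zrok client on another machine usually cannot reach.
advertise_problem() {
  host=${1%:*}
  case "$host" in
    localhost|127.*|0.0.0.0|::1|"[::1]") echo "loopback-or-wildcard" ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "private-range" ;;
    *) echo "ok" ;;
  esac
}

# Try a plain TCP connect to host:port (needs bash and coreutils timeout).
can_connect() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "${1%:*}" "${1##*:}" 2>/dev/null
}

# Usage: sh check_advertise.sh /path/to/router-config.yml  (run from the zrok client machine)
if [ -n "${1:-}" ]; then
  edge_advertise < "$1" | while read -r addr; do
    if can_connect "$addr"; then reach=reachable; else reach=UNREACHABLE; fi
    echo "$addr: $(advertise_problem "$addr"), $reach from this host"
  done
fi
```

Copy the router config to the machine where the share was reserved and run the script there; an address reported as loopback, wildcard or unreachable means that identity cannot connect to the router, which matches an offline identity and a service with no terminators.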