Zrok share reserved in docker container (service not found in ziti network)

Hi!

I was just messing around testing Zrok to share a plex instance via a tcpTunnel which works fine for the most part but I wanted to try using reserves as my token kept changing.

So this works if I run from the command line on the source like this

    zrok share reserved **tokengoeshere** --insecure --headless

and then on the remote VPS end I run the usual docker compose up with a reference to that token and it works fine.

The problem comes when running the `zrok share reserved tokengoeshere --insecure --headless` in a docker compose file on the source end, I get this error

    [ERROR]: error creating tcpTunnel backend (error listening: service 'tokengoeshere' not found in ziti network)

It's like the container is not aware of it.

This is the compose file on the source that isn't working

    services:
      zrok-init:
        image: busybox
        # matches uid:gid of "nobody" in zrok container image
        command: chown -Rc 65534:65534 /mnt/.zrok
        user: root
        volumes:
          - zrok_env:/mnt/.zrok

      # enable zrok environment
      zrok-enable:
        image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
        depends_on:
          zrok-init:
            condition: service_completed_successfully
        entrypoint: zrok-enable.bash
        volumes:
          - zrok_env:/mnt
        environment:
          STATE_DIRECTORY: /mnt
          ZROK_ENABLE_TOKEN: ZROKENABLETOKEN
          ZROK_API_ENDPOINT: http://10.60.0.174:18080
          ZROK_ENVIRONMENT_NAME: plex-tunnel

      zrok-share:
        image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
        restart: always
        network_mode: host
        entrypoint:
        - bash
        - -euxc
        - |
          echo "DEBUG: HOME=$${HOME}"
          ls -lA /mnt/.zrok/
          exec zrok $${@}
        #command: -- share public --headless --backend-mode proxy ${ZROK_TARGET:-http://10.12.99.102:32400/}
        #command: -- share private 127.0.0.1:32400 --backend-mode tcpTunnel --insecure --headless
        command: -- share reserved **tokengoeshere** --insecure --headless
        depends_on:
          zrok-enable:
            condition: service_completed_successfully
        volumes:
          - zrok_env:/mnt
        environment:
          HOME: /mnt
          PFXLOG_NO_JSON: "true"


    volumes:
      zrok_env:

Previous to running the compose file I get the token by manually running on the source

    zrok reserve private 127.0.0.1:32400 --backend-mode tcpTunnel

Also I'm running a self hosted ziti controller/router at the VPS end.

Any ideas as to what could be a way to fix this or what I'm doing wrong?

Thanks!

Jon.

Hi @bodleytunes, welcome to the community and to zrok and OpenZiti!

It sounds to me like the docker container is not getting 'enabled' correctly. The zrok-enable container should be doing that. Have you looked at the logs from that container? Is there any sort of error shown? I'd think there was an error in there that might lead to the actual problem manifesting.

Can you look at the container logs and see if anything helpful is in there?

Hey there @bodleytunes. The problem is that the reserved share token belongs to your login user's zrok environment on the Docker host, not the one you enabled inside the container.

With Docker and zrok, you have two different approaches to managing your zrok env:

  1. isolated from the Docker host in the container volume like the compose file you're using
  2. mounting your user's zrok env from the Docker host into the container

I think you want the second option here because you already have zrok installed on the Docker host and you've reserved a share token for that enabled zrok environment.

Here's how I'd re-write your compose file to start mounting the existing zrok environment instead of creating a new one.

    services:
      zrok:
        image: openziti/zrok
        user: "${UID}"
        volumes:
          - ${HOME}/.zrok:/.zrok
        environment:
          PFXLOG_NO_JSON: "true"
        command: share reserved "tokengoeshere" --headless
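
A check for the mismatch described in the reply above, as an added example that is not part of the thread or of the zrok project's code: it compares the environment record of the directory where `zrok reserve` was run with the one the sharing container uses. It assumes zrok keeps that record in `environment.json` with `ziti_identity` and `api_endpoint` keys; the function names and sample identities are constructed.

```python
import json
import sys
import tempfile
from pathlib import Path

# Assumption: an enabled environment is recorded in <dir>/environment.json
# with these keys. zrok_token is a secret and is never compared or printed.
COMPARED_KEYS = ("api_endpoint", "ziti_identity")

def load_env(zrok_dir):
    """Return the environment record of a .zrok directory, or None if absent."""
    try:
        return json.loads((Path(zrok_dir) / "environment.json").read_text())
    except FileNotFoundError:
        return None

def compare_envs(reserving_dir, sharing_dir):
    """Reasons a share reserved from reserving_dir cannot be served from
    sharing_dir. An empty list means both are the same zrok environment."""
    envs = {d: load_env(d) for d in (reserving_dir, sharing_dir)}
    problems = [f"{d}: no enabled zrok environment" for d, e in envs.items() if e is None]
    if problems:
        return problems
    a, b = envs[reserving_dir], envs[sharing_dir]
    return [f"{k} differs: {a.get(k)!r} vs {b.get(k)!r}"
            for k in COMPARED_KEYS if a.get(k) != b.get(k)]

def demo():
    """Constructed sample: host env vs. the env enabled inside the container."""
    root = Path(tempfile.mkdtemp())
    api = "http://10.60.0.174:18080"  # endpoint from the compose file in the thread
    samples = {"host": "hostZid01", "container": "ctrZid02"}  # constructed ids
    for name, zid in samples.items():
        (root / name).mkdir()
        (root / name / "environment.json").write_text(json.dumps(
            {"zrok_token": "REDACTED", "ziti_identity": zid, "api_endpoint": api}))
    (root / "empty").mkdir()  # a directory that was never enabled
    return (compare_envs(root / "host", root / "host"),
            compare_envs(root / "host", root / "container"),
            compare_envs(root / "host", root / "empty"))

if __name__ == "__main__":
    if len(sys.argv) == 3:
        issues = compare_envs(sys.argv[1], sys.argv[2])
        print("\n".join(issues) or "same zrok environment")
        sys.exit(1 if issues else 0)
    for result in demo():
        print(result)
```

Run it with two directories, for example the host's `~/.zrok` and a copy of `/mnt/.zrok` taken from the `zrok_env` volume; with no arguments it runs the constructed sample.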

Thanks I will try mounting and see what happens!

Jon.