Hello, I’m working on some security lab experiments and would like to create an edge tunneler endpoint on a Docker host running various services to set up as an endpoint in CloudZiti. I’ve downloaded the .jwt key for this Docker container and installed the container using PortainerCE. I’d like to pass along the necessary config by editing the image and deploying the configured image with Portainer, but after following the instructions (but using Portainer’s GUI) here: ziti-tunnel-sdk-c/docker at main · openziti/ziti-tunnel-sdk-c · GitHub
it fails. Here is the log:
WARN: the identities directory is only available inside this container because /ziti-edge-tunnel is not a mounted volume. Be careful to not publish this image with identity inside or lose access to the identity by removing the image prematurely.
ls: cannot access '/ziti-edge-tunnel/*.json': No such file or directory
ERROR: NF_REG_NAME not set and zero identities found in /ziti-edge-tunnel
I have a volume bound with the .jwt file placed there, and I’ve tried adding the environment variables for ZITI_IDENTITY_BASENAME, but that’s the error. Has anyone done this with Portainer who can help me step through it this way? This instance of Docker is running on a NAS device and I don’t normally use Docker Compose or manually set anything up there using the CLI. If I just need to do it that way, please advise. Could be much more accessible for Docker managers who choose not to be Docker experts like myself.
It looks like you need to enroll the jwt to get the identity.json file created. Then, you need to mount the folder where you have your json file to the container's "/ziti-edge-tunnel".
Yes, thanks- I found some other issues which were getting in the way, but now I have some new log results related to exactly that:
WARN: the identities directory is only available inside this container because /ziti-edge-tunnel is not a mounted volume. Be careful to not publish this image with identity inside or lose access to the identity by removing the image prematurely.
INFO: setting NF_REG_NAME to ${ZITI_IDENTITY_BASENAME} (StandardPro-NAS)
DEBUG: waiting 1s for /ziti-edge-tunnel/StandardPro-NAS.json (or token) to appear
INFO: identity file /ziti-edge-tunnel/StandardPro-NAS.json does not exist
INFO: looking for /var/run/secrets/netfoundry.io/enrollment-token/StandardPro-NAS.jwt
INFO: looking for /enrollment-token/StandardPro-NAS.jwt
INFO: looking for /ziti-edge-tunnel/StandardPro-NAS.jwt
INFO: enrolling /ziti-edge-tunnel/StandardPro-NAS.jwt
(7)[ 0.000] INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(7)[ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2171 enroll() failed to open file /ziti-edge-tunnel/StandardPro-NAS.json: Read-only file system(30)
ERROR: failed to enroll with token from /ziti-edge-tunnel/StandardPro-NAS.jwt (955B)
WARN: the identities directory is only available inside this container because /ziti-edge-tunnel is not a mounted volume. Be careful to not publish this image with identity inside or lose access to the identity by removing the image prematurely.
INFO: setting NF_REG_NAME to ${ZITI_IDENTITY_BASENAME} (StandardPro-NAS)
DEBUG: waiting 1s for /ziti-edge-tunnel/StandardPro-NAS.json (or token) to appear
INFO: identity file /ziti-edge-tunnel/StandardPro-NAS.json does not exist
INFO: looking for /var/run/secrets/netfoundry.io/enrollment-token/StandardPro-NAS.jwt
INFO: looking for /enrollment-token/StandardPro-NAS.jwt
INFO: looking for /ziti-edge-tunnel/StandardPro-NAS.jwt
INFO: enrolling /ziti-edge-tunnel/StandardPro-NAS.jwt
(8)[ 0.000] INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(8)[ 0.000] ERROR ziti-edge-tunnel:ziti-edge-tunnel.c:2171 enroll() failed to open file /ziti-edge-tunnel/StandardPro-NAS.json: Read-only file system(30)
ERROR: failed to enroll with token from /ziti-edge-tunnel/StandardPro-NAS.jwt (955B)
WARN: the identities directory is only available inside this container because /ziti-edge-tunnel is not a mounted volume. Be careful to not publish this image with identity inside or lose access to the identity by removing the image prematurely.
INFO: setting NF_REG_NAME to ${ZITI_IDENTITY_BASENAME} (StandardPro-NAS)
DEBUG: waiting 1s for /ziti-edge-tunnel/StandardPro-NAS.json (or token) to appear
INFO: identity file /ziti-edge-tunnel/StandardPro-NAS.json does not exist
INFO: looking for /var/run/secrets/netfoundry.io/enrollment-token/StandardPro-NAS.jwt
INFO: looking for /enrollment-token/StandardPro-NAS.jwt
INFO: looking for /ziti-edge-tunnel/StandardPro-NAS.jwt
INFO: enrolling /ziti-edge-tunnel/StandardPro-NAS.jwt
(8)[ 0.000] INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(8)[ 0.000] INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(8)[ 0.000] INFO ziti-sdk:ziti_enroll.c:92 ziti_enroll() Ziti C SDK version 0.32.3 @28b2219(HEAD) starting enrollment at (2023-05-22T20:01:07.167)
/docker-entrypoint.sh: line 152: 8 Segmentation fault ziti-edge-tunnel enroll --jwt "${JWT_FILE}" --identity "${IDENTITY_FILE}"
ERROR: failed to enroll with token from /ziti-edge-tunnel/StandardPro-NAS.jwt (955B)
Yep, if you provide a .jwt file it should enroll it for you as well. Also, if you want it to enroll for you, you need to make that mounted folder writable as well. If you do it yourself, then the mounted volume can be read-only.
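The two failure modes in the logs above ("zero identities found" and "failed to open file ... Read-only file system(30)") both come down to what is sitting in the host directory bound to /ziti-edge-tunnel and whether the container can write to it. The script below is an added example, not code from the thread or from the openziti project: it checks the host directory the way the entrypoint does, then starts the tunneler with a read-write bind mount. The mount path /ziti-edge-tunnel, the ZITI_IDENTITY_BASENAME variable and the .jwt/.json lookup order are taken from the logs in this thread; the image name openziti/ziti-edge-tunnel, the NET_ADMIN capability and the /dev/net/tun device are assumed from the linked README and should be checked against it for your version. Because an enrollment token is single-use, the preflight prefers an existing .json over a .jwt, so a retry after a partial enrollment does not try to spend the token again.

```shell
#!/bin/sh
# Added example (not the project's own code). Usage:
#   sh ziti-tunnel-up.sh /volume1/docker/ziti StandardPro-NAS
# Assumptions: image openziti/ziti-edge-tunnel, --cap-add NET_ADMIN and
# --device /dev/net/tun, as described in the openziti docker README.

# preflight DIR BASENAME
# Prints one status word, mirroring what the container's entrypoint would do:
#   ok-identity  BASENAME.json present: already enrolled, mount may be read-only
#   ok-token     BASENAME.jwt present and DIR writable: entrypoint will enroll
#   readonly     BASENAME.jwt present but DIR not writable: "Read-only file system(30)"
#   missing      neither file present: "zero identities found"
#   nodir        DIR does not exist
preflight() {
  dir=$1
  name=$2
  [ -d "$dir" ] || { echo nodir; return 1; }
  if [ -f "$dir/$name.json" ]; then
    echo ok-identity
    return 0
  fi
  if [ -f "$dir/$name.jwt" ]; then
    # Actually create a file rather than trusting [ -w ]: root passes -w on a
    # chmod 555 directory, and a ro bind mount only shows up on a real write.
    if probe=$(mktemp "$dir/.probe.XXXXXX" 2>/dev/null); then
      rm -f "$probe"
      echo ok-token
      return 0
    fi
    echo readonly
    return 1
  fi
  echo missing
  return 1
}

# start_tunneler DIR BASENAME
# Bind DIR read-write on /ziti-edge-tunnel (no :ro suffix) so the entrypoint
# can write BASENAME.json next to BASENAME.jwt. The identity then lives on the
# host, so recreating the container reuses it instead of re-enrolling.
start_tunneler() {
  dir=$1
  name=$2
  docker run -d --name ziti-edge-tunnel --restart unless-stopped \
    --cap-add NET_ADMIN --device /dev/net/tun \
    -v "$dir:/ziti-edge-tunnel" \
    -e ZITI_IDENTITY_BASENAME="$name" \
    openziti/ziti-edge-tunnel:latest
}

main() {
  status=$(preflight "$1" "$2")
  case $status in
    ok-identity|ok-token)
      start_tunneler "$1" "$2" ;;
    *)
      echo "preflight: $status, fix $1 before starting the container" >&2
      exit 1 ;;
  esac
}

if [ $# -ge 2 ]; then
  main "$@"
fi
```

In Portainer the same two settings are the Volumes tab (bind the host folder to /ziti-edge-tunnel and leave it writable, not read-only) and the Env tab (ZITI_IDENTITY_BASENAME set to the token's basename, StandardPro-NAS here). Once the .json exists in that folder you can flip the mount to read-only, as the reply above notes.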
Well, now it fails saying that the supplied token is not valid. Is that because it failed at that first attempt with the seg fault? So do I need to delete the .json and .jwt files and replace it with a new one? Any thoughts on the seg fault? This is not a very powerful bit of hardware.
Looking at my CloudZiti configuration, it now shows this endpoint as registered despite the failed container deployment. Giving up for the day is looking more and more appealing.
Yes, a .json file was created despite the failure of the container. It exited the entrypoint.sh script with a segmentation fault, but somehow created the .json identity file and registered it with CloudZiti. The container won’t run after failing to start completely though. I guess I just can’t do this with Portainer and have to do it manually and learn more about Docker than I ever wanted to.
I started from scratch and get the same segmentation fault error on this host at line 152 of entrypoint.sh. Maybe I’ll re-think my approach and ask a more architecture / design level question here when I can pose it intelligently. My quick and dirty attempt to get things running is going in the wrong direction. Thanks for the help.
But remember that I'm trying to do this through Portainer's GUI, so that may be the issue. If this isn't easier with Docker/Portainer for me, I'll just create a Linux VM for the sole purpose of running Ziti services. I have a feeling that the Docker instance on a low-powered NAS device with 4GB of RAM is not ideal, but that's where all the web services I wanted to configure with CloudZiti exist, so it seemed a logical starting point.
OK, that’s helpful. On this particular NAS, however, if I can’t do it simply with PortainerCE, it doesn’t make sense to try to manually use Docker due to the strange custom OS on it. As long as the tunneler can be on a separate host, probably best in my use case to just go with a separate VM and not bother with Docker since I’m not trying to be a Docker master and it’s not my comfort zone.