Docker settings.json issue

[Berndinox]

docker logs zac /usr/src/app/run-zac.sh: line 34: /usr/src/app/assets/data/settings.json: No such file or directory

https://github.com/openziti/ziti-console/blob/89fc0a40fb2726bc850a0007062c1f57972c121b/run-zac.sh#L34

there is no aassets folder in the container:

root@4fc09cb5a0c5:/usr/src/app# ls -lah
total 132K
drwxr-xr-x   1 root root 4.0K May 14 20:25 .
drwxr-xr-x   1 root root 4.0K May 14 20:25 ..
drwxr-xr-x   5 root root 4.0K May  7 21:23 dist
drwxr-xr-x 727 root root  20K May  7 21:21 node_modules
-rw-r--r--   1 root root 5.2K May  7 21:19 package.json
-rwxr-xr-x   1 root root 2.3K May  7 21:19 run-zac.sh
-rw-r-----   1 root root 6.3K May 14 19:52 server.chain.pem
-rw-r--r--   1 root root  66K May  7 21:19 server.js
-rw-r-----   1 root root 3.2K May 14 19:49 server.key
drwxr-xr-x   2 root root 4.0K May 14 20:25 sessions

after mounting the file pre-created it seems like settings.json is ignored entirely.

[qrkourier]

Hi over here too @Berndinox! I'm sorry you encountered the Node console server that we're in the process of deprecating. :disappointed:

Would you be willing to try the new console deployment?

Here's the doc preview: https://ziti-doc-git-docker-console-openziti.vercel.app/docs/guides/deployments/docker/console

This method will start working with the next controller release. Until then, you can use the container image openziti/ziti-controller:release-next with this method.

Here's some reasons this is better:

• uses the controller container's mgmt port (default: 1280) so you don't need a separate deployment for the console
• it's a single-page (static files only) app, so there's no standalone server to expose zero days, etc.

[Berndinox]

@qrkourier - i tried implementing: https://openziti.io/docs/guides/deployments/linux/console but get an Error when loading: CKR_GENERAL_ERROR

My config (basicly default), following the guides: https://openziti.io/docs/guides/deployments/linux/controller/deploy I also was possible to register the same server as router.

If i add alternate certs for the listener (same certs) i got an error when restarting the controller service..

What did i miss?

v: 3

#trace:
#  path: "ziti.domain.onl.trace"

#profile:
#  memory:
#    path: ctrl.memprof

db:                     "/var/lib/private/ziti-controller/bbolt.db"
# uncomment and configure to enable HA
# raft:
#   dataDir:         "/var/lib/private/ziti-controller/raft"
#   minClusterSize:  1

identity:
  cert:        "pki/intermediate/certs/client.cert"
  server_cert: "pki/intermediate/certs/server.chain.pem"
  key:         "pki/intermediate/keys/server.key"
  ca:          "pki/root/certs/root.cert"
  #alt_server_certs:
  #  - server_cert:  ""
  #    server_key:   ""

# Network Configuration
#
# Configure how the controller will establish and manage the overlay network, and routing operations on top of
# the network.
#
#network:

  # routeTimeoutSeconds controls the number of seconds the controller will wait for a route attempt to succeed.
  #routeTimeoutSeconds:  10

  # createCircuitRetries controls the number of retries that will be attempted to create a path (and terminate it)
  # for new circuits.
  #createCircuitRetries: 2

  # pendingLinkTimeoutSeconds controls how long we'll wait before creating a new link between routers where
  # there isn't an established link, but a link request has been sent
  #pendingLinkTimeoutSeconds: 10

  # Defines the period that the controller re-evaluates the performance of all of the circuits
  # running on the network.
  #
  #cycleSeconds:         15

  # Sets router minimum cost. Defaults to 10
  #minRouterCost: 10

  # Sets how often a new control channel connection can take over for a router with an existing control channel connection
  # Defaults to 1 minute
  #routerConnectChurnLimit: 1m

  # Sets the latency of link when it's first created. Will be overwritten as soon as latency from the link is actually
  # reported from the routers. Defaults to 65 seconds.
  #initialLinkLatency: 65s

  #smart:
    #
    # Defines the fractional upper limit of underperforming circuits that are candidates to be re-routed. If
    # smart routing detects 100 circuits that are underperforming, and `smart.rerouteFraction` is set to `0.02`,
    # then the upper limit of circuits that will be re-routed in this `cycleSeconds` period will be limited to
    # 2 (2% of 100).
    #
    #rerouteFraction:    0.02
    #
    # Defines the hard upper limit of underperforming circuits that are candidates to be re-routed. If smart
    # routing detects 100 circuits that are underperforming, and `smart.rerouteCap` is set to `1`, and
    # `smart.rerouteFraction` is set to `0.02`, then the upper limit of circuits that will be re-routed in this
    # `cycleSeconds` period will be limited to 1.
    #
    #rerouteCap:         4

# the endpoint that routers will connect to the controller over.
ctrl:
  options:
    advertiseAddress: tls:ziti.domain.onl:1280
  # (optional) settings
  # set the maximum number of connect requests that are buffered and waiting to be acknowledged (1 to 5000, default 1)
  #maxQueuedConnects:      1
  # the maximum number of connects that have  begun hello synchronization (1 to 1000, default 16)
  #maxOutstandingConnects: 16
  # the number of milliseconds to wait before a hello synchronization fails and closes the connection (30ms to 60000ms, default: 5000ms)
  #connectTimeoutMs:       5000
  listener:             tls:0.0.0.0:1280

#metrics:
#  influxdb:
#    url:                http://localhost:8086
#    database:           ziti

# xctrl_example
#
#example:
#  enabled:              false
#  delay:                5s

healthChecks:
  boltCheck:
    # How often to try entering a bolt read tx. Defaults to 30 seconds
    interval: 30s
    # When to time out the check. Defaults to 20 seconds
    timeout: 20s
    # How long to wait before starting the check. Defaults to 30 seconds
    initialDelay: 30s

# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this
# section, commenting out, or altering the name of the section will cause the edge to not run.
edge:
  # This section represents the configuration of the Edge API that is served over HTTPS
  api:
    #(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted
    # activityUpdateInterval: 90s
    #(optional, default 250) The number of API Sessions updated for last activity per transaction
    # activityUpdateBatchSize: 250
    # sessionTimeout - optional, default 30m
    # The number of minutes before an Edge API session will time out. Timeouts are reset by
    # API requests and connections that are maintained to Edge Routers
    sessionTimeout: 30m
    # address - required
    # The default address (host:port) to use for enrollment for the Client API. This value must match one of the addresses
    # defined in this Controller.WebListener.'s bindPoints.
    address: ziti.klaus.onl:1280
  # This section is used to define option that are used during enrollment of Edge Routers, Ziti Edge Identities.
  enrollment:
    # signingCert - required
    # A Ziti Identity configuration section that specifically makes use of the cert and key fields to define
    # a signing certificate from the PKI that the Ziti environment is using to sign certificates. The signingCert.cert
    # will be added to the /.well-known CA store that is used to bootstrap trust with the Ziti Controller.
    signingCert:
      cert: pki/intermediate/certs/intermediate.cert
      key:  pki/intermediate/keys/intermediate.key
    # edgeIdentity - optional
    # A section for identity enrollment specific settings
    edgeIdentity:
      # duration - optional, default 180m
      # The length of time that a Ziti Edge Identity enrollment should remain valid. After
      # this duration, the enrollment will expire and no longer be usable.
      duration: 180m
    # edgeRouter - Optional
    # A section for edge router enrollment specific settings.
    edgeRouter:
      # duration - optional, default 180m
      # The length of time that a Ziti Edge Router enrollment should remain valid. After
      # this duration, the enrollment will expire and no longer be usable.
      duration: 180m

# web
# Defines webListeners that will be hosted by the controller. Each webListener can host many APIs and be bound to many
# bind points.
web:
  # name - required
  # Provides a name for this listener, used for logging output. Not required to be unique, but is highly suggested.
  - name: client-management
    # bindPoints - required
    # One or more bind points are required. A bind point specifies an interface (interface:port string) that defines
    # where on the host machine the webListener will listen and the address (host:port) that should be used to
    # publicly address the webListener(i.e. mydomain.com, localhost, 127.0.0.1). This public address may be used for
    # incoming address resolution as well as used in responses in the API.
    bindPoints:
      #interface - required
      # A host:port string on which network interface to listen on. 0.0.0.0 will listen on all interfaces
      - interface: 0.0.0.0:1280
        # address - required
        # The public address that external incoming requests will be able to resolve. Used in request processing and
        # response content that requires full host:port/path addresses.
        address: ziti.klaus.onl:1280
    # identity - optional
    # Allows the webListener to have a specific identity instead of defaulting to the root 'identity' section.
    identity:
      ca:          "pki/root/certs/root.cert"
      key:         "pki/intermediate/keys/server.key"
      server_cert: "pki/intermediate/certs/server.chain.pem"
      cert:        "pki/intermediate/certs/client.cert"
      #alt_server_certs:
      #- server_cert: ""
      #  server_key:  ""

    # options - optional
    # Allows the specification of webListener level options - mainly dealing with HTTP/TLS settings. These options are
    # used for all http servers started by the current webListener.
    options:
      # idleTimeoutMs - optional, default 5000ms
      # The maximum amount of idle time in milliseconds allowed for pipelined HTTP requests. Setting this too high
      # can cause resources on the host to be consumed as clients remain connected and idle. Lowering this value
      # will cause clients to reconnect on subsequent HTTPs requests.
      idleTimeout: 5000ms  #http timeouts, new
      # readTimeoutMs - optional, default 5000ms
      # The maximum amount of time in milliseconds http servers will wait to read the first incoming requests. A higher
      # value risks consuming resources on the host with clients that are acting bad faith or suffering from high latency
      # or packet loss. A lower value can risk losing connections to high latency/packet loss clients.
      readTimeout: 5000ms
      # writeTimeoutMs - optional, default 100000ms
      # The total maximum time in milliseconds that the http server will wait for a single requests to be received and
      # responded too. A higher value can allow long-running requests to consume resources on the host. A lower value
      # can risk ending requests before the server has a chance to respond.
      writeTimeout: 100000ms
      # minTLSVersion - optional, default TLS1.2
      # The minimum version of TSL to support
      minTLSVersion: TLS1.2
      # maxTLSVersion - optional, default TLS1.3
      # The maximum version of TSL to support
      maxTLSVersion: TLS1.3
    # apis - required
    # Allows one or more APIs to be bound to this webListener
    apis:
      # binding - required
      # Specifies an API to bind to this webListener. Built-in APIs are
      #   - edge-management
      #   - edge-client
      #   - fabric-management
      - binding: edge-management
        # options - arg optional/required
        # This section is used to define values that are specified by the API they are associated with.
        # These settings are per API. The example below is for the 'edge-api' and contains both optional values and
        # required values.
        options: { }
      - binding: edge-client
        options: { }
      - binding: fabric
        options: { }
      - binding: zac
        options:
          location: /var/lib/ziti-controller/zac
          indexFile: index.html

[qrkourier]

It looks good at a glance. I assume you unzipped the console's static files in /var/lib/ziti-controller/zac.

This config works, but you get an error message containing the string CKR_GENERAL_ERROR when you modify this config to also bind an alternative server certificate on the web listener's identity for the zac binding?

[qrkourier]

@Berndinox Now I see you mentioned "same certs." Does that mean you are trying to configure the zac binding's web listener's server certificate pki/intermediate/certs/server.chain.pem also as the alternative server certificate?

If so, there's no need to configure an alternative certificate if you wish to use the same certificate because you can visit the console and use it with the certificate that's already configured for that web listener.

You might want an alternative server certifcate for the console so that the web browser will be able to verify the certificate and show a secure HTTPS connection. If so, then you must obtain the alternative certificate from a public CA like Lets Encrypt and the DNS name on the certificate must be distinct from the controller's address.

[Berndinox]

Hy, thanks for your replay. I just tried it, also without alt binding i get a CGK error. How can i troubleshoot?

[qrkourier]

@Berndinox, is this accurate? The controller package is installed on Linux and the service's journal contains a message like CKR_GENERAL_ERROR when you start it, but only when the zac binding is enabled. The controller keeps running after the error, but the console does not work.

Let's enable debug logging for the controller running in a systemd service.

In /etc/systemd/system/ziti-controller.service.d/override.conf, add these three lines including the empty ExecStart assignment and reload with sudo systemctl daemon-reload and restart the service.

[Service]
ExecStart=
ExecStart=/opt/openziti/etc/controller/entrypoint.bash run config.yml --verbose

What is the rest of the error message from the journal?