Closed qrkourier closed 1 year ago
Here's an example invocation using the `ziti-tun` service from the Compose project in this repo, `/docker/docker-compose.yml`. In this case there's another instance of `ziti-edge-tunnel` already running in another PID so I selected a discrete `dns-ip-range`, but the result is the same when there's only one instance using the default range.
```
❯ ZITI_IDENTITY_BASENAME=webhookz1-client1 docker compose run ziti-tun run --verbose=6 --dns-ip-range=100.80.0.0/12
INFO: setting NF_REG_NAME to ${ZITI_IDENTITY_BASENAME} (webhookz1-client1)
DEBUG: waiting 1s for /ziti-edge-tunnel/webhookz1-client1.json (or token) to appear
INFO: found identity file /ziti-edge-tunnel/webhookz1-client1.json
DEBUG: evaluating positionals: run --verbose=6 --dns-ip-range=100.80.0.0/12
INFO: running ziti-edge-tunnel
+ ZITI_EDGE_TUNNEL_PID=8
+ wait 8
+ ziti-edge-tunnel run --identity /ziti-edge-tunnel/webhookz1-client1.json --verbose=6 --dns-ip-range=100.80.0.0/12
(8)[ 0.000] DEBUG ziti-edge-tunnel:utils.c:33 run_command_va() system(ip link set tun1 up) returned 0
(8)[ 0.000] DEBUG ziti-edge-tunnel:utils.c:33 run_command_va() system(ip addr add 100.80.0.0 dev tun1) returned 0
(8)[ 0.000] DEBUG ziti-edge-tunnel:tun.c:295 init_dns_maintainer() setting up NETLINK listener
(8)[ 0.000] DEBUG ziti-edge-tunnel:utils.c:33 run_command_va() system(ip route add 100.80.0.0/12 dev tun1) returned 0
(8)[ 0.000] INFO tunnel-sdk:ziti_tunnel.c:60 create_tunneler_ctx() Ziti Tunneler SDK (v0.20.0)
(8)[ 0.000] INFO tunnel-cbs:ziti_dns.c:171 seed_dns() DNS configured with range 100.80.0.0 - 100.95.255.255 (1048574 ips)
(8)[ 0.000] DEBUG tunnel-sdk:ziti_tunnel.c:321 ziti_tunneler_intercept() intercepting address[udp:100.80.0.1/32:53] service[ziti:dns-resolver]
(8)[ 0.018] DEBUG ziti-edge-tunnel:tun.c:271 on_dns_update_time() queuing DNS update
(8)[ 0.018] INFO tunnel-cbs:ziti_tunnel_ctrl.c:864 load_ziti_async() attempting to load ziti instance from file[/ziti-edge-tunnel/webhookz1-client1.json]
(8)[ 0.018] INFO tunnel-cbs:ziti_tunnel_ctrl.c:871 load_ziti_async() loading ziti instance from /ziti-edge-tunnel/webhookz1-client1.json
(8)[ 0.018] INFO ziti_log_set_level set log level: root=6
(8)[ 0.018] ERROR ziti-edge-tunnel:tun.c:251 find_dns_updater() could not find a way to configure system resolver. Ziti DNS functionality will be impaired
(8)[ 0.018] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:1100 load_id_cb() identity[/ziti-edge-tunnel/webhookz1-client1.json] loaded
(8)[ 0.018] WARN ziti-edge-tunnel:instance.c:38 find_tunnel_identity() Identity ztx[/ziti-edge-tunnel/webhookz1-client1.json] is not loaded yet or already removed.
(8)[ 0.018] DEBUG ziti-edge-tunnel:utils.c:33 run_command_va() system(grep -q '^nameserver 100.80.0.1' /etc/resolv.conf) returned 256
```
Relevant portion of the Compose project:
```yaml
version: "3.9"
x-base-service: &base-service
  image: openziti/ziti-edge-tunnel
  devices:
    - /dev/net/tun:/dev/net/tun
  volumes:
    - .:/ziti-edge-tunnel
    - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
  environment:
    - ZITI_IDENTITY_BASENAME # inherit when run like this: ZITI_IDENTITY_BASENAME=AcmeIdentity docker-compose up ziti-tun
    - ZITI_ENROLL_TOKEN # ZITI_IDENTITY_BASENAME=AcmeIdentity ZITI_ENROLL_TOKEN={JWT} docker-compose up ziti-tun
    - PFXLOG_NO_JSON=true # suppress JSON logging
  network_mode: host # use the Docker host's network, not the Docker bridge
  privileged: true
services:
  ziti-tun: # tunneler for one Ziti identity
    <<: *base-service
    command:
      - --verbose=4
      - --dns-ip-range=100.64.64.0/18
```
It was previously possible to deliver the tunneler to a device and run it in a privileged container as an intercepting proxy with nameserver, but it appears that recent releases always get this error despite having the same run params and environment:
After failing `systemd-resolved` configuration, the tunneler falls back to attempt manipulating `/etc/resolv.conf`, which is not desirable when running in a container because the container runtime typically provides that file.

I'll take the first steps to confirm that this mode of operation is still possible with older releases so we can narrow possible causes.
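An added diagnostic, not part of the issue or of ziti-edge-tunnel, for checking the two resolver paths the report describes from inside a container: it derives the resolver address and IP count a `--dns-ip-range` implies (assumed from the log lines above: first host of the range, count minus network and broadcast), decodes the raw `system()` status the log prints (256 is exit code 1, i.e. grep found no line), and checks a constructed `/etc/resolv.conf` and the D-Bus socket path the Compose file mounts. The socket path default, the sample resolv.conf and the dictionary keys are this example's own choices.

```python
import ipaddress
import os
import re

# Constructed /etc/resolv.conf, as a container runtime typically writes it
# (here Docker's embedded DNS); it carries no Ziti nameserver line.
SAMPLE_RESOLV_CONF = """\
# Generated by Docker Engine.
nameserver 127.0.0.11
search example.internal
options ndots:0
"""


def dns_plan(dns_ip_range):
    """Derive what a --dns-ip-range implies, per the log lines in this issue:
    the resolver sits on the first host address and the reported IP count
    excludes the network and broadcast addresses (an assumption, not SDK code)."""
    net = ipaddress.ip_network(dns_ip_range, strict=True)
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "usable": net.num_addresses - 2,
        "resolver": str(net.network_address + 1),
    }


def system_exit_code(raw_status):
    """Decode a raw system() status: 'returned 256' in the log is exit code 1,
    i.e. grep found no matching line. None means the child died by a signal."""
    if raw_status & 0x7F:
        return None
    return (raw_status >> 8) & 0xFF


def nameserver_present(resolv_conf_text, resolver_ip):
    """Whole-line check for 'nameserver <resolver_ip>'; comment lines never match."""
    pattern = r"(?m)^nameserver[ \t]+" + re.escape(resolver_ip) + r"[ \t]*$"
    return re.search(pattern, resolv_conf_text) is not None


def diagnose(dns_ip_range, resolv_conf_text, dbus_socket="/var/run/dbus/system_bus_socket"):
    """Report both resolver paths: the D-Bus socket the Compose file mounts for
    systemd-resolved (its presence is necessary, not sufficient) and resolv.conf."""
    plan = dns_plan(dns_ip_range)
    plan["dbus_socket_present"] = os.path.exists(dbus_socket)
    plan["nameserver_in_resolv_conf"] = nameserver_present(resolv_conf_text, plan["resolver"])
    return plan
```

Run `diagnose("100.80.0.0/12", open("/etc/resolv.conf").read())` inside the container to see whether either path can work before reading the tunneler's own log.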