search

openziti / ziti-tunnel-sdk-c

Apache License 2.0
43 stars 16 forks source link

ZET keeps trying to use disabled identity #644

Open qrkourier opened 1 year ago

qrkourier commented 1 year ago

Expectation: disabling an identity suppresses all log activity and outgoing connection attempts related to that identity

Observation: I used the desktop UI on Linux to toggle an identity off, but ZET keeps trying to use the inactive identity, so the log is full of WARN and ERROR messages about the unreachable controller. This doesn't prevent the active identities from functioning, but it adds a lot of noise when working with multiple identities.

Example logs while identity with identifier /opt/openziti/etc/identities/miniziti-client.json is Active: false.

May 04 13:45:27 kpop4 ziti-edge-tunnel[276821]: (276821)[      285.374]   ERROR ziti-sdk:ziti_ctrl.c:155 ctrl_resp_cb() ctrl[minicontroller.ziti] request failed: -113(host is unreachable)
May 04 13:45:27 kpop4 ziti-edge-tunnel[276821]: (276821)[      285.374]    WARN ziti-sdk:ziti.c:1451 api_session_cb() ztx[2] failed to get api session from ctrl[https://minicontroller.ziti:443] api_session_state[1] CONTROLLER_UNAVAILABLE[-15] host is unreachable
❯ ziti-edge-tunnel tunnel_status|sed -E 's/(^received\sresponse\s<|>$)//g'|jq '.Data.Identities[]|{Identifier: .Identifier, Active: .Active}'
{
  "Identifier": "/opt/openziti/etc/identities/miniziti-client.json",
  "Active": false
}
# ... output truncated to highlight the relevant identifier
qrkourier commented 9 months ago

I can still reproduce this in 0.22.20.

$ ziti-edge-tunnel on_off_identity -i /opt/openziti/etc/identities/miniziti-client.json -o f
received response <{"Success":true,"Data":{"Command":"IdentityOnOff","Data":{"Identifier":"/opt/openziti/etc/identities/miniziti-client.json","OnOff":false}},"Code":0}
>

$ ziti-edge-tunnel tunnel_status|sed -E 's/(^received\sresponse\s<|>$)//g'|jq '.Data.Identities[]|select(.Identifier == "/opt/openziti/etc/identities/miniziti-client.json")|.Active'
false

$ jq .ztAPI /opt/openziti/etc/identities/miniziti-client.json                                                               
"https://miniziti-controller.192.168.49.2.sslip.io:443"
Feb 13 10:59:12 mira valgrind[314990]: (314990)[   476791.297]    WARN ziti-sdk:ziti.c:1597 api_session_cb() ztx[9] failed to get api session from ctrl[https://miniziti-controller.192.168.49.2.sslip.io:443] api_session_state[1] CONTROLLER_UNAVAILABLE[-16] host is unreachable
dovholuknf commented 3 months ago

i'm pretty sure this duplicates #630

qrkourier commented 3 months ago

630 is about remembering a disabled status so it stays disabled, but this one's about a disabled identity not really being disabled right away because it keeps talking to the controller, which is similar to #672.

dovholuknf commented 3 months ago

Yes. It's the same thing.