Skip to main content
Star us on GitHub Star

Controller Deployment

This article is about deploying a controller as a Linux system service. The controller introduction may be helpful to read first.

We'll cover the following topics:

  1. Installation
  2. Configuration
  3. Starting Up

Install the Controller Package

The controller package provides a systemd service unit and bootstrapping script.

One-liner Install Script

curl -sS https://get.openziti.io/install.bash | sudo bash -s openziti-controller

Manual Package Repo Setup

Configure the package repository and install openziti-controller.

Configure the repository for the Debian family of distributions (Ubuntu, Mint, Pop!_OS)

Install the OpenZiti repository key.

curl -sSLf https://get.openziti.io/tun/package-repos.gpg | sudo gpg --dearmor --output /usr/share/keyrings/openziti.gpg

Ensure the key is readable by all users.

sudo chmod a+r /usr/share/keyrings/openziti.gpg

Create the repository file.

sudo tee /etc/apt/sources.list.d/openziti-release.list >/dev/null <<EOF
deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/zitipax-openziti-deb-stable debian main
EOF

Update the package list.

sudo apt update

Finally, install the package: openziti-controller

The openziti package provides the ziti CLI and is installed as a dependency.

Configuration

You must generate, migrate, or craft a configuration. Configuration consists of a PKI, a config YAML file, and a database.

Generate a Configuration

This is the recommended approach if you are installing a new controller.

Answer Interactively

Run bootstrap.bash to be prompted for the required values.

sudo /opt/openziti/etc/controller/bootstrap.bash

Answer Non-interactively

  1. Set the required values in the answer file /opt/openziti/etc/controller/bootstrap.env.

    1. ZITI_CTRL_ADVERTISED_ADDRESS - control plane permanent DNS name (required)
    2. ZITI_CTRL_ADVERTISED_PORT - listener TCP port (default: 1280)
    3. ZITI_USER - username (default: admin)
    4. ZITI_PWD - password to initialize the database (required)
  2. Run bootstrap.bash

    sudo /opt/openziti/etc/controller/bootstrap.bash

Migrate an Existing Configuration

This example illustrates copying the PKI, configuration, and database from a previous installation to the controller service's working directory.

Craft a Configuration

Craft a new configuration by running ziti create config controller.

Review the environment variables, especially those named like ZITI_CTRL_*, that influence the controller configuration with ziti create config environment.

Here's a link to the controller configuration reference.

Starting Up

Run the service now and after every reboot

sudo systemctl enable --now ziti-controller.service

Firewall

The controller listens on a single configurable TCP port: 1280/tcp. Verify that the controller process is listening on this port and create a firewall exception if necessary.

This will list all TCP listeners for "ziti" commands.

sudo ss -tlnp | grep ziti

If you have only one process named like "ziti" running, you will see output similar to this.

Output
LISTEN 0      4096                          *:1280             *:*    users:(("ziti",pid=2004302,fd=8))

Further Configuration

Customize /var/lib/ziti-controller/config.yml as needed and restart the service.

sudo systemctl restart ziti-controller.service

Here's a link to the configuration reference.

Logging

View the service's output.

journalctl -u ziti-controller.service

Set a different format in the ZITI_ARGS environment variable and restart the service.


ZITI_ARGS='--log-formatter text'


Learn more in the logging reference.

Uninstall

  1. Clean the service state.

    sudo systemctl disable --now ziti-controller.service
    sudo systemctl reset-failed ziti-controller.service
    sudo systemctl clean --what=state ziti-controller.service
  2. Purge the package, including configuration files.

    APT - Debian, Ubuntu, etc.

    sudo apt-get purge openziti-controller

    RPM - RedHat, Fedora, etc.

    sudo dnf remove openziti-controller
  3. Remove any firewall exceptions you created.

Troubleshooting

Verify the control plane is reachable by routers. The control plane must terminate TLS for routers because they will authenticate with a client certificate for all post-erollment interactions.

The server certificate must be issued by the controller's edge signer CA (edge.enrollment.signerCert in /var/lib/ziti-controller/config.yml).

Substitute the value of ctrl.options.advertiseAddress from /var/lib/ziti-controller/config.yml:

openssl s_client -connect {ctrl.options.advertiseAddress} -alpn ziti-ctrl -showcerts <>/dev/null \
|& openssl storeutl -certs -noout -text /dev/stdin \
| grep -E '(Subject|Issuer):'
Output
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=NetFoundry Inc. Intermediate CA 42KvRQxn.
Subject: C=US, ST=NC, L=Charlotte, O=NetFoundry, OU=Ziti, CN=BhCjN2Rkx
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=NetFoundry Inc. Certificate Authority IpcOEkAR6
Subject: C=US, ST=NC, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=NetFoundry Inc. Intermediate CA 42KvRQxn.

Verify the controller's edge-client web API is reachable by identities and routers. This API must terminate TLS for any identities that enroll because they will authenticate with a client certificate for post-enrollment interactions.

Enrollment tokens are signed with the key of the controller's server certificate that matches the edge.api.address in /var/lib/ziti-controller/config.yml.

Substitute the value of edge.api.address from /var/lib/ziti-controller/config.yml:

openssl s_client -connect {edge.api.address} -alpn h2,http/1.1 -showcerts <>/dev/null \
|& openssl storeutl -certs -noout -text /dev/stdin \
| grep -E '(Subject|Issuer):'
Output
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=NetFoundry Inc. Intermediate CA 42KvRQxn.
Subject: C=US, ST=NC, L=Charlotte, O=NetFoundry, OU=Ziti, CN=BhCjN2Rkx
Issuer: C=US, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=NetFoundry Inc. Certificate Authority IpcOEkAR6
Subject: C=US, ST=NC, L=Charlotte, O=NetFoundry, OU=ADV-DEV, CN=NetFoundry Inc. Intermediate CA 42KvRQxn.