This is "dockerized" version of the eduMEET. (Successor of multiparty meeting fork of mediasoup-demo)
Docker hub repository: edumeet
It will setup a production eduMEET instance with or without authentication, and help you with setting up a development environment.
For further (more generic) information take a look at eduMEET repository
- Current stable eduMEET consists of these components:
Setup guide in a video format can be found here:
FAQ is at the bottom of this README.md !
Recommended configuration + introduction
Specs | |
---|---|
CPU | typical modern CPU (8 cores) |
RAM | 8 GB |
HDD | 100GB |
network | 1 network adapter (1Gb/s) |
OS | Ubuntu / Debian |
public IP address (without any NAT) | |
2 FQDN name assigned (for certificates) |
In edumeet-docker components are linked together via the proxy (nginx) docker image.
By default it is using the docker networking hostnames to connect/link components.
Since some components need the hostname / domain name / IP to function it is included in every config and can be changed depending on the use case.
It also makes certificate renewal easy since on a single domain setup you only need to change the cert in the certs folder.
eduMEET client is the frontend, room-server is the backend, management-server is the auth backend, management-client is the frontend for authentication related stuff, media-node is used for everything media related.
Architecture
eduMEET docker uses the following endpoints for components:Components can run on a single machine with docker compose or can be separated.
Media nodes can be selected with GeoIP.
Edumeet-client frontends can run on many different servers.
Management server can host many tenants/domains. The management server database can be clustered.
Keycloak can support a number of Realms.
Installation ⬅ (Without dependencies, edumeet-docker will probably fail!)
sudo apt install jq ack
Install docker V2
https://docs.docker.com/engine/install/debian/#install-using-the-repository
Optional (add current user to docker group )
sudo groupadd docker
sudo usermod -aG docker $USER
git clone https://github.com/edumeet/edumeet-docker.git
cd edumeet-docker
git checkout <branch>
- start
run-me-first.sh
script. This script will download newest Dockerfile(s) and config.example.* files from the repository.
./run-me-first.sh
By running run-me-first.sh your domain names + your IP (you might have to change it it is not your public IP) will be set in the .env file
SET DOMAIN NAME (edumeet.example.com): yourdomain.com
The run-me-first.sh will scan for files with the default example domain/localhost occurances that shoud be changed:
configs/app/config.js:11: managementUrl: 'http://localhost:3030',
...
There are automated steps to change the configs:
Do you want to remove tls option from server/config.json (recommended)? [Y/n] y
done
Do you want to set host configuration to domain name from .env file and docker hostname to mgmt in server/config.json (recommended)? [Y/n] y
done
Do you want to set managementUrl to https://edumeet.sth.sze.hu/mgmt from .env file in app/config.js (recommended)? [Y/n] y
done
Do you want to replace edumeet.example.com domain in management-server config files to edumeet.sth.sze.hu in mgmt/default.json (recommended)?[Y/n] y
done
Do you want to update Keycloak dev realm to your domain : edumeet.sth.sze.hu from .env file in kc/dev.json (recommended)? [Y/n] y
done
Do you want to set up edumeet-management-client to https://edumeet.sth.sze.hu/cli from .env file in mgmt-client/config.js (recommended)? [Y/n] y
done
- Additional configuration documentation is located in edumeet-client and edumeet-room-server repositories.
Branch names (for example 4.0) should match for client and server side.
For example want to separe media node(s) to different servers, or remove the included pgadmin interface.
NOTE! Certficates are selfsigned, for a production service you need to set YOUR signed certificate in nginx and server configuration files:
Certificates are now generated with Let's Encrypt by default with running the gen_cert.sh
Default certficates are in for applications that are behind proxy but still require one to start:
in edumeet-docker/certs/
Default cert files: ( edumeet-demo-cert.pem and edumeet-demo-key.pem)
KC_HTTPS_CERTIFICATE_FILE, KC_HTTPS_CERTIFICATE_KEY_FILE
and
MN_EXTRA_PARAMS='--cert ./certs/edumeet-demo-cert.pem --key ./certs/edumeet-demo-key.pem'
For proxy certs can be changed in the nginx proxy file:
in configs/proxy/nginx.conf.template
:
server_name edumeet.example.com;
ssl_certificate /etc/edumeet/edumeet-demo-cert.pem;
ssl_certificate_key /etc/edumeet/edumeet-demo-key.pem;
Run with docker compose
$ sudo docker compose up --detach
*without the detach option you will see the logs
To build:
- Change TAG in .env file to your desired name.
- In .env file set to your desired BRANCH.
- Build and run:
$ sudo docker compose build
$ sudo docker compose up -d
Authentication (optional)
Supported types: OIDC, SAML, Local DB (KeyCloak)
- Authentication is optional but if you want to enable it, you should remove defualtroom paremeters from the config.json at configs/server/ and follow these steps:
- visit yourdomain/kc/ and set up your keycloak instance By default there is a dev configuration according to https://github.com/edumeet/edumeet-management-server/wiki/Keycloak-setup-(OAuth-openid-connect)
By default there is one test user in dev realm :
- Username: edumeet
- Password: edumeet
- visit yourdomain/cli/ and set up your management server config
- add a tenant
- add a tenant fqdn / domain
- add authetntication
- Credential is located in keycloak admin console/ / clients / / credentials
- Credential is not generated for default dev.json, change it in KeyCloak
- Logout
- Visit your domain (Login)
- Visit yourdomain/cli/ and as the logged in user create a room ( You will be assigned as a room owner and gain all permissions after login, but you can also set permissions for other users too. )
- Join the room
- For auth you can use any OpenID compatible backend. Keycloak is reccomended for testing, integrating with common third party auth sources and deployments without a central authentication (local users).
- For federated login with discovery we reccommend using SATOSA.
- For SATOSA the mgmt service client_secret_basic auth has to be added to oauth tenant auth methods:
"dynamic": [ "key", "secret", "authorize_url", "access_url", "profile_url", "scope_delimiter", "scope", "redirect_uri" ], "token_endpoint_auth_method": "client_secret_basic" }
In SATOSA redirect uri should be: https://edumeet.example.com/mgmt/oauth/tenant/callback
Firewall ports and recommendations
Port | protocol | description | network | path | firewall advice |
---|---|---|---|---|---|
80 | tcp | edumeet-client webserver (redirect to 443) | host network | / | |
443 | tcp | edumeet-client https webserver and signaling proxy | host network | / | |
3000 | edumeet-media-node port | host network | - | should be limited so only the room-server can access it | |
3479 | coturn port | host network | - | ||
40000-49999 | tcp/udp | edumeet-media-node ports | host network | - |
Development
eduMEET development usualy happens in 2 ways:
- Running components manualy
- Running edumeet-docker with components linked into the docker container or passed to the proxy.
*Without valid certs you have to allow localhost/local ip to work without certs in the browser.
edumeet-media-node container works in "host" network mode, because bridge mode has the following issue: "Docker hangs when attempting to bind a large number of ports"
Q: I get "Cannot find module erros" regarding config files
A: You are probably having a relative path issue with docker check if you are in the correct directory. (edumeet-docker folder)
Q: Docker-compose started, but some components are restarting.
A: You are probably having a config or permission problem. Try starting with "docker compose" without the detach parameter to see logs.
Or alternatively with:
docker logs -f <edumeet_container_name>
In the .env file there are a few log variables:
SERVER_DEBUG=
MGMT_DEBUG=
MGMT_CLIENT_DEBUG=
MN_DEBUG=
Changing them to * will provide extended logs that can help debugging problems.
Q: KeyCloak won't start
A: KeyCloak is sensitive to permission settings on cert files. Please check
Q: I get network conflicts with docker
A: You will most likely running an old version of docker, that doesn't handle links between containers
Q: I get network problems with room-server and media node within docker when using ufw
A: ufw by default blocks incoming traffic, and thinks that media control port is accessed outside of the network. Firewall can also cause issues with component internal communication.