turn: add TURN server #163
base: dev
Changes from 4 commits
0d1baf8
854753f
6c6df2c
656d48b
5753213
cb8552a
d983578
e0e0d81
14d717c
@@ -2,6 +2,17 @@ admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" } | |
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" } | ||
http_default_host = "{{ .Env.XMPP_DOMAIN }}" | ||
|
||
{{ if .Env.TURN_ENABLE | default "0" | toBool }} | ||
turncredentials_secret = "{{ .Env.TURN_SECRET | default "keepthissecret" }}"; | ||
turncredentials = { | ||
{ type = "turns", | ||
host = "{{ .Env.TURN_HOST | default .Env.DOCKER_HOST_ADDRESS }}", | ||
Shouldn't the default be TURN_PUBLIC_IP?

prosody doesn't know about TURN_PUBLIC_IP in case TURN_PUBLIC_IP is not set from the env file (got dynamically).

We can detect it in the init file and re-export it, perhaps?

I'll try to explain my view on it.

On the other hand, if it's just a single setup, TURN_HOST can be DOCKER_HOST_ADDRESS (if not set) and TURN_PUBLIC_IP is dynamically set.

I'm not completely sure of the latest comment. I guess we should remove the default set for "TURN_HOST" and make it required, because if TURN_PUBLIC_IP and DOCKER_HOST_ADDRESS are different, the setup will be broken. WDYT?

Not sure I follow you here. I do understand that you could set a hostname. But if you don't, the IP that should be there is the public IP of the TURN server, right? In hindsight DOCKER_HOST_ADDRESS was not a great name. I'll probably rename it to JVB_PUBLIC_IP in the future, which is a better name.
So, to me, it makes sense that the default is the TURN public IP, and not anything else.

I suggest to use only The @saghul WDYT?
||
port = {{ .Env.TURN_PORT | default "3478" }}, | ||
transport = "{{ .Env.TURN_TRANSPORT | default "tcp" }}" | ||
} | ||
} | ||
{{ end }} | ||
|
||
{{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }} | ||
{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }} | ||
{{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }} | ||
|
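Review bot: the default ports on the two sides of this feature disagree: `port = {{ .Env.TURN_PORT | default "3478" }}` here, while the entrypoint in this same PR starts turnserver with `--listening-port=${TURN_PORT:-5349}` and the Dockerfile exposes 5349, so a deployment that leaves TURN_PORT unset advertises a port nobody listens on; pick one default (5349 is what the rest of the PR uses) or make TURN_PORT required. The `turncredentials_secret` fallback `"keepthissecret"` is the same literal the entrypoint passes to `--static-auth-secret`, so an unset TURN_SECRET works silently with a value that lives in the public repository; since that shared secret is all that is needed to mint relay credentials, the template should fail (or the entrypoint should generate a random value) when TURN_ENABLE is on and TURN_SECRET is empty rather than fall back. The `host` fallback to DOCKER_HOST_ADDRESS, as the thread above notes, only holds when TURN and JVB share one public address; documenting that assumption next to the variable would avoid surprises on split deployments.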
@@ -0,0 +1,30 @@ | ||
version: '3' | ||
|
||
services: | ||
|
||
# coturn TURN server project | ||
turn: | ||
image: jitsi/turn | ||
|
||
restart: always | ||
volumes: | ||
- ${CONFIG}/turn:/config | ||
ports: | ||
- '${TURN_PORT}:${TURN_PORT}/tcp' | ||
- '${TURN_PORT}:${TURN_PORT}/udp' | ||
- '${TURN_RTP_MIN}-${TURN_RTP_MAX}:${TURN_RTP_MIN}-${TURN_RTP_MAX}/udp' | ||
- '${TURN_ADMIN_PORT}:${TURN_ADMIN_PORT}/tcp' | ||
environment: | ||
- DOCKER_HOST_ADDRESS | ||
- TURN_SECRET | ||
- TURN_REALM | ||
- TURN_HOST | ||
- TURN_PORT | ||
- TURN_TRANSPORT | ||
- TURN_RTP_MIN | ||
- TURN_RTP_MAX | ||
- TURN_ADMIN_ENABLE | ||
- TURN_ADMIN_USER | ||
- TURN_ADMIN_SECRET | ||
- TURN_ADMIN_PORT | ||
networks: | ||
meet.jitsi: | ||
|
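Review bot: the entrypoint added in this PR reads TURN_PUBLIC_IP (`[ -z "${TURN_PUBLIC_IP}" ] && export TURN_PUBLIC_IP=$(curl -4ks https://icanhazip.com)`), but TURN_PUBLIC_IP is missing from the `environment:` list of this service, so a value set in the .env file never reaches the container and the external lookup is always used; add `- TURN_PUBLIC_IP` to the list. Separately, `'${TURN_ADMIN_PORT}:${TURN_ADMIN_PORT}/tcp'` is published on every host interface unconditionally, even when TURN_ADMIN_ENABLE is off, and when it is on the entrypoint seeds `admin`/`changeme` as the default login, so the coturn web admin is reachable from outside the host by default; keep that mapping out of the base compose file (a compose override for operators who enable the admin UI) or bind it to 127.0.0.1. The same "published on all interfaces" consideration applies to the relay range `${TURN_RTP_MIN}-${TURN_RTP_MAX}/udp`, which is intended, but worth a comment so nobody narrows it by mistake.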
@@ -0,0 +1,13 @@ | ||
ARG VERSION | ||
FROM instrumentisto/coturn:${VERSION:-latest} | ||
This has been deprecated: instrumentisto/coturn-docker-image@0a4a7f0 It is suggested to switch to the upstream image
||
|
||
RUN apk add --no-cache openssl | ||
|
||
ADD ./rootfs/defaults/docker-entrypoint.sh /docker-entrypoint.sh | ||
|
||
ENTRYPOINT ["/docker-entrypoint.sh"] | ||
|
||
|
||
VOLUME ["/config"] | ||
|
||
EXPOSE 5349 8443 10000:11000/udp | ||
|
||
|
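Review bot: the entrypoint this PR ships calls `curl` for the TURN_PUBLIC_IP fallback, but this Dockerfile only runs `RUN apk add --no-cache openssl`; unless the instrumentisto/coturn base image already bundles curl, the lookup yields an empty string and the script lands in its own error path, so curl belongs on that `apk add` line (or its presence in the base image should be confirmed in the PR description). `EXPOSE 5349 8443 10000:11000/udp` uses the host:container publish syntax; a port range in EXPOSE is written with a hyphen (`10000-11000/udp`), and 10000-11000 should be kept in step with the TURN_RTP_MIN/TURN_RTP_MAX defaults in the entrypoint. Minor style points: `ADD ./rootfs/defaults/docker-entrypoint.sh` of a plain local file is conventionally `COPY`, and, as the inline comment says, the base image is deprecated upstream.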
@@ -0,0 +1,5 @@ | ||
build: | ||
docker build $(BUILD_ARGS) -t $(JITSI_REPO)/turn . | ||
|
||
.PHONY: build | ||
|
@@ -0,0 +1,42 @@ | ||
#!/bin/ash | ||
|
||
# make certs if not exist | ||
if [[ ! -f /config/cert.crt || ! -f /config/cert.key ]]; then | ||
openssl req -newkey rsa:2048 -nodes -keyout /config/cert.key -x509 -days 3650 -out /config/cert.crt -subj "/C=US/ST=NY/L=NY/O=IT/CN=${TURN_HOST}" | ||
fi | ||
|
||
# use non empty TURN_PUBLIC_IP variable, othervise set it dynamically. | ||
[ -z "${TURN_PUBLIC_IP}" ] && export TURN_PUBLIC_IP=$(curl -4ks https://icanhazip.com) | ||
[ -z "${TURN_PUBLIC_IP}" ] && echo "ERROR: variable TURN_PUBLIC_IP is not set and can not be set dynamically!" && kill 1 | ||
|
||
# set coturn web-admin access | ||
if [[ "${TURN_ADMIN_ENABLE}" == "1" || "${TURN_ADMIN_ENABLE}" == "true" ]]; then | ||
turnadmin -A -u ${TURN_ADMIN_USER:-admin} -p ${TURN_ADMIN_SECRET:-changeme} | ||
export TURN_ADMIN_OPTIONS="--web-admin --web-admin-ip=$(hostname -i) --web-admin-port=${TURN_ADMIN_PORT:-8443}" | ||
fi | ||
|
||
# run coturn server with API auth method enabled. | ||
turnserver -n ${TURN_ADMIN_OPTIONS} \ | ||
--verbose \ | ||
--prod \ | ||
That's a good spot!
||
--no-tlsv1 \ | ||
--no-tlsv1_1 \ | ||
--log-file=stdout \ | ||
--listening-port=${TURN_PORT:-5349} \ | ||
--tls-listening-port=${TURN_PORT:-5349} \ | ||
--alt-listening-port=${TURN_PORT:-5349} \ | ||
--alt-tls-listening-port=${TURN_PORT:-5349} \ | ||
--cert=/config/cert.crt \ | ||
--pkey=/config/cert.key \ | ||
--min-port=${TURN_RTP_MIN:-10000} \ | ||
--max-port=${TURN_RTP_MAX:-11000} \ | ||
--no-stun \ | ||
--use-auth-secret \ | ||
--static-auth-secret=${TURN_SECRET:-keepthissecret} \ | ||
--no-multicast-peers \ | ||
--realm=${TURN_REALM:-realm} \ | ||
--listening-ip=$(hostname -i) \ | ||
--external-ip=${TURN_PUBLIC_IP} \ | ||
As per https://hub.docker.com/r/instrumentisto/coturn they recommend using the

Actually, the script

Yeah, should have checked it before. Awesome. I've been testing this and it works great. My use case is on Kubernetes and I'm having some issues with networking, but that is another story.

This has been adopted for the upstream See previous comment https://github.com/jitsi/docker-jitsi-meet/pull/163/files#r802157850
||
--cli-password=NotReallyCliUs3d \ | ||
--no-cli | ||
|
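Review bot: the failure path `[ -z "${TURN_PUBLIC_IP}" ] && echo "ERROR: ..." && kill 1` does not stop the container: this script is the ENTRYPOINT and therefore PID 1, and PID 1 in a container ignores signals for which it has installed no handler, so `kill 1` is very likely a no-op and execution falls through to `turnserver ... --external-ip=` with an empty value; `exit 1` gives the non-zero status that `restart: always` and orchestrators act on. Three further points on the same script: `curl -4ks` disables TLS verification (`-k`) for a lookup whose result becomes the advertised relay address, and icanhazip.com serves a valid certificate, so `-k` should go; `--static-auth-secret=${TURN_SECRET:-keepthissecret}` and `turnadmin -A -u ${TURN_ADMIN_USER:-admin} -p ${TURN_ADMIN_SECRET:-changeme}` both fall back to credentials checked into the repository, which is acceptable only if the README states loudly that they must be overridden, and it would be safer to refuse to start without TURN_SECRET when the admin UI is enabled; and the self-signed certificate is generated with `CN=${TURN_HOST}` before anything checks that TURN_HOST is set and without a SAN, so TURNS clients that verify the server certificate will reject it. Documenting that the generated pair is a placeholder to be replaced by a real certificate dropped into /config would make that expectation clear. Also, the comment on the lookup line reads "othervise" (otherwise).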
This change needs to be applied to https://github.com/jitsi/handbook/blob/master/docs/devops-guide/docker.md (cf: #601)

Is there anything I can do to support this PR towards being merged? I'd really like to vacate Zoom with all of its problems for Jitsi Meet...