Current AIO talk recording docker container fails: No option 'secret' in section: 'backend'

[JoshuaPettus]

This originally comes from here https://help.nextcloud.com/t/aio-current-talk-recording-docker-containers-fail/176746 but still seems to be happening

I am using the AIO's nextcloud/aio-talk-recording docker container standalone in my NC Talk software stack on a bare metal NC setup. When I first started using it, it was working well, but for the last month's docker container updates it apparently stopped working. NC would try to start the recording service and then fail. This is including the dev release branch.

The last version of the docker container that works for me was
nextcloud/aio-talk-recording:20231113_125854-latest

I invoke the container with:

sudo docker run --restart=always -d --name talk-recording -e ALLOW_ALL=true -e HPB_DOMAIN=signaling.ncdomain.com -e NC_DOMAIN=my.ncdomain.com -e TZ={timezone} -e RECORDING_SECRET={ncsecret} -e INTERNAL_SECRET={signalingsecret} -p 127.0.0.1:1234:1234 nextcloud/aio-talk-recording:latest

On the failed containers, here is the output from the log which looks to be the problem

ERROR:nextcloud.talk.recording.Server:Exception on /api/v1/room/o92sp42b [POST]                                                                                                                                  Traceback (most recent call last):                                                                                                                                                                                 File "/usr/local/lib/python3.12/configparser.py", line 767, in get                                                                                                                                                 value = d[option]
            ~^^^^^^^^                                                                                                                                                                                              File "/usr/local/lib/python3.12/collections/__init__.py", line 1014, in __getitem__                                                                                                                                return self.__missing__(key)            # support subclasses that define __missing__                                                                                                                                    ^^^^^^^^^^^^^^^^^^^^^                                                                                                                                                                                   File "/usr/local/lib/python3.12/collections/__init__.py", line 1006, in __missing__                                                                                                                                raise KeyError(key)                                                                                                                                                                                          KeyError: 'secret'
                                                                                                                                                                                                                 During handling of the above exception, another exception occurred:
                                                                                                                                                                                                                 Traceback (most recent call last):                                                                                                                                                                                 File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1455, in wsgi_app                                                                                                                                response = self.full_dispatch_request()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 869, in full_dispatch_request
    rv = self.handle_user_exception(e)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 867, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 852, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/nextcloud/talk/recording/Server.py", line 49, in handleBackendRequest
    backend, data = _validateRequest()
                    ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/nextcloud/talk/recording/Server.py", line 74, in _validateRequest
    secret = config.getBackendSecret(backend)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/nextcloud/talk/recording/Config.py", line 130, in getBackendSecret
    return self._configParser.get('backend', 'secret')
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/configparser.py", line 770, in get
    raise NoOptionError(option, section)
configparser.NoOptionError: No option 'secret' in section: 'backend'

Looking at the /conf/recording.conf file in the nextcloud/aio-talk-recording:20231113_125854-latest container, I see

[backend]
allowall = true
# TODO: remove secret below when https://github.com/nextcloud/spreed/issues/9580 is fixed
secret = {secret}

And indeed the secret line has been removed in newer containers as per that issue, but there appears to still be some python script that is still expecting the line to be there.

[szaimen]

Hi @SystemKeeper wasn't this resolved with nextcloud/spreed#10022?

[SystemKeeper]

Hi @SystemKeeper wasn't this resolved with nextcloud/spreed#10022?

Hey :-)
Yes it was, the problem is ALLOW_ALL=true and there it’s still needed, because then it’s independent of the backend. I honestly forgot the check after the latest changes. I had an idea a while back (#2880 (comment)), but never followed up 😅

[szaimen]

So where would this need to be fixed then? In talk-recording or in the container itself?

[SystemKeeper]

In the container/the config used. When allow all is set to true, we need to provide a global secret which is used

[SystemKeeper]

@JoshuaPettus Please make sure that you understand the impact of setting allow all to true! For a production deployment this is (or can be) a security issue!

[szaimen]

PR in #3992

[JoshuaPettus]

@JoshuaPettus Please make sure that you understand the impact of setting allow all to true! For a production deployment this is (or can be) a security issue!

I understand that there can be an issue, but I have yet to find any documentation on a working alternative. The sparse amount of guides I can find on how to set it up are with it set to true. If you know of any please let me know!

[SystemKeeper]

If you know of any please let me know!

Its documented at https://github.com/nextcloud/nextcloud-talk-recording/blob/main/docs/installation.md#talk-configuration

[szaimen]

This is now released with v7.9.1 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel

[JoshuaPettus]

If you know of any please let me know!

Its documented at https://github.com/nextcloud/nextcloud-talk-recording/blob/main/docs/installation.md#talk-configuration

Ah Thank you, I appreciate it!

This is now released with v7.9.1 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel

Awesome! I will give it a try and let you know if I have any issues

[JoshuaPettus]

Oh wow, since I was using the secret anyway, I really did not need the allowall=true after all. Oh well, at least I stumbled on a bug for you!