From a847a9683f6e8be44f40ee92a44416ab6dce14a1 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 19 Jan 2021 17:27:32 +0100 Subject: Cleanup op_guide folder --- op_guide/plume/README.md | 2 + op_guide/update_matrix.md | 89 ---------------------------------------- op_guide/update_matrix/README.md | 89 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 91 insertions(+), 89 deletions(-) delete mode 100644 op_guide/update_matrix.md create mode 100644 op_guide/update_matrix/README.md diff --git a/op_guide/plume/README.md b/op_guide/plume/README.md index fa6084d..4a8bbac 100644 --- a/op_guide/plume/README.md +++ b/op_guide/plume/README.md @@ -1,3 +1,5 @@ +## Creating a new Plume user + 1. Bind nomad on your machine with SSH (check the README file at the root of this repo) 2. Go to http://127.0.0.1:4646 3. Select `plume` -> click `exec` button (top right) diff --git a/op_guide/update_matrix.md b/op_guide/update_matrix.md deleted file mode 100644 index 7df588f..0000000 --- a/op_guide/update_matrix.md +++ /dev/null 
@@ -1,89 +0,0 @@ -How to update Matrix? -===================== - -## 1. Build the new containers - -It starts with this file: `app/build/docker-compose.yml`. -Often, I update Riot Web and Synapse at the same time. -In the file, find the `riot` and `synapse` entries. -The only thing you need to do is to update the `VERSION` argument. -This argument is then used to template the Dockerfile. -The `VERSION` value should match a github release, the link to the corresponding release page is put as a comment next to the variable in the compose file. - -Next, we put tags on our images. -You need to increment it, for example: `superboum/amd64_riotweb:v17` will become `superboum/amd64_riotweb:v18`. -We use the docker hub to store our images, if you are not `superboum` you must change the name with your handle, eg. `john/amd64_riotweb:v18`. - -So, from now we expact you have: - - changed the `VERSION` value and `image` name/tag of `riot` - - changed the `VERSION` value and `image` name/tag of `synapse` - -You can now simply build and push the new images: - -```bash -docker-compose build riot synapse -``` - -And then send them to the docker hub: - -``` -docker-compose push riot synapse -``` - -Don't forget to commit and push your changes before doing anything else! - -## 2. Deploy the new containers - -Now, we will edit the deployment file `app/deployment/im.hcl`. - -Find where the image is defined in the file, for example in Riot, it will look like that: - - -```hcl - group "riotweb" { - count = 1 - - task "server" { - driver = "docker" - config { - image = "superboum/amd64_riotweb:v17" - port_map { - web_port = 8043 - } -``` - -And replace the `image =` entry with your image name. -Do the same thing for `synapse`. - -Now, you need a way to access the cluster to deploy this file. -To do this, you must bind nomad on your machine through a SSH tunnel. -Check the end of `README.md` to do it. 
-If you have access to the Nomad web UI when entering http://127.0.0.1:4646 -you are ready to go. - -You must have installed the Nomad command line tool on your machine (also explained in `README.md`). - -Now, on your machine, you must be able to run (from the `app/deployment` folder) : - -``` -nomad plan im.hcl -``` - -Check that the proposed diff corresponds to what you have in mind. -If it seems OK, just copy paste the proposed `nomad job run ... im.hcl` command proposed as part of the output of the `nomad plan` command. - -From now, it will take around ~2 minutes to deploy the new images. -You can follow the deployment from the Nomad UI. -Bear in mind that, once the deployment is done on Nomad, you may still need to wait some minutes that Traefik refreshes its configuration. - -If everythings worked as intended, you can commit and push your deployment file. - -If something went wrong, you must rollback your deployment. - - 1. First, find a working deployment with [nomad job history](https://www.nomadproject.io/docs/commands/job/history) - 2. Revert to this deployment with [nomad job revert](https://www.nomadproject.io/docs/commands/job/revert) - -Now, if the deployment failed, you should probably investigate what went wrong offline. -In this case, I build a test stack with docker-compose in `app/integration` (for now, I had to do that only for plume and jitsi). - - diff --git a/op_guide/update_matrix/README.md b/op_guide/update_matrix/README.md new file mode 100644 index 0000000..7df588f --- /dev/null +++ b/op_guide/update_matrix/README.md 
@@ -0,0 +1,89 @@ +How to update Matrix? +===================== + +## 1. Build the new containers + +It starts with this file: `app/build/docker-compose.yml`. +Often, I update Riot Web and Synapse at the same time. +In the file, find the `riot` and `synapse` entries. +The only thing you need to do is to update the `VERSION` argument. +This argument is then used to template the Dockerfile. +The `VERSION` value should match a github release, the link to the corresponding release page is put as a comment next to the variable in the compose file. + +Next, we put tags on our images. +You need to increment it, for example: `superboum/amd64_riotweb:v17` will become `superboum/amd64_riotweb:v18`. +We use the docker hub to store our images, if you are not `superboum` you must change the name with your handle, eg. `john/amd64_riotweb:v18`. + +So, from now we expact you have: + - changed the `VERSION` value and `image` name/tag of `riot` + - changed the `VERSION` value and `image` name/tag of `synapse` + +You can now simply build and push the new images: + +```bash +docker-compose build riot synapse +``` + +And then send them to the docker hub: + +``` +docker-compose push riot synapse +``` + +Don't forget to commit and push your changes before doing anything else! + +## 2. Deploy the new containers + +Now, we will edit the deployment file `app/deployment/im.hcl`. + +Find where the image is defined in the file, for example in Riot, it will look like that: + + +```hcl + group "riotweb" { + count = 1 + + task "server" { + driver = "docker" + config { + image = "superboum/amd64_riotweb:v17" + port_map { + web_port = 8043 + } +``` + +And replace the `image =` entry with your image name. +Do the same thing for `synapse`. + +Now, you need a way to access the cluster to deploy this file. +To do this, you must bind nomad on your machine through a SSH tunnel. +Check the end of `README.md` to do it. 
+If you have access to the Nomad web UI when entering http://127.0.0.1:4646 +you are ready to go. + +You must have installed the Nomad command line tool on your machine (also explained in `README.md`). + +Now, on your machine, you must be able to run (from the `app/deployment` folder) : + +``` +nomad plan im.hcl +``` + +Check that the proposed diff corresponds to what you have in mind. +If it seems OK, just copy paste the proposed `nomad job run ... im.hcl` command proposed as part of the output of the `nomad plan` command. + +From now, it will take around ~2 minutes to deploy the new images. +You can follow the deployment from the Nomad UI. +Bear in mind that, once the deployment is done on Nomad, you may still need to wait some minutes that Traefik refreshes its configuration. + +If everythings worked as intended, you can commit and push your deployment file. + +If something went wrong, you must rollback your deployment. + + 1. First, find a working deployment with [nomad job history](https://www.nomadproject.io/docs/commands/job/history) + 2. Revert to this deployment with [nomad job revert](https://www.nomadproject.io/docs/commands/job/revert) + +Now, if the deployment failed, you should probably investigate what went wrong offline. +In this case, I build a test stack with docker-compose in `app/integration` (for now, I had to do that only for plume and jitsi). + + -- cgit v1.2.3 From 9560f8085292e990949c53b4ba964936a3d3b6e5 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 19 Jan 2021 17:29:37 +0100 Subject: mention secretmgr.py in create_database --- op_guide/create_database/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/op_guide/create_database/README.md b/op_guide/create_database/README.md index 7d49c97..fb3bdd9 100644 --- a/op_guide/create_database/README.md +++ b/op_guide/create_database/README.md 
@@ -8,6 +8,8 @@ Go to guichet.deuxfleurs.fr 4. Hash it with `slappasswd` 5. Add a `userpassword` entry with the hash +This step can also be done using the automated tool `secretmgr.py` in the app folder. + ## 2. Connect to postgres with the admin users ```bash -- cgit v1.2.3 From 1c814f002af3aafa76aced040845d6fdeee7953e Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Tue, 19 Jan 2021 17:53:53 +0100 Subject: Add CMD_ONCE secret type and fill in/change secret definitions --- app/im/secrets/chat/easybridge/as_token | 1 + app/im/secrets/chat/easybridge/db_pass | 1 + app/im/secrets/chat/easybridge/db_user | 1 + app/im/secrets/chat/easybridge/hs_token | 1 + app/im/secrets/chat/easybridge/web_session_key | 2 ++ app/im/secrets/chat/fb2mx/as_token | 2 +- app/im/secrets/chat/fb2mx/hs_token | 2 +- app/im/secrets/chat/synapse/homeserver.signing.key | 1 + app/im/secrets/chat/synapse/registration_shared_secret | 2 +- app/plume/secrets/plume/pgsql_pw | 2 +- app/secretmgr.py | 9 +++++++-- 11 files changed, 18 insertions(+), 6 deletions(-) create mode 100644 app/im/secrets/chat/easybridge/as_token create mode 100644 app/im/secrets/chat/easybridge/db_pass create mode 100644 app/im/secrets/chat/easybridge/db_user create mode 100644 app/im/secrets/chat/easybridge/hs_token create mode 100644 app/im/secrets/chat/easybridge/web_session_key create mode 100644 app/im/secrets/chat/synapse/homeserver.signing.key diff --git a/app/im/secrets/chat/easybridge/as_token b/app/im/secrets/chat/easybridge/as_token new file mode 100644 index 0000000..5fa4e3c --- /dev/null +++ b/app/im/secrets/chat/easybridge/as_token @@ -0,0 +1 @@ +CMD openssl rand -hex 32 diff --git a/app/im/secrets/chat/easybridge/db_pass b/app/im/secrets/chat/easybridge/db_pass new file mode 100644 index 0000000..7e1f94b --- /dev/null +++ b/app/im/secrets/chat/easybridge/db_pass @@ -0,0 +1 @@ +SERVICE_PASSWORD easybridge 
diff --git a/app/im/secrets/chat/easybridge/db_user b/app/im/secrets/chat/easybridge/db_user
new file mode 100644
index 0000000..436267c
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/db_user
@@ -0,0 +1 @@
+CONST easybridge
diff --git a/app/im/secrets/chat/easybridge/hs_token b/app/im/secrets/chat/easybridge/hs_token
new file mode 100644
index 0000000..5fa4e3c
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/hs_token
@@ -0,0 +1 @@
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/easybridge/web_session_key b/app/im/secrets/chat/easybridge/web_session_key
new file mode 100644
index 0000000..614bed7
--- /dev/null
+++ b/app/im/secrets/chat/easybridge/web_session_key
@@ -0,0 +1,2 @@
+CMD openssl rand -hex 32
+
diff --git a/app/im/secrets/chat/fb2mx/as_token b/app/im/secrets/chat/fb2mx/as_token
index 20b76d4..5fa4e3c 100644
--- a/app/im/secrets/chat/fb2mx/as_token
+++ b/app/im/secrets/chat/fb2mx/as_token
@@ -1 +1 @@
-USER fb2mx API server token
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/fb2mx/hs_token b/app/im/secrets/chat/fb2mx/hs_token
index 8808f8f..5fa4e3c 100644
--- a/app/im/secrets/chat/fb2mx/hs_token
+++ b/app/im/secrets/chat/fb2mx/hs_token
@@ -1 +1 @@
-USER fb2mx homeserver token
+CMD openssl rand -hex 32
diff --git a/app/im/secrets/chat/synapse/homeserver.signing.key b/app/im/secrets/chat/synapse/homeserver.signing.key
new file mode 100644
index 0000000..099bd18
--- /dev/null
+++ b/app/im/secrets/chat/synapse/homeserver.signing.key
@@ -0,0 +1 @@
+USER Synapse homeserver ed25519 signing key
diff --git a/app/im/secrets/chat/synapse/registration_shared_secret b/app/im/secrets/chat/synapse/registration_shared_secret
index 395cccc..b82f191 100644
--- a/app/im/secrets/chat/synapse/registration_shared_secret
+++ b/app/im/secrets/chat/synapse/registration_shared_secret
@@ -1 +1 @@
-USER Shared secret for homeserver registrations (?)
+CMD head -c 32 /dev/urandom | base64
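Review bot: Switching `fb2mx/as_token` and `fb2mx/hs_token` (and the new easybridge pair) to plain `CMD` means every regen produces fresh tokens, while this same commit introduces `CMD_ONCE` precisely for values that must not change on regen. An appservice token has to match what the homeserver has registered for that bridge; if that registration is not rewritten by the same run (not visible on this page), a regen would break the bridge until both sides are updated by hand. Unless rotation on every regen is intentional, `CMD_ONCE openssl rand -hex 32` looks like the intended type for these four files.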
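Review bot: `CMD head -c 32 /dev/urandom | base64` is the only CMD definition on this page that relies on a shell pipe; every other one is a single `openssl rand` invocation. How secretmgr.py executes `secret["cmd"]` is not visible here (it happens after the `Executing command:` print), and if the string is split into arguments without a shell, `|` and `base64` become extra file names for `head` rather than a pipe. `CMD openssl rand -base64 32` yields an equivalent 32-byte random secret without depending on that detail and matches the other definitions.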
diff --git a/app/plume/secrets/plume/pgsql_pw b/app/plume/secrets/plume/pgsql_pw index 978be54..0f831bb 100644 --- a/app/plume/secrets/plume/pgsql_pw +++ b/app/plume/secrets/plume/pgsql_pw @@ -1 +1 @@ -CMD openssl rand -base64 32 +SERVICE_PASSWORD plume diff --git a/app/secretmgr.py b/app/secretmgr.py index 6af6d13..5cf55dc 100755 --- a/app/secretmgr.py +++ b/app/secretmgr.py @@ -43,6 +43,9 @@ USER_LONG CMD (a secret that is generated by running this command) +CMD_ONCE +(same, but value is not changed when doing a regen) + CONST (the secret has a constant value set here) @@ -81,6 +84,7 @@ consul_server = consul.Consul() USER = "USER" USER_LONG = "USER_LONG" CMD = "CMD" +CMD_ONCE = "CMD_ONCE" CONST = "CONST" CONST_LONG = "CONST_LONG" SERVICE_DN = "SERVICE_DN" @@ -108,7 +112,7 @@ def read_secret(key, file_path): secret = {"type": stype, "key": key} if stype in [USER, USER_LONG]: secret["desc"] = " ".join(l0[1:]) - elif stype == CMD: + elif stype in [CMD, CMD_ONCE]: secret["cmd"] = " ".join(l0[1:]) elif stype == CONST: secret["value"] = " ".join(l0[1:]) @@ -151,6 +155,7 @@ def get_secrets_services(secrets): if svc not in services: services[svc] = { "dn": "cn=%s,%s"%(svc, SERVICE_DN_SUFFIX), + "desc": "(not provided)", "pass": None, "dn_at": [], "pass_at": [], @@ -289,7 +294,7 @@ def gen_secrets_base(secrets, regen): consul_server.kv.put(key, secret["value"]) print(bcolors.OKCYAN, "Value set.", bcolors.ENDC) - if secret["type"] == CMD: + if secret["type"] == CMD or (secret["type"] == CMD_ONCE and data is None): print("----") print(key) print("Executing command:", secret["cmd"]) -- cgit v1.2.3 From a2eec38de4acb0a58f22dddc161facf44910085a Mon Sep 17 00:00:00 2001 
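Review bot: The new CMD_ONCE branch in gen_secrets_base decides on `data is None`, but nothing on the new side says what `data` holds; it is assigned above the hunk and gen_secrets_base itself starts outside it, so the link to the docstring promise "value is not changed when doing a regen" is only implicit. A comment on the changed condition would make the contract explicit, e.g. `# CMD_ONCE: run the generator only when nothing is stored yet, so regen keeps the existing value` (regen is a parameter of this function, visible in the hunk header). The same file's read_secret change (`stype in [CMD, CMD_ONCE]`) is consistent with this; the `"desc": "(not provided)"` default in get_secrets_services is a display fallback and raises nothing.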
From: Alex Auvolat Date: Tue, 19 Jan 2021 18:02:00 +0100 Subject: Add a few missing secrets --- app/backup/secrets/backup/id_ed25519 | 1 + app/backup/secrets/backup/id_ed25519.pub | 1 + app/backup/secrets/backup/target_ssh_dir | 1 + app/backup/secrets/backup/target_ssh_fingerprint | 1 + app/backup/secrets/backup/target_ssh_host | 1 + app/backup/secrets/backup/target_ssh_port | 1 + app/backup/secrets/backup/target_ssh_user | 1 + app/garage/secrets/garage/garage-ca.crt | 1 + app/garage/secrets/garage/garage-ca.key | 1 + app/garage/secrets/garage/garage.crt | 1 + app/garage/secrets/garage/garage.key | 1 + 11 files changed, 11 insertions(+) create mode 100644 app/backup/secrets/backup/id_ed25519 create mode 100644 app/backup/secrets/backup/id_ed25519.pub create mode 100644 app/backup/secrets/backup/target_ssh_dir create mode 100644 app/backup/secrets/backup/target_ssh_fingerprint create mode 100644 app/backup/secrets/backup/target_ssh_host create mode 100644 app/backup/secrets/backup/target_ssh_port create mode 100644 app/backup/secrets/backup/target_ssh_user create mode 100644 app/garage/secrets/garage/garage-ca.crt create mode 100644 app/garage/secrets/garage/garage-ca.key create mode 100644 app/garage/secrets/garage/garage.crt create mode 100644 app/garage/secrets/garage/garage.key diff --git a/app/backup/secrets/backup/id_ed25519 b/app/backup/secrets/backup/id_ed25519 new file mode 100644 index 0000000..9d7fd46 --- /dev/null +++ b/app/backup/secrets/backup/id_ed25519 @@ -0,0 +1 @@ +USER_LONG Private ed25519 key of the container doing the backup diff --git a/app/backup/secrets/backup/id_ed25519.pub b/app/backup/secrets/backup/id_ed25519.pub new file mode 100644 index 0000000..0a2ab35 --- /dev/null +++ b/app/backup/secrets/backup/id_ed25519.pub @@ -0,0 +1 @@ +USER Public ed25519 key of the container doing the backup (this key must be in authorized_keys on the backup target host) 
diff --git a/app/backup/secrets/backup/target_ssh_dir b/app/backup/secrets/backup/target_ssh_dir
new file mode 100644
index 0000000..3b2a4da
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_dir
@@ -0,0 +1 @@
+USER Directory where to store backups on target host
diff --git a/app/backup/secrets/backup/target_ssh_fingerprint b/app/backup/secrets/backup/target_ssh_fingerprint
new file mode 100644
index 0000000..608f3ec
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_fingerprint
@@ -0,0 +1 @@
+USER SSH fingerprint of the target machine (format: copy here the corresponding line from your known_hosts file)
diff --git a/app/backup/secrets/backup/target_ssh_host b/app/backup/secrets/backup/target_ssh_host
new file mode 100644
index 0000000..6268f87
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_host
@@ -0,0 +1 @@
+USER Hostname of the backup target host
diff --git a/app/backup/secrets/backup/target_ssh_port b/app/backup/secrets/backup/target_ssh_port
new file mode 100644
index 0000000..309dd38
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_port
@@ -0,0 +1 @@
+USER SSH port number to connect to the target host
diff --git a/app/backup/secrets/backup/target_ssh_user b/app/backup/secrets/backup/target_ssh_user
new file mode 100644
index 0000000..98b3046
--- /dev/null
+++ b/app/backup/secrets/backup/target_ssh_user
@@ -0,0 +1 @@
+USER SSH username to log in as on the target host
diff --git a/app/garage/secrets/garage/garage-ca.crt b/app/garage/secrets/garage/garage-ca.crt
new file mode 100644
index 0000000..8488ab6
--- /dev/null
+++ b/app/garage/secrets/garage/garage-ca.crt
@@ -0,0 +1 @@
+USER_LONG garage-ca.crt (generated with Garage's genkeys.sh script)
diff --git a/app/garage/secrets/garage/garage-ca.key b/app/garage/secrets/garage/garage-ca.key
new file mode 100644
index 0000000..ca3e90c
--- /dev/null
+++ b/app/garage/secrets/garage/garage-ca.key
@@ -0,0 +1 @@
+USER_LONG garage-ca.key (generated with Garage's genkeys.sh script)
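Review bot: The description of `target_ssh_fingerprint` asks for a `known_hosts` line, which is a full host key entry rather than a fingerprint; an operator who reads only the file name may paste a `SHA256:…` fingerprint, which is not usable as a `known_hosts` entry and would leave host verification failing or, worse, lead someone to disable it. A clearer description would be `USER known_hosts entry for the backup target host (the complete line, e.g. 'host ssh-ed25519 AAAA…', not a SHA256 fingerprint)`. How the backup container consumes this value is not shown on this page, so the accepted format should be confirmed against it.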
diff --git a/app/garage/secrets/garage/garage.crt b/app/garage/secrets/garage/garage.crt new file mode 100644 index 0000000..6044ab8 --- /dev/null +++ b/app/garage/secrets/garage/garage.crt @@ -0,0 +1 @@ +USER_LONG garage.crt (generated with Garage's genkeys.sh script) diff --git a/app/garage/secrets/garage/garage.key b/app/garage/secrets/garage/garage.key new file mode 100644 index 0000000..db3cb0e --- /dev/null +++ b/app/garage/secrets/garage/garage.key @@ -0,0 +1 @@ +USER_LONG garage.key (generated with Garage's genkeys.sh script) -- cgit v1.2.3 From 2a0e9720b79313233f7ce7cb4802e6b13c052089 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 10:21:18 +0100 Subject: React to Free changing my IP address --- os/config/production.yml | 18 +++++++++--------- os/config/roles/consul/tasks/main.yml | 2 +- os/config/roles/nomad/tasks/main.yml | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/os/config/production.yml b/os/config/production.yml index 64a7416..210bd35 100644 --- a/os/config/production.yml +++ b/os/config/production.yml 
@@ -1,39 +1,39 @@ cluster_nodes: hosts: - veterini: + datura: ansible_host: atuin.site.deuxfleurs.fr ansible_port: 110 ansible_become: true ipv4: 192.168.1.2 gatewayv4: 192.168.1.254 - ipv6: 2a01:e35:2fdc:dbe0::2 - gatewayv6: 2a01:e35:2fdc:dbe0::1 + ipv6: 2a01:e34:ec5c:dbe0::2 + gatewayv6: 2a01:e34:ec5c:dbe0::1 interface: eno1 dns_1: 212.27.40.240 dns_2: 212.27.40.241 ansible_python_interpreter: python3 - silicareux: + digitale: ansible_host: atuin.site.deuxfleurs.fr ansible_port: 111 ansible_become: true ipv4: 192.168.1.3 gatewayv4: 192.168.1.254 - ipv6: 2a01:e35:2fdc:dbe0::3 - gatewayv6: 2a01:e35:2fdc:dbe0::1 + ipv6: 2a01:e34:ec5c:dbe0::3 + gatewayv6: 2a01:e34:ec5c:dbe0::1 interface: eno1 dns_1: 212.27.40.240 dns_2: 212.27.40.241 ansible_python_interpreter: python3 - wonse: + drosera: ansible_host: atuin.site.deuxfleurs.fr ansible_port: 112 ansible_become: true ipv4: 192.168.1.4 gatewayv4: 192.168.1.254 - ipv6: 2a01:e35:2fdc:dbe0::4 - gatewayv6: 2a01:e35:2fdc:dbe0::1 + ipv6: 2a01:e34:ec5c:dbe0::4 + gatewayv6: 2a01:e34:ec5c:dbe0::1 interface: eno1 dns_1: 212.27.40.240 dns_2: 212.27.40.241 diff --git a/os/config/roles/consul/tasks/main.yml b/os/config/roles/consul/tasks/main.yml index 994ecd7..340d4d7 100644 --- a/os/config/roles/consul/tasks/main.yml +++ b/os/config/roles/consul/tasks/main.yml @@ -1,6 +1,6 @@ - name: "Set consul version" set_fact: - consul_version: 1.9.0 + consul_version: 1.9.1 - name: "Download and install Consul for x86_64" unarchive: diff --git a/os/config/roles/nomad/tasks/main.yml b/os/config/roles/nomad/tasks/main.yml index 625d7b7..1ddedbe 100644 --- a/os/config/roles/nomad/tasks/main.yml +++ b/os/config/roles/nomad/tasks/main.yml @@ -1,6 +1,6 @@ - name: "Set nomad version" set_fact: - nomad_version: 1.0.1 + nomad_version: 1.0.2 - name: "Download and install Nomad for x86_64" unarchive: -- cgit v1.2.3 From 6b91db048dcbc779fbf02e25fb3ba5cda2495292 Mon Sep 17 00:00:00 2001 
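Review bot: The new IPv6 prefix `2a01:e34:ec5c:dbe0` is spelled out eight times across the three hosts (address and gateway each), and the postmortem added later in this series records that the ISP changed this prefix without notice. Keeping the prefix once in a group variable (a name such as `site_ipv6_prefix`, to be chosen) and deriving `ipv6`/`gatewayv6` from it would turn the next renumbering into a one-line change and remove the chance of one host being left on the old prefix. The host renames in the same hunk (veterini→datura, silicareux→digitale, wonse→drosera) are deliberate according to that postmortem, but a short comment above `hosts:` saying that names were changed together with addresses on purpose would spare the next reader a trip through git history.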
From: Quentin Dufour Date: Wed, 20 Jan 2021 10:34:16 +0100 Subject: Ajout du postmortem --- op_guide/postmortem/2020-01-20-changement-ip.md | 40 +++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 op_guide/postmortem/2020-01-20-changement-ip.md diff --git a/op_guide/postmortem/2020-01-20-changement-ip.md b/op_guide/postmortem/2020-01-20-changement-ip.md new file mode 100644 index 0000000..57a88f8 --- /dev/null +++ b/op_guide/postmortem/2020-01-20-changement-ip.md 
@@ -0,0 +1,40 @@ +Le 20 janvier free a changé mon IP, un peu comme partout en France. +Ça concerne l'IPv4 et le préfixe IPv6. +Ici le bon vieux Bortzmoinsbien qui tweet : https://twitter.com/bortzmeyer/status/1351434290916155394 + +Max a update tout de suite l'IPv4 mais avec un TTL de 4h le temps de propagation est grand. +J'ai réduit les entrées sur les IP à 300 secondes, soit 5 minutes, le minimum chez Gandi, à voir si c'est une bonne idée. +Reste à update les IPv6, moins critiques pour le front facing mais utilisées pour le signaling en interne... + +## Le fameux signaling +Ça pose un gros problème avec Nomad (et en moindre mesure avec Consul). +En effet, Nomad utilise l'IPv6 pour communiquer, il faut donc changer les IPs de tous les noeuds. +Problème ! On peut pas faire la migration au fur et à mesure car, changeant d'IP, les noeuds ne seront plus en mesure de communiquer. +On n'a pas envie de supprimer le cluster et d'en créer un nouveau car ça voudrait dire tout redéployer ce qui est long également (tous les fichiers HCL pour Nomad, tout le KV pour consul). +On ne peut pas non plus la faire à la bourrin en stoppant tous les cluster, changer son IP, puis redémarrer. +Enfin si, Consul accepte mais pas Nomad, qui lui va chercher à communiquer avec les anciennes IP et n'arrivera jamais à un consensus. + +Au passage j'en ai profité pour changer le nom des noeuds car la dernière fois, Nomad n'avait PAS DU TOUT apprécié qu'un noeud ayant le même nom change d'IP. Ceci dit, si on utilise de facto le `peers.json` c'est peut être pas problématique. À tester. + +Du coup, après moult réflexions, la silver bullet c'est la fonction outage recovery de nomad (consul l'a aussi au besoin). +Elle est ici : https://learn.hashicorp.com/tutorials/consul/recovery-outage +En gros, il faut arrêter tous les nodes. +Ensuite créer un fichier à ce path : `/var/lib/nomad/server/raft/peers.json` +Ne vous laissez pas perturber par le fichier `peers.info` à côté, il ne faut pas le toucher. 
+Après la grande question c'est de savoir si le cluster est en Raft v2 ou Raft v3. +Bon ben nous on était en Raft v2. Si vous vous trompez, au redémarrage Nomad va crasher avec une sale erreur : + +``` +nomad: failed to start Raft: error="recovery failed to parse peers.json: json: cannot unmarshal string into Go value of type raft.configEntry" +``` + +(je me suis trompé bien sûr). +Voilà, après il ne vous reste plus qu'à redémarrer et suivre les logs, cherchez bien la ligne où il dit qu'il a trouvé le peers.json. + +## Ce qui reste à faire + + - Mettre à jour les entrées DNS IPv6, ce qui devrait créer : + - digitale.machine.deuxfleurs.fr + - datura.machine.deuxfleurs.fr + - drosera.machine.deuxfleurs.fr + - Mettre à jour l'instance garage sur io -- cgit v1.2.3 From 46dce5d917a68d9602a7ea4b4731f8ffa498709f Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 10:34:53 +0100 Subject: fix indent postmortem --- op_guide/postmortem/2020-01-20-changement-ip.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/op_guide/postmortem/2020-01-20-changement-ip.md b/op_guide/postmortem/2020-01-20-changement-ip.md index 57a88f8..ca793f5 100644 --- a/op_guide/postmortem/2020-01-20-changement-ip.md +++ b/op_guide/postmortem/2020-01-20-changement-ip.md @@ -34,7 +34,7 @@ Voilà, après il ne vous reste plus qu'à redémarrer et suivre les logs, cherc ## Ce qui reste à faire - Mettre à jour les entrées DNS IPv6, ce qui devrait créer : - - digitale.machine.deuxfleurs.fr - - datura.machine.deuxfleurs.fr - - drosera.machine.deuxfleurs.fr + - digitale.machine.deuxfleurs.fr + - datura.machine.deuxfleurs.fr + - drosera.machine.deuxfleurs.fr - Mettre à jour l'instance garage sur io -- cgit v1.2.3 From b879be2156177ff475b4c18de6a9a4f8742bc9bc Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 10:49:29 +0100 Subject: Enrichir le postmortem --- op_guide/postmortem/2020-01-20-changement-ip.md | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/op_guide/postmortem/2020-01-20-changement-ip.md b/op_guide/postmortem/2020-01-20-changement-ip.md index ca793f5..21856a9 100644 --- a/op_guide/postmortem/2020-01-20-changement-ip.md +++ b/op_guide/postmortem/2020-01-20-changement-ip.md @@ -31,6 +31,11 @@ nomad: failed to start Raft: error="recovery failed to parse peers.json: json: c (je me suis trompé bien sûr). Voilà, après il ne vous reste plus qu'à redémarrer et suivre les logs, cherchez bien la ligne où il dit qu'il a trouvé le peers.json. +## Les trucs à pas oublier + + - Reconfigurer le backend KV de traefik (à voir à utiliser des DNS plutôt du coup) + - Reconfigurer l'IPv4 publique annoncée à Jitsi + ## Ce qui reste à faire - Mettre à jour les entrées DNS IPv6, ce qui devrait créer : -- cgit v1.2.3 From d3a3867180cbbbf4fb3a5545cc537f5316db16e7 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 10:51:25 +0100 Subject: Public IP changed --- app/jitsi/config/global_env.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/jitsi/config/global_env.tpl b/app/jitsi/config/global_env.tpl index 836a131..d78975d 100644 --- a/app/jitsi/config/global_env.tpl +++ b/app/jitsi/config/global_env.tpl @@ -5,6 +5,6 @@ JITSI_PROSODY_BOSH_PORT={{ env "NOMAD_PORT_bosh_port" }} JITSI_PROSODY_BOSH_HOST=127.0.0.1 JITSI_PROSODY_HOST=127.0.0.1 JITSI_CERTS_FOLDER=/secrets/certs/ -JITSI_NAT_PUBLIC_IP=82.253.205.190 +JITSI_NAT_PUBLIC_IP=78.197.205.190 JITSI_NAT_LOCAL_IP={{ env "NOMAD_IP_video1_port" }} NGINX_PORT={{ env "NOMAD_PORT_https_port" }} -- cgit v1.2.3 From bd9c854a12626e99737b25193b4fc3f11282af5e Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 11:35:54 +0100 Subject: change port due to a strange bug --- app/jitsi/deploy/jitsi.hcl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/jitsi/deploy/jitsi.hcl b/app/jitsi/deploy/jitsi.hcl index 852e1e6..1e625bb 100644 --- a/app/jitsi/deploy/jitsi.hcl +++ b/app/jitsi/deploy/jitsi.hcl 
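Review bot: `JITSI_NAT_PUBLIC_IP` is a literal in a rendered template, and this commit is the second place in the series where an ISP renumbering had to be chased by hand (the postmortem checklist lists it as "Reconfigurer l'IPv4 publique annoncée à Jitsi"). A comment on the line such as `# site public IPv4; must be updated when the ISP renumbers, see op_guide/postmortem/2020-01-20-changement-ip.md` would at least make the dependency findable. The neighbouring values are pulled from the Nomad environment with `env`; whether a comparable source exists for the public address is not visible here.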
@@ -14,7 +14,7 @@ job "jitsi" { port "ext_port" { static = 5347 } port "xmpp_port" { static = 5222 } port "https_port" { } - port "video1_port" { static = 8080 } + port "video1_port" { static = 8081 } port "video2_port" { static = 10000 } } @@ -189,7 +189,7 @@ job "jitsi" { env { #JITSI_DEBUG = 1 - JITSI_VIDEO_TCP = 8080 + JITSI_VIDEO_TCP = 8081 VIDEOBRIDGE_MAX_MEMORY = "1450m" } @@ -205,7 +205,7 @@ job "jitsi" { } service { - tags = [ "jitsi", "(diplonat (tcp_port 8080))" ] + tags = [ "jitsi", "(diplonat (tcp_port 8081))" ] port = "video1_port" address_mode = "host" name = "jitsi-videobridge-video1" -- cgit v1.2.3 From 5dfca7a713ce8322de9b0dbaa55aabb70b6ea585 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 12:53:23 +0100 Subject: fix naming --- app/jitsi/integratio/01_gen_certs.yml | 8 -------- app/jitsi/integratio/02_run.yml | 27 --------------------------- app/jitsi/integratio/README.md | 26 -------------------------- app/jitsi/integratio/dev.env | 10 ---------- app/jitsi/integratio/jitsi-certs/.gitignore | 2 -- app/jitsi/integration/01_gen_certs.yml | 8 ++++++++ app/jitsi/integration/02_run.yml | 27 +++++++++++++++++++++++++++ app/jitsi/integration/README.md | 26 ++++++++++++++++++++++++++ app/jitsi/integration/dev.env | 10 ++++++++++ app/jitsi/integration/jitsi-certs/.gitignore | 2 ++ 10 files changed, 73 insertions(+), 73 deletions(-) delete mode 100644 app/jitsi/integratio/01_gen_certs.yml delete mode 100644 app/jitsi/integratio/02_run.yml delete mode 100644 app/jitsi/integratio/README.md delete mode 100644 app/jitsi/integratio/dev.env delete mode 100644 app/jitsi/integratio/jitsi-certs/.gitignore create mode 100644 app/jitsi/integration/01_gen_certs.yml create mode 100644 app/jitsi/integration/02_run.yml create mode 100644 app/jitsi/integration/README.md create mode 100644 app/jitsi/integration/dev.env create mode 100644 app/jitsi/integration/jitsi-certs/.gitignore 
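Review bot: The videobridge port is now the literal `8081` in three places of the job (the `video1_port` static port, the `JITSI_VIDEO_TCP` env value and the `diplonat (tcp_port 8081)` service tag), and the commit message only says "a strange bug", which leaves the next reader no way to know whether 8080 can ever be restored. A comment at the port definition, e.g. `# 8081: moved from 8080 on 2021-01-20 because <reason, to be filled in>`, would preserve that. The three literals have to be kept in sync by hand; the integration compose file and `dev.env` on this same page still use 8080, which is presumably fine for the local stack but worth a note. The `job "jitsi"` block and the task holding the `env` block start outside these hunks.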
diff --git a/app/jitsi/integratio/01_gen_certs.yml b/app/jitsi/integratio/01_gen_certs.yml deleted file mode 100644 index bf73291..0000000 --- a/app/jitsi/integratio/01_gen_certs.yml +++ /dev/null @@ -1,8 +0,0 @@ -version: '3' -services: - jitsi-xmpp: - image: superboum/amd64_jitsi_xmpp:v2 - command: ["/usr/local/bin/xmpp_gen"] - volumes: [ './jitsi-certs/:/certs:rw' ] - env_file: [ 'dev.env' ] - diff --git a/app/jitsi/integratio/02_run.yml b/app/jitsi/integratio/02_run.yml deleted file mode 100644 index 73eefad..0000000 --- a/app/jitsi/integratio/02_run.yml +++ /dev/null @@ -1,27 +0,0 @@ -version: '3.4' -services: - jitsi-xmpp: - image: superboum/amd64_jitsi_xmpp:v3 - ports: - - "5222:5222" - - "5347:5347" - - "5280:5280" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-meet: - image: superboum/amd64_jitsi_meet:v1 - ports: - - "443:443" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-conference-focus: - image: superboum/amd64_jitsi_conference_focus:v4 - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-videobridge: - image: superboum/amd64_jitsi_videobridge:v14 - ports: - - "8080:8080/tcp" - - "10000:10000/udp" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] diff --git a/app/jitsi/integratio/README.md b/app/jitsi/integratio/README.md deleted file mode 100644 index 70b59fc..0000000 --- a/app/jitsi/integratio/README.md +++ /dev/null @@ -1,26 +0,0 @@ -This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md - -To build images: - -``` -docker-compose -f 02_run.yml build -``` - -To gen the certs: - -``` -docker-compose -f 01_gen_certs.yml up --force-recreate -``` - -To run the stack: - - -``` -docker-compose -f 02_run.yml up --force-recreate -``` - -To push the stack on the docker registry: - -``` -docker-compose -f 02_run.yml push -``` 
diff --git a/app/jitsi/integratio/dev.env b/app/jitsi/integratio/dev.env deleted file mode 100644 index 1dd2122..0000000 --- a/app/jitsi/integratio/dev.env +++ /dev/null @@ -1,10 +0,0 @@ -JITSI_SECRET_VIDEOBRIDGE=S3CR3T01 -JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02 -JITSI_SECRET_JICOFO_USER=S3CR3T03 -JITSI_PROSODY_BOSH_PORT=5280 -JITSI_PROSODY_BOSH_HOST=172.17.0.1 -JITSI_PROSODY_HOST=172.17.0.1 -JITSI_CERTS_FOLDER=/certs/ -JITSI_NAT_PUBLIC_IP=37.164.35.154 -JITSI_NAT_LOCAL_IP=192.168.0.231 -JITSI_VIDEO_TCP=8080 diff --git a/app/jitsi/integratio/jitsi-certs/.gitignore b/app/jitsi/integratio/jitsi-certs/.gitignore deleted file mode 100644 index d6b7ef3..0000000 --- a/app/jitsi/integratio/jitsi-certs/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -* -!.gitignore diff --git a/app/jitsi/integration/01_gen_certs.yml b/app/jitsi/integration/01_gen_certs.yml new file mode 100644 index 0000000..bf73291 --- /dev/null +++ b/app/jitsi/integration/01_gen_certs.yml @@ -0,0 +1,8 @@ +version: '3' +services: + jitsi-xmpp: + image: superboum/amd64_jitsi_xmpp:v2 + command: ["/usr/local/bin/xmpp_gen"] + volumes: [ './jitsi-certs/:/certs:rw' ] + env_file: [ 'dev.env' ] + diff --git a/app/jitsi/integration/02_run.yml b/app/jitsi/integration/02_run.yml new file mode 100644 index 0000000..73eefad --- /dev/null +++ b/app/jitsi/integration/02_run.yml 
@@ -0,0 +1,27 @@ +version: '3.4' +services: + jitsi-xmpp: + image: superboum/amd64_jitsi_xmpp:v3 + ports: + - "5222:5222" + - "5347:5347" + - "5280:5280" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-meet: + image: superboum/amd64_jitsi_meet:v1 + ports: + - "443:443" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-conference-focus: + image: superboum/amd64_jitsi_conference_focus:v4 + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] + jitsi-videobridge: + image: superboum/amd64_jitsi_videobridge:v14 + ports: + - "8080:8080/tcp" + - "10000:10000/udp" + env_file: [ 'dev.env' ] + volumes: [ './jitsi-certs/:/certs:ro' ] diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md new file mode 100644 index 0000000..70b59fc --- /dev/null +++ b/app/jitsi/integration/README.md @@ -0,0 +1,26 @@ +This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md + +To build images: + +``` +docker-compose -f 02_run.yml build +``` + +To gen the certs: + +``` +docker-compose -f 01_gen_certs.yml up --force-recreate +``` + +To run the stack: + + +``` +docker-compose -f 02_run.yml up --force-recreate +``` + +To push the stack on the docker registry: + +``` +docker-compose -f 02_run.yml push +``` diff --git a/app/jitsi/integration/dev.env b/app/jitsi/integration/dev.env new file mode 100644 index 0000000..1dd2122 --- /dev/null +++ b/app/jitsi/integration/dev.env @@ -0,0 +1,10 @@ +JITSI_SECRET_VIDEOBRIDGE=S3CR3T01 +JITSI_SECRET_JICOFO_COMPONENT=S3CR3T02 +JITSI_SECRET_JICOFO_USER=S3CR3T03 +JITSI_PROSODY_BOSH_PORT=5280 +JITSI_PROSODY_BOSH_HOST=172.17.0.1 +JITSI_PROSODY_HOST=172.17.0.1 +JITSI_CERTS_FOLDER=/certs/ +JITSI_NAT_PUBLIC_IP=37.164.35.154 +JITSI_NAT_LOCAL_IP=192.168.0.231 +JITSI_VIDEO_TCP=8080 diff --git a/app/jitsi/integration/jitsi-certs/.gitignore b/app/jitsi/integration/jitsi-certs/.gitignore new file mode 100644 index 0000000..d6b7ef3 
--- /dev/null +++ b/app/jitsi/integration/jitsi-certs/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore -- cgit v1.2.3 From 031f31e91eb3f934032d581989844c8e341042a9 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 15:44:42 +0100 Subject: WIP modernize jitsi conf --- app/docker-compose.yml | 4 +- app/jitsi/build/jitsi-conference-focus/Dockerfile | 7 +- app/jitsi/build/jitsi-conference-focus/jicofo | 9 +- .../sip-communicator.properties | 2 - app/jitsi/integration/README.md | 29 +-- app/jitsi/integration/jicofo.conf | 273 ++++++++++++++++++++ app/jitsi/integration/videobridge.conf | 279 +++++++++++++++++++++ 7 files changed, 570 insertions(+), 33 deletions(-) delete mode 100644 app/jitsi/build/jitsi-conference-focus/sip-communicator.properties create mode 100644 app/jitsi/integration/jicofo.conf create mode 100644 app/jitsi/integration/videobridge.conf diff --git a/app/docker-compose.yml b/app/docker-compose.yml index df7fee4..d734c20 100644 --- a/app/docker-compose.yml +++ b/app/docker-compose.yml @@ -58,7 +58,7 @@ services: # https://github.com/jitsi/jicofo PREFIXV: stable/jitsi-meet_ VERSION: 5390 - image: superboum/amd64_jitsi_conference_focus:v6 + image: superboum/amd64_jitsi_conference_focus:v7 jitsi-videobridge: build: @@ -67,7 +67,7 @@ services: # https://github.com/jitsi/jitsi-videobridge PREFIXV: stable/jitsi-meet_ VERSION: 5390 - image: superboum/amd64_jitsi_videobridge:v16 + image: superboum/amd64_jitsi_videobridge:v17 jitsi-xmpp: build: diff --git a/app/jitsi/build/jitsi-conference-focus/Dockerfile b/app/jitsi/build/jitsi-conference-focus/Dockerfile index e2c459c..f78cc78 100644 --- a/app/jitsi/build/jitsi-conference-focus/Dockerfile +++ b/app/jitsi/build/jitsi-conference-focus/Dockerfile 
@@ -18,10 +18,7 @@ FROM debian:buster RUN apt-get update && \ apt-get install -y openjdk-11-jre-headless ca-certificates -ENV JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/root -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=.sip-communicator -Dnet.java.sip.communicator.SC_LOG_DIR_LOCATION=/var/log/jitsi" - -COPY --from=builder /srv/build /srv/jicofo -COPY jicofo /usr/local/bin/jicofo -COPY sip-communicator.properties /root/.sip-communicator/sip-communicator.properties +COPY --from=builder /srv/build /usr/share/jicofo +COPY jicofo /usr/local/bin CMD ["/usr/local/bin/jicofo"] diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo index 2bc6e3f..1c1f77d 100755 --- a/app/jitsi/build/jitsi-conference-focus/jicofo +++ b/app/jitsi/build/jitsi-conference-focus/jicofo @@ -8,7 +8,14 @@ ${JITSI_PROSODY_HOST} jitsi.deuxfleurs.fr conference.jitsi.deuxfleurs.fr jitsi-v 127.0.0.1 `hostname` EOF -/srv/jicofo/jicofo.sh \ +exec java \ + -Xmx400m \ + -XX:+HeapDumpOnOutOfMemoryError \ + -XX:HeapDumpPath=/tmp \ + -Djdk.tls.ephemeralDHKeySize=2048 \ + -Djava.util.logging.config.file=/srv/jicofo/lib/logging.properties \ + -cp "/usr/share/jicofo/*:/usr/share/jicofo/lib/*" \ + org.jitsi.jicofo.Main \ --host=${JITSI_PROSODY_HOST} \ --domain=jitsi.deuxfleurs.fr \ --secret=${JITSI_SECRET_JICOFO_COMPONENT} \ diff --git a/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties b/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties deleted file mode 100644 index 53c32e2..0000000 --- a/app/jitsi/build/jitsi-conference-focus/sip-communicator.properties +++ /dev/null @@ -1,2 +0,0 @@ -org.jitsi.jicofo.SHORT_ID=1 -org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi.deuxfleurs.fr diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md index 70b59fc..8d81150 100644 --- a/app/jitsi/integration/README.md +++ b/app/jitsi/integration/README.md 
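Review bot: The new `exec java` invocation in app/jitsi/build/jitsi-conference-focus/jicofo points logging at `/srv/jicofo/lib/logging.properties`, but the Dockerfile hunk in this same commit now installs the build under `/usr/share/jicofo` (the `-cp` line two lines below already uses that path), so the logging configuration will not be found at runtime; change it to `-Djava.util.logging.config.file=/usr/share/jicofo/lib/logging.properties`. Separately, `--secret=${JITSI_SECRET_JICOFO_COMPONENT}` stays on the java command line, where it is readable by any process in the container via the process list, and `-XX:HeapDumpPath=/tmp` will write heap dumps that contain in-memory credentials to a world-writable directory; consider pointing the dump path at a dedicated, non-shared directory and moving the credential into the configuration file once one is wired in. The argument list continues past the end of the hunk.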
@@ -1,26 +1,9 @@ -This installation is inspired by: https://github.com/jitsi/jitsi-meet/blob/master/doc/manual-install.md +Extract conf templates: -To build images: +```bash +sudo docker-compose run jitsi-conference-focus bash -c \ + 'apt-get update && apt-get install -y unzip && unzip /srv/jicofo/jicofo.jar && cat reference.conf' -``` -docker-compose -f 02_run.yml build -``` - -To gen the certs: - -``` -docker-compose -f 01_gen_certs.yml up --force-recreate -``` - -To run the stack: - - -``` -docker-compose -f 02_run.yml up --force-recreate -``` - -To push the stack on the docker registry: - -``` -docker-compose -f 02_run.yml push +sudo docker-compose run jitsi-videobridge bash -c \ + 'apt-get update && apt-get install -y unzip && unzip /srv/jvb/jitsi-videobridge.jar && cat reference.conf' ``` diff --git a/app/jitsi/integration/jicofo.conf b/app/jitsi/integration/jicofo.conf new file mode 100644 index 0000000..ecf45fc --- /dev/null +++ b/app/jitsi/integration/jicofo.conf 
@@ -0,0 +1,273 @@ +jicofo { + // Authentication with external services + authentication { + enabled = false + // The type of authentication. Supported values are XMPP, JWT or SHIBBOLETH (default). + type = SHIBBOLETH + + // The pattern of authentication URL. See ShibbolethAuthAuthority for more information. + # login-url = + + # logout-url = + + authentication-lifetime = 24 hours + enable-auto-login = true + } + // Configuration related to jitsi-videobridge + bridge { + // The maximum number of participants in a single conference to put on one bridge (use -1 for no maximum). + max-bridge-participants = -1 + // The assumed maximum packet rate that a bridge can handle. + max-bridge-packet-rate = 50000 + // The assumed average packet rate per participant. + average-participant-packet-rate-pps = 500 + // The assumed average stress per participant. + average-participant-stress = 0.01 + // The assumed time that an endpoint takes to start contributing fully to the load on a bridge. To avoid allocating + // a burst of endpoints to the same bridge, the bridge stress is adjusted by adding the number of new endpoints + // in the last [participant-rampup-time] multiplied by [average-participant-stress]. + participant-rampup-interval = 20 seconds + // The stress level above which a bridge is considered overstressed. + stress-threshold = 0.8 + // The amount of to wait before retrying using a failed bridge. + failure-reset-threshold = 1 minute + // The bridge selection strategy. The built-in strategies are: + // SingleBridgeSelectionStrategy: Use the least loaded bridge, do not split a conference between bridges (Octo). + // SplitBridgeSelectionStrategy: Use a separate bridge for each participant (for testing). + // RegionBasedBridgeSelectionStrategy: Attempt to put each participant in a bridge in their local region (i.e. use + // Octo for geo-location). + // IntraRegionBridgeSelectionStrategy: Use additional bridges when a bridge becomes overloaded (i.e. 
use Octo for + // load balancing). + // + // Additionally, you can use the fully qualified class name for custom BridgeSelectionStrategy implementations. + selection-strategy = SingleBridgeSelectionStrategy + health-checks { + // Whether jicofo should perform periodic health checks to the connected bridges. + enabled = true + // The interval at which to perform health checks. + interval = 10 seconds + // When a health checks times out, jicofo will retry and only consider it fail after the retry fails. This + // configures the delay between the original health check timing out and the second health check being sent. + // It is a duration and defaults to half the [interval]. + # retry-delay = 5 seconds + } + + // The JID of the MUC to be used as a brewery for bridge instances. + brewery-jid = jvbbrewery@example.com + } + // Configure the codecs and RTP extensions to be used in the offer sent to clients. + codec { + video { + vp8 { + enabled = true + pt = 100 + // Payload type for the associated RTX stream. Set to -1 to disable RTX. + rtx-pt = 96 + } + vp9 { + enabled = true + pt = 101 + // Payload type for the associated RTX stream. Set to -1 to disable RTX. + rtx-pt = 97 + } + h264 { + enabled = true + pt = 107 + // Payload type for the associated RTX stream. Set to -1 to disable RTX. + rtx-pt = 99 + } + } + + audio { + isac-16000 { + enabled = true + pt = 103 + } + isac-32000 { + enabled = true + pt = 104 + } + opus { + enabled = true + pt = 111 + minptime = 10 + use-inband-fec = true + red { + enabled = false + pt = 112 + } + } + telephone-event { + enabled = true + pt = 126 + } + } + + // RTP header extensions + rtp-extensions { + audio-level { + enabled = true + id = 1 + } + tof { + // TOF is currently disabled, because we don't support it in the bridge + // (and currently clients seem to not use it when abs-send-time is + // available). 
+ enabled = false + id = 2 + } + abs-send-time { + enabled = true + id = 3 + } + rid { + enabled = false + id = 4 + } + tcc { + enabled = true + id = 5 + } + video-content-type { + enabled = false + id = 7 + } + framemarking { + enabled = false + id = 9 + } + } + } + + conference { + // Whether to automatically grant the 'owner' role to the first participant in the conference (and subsequently to + // the next in line when the current owner leaves). + enable-auto-owner = true + + // How long to wait for the initial participant in a conference. + initial-timeout = 15 seconds + + // Whether jicofo should inject a random SSRC for endpoints which don't advertise any SSRCs. This is a temporary + // workaround for an issue with signaling endpoints for Octo. + inject-ssrc-for-recv-only-endpoints = false + + max-ssrcs-per-user = 20 + + // How long a participant's media session will be kept alive once it remains the only participant in the room. + single-participant-timeout = 20 seconds + + // The minimum number of participants required for the conference to be started. + min-participants = 2 + + // Experimental. + enable-lip-sync = false + + shared-document { + // If `true` the shared document uses a random name. Otherwise, it uses the conference name. + use-random-name = false + } + } + + // Configuration for the internal health checks performed by jicofo. + health { + // Whether to perform health checks. + enabled = false + + // The interval between health checks. If set to 0, periodic health checks will not be performed. + interval = 10 seconds + + # The timeout for a health check + timeout = 30 seconds + + # If performing a health check takes longer than this, it is considered unsuccessful. + max-check-duration = 20 seconds + + # The prefix to use when creating MUC rooms for the purpose of health checks. + room-name-prefix = "__jicofo-health-check" + } + + jibri { + // The JID of the MUC to be used as a brewery for jibri instances for streaming. 
+ # brewery-jid = "jibribrewery@example.com" + + // How many times to retry a given Jibri request before giving up. Set to -1 to allow infinite retries. + num-retries = 5 + + // How long to wait for Jibri to start recording from the time it accepts a START request. + pending-timeout = 90 seconds + } + + jibri-sip { + // The JID of the MUC to be used as a brewery for jibri instances for SIP. + # brewery-jid = "jibrisipbrewery@example.com" + } + + jigasi { + // The JID of the MUC to be used as a brewery for jigasi instances. + # brewery-jid = "jigasibrewery@example.com" + } + + // The region in which the machine is running. + #local-region="us-east-1" + + octo { + // Whether or not to use Octo. Note that when enabled, its use will be determined by + // $jicofo.bridge.selection-strategy. + enabled = true + + // An identifier of the Jicofo instance, used for the purpose of generating conference IDs unique across a set of + // Jicofo instances. Valid values are [1, 65535]. The value 0 is used when none is explicitly configured. + #id = 1234 + } + + rest { + port = 8888 + tls-port = 8843 + } + + sctp { + // Whether to allocate SCTP channels on the bridge (only when the client advertises support, and SCTP is + // enabled in the per-conference configuration). + enabled = true + } + + task-pools { + shared-pool-max-threads = 1500 + } + + xmpp { + // The separate XMPP connection used for communication with clients (endpoints). + client { + enabled = true + hostname = "localhost" + port = 5222 + #domain = + username = "focus" + #password = + + // How long to wait for a response to a stanza before giving up. + reply-timeout = 15 seconds + + // The JID/domain of the MUC service used for conferencing. + # conference-muc-jid = conference.example.com + + // A flag to suppress the TLS certificate verification. + disable-certificate-verification = false + } + // The separate XMPP connection used for internal services (currently only jitsi-videobridge). 
+ service { + enabled = false + hostname = "localhost" + port = 6222 + #domain = + #username = + #password = + + // How long to wait for a response to a stanza before giving up. + reply-timeout = 15 seconds + + // A flag to suppress the TLS certificate verification. + disable-certificate-verification = false + } + } +} diff --git a/app/jitsi/integration/videobridge.conf b/app/jitsi/integration/videobridge.conf new file mode 100644 index 0000000..2e2548b --- /dev/null +++ b/app/jitsi/integration/videobridge.conf 
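Review bot: `brewery-jid = jvbbrewery@example.com` in the new app/jitsi/integration/jicofo.conf is not a valid HOCON unquoted string, because `@` is one of the characters HOCON forbids there, so the file will fail to parse as soon as it is actually loaded; quote it: `brewery-jid = "jvbbrewery@example.com"`. The rest of the file appears to be the upstream reference.conf with its placeholders intact (`xmpp.client.hostname = "localhost"`, the commented `#password =`, `example.com` JIDs), and `rest { port = 8888 tls-port = 8843 }` carries no bind address, so when this becomes the live configuration those values must be overridden and the REST listener restricted to a trusted interface or firewalled. A header comment naming which keys are deliberately left at upstream defaults and which are templated per deployment, e.g. `// Copied from jicofo reference.conf; xmpp.client.* and bridge.brewery-jid are set per deployment`, would make that split auditable.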
@@ -0,0 +1,279 @@ +videobridge { + entity-expiration { + # If an entity has no activity after this timeout, it is expired + timeout=1 minute + + # The interval at which the videobridge will check for expired entities + check-interval=${videobridge.entity-expiration.timeout} + } + health { + # The interval between health checks + interval=10 seconds + + # The timeout for a health check + timeout=30 seconds + + # If performing a health check takes longer than this, it is considered unsuccessful. + max-check-duration=3 seconds + + # Whether or not health check failures should be 'sticky' + # (i.e. once the bridge becomes unhealthy, it will never + # go back to a healthy state) + sticky-failures=false + } + ep-connection-status { + # How long we'll wait for an endpoint to *start* sending + # data before we consider it 'inactive' + first-transfer-timeout=15 seconds + + # How long an endpoint can be 'inactive' before it will + # be considered disconnected + max-inactivity-limit=3 seconds + + # How often we check endpoint's connectivity status + check-interval=500 milliseconds + } + cc { + bwe-change-threshold=0.15 + thumbnail-max-height-px=180 + onstage-ideal-height-px=1080 + onstage-preferred-height-px=360 + onstage-preferred-framerate=30 + enable-onstage-video-suspend=false + trust-bwe=true + + # How often we check to send probing data + padding-period=15ms + + # How often we'll force recalculations of forwarded + # streams + max-time-between-calculations = 15 seconds + + # A JVB-wide last-n value, observed by all endpoints. Endpoints + # will take the minimum of their setting and this one (-1 implies + # no last-n limit) + jvb-last-n = -1 + } + # The APIs by which the JVB can be controlled + apis { + xmpp-client { + # The interval at which presence is published in the configured MUCs. 
+ presence-interval = ${videobridge.stats.interval} + + configs { + # example-connection-id { + # For the properties which should be + # filled out here, see MucClientConfiguration + # } + } + } + # The COLIBRI REST API + rest { + enabled = false + } + jvb-api { + enabled = false + } + } + # Configuration of the different REST APIs. + # Note that the COLIBRI REST API is configured under videobridge.apis.rest instead. + rest { + debug { + enabled = true + } + health { + enabled = true + } + shutdown { + # Note that the shutdown API requires the COLIBRI API to also be enabled. + enabled = false + } + version { + enabled = true + } + } + http-servers { + # The HTTP server which hosts services intended for 'public' use + # (e.g. websockets for the bridge channel connection) + public { + # See JettyBundleActivatorConfig in Jicoco for values + port = -1 + tls-port = -1 + } + # The HTTP server which hosts services intended for 'private' use + # (e.g. health or debug stats) + private { + # See JettyBundleActivatorConfig in Jicoco for values + host = 127.0.0.1 + } + } + octo { + # Whether or not Octo is enabled + enabled=false + + # A string denoting the 'region' of this JVB. This region + # will be used by Jicofo in the selection of a bridge for + # a client by comparing it to the client's region. + # Must be set when 'enabled' is true + #region="us-west-1" + + # The address on which the Octo relay should bind + # Must be set when 'enabled' is true + #bind-address=198.51.100.1 + + # The port to which the Octo relay should bind + bind-port=4096 + + # The address which controls the public address which + # will be part of the Octo relayId + #public-address=198.51.100.1 + + # The size of the incoming octo queue. This queue is per-remote-endpoint, + # so it matches what we use for local endpoints + recv-queue-size=1024 + + # The size of the outgoing octo queue. 
This is a per-originating-endpoint + # queue, so assuming all packets are routed (as they currently are for Octo) + # it should be the same size as the transceiver recv queue in + # jitsi-media-transform. Repeating the description from there: + # Assuming 300pps for high-definition, 200pps for standard-definition, + # 100pps for low-definition and 50pps for audio, this queue is fed + # 650pps, so its size in terms of millis is 1024/650*1000 ~= 1575ms. + send-queue-size=1024 + } + load-management { + # Whether or not the reducer will be enabled to take actions to mitigate load + reducer-enabled = false + load-measurements { + packet-rate { + # The packet rate at which we'll consider the bridge overloaded + load-threshold = 50000 + # The packet rate at which we'll consider the bridge 'underloaded' enough + # to start recovery + recovery-threshold = 40000 + } + } + load-reducers { + last-n { + # The factor by which we'll reduce the current last-n when trying to reduce load + reduction-scale = .75 + # The factor by which we'll increase the current last-n when trying to recover + recover-scale = 1.25 + # The minimum time in between runs of the last-n reducer to reduce or recover from + # load + impact-time = 1 minute + # The lowest value we'll set for last-n + minimum-last-n-value = 0 + # The highest last-n value we'll enforce. Once the enforced last-n exceeds this value + # we'll remove the limit entirely + maximum-enforced-last-n-value = 40 + } + } + } + sctp { + # Whether SCTP data channels are enabled. + enabled=true + } + stats { + # Whether periodic collection of statistics is enabled or not. When enabled they are accessible through the REST + # API (at `/colibri/stats`), and are available to other modules (e.g. to be pushed to callstats or in a MUC). + enabled = false + + # The interval at which stats are gathered. + interval = 5 seconds + + # Configuration related to pushing statistics to callstats.io. 
+ callstats { + # An integer application ID (use 0 to disable pushing stats to callstats). + app-id = 0 + + # The shared secred to authentication with callstats.io. + //app-secret = "s3cret" + + # ID of the key that was used to generate token. + //key-id = "abcd" + + # The path to private key file. + //key-path = "/etc/jitsi/videobridge/ecpriv.jwk" + + # The ID of the server instance to be used when reporting to callstats. + bridge-id = "jitsi" + + # TODO: document + //conference-id-prefix = "abcd" + + # The interval at which statististics will be published to callstats. This affects both per-conference and global + # statistics. + # Note that this value will be overriden if a "callstatsio" transport is defined in the parent "stats" section. + interval = ${videobridge.stats.interval} + } + } + websockets { + enabled=false + server-id="default-id" + + # Optional, even when 'enabled' is set to true + # tls=true + # Must be set when enabled = true + #domain="some-domain" + } + ice { + tcp { + # Whether ICE/TCP is enabled. + enabled = false + + # The port to bind to for ICE/TCP. + port = 443 + + # An optional additional port to advertise. + # mapped-port = 8443 + # Whether to use "ssltcp" or plain "tcp". + ssltcp = true + } + + udp { + # The port for ICE/UDP. + port = 10000 + } + + # An optional prefix to include in STUN username fragments generated by the bridge. + #ufrag-prefix = "jvb-123:" + + # Which candidate pairs to keep alive. The accepted values are defined in ice4j's KeepAliveStrategy: + # "selected_and_tcp", "selected_only", or "all_succeeded". + keep-alive-strategy = "selected_and_tcp" + + # Whether to use the "component socket" feature of ice4j. + use-component-socket = true + + # Whether to attempt DNS resolution for remote candidates that contain a non-literal address. When set to 'false' + # such candidates will be ignored. + resolve-remote-candidates = false + + # The nomination strategy to use for ICE. 
THe accepted values are defined in ice4j's NominationStrategy: + # "NominateFirstValid", "NominateHighestPriority", "NominateFirstHostOrReflexiveValid", or "NominateBestRTT". + nomination-strategy = "NominateFirstValid" + } + + transport { + send { + # The size of the dtls-transport outgoing queue. This is a per-participant + # queue. Packets from the egress end-up in this queue right before + # transmission by the outgoing srtp pipeline (which mainly consists of the + # packet sender). + # + # Its size needs to be of the same order of magnitude as the rtp sender + # queue. In a 100 participant call, assuming 300pps for the on-stage and + # 100pps for low-definition, last-n 20 and 2 participants talking, so + # 2*50pps for audio, this queue is fed 300+19*100+2*50 = 2300pps, so its + # size in terms of millis is 1024/2300*1000 ~= 445ms. + queue-size=1024 + } + } + + version { + // Wheather to announe the jitsi-videobridge version to clients in the ServerHello message. + announce = false + } +} + -- cgit v1.2.3 From 3e7dc8b49dabe1c3613b2bd5063920585efb5c2e Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 15:54:17 +0100 Subject: Fix conf links --- app/jitsi/integration/README.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md index 8d81150..b4c4354 100644 --- a/app/jitsi/integration/README.md +++ b/app/jitsi/integration/README.md 
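Review bot: `apis.xmpp-client.configs { }` in the new app/jitsi/integration/videobridge.conf is left empty, so the bridge has no MUC client connection and will never join the brewery that jicofo.conf names in `bridge.brewery-jid`; a connection entry (including its XMPP username and password) has to be supplied before the bridge is reachable by jicofo. Because that entry carries a credential, it should be rendered from a secret source at deploy time rather than committed to this tracked file, and the same applies to the commented `callstats` keys (`app-secret`, `key-path`). `rest.debug.enabled = true` exposes the debug endpoints; per the file's own comments they are served by the `private` http-server bound to `127.0.0.1`, so this is acceptable only as long as that binding is kept, which is worth stating next to `enabled = true`. `stats.enabled = false` while `xmpp-client.presence-interval = ${videobridge.stats.interval}` suggests the MUC presence will carry no load statistics; confirm jicofo's bridge selection does not rely on them with this setting.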
@@ -1,9 +1,4 @@ -Extract conf templates: +Base conf: -```bash -sudo docker-compose run jitsi-conference-focus bash -c \ - 'apt-get update && apt-get install -y unzip && unzip /srv/jicofo/jicofo.jar && cat reference.conf' - -sudo docker-compose run jitsi-videobridge bash -c \ - 'apt-get update && apt-get install -y unzip && unzip /srv/jvb/jitsi-videobridge.jar && cat reference.conf' -``` + - [videobridge.conf](https://github.com/jitsi/jitsi-videobridge/blob/master/jvb/src/main/resources/reference.conf) + - [jicofo.conf](https://github.com/jitsi/jicofo/blob/master/src/main/resources/reference.conf) -- cgit v1.2.3 From 6adb551db44dad3043a12cbccda5a09f43051d93 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 20 Jan 2021 16:02:58 +0100 Subject: More info in README --- app/jitsi/integration/README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md index b4c4354..725a9dc 100644 --- a/app/jitsi/integration/README.md +++ b/app/jitsi/integration/README.md @@ -1,4 +1,32 @@ +## About Jitsi + +Several server components: + - prosody XMPP (ext) + - jitsi videobridge aka JVB + - jitsi conference focus aka jicofo aka focus + - jitsi meet + - octo + - jigasi + - jibri + - etc. + +Some libs: + - libjitsi + - jicoco + - jitsi-utils + - etc. + +Client components: + - jitsi meet electron + - jitsi android/ios + - etc. + +## Conf + Base conf: - [videobridge.conf](https://github.com/jitsi/jitsi-videobridge/blob/master/jvb/src/main/resources/reference.conf) - [jicofo.conf](https://github.com/jitsi/jicofo/blob/master/src/main/resources/reference.conf) + +the following is used in videobridge.conf: +[jicoco/MucClientConfiguration](https://github.com/jitsi/jicoco/blob/master/jicoco/src/main/java/org/jitsi/xmpp/mucclient/MucClientConfiguration.java) -- cgit v1.2.3 From 07765e84561a87a02e4a82a8ea6212f0ffe3b1e3 Mon Sep 17 00:00:00 2001 
From: Quentin Dufour Date: Thu, 21 Jan 2021 10:11:43 +0100 Subject: Add resources --- app/jitsi/integration/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md index 725a9dc..261f71d 100644 --- a/app/jitsi/integration/README.md +++ b/app/jitsi/integration/README.md @@ -30,3 +30,8 @@ Base conf: the following is used in videobridge.conf: [jicoco/MucClientConfiguration](https://github.com/jitsi/jicoco/blob/master/jicoco/src/main/java/org/jitsi/xmpp/mucclient/MucClientConfiguration.java) + +## Resources to understand jitsi + + - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst) + - [videobridge/debian/postinst](https://github.com/jitsi/jitsi-videobridge/blob/master/debian/postinst) -- cgit v1.2.3 From ebb772e5ba26944ac002c236d33ef164e91c6a7d Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Thu, 28 Jan 2021 17:02:10 +0100 Subject: Fix ansible inventory + Fix jicofo's hocon conf + fix jicofo's dockerfile --- app/jitsi/build/jitsi-conference-focus/jicofo | 3 ++- app/jitsi/integration/README.md | 7 +++++++ app/jitsi/integration/jicofo.conf | 2 +- app/jitsi/integration/videobridge.conf | 4 ++-- os/config/production.yml | 2 +- 5 files changed, 13 insertions(+), 5 deletions(-) diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo index 1c1f77d..bfc54f6 100755 --- a/app/jitsi/build/jitsi-conference-focus/jicofo +++ b/app/jitsi/build/jitsi-conference-focus/jicofo @@ -13,7 +13,8 @@ exec java \ -XX:+HeapDumpOnOutOfMemoryError \ -XX:HeapDumpPath=/tmp \ -Djdk.tls.ephemeralDHKeySize=2048 \ - -Djava.util.logging.config.file=/srv/jicofo/lib/logging.properties \ + -Djava.util.logging.config.file=/usr/share/jicofo/lib/logging.properties \ + -Dconfig.file=/etc/jitsi/jicofo.conf \ -cp "/usr/share/jicofo/*:/usr/share/jicofo/lib/*" \ org.jitsi.jicofo.Main \ --host=${JITSI_PROSODY_HOST} \ 
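Review bot: `-Dconfig.file=/etc/jitsi/jicofo.conf` is added in app/jitsi/build/jitsi-conference-focus/jicofo, but the Dockerfile for this image (visible in an earlier commit on this page) copies only the build output and this launcher, so the file has to arrive by bind mount or template at run time, and it is unclear from this hunk whether startup fails loudly when it is absent; a guard before `exec java` such as `[ -r /etc/jitsi/jicofo.conf ] || { echo "missing /etc/jitsi/jicofo.conf" >&2; exit 1; }` would make the dependency explicit. The same connection settings are still also passed as `--host`/`--secret` arguments on the following lines, so until those are removed a comment stating which source takes precedence would help the next operator. The java argument list continues outside the hunk.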
diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md index 261f71d..315b5de 100644 --- a/app/jitsi/integration/README.md +++ b/app/jitsi/integration/README.md @@ -31,6 +31,13 @@ Base conf: the following is used in videobridge.conf: [jicoco/MucClientConfiguration](https://github.com/jitsi/jicoco/blob/master/jicoco/src/main/java/org/jitsi/xmpp/mucclient/MucClientConfiguration.java) +How the new configuration is read in jicoco: +https://github.com/jitsi/jicoco/blob/master/jicoco-config/src/main/kotlin/org/jitsi/config/JitsiConfig.kt#L83-L91 +They use this library: https://github.com/lightbend/config +We are particularly interested by: https://github.com/lightbend/config#standard-behavior +Using 'application.conf' with classpath does not seem to work. +But, specifying the file path as `-Dconfig.file=/etc/jitsi/jicofo.conf` works! + ## Resources to understand jitsi - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst) diff --git a/app/jitsi/integration/jicofo.conf b/app/jitsi/integration/jicofo.conf index ecf45fc..2351cde 100644 --- a/app/jitsi/integration/jicofo.conf +++ b/app/jitsi/integration/jicofo.conf @@ -53,7 +53,7 @@ jicofo { } // The JID of the MUC to be used as a brewery for bridge instances. - brewery-jid = jvbbrewery@example.com + brewery-jid = "jvbbrewery@example.com" } // Configure the codecs and RTP extensions to be used in the offer sent to clients. codec { diff --git a/app/jitsi/integration/videobridge.conf b/app/jitsi/integration/videobridge.conf index 2e2548b..e9bded0 100644 --- a/app/jitsi/integration/videobridge.conf +++ b/app/jitsi/integration/videobridge.conf @@ -220,10 +220,10 @@ videobridge { ice { tcp { # Whether ICE/TCP is enabled. - enabled = false + enabled = true # The port to bind to for ICE/TCP. - port = 443 + port = 8080 # An optional additional port to advertise. # mapped-port = 8443 diff --git a/os/config/production.yml b/os/config/production.yml index 210bd35..8870b52 100644 
--- a/os/config/production.yml +++ b/os/config/production.yml @@ -40,7 +40,7 @@ cluster_nodes: ansible_python_interpreter: python3 io: - ansible_host: pluton.site.deuxfleurs.fr + ansible_host: jupiter.site.deuxfleurs.fr ansible_port: 110 ansible_become: true ipv4: 192.168.1.2 -- cgit v1.2.3 From 7b57ff72a918ca295e2b00e76da33eec700c6a2a Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Thu, 28 Jan 2021 17:52:41 +0100 Subject: Simplify prosody too --- app/jitsi/build/jitsi-conference-focus/Dockerfile | 1 + app/jitsi/build/jitsi-conference-focus/jicofo | 7 +- app/jitsi/build/jitsi-xmpp/Dockerfile | 10 +- .../build/jitsi-xmpp/external_components.cfg.lua | 2 - app/jitsi/build/jitsi-xmpp/xmpp_conf | 49 ---- app/jitsi/build/jitsi-xmpp/xmpp_gen | 5 - app/jitsi/build/jitsi-xmpp/xmpp_run | 18 +- app/jitsi/integration/README.md | 8 + app/jitsi/integration/dev.env | 10 - app/jitsi/integration/jicofo.conf | 273 -------------------- app/jitsi/integration/jicofo/jicofo.conf | 273 ++++++++++++++++++++ app/jitsi/integration/jitsi-certs/.gitignore | 2 - app/jitsi/integration/jvb/videobridge.conf | 279 +++++++++++++++++++++ app/jitsi/integration/prosody/prosody.cfg.lua | 34 +++ app/jitsi/integration/videobridge.conf | 279 --------------------- 15 files changed, 605 insertions(+), 645 deletions(-) delete mode 100644 app/jitsi/build/jitsi-xmpp/external_components.cfg.lua delete mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_conf delete mode 100644 app/jitsi/integration/dev.env delete mode 100644 app/jitsi/integration/jicofo.conf create mode 100644 app/jitsi/integration/jicofo/jicofo.conf delete mode 100644 app/jitsi/integration/jitsi-certs/.gitignore create mode 100644 app/jitsi/integration/jvb/videobridge.conf create mode 100644 app/jitsi/integration/prosody/prosody.cfg.lua delete mode 100644 app/jitsi/integration/videobridge.conf diff --git a/app/jitsi/build/jitsi-conference-focus/Dockerfile b/app/jitsi/build/jitsi-conference-focus/Dockerfile index f78cc78..e67b3de 100644 
--- a/app/jitsi/build/jitsi-conference-focus/Dockerfile +++ b/app/jitsi/build/jitsi-conference-focus/Dockerfile @@ -20,5 +20,6 @@ RUN apt-get update && \ COPY --from=builder /srv/build /usr/share/jicofo COPY jicofo /usr/local/bin +ENV JICOFO_SECRET=IAMDEPRECATED CMD ["/usr/local/bin/jicofo"] diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo index bfc54f6..31cd9c4 100755 --- a/app/jitsi/build/jitsi-conference-focus/jicofo +++ b/app/jitsi/build/jitsi-conference-focus/jicofo @@ -16,9 +16,4 @@ exec java \ -Djava.util.logging.config.file=/usr/share/jicofo/lib/logging.properties \ -Dconfig.file=/etc/jitsi/jicofo.conf \ -cp "/usr/share/jicofo/*:/usr/share/jicofo/lib/*" \ - org.jitsi.jicofo.Main \ - --host=${JITSI_PROSODY_HOST} \ - --domain=jitsi.deuxfleurs.fr \ - --secret=${JITSI_SECRET_JICOFO_COMPONENT} \ - --user_domain=auth.jitsi.deuxfleurs.fr \ - --user_password=${JITSI_SECRET_JICOFO_USER} + org.jitsi.jicofo.Main diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile index f3dcd36..a682984 100644 --- a/app/jitsi/build/jitsi-xmpp/Dockerfile +++ b/app/jitsi/build/jitsi-xmpp/Dockerfile @@ -5,9 +5,15 @@ ARG VERSION RUN apt-get update && \ apt-get install -y prosody=${VERSION} -COPY external_components.cfg.lua /etc/prosody/conf.d/external_components.cfg.lua -COPY xmpp_conf /usr/local/bin/xmpp_conf +mkdir -p /usr/local/share/ca-certificates/ +ln -sf \ + /var/lib/prosody/auth.jitsi.crt \ + /usr/local/share/ca-certificates/auth.jitsi.crt + COPY xmpp_gen /usr/local/bin/xmpp_gen COPY xmpp_run /usr/local/bin/xmpp_run +USER prosody +RUN mkdir /run/prosody && touch /run/prosody/prosody.pid +WORKDIR /var/lib/prosody CMD ["/usr/local/bin/xmpp_run"] diff --git a/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua b/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua deleted file mode 100644 index beaaa87..0000000 --- a/app/jitsi/build/jitsi-xmpp/external_components.cfg.lua +++ /dev/null 
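Review bot: `ENV JICOFO_SECRET=IAMDEPRECATED` in app/jitsi/build/jitsi-conference-focus/Dockerfile bakes a secret-named value into the image configuration, where it is visible to anyone holding the image via `docker inspect` and is inherited by every container started from it. If this jicofo version merely requires the variable to be non-empty, say so in place, e.g. `# JICOFO_SECRET is no longer consulted by this jicofo version; dummy value only so startup does not abort`; if it is still read as the XMPP component secret, it must be injected at run time rather than set here.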
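Review bot: The lines `mkdir -p /usr/local/share/ca-certificates/` and `ln -sf ...` added to app/jitsi/build/jitsi-xmpp/Dockerfile are bare shell rather than Dockerfile instructions, so `docker build` will reject them; they need to be one instruction, `RUN mkdir -p /usr/local/share/ca-certificates/ && ln -sf /var/lib/prosody/auth.jitsi.crt /usr/local/share/ca-certificates/auth.jitsi.crt`. A symlink in that directory does not add the certificate to the system trust bundle until `update-ca-certificates` runs, and at build time the link target does not exist yet, so the update has to happen at container start after the certificate is generated. `RUN mkdir /run/prosody && touch /run/prosody/prosody.pid` is placed after `USER prosody`, so it runs unprivileged and will likely fail on `/run`; move that `RUN` above the `USER` line.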
@@ -1,2 +0,0 @@ -component_ports = { 5347 } -component_interface = "0.0.0.0" diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_conf b/app/jitsi/build/jitsi-xmpp/xmpp_conf deleted file mode 100755 index 34b2cb3..0000000 --- a/app/jitsi/build/jitsi-xmpp/xmpp_conf +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/bash - -cat >> /etc/hosts < /etc/prosody/conf.avail/jitsi.deuxfleurs.fr.cfg.lua < Date: Thu, 28 Jan 2021 18:55:56 +0100 Subject: WIP integration jitsi --- app/docker-compose.yml | 2 +- app/jitsi/build/jitsi-xmpp/Dockerfile | 19 ++++++----- app/jitsi/build/jitsi-xmpp/xmpp_gen | 4 --- app/jitsi/build/jitsi-xmpp/xmpp_prosody | 5 +++ app/jitsi/build/jitsi-xmpp/xmpp_root | 4 +++ app/jitsi/build/jitsi-xmpp/xmpp_run | 4 --- app/jitsi/integration/01_gen_certs.yml | 8 ----- app/jitsi/integration/02_run.yml | 27 --------------- app/jitsi/integration/README.md | 6 ++++ app/jitsi/integration/docker-compose.yml | 22 ++++++++++++ app/jitsi/integration/prosody/accounts.txt | 2 ++ app/jitsi/integration/prosody/prosody.cfg.lua | 49 +++++++++++++++++++++------ 12 files changed, 89 insertions(+), 63 deletions(-) delete mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_gen create mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_prosody create mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_root delete mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_run delete mode 100644 app/jitsi/integration/01_gen_certs.yml delete mode 100644 app/jitsi/integration/02_run.yml create mode 100644 app/jitsi/integration/docker-compose.yml create mode 100644 app/jitsi/integration/prosody/accounts.txt diff --git a/app/docker-compose.yml b/app/docker-compose.yml index d734c20..d8a6ab2 100644 --- a/app/docker-compose.yml +++ b/app/docker-compose.yml @@ -74,7 +74,7 @@ services: context: ./jitsi/build/jitsi-xmpp args: VERSION: 0.11.2-1 - image: superboum/amd64_jitsi_xmpp:v8 + image: superboum/amd64_jitsi_xmpp:v9 plume: build: 
diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile index a682984..b32953a 100644 --- a/app/jitsi/build/jitsi-xmpp/Dockerfile +++ b/app/jitsi/build/jitsi-xmpp/Dockerfile @@ -5,15 +5,16 @@ ARG VERSION RUN apt-get update && \ apt-get install -y prosody=${VERSION} -mkdir -p /usr/local/share/ca-certificates/ -ln -sf \ - /var/lib/prosody/auth.jitsi.crt \ - /usr/local/share/ca-certificates/auth.jitsi.crt +RUN mkdir -p /usr/local/share/ca-certificates/ && \ + ln -sf \ + /var/lib/prosody/certs/auth.jitsi.crt \ + /usr/local/share/ca-certificates/auth.jitsi.crt && \ + mkdir /run/prosody && \ + touch /run/prosody/prosody.pid && \ + mkdir -p /var/lib/prosody -COPY xmpp_gen /usr/local/bin/xmpp_gen -COPY xmpp_run /usr/local/bin/xmpp_run +COPY xmpp_root /usr/local/bin/xmpp_root +COPY xmpp_prosody /usr/local/bin/xmpp_prosody -USER prosody -RUN mkdir /run/prosody && touch /run/prosody/prosody.pid WORKDIR /var/lib/prosody -CMD ["/usr/local/bin/xmpp_run"] +CMD ["/usr/local/bin/xmpp_root"] diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_gen b/app/jitsi/build/jitsi-xmpp/xmpp_gen deleted file mode 100755 index a66aad8..0000000 --- a/app/jitsi/build/jitsi-xmpp/xmpp_gen +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -prosodyctl cert generate jitsi.deuxfleurs.fr -prosodyctl cert generate auth.jitsi.deuxfleurs.fr diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_prosody b/app/jitsi/build/jitsi-xmpp/xmpp_prosody new file mode 100755 index 0000000..1101302 --- /dev/null +++ b/app/jitsi/build/jitsi-xmpp/xmpp_prosody @@ -0,0 +1,5 @@ +#!/bin/bash +chown -R prosody:prosody /var/lib/prosody /etc/prosody /run/prosody + +cat /etc/prosody/accounts.txt | xargs -n3 prosodyctl register +exec prosody diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_root b/app/jitsi/build/jitsi-xmpp/xmpp_root new file mode 100755 index 0000000..293915f --- /dev/null +++ b/app/jitsi/build/jitsi-xmpp/xmpp_root 
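Review bot: Dropping `USER prosody` makes the container start as root and rely on the `xmpp_root` wrapper to drop privileges; the `RUN` in this hunk already creates `/run/prosody` and `/var/lib/prosody` at build time, so appending `chown -R prosody:prosody /var/lib/prosody /run/prosody` to it would let `USER prosody` stay and `CMD` point straight at `xmpp_prosody`, with no root stage in the running container at all. The CA symlink now targets `/var/lib/prosody/certs/auth.jitsi.crt`, while the integration `docker-compose.yml` added in this commit mounts the certificate at `/var/lib/prosody/auth.jitsi.crt` and `prosody.cfg.lua` reads it from there too, so the link presumably dangles; align the path on one side or the other.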
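Review bot: `chown -R prosody:prosody /var/lib/prosody /etc/prosody /run/prosody` in `xmpp_prosody` runs after `xmpp_root` has already switched to the `prosody` user, where it can only fail or be a no-op, so drop it here; it is also the step that hands the service account write access to its own configuration under `/etc/prosody`, which it does not need to run. `cat /etc/prosody/accounts.txt | xargs -n3 prosodyctl register` passes every password as a command-line argument, visible through `/proc` to anything else in the container while the call runs, and a blank or malformed line shifts all following arguments by one. Without `set -e` a failed registration falls through to `exec prosody` unnoticed; before adding `set -euo pipefail`, check how `prosodyctl register` exits on a restart when the account already exists, since that case must not block startup.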
@@ -0,0 +1,4 @@ +#!/bin/bash + +chown -R prosody:prosody /var/lib/prosody /etc/prosody /run/prosody +exec su -s /bin/bash -c /usr/local/bin/xmpp_prosody - prosody diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_run b/app/jitsi/build/jitsi-xmpp/xmpp_run deleted file mode 100755 index 81329d2..0000000 --- a/app/jitsi/build/jitsi-xmpp/xmpp_run +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash -prosodyctl register focus auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_JICOFO_USER} -prosodyctl register jvb auth.jitsi.deuxfleurs.fr ${JITSI_SECRET_VIDEOBRIDGE} -exec prosody diff --git a/app/jitsi/integration/01_gen_certs.yml b/app/jitsi/integration/01_gen_certs.yml deleted file mode 100644 index bf73291..0000000 --- a/app/jitsi/integration/01_gen_certs.yml +++ /dev/null @@ -1,8 +0,0 @@ -version: '3' -services: - jitsi-xmpp: - image: superboum/amd64_jitsi_xmpp:v2 - command: ["/usr/local/bin/xmpp_gen"] - volumes: [ './jitsi-certs/:/certs:rw' ] - env_file: [ 'dev.env' ] - diff --git a/app/jitsi/integration/02_run.yml b/app/jitsi/integration/02_run.yml deleted file mode 100644 index 73eefad..0000000 --- a/app/jitsi/integration/02_run.yml +++ /dev/null @@ -1,27 +0,0 @@ -version: '3.4' -services: - jitsi-xmpp: - image: superboum/amd64_jitsi_xmpp:v3 - ports: - - "5222:5222" - - "5347:5347" - - "5280:5280" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-meet: - image: superboum/amd64_jitsi_meet:v1 - ports: - - "443:443" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-conference-focus: - image: superboum/amd64_jitsi_conference_focus:v4 - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] - jitsi-videobridge: - image: superboum/amd64_jitsi_videobridge:v14 - ports: - - "8080:8080/tcp" - - "10000:10000/udp" - env_file: [ 'dev.env' ] - volumes: [ './jitsi-certs/:/certs:ro' ] diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md index e295745..d2d25c1 100644 --- a/app/jitsi/integration/README.md 
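Review bot: `exec su -s /bin/bash -c /usr/local/bin/xmpp_prosody - prosody` leaves `su` as PID 1 with prosody as its child; `su` does not reliably relay the SIGTERM that `docker stop` sends, so the container tends to sit out the stop timeout before being killed, and the `exec` does not help because it replaces the shell, not `su`. The `chown -R` covering `/etc/prosody` gives the service account ownership of its own configuration, more than it needs to run. A build-time `chown` plus `USER prosody` in the Dockerfile would make this wrapper unnecessary; the same `chown` line is also repeated in `xmpp_prosody` in this commit.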
+++ b/app/jitsi/integration/README.md @@ -46,6 +46,12 @@ But we can see this is a deprecated thing, it has been already removed from mast For now (as per v5390) we will keep `JICOFO_SECRET` environment variable but will assume no other environment variable is set But maybe this value is deprecated: the check is still here but it is not used anymore?! +## Generate certs with prosody +``` +prosodyctl cert generate auth.jitsi +prosodyctl cert generate jitsi +``` + ## Resources to understand jitsi - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst) diff --git a/app/jitsi/integration/docker-compose.yml b/app/jitsi/integration/docker-compose.yml new file mode 100644 index 0000000..0a4012a --- /dev/null +++ b/app/jitsi/integration/docker-compose.yml @@ -0,0 +1,22 @@ +version: '3.4' +services: + jitsi-xmpp: + image: superboum/amd64_jitsi_xmpp:v9 + volumes: + - "./prosody/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua" + - "./prosody/accounts.txt:/etc/prosody/accounts.txt" + - "./prosody/certs/jitsi.crt:/var/lib/prosody/jitsi.crt" + - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key" + - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt" + - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key" + jitsi-meet: + image: superboum/amd64_jitsi_meet:v1 + ports: + - "443:443" + jitsi-conference-focus: + image: superboum/amd64_jitsi_conference_focus:v4 + jitsi-videobridge: + image: superboum/amd64_jitsi_videobridge:v14 + ports: + - "8080:8080/tcp" + - "10000:10000/udp" diff --git a/app/jitsi/integration/prosody/accounts.txt b/app/jitsi/integration/prosody/accounts.txt new file mode 100644 index 0000000..ef4f2cd --- /dev/null +++ b/app/jitsi/integration/prosody/accounts.txt @@ -0,0 +1,2 @@ +focus auth.jitsi xxx +jvb auth.jitsi yyy diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/app/jitsi/integration/prosody/prosody.cfg.lua index edfd820..5f18e2a 100644 --- a/app/jitsi/integration/prosody/prosody.cfg.lua 
+++ b/app/jitsi/integration/prosody/prosody.cfg.lua @@ -1,12 +1,41 @@ -component_ports = { 5347 } +daemonize = false +allow_registration = false +use_libevent = true component_interface = "0.0.0.0" -http_ports = { ${JITSI_PROSODY_BOSH_PORT} } +component_ports = { 5347 } +http_ports = { 5280 } + +-- Not sure all modules are required +modules_enabled = { + "roster"; -- Allow users to have a roster. Recommended ;) + "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. + "tls"; -- Add support for secure TLS on c2s/s2s connections + "dialback"; -- s2s dialback support + "disco"; -- Service discovery + "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. + "compression"; -- Stream compression (requires the lua-zlib package installed) + "version"; -- Replies to server version requests + "uptime"; -- Report how long server has been running + "time"; -- Let others know the time here on this server + "ping"; -- Replies to XMPP pings with pongs + "pep"; -- Enables users to publish their mood, activity, playing music and more + -- jitsi + "smacks"; + "carbons"; + "mam"; + "lastactivity"; + "offline"; + "pubsub"; + "adhoc"; + "websocket"; + "http_altconnect"; +} + log = { - error="/dev/stderr" - info="/dev/stdout" + "*console"; } -VirtualHost "jitsi.deuxfleurs.fr" +VirtualHost "jitsi" authentication = "anonymous" ssl = { key = "/var/lib/prosody/jitsi.key"; 
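Review bot: `component_interface = "0.0.0.0"` together with `component_ports = { 5347 }` accepts external components on every interface, and a component is authenticated by nothing more than its shared `component_secret`; keep 5347 unpublished in compose (the new `docker-compose.yml` in this commit does not publish it, which is right) and say so in a comment next to the line, e.g. `-- components authenticate by shared secret only; never publish 5347 outside the internal network`. `allow_registration = false` is the right default for a setup where only `prosodyctl register` creates accounts. The `-- Not sure all modules are required` comment would be more useful if it recorded where the list came from, e.g. `-- entries above the "jitsi" marker are the stock Prosody defaults; entries below presumably come from the jitsi-meet example config`.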
@@ -18,17 +47,17 @@ VirtualHost "jitsi.deuxfleurs.fr" } c2s_require_encryption = false -VirtualHost "auth.jitsi.deuxfleurs.fr" +VirtualHost "auth.jitsi" ssl = { key = "/var/lib/prosody/auth.jitsi.key"; certificate = "/var/lib/prosody/auth.jitsi.crt"; } authentication = "internal_plain" - admins = { "focus@auth.jitsi.deuxfleurs.fr"} + admins = { "focus@auth.jitsi"} -Component "conference.jitsi.deuxfleurs.fr" "muc" -Component "internal.auth.jitsi.deuxfleurs.fr" "muc" +Component "conference.jitsi" "muc" +Component "internal.auth.jitsi" "muc" storage = "memory" modules_enabled = { "ping"; } - admins = { "focus@auth.jitsi.deuxfleurs.fr", "jvb@auth.jitsi.deuxfleurs.fr" } + admins = { "focus@auth.jitsi", "jvb@auth.jitsi" } -- cgit v1.2.3 From 0e848bb2d0e705e5e0858fe8f2c02a3c9c8f45e5 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Thu, 28 Jan 2021 19:28:15 +0100 Subject: Polished prosody --- app/docker-compose.yml | 2 +- app/jitsi/build/jitsi-xmpp/Dockerfile | 15 +++++++++++---- app/jitsi/build/jitsi-xmpp/xmpp_prosody | 2 -- app/jitsi/build/jitsi-xmpp/xmpp_root | 4 ---- app/jitsi/integration/README.md | 4 ++++ app/jitsi/integration/docker-compose.yml | 12 ++++++------ app/jitsi/integration/jicofo/jicofo.conf | 4 ++-- app/jitsi/integration/prosody/prosody.cfg.lua | 9 +++++---- 8 files changed, 29 insertions(+), 23 deletions(-) delete mode 100755 app/jitsi/build/jitsi-xmpp/xmpp_root diff --git a/app/docker-compose.yml b/app/docker-compose.yml index d8a6ab2..14a62b8 100644 --- a/app/docker-compose.yml +++ b/app/docker-compose.yml @@ -73,7 +73,7 @@ services: build: context: ./jitsi/build/jitsi-xmpp args: - VERSION: 0.11.2-1 + VERSION: 0.11.7-1~buster4 image: superboum/amd64_jitsi_xmpp:v9 plume: diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile index b32953a..6357cc6 100644 --- a/app/jitsi/build/jitsi-xmpp/Dockerfile +++ b/app/jitsi/build/jitsi-xmpp/Dockerfile 
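Review bot: The `auth.jitsi` host keeps `authentication = "internal_plain"` (context in this hunk), which stores the `focus` and `jvb` passwords in clear in Prosody's data store; Prosody's `internal_hashed` backend stores salted hashes and still serves the SASL PLAIN login jicofo and the videobridge use, so `authentication = "internal_hashed"` costs nothing here unless some jitsi plugin in this setup reads the plaintext store (I am not aware of one, but confirm). `c2s_require_encryption = false` at the top of the hunk is set under the anonymous `jitsi` host only, while the service accounts authenticate over c2s port 5222 with a password on `auth.jitsi`; an explicit `c2s_require_encryption = true` under `VirtualHost "auth.jitsi"` keeps that credential off the wire in clear even inside the compose network.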
@@ -3,7 +3,13 @@ FROM debian:buster ARG VERSION RUN apt-get update && \ - apt-get install -y prosody=${VERSION} + apt-get install -y wget gnupg2 && \ + echo deb http://packages.prosody.im/debian buster main \ + | tee -a /etc/apt/sources.list && \ + wget https://prosody.im/files/prosody-debian-packages.key -O - \ + | apt-key add - && \ + apt-get update && \ + apt-get install -y prosody=${VERSION} lua-event RUN mkdir -p /usr/local/share/ca-certificates/ && \ ln -sf \ @@ -11,10 +17,11 @@ RUN mkdir -p /usr/local/share/ca-certificates/ && \ /usr/local/share/ca-certificates/auth.jitsi.crt && \ mkdir /run/prosody && \ touch /run/prosody/prosody.pid && \ - mkdir -p /var/lib/prosody + mkdir -p /var/lib/prosody && \ + chown -R prosody:prosody /var/lib/prosody /run/prosody -COPY xmpp_root /usr/local/bin/xmpp_root COPY xmpp_prosody /usr/local/bin/xmpp_prosody WORKDIR /var/lib/prosody -CMD ["/usr/local/bin/xmpp_root"] +USER prosody +CMD ["/usr/local/bin/xmpp_prosody"] diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_prosody b/app/jitsi/build/jitsi-xmpp/xmpp_prosody index 1101302..4ae73f4 100755 --- a/app/jitsi/build/jitsi-xmpp/xmpp_prosody +++ b/app/jitsi/build/jitsi-xmpp/xmpp_prosody @@ -1,5 +1,3 @@ #!/bin/bash -chown -R prosody:prosody /var/lib/prosody /etc/prosody /run/prosody - cat /etc/prosody/accounts.txt | xargs -n3 prosodyctl register exec prosody diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_root b/app/jitsi/build/jitsi-xmpp/xmpp_root deleted file mode 100755 index 293915f..0000000 --- a/app/jitsi/build/jitsi-xmpp/xmpp_root +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -chown -R prosody:prosody /var/lib/prosody /etc/prosody /run/prosody -exec su -s /bin/bash -c /usr/local/bin/xmpp_prosody - prosody diff --git a/app/jitsi/integration/README.md b/app/jitsi/integration/README.md index d2d25c1..7f334af 100644 --- a/app/jitsi/integration/README.md +++ b/app/jitsi/integration/README.md 
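Review bot: The new `RUN` trusts the Prosody signing key globally with `wget … | apt-key add -`, which places it in apt's default keyring where it validates packages from every configured repository, not just `packages.prosody.im`; `apt-key` is also deprecated on buster and later. Store the key under `/usr/share/keyrings/` and scope it with `signed-by=` on the source line instead, as below (if the downloaded key is already binary OpenPGP rather than ASCII-armored, the `gpg --dearmor` step can be dropped). Recording the key's fingerprint in a comment next to the download would let a reviewer notice if the file served at that URL ever changes. The repository line uses plain `http://`, which apt's signature check tolerates, but `https://` if the mirror offers it removes one more place where the index could be tampered with in transit.
```dockerfile
RUN apt-get update && \
    apt-get install -y wget gnupg2 && \
    wget -qO- https://prosody.im/files/prosody-debian-packages.key \
      | gpg --dearmor -o /usr/share/keyrings/prosody-archive-keyring.gpg && \
    echo "deb [signed-by=/usr/share/keyrings/prosody-archive-keyring.gpg] http://packages.prosody.im/debian buster main" \
      > /etc/apt/sources.list.d/prosody.list && \
    apt-get update && \
    apt-get install -y prosody=${VERSION} lua-event
# … unchanged: ca-certificates symlink RUN …
```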
@@ -52,6 +52,10 @@ prosodyctl cert generate auth.jitsi prosodyctl cert generate jitsi ``` +## An example prosody configuration file + +https://github.com/jitsi/jitsi-meet/blob/master/doc/example-config-files/prosody.cfg.lua.example + ## Resources to understand jitsi - [jicofo/debian/postinst](https://github.com/jitsi/jicofo/blob/master/debian/postinst) diff --git a/app/jitsi/integration/docker-compose.yml b/app/jitsi/integration/docker-compose.yml index 0a4012a..64cd82d 100644 --- a/app/jitsi/integration/docker-compose.yml +++ b/app/jitsi/integration/docker-compose.yml @@ -3,12 +3,12 @@ services: jitsi-xmpp: image: superboum/amd64_jitsi_xmpp:v9 volumes: - - "./prosody/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua" - - "./prosody/accounts.txt:/etc/prosody/accounts.txt" - - "./prosody/certs/jitsi.crt:/var/lib/prosody/jitsi.crt" - - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key" - - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt" - - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key" + - "./prosody/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua:ro" + - "./prosody/accounts.txt:/etc/prosody/accounts.txt:ro" + - "./prosody/certs/jitsi.crt:/var/lib/prosody/jitsi.crt:ro" + - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro" + - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro" + - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro" jitsi-meet: image: superboum/amd64_jitsi_meet:v1 ports: diff --git a/app/jitsi/integration/jicofo/jicofo.conf b/app/jitsi/integration/jicofo/jicofo.conf index edb87c5..203cd15 100644 --- a/app/jitsi/integration/jicofo/jicofo.conf +++ b/app/jitsi/integration/jicofo/jicofo.conf @@ -241,9 +241,9 @@ jicofo { enabled = true hostname = "jitsi-xmpp" port = 5222 - #domain = + domain = "auth.jitsi" username = "focus" - password = "3x@mple01" + password = "xxx" // How long to wait for a response to a stanza before giving up. reply-timeout = 15 seconds 
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/app/jitsi/integration/prosody/prosody.cfg.lua index 5f18e2a..2f75d83 100644 --- a/app/jitsi/integration/prosody/prosody.cfg.lua +++ b/app/jitsi/integration/prosody/prosody.cfg.lua @@ -4,6 +4,7 @@ use_libevent = true component_interface = "0.0.0.0" component_ports = { 5347 } http_ports = { 5280 } +https_ports = {} -- Not sure all modules are required modules_enabled = { @@ -13,14 +14,13 @@ modules_enabled = { "dialback"; -- s2s dialback support "disco"; -- Service discovery "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. - "compression"; -- Stream compression (requires the lua-zlib package installed) "version"; -- Replies to server version requests "uptime"; -- Report how long server has been running "time"; -- Let others know the time here on this server "ping"; -- Replies to XMPP pings with pongs "pep"; -- Enables users to publish their mood, activity, playing music and more -- jitsi - "smacks"; + --"smacks"; -- not shipped with prosody "carbons"; "mam"; "lastactivity"; @@ -28,11 +28,12 @@ modules_enabled = { "pubsub"; "adhoc"; "websocket"; - "http_altconnect"; + --"http_altconnect"; -- not shipped with prosody } log = { - "*console"; + --log less on console with warn="*console"; or err="*console" or more with debug="*console" + info="*console"; } VirtualHost "jitsi" -- cgit v1.2.3 From 47bcdaaf0dc6d8caaaa8bd30055420ae90cc73eb Mon Sep 17 00:00:00 2001 
From: Quentin Dufour Date: Thu, 28 Jan 2021 21:05:10 +0100 Subject: Rework prosody's configuration --- app/docker-compose.yml | 3 +- app/jitsi/build/jitsi-conference-focus/jicofo | 6 - app/jitsi/build/jitsi-xmpp/Dockerfile | 16 ++- app/jitsi/integration/README.md | 6 + app/jitsi/integration/docker-compose.yml | 23 ++-- app/jitsi/integration/jicofo/jicofo.conf | 14 +-- app/jitsi/integration/prosody/prosody.cfg.lua | 137 +++++++++++++-------- app/jitsi/integration/prosody/prosody.cfg.lua.back | 64 ++++++++++ 8 files changed, 192 insertions(+), 77 deletions(-) create mode 100644 app/jitsi/integration/prosody/prosody.cfg.lua.back diff --git a/app/docker-compose.yml b/app/docker-compose.yml index 14a62b8..3bab916 100644 --- a/app/docker-compose.yml +++ b/app/docker-compose.yml @@ -73,7 +73,8 @@ services: build: context: ./jitsi/build/jitsi-xmpp args: - VERSION: 0.11.7-1~buster4 + MEET_VERSION: 5390 + PROSODY_VERSION: 0.11.7-1~buster4 image: superboum/amd64_jitsi_xmpp:v9 plume: diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/app/jitsi/build/jitsi-conference-focus/jicofo index 31cd9c4..2225e98 100755 --- a/app/jitsi/build/jitsi-conference-focus/jicofo +++ b/app/jitsi/build/jitsi-conference-focus/jicofo @@ -1,13 +1,7 @@ #!/bin/bash -cp ${JITSI_CERTS_FOLDER}/auth.jitsi.deuxfleurs.fr.crt /usr/local/share/ca-certificates/auth.jitsi.deuxfleurs.fr.crt update-ca-certificates -f -cat >> /etc/hosts < Date: Thu, 28 Jan 2021 21:47:35 +0100 Subject: Trying to switch on a development version --- app/docker-compose.yml | 10 +++++----- app/jitsi/build/jitsi-conference-focus/Dockerfile | 5 ++--- app/jitsi/build/jitsi-xmpp/xmpp_prosody | 8 +++++++- app/jitsi/integration/docker-compose.yml | 14 +++++++++++++- app/jitsi/integration/jicofo/jicofo.conf | 6 +++--- app/jitsi/integration/prosody/accounts.txt | 2 -- app/jitsi/integration/prosody/prosody.cfg.lua | 2 +- 7 files changed, 31 insertions(+), 16 deletions(-) delete mode 100644 app/jitsi/integration/prosody/accounts.txt 
diff --git a/app/docker-compose.yml b/app/docker-compose.yml index 3bab916..72e6955 100644 --- a/app/docker-compose.yml +++ b/app/docker-compose.yml @@ -48,8 +48,8 @@ services: args: # https://github.com/jitsi/jitsi-meet PREFIXV: stable/jitsi-meet_ - VERSION: 5390 - image: superboum/amd64_jitsi_meet:v3 + VERSION: 5463 + image: superboum/amd64_jitsi_meet:v4 jitsi-conference-focus: build: @@ -57,7 +57,7 @@ services: args: # https://github.com/jitsi/jicofo PREFIXV: stable/jitsi-meet_ - VERSION: 5390 + VERSION: 5463 image: superboum/amd64_jitsi_conference_focus:v7 jitsi-videobridge: @@ -66,14 +66,14 @@ services: args: # https://github.com/jitsi/jitsi-videobridge PREFIXV: stable/jitsi-meet_ - VERSION: 5390 + VERSION: 5463 image: superboum/amd64_jitsi_videobridge:v17 jitsi-xmpp: build: context: ./jitsi/build/jitsi-xmpp args: - MEET_VERSION: 5390 + MEET_VERSION: 5463 PROSODY_VERSION: 0.11.7-1~buster4 image: superboum/amd64_jitsi_xmpp:v9 diff --git a/app/jitsi/build/jitsi-conference-focus/Dockerfile b/app/jitsi/build/jitsi-conference-focus/Dockerfile index e67b3de..525bffb 100644 --- a/app/jitsi/build/jitsi-conference-focus/Dockerfile +++ b/app/jitsi/build/jitsi-conference-focus/Dockerfile @@ -3,9 +3,9 @@ FROM debian:buster AS builder ARG PREFIXV ARG VERSION RUN apt-get update && \ - apt-get install -y openjdk-11-jdk maven wget unzip && \ - wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip + apt-get install -y openjdk-11-jdk-headless maven wget unzip +RUN wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip RUN unzip jicofo.zip && \ mv jicofo*${VERSION} jicofo && \ cd jicofo && \ @@ -20,6 +20,5 @@ RUN apt-get update && \ COPY --from=builder /srv/build /usr/share/jicofo COPY jicofo /usr/local/bin -ENV JICOFO_SECRET=IAMDEPRECATED CMD ["/usr/local/bin/jicofo"] diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_prosody b/app/jitsi/build/jitsi-xmpp/xmpp_prosody index 4ae73f4..af179e5 100755 
--- a/app/jitsi/build/jitsi-xmpp/xmpp_prosody +++ b/app/jitsi/build/jitsi-xmpp/xmpp_prosody @@ -1,3 +1,9 @@ #!/bin/bash -cat /etc/prosody/accounts.txt | xargs -n3 prosodyctl register +prosodyctl register focus auth.jitsi ${JICOFO_AUTH_PASSWORD} +prosodyctl register jvb auth.jitsi ${JVB_AUTH_PASSWORD} + +# copied from jitsi-meet.postinst +# Make sure the focus@auth user's roster includes the proxy component (this is idempotent) +prosodyctl mod_roster_command subscribe focus.jitsi focus@auth.jitsi + exec prosody diff --git a/app/jitsi/integration/docker-compose.yml b/app/jitsi/integration/docker-compose.yml index 70bb41a..3aa3954 100644 --- a/app/jitsi/integration/docker-compose.yml +++ b/app/jitsi/integration/docker-compose.yml @@ -4,16 +4,28 @@ services: image: superboum/amd64_jitsi_xmpp:v9 volumes: - "./prosody/prosody.cfg.lua:/etc/prosody/prosody.cfg.lua:ro" - - "./prosody/accounts.txt:/etc/prosody/accounts.txt:ro" - "./prosody/certs/jitsi.crt:/var/lib/prosody/jitsi.crt:ro" - "./prosody/certs/jitsi.key:/var/lib/prosody/jitsi.key:ro" - "./prosody/certs/auth.jitsi.crt:/var/lib/prosody/auth.jitsi.crt:ro" - "./prosody/certs/auth.jitsi.key:/var/lib/prosody/auth.jitsi.key:ro" + environment: + - JICOFO_AUTH_PASSWORD=jicofopass + - JVB_AUTH_PASSWORD=jvbpass + jitsi-conference-focus: image: superboum/amd64_jitsi_conference_focus:v7 volumes: - "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro" - "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro" +# environment: +# - JDOMAIN=jitsi +# - JHOST=jitsi-xmpp +# - JPORT=5347 +# - JSUBDOMAIN=focus +# - JICOFO_SECRET=jicofosecretpass +# - JUSERDOMAIN=auth.jitsi +# - JUSERNAME=focus@auth.jitsi +# - JICOFO_AUTH_PASSWORD=jicofopass # jitsi-meet: # image: superboum/amd64_jitsi_meet:v1 # ports: diff --git a/app/jitsi/integration/jicofo/jicofo.conf b/app/jitsi/integration/jicofo/jicofo.conf index c4fe5e4..477d37e 100644 --- a/app/jitsi/integration/jicofo/jicofo.conf 
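Review bot: `prosodyctl register focus auth.jitsi ${JICOFO_AUTH_PASSWORD}` and the `jvb` line expand the variables unquoted, so an unset or empty variable silently drops the password argument and the command runs with too few arguments; quote them and fail fast when they are missing, e.g. `: "${JICOFO_AUTH_PASSWORD:?must be set}"` and `: "${JVB_AUTH_PASSWORD:?must be set}"` above the register calls, then `"${JICOFO_AUTH_PASSWORD}"` in the call itself. The passwords are still visible in the process argument list while `prosodyctl` runs, which is inherent to `prosodyctl register` and tolerable in this single-service container, but worth a one-line comment so nobody reuses the pattern on a shared host. There is no `set -e`, so a failed registration falls through to `exec prosody`; if you add it, first check how `prosodyctl register` exits on restart when the account already exists.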
+++ b/app/jitsi/integration/jicofo/jicofo.conf @@ -242,8 +242,8 @@ jicofo { hostname = "jitsi-xmpp" port = 5222 domain = "auth.jitsi" - username = "focus" - password = "xxx" + username = "focus@auth.jitsi" + password = "jicofopass" // How long to wait for a response to a stanza before giving up. reply-timeout = 15 seconds @@ -261,7 +261,7 @@ jicofo { port = 5222 domain = "auth.jitsi" username = "focus" - password = "xxx" + password = "jicofopass" // How long to wait for a response to a stanza before giving up. reply-timeout = 15 seconds diff --git a/app/jitsi/integration/prosody/accounts.txt b/app/jitsi/integration/prosody/accounts.txt deleted file mode 100644 index ef4f2cd..0000000 --- a/app/jitsi/integration/prosody/accounts.txt +++ /dev/null @@ -1,2 +0,0 @@ -focus auth.jitsi xxx -jvb auth.jitsi yyy diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/app/jitsi/integration/prosody/prosody.cfg.lua index da38be9..42831ce 100644 --- a/app/jitsi/integration/prosody/prosody.cfg.lua +++ b/app/jitsi/integration/prosody/prosody.cfg.lua @@ -85,7 +85,7 @@ VirtualHost "auth.jitsi" authentication = "internal_plain" Component "focus.jitsi" - component_secret = "focusSecret" + component_secret = "jicofosecretpass" Component "speakerstats.jitsi" "speakerstats_component" muc_component = "conference.jitsi" -- cgit v1.2.3 From 982efd1b49f7435f7c49c2099aabfc994d3901fb Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Thu, 28 Jan 2021 23:02:37 +0100 Subject: Still so broken... --- app/docker-compose.yml | 5 +++-- app/jitsi/build/jitsi-conference-focus/Dockerfile | 9 ++++----- app/jitsi/build/jitsi-xmpp/Dockerfile | 9 +++++---- app/jitsi/integration/docker-compose.yml | 18 +++++++++--------- app/jitsi/integration/jicofo/jicofo.conf | 4 ++-- app/jitsi/integration/prosody/prosody.cfg.lua | 11 ++++++++--- 6 files changed, 31 insertions(+), 25 deletions(-) diff --git a/app/docker-compose.yml b/app/docker-compose.yml index 72e6955..717e8ce 100644 --- a/app/docker-compose.yml 
+++ b/app/docker-compose.yml @@ -56,7 +56,7 @@ services: context: ./jitsi/build/jitsi-conference-focus args: # https://github.com/jitsi/jicofo - PREFIXV: stable/jitsi-meet_ + PREFIXV: jitsi-meet_ VERSION: 5463 image: superboum/amd64_jitsi_conference_focus:v7 @@ -65,7 +65,7 @@ services: context: ./jitsi/build/jitsi-videobridge args: # https://github.com/jitsi/jitsi-videobridge - PREFIXV: stable/jitsi-meet_ + PREFIXV: jitsi-meet_ VERSION: 5463 image: superboum/amd64_jitsi_videobridge:v17 @@ -73,6 +73,7 @@ services: build: context: ./jitsi/build/jitsi-xmpp args: + PREFIXV: jitsi-meet_ MEET_VERSION: 5463 PROSODY_VERSION: 0.11.7-1~buster4 image: superboum/amd64_jitsi_xmpp:v9 diff --git a/app/jitsi/build/jitsi-conference-focus/Dockerfile b/app/jitsi/build/jitsi-conference-focus/Dockerfile index 525bffb..db50746 100644 --- a/app/jitsi/build/jitsi-conference-focus/Dockerfile +++ b/app/jitsi/build/jitsi-conference-focus/Dockerfile @@ -1,10 +1,9 @@ -FROM debian:buster AS builder +FROM fedora:33 AS builder + +RUN dnf install -y java-latest-openjdk-headless maven wget unzip ARG PREFIXV ARG VERSION -RUN apt-get update && \ - apt-get install -y openjdk-11-jdk-headless maven wget unzip - RUN wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip -O jicofo.zip RUN unzip jicofo.zip && \ mv jicofo*${VERSION} jicofo && \ @@ -13,7 +12,7 @@ RUN unzip jicofo.zip && \ unzip target/jicofo-1.1-SNAPSHOT-archive.zip && \ mv jicofo-1.1-SNAPSHOT /srv/build -FROM debian:buster +FROM debian:bullseye RUN apt-get update && \ apt-get install -y openjdk-11-jre-headless ca-certificates diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/app/jitsi/build/jitsi-xmpp/Dockerfile index e3a8f8f..90aae76 100644 --- a/app/jitsi/build/jitsi-xmpp/Dockerfile +++ b/app/jitsi/build/jitsi-xmpp/Dockerfile 
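Review bot: The builder stage now installs `java-latest-openjdk-headless` on `fedora:33` while the runtime stage stays on `openjdk-11-jre-headless`; unless the jicofo Maven build sets `maven.compiler.release` (or `--release`) to 11, classes compiled by a newer JDK will not load on a Java 11 runtime (`UnsupportedClassVersionError`), so pin the builder to a JDK 11 package or confirm the build targets 11 and note that next to the `FROM`. Independently, `wget https://github.com/jitsi/jicofo/archive/${PREFIXV}${VERSION}.zip` is unpacked and built with no integrity check, and the `jitsi-xmpp` Dockerfile hunk in this same commit has the identical pattern for the jitsi-meet archive that supplies the Prosody plugins the XMPP server loads. A `RUN echo "<EXPECTED_SHA256>  jicofo.zip" | sha256sum -c -` right after each download pins what gets built, with the placeholder filled from an archive you have inspected.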
@@ -1,11 +1,12 @@ FROM debian:buster as builder -ARG MEET_VERSION WORKDIR /tmp +ARG MEET_VERSION +ARG PREFIXV RUN apt-get update && \ - apt-get install -y wget unzip && \ - wget https://github.com/jitsi/jitsi-meet/archive/stable/jitsi-meet_${MEET_VERSION}.zip -O meet.zip && \ - unzip meet.zip && \ + apt-get install -y wget unzip +RUN wget https://github.com/jitsi/jitsi-meet/archive/${PREFIXV}${MEET_VERSION}.zip -O meet.zip +RUN unzip meet.zip && \ mv jitsi-meet-* jitsi-meet FROM debian:buster diff --git a/app/jitsi/integration/docker-compose.yml b/app/jitsi/integration/docker-compose.yml index 3aa3954..2f8141a 100644 --- a/app/jitsi/integration/docker-compose.yml +++ b/app/jitsi/integration/docker-compose.yml @@ -17,15 +17,15 @@ services: volumes: - "./prosody/certs/auth.jitsi.crt:/usr/local/share/ca-certificates/auth.jitsi.crt:ro" - "./jicofo/jicofo.conf:/etc/jitsi/jicofo.conf:ro" -# environment: -# - JDOMAIN=jitsi -# - JHOST=jitsi-xmpp -# - JPORT=5347 -# - JSUBDOMAIN=focus -# - JICOFO_SECRET=jicofosecretpass -# - JUSERDOMAIN=auth.jitsi -# - JUSERNAME=focus@auth.jitsi -# - JICOFO_AUTH_PASSWORD=jicofopass + environment: + - JDOMAIN=jitsi + - JHOST=jitsi-xmpp + - JPORT=5347 + - JSUBDOMAIN=focus + - JICOFO_SECRET=jicofosecretpass + - JUSERDOMAIN=auth.jitsi + - JUSERNAME=focus + - JICOFO_AUTH_PASSWORD=jicofopass # jitsi-meet: # image: superboum/amd64_jitsi_meet:v1 # ports: diff --git a/app/jitsi/integration/jicofo/jicofo.conf b/app/jitsi/integration/jicofo/jicofo.conf index 477d37e..4ef175f 100644 --- a/app/jitsi/integration/jicofo/jicofo.conf +++ b/app/jitsi/integration/jicofo/jicofo.conf 
@@ -242,14 +242,14 @@ jicofo { hostname = "jitsi-xmpp" port = 5222 domain = "auth.jitsi" - username = "focus@auth.jitsi" + username = "focus" password = "jicofopass" // How long to wait for a response to a stanza before giving up. reply-timeout = 15 seconds // The JID/domain of the MUC service used for conferencing. - # conference-muc-jid = conference.example.com + conference-muc-jid = conference.jitsi // A flag to suppress the TLS certificate verification. disable-certificate-verification = false diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/app/jitsi/integration/prosody/prosody.cfg.lua index 42831ce..215bb5b 100644 --- a/app/jitsi/integration/prosody/prosody.cfg.lua +++ b/app/jitsi/integration/prosody/prosody.cfg.lua @@ -1,4 +1,9 @@ plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" } + +log = { + --log less on console with warn="*console"; or err="*console" or more with debug="*console" + debug="*console"; +} daemonize = false use_libevent = true @@ -29,7 +34,7 @@ ssl = { } VirtualHost "jitsi" - -- enabled = false -- Remove this line to enable this host + enabled = true -- Remove this line to enable this host authentication = "anonymous" -- Properties below are modified by jitsi-meet-tokens package config -- and authentication above is switched to "token" @@ -67,7 +72,7 @@ Component "conference.jitsi" "muc" "muc_domain_mapper"; --"token_verification"; } - admins = { "focusUser@auth.jitsi" } + admins = { "focus@auth.jitsi" } muc_room_locking = false muc_room_default_public_jids = true @@ -77,7 +82,7 @@ Component "internal.auth.jitsi" "muc" modules_enabled = { "ping"; } - admins = { "focusUser@auth.jitsi", "jvb@auth.jitsi" } + admins = { "focus@auth.jitsi", "jvb@auth.jitsi" } muc_room_locking = false muc_room_default_public_jids = true -- cgit v1.2.3
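Review bot: `enabled = true -- Remove this line to enable this host` in the `VirtualHost "jitsi"` hunk now has a comment that contradicts the setting; since the old line showed the host is enabled by default when the setting is absent, either delete the line or rewrite the comment to `-- set to false to disable this host`. `debug="*console"` in the new `log` block is reasonable while the integration is being debugged, but Prosody's debug level is verbose enough to include stanza traffic, so it should not be carried into the deployed configuration; keep the `info="*console"` line commented beside it with a note of which is the production value, e.g. `-- production: info="*console"`.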