opendev/system-config
Code Issues Proposed changes

Update colibri for all the JVBs

Browse Source 
We are currently running an all in one jitsi meet service at
meetpad.opendev.org due to connectivity issues for colibri websockets to
the jvb servers. Before we open these up we need to configure the http
server for websockets on the jvbs to do tls as they are on different
hosts.

Note it isn't entirely clear yet if a randomly generated keystore is
sufficient for the needs of the jvb colibri websocket system. If not we
may need to convert an LE provisioned cert and key pair into a keystore.

Change-Id: Ifbca19f1c112e30ee45975112863fc808db39fc9
This commit is contained in:
Clark Boylan 2022-09-08 10:18:48 -07:00
parent 9313c8e879
commit fa9aca784d
11 changed files with 169 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
inventory/service/group_vars/jvb.yaml
View File

@ -1,3 +1,5 @@
meetpad_jvb_xmpp_server: "{{ hostvars['meetpad01.opendev.org'].ansible_host }}"
iptables_extra_public_udp_ports:
- 10000
iptables_extra_allowed_groups:
- {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}

1
inventory/service/group_vars/meetpad.yaml
View File

@ -6,3 +6,4 @@ iptables_extra_public_udp_ports:
- 10000
iptables_extra_allowed_groups:
- {'protocol': 'tcp', 'port': '5222', 'group': 'jvb'}
- {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}

4
playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
View File

@ -11,6 +11,7 @@ services:
network_mode: host
volumes:
- ${CONFIG}/jvb:/config
- ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
environment:
- DOCKER_HOST_ADDRESS
- PUBLIC_URL
@ -25,4 +26,7 @@ services:
- JVB_TCP_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_KEYSTORE_PATH
- JVB_KEYSTORE_PASSWORD
- JVB_WS_SERVER_ID
- TZ

4
playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
View File

@ -136,6 +136,7 @@ services:
network_mode: host
volumes:
- ${CONFIG}/jvb:/config
- ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
environment:
- DOCKER_HOST_ADDRESS
- PUBLIC_URL
@ -150,6 +151,9 @@ services:
- JVB_TCP_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_KEYSTORE_PATH
- JVB_KEYSTORE_PASSWORD
- JVB_WS_SERVER_ID
- TZ
depends_on:
- prosody

117
playbooks/roles/jitsi-meet/files/jvb.conf Normal file
View File

@ -0,0 +1,117 @@
// This file originates from
// https://github.com/jitsi/docker-jitsi-meet/blob/stable-7648-4/jvb/rootfs/defaults/jvb.conf
// We have modified it to run an ssl https server instead of a normal http
// server.
{{ $COLIBRI_REST_ENABLED := .Env.COLIBRI_REST_ENABLED | default "false" | toBool -}}
{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool -}}
{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
{{ $ENABLE_MULTI_STREAM := .Env.ENABLE_MULTI_STREAM | default "true" | toBool -}}
{{ $JVB_DISABLE_STUN := .Env.JVB_DISABLE_STUN | default "0" | toBool -}}
{{ $JVB_STUN_SERVERS := .Env.JVB_STUN_SERVERS | default "meet-jit-si-turnrelay.jitsi.net:443" -}}
{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
{{ $JVB_MUC_NICKNAME := .Env.JVB_MUC_NICKNAME | default .Env.HOSTNAME -}}
{{ $JVB_ADVERTISE_PRIVATE_CANDIDATES := .Env.JVB_ADVERTISE_PRIVATE_CANDIDATES | default "true" | toBool -}}
{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:8443" | trimPrefix "https://" | trimSuffix "/" -}}
{{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
{{ $WS_DOMAIN := .Env.JVB_WS_DOMAIN | default $PUBLIC_URL_DOMAIN -}}
{{ $WS_SERVER_ID := .Env.JVB_WS_SERVER_ID | default .Env.JVB_WS_SERVER_ID_FALLBACK -}}
{{ $XMPP_AUTH_DOMAIN := .Env.XMPP_AUTH_DOMAIN | default "auth.meet.jitsi" -}}
{{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
{{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
{{ $XMPP_SERVERS := splitList "," $XMPP_SERVER -}}
{{/* assign env from context, preserve during range when . is re-assigned */}}
{{ $ENV := .Env -}}
videobridge {
ice {
udp {
port = {{ .Env.JVB_PORT | default 10000 }}
}
advertise-private-candidates = {{ $JVB_ADVERTISE_PRIVATE_CANDIDATES }}
}
apis {
xmpp-client {
configs {
{{ range $index, $element := $XMPP_SERVERS -}}
{{ $SERVER := splitn ":" 2 $element }}
shard{{ $index }} {
HOSTNAME = "{{ $SERVER._0 }}"
PORT = "{{ $SERVER._1 | default $XMPP_PORT }}"
DOMAIN = "{{ $XMPP_AUTH_DOMAIN }}"
USERNAME = "{{ $JVB_AUTH_USER }}"
PASSWORD = "{{ $ENV.JVB_AUTH_PASSWORD }}"
MUC_JIDS = "{{ $JVB_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
MUC_NICKNAME = "{{ $JVB_MUC_NICKNAME }}"
DISABLE_CERTIFICATE_VERIFICATION = true
}
{{ end -}}
}
}
rest {
enabled = {{ $COLIBRI_REST_ENABLED }}
}
}
rest {
shutdown {
enabled = {{ $SHUTDOWN_REST_ENABLED }}
}
}
stats {
enabled = true
}
websockets {
enabled = {{ $ENABLE_COLIBRI_WEBSOCKET }}
domain = "{{ $WS_DOMAIN }}"
tls = true
server-id = "{{ $WS_SERVER_ID }}"
}
multi-stream {
enabled = {{ $ENABLE_MULTI_STREAM }}
}
http-servers {
private {
host = 0.0.0.0
}
public {
host = 0.0.0.0
tls-port = 9090
key-store-path={{ .Env.JVB_KEYSTORE_PATH }}
key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}
}
}
{{ if $ENABLE_OCTO -}}
octo {
enabled = true
bind-address = "{{ .Env.JVB_OCTO_BIND_ADDRESS | default "0.0.0.0" }}"
public-address = "{{ .Env.JVB_OCTO_PUBLIC_ADDRESS }}"
bind-port = "{{ .Env.JVB_OCTO_BIND_PORT | default "4096" }}"
region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
}
{{ end -}}
}
ice4j {
harvest {
mapping {
stun {
{{ if not $JVB_DISABLE_STUN -}}
addresses = [ "{{ join "\",\"" (splitList "," $JVB_STUN_SERVERS) }}" ]
{{ else -}}
enabled = false
{{ end -}}
}
static-mappings = [
{{ if .Env.DOCKER_HOST_ADDRESS -}}
{
local-address = "{{ .Env.LOCAL_ADDRESS }}"
public-address = "{{ .Env.DOCKER_HOST_ADDRESS }}"
}
{{ end -}}
]
}
}
}

2
playbooks/roles/jitsi-meet/files/meet.conf
View File

@ -74,7 +74,7 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
proxy_pass https://$1:9090/colibri-ws/$1/$2$is_args$args;
}
{{ end }}

31
playbooks/roles/jitsi-meet/tasks/main.yaml
View File

@ -21,12 +21,14 @@
state: directory
path: "/var/jitsi-meet/{{ item }}"
loop:
- jvb
- web
- web/nginx
- web/nginx/site-confs
- defaults
- defaults/web
- defaults/web/nginx
- defaults/jvb
# These files are interpreted by the container at startup and are templated
# using the frep tool. Ideally we'll keep the content in templates to a
@ -39,6 +41,10 @@
copy:
src: settings-config.js
dest: /var/jitsi-meet/defaults/web/settings-config.js
- name: Write jvb.conf config template
copy:
src: jvb.conf
dest: /var/jitsi-meet/defaults/jvb/jvb.conf
# This file appears to be consumed as is by the jitsi meet web process.
# No funny templating or replacement.
@ -47,6 +53,31 @@
src: interface_config.js
dest: /var/jitsi-meet/defaults/web/interface_config.js
# This prepares a keystore for the JVB websocket connection
- name: Install java for keytool
package:
name: openjdk-11-jre-headless
state: present
- name: Create keystore if it isn't present
command:
cmd: >
keytool -genkeypair
-alias {{ inventory_hostname }}.key
-keyalg RSA
-keysize 2048
-validity 3652
-keystore /var/jitsi-meet/jvb/jvb-keystore.store
-storepass {{ meetpad_jvb_keystore_password }}
stdin: |
Infra Root
OpenDev
Open Infra Foundation
Austin
Texas
US
yes
creates: /var/jitsi-meet/jvb/jvb-keystore.store
- name: Run docker-compose pull
shell:
cmd: docker-compose pull

4
playbooks/roles/jitsi-meet/templates/jvb-env.j2
View File

@ -4,12 +4,16 @@
# Customized for OpenDev, all overrides go here (and remember to comment out
# any defaults from the example):
CONFIG=/var/jitsi-meet
DEFAULTS=/var/jitsi-meet/defaults
PUBLIC_URL=https://meetpad.opendev.org
XMPP_SERVER={{ meetpad_jvb_xmpp_server }}
XMPP_AUTH_DOMAIN=auth.localhost
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
JVB_PORT=10000
JVB_KEYSTORE_PATH=/config/jvb-keystore.store
JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
JVB_WS_SERVER_ID={{ inventory_hostname }}
# shellcheck disable=SC2034

3
playbooks/roles/jitsi-meet/templates/meet-env.j2
View File

@ -17,6 +17,9 @@ XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
XMPP_GUEST_DOMAIN=guest.localhost
JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
JVB_PORT=10000
JVB_KEYSTORE_PATH=/config/jvb-keystore.store
JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
JVB_WS_SERVER_ID={{ inventory_hostname }}
JICOFO_COMPONENT_SECRET={{ meetpad_jicofo_component_secret }}
JICOFO_AUTH_PASSWORD={{ meetpad_jicofo_auth_password }}
JIGASI_XMPP_PASSWORD={{ meetpad_jigasi_xmpp_password }}

1
playbooks/zuul/templates/group_vars/jvb.yaml.j2
View File

@ -1 +1,2 @@
meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG

1
playbooks/zuul/templates/group_vars/meetpad.yaml.j2
View File

@ -1,4 +1,5 @@
meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
meetpad_jicofo_component_secret: 3bcd6b4494d99de7ff7b64b931d394f6
meetpad_jicofo_auth_password: e0d9bceec264b78d8bf0022787f92498
meetpad_jigasi_xmpp_password: 2a8fb7ff7c59f09d94960f3fa15001fb