Update colibri for all the JVBs

We are currently running an all-in-one jitsi meet service at
meetpad.opendev.org due to connectivity issues for colibri websockets to
the jvb servers. Before we open these up we need to configure the http
server for websockets on the jvbs to do tls as they are on different
hosts.

Note it isn't entirely clear yet if a randomly generated keystore is
sufficient for the needs of the jvb colibri websocket system. If not we
may need to convert an LE provisioned cert and key pair into a keystore.

Change-Id: Ifbca19f1c112e30ee45975112863fc808db39fc9
Clark Boylan 2022-09-08 10:18:48 -07:00
parent 9313c8e879
commit fa9aca784d
11 changed files with 169 additions and 1 deletions


@ -1,3 +1,5 @@
meetpad_jvb_xmpp_server: "{{ hostvars['meetpad01.opendev.org'].ansible_host }}" meetpad_jvb_xmpp_server: "{{ hostvars['meetpad01.opendev.org'].ansible_host }}"
iptables_extra_public_udp_ports: iptables_extra_public_udp_ports:
- 10000 - 10000
iptables_extra_allowed_groups:
- {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}
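Review bot: The new `iptables_extra_allowed_groups` entry opens tcp/9090 to the meetpad group without saying what the port carries, and this rule is what keeps the JVB's TLS websocket listener, which the new jvb.conf binds to `0.0.0.0`, reachable only from the meetpad host. A comment such as `# colibri websocket (TLS) on the JVBs, proxied by nginx on the meetpad host` above the entry would record that dependency. The identical entry in the next file section would take the same comment.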


@ -6,3 +6,4 @@ iptables_extra_public_udp_ports:
- 10000 - 10000
iptables_extra_allowed_groups: iptables_extra_allowed_groups:
- {'protocol': 'tcp', 'port': '5222', 'group': 'jvb'} - {'protocol': 'tcp', 'port': '5222', 'group': 'jvb'}
- {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}


@ -11,6 +11,7 @@ services:
network_mode: host network_mode: host
volumes: volumes:
- ${CONFIG}/jvb:/config - ${CONFIG}/jvb:/config
- ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
environment: environment:
- DOCKER_HOST_ADDRESS - DOCKER_HOST_ADDRESS
- PUBLIC_URL - PUBLIC_URL
@ -25,4 +26,7 @@ services:
- JVB_TCP_PORT - JVB_TCP_PORT
- JVB_STUN_SERVERS - JVB_STUN_SERVERS
- JVB_ENABLE_APIS - JVB_ENABLE_APIS
- JVB_KEYSTORE_PATH
- JVB_KEYSTORE_PASSWORD
- JVB_WS_SERVER_ID
- TZ - TZ


@ -136,6 +136,7 @@ services:
network_mode: host network_mode: host
volumes: volumes:
- ${CONFIG}/jvb:/config - ${CONFIG}/jvb:/config
- ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
environment: environment:
- DOCKER_HOST_ADDRESS - DOCKER_HOST_ADDRESS
- PUBLIC_URL - PUBLIC_URL
@ -150,6 +151,9 @@ services:
- JVB_TCP_PORT - JVB_TCP_PORT
- JVB_STUN_SERVERS - JVB_STUN_SERVERS
- JVB_ENABLE_APIS - JVB_ENABLE_APIS
- JVB_KEYSTORE_PATH
- JVB_KEYSTORE_PASSWORD
- JVB_WS_SERVER_ID
- TZ - TZ
depends_on: depends_on:
- prosody - prosody


@ -0,0 +1,117 @@
// This file originates from
// https://github.com/jitsi/docker-jitsi-meet/blob/stable-7648-4/jvb/rootfs/defaults/jvb.conf
// We have modified it to run an ssl https server instead of a normal http
// server.
{{ $COLIBRI_REST_ENABLED := .Env.COLIBRI_REST_ENABLED | default "false" | toBool -}}
{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool -}}
{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
{{ $ENABLE_MULTI_STREAM := .Env.ENABLE_MULTI_STREAM | default "true" | toBool -}}
{{ $JVB_DISABLE_STUN := .Env.JVB_DISABLE_STUN | default "0" | toBool -}}
{{ $JVB_STUN_SERVERS := .Env.JVB_STUN_SERVERS | default "meet-jit-si-turnrelay.jitsi.net:443" -}}
{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
{{ $JVB_MUC_NICKNAME := .Env.JVB_MUC_NICKNAME | default .Env.HOSTNAME -}}
{{ $JVB_ADVERTISE_PRIVATE_CANDIDATES := .Env.JVB_ADVERTISE_PRIVATE_CANDIDATES | default "true" | toBool -}}
{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:8443" | trimPrefix "https://" | trimSuffix "/" -}}
{{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
{{ $WS_DOMAIN := .Env.JVB_WS_DOMAIN | default $PUBLIC_URL_DOMAIN -}}
{{ $WS_SERVER_ID := .Env.JVB_WS_SERVER_ID | default .Env.JVB_WS_SERVER_ID_FALLBACK -}}
{{ $XMPP_AUTH_DOMAIN := .Env.XMPP_AUTH_DOMAIN | default "auth.meet.jitsi" -}}
{{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
{{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
{{ $XMPP_SERVERS := splitList "," $XMPP_SERVER -}}
{{/* assign env from context, preserve during range when . is re-assigned */}}
{{ $ENV := .Env -}}
videobridge {
ice {
udp {
port = {{ .Env.JVB_PORT | default 10000 }}
}
advertise-private-candidates = {{ $JVB_ADVERTISE_PRIVATE_CANDIDATES }}
}
apis {
xmpp-client {
configs {
{{ range $index, $element := $XMPP_SERVERS -}}
{{ $SERVER := splitn ":" 2 $element }}
shard{{ $index }} {
HOSTNAME = "{{ $SERVER._0 }}"
PORT = "{{ $SERVER._1 | default $XMPP_PORT }}"
DOMAIN = "{{ $XMPP_AUTH_DOMAIN }}"
USERNAME = "{{ $JVB_AUTH_USER }}"
PASSWORD = "{{ $ENV.JVB_AUTH_PASSWORD }}"
MUC_JIDS = "{{ $JVB_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
MUC_NICKNAME = "{{ $JVB_MUC_NICKNAME }}"
DISABLE_CERTIFICATE_VERIFICATION = true
}
{{ end -}}
}
}
rest {
enabled = {{ $COLIBRI_REST_ENABLED }}
}
}
rest {
shutdown {
enabled = {{ $SHUTDOWN_REST_ENABLED }}
}
}
stats {
enabled = true
}
websockets {
enabled = {{ $ENABLE_COLIBRI_WEBSOCKET }}
domain = "{{ $WS_DOMAIN }}"
tls = true
server-id = "{{ $WS_SERVER_ID }}"
}
multi-stream {
enabled = {{ $ENABLE_MULTI_STREAM }}
}
http-servers {
private {
host = 0.0.0.0
}
public {
host = 0.0.0.0
tls-port = 9090
key-store-path={{ .Env.JVB_KEYSTORE_PATH }}
key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}
}
}
{{ if $ENABLE_OCTO -}}
octo {
enabled = true
bind-address = "{{ .Env.JVB_OCTO_BIND_ADDRESS | default "0.0.0.0" }}"
public-address = "{{ .Env.JVB_OCTO_PUBLIC_ADDRESS }}"
bind-port = "{{ .Env.JVB_OCTO_BIND_PORT | default "4096" }}"
region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
}
{{ end -}}
}
ice4j {
harvest {
mapping {
stun {
{{ if not $JVB_DISABLE_STUN -}}
addresses = [ "{{ join "\",\"" (splitList "," $JVB_STUN_SERVERS) }}" ]
{{ else -}}
enabled = false
{{ end -}}
}
static-mappings = [
{{ if .Env.DOCKER_HOST_ADDRESS -}}
{
local-address = "{{ .Env.LOCAL_ADDRESS }}"
public-address = "{{ .Env.DOCKER_HOST_ADDRESS }}"
}
{{ end -}}
]
}
}
}
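Review bot: `DISABLE_CERTIFICATE_VERIFICATION = true` in the xmpp-client shard block is carried over from the upstream template, so the JVB's own connection to the XMPP server configured via `meetpad_jvb_xmpp_server` is encrypted but the server certificate is never checked; with the bridges now on separate hosts this is the same cross-host trust question the description raises for the websocket leg, and it deserves a comment at that line such as `// Inherited from upstream: the XMPP server cert is not verified; revisit together with the websocket keystore question.` The two keystore settings in `http-servers.public` are emitted unquoted, so a generated password containing a character HOCON does not allow in an unquoted string would break parsing; `key-store-path = "{{ .Env.JVB_KEYSTORE_PATH }}"` and `key-store-password = "{{ .Env.JVB_KEYSTORE_PASSWORD }}"` are safe for any value. The `private` http server is configured with `host = 0.0.0.0` too; under the compose file's `network_mode: host` that is the host's interfaces, so whatever it serves is shielded only by the host firewall, and a one-line comment on that `host` line saying so would stop someone relaxing the iptables group rules without noticing.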


@ -74,7 +74,7 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args; proxy_pass https://$1:9090/colibri-ws/$1/$2$is_args$args;
} }
{{ end }} {{ end }}
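Review bot: Changing `proxy_pass` to `https://$1:9090/...` encrypts the hop to the bridge but does not authenticate it: nginx leaves `proxy_ssl_verify` off unless told otherwise, which is why the randomly generated keystore the description is unsure about will work — the proxy accepts whatever certificate the peer presents. If the goal is that only a genuine JVB can terminate these websockets, this location also needs `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path to the JVB certificate(s) or LE chain>;` and `proxy_ssl_server_name on;`, and the keytool task in this change would have to issue the certificate for the name `$1` resolves to (it currently sets no subject alternative name). Until then it is worth a comment on the `proxy_pass` line recording that the upstream TLS is unverified. The enclosing `location` block begins before this hunk.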


@ -21,12 +21,14 @@
state: directory state: directory
path: "/var/jitsi-meet/{{ item }}" path: "/var/jitsi-meet/{{ item }}"
loop: loop:
- jvb
- web - web
- web/nginx - web/nginx
- web/nginx/site-confs - web/nginx/site-confs
- defaults - defaults
- defaults/web - defaults/web
- defaults/web/nginx - defaults/web/nginx
- defaults/jvb
# These files are interpreted by the container at startup and are templated # These files are interpreted by the container at startup and are templated
# using the frep tool. Ideally we'll keep the content in templates to a # using the frep tool. Ideally we'll keep the content in templates to a
@ -39,6 +41,10 @@
copy: copy:
src: settings-config.js src: settings-config.js
dest: /var/jitsi-meet/defaults/web/settings-config.js dest: /var/jitsi-meet/defaults/web/settings-config.js
- name: Write jvb.conf config template
copy:
src: jvb.conf
dest: /var/jitsi-meet/defaults/jvb/jvb.conf
# This file appears to be consumed as is by the jitsi meet web process. # This file appears to be consumed as is by the jitsi meet web process.
# No funny templating or replacement. # No funny templating or replacement.
@ -47,6 +53,31 @@
src: interface_config.js src: interface_config.js
dest: /var/jitsi-meet/defaults/web/interface_config.js dest: /var/jitsi-meet/defaults/web/interface_config.js
# This prepares a keystore for the JVB websocket connection
- name: Install java for keytool
package:
name: openjdk-11-jre-headless
state: present
- name: Create keystore if it isn't present
command:
cmd: >
keytool -genkeypair
-alias {{ inventory_hostname }}.key
-keyalg RSA
-keysize 2048
-validity 3652
-keystore /var/jitsi-meet/jvb/jvb-keystore.store
-storepass {{ meetpad_jvb_keystore_password }}
stdin: |
Infra Root
OpenDev
Open Infra Foundation
Austin
Texas
US
yes
creates: /var/jitsi-meet/jvb/jvb-keystore.store
- name: Run docker-compose pull - name: Run docker-compose pull
shell: shell:
cmd: docker-compose pull cmd: docker-compose pull
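Review bot: The `Create keystore if it isn't present` task puts `-storepass {{ meetpad_jvb_keystore_password }}` on the keytool argv, so the password is readable in the process list while keytool runs and lands in Ansible's task result/log on failure or with `-v`; the task needs `no_log: true`, and keytool's `-storepass:env NAME` form together with an `environment:` entry keeps it off the command line altogether. The `stdin:` answers make `Infra Root` the certificate's CN and leave it without a subject alternative name, which is what nginx would need the day `proxy_ssl_verify` is turned on; `-dname` and `-ext san=dns:...` express the same subject non-interactively, and the trailing `yes` is then not needed. Because of `creates:` the keystore is generated once and never rotated, so `-validity 3652` is effectively the lifetime of the file; a comment stating that, and that the store is written by root (confirm the jvb process inside the container can read `/config/jvb-keystore.store`), would help the next maintainer.
```yaml
- name: Create keystore if it isn't present
  command:
    cmd: >
      keytool -genkeypair
      -alias {{ inventory_hostname }}.key
      -keyalg RSA -keysize 2048 -validity 3652
      -keystore /var/jitsi-meet/jvb/jvb-keystore.store
      -storepass:env JVB_KEYSTORE_PASSWORD
      -dname "CN=Infra Root,OU=OpenDev,O=Open Infra Foundation,L=Austin,ST=Texas,C=US"
      -ext san=dns:{{ inventory_hostname }}
    creates: /var/jitsi-meet/jvb/jvb-keystore.store
  environment:
    JVB_KEYSTORE_PASSWORD: "{{ meetpad_jvb_keystore_password }}"
  no_log: true
```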


@ -4,12 +4,16 @@
# Customized for OpenDev, all overrides go here (and remember to comment out # Customized for OpenDev, all overrides go here (and remember to comment out
# any defaults from the example): # any defaults from the example):
CONFIG=/var/jitsi-meet CONFIG=/var/jitsi-meet
DEFAULTS=/var/jitsi-meet/defaults
PUBLIC_URL=https://meetpad.opendev.org PUBLIC_URL=https://meetpad.opendev.org
XMPP_SERVER={{ meetpad_jvb_xmpp_server }} XMPP_SERVER={{ meetpad_jvb_xmpp_server }}
XMPP_AUTH_DOMAIN=auth.localhost XMPP_AUTH_DOMAIN=auth.localhost
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }} JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
JVB_PORT=10000 JVB_PORT=10000
JVB_KEYSTORE_PATH=/config/jvb-keystore.store
JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
JVB_WS_SERVER_ID={{ inventory_hostname }}
# shellcheck disable=SC2034 # shellcheck disable=SC2034
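Review bot: `JVB_WS_SERVER_ID={{ inventory_hostname }}` is more than a label: the nginx `colibri-ws` location proxies to `https://$1:9090`, where `$1` is this id taken from the websocket path, so the value must resolve from the meetpad host, and it is the name any future upstream certificate verification would check. A comment on that line such as `# Used as the hostname nginx proxies /colibri-ws/<id>/ to; must resolve from the meetpad host` would record the coupling. The same line in the next .env section should carry it too.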


@ -17,6 +17,9 @@ XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
XMPP_GUEST_DOMAIN=guest.localhost XMPP_GUEST_DOMAIN=guest.localhost
JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }} JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
JVB_PORT=10000 JVB_PORT=10000
JVB_KEYSTORE_PATH=/config/jvb-keystore.store
JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
JVB_WS_SERVER_ID={{ inventory_hostname }}
JICOFO_COMPONENT_SECRET={{ meetpad_jicofo_component_secret }} JICOFO_COMPONENT_SECRET={{ meetpad_jicofo_component_secret }}
JICOFO_AUTH_PASSWORD={{ meetpad_jicofo_auth_password }} JICOFO_AUTH_PASSWORD={{ meetpad_jicofo_auth_password }}
JIGASI_XMPP_PASSWORD={{ meetpad_jigasi_xmpp_password }} JIGASI_XMPP_PASSWORD={{ meetpad_jigasi_xmpp_password }}


@ -1 +1,2 @@
meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0 meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
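Review bot: `meetpad_jvb_keystore_password` is added here as a cleartext literal, and the same line appears in the next file section; since both files already hold the other meetpad secrets as literal values, these are presumably fixture values for test runs rather than production secrets, but nothing in the file says so. A leading comment such as `# Fixture values for test/CI runs only; real secrets live in the private host_vars` would make that explicit and keep them from being copied elsewhere. If they are the production values, they need to move out of the repository and be rotated.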


@ -1,4 +1,5 @@
meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0 meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
meetpad_jicofo_component_secret: 3bcd6b4494d99de7ff7b64b931d394f6 meetpad_jicofo_component_secret: 3bcd6b4494d99de7ff7b64b931d394f6
meetpad_jicofo_auth_password: e0d9bceec264b78d8bf0022787f92498 meetpad_jicofo_auth_password: e0d9bceec264b78d8bf0022787f92498
meetpad_jigasi_xmpp_password: 2a8fb7ff7c59f09d94960f3fa15001fb meetpad_jigasi_xmpp_password: 2a8fb7ff7c59f09d94960f3fa15001fb