Update colibri for all the JVBs

We are currently running an all-in-one jitsi meet service at
meetpad.opendev.org due to connectivity issues for colibri websockets to
the jvb servers. Before we open these up we need to configure the http
server for websockets on the jvbs to do tls, as they are on different
hosts.

Note it isn't entirely clear yet if a randomly generated keystore is
sufficient for the needs of the jvb colibri websocket system. If not we
may need to convert an LE provisioned cert and key pair into a keystore.

Change-Id: Ifbca19f1c112e30ee45975112863fc808db39fc9
changes/53/856553/5
Clark Boylan 3 months ago
parent 9313c8e879
commit fa9aca784d
  1. 2
      inventory/service/group_vars/jvb.yaml
  2. 1
      inventory/service/group_vars/meetpad.yaml
  3. 4
      playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
  4. 4
      playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
  5. 117
      playbooks/roles/jitsi-meet/files/jvb.conf
  6. 2
      playbooks/roles/jitsi-meet/files/meet.conf
  7. 31
      playbooks/roles/jitsi-meet/tasks/main.yaml
  8. 4
      playbooks/roles/jitsi-meet/templates/jvb-env.j2
  9. 3
      playbooks/roles/jitsi-meet/templates/meet-env.j2
  10. 1
      playbooks/zuul/templates/group_vars/jvb.yaml.j2
  11. 1
      playbooks/zuul/templates/group_vars/meetpad.yaml.j2

@ -1,3 +1,5 @@
meetpad_jvb_xmpp_server: "{{ hostvars['meetpad01.opendev.org'].ansible_host }}"
iptables_extra_public_udp_ports:
- 10000
iptables_extra_allowed_groups:
- {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}

@ -6,3 +6,4 @@ iptables_extra_public_udp_ports:
- 10000
iptables_extra_allowed_groups:
- {'protocol': 'tcp', 'port': '5222', 'group': 'jvb'}
- {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}

@ -11,6 +11,7 @@ services:
network_mode: host
volumes:
- ${CONFIG}/jvb:/config
- ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
environment:
- DOCKER_HOST_ADDRESS
- PUBLIC_URL
@ -25,4 +26,7 @@ services:
- JVB_TCP_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_KEYSTORE_PATH
- JVB_KEYSTORE_PASSWORD
- JVB_WS_SERVER_ID
- TZ
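Review bot: The new `- ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf` mount shadows the image's own jvb.conf with a vendored copy that, per its header, was taken from the stable-7648-4 tag, so any later upstream change to that template (new settings, renamed variables) will be silently ignored once the image tag moves. A comment on the mount line would make that maintenance coupling visible, e.g. `# overrides the image's jvb.conf with our TLS-enabled copy; re-diff against upstream when bumping the image tag`. The same mount is added in meet-docker-compose.yaml and deserves the same comment.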

@ -136,6 +136,7 @@ services:
network_mode: host
volumes:
- ${CONFIG}/jvb:/config
- ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
environment:
- DOCKER_HOST_ADDRESS
- PUBLIC_URL
@ -150,6 +151,9 @@ services:
- JVB_TCP_PORT
- JVB_STUN_SERVERS
- JVB_ENABLE_APIS
- JVB_KEYSTORE_PATH
- JVB_KEYSTORE_PASSWORD
- JVB_WS_SERVER_ID
- TZ
depends_on:
- prosody

@ -0,0 +1,117 @@
// This file originates from
// https://github.com/jitsi/docker-jitsi-meet/blob/stable-7648-4/jvb/rootfs/defaults/jvb.conf
// We have modified it to run an ssl https server instead of a normal http
// server.
{{ $COLIBRI_REST_ENABLED := .Env.COLIBRI_REST_ENABLED | default "false" | toBool -}}
{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool -}}
{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
{{ $ENABLE_MULTI_STREAM := .Env.ENABLE_MULTI_STREAM | default "true" | toBool -}}
{{ $JVB_DISABLE_STUN := .Env.JVB_DISABLE_STUN | default "0" | toBool -}}
{{ $JVB_STUN_SERVERS := .Env.JVB_STUN_SERVERS | default "meet-jit-si-turnrelay.jitsi.net:443" -}}
{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
{{ $JVB_MUC_NICKNAME := .Env.JVB_MUC_NICKNAME | default .Env.HOSTNAME -}}
{{ $JVB_ADVERTISE_PRIVATE_CANDIDATES := .Env.JVB_ADVERTISE_PRIVATE_CANDIDATES | default "true" | toBool -}}
{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:8443" | trimPrefix "https://" | trimSuffix "/" -}}
{{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
{{ $WS_DOMAIN := .Env.JVB_WS_DOMAIN | default $PUBLIC_URL_DOMAIN -}}
{{ $WS_SERVER_ID := .Env.JVB_WS_SERVER_ID | default .Env.JVB_WS_SERVER_ID_FALLBACK -}}
{{ $XMPP_AUTH_DOMAIN := .Env.XMPP_AUTH_DOMAIN | default "auth.meet.jitsi" -}}
{{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
{{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
{{ $XMPP_SERVERS := splitList "," $XMPP_SERVER -}}
{{/* assign env from context, preserve during range when . is re-assigned */}}
{{ $ENV := .Env -}}
videobridge {
ice {
udp {
port = {{ .Env.JVB_PORT | default 10000 }}
}
advertise-private-candidates = {{ $JVB_ADVERTISE_PRIVATE_CANDIDATES }}
}
apis {
xmpp-client {
configs {
{{ range $index, $element := $XMPP_SERVERS -}}
{{ $SERVER := splitn ":" 2 $element }}
shard{{ $index }} {
HOSTNAME = "{{ $SERVER._0 }}"
PORT = "{{ $SERVER._1 | default $XMPP_PORT }}"
DOMAIN = "{{ $XMPP_AUTH_DOMAIN }}"
USERNAME = "{{ $JVB_AUTH_USER }}"
PASSWORD = "{{ $ENV.JVB_AUTH_PASSWORD }}"
MUC_JIDS = "{{ $JVB_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
MUC_NICKNAME = "{{ $JVB_MUC_NICKNAME }}"
DISABLE_CERTIFICATE_VERIFICATION = true
}
{{ end -}}
}
}
rest {
enabled = {{ $COLIBRI_REST_ENABLED }}
}
}
rest {
shutdown {
enabled = {{ $SHUTDOWN_REST_ENABLED }}
}
}
stats {
enabled = true
}
websockets {
enabled = {{ $ENABLE_COLIBRI_WEBSOCKET }}
domain = "{{ $WS_DOMAIN }}"
tls = true
server-id = "{{ $WS_SERVER_ID }}"
}
multi-stream {
enabled = {{ $ENABLE_MULTI_STREAM }}
}
http-servers {
private {
host = 0.0.0.0
}
public {
host = 0.0.0.0
tls-port = 9090
key-store-path={{ .Env.JVB_KEYSTORE_PATH }}
key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}
}
}
{{ if $ENABLE_OCTO -}}
octo {
enabled = true
bind-address = "{{ .Env.JVB_OCTO_BIND_ADDRESS | default "0.0.0.0" }}"
public-address = "{{ .Env.JVB_OCTO_PUBLIC_ADDRESS }}"
bind-port = "{{ .Env.JVB_OCTO_BIND_PORT | default "4096" }}"
region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
}
{{ end -}}
}
ice4j {
harvest {
mapping {
stun {
{{ if not $JVB_DISABLE_STUN -}}
addresses = [ "{{ join "\",\"" (splitList "," $JVB_STUN_SERVERS) }}" ]
{{ else -}}
enabled = false
{{ end -}}
}
static-mappings = [
{{ if .Env.DOCKER_HOST_ADDRESS -}}
{
local-address = "{{ .Env.LOCAL_ADDRESS }}"
public-address = "{{ .Env.DOCKER_HOST_ADDRESS }}"
}
{{ end -}}
]
}
}
}
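Review bot: `key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}` (and `key-store-path` just above it) splices the value into HOCON unquoted, so a password containing HOCON-significant characters such as `#`, `//`, `"`, `$`, `,`, `=` or `:` would be truncated or fail to parse rather than be used as written; the current value is alphanumeric, but nothing constrains the generator to that. Quote both, matching the quoted scalars elsewhere in this file: `key-store-path = "{{ .Env.JVB_KEYSTORE_PATH }}"` and `key-store-password = "{{ .Env.JVB_KEYSTORE_PASSWORD }}"`. Separately, `DISABLE_CERTIFICATE_VERIFICATION = true` in the xmpp-client shard is carried over from the upstream template; since this change exists precisely because the bridges now talk to the XMPP server across hosts, a one-line comment there recording that the unverified 5222 connection is accepted deliberately (or a TODO to revisit it) would help the next reader.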

@ -74,7 +74,7 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
proxy_pass https://$1:9090/colibri-ws/$1/$2$is_args$args;
}
{{ end }}
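Review bot: `proxy_pass https://$1:9090/colibri-ws/...` now makes a TLS hop to a bridge whose certificate comes from the per-host keytool-generated keystore, and nginx does not verify upstream certificates unless `proxy_ssl_verify on` (with `proxy_ssl_trusted_certificate`) is configured, so this hop is encrypted but the upstream is not authenticated. Given the commit message that is likely the intended interim state, but it should be recorded on the line, e.g. `# upstream cert is the JVB's self-generated keystore; not verified until a CA-issued keystore is in place`. The enclosing `location ~ ^/colibri-ws/...` block starts outside the hunk.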

@ -21,12 +21,14 @@
state: directory
path: "/var/jitsi-meet/{{ item }}"
loop:
- jvb
- web
- web/nginx
- web/nginx/site-confs
- defaults
- defaults/web
- defaults/web/nginx
- defaults/jvb
# These files are interpreted by the container at startup and are templated
# using the frep tool. Ideally we'll keep the content in templates to a
@ -39,6 +41,10 @@
copy:
src: settings-config.js
dest: /var/jitsi-meet/defaults/web/settings-config.js
- name: Write jvb.conf config template
copy:
src: jvb.conf
dest: /var/jitsi-meet/defaults/jvb/jvb.conf
# This file appears to be consumed as is by the jitsi meet web process.
# No funny templating or replacement.
@ -47,6 +53,31 @@
src: interface_config.js
dest: /var/jitsi-meet/defaults/web/interface_config.js
# This prepares a keystore for the JVB websocket connection
- name: Install java for keytool
package:
name: openjdk-11-jre-headless
state: present
- name: Create keystore if it isn't present
command:
cmd: >
keytool -genkeypair
-alias {{ inventory_hostname }}.key
-keyalg RSA
-keysize 2048
-validity 3652
-keystore /var/jitsi-meet/jvb/jvb-keystore.store
-storepass {{ meetpad_jvb_keystore_password }}
stdin: |
Infra Root
OpenDev
Open Infra Foundation
Austin
Texas
US
yes
creates: /var/jitsi-meet/jvb/jvb-keystore.store
- name: Run docker-compose pull
shell:
cmd: docker-compose pull
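Review bot: `-storepass {{ meetpad_jvb_keystore_password }}` puts the keystore password on the keytool command line, where it is visible in the process list while the command runs and, because the task has no `no_log`, is also recorded in Ansible's output and logs along with the rest of the command. Add `no_log: true` to the "Create keystore if it isn't present" task; keytool also accepts `-storepass:env VARNAME`, which combined with the task-level `environment:` keyword keeps the secret out of argv entirely. The `stdin:` answers depend on keytool's interactive prompt order, which varies between JDK versions; a single `-dname 'CN=Infra Root,OU=OpenDev,O=Open Infra Foundation,L=Austin,ST=Texas,C=US'` argument expresses the same subject non-interactively and removes the trailing `yes` confirmation. The `creates:` guard means neither change affects hosts that already have a keystore.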

@ -4,12 +4,16 @@
# Customized for OpenDev, all overrides go here (and remember to comment out
# any defaults from the example):
CONFIG=/var/jitsi-meet
DEFAULTS=/var/jitsi-meet/defaults
PUBLIC_URL=https://meetpad.opendev.org
XMPP_SERVER={{ meetpad_jvb_xmpp_server }}
XMPP_AUTH_DOMAIN=auth.localhost
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
JVB_PORT=10000
JVB_KEYSTORE_PATH=/config/jvb-keystore.store
JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
JVB_WS_SERVER_ID={{ inventory_hostname }}
# shellcheck disable=SC2034
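Review bot: `JVB_WS_SERVER_ID={{ inventory_hostname }}` is what jvb.conf emits as the websocket `server-id`, and meet.conf proxies `/colibri-ws/<name>/` to `https://<name>:9090`; if, as the location regex suggests, that path component is the server-id, the value set here must be a hostname the meetpad host can resolve, which holds for inventory names like `meetpad01.opendev.org` but is an implicit cross-file coupling. A comment on the line would make it explicit, e.g. `# must resolve from the meetpad host: nginx proxies colibri-ws to https://<server-id>:9090`. The same line is added to meet-env.j2.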

@ -17,6 +17,9 @@ XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
XMPP_GUEST_DOMAIN=guest.localhost
JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
JVB_PORT=10000
JVB_KEYSTORE_PATH=/config/jvb-keystore.store
JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
JVB_WS_SERVER_ID={{ inventory_hostname }}
JICOFO_COMPONENT_SECRET={{ meetpad_jicofo_component_secret }}
JICOFO_AUTH_PASSWORD={{ meetpad_jicofo_auth_password }}
JIGASI_XMPP_PASSWORD={{ meetpad_jigasi_xmpp_password }}

@ -1 +1,2 @@
meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
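Review bot: `meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG` is an unquoted plain scalar; it is safe as written, but a regenerated value that happened to be all digits, hex of the form `1e10`, or to start with a YAML indicator would be loaded as a non-string and then change when interpolated into the keytool command and jvb.conf. Quoting it as `meetpad_jvb_keystore_password: "ateeweegoLee3aig5eish8aeraetiG"` removes that dependence on the generator's output. The same applies to the line added to meetpad.yaml.j2.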

@ -1,4 +1,5 @@
meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
meetpad_jicofo_component_secret: 3bcd6b4494d99de7ff7b64b931d394f6
meetpad_jicofo_auth_password: e0d9bceec264b78d8bf0022787f92498
meetpad_jigasi_xmpp_password: 2a8fb7ff7c59f09d94960f3fa15001fb
