From fa9aca784dfa031f93fb5ee9dca222120ba05ad5 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Thu, 8 Sep 2022 10:18:48 -0700
Subject: [PATCH] Update colibri for all the JVBs

We are currently running an all in one jitsi meet service at meetpad.opendev.org due to connectivity issues for colibri websockets to the jvb servers. Before we open these up we need to configure the http server for websockets on the jvbs to do tls as they are on different hosts. Note it isn't entirely clear yet if a randomly generated keystore is sufficient for the needs of the jvb colibri websocket system. If not we may need to convert an LE provisioned cert and key pair into a keystore.

Change-Id: Ifbca19f1c112e30ee45975112863fc808db39fc9
---
 inventory/service/group_vars/jvb.yaml | 2 +
 inventory/service/group_vars/meetpad.yaml | 1 +
 .../jitsi-meet-docker/jvb-docker-compose.yaml | 4 +
 .../meet-docker-compose.yaml | 4 +
 playbooks/roles/jitsi-meet/files/jvb.conf | 117 ++++++++++++++++++
 playbooks/roles/jitsi-meet/files/meet.conf | 2 +-
 playbooks/roles/jitsi-meet/tasks/main.yaml | 31 +++++
 .../roles/jitsi-meet/templates/jvb-env.j2 | 4 +
 .../roles/jitsi-meet/templates/meet-env.j2 | 3 +
 .../zuul/templates/group_vars/jvb.yaml.j2 | 1 +
 .../zuul/templates/group_vars/meetpad.yaml.j2 | 1 +
 11 files changed, 169 insertions(+), 1 deletion(-)
 create mode 100644 playbooks/roles/jitsi-meet/files/jvb.conf

diff --git a/inventory/service/group_vars/jvb.yaml b/inventory/service/group_vars/jvb.yaml
index e3ca786f22..5f93162100 100644
--- a/inventory/service/group_vars/jvb.yaml
+++ b/inventory/service/group_vars/jvb.yaml
@@ -1,3 +1,5 @@
 meetpad_jvb_xmpp_server: "{{ hostvars['meetpad01.opendev.org'].ansible_host }}"
 iptables_extra_public_udp_ports:
   - 10000
+iptables_extra_allowed_groups:
+  - {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}
diff --git a/inventory/service/group_vars/meetpad.yaml b/inventory/service/group_vars/meetpad.yaml
index 4b5c5cade6..7fb4550fd5 100644
--- a/inventory/service/group_vars/meetpad.yaml
+++ b/inventory/service/group_vars/meetpad.yaml
@@ -6,3 +6,4 @@ iptables_extra_public_udp_ports:
   - 10000
 iptables_extra_allowed_groups:
   - {'protocol': 'tcp', 'port': '5222', 'group': 'jvb'}
+  - {'protocol': 'tcp', 'port': '9090', 'group': 'meetpad'}
diff --git a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
index 1c45e25372..39e18eff0f 100644
--- a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
+++ b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/jvb-docker-compose.yaml
@@ -11,6 +11,7 @@ services:
         network_mode: host
         volumes:
             - ${CONFIG}/jvb:/config
+            - ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
         environment:
             - DOCKER_HOST_ADDRESS
             - PUBLIC_URL
@@ -25,4 +26,7 @@ services:
             - JVB_TCP_PORT
             - JVB_STUN_SERVERS
             - JVB_ENABLE_APIS
+            - JVB_KEYSTORE_PATH
+            - JVB_KEYSTORE_PASSWORD
+            - JVB_WS_SERVER_ID
             - TZ
diff --git a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
index b11bfe45ed..9d770f9f5e 100644
--- a/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
+++ b/playbooks/roles/jitsi-meet/files/jitsi-meet-docker/meet-docker-compose.yaml
@@ -136,6 +136,7 @@ services:
         network_mode: host
         volumes:
             - ${CONFIG}/jvb:/config
+            - ${DEFAULTS}/jvb/jvb.conf:/defaults/jvb.conf
         environment:
             - DOCKER_HOST_ADDRESS
             - PUBLIC_URL
@@ -150,6 +151,9 @@ services:
             - JVB_TCP_PORT
             - JVB_STUN_SERVERS
             - JVB_ENABLE_APIS
+            - JVB_KEYSTORE_PATH
+            - JVB_KEYSTORE_PASSWORD
+            - JVB_WS_SERVER_ID
             - TZ
         depends_on:
             - prosody
diff --git a/playbooks/roles/jitsi-meet/files/jvb.conf b/playbooks/roles/jitsi-meet/files/jvb.conf
new file mode 100644
index 0000000000..0f43d8bdd0
--- /dev/null
+++ b/playbooks/roles/jitsi-meet/files/jvb.conf
@@ -0,0 +1,117 @@
+// This file originates from
+// https://github.com/jitsi/docker-jitsi-meet/blob/stable-7648-4/jvb/rootfs/defaults/jvb.conf
+// We have modified it to run an ssl https server instead of a normal http
+// server.
+
+{{ $COLIBRI_REST_ENABLED := .Env.COLIBRI_REST_ENABLED | default "false" | toBool -}}
+{{ $ENABLE_COLIBRI_WEBSOCKET := .Env.ENABLE_COLIBRI_WEBSOCKET | default "1" | toBool -}}
+{{ $ENABLE_OCTO := .Env.ENABLE_OCTO | default "0" | toBool -}}
+{{ $ENABLE_MULTI_STREAM := .Env.ENABLE_MULTI_STREAM | default "true" | toBool -}}
+{{ $JVB_DISABLE_STUN := .Env.JVB_DISABLE_STUN | default "0" | toBool -}}
+{{ $JVB_STUN_SERVERS := .Env.JVB_STUN_SERVERS | default "meet-jit-si-turnrelay.jitsi.net:443" -}}
+{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
+{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
+{{ $JVB_MUC_NICKNAME := .Env.JVB_MUC_NICKNAME | default .Env.HOSTNAME -}}
+{{ $JVB_ADVERTISE_PRIVATE_CANDIDATES := .Env.JVB_ADVERTISE_PRIVATE_CANDIDATES | default "true" | toBool -}}
+{{ $PUBLIC_URL_DOMAIN := .Env.PUBLIC_URL | default "https://localhost:8443" | trimPrefix "https://" | trimSuffix "/" -}}
+{{ $SHUTDOWN_REST_ENABLED := .Env.SHUTDOWN_REST_ENABLED | default "false" | toBool -}}
+{{ $WS_DOMAIN := .Env.JVB_WS_DOMAIN | default $PUBLIC_URL_DOMAIN -}}
+{{ $WS_SERVER_ID := .Env.JVB_WS_SERVER_ID | default .Env.JVB_WS_SERVER_ID_FALLBACK -}}
+{{ $XMPP_AUTH_DOMAIN := .Env.XMPP_AUTH_DOMAIN | default "auth.meet.jitsi" -}}
+{{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
+{{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
+{{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
+{{ $XMPP_SERVERS := splitList "," $XMPP_SERVER -}}
+{{/* assign env from context, preserve during range when . is re-assigned */}}
+{{ $ENV := .Env -}}
+
+videobridge {
+    ice {
+        udp {
+            port = {{ .Env.JVB_PORT | default 10000 }}
+        }
+        advertise-private-candidates = {{ $JVB_ADVERTISE_PRIVATE_CANDIDATES }}
+    }
+    apis {
+        xmpp-client {
+            configs {
+{{ range $index, $element := $XMPP_SERVERS -}}
+{{ $SERVER := splitn ":" 2 $element }}
+                shard{{ $index }} {
+                    HOSTNAME = "{{ $SERVER._0 }}"
+                    PORT = "{{ $SERVER._1 | default $XMPP_PORT }}"
+                    DOMAIN = "{{ $XMPP_AUTH_DOMAIN }}"
+                    USERNAME = "{{ $JVB_AUTH_USER }}"
+                    PASSWORD = "{{ $ENV.JVB_AUTH_PASSWORD }}"
+                    MUC_JIDS = "{{ $JVB_BREWERY_MUC }}@{{ $XMPP_INTERNAL_MUC_DOMAIN }}"
+                    MUC_NICKNAME = "{{ $JVB_MUC_NICKNAME }}"
+                    DISABLE_CERTIFICATE_VERIFICATION = true
+                }
+{{ end -}}
+            }
+        }
+        rest {
+            enabled = {{ $COLIBRI_REST_ENABLED }}
+        }
+    }
+    rest {
+        shutdown {
+            enabled = {{ $SHUTDOWN_REST_ENABLED }}
+        }
+    }
+    stats {
+        enabled = true
+    }
+    websockets {
+        enabled = {{ $ENABLE_COLIBRI_WEBSOCKET }}
+        domain = "{{ $WS_DOMAIN }}"
+        tls = true
+        server-id = "{{ $WS_SERVER_ID }}"
+    }
+    multi-stream {
+        enabled = {{ $ENABLE_MULTI_STREAM }}
+    }
+    http-servers {
+        private {
+            host = 0.0.0.0
+        }
+        public {
+            host = 0.0.0.0
+            tls-port = 9090
+            key-store-path={{ .Env.JVB_KEYSTORE_PATH }}
+            key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}
+        }
+    }
+
+    {{ if $ENABLE_OCTO -}}
+    octo {
+        enabled = true
+        bind-address = "{{ .Env.JVB_OCTO_BIND_ADDRESS | default "0.0.0.0" }}"
+        public-address = "{{ .Env.JVB_OCTO_PUBLIC_ADDRESS }}"
+        bind-port = "{{ .Env.JVB_OCTO_BIND_PORT | default "4096" }}"
+        region = "{{ .Env.JVB_OCTO_REGION | default "europe" }}"
+    }
+    {{ end -}}
+}
+
+ice4j {
+    harvest {
+        mapping {
+            stun {
+{{ if not $JVB_DISABLE_STUN -}}
+                addresses = [ "{{ join "\",\"" (splitList "," $JVB_STUN_SERVERS) }}" ]
+{{ else -}}
+                enabled = false
+{{ end -}}
+            }
+            static-mappings = [
+{{ if .Env.DOCKER_HOST_ADDRESS -}}
+                {
+                    local-address = "{{ .Env.LOCAL_ADDRESS }}"
+                    public-address = "{{ .Env.DOCKER_HOST_ADDRESS }}"
+                }
+{{ end -}}
+            ]
+        }
+    }
+}
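Review bot: `key-store-path={{ .Env.JVB_KEYSTORE_PATH }}` and `key-store-password={{ .Env.JVB_KEYSTORE_PASSWORD }}` in the `http-servers.public` block are the only unquoted string values in the file; HOCON unquoted strings end at `#` or `//` and cannot contain `$`, `=`, `,` or `+`, so a production keystore password containing such characters would be silently truncated or fail to parse and the TLS listener would not come up. Quote them and match the surrounding spacing: `key-store-path = "{{ .Env.JVB_KEYSTORE_PATH }}"` and `key-store-password = "{{ .Env.JVB_KEYSTORE_PASSWORD }}"`. Separately, the upstream `DISABLE_CERTIFICATE_VERIFICATION = true` in the xmpp-client shards now governs a connection that, for the jvb hosts, crosses the network to `meetpad_jvb_xmpp_server` carrying `JVB_AUTH_PASSWORD`, so the header comment should record that keeping it is deliberate (or it should be revisited) alongside the note about the ssl server change.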
diff --git a/playbooks/roles/jitsi-meet/files/meet.conf b/playbooks/roles/jitsi-meet/files/meet.conf
index c8fedd8019..6d1795c03d 100644
--- a/playbooks/roles/jitsi-meet/files/meet.conf
+++ b/playbooks/roles/jitsi-meet/files/meet.conf
@@ -74,7 +74,7 @@ location ~ ^/colibri-ws/([a-zA-Z0-9-\._]+)/(.*) {
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $connection_upgrade;
-    proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
+    proxy_pass https://$1:9090/colibri-ws/$1/$2$is_args$args;
 }
 {{ end }}
diff --git a/playbooks/roles/jitsi-meet/tasks/main.yaml b/playbooks/roles/jitsi-meet/tasks/main.yaml
index 33529489d0..0db8735d95 100644
--- a/playbooks/roles/jitsi-meet/tasks/main.yaml
+++ b/playbooks/roles/jitsi-meet/tasks/main.yaml
@@ -21,12 +21,14 @@
     state: directory
     path: "/var/jitsi-meet/{{ item }}"
   loop:
+    - jvb
     - web
     - web/nginx
     - web/nginx/site-confs
     - defaults
     - defaults/web
     - defaults/web/nginx
+    - defaults/jvb
 
 # These files are interpreted by the container at startup and are templated
 # using the frep tool. Ideally we'll keep the content in templates to a
@@ -39,6 +41,10 @@
   copy:
     src: settings-config.js
     dest: /var/jitsi-meet/defaults/web/settings-config.js
+- name: Write jvb.conf config template
+  copy:
+    src: jvb.conf
+    dest: /var/jitsi-meet/defaults/jvb/jvb.conf
 
 # This file appears to be consumed as is by the jitsi meet web process.
 # No funny templating or replacement.
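Review bot: `proxy_pass https://$1:9090/colibri-ws/$1/$2$is_args$args;` encrypts the hop to the JVB but does not authenticate it, because nginx's `proxy_ssl_verify` defaults to off; that deserves a comment above the line, and it also answers the question in the commit message — for this proxy a randomly generated keystore is sufficient, since nothing checks the certificate. If peer verification is wanted later it would need `proxy_ssl_verify on;`, a `proxy_ssl_trusted_certificate` pointing at the JVB certificates and `proxy_ssl_name $1;`, plus a subject alternative name in the generated certificates. The enclosing `location` block starts before this hunk.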
@@ -47,6 +53,31 @@
     src: interface_config.js
     dest: /var/jitsi-meet/defaults/web/interface_config.js
 
+# This prepares a keystore for the JVB websocket connection
+- name: Install java for keytool
+  package:
+    name: openjdk-11-jre-headless
+    state: present
+- name: Create keystore if it isn't present
+  command:
+    cmd: >
+      keytool -genkeypair
+      -alias {{ inventory_hostname }}.key
+      -keyalg RSA
+      -keysize 2048
+      -validity 3652
+      -keystore /var/jitsi-meet/jvb/jvb-keystore.store
+      -storepass {{ meetpad_jvb_keystore_password }}
+    stdin: |
+      Infra Root
+      OpenDev
+      Open Infra Foundation
+      Austin
+      Texas
+      US
+      yes
+    creates: /var/jitsi-meet/jvb/jvb-keystore.store
+
 - name: Run docker-compose pull
   shell:
     cmd: docker-compose pull
diff --git a/playbooks/roles/jitsi-meet/templates/jvb-env.j2 b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
index 2011c6bde2..f8278ca3c9 100644
--- a/playbooks/roles/jitsi-meet/templates/jvb-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/jvb-env.j2
@@ -4,12 +4,16 @@
 # Customized for OpenDev, all overrides go here (and remember to comment out
 # any defaults from the example):
 CONFIG=/var/jitsi-meet
+DEFAULTS=/var/jitsi-meet/defaults
 PUBLIC_URL=https://meetpad.opendev.org
 XMPP_SERVER={{ meetpad_jvb_xmpp_server }}
 XMPP_AUTH_DOMAIN=auth.localhost
 XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
 JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
 JVB_PORT=10000
+JVB_KEYSTORE_PATH=/config/jvb-keystore.store
+JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
+JVB_WS_SERVER_ID={{ inventory_hostname }}
 
 
 # shellcheck disable=SC2034
diff --git a/playbooks/roles/jitsi-meet/templates/meet-env.j2 b/playbooks/roles/jitsi-meet/templates/meet-env.j2
index 27d4c68819..65b0e50dc9 100644
--- a/playbooks/roles/jitsi-meet/templates/meet-env.j2
+++ b/playbooks/roles/jitsi-meet/templates/meet-env.j2
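Review bot: `-storepass {{ meetpad_jvb_keystore_password }}` in the `Create keystore if it isn't present` task puts the secret on the keytool command line, where it is typically readable by any local user through the process list while keytool runs, and it is recorded in the task result and any verbose or callback log because the task has no `no_log: true`. keytool accepts `-storepass:env VARNAME`, so the password can be supplied through the task's `environment:` mapping and the task marked `no_log`, as below. Two smaller points: because of `creates:`, rotating `meetpad_jvb_keystore_password` will not regenerate the store and the JVB will fail to open it with the new password, which deserves a comment on the task; and the self-signed certificate is generated without a subject alternative name, which is fine while nginx does not verify it but would block a later switch to verification.
```yaml
- name: Create keystore if it isn't present
  command:
    cmd: >
      keytool -genkeypair
      -alias {{ inventory_hostname }}.key
      -keyalg RSA
      -keysize 2048
      -validity 3652
      -keystore /var/jitsi-meet/jvb/jvb-keystore.store
      -storepass:env KEYSTORE_PASSWORD
    # … unchanged: stdin dname answers, creates guard …
  environment:
    KEYSTORE_PASSWORD: "{{ meetpad_jvb_keystore_password }}"
  no_log: true
```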
@@ -17,6 +17,9 @@ XMPP_INTERNAL_MUC_DOMAIN=internal-muc.localhost
 XMPP_GUEST_DOMAIN=guest.localhost
 JVB_AUTH_PASSWORD={{ meetpad_jvb_auth_password }}
 JVB_PORT=10000
+JVB_KEYSTORE_PATH=/config/jvb-keystore.store
+JVB_KEYSTORE_PASSWORD={{ meetpad_jvb_keystore_password }}
+JVB_WS_SERVER_ID={{ inventory_hostname }}
 JICOFO_COMPONENT_SECRET={{ meetpad_jicofo_component_secret }}
 JICOFO_AUTH_PASSWORD={{ meetpad_jicofo_auth_password }}
 JIGASI_XMPP_PASSWORD={{ meetpad_jigasi_xmpp_password }}
diff --git a/playbooks/zuul/templates/group_vars/jvb.yaml.j2 b/playbooks/zuul/templates/group_vars/jvb.yaml.j2
index 06deb123fc..59a159cf48 100644
--- a/playbooks/zuul/templates/group_vars/jvb.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/jvb.yaml.j2
@@ -1 +1,2 @@
 meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
+meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
diff --git a/playbooks/zuul/templates/group_vars/meetpad.yaml.j2 b/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
index 4ab3ddb413..e427e8ce0e 100644
--- a/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/meetpad.yaml.j2
@@ -1,4 +1,5 @@
 meetpad_jvb_auth_password: 8c64807830bcc7581821d3157899e3b0
+meetpad_jvb_keystore_password: ateeweegoLee3aig5eish8aeraetiG
 meetpad_jicofo_component_secret: 3bcd6b4494d99de7ff7b64b931d394f6
 meetpad_jicofo_auth_password: e0d9bceec264b78d8bf0022787f92498
 meetpad_jigasi_xmpp_password: 2a8fb7ff7c59f09d94960f3fa15001fb