diff options
author | Christian Pointner <equinox@spreadspace.org> | 2021-03-21 02:26:21 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2021-03-21 02:26:21 +0100 |
commit | 46591f2232e69739da5ab120fe819e2305c53ab0 (patch) | |
tree | ee2ab2fcfcbcc5f3a43ad64c3d4d459483f4dfdf /roles/apps/coturn/tasks | |
parent | install zstd to core/base (diff) |
add coturn server for glt
Diffstat (limited to 'roles/apps/coturn/tasks')
-rw-r--r-- | roles/apps/coturn/tasks/main.yml | 13 | ||||
-rw-r--r-- | roles/apps/coturn/tasks/privileged-ports-hack.yml | 31 |
2 files changed, 44 insertions, 0 deletions
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml index 176be664..a35734a8 100644 --- a/roles/apps/coturn/tasks/main.yml +++ b/roles/apps/coturn/tasks/main.yml @@ -59,6 +59,7 @@ daemon_reload: yes - name: configure nginx vhost + when: coturn_install_nginx_vhost vars: nginx_vhost: name: "coturn-{{ coturn_realm }}" @@ -68,6 +69,18 @@ include_role: name: nginx/vhost +- name: get certificate using acmetool + when: not coturn_install_nginx_vhost + import_role: + name: acmetool/cert + vars: + acmetool_cert_name: "coturn-{{ coturn_realm }}" + acmetool_cert_hostnames: "{{ coturn_hostnames }}" + +- name: apply hacky fix to support binding to privileged ports + when: (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) + import_tasks: privileged-ports-hack.yml + - name: install pod manifest vars: kubernetes_standalone_pod: diff --git a/roles/apps/coturn/tasks/privileged-ports-hack.yml b/roles/apps/coturn/tasks/privileged-ports-hack.yml new file mode 100644 index 00000000..bafff0aa --- /dev/null +++ b/roles/apps/coturn/tasks/privileged-ports-hack.yml @@ -0,0 +1,31 @@ +--- +### This hack is necessary becasue: https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460 +### at the moment there are two possible workarounds: +## - Setting sysctl net.ipv4.ip_unprivileged_port_start=0. +## This does not work because kubelet would not allow this for containers using host networking (and actually this would be a bad idea anyway). +## - Adding the CAP_NET_BIND_SERVICE capability on the turnserver binary file inside the container. +## This what we are doning here. + +- name: create build directory for custom image + file: + path: "{{ coturn_base_path }}/{{ coturn_realm }}/build" + state: directory + +- name: generate Dockerfile for custom image + copy: + content: | + FROM instrumentisto/coturn:{{ coturn_version }} + RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver + dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile" + register: coturn_custom_image_docker + +- name: build custom image + docker_image: + name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}" + state: present + force_source: "{{ coturn_custom_image_docker is changed }}" + source: build + build: + path: "{{ coturn_base_path }}/{{ coturn_realm }}/build" + network: host + pull: yes |