Diffstat (limited to 'roles/apps/coturn/tasks/privileged-ports-hack.yml')
-rw-r--r--roles/apps/coturn/tasks/privileged-ports-hack.yml31
1 files changed, 31 insertions, 0 deletions
diff --git a/roles/apps/coturn/tasks/privileged-ports-hack.yml b/roles/apps/coturn/tasks/privileged-ports-hack.yml
new file mode 100644
index 00000000..bafff0aa
--- /dev/null
+++ b/roles/apps/coturn/tasks/privileged-ports-hack.yml
@@ -0,0 +1,31 @@
+---
+### This hack is necessary becasue: https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460
+### at the moment there are two possible workarounds:
+## - Setting sysctl net.ipv4.ip_unprivileged_port_start=0.
+## This does not work because kubelet would not allow this for containers using host networking (and actually this would be a bad idea anyway).
+## - Adding the CAP_NET_BIND_SERVICE capability on the turnserver binary file inside the container.
+## This what we are doning here.
+
+- name: create build directory for custom image
+ file:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+ state: directory
+
+- name: generate Dockerfile for custom image
+ copy:
+ content: |
+ FROM instrumentisto/coturn:{{ coturn_version }}
+ RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver
+ dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile"
+ register: coturn_custom_image_docker
+
+- name: build custom image
+ docker_image:
+ name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
+ state: present
+ force_source: "{{ coturn_custom_image_docker is changed }}"
+ source: build
+ build:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+ network: host
+ pull: yes
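Review bot: `pull: yes` on the last line of the hunk is a YAML 1.1 truthy value that generic parsers and yamllint's `truthy` rule reject; write `pull: true` to match the canonical booleans the rest of the role should use. The generated Dockerfile bases the capability-modified image on `FROM instrumentisto/coturn:{{ coturn_version }}`, a mutable tag, so the image that ends up with `CAP_NET_BIND_SERVICE` on `/usr/bin/turnserver` is not reproducible across builds; pinning the base by digest, e.g. `FROM instrumentisto/coturn:{{ coturn_version }}@sha256:<BASE_IMAGE_DIGEST>` (placeholder), would make the supply chain auditable and let `force_source` rebuilds be deliberate rather than accidental. The build directory task creates `{{ coturn_base_path }}/{{ coturn_realm }}/build` with no explicit `mode`, which leaves the Dockerfile's permissions to the remote umask; an explicit `mode: "0750"` would document the intent. The header comment also carries two typos (`becasue`, `doning`) worth fixing while the file is new.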