Diffstat (limited to 'roles/apps')
-rw-r--r-- | roles/apps/collabora/code/tasks/custom-image.yml | 4 | ||||
-rw-r--r-- | roles/apps/coturn/defaults/main.yml | 5 | ||||
-rw-r--r-- | roles/apps/coturn/tasks/main.yml | 13 | ||||
-rw-r--r-- | roles/apps/coturn/tasks/privileged-ports-hack.yml | 31 | ||||
-rw-r--r-- | roles/apps/coturn/templates/pod-spec.yml.j2 | 11 | ||||
-rw-r--r-- | roles/apps/coturn/templates/turnserver.conf.j2 | 4 |
6 files changed, 64 insertions, 4 deletions
diff --git a/roles/apps/collabora/code/tasks/custom-image.yml b/roles/apps/collabora/code/tasks/custom-image.yml index 38c453fa..84f6b1ae 100644 --- a/roles/apps/collabora/code/tasks/custom-image.yml +++ b/roles/apps/collabora/code/tasks/custom-image.yml @@ -10,13 +10,13 @@ FROM {{ item.value.custom_image.from | default('collabora/code:' + item.value.version) }} {{ item.value.custom_image.dockerfile }} dest: "{{ collabora_code_base_path }}/{{ item.key }}/build/Dockerfile" - register: nextcloud_custom_image_docker + register: collabora_code_custom_image_docker - name: build custom image docker_image: name: "collabora/code/{{ item.key }}:{{ item.value.version }}" state: present - force_source: "{{ nextcloud_custom_image_docker is changed }}" + force_source: "{{ collabora_code_custom_image_docker is changed }}" source: build build: path: "{{ collabora_code_base_path }}/{{ item.key }}/build" diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml index a7a461bb..34629dbd 100644 --- a/roles/apps/coturn/defaults/main.yml +++ b/roles/apps/coturn/defaults/main.yml @@ -16,3 +16,8 @@ coturn_threads: 0 # coturn_auth_secret: change-me coturn_dhparam_size: 2048 + +coturn_listening_port: 3478 +coturn_tls_listening_port: 5349 + +coturn_install_nginx_vhost: yes diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml index 176be664..a35734a8 100644 --- a/roles/apps/coturn/tasks/main.yml +++ b/roles/apps/coturn/tasks/main.yml @@ -59,6 +59,7 @@ daemon_reload: yes - name: configure nginx vhost + when: coturn_install_nginx_vhost vars: nginx_vhost: name: "coturn-{{ coturn_realm }}" 
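Review bot: `coturn_install_nginx_vhost: yes` in the defaults hunk uses a YAML 1.1 truthy literal; Ansible accepts it, but yamllint flags it, and the two new port defaults silently carry a bigger consequence than their values suggest, since dropping either below 1024 triggers a custom image build and a file-capability grant elsewhere in the role. I would write `coturn_install_nginx_vhost: true` and precede the port defaults with `# ports below 1024 require the patched image built by tasks/privileged-ports-hack.yml (CAP_NET_BIND_SERVICE on turnserver)`. The `when: coturn_install_nginx_vhost` guard added in the first tasks/main.yml hunk reads fine either way.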
@@ -68,6 +69,18 @@ include_role: name: nginx/vhost +- name: get certificate using acmetool + when: not coturn_install_nginx_vhost + import_role: + name: acmetool/cert + vars: + acmetool_cert_name: "coturn-{{ coturn_realm }}" + acmetool_cert_hostnames: "{{ coturn_hostnames }}" + +- name: apply hacky fix to support binding to privileged ports + when: (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) + import_tasks: privileged-ports-hack.yml + - name: install pod manifest vars: kubernetes_standalone_pod: diff --git a/roles/apps/coturn/tasks/privileged-ports-hack.yml b/roles/apps/coturn/tasks/privileged-ports-hack.yml new file mode 100644 index 00000000..bafff0aa --- /dev/null +++ b/roles/apps/coturn/tasks/privileged-ports-hack.yml 
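Review bot: The `when:` on the new "apply hacky fix" task compares the two port variables numerically, but a value overridden from the command line or inventory (`-e coturn_listening_port=443`) arrives as a string, and under Python 3 the `<` between `str` and `int` raises inside the template instead of evaluating to false; the same expression is repeated in the pod-spec template. I would coerce in both places: `when: (coturn_listening_port | int < 1024) or (coturn_tls_listening_port | int < 1024)`. The acmetool branch also references `coturn_hostnames`, which the defaults hunk in this commit does not define; presumably it is set elsewhere in the role, but a one-line comment saying where the issued certificate ends up relative to the `cert=`/`pkey=` paths in turnserver.conf would save the next reader a search.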
@@ -0,0 +1,31 @@
+---
+### This hack is necessary becasue: https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460
+### at the moment there are two possible workarounds:
+## - Setting sysctl net.ipv4.ip_unprivileged_port_start=0.
+## This does not work because kubelet would not allow this for containers using host networking (and actually this would be a bad idea anyway).
+## - Adding the CAP_NET_BIND_SERVICE capability on the turnserver binary file inside the container.
+## This what we are doning here.
+
+- name: create build directory for custom image
+ file:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+ state: directory
+
+- name: generate Dockerfile for custom image
+ copy:
+ content: |
+ FROM instrumentisto/coturn:{{ coturn_version }}
+ RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver
+ dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile"
+ register: coturn_custom_image_docker
+
+- name: build custom image
+ docker_image:
+ name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
+ state: present
+ force_source: "{{ coturn_custom_image_docker is changed }}"
+ source: build
+ build:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+ network: host
+ pull: yes
diff --git a/roles/apps/coturn/templates/pod-spec.yml.j2 b/roles/apps/coturn/templates/pod-spec.yml.j2
index d157af37..a0842784 100644
--- a/roles/apps/coturn/templates/pod-spec.yml.j2
+++ b/roles/apps/coturn/templates/pod-spec.yml.j2
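Review bot: The patched image is built from `FROM instrumentisto/coturn:{{ coturn_version }}` with `pull: yes`, so whatever currently sits behind that mutable tag is what receives the file capability, and nothing in the task verifies it; pinning by digest (`instrumentisto/coturn:{{ coturn_version }}@sha256:...` from a role variable) would tie the capability grant to a known image. The `RUN` line also leaves the libcap utilities, `setcap` included, in the final image; `RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver && apk del libcap` keeps the xattr on the binary and drops the tool, assuming turnserver itself needs only the library and not the utilities. The header comment has typos ("becasue", "doning", "This what") worth fixing while here, and `pull: yes` would be `pull: true` per yamllint's truthy rule.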
@@ -2,10 +2,21 @@ securityContext: allowPrivilegeEscalation: false runAsUser: {{ coturn_uid }} runAsGroup: {{ coturn_gid }} +{# this does not work: https://github.com/kubernetes/kubernetes/issues/56374, https://github.com/moby/moby/issues/8460 +{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %} + capabilities: + add: ["NET_BIND_SERVICE"] +{% endif %} +#} +terminationGracePeriodSeconds: 0 hostNetwork: true containers: - name: coturn +{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %} + image: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}" +{% else %} image: "instrumentisto/coturn:{{ coturn_version }}" +{% endif %} args: - --log-file=stdout resources: diff --git a/roles/apps/coturn/templates/turnserver.conf.j2 b/roles/apps/coturn/templates/turnserver.conf.j2 index d61cdad3..9a587951 100644 --- a/roles/apps/coturn/templates/turnserver.conf.j2 +++ b/roles/apps/coturn/templates/turnserver.conf.j2 @@ -1,8 +1,8 @@ realm={{ coturn_realm }} fingerprint -listening-port=3478 -tls-listening-port=5349 +listening-port={{ coturn_listening_port }} +tls-listening-port={{ coturn_tls_listening_port }} cert=/etc/coturn/ssl/cert.pem pkey=/etc/coturn/ssl/privkey.pem |
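Review bot: The capability hack this template now depends on may be undone by the `allowPrivilegeEscalation: false` context line just above the added block: that setting starts the container with no_new_privs, and on execve the kernel does not add file capabilities to the permitted set while no_new_privs is in effect, so the setcap'd `/usr/bin/turnserver` in the custom image would still fail to bind below 1024 (inferred from the context line and kernel semantics; please confirm on the target runtime, since the commit implies it was tested). If relaxing it turns out to be unavoidable, scope it to the same condition and say why in a `{# ... #}` comment: `allowPrivilegeEscalation: {{ 'true' if (coturn_listening_port < 1024 or coturn_tls_listening_port < 1024) else 'false' }}`, keeping `runAsUser`/`runAsGroup` non-root so the only privilege gained is the single file capability. The new `terminationGracePeriodSeconds: 0` is unrelated to the port change and unexplained; a one-line comment stating why an immediate kill of the relay is acceptable would record the intent.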