From 46591f2232e69739da5ab120fe819e2305c53ab0 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 21 Mar 2021 02:26:21 +0100
Subject: add coturn server for glt

---
 inventory/group_vars/glt-live/vars.yml | 16 ++++++++++++
 inventory/host_vars/glt-coturn.yml | 29 +++++++++++++++++++++
 inventory/hosts.ini | 10 ++++++++
 roles/apps/collabora/code/tasks/custom-image.yml | 4 +--
 roles/apps/coturn/defaults/main.yml | 5 ++++
 roles/apps/coturn/tasks/main.yml | 13 ++++++++++
 roles/apps/coturn/tasks/privileged-ports-hack.yml | 31 +++++++++++++++++++++++
 roles/apps/coturn/templates/pod-spec.yml.j2 | 11 ++++++++
 roles/apps/coturn/templates/turnserver.conf.j2 | 4 +--
 spreadspace/glt-coturn.yml | 14 ++++++++++
 spreadspace/group_vars/glt-live.yml | 10 ++++++++
 spreadspace/host_vars/glt-coturn.yml | 10 ++++++++
 12 files changed, 153 insertions(+), 4 deletions(-)
 create mode 100644 inventory/group_vars/glt-live/vars.yml
 create mode 100644 inventory/host_vars/glt-coturn.yml
 create mode 100644 roles/apps/coturn/tasks/privileged-ports-hack.yml
 create mode 100644 spreadspace/glt-coturn.yml
 create mode 100644 spreadspace/group_vars/glt-live.yml
 create mode 100644 spreadspace/host_vars/glt-coturn.yml

diff --git a/inventory/group_vars/glt-live/vars.yml b/inventory/group_vars/glt-live/vars.yml
new file mode 100644
index 00000000..42f824c8
--- /dev/null
+++ b/inventory/group_vars/glt-live/vars.yml
@@ -0,0 +1,16 @@
+---
+zsh_banner: spreadspace
+
+acmetool_account_email: equinox@spreadspace.org
+acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+
+install:
+ cloud:
+ credentials:
+ token: "{{ vault_hcloud_api_token }}"
+
+network: {}
+
+apt_repo_blackmagic_auth:
+ username: "spreadspace"
+ password: "{{ vault_apt_repo_blackmagic_auth.password }}"
diff --git a/inventory/host_vars/glt-coturn.yml b/inventory/host_vars/glt-coturn.yml
new file mode 100644
index 00000000..5511d75a
--- /dev/null
+++ b/inventory/host_vars/glt-coturn.yml
@@ -0,0 +1,29 @@
+---
+docker_lvm:
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 5G
+ fs: ext4
+
+kubelet_lvm:
+ vg: "{{ host_name }}"
+ lv: kubelet
+ size: 5G
+ fs: ext4
+
+kubernetes_version: 1.20.5
+kubernetes_container_runtime: docker
+kubernetes_standalone_max_pods: 100
+kubernetes_standalone_pod_cidr: 192.168.255.0/24
+kubernetes_standalone_cni_variant: with-portmap
+
+
+coturn_version: 4.5.2
+coturn_realm: linuxtage.at
+coturn_hostnames:
+ - cdn13.linuxtage.at
+
+coturn_auth_secret: "{{ vault_coturn_auth_secret }}"
+coturn_listening_port: 3478
+coturn_tls_listening_port: 443
+coturn_install_nginx_vhost: no
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 1e052e8f..06c4fc47 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -132,6 +132,14 @@ lw-live-02 host_name=cdn-02
 lw-live-03 host_name=cdn-03
+[glt-live:vars]
+host_domain=linuxtage.at
+env_group=spreadspace
+
+[glt-live]
+glt-coturn host_name=cdn13
+
+
 ###############################
 # environment: dan
@@ -351,6 +359,7 @@ sk-tomnext
 [hcloud]
 ch-mimas2
 ele-lt
+glt-coturn
 [hcloud:children]
 emc-dist
@@ -408,6 +417,7 @@ lw-thetys
 s2-thetys
 sk-tomnext-nc
 ch-thetys
+glt-coturn
 [kubernetes:children]
 kubernetes-cluster
diff --git a/roles/apps/collabora/code/tasks/custom-image.yml b/roles/apps/collabora/code/tasks/custom-image.yml
index 38c453fa..84f6b1ae 100644
--- a/roles/apps/collabora/code/tasks/custom-image.yml
+++ b/roles/apps/collabora/code/tasks/custom-image.yml
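Review bot: `coturn_install_nginx_vhost: no` (and the `yes` default it overrides) is a YAML 1.1 truthy word; Ansible does read it as a boolean, but yamllint's `truthy` rule flags it and the `not coturn_install_nginx_vhost` condition in the role is easier to audit with canonical values, so I'd write `coturn_install_nginx_vhost: false`. With the vhost disabled this host puts TLS-TURN on 443 and nothing in this commit shows what answers the ACME HTTP-01 challenge for `cdn13.linuxtage.at` — if the acmetool/cert role relies on the nginx vhost or on a listener that is not part of this change, please confirm issuance and renewal actually work on this host before the event.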
@@ -10,13 +10,13 @@
 FROM {{ item.value.custom_image.from | default('collabora/code:' + item.value.version) }}
 {{ item.value.custom_image.dockerfile }}
 dest: "{{ collabora_code_base_path }}/{{ item.key }}/build/Dockerfile"
- register: nextcloud_custom_image_docker
+ register: collabora_code_custom_image_docker
 - name: build custom image
 docker_image:
 name: "collabora/code/{{ item.key }}:{{ item.value.version }}"
 state: present
- force_source: "{{ nextcloud_custom_image_docker is changed }}"
+ force_source: "{{ collabora_code_custom_image_docker is changed }}"
 source: build
 build:
 path: "{{ collabora_code_base_path }}/{{ item.key }}/build"
diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
index a7a461bb..34629dbd 100644
--- a/roles/apps/coturn/defaults/main.yml
+++ b/roles/apps/coturn/defaults/main.yml
@@ -16,3 +16,8 @@ coturn_threads: 0
 # coturn_auth_secret: change-me
 coturn_dhparam_size: 2048
+
+coturn_listening_port: 3478
+coturn_tls_listening_port: 5349
+
+coturn_install_nginx_vhost: yes
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 176be664..a35734a8 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -59,6 +59,7 @@
 daemon_reload: yes
 - name: configure nginx vhost
+ when: coturn_install_nginx_vhost
 vars:
 nginx_vhost:
 name: "coturn-{{ coturn_realm }}"
@@ -68,6 +69,18 @@
 include_role:
 name: nginx/vhost
+- name: get certificate using acmetool
+ when: not coturn_install_nginx_vhost
+ import_role:
+ name: acmetool/cert
+ vars:
+ acmetool_cert_name: "coturn-{{ coturn_realm }}"
+ acmetool_cert_hostnames: "{{ coturn_hostnames }}"
+
+- name: apply hacky fix to support binding to privileged ports
+ when: (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024)
+ import_tasks: privileged-ports-hack.yml
+
 - name: install pod manifest
 vars:
 kubernetes_standalone_pod:
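Review bot: The `when:` on the new "apply hacky fix" task compares `coturn_listening_port` and `coturn_tls_listening_port` with 1024 without coercing them; values supplied via `-e` or any string-typed source arrive as strings, and `'443' < 1024` raises a TypeError under Python 3 Jinja2 instead of evaluating, so the hack is silently never applied. I'd write `when: (coturn_listening_port | int < 1024) or (coturn_tls_listening_port | int < 1024)`. The identical expression is repeated in pod-spec.yml.j2 to select the image, so a single default such as `coturn_needs_privileged_ports: "{{ (coturn_listening_port | int < 1024) or (coturn_tls_listening_port | int < 1024) }}"` used by both the task and the template would keep the two from drifting apart.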
diff --git a/roles/apps/coturn/tasks/privileged-ports-hack.yml b/roles/apps/coturn/tasks/privileged-ports-hack.yml
new file mode 100644
index 00000000..bafff0aa
--- /dev/null
+++ b/roles/apps/coturn/tasks/privileged-ports-hack.yml
@@ -0,0 +1,31 @@
+---
+### This hack is necessary becasue: https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460
+### at the moment there are two possible workarounds:
+## - Setting sysctl net.ipv4.ip_unprivileged_port_start=0.
+## This does not work because kubelet would not allow this for containers using host networking (and actually this would be a bad idea anyway).
+## - Adding the CAP_NET_BIND_SERVICE capability on the turnserver binary file inside the container.
+## This what we are doning here.
+
+- name: create build directory for custom image
+ file:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+ state: directory
+
+- name: generate Dockerfile for custom image
+ copy:
+ content: |
+ FROM instrumentisto/coturn:{{ coturn_version }}
+ RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver
+ dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile"
+ register: coturn_custom_image_docker
+
+- name: build custom image
+ docker_image:
+ name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
+ state: present
+ force_source: "{{ coturn_custom_image_docker is changed }}"
+ source: build
+ build:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+ network: host
+ pull: yes
diff --git a/roles/apps/coturn/templates/pod-spec.yml.j2 b/roles/apps/coturn/templates/pod-spec.yml.j2
index d157af37..a0842784 100644
--- a/roles/apps/coturn/templates/pod-spec.yml.j2
+++ b/roles/apps/coturn/templates/pod-spec.yml.j2
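Review bot: The generated Dockerfile leaves the `libcap` package in the runtime image although it is only needed for the one `setcap` call at build time; the file capability is an xattr and survives package removal, so `RUN apk --no-cache add libcap && setcap cap_net_bind_service=+ep /usr/bin/turnserver && apk --no-cache del libcap` keeps the relay image as small as upstream's. The base image is pinned by tag only (`FROM instrumentisto/coturn:{{ coturn_version }}`) and `pull: yes` re-fetches it on every rebuild, so a moved tag silently changes which binary gets the capability; pinning a digest (`instrumentisto/coturn:{{ coturn_version }}@sha256:…`) or at least recording the pulled digest would make the build reproducible. The `name:` of the built image nests under the upstream namespace (`instrumentisto/coturn/<realm>`), which reads as if it came from Docker Hub — a local prefix such as `local/coturn-{{ coturn_realm }}` makes the provenance obvious in `docker images`. While here, the header comment has two typos: `becasue` → `because` and `This what we are doning here` → `This is what we are doing here`.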
@@ -2,10 +2,21 @@ securityContext:
 allowPrivilegeEscalation: false
 runAsUser: {{ coturn_uid }}
 runAsGroup: {{ coturn_gid }}
+{# this does not work: https://github.com/kubernetes/kubernetes/issues/56374, https://github.com/moby/moby/issues/8460
+{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %}
+ capabilities:
+ add: ["NET_BIND_SERVICE"]
+{% endif %}
+#}
+terminationGracePeriodSeconds: 0
 hostNetwork: true
 containers:
 - name: coturn
+{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %}
+ image: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
+{% else %}
 image: "instrumentisto/coturn:{{ coturn_version }}"
+{% endif %}
 args:
 - --log-file=stdout
 resources:
diff --git a/roles/apps/coturn/templates/turnserver.conf.j2 b/roles/apps/coturn/templates/turnserver.conf.j2
index d61cdad3..9a587951 100644
--- a/roles/apps/coturn/templates/turnserver.conf.j2
+++ b/roles/apps/coturn/templates/turnserver.conf.j2
@@ -1,8 +1,8 @@
 realm={{ coturn_realm }}
 fingerprint
-listening-port=3478
-tls-listening-port=5349
+listening-port={{ coturn_listening_port }}
+tls-listening-port={{ coturn_tls_listening_port }}
 cert=/etc/coturn/ssl/cert.pem
 pkey=/etc/coturn/ssl/privkey.pem
diff --git a/spreadspace/glt-coturn.yml b/spreadspace/glt-coturn.yml
new file mode 100644
index 00000000..4cb46213
--- /dev/null
+++ b/spreadspace/glt-coturn.yml
@@ -0,0 +1,14 @@
+---
+- name: Basic Setup
+ hosts: glt-coturn
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd
+ - role: core/zsh
+ - role: core/ntp
+ - role: kubernetes/base
+ - role: kubernetes/standalone/base
+ - role: apt-repo/spreadspace
+ - role: acmetool/base
+ - role: apps/coturn
diff --git a/spreadspace/group_vars/glt-live.yml b/spreadspace/group_vars/glt-live.yml
new file mode 100644
index 00000000..59924bba
--- /dev/null
+++ b/spreadspace/group_vars/glt-live.yml
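Review bot: The hunk keeps `allowPrivilegeEscalation: false`, which sets no_new_privs on the container process, and under no_new_privs the kernel does not let an execve raise the permitted capability set beyond what the parent already held — which is exactly what the `setcap`'d turnserver in the custom image selected a few lines below relies on to bind 443 as `runAsUser: {{ coturn_uid }}`. Unless the process that execs turnserver already carries NET_BIND_SERVICE in its permitted set, the file capability is dropped and the privileged-port hack is dead code; please verify on the host that the pod really listens on 443, and if it does not, either set `allowPrivilegeEscalation: true` for this pod with a comment naming this reason, or keep the TLS listener above 1024 and redirect 443 to it with a host-level DNAT rule, which the `hostNetwork: true` setup makes straightforward. Separately, `terminationGracePeriodSeconds: 0` SIGKILLs turnserver the moment the pod is deleted, cutting every active relay allocation without a graceful close; a short comment stating why that is acceptable for this deployment (or dropping the line to use the default) would help the next reader.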
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+30363032353531613732386332346431623532356466353765633939656635353835353930376561
+6537383665376330653366313635396134376464383462380a376530623330343934363738316565
+37336134663631303061623438346631306562386564386531623536313063386137326635663637
+3131653239393838390a623838333532663938643361333931343534663331396231393434656363
+66656536653534303835663732346563653662313164323333643939616330653861636439666461
+65326163656439306339383338623337643535653331343737663936666132656233353236343331
+32646132623334343264336131323138383231613831303735633237323463663638343639346638
+39336339326266363133326638646438313665346635663836356334616564643132373633386232
+6431
diff --git a/spreadspace/host_vars/glt-coturn.yml b/spreadspace/host_vars/glt-coturn.yml
new file mode 100644
index 00000000..5a25939b
--- /dev/null
+++ b/spreadspace/host_vars/glt-coturn.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+66623933363135653535643038353239653765363938623335663961626538313036346263376636
+6634313836393163336339666639663233383564346363630a313136343838393366333765623130
+63613934363564626161653562623833323230393265613234616239333237373837356532363161
+6335306637396339610a363634343637613332393464623339333230666531343837323138393965
+62383266643466643430663030313531313063616666646439616330376537393137663234303761
+66646639643865376233366235383831383165656663666162383663356163363661383865656163
+36643163313634356239643435323137643861666139643834363539656465613539626637336634
+62643866613138613530316635316561616461346666623135313838663138313336323562623266
+62626536333832343931613064363231316637323462303037333234336563313135
--
cgit v1.2.3