From 46591f2232e69739da5ab120fe819e2305c53ab0 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 21 Mar 2021 02:26:21 +0100 Subject: add coturn server for glt --- roles/apps/coturn/tasks/privileged-ports-hack.yml | 31 +++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 roles/apps/coturn/tasks/privileged-ports-hack.yml (limited to 'roles/apps/coturn/tasks/privileged-ports-hack.yml') diff --git a/roles/apps/coturn/tasks/privileged-ports-hack.yml b/roles/apps/coturn/tasks/privileged-ports-hack.yml new file mode 100644 index 00000000..bafff0aa --- /dev/null +++ b/roles/apps/coturn/tasks/privileged-ports-hack.yml @@ -0,0 +1,31 @@ +--- +### This hack is necessary becasue: https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460 +### at the moment there are two possible workarounds: +## - Setting sysctl net.ipv4.ip_unprivileged_port_start=0. +## This does not work because kubelet would not allow this for containers using host networking (and actually this would be a bad idea anyway). +## - Adding the CAP_NET_BIND_SERVICE capability on the turnserver binary file inside the container. +## This what we are doning here. + +- name: create build directory for custom image + file: + path: "{{ coturn_base_path }}/{{ coturn_realm }}/build" + state: directory + +- name: generate Dockerfile for custom image + copy: + content: | + FROM instrumentisto/coturn:{{ coturn_version }} + RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver + dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile" + register: coturn_custom_image_docker + +- name: build custom image + docker_image: + name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}" + state: present + force_source: "{{ coturn_custom_image_docker is changed }}" + source: build + build: + path: "{{ coturn_base_path }}/{{ coturn_realm }}/build" + network: host + pull: yes -- cgit v1.2.3