From 46591f2232e69739da5ab120fe819e2305c53ab0 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Sun, 21 Mar 2021 02:26:21 +0100
Subject: add coturn server for glt

---
 roles/apps/coturn/defaults/main.yml               |  5 ++++
 roles/apps/coturn/tasks/main.yml                  | 13 ++++++++++
 roles/apps/coturn/tasks/privileged-ports-hack.yml | 31 +++++++++++++++++++++++
 roles/apps/coturn/templates/pod-spec.yml.j2       | 11 ++++++++
 roles/apps/coturn/templates/turnserver.conf.j2    |  4 +--
 5 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 roles/apps/coturn/tasks/privileged-ports-hack.yml

(limited to 'roles/apps/coturn')

diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
index a7a461bb..34629dbd 100644
--- a/roles/apps/coturn/defaults/main.yml
+++ b/roles/apps/coturn/defaults/main.yml
@@ -16,3 +16,8 @@ coturn_threads: 0
 # coturn_auth_secret: change-me
 
 coturn_dhparam_size: 2048
+
+coturn_listening_port: 3478
+coturn_tls_listening_port: 5349
+
+coturn_install_nginx_vhost: yes
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 176be664..a35734a8 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -59,6 +59,7 @@
     daemon_reload: yes
 
 - name: configure nginx vhost
+  when: coturn_install_nginx_vhost
   vars:
     nginx_vhost:
       name: "coturn-{{ coturn_realm }}"
@@ -68,6 +69,18 @@
   include_role:
     name: nginx/vhost
 
+- name: get certificate using acmetool
+  when: not coturn_install_nginx_vhost
+  import_role:
+    name: acmetool/cert
+  vars:
+    acmetool_cert_name: "coturn-{{ coturn_realm }}"
+    acmetool_cert_hostnames: "{{ coturn_hostnames }}"
+
+- name: apply hacky fix to support binding to privileged ports
+  when: (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024)
+  import_tasks: privileged-ports-hack.yml
+
 - name: install pod manifest
   vars:
     kubernetes_standalone_pod:
diff --git a/roles/apps/coturn/tasks/privileged-ports-hack.yml b/roles/apps/coturn/tasks/privileged-ports-hack.yml
new file mode 100644
index 00000000..bafff0aa
--- /dev/null
+++ b/roles/apps/coturn/tasks/privileged-ports-hack.yml
@@ -0,0 +1,31 @@
+---
+### This hack is necessary becasue: https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460
+### at the moment there are two possible workarounds:
+##  - Setting sysctl net.ipv4.ip_unprivileged_port_start=0.
+##    This does not work because kubelet would not allow this for containers using host networking (and actually this would be a bad idea anyway).
+##  - Adding the CAP_NET_BIND_SERVICE capability on the turnserver binary file inside the container.
+##    This what we are doning here.
+
+- name: create build directory for custom image
+  file:
+    path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+    state: directory
+
+- name: generate Dockerfile for custom image
+  copy:
+    content: |
+      FROM instrumentisto/coturn:{{ coturn_version }}
+      RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver
+    dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile"
+  register: coturn_custom_image_docker
+
+- name: build custom image
+  docker_image:
+    name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
+    state: present
+    force_source: "{{ coturn_custom_image_docker is changed }}"
+    source: build
+    build:
+      path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
+      network: host
+      pull: yes
diff --git a/roles/apps/coturn/templates/pod-spec.yml.j2 b/roles/apps/coturn/templates/pod-spec.yml.j2
index d157af37..a0842784 100644
--- a/roles/apps/coturn/templates/pod-spec.yml.j2
+++ b/roles/apps/coturn/templates/pod-spec.yml.j2
@@ -2,10 +2,21 @@ securityContext:
   allowPrivilegeEscalation: false
   runAsUser: {{ coturn_uid }}
   runAsGroup: {{ coturn_gid }}
+{# this does not work: https://github.com/kubernetes/kubernetes/issues/56374, https://github.com/moby/moby/issues/8460
+{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %}
+  capabilities:
+    add: ["NET_BIND_SERVICE"]
+{% endif %}
+#}
+terminationGracePeriodSeconds: 0
 hostNetwork: true
 containers:
 - name: coturn
+{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %}
+  image: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
+{% else %}
   image: "instrumentisto/coturn:{{ coturn_version }}"
+{% endif %}
   args:
     - --log-file=stdout
   resources:
diff --git a/roles/apps/coturn/templates/turnserver.conf.j2 b/roles/apps/coturn/templates/turnserver.conf.j2
index d61cdad3..9a587951 100644
--- a/roles/apps/coturn/templates/turnserver.conf.j2
+++ b/roles/apps/coturn/templates/turnserver.conf.j2
@@ -1,8 +1,8 @@
 realm={{ coturn_realm }}
 fingerprint
 
-listening-port=3478
-tls-listening-port=5349
+listening-port={{ coturn_listening_port }}
+tls-listening-port={{ coturn_tls_listening_port }}
 
 cert=/etc/coturn/ssl/cert.pem
 pkey=/etc/coturn/ssl/privkey.pem
-- 
cgit v1.2.3