From 3db6f8b21e2a6707381971a600268a0537f1074e Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sat, 10 Jul 2021 21:28:45 +0200
Subject: coturn: use new images

---
 roles/apps/coturn/defaults/main.yml               |  2 +-
 roles/apps/coturn/tasks/main.yml                  |  4 ---
 roles/apps/coturn/tasks/privileged-ports-hack.yml | 31 -----------------------
 roles/apps/coturn/templates/pod-spec.yml.j2       |  8 ++----
 4 files changed, 3 insertions(+), 42 deletions(-)
 delete mode 100644 roles/apps/coturn/tasks/privileged-ports-hack.yml

(limited to 'roles/apps/coturn')

diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
index 34629dbd..842e7f05 100644
--- a/roles/apps/coturn/defaults/main.yml
+++ b/roles/apps/coturn/defaults/main.yml
@@ -3,7 +3,7 @@ coturn_uid: 930
 coturn_gid: 930
 coturn_base_path: /srv/coturn
 
-# coturn_version: 4.5.1.1
+# coturn_version: 4.5.2-r2
 # coturn_realm: example.com
 # coturn_hostnames:
 # - stun.example.com
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index a35734a8..838385ea 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -77,10 +77,6 @@
     acmetool_cert_name: "coturn-{{ coturn_realm }}"
     acmetool_cert_hostnames: "{{ coturn_hostnames }}"
 
-- name: apply hacky fix to support binding to privileged ports
-  when: (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024)
-  import_tasks: privileged-ports-hack.yml
-
 - name: install pod manifest
   vars:
     kubernetes_standalone_pod:
diff --git a/roles/apps/coturn/tasks/privileged-ports-hack.yml b/roles/apps/coturn/tasks/privileged-ports-hack.yml
deleted file mode 100644
index 6025b7e7..00000000
--- a/roles/apps/coturn/tasks/privileged-ports-hack.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-### This hack is necessary because: https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460.
-### AFAIK there are two possible workarounds at the moment:
-## - Setting sysctl net.ipv4.ip_unprivileged_port_start=0.
-##   This does not work because kubelet would not allow this for containers using host networking (and actually this would be a bad idea anyway).
-## - Adding the CAP_NET_BIND_SERVICE capability on the turnserver binary file inside the container.
-##   This is what we are doing here - at least until the upstream container includes this: https://github.com/instrumentisto/coturn-docker-image/issues/40
-
-- name: create build directory for custom image
-  file:
-    path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
-    state: directory
-
-- name: generate Dockerfile for custom image
-  copy:
-    content: |
-      FROM instrumentisto/coturn:{{ coturn_version }}
-      RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver
-    dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile"
-  register: coturn_custom_image_docker
-
-- name: build custom image
-  docker_image:
-    name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
-    state: present
-    force_source: "{{ coturn_custom_image_docker is changed }}"
-    source: build
-    build:
-      path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
-      network: host
-      pull: yes
diff --git a/roles/apps/coturn/templates/pod-spec.yml.j2 b/roles/apps/coturn/templates/pod-spec.yml.j2
index a0842784..20612e4b 100644
--- a/roles/apps/coturn/templates/pod-spec.yml.j2
+++ b/roles/apps/coturn/templates/pod-spec.yml.j2
@@ -12,13 +12,9 @@ terminationGracePeriodSeconds: 0
 hostNetwork: true
 containers:
 - name: coturn
-{% if (coturn_listening_port < 1024) or (coturn_tls_listening_port < 1024) %}
-  image: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
-{% else %}
-  image: "instrumentisto/coturn:{{ coturn_version }}"
-{% endif %}
+  image: "coturn/coturn:{{ coturn_version }}"
   args:
-  - --log-file=stdout
+    - --log-file=stdout
   resources:
     limits:
       memory: "1Gi"
-- cgit v1.2.3
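Review bot: The new `image: "coturn/coturn:{{ coturn_version }}"` line drops the only mechanism this role had for letting turnserver bind ports below 1024 under `hostNetwork: true` — the deleted privileged-ports-hack.yml built a per-realm image with `setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver`, and nothing in the commit states how the new image covers that case (presumably upstream now handles it, but that is not visible here). A comment beside the image line would keep the next reader from re-deriving this, e.g. `{# per-realm setcap build removed: coturn/coturn is expected to bind ports < 1024 on its own — re-check when bumping the image #}`. The tag scheme also changes (the defaults hunk now shows `4.5.2-r2` where it showed `4.5.1.1`), so inventories that still set `coturn_version` in the old form will fail at pull time; the defaults comment or commit message should say that `coturn_version` must now be a `coturn/coturn` tag. Since that tag is mutable and the old build step's `pull: yes` is gone with it, it is also worth documenting how a deployed image gets refreshed, or pinning by digest where the pod tooling allows it. The removed and added `- --log-file=stdout` lines differ only in indentation; whichever way that went, keep it consistent with how `- name: coturn` sits under `containers:` so the template uses one sequence style.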