---
### This hack is necessary because of https://github.com/kubernetes/kubernetes/issues/56374 and https://github.com/moby/moby/issues/8460:
### a non-root process inside the container cannot bind ports below 1024 on its own.
### As far as we know there are two possible workarounds at the moment:
##  - Setting the sysctl net.ipv4.ip_unprivileged_port_start=0.
##    This does not work here because kubelet does not allow this sysctl for pods using host networking
##    (and opening every privileged port system-wide would be a bad idea anyway).
##  - Adding the CAP_NET_BIND_SERVICE file capability to the turnserver binary inside the container.
##    This is what we do here - at least until the upstream image ships the binary with that capability: https://github.com/instrumentisto/coturn-docker-image/issues/40

# Docker build context for the per-realm custom image; the Dockerfile task below writes into it.
- name: create build directory for custom image
  file:
    state: directory
    path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"

# Write the Dockerfile for the custom image. It only layers a file capability on top of the
# upstream image so turnserver can bind ports below 1024 without running as root.
# The registered result (changed / unchanged) decides whether the next task rebuilds the image.
# Notes for operators:
#  - A file capability only takes effect if CAP_NET_BIND_SERVICE is in the container's bounding
#    set. Docker's default capability set includes it; a Kubernetes securityContext that drops
#    ALL capabilities must add NET_BIND_SERVICE back or the bind will still fail.
#  - The base image is referenced by tag only. Tags are mutable; pin by digest
#    (FROM instrumentisto/coturn:<version>@sha256:...) if you need a reproducible build.
- name: generate Dockerfile for custom image
  register: coturn_custom_image_docker
  copy:
    dest: "{{ coturn_base_path }}/{{ coturn_realm }}/build/Dockerfile"
    content: |
      FROM instrumentisto/coturn:{{ coturn_version }}
      RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver

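# Build (and locally tag) the custom image from the build context above.
#  - force_source: only rebuild when the generated Dockerfile changed. Because the image is
#    kept with state: present, a re-published upstream tag (e.g. an Alpine security rebuild of
#    the same coturn version) is NOT picked up while a local image with this tag already
#    exists; bump coturn_version or remove the local image to force a refresh.
#  - build.pull: when a build does run, re-check the registry for a newer base image.
#  - build.network: the build runs on the host network (presumably so apk can reach its
#    mirrors through the host's resolver/proxy settings); it does not affect the running
#    container's network namespace.
# Note: coturn_realm becomes a path component of the image name, so it must be lowercase
# and (roughly) consist of [a-z0-9._-] only, or docker will reject the tag.
- name: build custom image
  docker_image:
    name: "instrumentisto/coturn/{{ coturn_realm }}:{{ coturn_version }}"
    state: present
    force_source: "{{ coturn_custom_image_docker is changed }}"
    source: build
    build:
      path: "{{ coturn_base_path }}/{{ coturn_realm }}/build"
      network: host
      # canonical boolean spelling (was `yes`); identical value for the module
      pull: true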