Allow matrix_coturn_docker_network to be set to 'host' to use host-networking

This helps large deployments which need to open up thousands of ports (matrix_coturn_turn_udp_min_port, matrix_coturn_turn_udp_min_port) On a test VM, opening 1k ports takes 17 seconds for Docker to "publish" all of these ports (setting up forwarding rules with the firewall, etc), so service startup and shutdown take a long amount of time. If host-networking is used, there's no need to open any ports at all and startup/shutdown can be quick.
2023-01-26 17:16:20 +02:00
parent bb0faa6bc3
commit aafa8f019c
4 changed files with 30 additions and 6 deletions
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@ -20,6 +20,13 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith('
 #
 # Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
 # possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
+#
+# Setting `matrix_coturn_docker_network` to 'host' will run the container with host networking,
+# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
+# Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers.
+# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
+# which hopefully prevents access to such private network ranges.
+# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
 matrix_coturn_docker_network: "matrix-coturn"

 matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
@ -41,20 +48,20 @@ matrix_coturn_container_extra_arguments: []
 # Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
-matrix_coturn_container_stun_plain_host_bind_port: '3478'
+matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_docker_network != 'host' else '' }}"

 # Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
-matrix_coturn_container_stun_tls_host_bind_port: '5349'
+matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_docker_network != 'host' else '' }}"

 # Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
 #
 # Takes an interface "<ip address>" (e.g. "127.0.0.1"), or empty string to listen on all interfaces.
-# Takes a null/none value (`~`) to prevent listening.
+# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
 #
 # The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
-matrix_coturn_container_turn_range_listen_interface: ''
+matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_docker_network != 'host' else 'none' }}"

 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152
--- a/roles/custom/matrix-coturn/tasks/setup_install.yml
+++ b/roles/custom/matrix-coturn/tasks/setup_install.yml
@ -62,7 +62,8 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"

- name: Ensure Coturn network is created in Docker
+- when: matrix_coturn_docker_network not in ['', 'host']
+  name: Ensure Coturn network is created in Docker
  community.docker.docker_network:
    name: "{{ matrix_coturn_docker_network }}"
    driver: bridge
--- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
+++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@ -30,7 +30,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			-p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349 \
 			-p {{ matrix_coturn_container_stun_tls_host_bind_port }}:5349/udp \
 			{% endif %}
-			{% if matrix_coturn_container_turn_range_listen_interface is not none %}
+			{% if matrix_coturn_container_turn_range_listen_interface is not in [none, 'none'] %}
 			-p {{ matrix_coturn_container_turn_range_listen_interface }}{{ ':' if matrix_coturn_container_turn_range_listen_interface else '' }}{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \
 			{% endif %}
 			--mount type=bind,src={{ matrix_coturn_config_path }},dst=/turnserver.conf,ro \