Add additional-networks support to matrix-coturn
Not that it seems necessary right now, but it makes it consistent with all other roles.
This commit is contained in:
parent
fe13d7d010
commit
ad32953e0b
@ -582,7 +582,7 @@ Large Coturn deployments (with a huge range of ports specified via `matrix_cotur
|
|||||||
Such deployments don't need to run Coturn within a private container network anymore. Coturn can now run with host-networking by using configuration like this:
|
Such deployments don't need to run Coturn within a private container network anymore. Coturn can now run with host-networking by using configuration like this:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
matrix_coturn_docker_network: host
|
matrix_coturn_container_network: host
|
||||||
```
|
```
|
||||||
|
|
||||||
With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time Coturn starts and stops.
|
With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time Coturn starts and stops.
|
||||||
|
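Review bot: the docs example only picks up the rename; nothing in this hunk documents the new `matrix_coturn_container_additional_networks_custom` setting the defaults hunk introduces, nor tells users that the old `matrix_coturn_docker_network` name now fails validation. Add a short line next to the host-networking example naming the new variable to rename to, and state that additional networks are only usable when `matrix_coturn_container_network` is not `host`.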
@ -22,13 +22,17 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith('
|
|||||||
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
|
# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
|
||||||
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
|
# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
|
||||||
#
|
#
|
||||||
# Setting `matrix_coturn_docker_network` to 'host' will run the container with host networking,
|
# Setting `matrix_coturn_container_network` to 'host' will run the container with host networking,
|
||||||
# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
|
# which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
|
||||||
# Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers.
|
# Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers.
|
||||||
# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
|
# Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
|
||||||
# which hopefully prevents access to such private network ranges.
|
# which hopefully prevents access to such private network ranges.
|
||||||
# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
|
# When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
|
||||||
matrix_coturn_docker_network: "matrix-coturn"
|
matrix_coturn_container_network: "matrix-coturn"
|
||||||
|
|
||||||
|
matrix_coturn_container_additional_networks: "{{ matrix_coturn_container_additional_networks_auto + matrix_coturn_container_additional_networks_custom }}"
|
||||||
|
matrix_coturn_container_additional_networks_auto: []
|
||||||
|
matrix_coturn_container_additional_networks_custom: []
|
||||||
|
|
||||||
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
|
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
|
||||||
matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
|
matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
|
||||||
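Review bot: the three new `matrix_coturn_container_additional_networks*` variables land without the explanatory comment every other setting in this file carries; add one saying that `_custom` is the user-facing list, `_auto` is reserved for the playbook, and that extra networks cannot be attached when `matrix_coturn_container_network` is `host`. While here, the pre-existing comment `# Regardless of the networking mode, we apply a deny list which via \`matrix_coturn_denied_peer_ips\`,` has a stray `which`.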
@ -50,12 +54,12 @@ matrix_coturn_container_extra_arguments: []
|
|||||||
# Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
|
# Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
|
||||||
#
|
#
|
||||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
|
||||||
matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_docker_network != 'host' else '' }}"
|
matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
|
||||||
|
|
||||||
# Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
|
# Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
|
||||||
#
|
#
|
||||||
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
|
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
|
||||||
matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_docker_network != 'host' else '' }}"
|
matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
|
||||||
|
|
||||||
# Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
|
# Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
|
||||||
#
|
#
|
||||||
@ -63,7 +67,7 @@ matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_doc
|
|||||||
# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
|
# Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
|
||||||
#
|
#
|
||||||
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
|
# The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
|
||||||
matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_docker_network != 'host' else 'none' }}"
|
matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_container_network != 'host' else 'none' }}"
|
||||||
|
|
||||||
# UDP port-range to use for TURN
|
# UDP port-range to use for TURN
|
||||||
matrix_coturn_turn_udp_min_port: 49152
|
matrix_coturn_turn_udp_min_port: 49152
|
||||||
@ -97,7 +101,7 @@ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_del
|
|||||||
matrix_coturn_allowed_peer_ips: []
|
matrix_coturn_allowed_peer_ips: []
|
||||||
|
|
||||||
# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
|
# We block loopback interfaces and private networks by default to prevent private resources from being accessible.
|
||||||
# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_docker_network: host`).
|
# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_container_network: host`).
|
||||||
#
|
#
|
||||||
# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
|
# Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
|
||||||
#
|
#
|
||||||
|
@ -95,9 +95,9 @@
|
|||||||
group: "{{ matrix_user_groupname }}"
|
group: "{{ matrix_user_groupname }}"
|
||||||
|
|
||||||
- name: Ensure Coturn network is created in Docker
|
- name: Ensure Coturn network is created in Docker
|
||||||
when: matrix_coturn_docker_network not in ['', 'host']
|
when: matrix_coturn_container_network not in ['', 'host']
|
||||||
community.docker.docker_network:
|
community.docker.docker_network:
|
||||||
name: "{{ matrix_coturn_docker_network }}"
|
name: "{{ matrix_coturn_container_network }}"
|
||||||
driver: bridge
|
driver: bridge
|
||||||
|
|
||||||
- name: Ensure matrix-coturn.service installed
|
- name: Ensure matrix-coturn.service installed
|
||||||
|
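Review bot: this task only ensures the primary network exists (and correctly skips it for `host`), but nothing ensures the networks listed in `matrix_coturn_container_additional_networks` exist before the systemd unit runs `docker network connect` on them, so a typo in the custom list surfaces only as a failed service start. Either add an equivalent `community.docker.docker_network` loop over the additional networks, or state in the variable's comment that each listed network must be created by the role that owns it.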
@ -1,5 +1,14 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
- name: (Deprecation) Catch and report renamed Coturn settings
|
||||||
|
ansible.builtin.fail:
|
||||||
|
msg: >-
|
||||||
|
Your configuration contains a variable, which now has a different name.
|
||||||
|
Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
|
||||||
|
when: "item.old in vars"
|
||||||
|
with_items:
|
||||||
|
- {'old': 'matrix_coturn_docker_network', 'new': 'matrix_coturn_container_network'}
|
||||||
|
|
||||||
- name: Fail if required Coturn settings not defined
|
- name: Fail if required Coturn settings not defined
|
||||||
ansible.builtin.fail:
|
ansible.builtin.fail:
|
||||||
msg: >-
|
msg: >-
|
||||||
|
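Review bot: `when: "item.old in vars"` turns the rename into a hard failure rather than a warning, which matches how the other roles handle deprecations, but `matrix_coturn_docker_network` was the documented way to enable host networking, so this deserves a CHANGELOG entry alongside the docs update. Minor: the message `Your configuration contains a variable, which now has a different name.` reads better without the comma.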
@ -13,7 +13,9 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
|
|||||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
|
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
|
||||||
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
|
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
|
||||||
|
|
||||||
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-coturn \
|
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
|
||||||
|
--rm \
|
||||||
|
--name=matrix-coturn \
|
||||||
--log-driver=none \
|
--log-driver=none \
|
||||||
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
||||||
--cap-drop=ALL \
|
--cap-drop=ALL \
|
||||||
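Review bot: keep the pre-existing `ExecStartPre ... rm matrix-coturn` line above this block even though `--rm` is passed to `create`: auto-remove only fires when the container exits, so a container that was created but never started (for example because a later `network connect` failed) would otherwise remain and make the next `create` fail with a name conflict. `--rm` on `docker create` is otherwise valid and still cleans up after a normal exit.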
@ -21,7 +23,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
|
|||||||
--entrypoint=turnserver \
|
--entrypoint=turnserver \
|
||||||
--read-only \
|
--read-only \
|
||||||
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
|
--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
|
||||||
--network={{ matrix_coturn_docker_network }} \
|
--network={{ matrix_coturn_container_network }} \
|
||||||
{% if matrix_coturn_container_stun_plain_host_bind_port != '' %}
|
{% if matrix_coturn_container_stun_plain_host_bind_port != '' %}
|
||||||
-p {{ matrix_coturn_container_stun_plain_host_bind_port }}:3478 \
|
-p {{ matrix_coturn_container_stun_plain_host_bind_port }}:3478 \
|
||||||
-p {{ matrix_coturn_container_stun_plain_host_bind_port }}:3478/udp \
|
-p {{ matrix_coturn_container_stun_plain_host_bind_port }}:3478/udp \
|
||||||
@ -43,6 +45,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
|
|||||||
{{ matrix_coturn_docker_image }} \
|
{{ matrix_coturn_docker_image }} \
|
||||||
-c /turnserver.conf
|
-c /turnserver.conf
|
||||||
|
|
||||||
|
{% for network in matrix_coturn_container_additional_networks %}
|
||||||
|
ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-coturn
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-coturn
|
||||||
|
|
||||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
|
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true'
|
||||||
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
|
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
|
||||||
|
|
||||||
|
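Review bot: the `docker network connect` loop has no guard for `matrix_coturn_container_network: host`; Docker refuses to connect a host-networked container to a bridge network, and because the `ExecStartPre=` line carries no `-` prefix the whole unit fails to start if someone sets `matrix_coturn_container_additional_networks_custom` together with host networking. Wrap the loop in `{% if matrix_coturn_container_network != 'host' %}` or reject the combination in validate_config. Failing closed on a connect error is otherwise the right behaviour, so keep the line without the `-` prefix.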