Add Docker resources

[gary-kim]

Still a work in progress. Now complete.
This is the configuration I am using on my own server with some extra Janus command line flags and a separate Coturn server. I've made several calls with it and it works.

[markuman]

@gary-kim maybe adding also coturn to the docker-compose stack is also usefull as the server.conf.in is referring to a "turn" server also.

FROM alpine:3.11

RUN apk add --update coturn
CMD turnserver --prod --no-tlsv1 --no-tlsv1_1\
     --tls-listening-port 5349 \
     --fingerprint \
     --lt-cred-mech \
     --use-auth-secret \
     --static-auth-secret $STATIC_SECRET \
     --realm $REALM \
     --total-quota 100 \
     --bps-capacity=50000000 \
     --max-bps=50000000 \
     --stale-nonce=600 \
     --cert /cert.pem \
     --pkey /privkey.pem \
     --cipher-list “ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384″ \
     --no-multicast-peers

docker run -d --rm --name coturn \
    -e STATIC_SECRET=some-awesome-secret \
    -e REALM=myserver.domain.invalid \
    -v /mnt/data/caddy/acme/acme-v02.api.letsencrypt.org/sites/myserver.domain.invalid/myserver.domain.invalid.crt:/cert.pem:ro \
    -v /mnt/data/caddy/acme/acme-v02.api.letsencrypt.org/sites/myserver.domain.invalid/myserver.domain.invalid.key:/privkey.pem:ro \
    -p 5349:5349/tcp -p 5349:5349/udp \
    registry.gitlab.com/markuman/container-images:coturn

this works for me.

The coturn works also as stun

./stunclient myserver.domain.invalid 5349
Binding test: success
Local address: 192.168.178.42:36150
Mapped address: 178.5.157.167:36150

[gary-kim]

Honestly forgot about that part. I already had coturn set up for myself so I kind of forgot that's another thing to set up. I'll get to that in a bit once I finish what I'm working on.

[gary-kim]

Okay, added coturn to the setup. Let me try connecting my current setup to this turn server to make sure it works.

Yeah, seems to work.

[madmath03]

Hi,

StrukturAG had docker container for Coturn which was designed for Spreed WebRTC.
We made a fork of it to update it and use it with WebRTC solutions like NextCloud Talk : https://github.com/Monogramm/docker-coturn

Maybe we can send our updates to the base project and this could be used as the base for the Coturn container here ?

Still, love to see this being Open Sourced ❤️

[markuman]

@madmath03 for what does it need redis and mongodb in coturn?

[gary-kim]

I wanted the Coturn used here to be as simple as possible since I think most people who need something more advanced are probably going to connect it to their own separate TURN server. Still, let's see what @fancycode thinks.

[madmath03]

@madmath03 for what does it need redis and mongodb in coturn?

@markuman Coturn supports user authentication against a local database like SQLite, Postgres, Redis, MongoDB, etc...

Redis and MongoDB are not included in the docker container, it's just the drivers required to connect an external database.

Even if it's not needed for use with NextCloud Talk, we wanted to make the container provide support for (almost) 100% of Coturn capabilities.

[madmath03]

I tried to fork this branch and build the containers in Dockerhub but I get the following error:

Step 5/11 : RUN make build
---> Running in 56f2095aaaf2
[ ! -d "/workdir/.git/hooks" ] || ln -sf "/workdir/scripts/pre-commit.hook" "/workdir/.git/hooks/pre-commit"
GOPATH="/workdir/vendor:/workdir" /usr/local/go/bin/go get github.com/rogpeppe/godeps
/workdir/scripts/get_continent_map.py src/signaling/continentmap.go
/usr/bin/env: 
'python3'
: No such file or directory


make: *** [Makefile:56: src/signaling/continentmap.go] Error 127

Removing intermediate container 56f2095aaaf2

Should the docker-compose build be added to travis ?

[gary-kim]

Not sure why you're having the issue. I just tried building on a fresh system and it worked fine. Need to investigate this a bit more.

Log

Sending build context to Docker daemon  887.3kB
Step 1/11 : FROM golang:1.13 AS builder
1.13: Pulling from library/golang
376057ac6fa1: Pull complete 
5a63a0a859d8: Pull complete 
496548a8c952: Pull complete 
2adae3950d4d: Pull complete 
039b991354af: Pull complete 
220a25a42996: Pull complete 
b3616653c78b: Pull complete 
Digest: sha256:033b293ef6fce68fee373b0d5bfacb1c490ee6a91211cdaa3195416b27fcb4f8
Status: Downloaded newer image for golang:1.13
 ---> 6a67120df3f4
Step 2/11 : RUN mkdir /workdir
 ---> Running in 8ed9ea51508f
Removing intermediate container 8ed9ea51508f
 ---> 19c4d3431a42
Step 3/11 : WORKDIR /workdir
 ---> Running in f86d1f2b996e
Removing intermediate container f86d1f2b996e
 ---> cf96418519bf
Step 4/11 : COPY . .
 ---> dcf08159894a
Step 5/11 : RUN make build
 ---> Running in 16a102343175
[ ! -d "/workdir/.git/hooks" ] || ln -sf "/workdir/scripts/pre-commit.hook" "/workdir/.git/hooks/pre-commit"
GOPATH="/workdir/vendor:/workdir" /usr/local/go/bin/go get github.com/rogpeppe/godeps
/workdir/scripts/get_continent_map.py src/signaling/continentmap.go
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   222  100   222    0     0    123      0  0:00:01  0:00:01 --:--:--   123
100 49132  100 49132    0     0  16947      0  0:00:02  0:00:02 --:--:-- 49779
GOPATH="/workdir/vendor:/workdir" ./vendor/bin/godeps -u dependencies.tsv
update golang.org/x/sys failed; trying to fetch newer version
update github.com/dlintw/goconf failed; trying to fetch newer version
update github.com/nats-io/nuid failed; trying to fetch newer version
update github.com/gorilla/securecookie failed; trying to fetch newer version
update github.com/mailru/easyjson failed; trying to fetch newer version
update github.com/nats-io/go-nats failed; trying to fetch newer version
update github.com/notedit/janus-go failed; trying to fetch newer version
update github.com/oschwald/maxminddb-golang failed; trying to fetch newer version
update github.com/gorilla/context failed; trying to fetch newer version
update golang.org/x/net failed; trying to fetch newer version
update github.com/gorilla/websocket failed; trying to fetch newer version
update github.com/gorilla/mux failed; trying to fetch newer version
golang.org/x/net now at f01ecb60fe3835d80d9a0b7b2bf24b228c89260e
github.com/notedit/janus-go now at 8e6e2c423c03884d938d84442d37d6f6f5294197
github.com/gorilla/context now at 08b5f424b9271eedf6f9f0ce86cb9396ed337a42
github.com/nats-io/nuid now at 3cf34f9fca4e88afa9da8eabd75e3326c9941b44
github.com/dlintw/goconf now at dcc070983490608a14480e3bf943bad464785df5
github.com/gorilla/securecookie now at e59506cc896acb7f7bf732d4fdf5e25f7ccd8983
github.com/oschwald/maxminddb-golang now at 1960b16a5147df3a4c61ac83b2f31cd8f811d609
github.com/gorilla/websocket now at ea4d1f681babbce9545c9c5f3d5194a789c89f5b
github.com/gorilla/mux now at ac112f7d75a0714af1bd86ab17749b31f7809640
github.com/mailru/easyjson now at 2f5df55504ebc322e4d52d34df6a1f5b503bf26d
github.com/nats-io/go-nats now at d4ca4c8b588d5da9c2ac82d6e445ce4feaba18ba
golang.org/x/sys now at ac767d655b305d4e9612f5f6e33120b9176c4ad4
GOPATH="/workdir/vendor:/workdir" /usr/local/go/bin/go get -d github.com/mailru/easyjson/...
GOPATH="/workdir/vendor:/workdir" /usr/local/go/bin/go build -o ./vendor/bin/easyjson ./vendor/src/github.com/mailru/easyjson/easyjson/main.go
PATH=/usr/local/go/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin GOPATH="/workdir/vendor:/workdir" ./vendor/bin/easyjson -all src/signaling/api_signaling.go
PATH=/usr/local/go/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin GOPATH="/workdir/vendor:/workdir" ./vendor/bin/easyjson -all src/signaling/api_backend.go
PATH=/usr/local/go/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin GOPATH="/workdir/vendor:/workdir" ./vendor/bin/easyjson -all src/signaling/natsclient.go
PATH=/usr/local/go/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin GOPATH="/workdir/vendor:/workdir" ./vendor/bin/easyjson -all src/signaling/room.go
mkdir -p "/workdir/bin"
GOPATH="/workdir/vendor:/workdir" /usr/local/go/bin/go build  -ldflags '-X main.version=079cf7e06458db960baee61e9e8ab44674d7019b' -o "/workdir/bin"/signaling ./src/server/...
Removing intermediate container 16a102343175
 ---> b85e20bb47e8
Step 6/11 : FROM alpine:3.11
 ---> e7d92cdc71fe
Step 7/11 : ENV CONFIG=/config/server.conf
 ---> Running in 7544fd4a0302
Removing intermediate container 7544fd4a0302
 ---> 9ddfeed50b8c
Step 8/11 : RUN apk add --no-cache --no-cache ca-certificates libc6-compat libstdc++
 ---> Running in 1e083b4e4cd3
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/5) Upgrading musl (1.1.24-r0 -> 1.1.24-r2)
(2/5) Installing ca-certificates (20191127-r1)
(3/5) Installing libc6-compat (1.1.24-r2)
(4/5) Installing libgcc (9.2.0-r4)
(5/5) Installing libstdc++ (9.2.0-r4)
Executing busybox-1.31.1-r9.trigger
Executing ca-certificates-20191127-r1.trigger
OK: 8 MiB in 18 packages
Removing intermediate container 1e083b4e4cd3
 ---> 72d13f4abd8c
Step 9/11 : COPY --from=builder /workdir/bin/signaling /usr/local/signaling
 ---> 7e20f3d200ee
Step 10/11 : COPY ./server.conf.in /config/server.conf
 ---> d6779a264b90
Step 11/11 : CMD ["/bin/sh", "-c", "/usr/local/signaling --config=$CONFIG"]
 ---> Running in fc1e2ff58d65
Removing intermediate container fc1e2ff58d65
 ---> 435f6c5674cf
Successfully built 435f6c5674cf

[markuman]

build is fine for me too.

[madmath03]

@markuman & @gary-kim : did you both tried to build it locally or build using DockerHub ?

As mentioned, I just forked the project and pulled this branch into a develop branch (https://github.com/Monogramm/nextcloud-spreed-signaling/tree/develop) and created a dockerhub repository to build it (https://hub.docker.com/repository/docker/monogramm/nextcloud-spreed-signaling):

I'm gonna try adding the docker / docker-compose build to Travis, see if it has the same behavior as Dockerhub

[markuman]

@madmath03 locally and on a vm.

[rgl1234]

Hi @gary-kim
Thanks for fixing....but I have another issue.....I always get unauthorized-messages in coturn-log even though connection is working correctly and signaling in Nextcloud also seems to work correctly....
Do you have an idea?

René

[gary-kim]

That may have been because of using the wrong flags for Coturn which is now fixed or it may be a setup issue.

[rgl1234]

That may have been because of using the wrong flags for Coturn which is now fixed or it may be a setup issue.

Hello @gary-kim
Now I get a new problem during building of spreedbackend:

Successfully built 004a69bccdc7
Successfully tagged nextcloud-spreed-signaling_coturn:latest
Building spreedbackend
Step 1/11 : FROM golang:1.13 AS builder
---> 6a67120df3f4
Step 2/11 : RUN mkdir /workdir
---> Using cache
---> 8c278eb6f85f
Step 3/11 : WORKDIR /workdir
---> Using cache
---> 623ed7a37c16
Step 4/11 : COPY . .
---> Using cache
---> ccb57ce4215c
Step 5/11 : RUN make build
---> Running in 9176edee3108
[ ! -d "/workdir/.git/hooks" ] || ln -sf "/workdir/scripts/pre-commit.hook" "/workdir/.git/hooks/pre-commit"
GOPATH="/workdir/vendor:/workdir" /usr/local/go/bin/go get github.com/rogpeppe/godeps
/workdir/scripts/get_continent_map.py src/signaling/continentmap.go
/usr/bin/env: 'python3': No such file or directory
make: *** [Makefile:56: src/signaling/continentmap.go] Error 127
ERROR: Service 'spreedbackend' failed to build: The command '/bin/sh -c make build' returned a non-zero code: 2

[gary-kim]

Sounds like you're having the same problem as @madmath03. We could just add Python explicitly just in case.

[rgl1234]

Sounds like you're having the same problem as @madmath03. We could just add Python explicitly just in case.

yes, I think too.....where should I add "python" ?

[lnobach]

Hi, cool stuff :)
I have also worked on Docker/docker-compose support in a personal project during the last days (NC backend spawning via cloud-init, https://github.com/lnobach/nctalk-backend-cloud-config/), I haven't noticed your pull request until today.

I recommend these changes to your Dockerfile:

• golang:1.13-alpine instead of golang:1.13
• Drop privileges to non-root instead of running the signaling process as root.

Here is my Dockerfile which successfully builds (and runs):
https://github.com/lnobach/nctalk-backend-cloud-config/blob/master/spreedbackend/Dockerfile
E.g. via Docker Hub autobuild:
https://hub.docker.com/repository/docker/lnobach/spreed-signaling

[gary-kim]

* Drop privileges to non-root instead of running the `signaling` process as root.

Good idea, thanks!

* `golang:1.13-alpine` instead of `golang:1.13`

Since it's just the builder and using the Alpine install would mean installing things like make, I think it'd be better to use the Debian version.

[morph027]

Just noticed janus released version 10.0.0 ;)

[fancycode]

Thanks for your contribution, this looks good.

There are a couple of things that should be changed, but that could be done in future PRs:

• Link against custom-built libsrtp that uses openssl or nss for the crypto (to make use of AES-NI instructions).
• Upgrade Janus to the latest version.
• Load the Janus configuration files from outside the docker.