eduMEET in Docker container

This is the "dockerized" version of eduMEET (successor of the multiparty meeting fork of mediasoup-demo).

Docker hub repository: edumeet

It will set up a production eduMEET instance with or without authentication, and help you set up a development environment.

For further (more generic) information take a look at the eduMEET repository.


Setup guide in a video format can be found here: Watch the video

FAQ is at the bottom of this README.md !

Guides (click to open):

Recommended configuration + introduction

Recommended configuration of VM / server:

|  | Specs |
| --- | --- |
| CPU | typical modern CPU (8 cores) |
| RAM | 8 GB |
| HDD | 100GB |
| network | 1 network adapter (1Gb/s) |
| OS | Ubuntu / Debian |

public IP address (without any NAT)
2 FQDNs assigned (for certificates)

In edumeet-docker components are linked together via the proxy (nginx) docker image.

By default it is using the docker networking hostnames to connect/link components.

Since some components need the hostname / domain name / IP to function it is included in every config and can be changed depending on the use case.

It also makes certificate renewal easy since on a single domain setup you only need to change the cert in the certs folder.

The eduMEET client is the frontend, room-server is the backend, management-server is the authentication backend, management-client is the frontend for authentication-related tasks, and media-node is used for everything media related.

General Architecture

eduMEET docker uses the following endpoints for components:

Architecture

eduMEET can run from a single host

Components can run on a single machine with docker compose or can be separated.

Architecture2

Scaling eduMEET

Media nodes can be selected with GeoIP.

Edumeet-client frontends can run on many different servers.

Management server can host many tenants/domains. The management server database can be clustered.

Keycloak can support a number of Realms.

Architecture3

Installation ⬅ (Without dependencies, edumeet-docker will probably fail!)

Install dependencies

sudo apt install jq ack

Install docker V2

https://docs.docker.com/engine/install/debian/#install-using-the-repository

Optional (add current user to docker group )

sudo groupadd docker
sudo usermod -aG docker $USER

Update, configure, build and run.

Clone repository to your (docker) host, and cd into the folder:

git clone https://github.com/edumeet/edumeet-docker.git
cd edumeet-docker
git checkout <branch>

Update, configure

Step 1:

  • Start the run-me-first.sh script. It will download the newest Dockerfile(s) and config.example.* files from the repository.
./run-me-first.sh

Running run-me-first.sh sets your domain names and your IP in the .env file (you might have to change the IP if it is not your public IP).

SET DOMAIN NAME (edumeet.example.com): yourdomain.com

run-me-first.sh will scan for files containing occurrences of the default example domain/localhost that should be changed:

configs/app/config.js:11:       managementUrl: 'http://localhost:3030',
...

There are automated steps to change the configs:

Do you want to remove tls option from server/config.json (recommended)? [Y/n] y
done

Do you want to set host configuration to domain name from .env file and docker hostname to mgmt in server/config.json (recommended)? [Y/n] y
done

Do you want to set managementUrl to https://edumeet.sth.sze.hu/mgmt from .env file in app/config.js (recommended)? [Y/n] y
done

Do you want to replace edumeet.example.com domain in management-server config files to edumeet.sth.sze.hu in mgmt/default.json (recommended)?[Y/n] y
done

Do you want to update Keycloak dev realm to your domain : edumeet.sth.sze.hu from .env file in kc/dev.json (recommended)? [Y/n] y
done

Do you want to set up edumeet-management-client to https://edumeet.sth.sze.hu/cli from .env file in mgmt-client/config.js (recommended)? [Y/n] y
done

Step 2 (Optional):

Set your desired release branch in the .env file if you wish to run another branch.

Branch names (for example 4.0) should match for client and server side.

Edit docker-compose.yml to select the services that you want.

For example, you may want to separate media node(s) onto different servers, or remove the included pgadmin interface.

Step 3:

NOTE! Certificates are self-signed; for a production service you need to set YOUR signed certificate in the nginx and server configuration files.

Certificates are now generated with Let's Encrypt by default by running gen_cert.sh.

Default certificates for applications that are behind the proxy but still require one to start are in edumeet-docker/certs/

Default cert files: edumeet-demo-cert.pem and edumeet-demo-key.pem

If the cert names change you should update them in .env:

KC_HTTPS_CERTIFICATE_FILE, KC_HTTPS_CERTIFICATE_KEY_FILE

and

MN_EXTRA_PARAMS='--cert ./certs/edumeet-demo-cert.pem --key ./certs/edumeet-demo-key.pem'

For the proxy, certs can be changed in the nginx proxy file configs/proxy/nginx.conf.template:

  server_name  edumeet.example.com; 
  ssl_certificate     /etc/edumeet/edumeet-demo-cert.pem;
  ssl_certificate_key /etc/edumeet/edumeet-demo-key.pem; 

Step 4 Run:

Run with docker compose

  $ sudo docker compose up --detach

*without the detach option you will see the logs

To build:

  1. Change TAG in .env file to your desired name.
  2. In the .env file, set BRANCH to your desired branch.
  3. Build and run:
  $ sudo docker compose build
  $ sudo docker compose up -d
Authentication (optional)

Initial setup after first run

Supported types: OIDC, SAML, Local DB (KeyCloak)

  • Authentication is optional, but if you want to enable it, you should remove the defaultroom parameters from config.json at configs/server/ and follow these steps:
  1. Visit yourdomain/kc/ and set up your Keycloak instance. By default there is a dev configuration according to https://github.com/edumeet/edumeet-management-server/wiki/Keycloak-setup-(OAuth-openid-connect)

By default there is one test user in dev realm :

  • Username: edumeet
  • Password: edumeet
  1. Visit yourdomain/cli/ and set up your management server config
    • add a tenant
    • add a tenant fqdn / domain
    • add authentication

auth

  • Credential is located in keycloak admin console/ / clients / / credentials
  • Credential is not generated for default dev.json, change it in KeyCloak
  1. Logout
  2. Visit your domain (Login)
  3. Visit yourdomain/cli/ and as the logged in user create a room ( You will be assigned as a room owner and gain all permissions after login, but you can also set permissions for other users too. )
  4. Join the room
  • For auth you can use any OpenID compatible backend. Keycloak is recommended for testing, for integrating with common third-party auth sources, and for deployments without a central authentication (local users).
  • For federated login with discovery we recommend using SATOSA.
  • For SATOSA, client_secret_basic auth for the mgmt service has to be added to the oauth tenant auth methods:

  ...
  "dynamic": [ "key", "secret", "authorize_url", "access_url", "profile_url", "scope_delimiter", "scope", "redirect_uri" ],
  "token_endpoint_auth_method": "client_secret_basic"
  }

In SATOSA the redirect URI should be: https://edumeet.example.com/mgmt/oauth/tenant/callback

Firewall ports and recommendations

Default ports for firewall setting

| Port | Protocol | Description | Network | Path | Firewall advice |
| --- | --- | --- | --- | --- | --- |
| 80 | tcp | edumeet-client webserver (redirect to 443) | host network | / | |
| 443 | tcp | edumeet-client https webserver and signaling proxy | host network | / | |
| 3000 | | edumeet-media-node port | host network | - | should be limited so only the room-server can access it |
| 3479 | | coturn port | host network | - | |
| 40000-49999 | tcp/udp | edumeet-media-node ports | host network | - | |
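
One way to turn the port table into ufw rules and to check that port 3000 stays limited to the room-server, relevant to the ufw entry in the FAQ as well. This is an added example, not part of edumeet-docker; the source subnet and the `ufw status` excerpt are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of edumeet-docker.
# Assumption: the room-server reaches the media-node from one known source
# address or CIDR (for instance a Docker bridge subnet), passed as $1.

# Print ufw commands for the port table above; nothing is applied.
# Ports without a protocol in the table are opened without one.
edumeet_ufw_rules() {
  local src="$1"
  case "$src" in
    ""|any|Anywhere|0.0.0.0/0|::/0)
      echo "refusing: port 3000 needs a specific room-server source" >&2
      return 1 ;;
  esac
  printf '%s\n' \
    "ufw allow 80/tcp" \
    "ufw allow 443/tcp" \
    "ufw allow from $src to any port 3000" \
    "ufw allow 3479" \
    "ufw allow 40000:49999/tcp" \
    "ufw allow 40000:49999/udp"
}

# Read `ufw status` text on stdin and report how port 3000 is exposed.
# Exit 0: limited to listed sources, 1: open to Anywhere, 2: no rule found.
# Only rules written for port 3000 itself are checked, not wider ranges.
audit_media_port() {
  awk '
    $1 ~ /^3000(\/(tcp|udp))?$/ {
      for (i = 2; i < NF; i++) if ($i == "ALLOW") {
        seen = 1
        if ($(i + 1) == "Anywhere") wide = 1
      }
    }
    END {
      if (wide)  { print "FAIL: 3000 reachable from Anywhere"; exit 1 }
      if (!seen) { print "WARN: no ALLOW rule for 3000"; exit 2 }
      print "OK: 3000 limited to listed sources"
    }'
}

# Constructed sample: a subnet and a matching `ufw status` excerpt.
edumeet_ufw_rules "172.18.0.0/16"
audit_media_port <<'EOF'
3000                       ALLOW       172.18.0.0/16
40000:49999/udp            ALLOW       Anywhere
EOF
```

Review the printed commands before running them as root, and feed `sudo ufw status` to `audit_media_port` after any firewall change.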

Network

Development

eduMEET development usually happens in 2 ways:

  • Running components manually
  • Running edumeet-docker with components linked into the docker container or passed to the proxy.

*Without valid certs you have to allow localhost/local ip to work without certs in the browser.

Dev

Docker networking

edumeet-media-node container works in "host" network mode, because bridge mode has the following issue: "Docker hangs when attempting to bind a large number of ports"

FAQ

Q: I get "Cannot find module" errors regarding config files

A: You are probably having a relative path issue with docker. Check that you are in the correct directory (the edumeet-docker folder).


Q: Docker-compose started, but some components are restarting.

A: You are probably having a config or permission problem. Try starting with "docker compose" without the detach parameter to see logs.

Or alternatively with:

docker logs -f <edumeet_container_name>

In the .env file there are a few log variables:

SERVER_DEBUG=

MGMT_DEBUG=

MGMT_CLIENT_DEBUG=

MN_DEBUG=

Changing them to * will provide extended logs that can help debugging problems.


Q: KeyCloak won't start

A: KeyCloak is sensitive to permission settings on cert files. Please check


Q: I get network conflicts with docker

A: You are most likely running an old version of docker that doesn't handle links between containers.


Q: I get network problems with room-server and media node within docker when using ufw

A: ufw by default blocks incoming traffic, and thinks that the media control port is being accessed from outside of the network. A firewall can also cause issues with internal communication between components.