diff --git a/conf/dialplan_public/.gitkeep b/.cache/go-build/.gitkeep similarity index 100% rename from conf/dialplan_public/.gitkeep rename to .cache/go-build/.gitkeep diff --git a/.cache/go/.gitkeep b/.cache/go/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/.cache/meteor/.gitkeep b/.cache/meteor/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/.cache/npm/.gitkeep b/.cache/npm/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/.gitignore b/.gitignore index aec982e5..ef811d5b 100644 --- a/.gitignore +++ b/.gitignore @@ -14,5 +14,13 @@ docker-compose.override.yml # App generated .env +.env.bak postgres-data -greenlight-data \ No newline at end of file +greenlight-data + +.cache/*/** +!.cache/*/.gitkeep +data/* +!data/.gitkeep + +conf/bbb-html5.yml \ No newline at end of file diff --git a/.gitmodules b/.gitmodules index 9065c088..5a8521fd 100644 --- a/.gitmodules +++ b/.gitmodules @@ -22,3 +22,6 @@ [submodule "repos/bbb-pads"] path = repos/bbb-pads url = https://github.com/bigbluebutton/bbb-pads.git +[submodule "repos/bbb-webrtc-recorder"] + path = repos/bbb-webrtc-recorder + url = https://github.com/bigbluebutton/bbb-webrtc-recorder.git diff --git a/README.md b/README.md index e8ad7bb8..385d90c6 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ bbb-docker-banner -# 📦 BigBlueButton 2.7 Docker +# 📦 BigBlueButton 3.0 Docker -Version: 2.7.3 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigbluebutton/docker/issues) | [Upgrading](docs/upgrading.md) | [Development](docs/development.md) +Version: 3.0.0-beta.5 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigbluebutton/docker/issues) | [Upgrading](docs/upgrading.md) | [Development](docs/development.md) ## Features - Easy installation @@ -18,9 +18,7 @@ Version: 2.7.3 | [Changelog](CHANGELOG.md) | [Issues](https://github.com/bigblue - Linux (it will not work under Windows/WSL) - Root access (bbb-docker uses host networking, so it won't work with Kubernetes, any "CaaS"-Service, etc.) - Public IPv4 (expect issues with a firewall / NAT) - -## What is not implemented yet -- bbb-lti +- firewall allows internal networking (e.g. for ufw: `ufw allow 10.7.7.0/24`) ## Install 1. Ensure the requirements above are fulfilled (it really doesn't work without them) diff --git a/conf/dialplan_public/example.xml b/conf/dialplan_public/example.xml deleted file mode 100644 index a7b74298..00000000 --- a/conf/dialplan_public/example.xml +++ /dev/null @@ -1,17 +0,0 @@ - diff --git a/data/.gitkeep b/data/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/dev.env b/dev.env new file mode 100644 index 00000000..58fb4ae0 --- /dev/null +++ b/dev.env @@ -0,0 +1,170 @@ +# fixed environment for an working dev setup + +# enables +# - html5: webpack dev server +# - bbb-grahql-actions: watch & restart +# - bbb-graphql-middleware: building on start +DEV_MODE=true + +# accept self signed certificates +IGNORE_TLS_CERT_ERRORS=true + +# user and group used for +# this avoid any file permission issues with files +# created inside docker (e.g. node_modules) +BBB_DEV_UID=1000 +BBB_DEV_GID=1000 + + +# ==================================== +# ADDITIONS to BigBlueButton +# ==================================== +# (place a '#' before to disable them) + +# HTTPS Proxy +# fully automated Lets Encrypt certificates +ENABLE_HTTPS_PROXY=true +# If your network doesn't allow access to DNS at 8.8.8.8 specify your own resolvers +#RESOLVER_ADDRESS=x.x.x.x + +# Greenlight Frontend +# https://docs.bigbluebutton.org/greenlight/gl-overview.html +ENABLE_GREENLIGHT=true + +# Enable Webhooks +# used by some integrations +ENABLE_WEBHOOKS=true + +# Prometheus Exporter +# serves the bigbluebutton-exporter under following URL: +# https://yourdomain/bbb-exporter +ENABLE_PROMETHEUS_EXPORTER=true +#ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION=true + +# Recording +# IMPORTANT: this is currently a big privacy issues, because it will +# record everything which happens in the conference, even when the button +# suggets, that it does not. +# https://github.com/bigbluebutton/bigbluebutton/issues/9202 +# make sure that you get peoples consent, before they join a room +ENABLE_RECORDING=true +#REMOVE_OLD_RECORDING=false +#RECORDING_MAX_AGE_DAYS=14 + +# ==================================== +# SECRETS +# ==================================== +# important! change these to any random values +SHARED_SECRET=SuperSecret +ETHERPAD_API_KEY=SuperEtherpadKey +RAILS_SECRET=SuperRailsSecret_SuperRailsSecret +POSTGRESQL_SECRET=SuperPostgresSecret +FSESL_PASSWORD=SuperFreeswitchESLPassword +#TURN_SECRET= + + +# ==================================== +# CONNECTION +# ==================================== + +DOMAIN=10.7.7.1 + +EXTERNAL_IPv4=10.7.7.1 +EXTERNAL_IPv6= + +# STUN SERVER +# stun.freeswitch.org +STUN_IP=147.182.188.245 +STUN_PORT=3478 + +# Allowed SIP IPs +# due to high traffic caused by bots, by default the SIP port is blocked. +# but you can allow access by your providers IP or IP ranges (comma seperated) +# Hint: if you want to allow requests from every IP, you can use 0.0.0.0/0 +SIP_IP_ALLOWLIST=0.0.0.0/0 + + +# ==================================== +# CUSTOMIZATION +# ==================================== + +# use following lines to replace the default welcome message and footer +WELCOME_MESSAGE="Welcome to %%CONFNAME%%!

For help on using BigBlueButton see these (short) tutorial videos.

To join the audio bridge click the speaker button. Use a headset to avoid causing background noise for others." +WELCOME_FOOTER="This server is running BigBlueButton." + +# use following line for an additional SIP dial-in message +#WELCOME_FOOTER="This server is running BigBlueButton.

To join this meeting by phone, dial:
INSERT_YOUR_PHONE_NUMBER_HERE
Then enter %%CONFNUM%% as the conference PIN number." + +# for a different default presentation, place the pdf file in ./conf/ and +# adjust the following path +DEFAULT_PRESENTATION=./mod/nginx/default.pdf + +# language of sound announcements +# options: +# - en-ca-june - EN Canadian June +# - en-us-allison - US English Allison +# - en-us-callie - US English Callie (default) +# - de-de-daedalus3 - German by Daedalus3 (https://github.com/Daedalus3/freeswitch-german-soundfiles) +# - es-ar-mario - Spanish/Argentina Mario +# - fr-ca-june - FR Canadian June +# - pt-br-karina - Brazilian Portuguese Karina +# - ru-RU-elena - RU Russian Elena +# - ru-RU-kirill - RU Russian Kirill +# - ru-RU-vika - RU Russian Viktoriya +# - sv-se-jakob - Swedish (Sweden) Jakob +# - zh-cn-sinmei - Chinese/China Sinmei +# - zh-hk-sinmei - Chinese/Hong Kong Sinmei +SOUNDS_LANGUAGE=en-us-callie + +# set to true to disable announcements "You are now (un-)muted" +DISABLE_SOUND_MUTED=false + +# set to true to disable announcement "You are the only person in this conference" +DISABLE_SOUND_ALONE=false + +# set to false to disable the learning dashboard +ENABLE_LEARNING_DASHBOARD=true + +# ==================================== +# GREENLIGHT CONFIGURATION +# ==================================== + +### SMTP CONFIGURATION +# Emails are required for the basic features of Greenlight to function. +# Please refer to your SMTP provider to get the values for the variables below +#SMTP_SENDER_EMAIL= +#SMTP_SENDER_NAME= +#SMTP_SERVER= +#SMTP_PORT= +#SMTP_DOMAIN= +#SMTP_USERNAME= +#SMTP_PASSWORD= +#SMTP_AUTH= +#SMTP_STARTTLS_AUTO=true +#SMTP_STARTTLS=false +#SMTP_TLS=false +#SMTP_SSL_VERIFY=true + +### EXTERNAL AUTHENTICATION METHODS +# +#OPENID_CONNECT_CLIENT_ID= +#OPENID_CONNECT_CLIENT_SECRET= +#OPENID_CONNECT_ISSUER= +#OPENID_CONNECT_REDIRECT= + +# To enable hCaptcha on the user sign up and sign in, define these 2 keys +#HCAPTCHA_SITE_KEY= +#HCAPTCHA_SECRET_KEY= + +# Set these if you are using a Simple Storage Service (S3) +# Uncomment S3_ENDPOINT only if you are using a S3 OTHER than Amazon Web Service (AWS) S3. +#S3_ACCESS_KEY_ID= +#S3_SECRET_ACCESS_KEY= +#S3_REGION= +#S3_BUCKET= +#S3_ENDPOINT= + +# Define the default locale language code (i.e. 'en' for English) from the fallowing list: +# [en, ar, fr, es] +#DEFAULT_LOCALE=en + diff --git a/docker-compose.tmpl.yml b/docker-compose.tmpl.yml index aef1b682..a00c34fe 100644 --- a/docker-compose.tmpl.yml +++ b/docker-compose.tmpl.yml @@ -3,46 +3,23 @@ # don't edit this directly. {{/* -------- */}} -version: '3.6' - -# html5 templates -x-html5-backend: &html5backend - build: - context: mod/html5 - additional_contexts: - - source=./repos/bigbluebutton/bigbluebutton-html5 - args: - BBB_BUILD_TAG: bbb27-2023-06-13-java17 - TAG_BBB: {{ .Env.TAG_BBB }} - image: alangecker/bbb-docker-html5:{{ .Env.TAG_BBB }} - restart: unless-stopped - depends_on: - - redis - - mongodb - - etherpad - environment: &html5backend-env - DOMAIN: ${DOMAIN} - CLIENT_TITLE: ${CLIENT_TITLE} - LISTEN_ONLY_MODE: ${LISTEN_ONLY_MODE:-true} - DISABLE_ECHO_TEST: ${DISABLE_ECHO_TEST:-false} - AUTO_SHARE_WEBCAM: ${AUTO_SHARE_WEBCAM:-false} - DISABLE_VIDEO_PREVIEW: ${DISABLE_VIDEO_PREVIEW:-false} - CHAT_ENABLED: ${CHAT_ENABLED:-true} - CHAT_START_CLOSED: ${CHAT_START_CLOSED:-false} - BREAKOUTROOM_LIMIT: ${BREAKOUTROOM_LIMIT:-8} - DEV_MODE: ${DEV_MODE:-} - BBB_HTML5_ROLE: backend - -x-html5-frontend: &html5frontend - <<: *html5backend - volumes: - - html5-static:/html5-static:rw - environment: &html5frontend-env - <<: *html5backend-env - BBB_HTML5_ROLE: frontend -# ========================= +{{ $ignore_tls_cert_errors := or (isTrue .Env.DEV_MODE) (isTrue .Env.IGNORE_TLS_CERT_ERRORS)}} services: + {{ if isTrue .Env.DEV_MODE }} + html5-dev: + build: + context: mod/html5-dev + args: + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} + user: ${BBB_DEV_UID}:${BBB_DEV_GID} + restart: unless-stopped + volumes: + - ./repos/bigbluebutton/bigbluebutton-html5:/app/:rw + - ./.cache/npm:/tmp/.npm:rw + network_mode: host + {{ end }} + bbb-web: build: context: mod/bbb-web @@ -51,61 +28,38 @@ services: - src-common-message=./repos/bigbluebutton/bbb-common-message - src-common-web=./repos/bigbluebutton/bbb-common-web args: - BBB_BUILD_TAG: bbb27-2023-06-13-java17 + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} image: alangecker/bbb-docker-web:{{ .Env.TAG_BBB }} restart: unless-stopped depends_on: - redis - etherpad - bbb-pads + - collabora healthcheck: test: wget --no-proxy --no-verbose --tries=1 --spider http://10.7.7.2:8090/bigbluebutton/api || exit 1 start_period: 2m environment: - DEV_MODE: ${DEV_MODE:-} + IGNORE_TLS_CERT_ERRORS: {{ $ignore_tls_cert_errors }} DOMAIN: ${DOMAIN} ENABLE_RECORDING: ${ENABLE_RECORDING:-false} SHARED_SECRET: ${SHARED_SECRET} WELCOME_MESSAGE: ${WELCOME_MESSAGE:-} WELCOME_FOOTER: ${WELCOME_FOOTER} STUN_SERVER: stun:${STUN_IP}:${STUN_PORT} - TURN_SERVER: ${TURN_SERVER:-} + ENABLE_HTTPS_PROXY: ${ENABLE_HTTPS_PROXY:-false} TURN_SECRET: ${TURN_SECRET:-} + TURN_EXT_SERVER: ${TURN_EXT_SERVER:-} + TURN_EXT_SECRET: ${TURN_EXT_SECRET:-} ENABLE_LEARNING_DASHBOARD: ${ENABLE_LEARNING_DASHBOARD:-true} - NUMBER_OF_BACKEND_NODEJS_PROCESSES: {{ .Env.NUMBER_OF_BACKEND_NODEJS_PROCESSES }} volumes: - - bigbluebutton:/var/bigbluebutton - - vol-freeswitch:/var/freeswitch/meetings + - ./data/bigbluebutton:/var/bigbluebutton + - ./data/freeswitch-meetings:/var/freeswitch/meetings networks: bbb-net: ipv4_address: 10.7.7.2 -{{ range $i := loop 0 (atoi .Env.NUMBER_OF_BACKEND_NODEJS_PROCESSES) }} - html5-backend-{{ add $i 1 }}: - <<: *html5backend - environment: - <<: *html5backend-env - INSTANCE_ID: {{ add $i 1 }} - PORT: {{ add 4000 $i }} - networks: - bbb-net: - ipv4_address: 10.7.7.{{ add 100 $i }} -{{end}} - -{{ range $i := loop 0 (atoi .Env.NUMBER_OF_FRONTEND_NODEJS_PROCESSES) }} - html5-frontend-{{ add $i 1 }}: - <<: *html5frontend - environment: - <<: *html5frontend-env - INSTANCE_ID: {{ add $i 1 }} - PORT: {{ add 4100 $i }} - networks: - bbb-net: - ipv4_address: 10.7.7.{{ add 200 $i }} -{{end}} - - freeswitch: container_name: bbb-freeswitch build: @@ -115,7 +69,7 @@ services: - build-files=./repos/bigbluebutton/build/packages-template/bbb-freeswitch-core/ - fs-config=./repos/bigbluebutton/bbb-voice-conference/config/freeswitch/conf/ args: - BBB_BUILD_TAG: bbb27-2023-06-13-java17 + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} image: alangecker/bbb-docker-freeswitch:{{ .Env.TAG_FREESWITCH }}-{{ .Env.TAG_BBB }} restart: unless-stopped cap_add: @@ -134,11 +88,16 @@ services: DISABLE_SOUND_ALONE: ${DISABLE_SOUND_ALONE:-false} SOUNDS_LANGUAGE: ${SOUNDS_LANGUAGE:-en-us-callie} ESL_PASSWORD: ${FSESL_PASSWORD:-ClueCon} + {{ if .Env.SIP_IP_ALLOWLIST }} + ports: + - 5060:5060/udp + {{ end }} volumes: - - ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external - - ./conf/dialplan_public:/etc/freeswitch/dialplan/public_docker - - vol-freeswitch:/var/freeswitch/meetings - network_mode: host + - ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external-dialin + - ./data/freeswitch-meetings:/var/freeswitch/meetings + networks: + bbb-net: + ipv4_address: 10.7.7.10 logging: # reduce logs to a minimum, so `docker compose logs -f` still works driver: "local" @@ -153,26 +112,31 @@ services: additional_contexts: - src-learning-dashboard=./repos/bigbluebutton/bbb-learning-dashboard - src-playback=./repos/bbb-playback + - src-html5=./repos/bigbluebutton/bigbluebutton-html5 args: - BBB_BUILD_TAG: bbb27-2023-06-13-java17 - image: alangecker/bbb-docker-nginx:1.23-{{ .Env.TAG_PLAYBACK }}-{{ .Env.TAG_BBB }} + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} + TAG_BBB: {{ .Env.TAG_BBB }} + image: alangecker/bbb-docker-nginx:{{ .Env.TAG_BBB }}-{{ .Env.TAG_PLAYBACK }}-1.25 restart: unless-stopped - depends_on: - - etherpad - - webrtc-sfu - - html5-backend-1 volumes: - - bigbluebutton:/var/bigbluebutton - - html5-static:/html5-static:ro + - ./data/bigbluebutton:/var/bigbluebutton - ${DEFAULT_PRESENTATION:-/dev/null}:/www/default.pdf + + {{ if isTrue .Env.DEV_MODE }} + # overwrite html5 config + - ./mod/nginx/bbb-html5.dev.nginx:/etc/nginx/bbb/bbb-html5.nginx:ro + {{ end }} + tmpfs: + - /tmp network_mode: host extra_hosts: - "host.docker.internal:10.7.7.1" - "bbb-web:10.7.7.2" - "etherpad:10.7.7.4" - "webrtc-sfu:10.7.7.1" - - "html5:10.7.7.11" - "greenlight:10.7.7.21" + - "bbb-graphql-server:10.7.7.31" + - "bbb-graphql-middleware:10.7.7.32" etherpad: build: @@ -181,11 +145,12 @@ services: - plugin=./repos/bbb-etherpad-plugin - skin=./repos/bbb-etherpad-skin args: - TAG_ETHERPAD: "1.9.1" - image: alangecker/bbb-docker-etherpad:1.9.1-s{{ .Env.COMMIT_ETHERPAD_SKIN }}-p{{ .Env.COMMIT_ETHERPAD_PLUGIN }} + TAG_ETHERPAD: "2.2.6" + image: alangecker/bbb-docker-etherpad:2.2.6-s{{ .Env.COMMIT_ETHERPAD_SKIN }}-p{{ .Env.COMMIT_ETHERPAD_PLUGIN }} restart: unless-stopped depends_on: - redis + - collabora environment: ETHERPAD_API_KEY: ${ETHERPAD_API_KEY} networks: @@ -208,6 +173,27 @@ services: bbb-net: ipv4_address: 10.7.7.18 + bbb-export-annotations: + build: + context: mod/bbb-export-annotations + additional_contexts: + bigbluebutton: ./repos/bigbluebutton + image: alangecker/bbb-docker-bbb-export-annotations:v2.7.0 + restart: unless-stopped + depends_on: + - redis + - etherpad + - bbb-pads + networks: + # need connections to: + # https://github.com/bigbluebutton/bigbluebutton/blob/v2.7.0/bbb-export-annotations/config/settings.json + # "bbbWebAPI": "http://127.0.0.1:8090", -> bbb-web + # "bbbPadsAPI": "http://127.0.0.1:9002", -> bbb-pads + bbb-net: + ipv4_address: 10.7.7.19 + volumes: + - ./data/bigbluebutton:/var/bigbluebutton + redis: image: redis:7.2-alpine restart: unless-stopped @@ -220,66 +206,34 @@ services: bbb-net: ipv4_address: 10.7.7.5 - mongodb: - container_name: bbb-mongodb - image: mongo:4.4 - restart: unless-stopped - volumes: - - ./mod/mongo/mongod.conf:/etc/mongod.conf - - ./mod/mongo/init-replica.sh:/docker-entrypoint-initdb.d/init-replica.sh - tmpfs: - - /data/configdb - - /data/db - command: mongod --config /etc/mongod.conf --oplogSize 8 --replSet rs0 --noauth - healthcheck: - test: bash -c "if mongo --eval 'quit(db.runCommand({ ping':' 1 }).ok ? 0 ':' 2)'; then exit 0; fi; exit 1;" - networks: - bbb-net: - ipv4_address: 10.7.7.6 - - # TODO: remove as soon as not required anymore by webrtc-sfu - kurento: - image: kurento/kurento-media-server:6.18 - restart: unless-stopped - network_mode: host - volumes: - - vol-kurento:/var/kurento - webrtc-sfu: build: context: mod/webrtc-sfu additional_contexts: - source=./repos/bbb-webrtc-sfu args: - BBB_BUILD_TAG: bbb27-2023-06-13-java17 + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} image: alangecker/bbb-docker-webrtc-sfu:{{ .Env.TAG_WEBRTC_SFU }} restart: unless-stopped depends_on: - redis - freeswitch - - kurento environment: - CLIENT_HOST: 10.7.7.1 - REDIS_HOST: 10.7.7.5 - FREESWITCH_IP: 10.7.7.1 - FREESWITCH_SIP_IP: ${EXTERNAL_IPv4} - MCS_HOST: 0.0.0.0 - MCS_ADDRESS: 127.0.0.1 - ESL_IP: 10.7.7.1 ESL_PASSWORD: ${FSESL_PASSWORD:-ClueCon} - # TODO: add mediasoup IPv6 - # TODO: can listen to 0.0.0.0 for nat support? https://github.com/versatica/mediasoup/issues/487 - {{ if .Env.EXTERNAL_IPv6 }} - MS_WEBRTC_LISTEN_IPS: '[{"ip":"{{ .Env.EXTERNAL_IPv6 }}", "announcedIp":"{{ .Env.EXTERNAL_IPv6 }}"}, {"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]' - {{else}} + {{ if .Env.EXTERNAL_IPv6 }} + MS_WEBRTC_LISTEN_IPS: '[{"ip":"::", "announcedIp":"${EXTERNAL_IPv6}"}, {"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]' + {{else}} MS_WEBRTC_LISTEN_IPS: '[{"ip":"${EXTERNAL_IPv4}", "announcedIp":"${EXTERNAL_IPv4}"}]' - {{end}} - MS_RTP_LISTEN_IP: '{"ip":"0.0.0.0", "announcedIp":"${EXTERNAL_IPv4}"}' + {{end}} volumes: - - vol-mediasoup:/var/mediasoup + - ./data/mediasoup:/var/mediasoup tmpfs: - /var/log/bbb-webrtc-sfu network_mode: host + security_opt: + - seccomp:unconfined # allow io_uring access for mediasoup + ulimits: + memlock: -1 # allow io_uring_register_buffers to allocate enough ram fsesl-akka: build: @@ -289,7 +243,7 @@ services: - src-fsesl-client=./repos/bigbluebutton/bbb-fsesl-client - src-fsesl-akka=./repos/bigbluebutton/akka-bbb-fsesl args: - BBB_BUILD_TAG: bbb27-2023-06-13-java17 + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} image: alangecker/bbb-docker-fsesl-akka:{{ .Env.TAG_BBB }} restart: unless-stopped depends_on: @@ -307,47 +261,126 @@ services: additional_contexts: - src-common-message=./repos/bigbluebutton/bbb-common-message - src-apps-akka=./repos/bigbluebutton/akka-bbb-apps + - src-config=./repos/bigbluebutton/bigbluebutton-html5/private/config/ args: - BBB_BUILD_TAG: bbb27-2023-06-13-java17 + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} + TAG_BBB: {{ .Env.TAG_BBB }} image: alangecker/bbb-docker-apps-akka:{{ .Env.TAG_BBB }} restart: unless-stopped depends_on: - redis + - postgres environment: DOMAIN: ${DOMAIN} SHARED_SECRET: ${SHARED_SECRET} + POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password} volumes: - - vol-freeswitch:/var/freeswitch/meetings + - ./data/freeswitch-meetings:/var/freeswitch/meetings + - ./conf/bbb-html5.yml:/etc/bigbluebutton/bbb-html5.yml:ro networks: bbb-net: ipv4_address: 10.7.7.15 - jodconverter: - build: mod/jodconverter - image: alangecker/bbb-docker-jodconverter:latest - security_opt: - - 'no-new-privileges:true' + bbb-graphql-server: + build: + context: mod/bbb-graphql-server + additional_contexts: + - src=./repos/bigbluebutton/bbb-graphql-server + args: + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} + GRAPHQL_ENGINE_TAG: v2.44.0 + depends_on: + - postgres + - bbb-web + - apps-akka + - bbb-graphql-actions + restart: unless-stopped + environment: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password} + HASURA_GRAPHQL_ADMIN_SECRET: TODO_CHANGE_ME + networks: + bbb-net: + ipv4_address: 10.7.7.31 + + + bbb-graphql-actions: + build: + context: mod/bbb-graphql-actions + {{ if isTrue .Env.DEV_MODE }} + dockerfile: Dockerfile.dev + {{ else }} + additional_contexts: + - src=./repos/bigbluebutton/bbb-graphql-actions + {{ end }} + args: + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} + restart: unless-stopped + depends_on: + - redis + - apps-akka + networks: + bbb-net: + ipv4_address: 10.7.7.30 + {{ if isTrue .Env.DEV_MODE }} + volumes: + - ./repos/bigbluebutton/bbb-graphql-actions:/app/:rw + - ./.cache/npm:/tmp/.npm:rw + {{ end }} + + bbb-graphql-middleware: + build: + context: mod/bbb-graphql-middleware + {{ if isTrue .Env.DEV_MODE }} + dockerfile: Dockerfile.dev + {{ else }} + additional_contexts: + - src=./repos/bigbluebutton/bbb-graphql-middleware + {{ end }} + args: + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} + restart: unless-stopped + depends_on: + - bbb-graphql-server + - bbb-graphql-actions + - bbb-web + - redis + networks: + bbb-net: + ipv4_address: 10.7.7.32 + + {{ if isTrue .Env.DEV_MODE }} + user: ${BBB_DEV_UID}:${BBB_DEV_GID} + volumes: + - ./repos/bigbluebutton/bbb-graphql-middleware:/app/:ro + - ./repos/bigbluebutton/bbb-graphql-middleware/config/config.yml:/usr/share/bbb-graphql-middleware/config.yml:ro + - ./mod/bbb-graphql-middleware/config.yml:/etc/bigbluebutton/bbb-graphql-middleware.yml:ro + - ./.cache/go:/gopath:rw + - ./.cache/go-build:/.cache/go-build:rw + {{ end }} + + collabora: + image: collabora/code:latest restart: unless-stopped tmpfs: - /tmp - deploy: - resources: - limits: - memory: 512M networks: bbb-net: ipv4_address: 10.7.7.20 + # disable logging (way to verbose) + logging: + driver: none + periodic: build: mod/periodic image: alangecker/bbb-docker-periodic:v2.7.0 restart: unless-stopped - depends_on: - - mongodb + volumes: - /var/run/docker.sock:/var/run/docker.sock - - bigbluebutton:/var/bigbluebutton - - vol-mediasoup:/var/mediasoup + - ./data/bigbluebutton:/var/bigbluebutton + - ./data/mediasoup:/var/mediasoup tmpfs: - /var/log/bigbluebutton environment: @@ -368,8 +401,8 @@ services: - presentation=./repos/bigbluebutton/record-and-playback/presentation - bbb-conf=./repos/bigbluebutton/bigbluebutton-config args: - BBB_BUILD_TAG: bbb27-2023-06-13-java17 - TAG_BBB_PRESENTATION_VIDEO: "4.0.3" + BBB_BUILD_TAG: {{ .Env.BBB_BUILD_TAG }} + TAG_BBB_PRESENTATION_VIDEO: "5.0.0-beta.2" image: alangecker/bbb-docker-recordings:{{ .Env.TAG_BBB }} restart: unless-stopped depends_on: @@ -379,16 +412,32 @@ services: DOMAIN: ${DOMAIN} SHARED_SECRET: ${SHARED_SECRET} volumes: - - bigbluebutton:/var/bigbluebutton - - vol-freeswitch:/var/freeswitch/meetings - - vol-mediasoup:/var/mediasoup - - vol-kurento:/var/kurento + - ./data/bigbluebutton:/var/bigbluebutton + - ./data/freeswitch-meetings:/var/freeswitch/meetings + - ./data/mediasoup:/var/mediasoup + - ./data/bbb-webrtc-recorder:/var/lib/bbb-webrtc-recorder tmpfs: - /var/log/bigbluebutton - /tmp networks: bbb-net: ipv4_address: 10.7.7.16 + + bbb-webrtc-recorder: + build: + context: mod/bbb-webrtc-recorder + additional_contexts: + - src=./repos/bbb-webrtc-recorder + image: alangecker/bbb-docker-webrtc-recorder:{{ .Env.TAG_WEBRTC_RECORDER }} + depends_on: + - redis + volumes: + - ./data/bbb-webrtc-recorder:/var/lib/bbb-webrtc-recorder + # WebRTC connection to bbb-webrtc-sfu seem to + # only to work via the external IP + network_mode: host + extra_hosts: + - "redis:10.7.7.5" {{end}} {{ if isTrue .Env.ENABLE_WEBHOOKS }} @@ -411,32 +460,21 @@ services: {{end}} {{ if isTrue .Env.ENABLE_HTTPS_PROXY }} - # https - https_proxy: - image: valian/docker-nginx-auto-ssl - restart: unless-stopped + + haproxy: + build: mod/haproxy + image: alangecker/bbb-haproxy:2.8.10 volumes: - - ssl_data:/etc/resty-auto-ssl - {{ if .Env.EXTERNAL_IPv6 }} - - ./mod/https/site.conf:/etc/nginx/conf.d/bbb-docker.conf - {{else}} - - ./mod/https/site-ipv4only.conf:/etc/nginx/conf.d/bbb-docker.conf - {{end}} - {{ if isTrue .Env.DEV_MODE }} - # allow bbb api access without https - - ./mod/https/force-https.conf:/usr/local/openresty/nginx/conf/force-https.conf - {{end}} + - ./data/haproxy/letsencrypt:/etc/letsencrypt + - ./mod/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg + - ./mod/haproxy/protocolmap:/etc/haproxy/protocolmap environment: - {{ if isTrue .Env.DEV_MODE }} - ALLOWED_DOMAINS: "" - {{else}} - ALLOWED_DOMAINS: ${DOMAIN} - {{end}} - RESOLVER_ADDRESS: ${RESOLVER_ADDRESS:-9.9.9.9} + - IGNORE_TLS_CERT_ERRORS={{$ignore_tls_cert_errors}} + - CERT1=${DOMAIN} + - EMAIL=${LETSENCRYPT_EMAIL} network_mode: host {{end}} -{{ if isTrue .Env.ENABLE_COTURN }} # coturn coturn: image: coturn/coturn:4.6-alpine @@ -445,26 +483,18 @@ services: - "--external-ip=${EXTERNAL_IPv4}/${EXTERNAL_IPv4}" - "--external-ip=${EXTERNAL_IPv6:-::1}/${EXTERNAL_IPv6:-::1}" - "--static-auth-secret=${TURN_SECRET}" + - "--allowed-peer-ip=${EXTERNAL_IPv4}" + - "--relay-ip=${EXTERNAL_IPv4}" + - "--relay-ip=${EXTERNAL_IPv6:-::1}" volumes: - {{ if isTrue .Env.ENABLE_HTTPS_PROXY }} - - ssl_data:/etc/resty-auto-ssl - {{else}} - - ${COTURN_TLS_CERT_PATH}:/tmp/cert.pem - - ${COTURN_TLS_KEY_PATH}:/tmp/key.pem - {{end}} - - ./mod/coturn/entrypoint.sh:/usr/local/bin/docker-entrypoint.sh - ./mod/coturn/turnserver.conf:/etc/coturn/turnserver.conf - environment: - ENABLE_HTTPS_PROXY: - user: root network_mode: host -{{end}} {{ if isTrue .Env.ENABLE_GREENLIGHT }} # greenlight greenlight: - image: bigbluebutton/greenlight:v3.0.6.1 + image: bigbluebutton/greenlight:v3.4.1 restart: unless-stopped env_file: .env depends_on: @@ -474,8 +504,8 @@ services: environment: DATABASE_URL: postgres://postgres:${POSTGRESQL_SECRET:-password}@postgres:5432/greenlight-v3 REDIS_URL: redis://redis:6379 - {{ if isTrue .Env.DEV_MODE }} - BIGBLUEBUTTON_ENDPOINT: http://10.7.7.1/bigbluebutton/api + {{ if $ignore_tls_cert_errors }} + BIGBLUEBUTTON_ENDPOINT: http://10.7.7.1:48083/bigbluebutton/api {{else}} BIGBLUEBUTTON_ENDPOINT: https://${DOMAIN}/bigbluebutton/api {{end}} @@ -483,16 +513,17 @@ services: SECRET_KEY_BASE: ${RAILS_SECRET} RELATIVE_URL_ROOT: / volumes: - - ./greenlight-data:/usr/src/app/storage + - ./data/greenlight:/usr/src/app/storage networks: bbb-net: ipv4_address: 10.7.7.21 +{{end}} postgres: - image: postgres:12-alpine + image: postgres:16-alpine restart: unless-stopped environment: - POSTGRES_DB: greenlight-v3 + POSTGRES_MULTIPLE_DATABASES: bbb_graphql,hasura_app,greenlight POSTGRES_USER: postgres POSTGRES_PASSWORD: ${POSTGRESQL_SECRET:-password} healthcheck: @@ -501,11 +532,11 @@ services: timeout: 5s retries: 5 volumes: - - ./postgres-data:/var/lib/postgresql/data + - ./data/postgres:/var/lib/postgresql/data + - ./mod/postgres/initdb.sh:/docker-entrypoint-initdb.d/initdb.sh networks: bbb-net: ipv4_address: 10.7.7.22 -{{end}} {{ if isTrue .Env.ENABLE_PROMETHEUS_EXPORTER }} # prometheus @@ -521,7 +552,7 @@ services: ipv4_address: 10.7.7.33 {{ if isTrue .Env.ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION }} volumes: - - bigbluebutton:/var/bigbluebutton:ro + - ./data/bigbluebutton:/var/bigbluebutton:ro {{end}} # the exporter requires /etc/bigbluebutton/bigbluebutton-release @@ -530,17 +561,6 @@ services: entrypoint: sh -c 'echo "BIGBLUEBUTTON_RELEASE=2.7.3" > /etc/bigbluebutton/bigbluebutton-release && python server.py' {{end}} - -volumes: - bigbluebutton: - vol-freeswitch: - vol-kurento: - vol-mediasoup: - html5-static: -{{ if isTrue .Env.ENABLE_HTTPS_PROXY }} - ssl_data: -{{end}} - networks: bbb-net: ipam: diff --git a/docs/development.md b/docs/development.md index c791b1bd..ca5a3a91 100644 --- a/docs/development.md +++ b/docs/development.md @@ -1,50 +1,29 @@ # bbb-docker Development ## Basics -normally people start BBB with the pre-built docker images, but for developing you need to build them by yourself. For that you need to ensure that the submodules are also checked out: +normally people start BBB with the pre-built docker images, but for developing you need to build them by yourself. For that you need to ensure that the submodules are also checked out ```sh -$ git submodule update --init +$ git clone --recurse-submodules https://github.com/bigbluebutton/docker.git bbb-dev +$ cd bbb-dev ``` - ## Running -you can run bbb-docker locally without any certificate issues with following `.env` configurations: - -``` -DEV_MODE=true - -ENABLE_HTTPS_PROXY=true -#ENABLE_COTURN=true -#ENABLE_GREENLIGHT=true -#ENABLE_WEBHOOKS=true -#ENABLE_PROMETHEUS_EXPORTER=true -#ENABLE_RECORDING=true - -DOMAIN=10.7.7.1 -EXTERNAL_IPv4=10.7.7.1 -STUN_IP=216.93.246.18 -STUN_PORT=3478 -TURN_SERVER=turns:localhost:5349?transport=tcp +you can now run bbb-docker locally by simply starting -TURN_SECRET=SuperTurnSecret -SHARED_SECRET=SuperSecret -ETHERPAD_API_KEY=SuperEtherpadKey -RAILS_SECRET=SuperRailsSecret_SuperRailsSecret - -# ==================================== -# CUSTOMIZATION -# ==================================== - -[... add rest of sample.env here ...] +```sh +$ ./scripts/dev ``` -- regenerate `docker-compose.yml` \ +### Hints +- the html5 component will watch and automatically reload on any changes 🚀 +- if you change anything in the other components, you need to + * manually rebuilt it \ + `$ docker compose build CONTAINERNAME` + * restart it \ + `$ docker compose up -d CONTAINERNAME` +- if you change any variable in .env, always run following to rebuild the `docker-compose.yml`` `$ ./scripts/generate-compose` -- build the images \ - `$ docker compose build` -- you can than start it with \ - `$ docker compose up -d` - view the logs with \ `$ docker compose logs -f` - and access the API via \ @@ -55,16 +34,6 @@ RAILS_SECRET=SuperRailsSecret_SuperRailsSecret ## Notes - Due to the self signed ssl certificate it is currently not possible to notify greenlight about recordings in dev mode -## Changes -- After doing some changes you usually must... - - recreate `docker-compose.yml` \ - `$ ./scripts/generate-compose` - * rebuild the image(s): \ - `$ docker compose build [containername]` - * restart changes image(s): \ - `$ docker compose up -d` - - ## How to do create a new update for a newer BBB release? This always consists out of following steps 1. **Get an understanding about changes that happened and find out what changes to bbb-docker that require.** \ diff --git a/docs/network-config.md b/docs/network-config.md index 8382fb9e..32891837 100644 --- a/docs/network-config.md +++ b/docs/network-config.md @@ -24,6 +24,7 @@ Services as configured. | coturn | network_mode: host | | | greenlight | | | ports: 10.7.7.1:5000:80 | prometheus | bbb-net | 10.7.7.33 | +| bbb-export-annotations | bbb-net | 10.7.7.19 | ```yml networks: diff --git a/mod/apps-akka/Dockerfile b/mod/apps-akka/Dockerfile index fcd876c6..6d4bf578 100644 --- a/mod/apps-akka/Dockerfile +++ b/mod/apps-akka/Dockerfile @@ -19,12 +19,25 @@ RUN cd /source \ # =================================================== + +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-settings +RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 && chmod a+x /usr/local/bin/yq +COPY --from=src-config /settings.yml /settings.yml +ARG TAG_BBB +RUN yq e -i ".public.app.bbbServerVersion = \"$TAG_BBB\"" /settings.yml +RUN yq e -i ".public.app.html5ClientBuild = \"$TAG_BBB\"" /settings.yml + + +# =================================================== + FROM alangecker/bbb-docker-base-java +COPY --from=builder-settings /usr/local/bin/yq /usr/local/bin/yq COPY --from=builder /bbb-apps-akka-0.0.4 /bbb-apps-akka COPY bbb-apps-akka.conf /etc/bigbluebutton/bbb-apps-akka.conf.tmpl COPY logback.xml /bbb-apps-akka/conf/logback.xml COPY entrypoint.sh /entrypoint.sh +COPY --from=builder-settings --chown=bigbluebutton:bigbluebutton /settings.yml /usr/share/bigbluebutton/html5-client/private/config/settings.yml USER bigbluebutton ENTRYPOINT /entrypoint.sh diff --git a/mod/apps-akka/bbb-apps-akka.conf b/mod/apps-akka/bbb-apps-akka.conf index d05cebc5..f145c721 100644 --- a/mod/apps-akka/bbb-apps-akka.conf +++ b/mod/apps-akka/bbb-apps-akka.conf @@ -11,4 +11,14 @@ services { } http { interface = "0.0.0.0" +} + +postgres { + properties = { + serverName = "postgres" + portNumber = "5432" + databaseName = "bbb_graphql" + user = "postgres" + password = "POSTGRES_PASSWORD" + } } \ No newline at end of file diff --git a/mod/apps-akka/entrypoint.sh b/mod/apps-akka/entrypoint.sh index 3938a7ca..033429e5 100755 --- a/mod/apps-akka/entrypoint.sh +++ b/mod/apps-akka/entrypoint.sh @@ -1,9 +1,17 @@ #!/bin/sh -e +# bbb-apps-akka.conf TARGET=/etc/bigbluebutton/bbb-apps-akka.conf cp /etc/bigbluebutton/bbb-apps-akka.conf.tmpl $TARGET sed -i "s/DOMAIN/$DOMAIN/" $TARGET sed -i "s/SHARED_SECRET/$SHARED_SECRET/" $TARGET +sed -i "s/POSTGRES_PASSWORD/$POSTGRES_PASSWORD/" $TARGET + + +# settings.yml +TARGET=/usr/share/bigbluebutton/html5-client/private/config/settings.yml +yq e -i ".public.kurento.wsUrl = \"wss://$DOMAIN/bbb-webrtc-sfu\"" $TARGET +yq e -i ".public.pads.url = \"https://$DOMAIN/pad\"" $TARGET cd /bbb-apps-akka /bbb-apps-akka/bin/bbb-apps-akka \ No newline at end of file diff --git a/mod/apps-akka/logback.xml b/mod/apps-akka/logback.xml index 0d9c0047..c29b1fbb 100644 --- a/mod/apps-akka/logback.xml +++ b/mod/apps-akka/logback.xml @@ -9,8 +9,10 @@ + - + + diff --git a/mod/base-java/Dockerfile b/mod/base-java/Dockerfile index 154e8768..810feee1 100644 --- a/mod/base-java/Dockerfile +++ b/mod/base-java/Dockerfile @@ -16,7 +16,7 @@ RUN groupadd -g 998 bigbluebutton \ && chown bigbluebutton:bigbluebutton /etc/bigbluebutton # add dockerize -ENV DOCKERIZE_VERSION v0.6.1 +ENV DOCKERIZE_VERSION v0.7.0 RUN wget -q https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ && tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \ && rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz diff --git a/mod/bbb-export-annotations/Dockerfile b/mod/bbb-export-annotations/Dockerfile new file mode 100644 index 00000000..07238604 --- /dev/null +++ b/mod/bbb-export-annotations/Dockerfile @@ -0,0 +1,24 @@ +FROM node:18-bullseye-slim AS builder + +COPY --from=bigbluebutton /bbb-export-annotations /bbb-export-annotations +RUN cd /bbb-export-annotations && npm ci && npm install + +# -------------------- + +FROM node:18-bullseye-slim + +#depends on; +#Depends: nodejs,npm,bbb-apps-akka,bbb-web,cairosvg,ghostscript,imagemagick, nodejs (>= 18), nodejs (<< 20) +#see repo https://ubuntu.bigbluebutton.org/focal-270/ bigbluebutton-focal main +#apt info bbb-export-annotations +#missing dependency: poppler-utils for pdftocairo bin -> covert background / original presentation to png +RUN apt update && apt install -y \ + nodejs npm cairosvg ghostscript imagemagick nodejs poppler-utils +# && useradd --uid 2004 --create-home --user-group bbb-export + +COPY --from=builder /bbb-export-annotations /bbb-export-annotations +#we need acces to volume bigbluebutton! +USER root +COPY ./config/settings.json /bbb-export-annotations/config/settings.json +COPY entrypoint.sh /entrypoint.sh +ENTRYPOINT /entrypoint.sh diff --git a/mod/bbb-export-annotations/config/settings.json b/mod/bbb-export-annotations/config/settings.json new file mode 100644 index 00000000..3283a8b6 --- /dev/null +++ b/mod/bbb-export-annotations/config/settings.json @@ -0,0 +1,41 @@ +{ + "log": { + "level": "info", + "msgName": "PresAnnStatusMsg" + }, + "shared": { + "presDir": "/var/bigbluebutton", + "presAnnDropboxDir": "/tmp/pres-ann-dropbox", + "cairosvg": "/usr/bin/cairosvg", + "ghostscript": "/usr/bin/gs", + "imagemagick": "/usr/bin/convert", + "pdftocairo": "/usr/bin/pdftocairo" + }, + "collector": { + "pngWidthRasterizedSlides": 2560 + }, + "process": { + "whiteboardTextEncoding": "utf-8", + "maxImageWidth": 1440, + "maxImageHeight": 1080, + "textScaleFactor": 2, + "pointsPerInch": 72, + "pixelsPerInch": 96 + }, + "notifier": { + "pod_id": "DEFAULT_PRESENTATION_POD", + "is_downloadable": "false", + "msgName": "NewPresFileAvailableMsg" + }, + "bbbWebAPI": "http://bbb-web:8090", + "bbbPadsAPI": "http://bbb-pads:9002", + "redis": { + "host": "redis", + "port": 6379, + "password": null, + "channels": { + "queue": "exportJobs", + "publish": "to-akka-apps-redis-channel" + } + } +} diff --git a/mod/bbb-export-annotations/entrypoint.sh b/mod/bbb-export-annotations/entrypoint.sh new file mode 100755 index 00000000..a637c844 --- /dev/null +++ b/mod/bbb-export-annotations/entrypoint.sh @@ -0,0 +1,6 @@ +#!/bin/sh +set -e + +cd /bbb-export-annotations +export NODE_ENV=production +npm start diff --git a/mod/bbb-graphql-actions/Dockerfile b/mod/bbb-graphql-actions/Dockerfile new file mode 100644 index 00000000..66ac9b8c --- /dev/null +++ b/mod/bbb-graphql-actions/Dockerfile @@ -0,0 +1,34 @@ +ARG BBB_BUILD_TAG +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder + +COPY --from=src ./ /src +RUN cd /src && \ + npm ci --no-progress && \ + npm run build + +# delete node_modules (it should create a fresh one inside /src/dist/) +RUN rm -rf /src/node_modules + +RUN cd /src/dist && \ + mv index.js bbb-graphql-actions.js && \ + cp ../package.json ../package-lock.json . && \ + npm ci --no-progress --omit=dev + + +# ------------------------------ +FROM node:22-bookworm-slim + +RUN groupadd -g 2062 app \ + && useradd -m -u 2063 -g app app + +USER app + +WORKDIR /app + +ENV SERVER_HOST 0.0.0.0 +ENV BBB_REDIS_HOST redis +ENV NODE_ENV=production + +COPY --from=builder /src/dist /app + +CMD [ "node", "/app/bbb-graphql-actions.js" ] \ No newline at end of file diff --git a/mod/bbb-graphql-actions/Dockerfile.dev b/mod/bbb-graphql-actions/Dockerfile.dev new file mode 100644 index 00000000..22babbbc --- /dev/null +++ b/mod/bbb-graphql-actions/Dockerfile.dev @@ -0,0 +1,16 @@ +ARG BBB_BUILD_TAG +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder + +RUN apt-get update && apt-get install -y gosu + +# allow any user to use node in /root/.nvm +RUN chmod 755 /root + +COPY dev-entrypoint.sh /dev-entrypoint.sh +ENTRYPOINT [ "/dev-entrypoint.sh" ] + +WORKDIR /app +ENV SERVER_HOST 0.0.0.0 +ENV BBB_REDIS_HOST redis + +CMD [ "npm install && npm start" ] \ No newline at end of file diff --git a/mod/bbb-graphql-actions/dev-entrypoint.sh b/mod/bbb-graphql-actions/dev-entrypoint.sh new file mode 100755 index 00000000..7c3700c2 --- /dev/null +++ b/mod/bbb-graphql-actions/dev-entrypoint.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +# get owner of /app +OWNER="$(stat -c '%u' "/app")" +GROUP="$(stat -c '%g' "/app")" +useradd --home-dir /tmp -u $OWNER user || /bin/true + +# run with same user to avoid any issues +# with file permissions +. /root/.nvm/nvm.sh +gosu $OWNER:$GROUP bash -c "$@" + diff --git a/mod/bbb-graphql-middleware/Dockerfile b/mod/bbb-graphql-middleware/Dockerfile new file mode 100644 index 00000000..763ee1a0 --- /dev/null +++ b/mod/bbb-graphql-middleware/Dockerfile @@ -0,0 +1,12 @@ +ARG BBB_BUILD_TAG +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder + +COPY --from=src / /src/ +RUN cd /src/ && CGO_ENABLED=0 go build -o bbb-graphql-middleware cmd/bbb-graphql-middleware/main.go + +# ------------------------------ +FROM alpine +COPY --from=builder /src/bbb-graphql-middleware /app/bbb-graphql-middleware +COPY --from=builder /src/config/config.yml /usr/share/bbb-graphql-middleware/config.yml +COPY config.yml /etc/bigbluebutton/bbb-graphql-middleware.yml +CMD [ "/app/bbb-graphql-middleware" ] \ No newline at end of file diff --git a/mod/bbb-graphql-middleware/Dockerfile.dev b/mod/bbb-graphql-middleware/Dockerfile.dev new file mode 100644 index 00000000..d1952d47 --- /dev/null +++ b/mod/bbb-graphql-middleware/Dockerfile.dev @@ -0,0 +1,8 @@ +ARG BBB_BUILD_TAG +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder + +WORKDIR /app + +ENV GOPATH /gopath + +CMD ["go", "run", "cmd/bbb-graphql-middleware/main.go", "--signal", "SIGTERM"] \ No newline at end of file diff --git a/mod/bbb-graphql-middleware/config.yml b/mod/bbb-graphql-middleware/config.yml new file mode 100644 index 00000000..3740d32f --- /dev/null +++ b/mod/bbb-graphql-middleware/config.yml @@ -0,0 +1,15 @@ +server: + listen_host: 0.0.0.0 + listen_port: 8378 +redis: + host: redis + port: 6379 + password: "" +hasura: + url: ws://bbb-graphql-server:8085/v1/graphql +graphql-actions: + url: http://bbb-graphql-actions:8093 +auth_hook: + url: http://bbb-web:8090/bigbluebutton/connection/checkGraphqlAuthorization +session_vars_hook: + url: http://apps-akka:8901/userInfo \ No newline at end of file diff --git a/mod/bbb-graphql-server/Dockerfile b/mod/bbb-graphql-server/Dockerfile new file mode 100644 index 00000000..3c087cc7 --- /dev/null +++ b/mod/bbb-graphql-server/Dockerfile @@ -0,0 +1,25 @@ +ARG BBB_BUILD_TAG +ARG GRAPHQL_ENGINE_TAG +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder + +RUN curl -L https://github.com/hasura/graphql-engine/raw/stable/cli/get.sh | INSTALL_PATH=/usr/local/bin VERSION=v2.44.0 bash +RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && chmod a+x /usr/local/bin/yq + +# ---------------------------- +FROM hasura/graphql-engine:$GRAPHQL_ENGINE_TAG + +# install netstat, required for start script +RUN apt-get update && apt-get install -y net-tools gosu + +COPY --from=builder /usr/local/bin/yq /usr/local/bin/yq +COPY --from=builder /usr/local/bin/hasura /usr/local/bin/hasura + +COPY --from=src /bbb_schema.sql /app/ +COPY --from=src /metadata /app/metadata + +COPY config.yaml /app/config.yaml +COPY entrypoint.sh /entrypoint.sh +COPY start.sh /app/start.sh + +ENTRYPOINT [ "/entrypoint.sh" ] +CMD [ "/app/start.sh" ] diff --git a/mod/bbb-graphql-server/config.yaml b/mod/bbb-graphql-server/config.yaml new file mode 100644 index 00000000..cd39dc2f --- /dev/null +++ b/mod/bbb-graphql-server/config.yaml @@ -0,0 +1,7 @@ +version: 3 +endpoint: http://localhost:8085 +admin_secret: bigbluebutton +metadata_directory: metadata +actions: + kind: synchronous + handler_webhook_baseurl: http://localhost:3000 diff --git a/mod/bbb-graphql-server/entrypoint.sh b/mod/bbb-graphql-server/entrypoint.sh new file mode 100755 index 00000000..096d49cd --- /dev/null +++ b/mod/bbb-graphql-server/entrypoint.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +# for psql +export PGHOST=postgres +export PGUSER="${POSTGRES_USER}" +export PGPASSWORD="${POSTGRES_PASSWORD}" + + +# for hasura +export HASURA_GRAPHQL_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/hasura_app +export HASURA_GRAPHQL_METADATA_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/hasura_app +export HASURA_GRAPHQL_LOG_LEVEL=warn +export HASURA_GRAPHQL_ENABLE_CONSOLE=false +export HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_REFETCH_INTERVAL=250 +export HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_BATCH_SIZE=1000 +export HASURA_GRAPHQL_STREAMING_QUERIES_MULTIPLEXED_REFETCH_INTERVAL=100 +export HASURA_GRAPHQL_STREAMING_QUERIES_MULTIPLEXED_BATCH_SIZE=1000 +export HASURA_GRAPHQL_SERVER_PORT=8085 +export HASURA_GRAPHQL_ENABLE_TELEMETRY=false +export HASURA_GRAPHQL_WEBSOCKET_KEEPALIVE=10 +export HASURA_GRAPHQL_AUTH_HOOK=http://apps-akka:8901/userInfo +export HASURA_BBB_GRAPHQL_ACTIONS_ADAPTER_URL=http://bbb-graphql-actions:8093 + + +export HASURA_GRAPHQL_BBB_DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/bbb_graphql + +exec $@ \ No newline at end of file diff --git a/mod/bbb-graphql-server/start.sh b/mod/bbb-graphql-server/start.sh new file mode 100755 index 00000000..5fc33548 --- /dev/null +++ b/mod/bbb-graphql-server/start.sh @@ -0,0 +1,39 @@ +#!/bin/bash +set -e + +cd /app/ + +# patch database url +# TODO: this should be possible upstream in BBB via an environment variable +yq e -i ".[1].configuration.connection_info.database_url = \"$HASURA_GRAPHQL_BBB_DATABASE_URL\"" metadata/databases/databases.yaml + +sed -i "s/^admin_secret: .*/admin_secret: $HASURA_GRAPHQL_ADMIN_SECRET/g" /app/config.yaml + +echo "SELECT 'CREATE DATABASE hasura_app' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'hasura_app')\gexec" | psql + +echo "Restarting database bbb_graphql" +psql -c "SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity WHERE datname = 'bbb_graphql'" > /dev/null +psql -c "drop database if exists bbb_graphql with (force)" +psql -c "create database bbb_graphql WITH TEMPLATE template0 LC_COLLATE 'C.UTF-8'" +psql -c "alter database bbb_graphql set timezone to 'UTC'" + +echo "Creating tables in bbb_graphql" +psql -U postgres -d bbb_graphql -q -f bbb_schema.sql --set ON_ERROR_STOP=on + +echo "Starting hasura-graphql-engine" +gosu nobody graphql-engine serve & +PID=$! + +sleep 1 + + +#Check if Hasura is ready before applying metadata +while ! netstat -tuln | grep ":$HASURA_GRAPHQL_SERVER_PORT " > /dev/null; do + echo "Waiting for Hasura's port ($HASURA_GRAPHQL_SERVER_PORT) to be ready..." + sleep 1 +done + +echo "Applying new metadata to Hasura" +/usr/local/bin/hasura metadata apply --skip-update-check + +wait "$PID" \ No newline at end of file diff --git a/mod/bbb-pads/Dockerfile b/mod/bbb-pads/Dockerfile index 61096756..7498a105 100644 --- a/mod/bbb-pads/Dockerfile +++ b/mod/bbb-pads/Dockerfile @@ -1,4 +1,4 @@ -FROM node:18-bullseye-slim AS builder +FROM node:18-bookworm-slim AS builder COPY --from=src / /bbb-pads RUN cd /bbb-pads && rm -r .git && npm install --production @@ -7,7 +7,7 @@ RUN cd /bbb-pads && rm -r .git && npm install --production RUN chmod 777 /bbb-pads/config # ------------------------------ -FROM node:18-bullseye-slim +FROM node:18-bookworm-slim RUN apt update && apt install -y jq moreutils \ && useradd --uid 2003 --create-home --user-group bbb-pads diff --git a/mod/bbb-web/Dockerfile b/mod/bbb-web/Dockerfile index 1b636ecd..e5fefa59 100644 --- a/mod/bbb-web/Dockerfile +++ b/mod/bbb-web/Dockerfile @@ -47,12 +47,10 @@ COPY --from=builder /dist /usr/share/bbb-web COPY --from=builder /bbb-web/pres-checker/lib /usr/share/prescheck/lib COPY --from=builder /bbb-web/pres-checker/run.sh /usr/share/prescheck/prescheck.sh -COPY mocked-ps /usr/bin/ps - # add entrypoint and templates COPY entrypoint.sh /entrypoint.sh COPY bbb-web.properties /etc/bigbluebutton/bbb-web.properties.tmpl -COPY turn-stun-servers.xml /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml.tmpl +COPY turn-stun-servers.xml /etc/bigbluebutton/turn-stun-servers.xml.tmpl COPY logback.xml /usr/share/bbb-web/WEB-INF/classes/logback.xml COPY office-convert.sh /usr/share/bbb-libreoffice-conversion/convert.sh diff --git a/mod/bbb-web/bbb-web.properties b/mod/bbb-web/bbb-web.properties index 0f500d22..1357f23b 100644 --- a/mod/bbb-web/bbb-web.properties +++ b/mod/bbb-web/bbb-web.properties @@ -13,8 +13,10 @@ securitySalt={{ .Env.SHARED_SECRET }} redisHost=redis -{{ if isTrue .Env.DEV_MODE }} -beans.presentationService.defaultUploadedPresentation=https://test.bigbluebutton.org/default.pdf +{{ if isTrue .Env.IGNORE_TLS_CERT_ERRORS }} +beans.presentationService.defaultUploadedPresentation=https://test27.bigbluebutton.org/default.pdf +# fetch presentations without HTTPS +presentationBaseURL=http://{{ .Env.DOMAIN }}/bigbluebutton/presentation {{else}} beans.presentationService.defaultUploadedPresentation=${bigbluebutton.web.serverURL}/default.pdf {{end}} diff --git a/mod/bbb-web/entrypoint.sh b/mod/bbb-web/entrypoint.sh index 346fac7a..7c9506b5 100755 --- a/mod/bbb-web/entrypoint.sh +++ b/mod/bbb-web/entrypoint.sh @@ -2,28 +2,30 @@ set -e # create recording directory structure if it doesn't exist yet +mkdir -p /var/bigbluebutton/recording/status +mkdir -p /var/bigbluebutton/events +mkdir -p /var/bigbluebutton/recording mkdir -p /var/bigbluebutton/recording/raw mkdir -p /var/bigbluebutton/recording/process mkdir -p /var/bigbluebutton/recording/publish mkdir -p /var/bigbluebutton/recording/status/recorded mkdir -p /var/bigbluebutton/recording/status/archived mkdir -p /var/bigbluebutton/recording/status/processed -mkdir -p /var/bigbluebutton/recording/status/sanity mkdir -p /var/bigbluebutton/recording/status/ended +mkdir -p /var/bigbluebutton/recording/status/sanity mkdir -p /var/bigbluebutton/recording/status/published +mkdir -p /var/bigbluebutton/captions mkdir -p /var/bigbluebutton/captions/inbox mkdir -p /var/bigbluebutton/published -mkdir -p /var/bigbluebutton/published/notes mkdir -p /var/bigbluebutton/deleted mkdir -p /var/bigbluebutton/unpublished +mkdir -p /var/bigbluebutton/basic_stats chown -R bigbluebutton:bigbluebutton /var/bigbluebutton -echo "$NUMBER_OF_BACKEND_NODEJS_PROCESSES" > /tmp/NUMBER_OF_BACKEND_NODEJS_PROCESSES - cd /usr/share/bbb-web/ dockerize \ -template /etc/bigbluebutton/bbb-web.properties.tmpl:/etc/bigbluebutton/bbb-web.properties \ - -template /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml.tmpl:/usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml \ + -template /etc/bigbluebutton/turn-stun-servers.xml.tmpl:/etc/bigbluebutton/turn-stun-servers.xml \ gosu bigbluebutton java -Dgrails.env=prod -Dserver.address=0.0.0.0 -Dserver.port=8090 -Dspring.main.allow-circular-references=true -Xms384m -Xmx384m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/bigbluebutton/diagnostics -cp WEB-INF/lib/*:/:WEB-INF/classes/:. org.springframework.boot.loader.WarLauncher diff --git a/mod/bbb-web/logback.xml b/mod/bbb-web/logback.xml index 8fb58386..def4f595 100644 --- a/mod/bbb-web/logback.xml +++ b/mod/bbb-web/logback.xml @@ -22,7 +22,7 @@ - + diff --git a/mod/bbb-web/mocked-ps b/mod/bbb-web/mocked-ps deleted file mode 100755 index bb67da3f..00000000 --- a/mod/bbb-web/mocked-ps +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -echo "(mocked-ps for HTML5LoadBalancingService.java)" - -# fake random process load to distribute meetings equally -for i in `seq $(cat /tmp/NUMBER_OF_BACKEND_NODEJS_PROCESSES)`; do - randomLoad=$(echo $(( $RANDOM % 100 ))) - echo " $randomLoad.1 /usr/share/node-v12.16.1-linux-x64/bin/node main.js NODEJS_BACKEND_INSTANCE_ID=$i" -done diff --git a/mod/bbb-web/office-convert.sh b/mod/bbb-web/office-convert.sh index b4c7c9e0..f896bfc5 100755 --- a/mod/bbb-web/office-convert.sh +++ b/mod/bbb-web/office-convert.sh @@ -7,6 +7,8 @@ PATH="/bin/:/usr/bin/" # Param 1: Input office file path (e.g. "/tmp/test.odt") # Param 2: Output pdf file path (e.g. "/tmp/test.pdf") # Param 3: Destination Format (pdf default) +# Param 4: Timeout (secs) (optional) + if (( $# == 0 )); then echo "Missing parameter 1 (Input office file path)"; exit 1 @@ -16,15 +18,19 @@ elif (( $# == 1 )); then fi; -source="${1}" -dest="${2}" +source="$1" +dest="$2" -#If output format is missing, define PDF +# If output format is missing, define PDF convertTo="${3:-pdf}" -curl -v -X POST "http://jodconverter:8080/lool/convert-to/$convertTo" \ - -H "accept: application/octet-stream" \ - -H "Content-Type: multipart/form-data" \ - -F "data=@${source}" > "${dest}" +# If timeout is missing, define 60 +timeoutSecs="${4:-60}" +# Truncate timeout to max 3 digits (as expected by sudoers) +timeoutSecs="${timeoutSecs:0:3}" + +# The timeout is important. + +timeout $(printf %03d $timeoutSecs)s curl -F "data=@${source}" -k https://collabora:9980/cool/convert-to/$convertTo > "${dest}" -exit 0 \ No newline at end of file +exit 0 diff --git a/mod/bbb-web/turn-stun-servers.xml b/mod/bbb-web/turn-stun-servers.xml index e97dcab8..de928389 100644 --- a/mod/bbb-web/turn-stun-servers.xml +++ b/mod/bbb-web/turn-stun-servers.xml @@ -8,10 +8,26 @@ - {{if .Env.TURN_SERVER }} - - - + + + + + + + {{if and (isTrue .Env.ENABLE_HTTPS_PROXY) (not (isTrue .Env.IGNORE_TLS_CERT_ERRORS)) }} + {{/* ignore when using a self signed certificate in dev mode */}} + + + + + + {{end}} + + + {{if .Env.TURN_EXT_SERVER }} + + + {{end}} @@ -24,8 +40,14 @@ - {{if .Env.TURN_SERVER }} + + {{if and (isTrue .Env.ENABLE_HTTPS_PROXY) (not (isTrue .Env.IGNORE_TLS_CERT_ERRORS)) }} + + {{end}} + + {{if .Env.TURN_EXT_SERVER }} + {{end}} diff --git a/mod/bbb-webrtc-recorder/Dockerfile b/mod/bbb-webrtc-recorder/Dockerfile new file mode 100644 index 00000000..07fd1c41 --- /dev/null +++ b/mod/bbb-webrtc-recorder/Dockerfile @@ -0,0 +1,40 @@ +# Build stage +FROM golang:1.21 as builder + +ARG APP_VERSION=devel +ARG GOMOD=github.com/bigbluebutton/bbb-webrtc-recorder + +WORKDIR /app + +COPY --from=src go.* ./ + +RUN go mod tidy + +COPY --from=src . ./ + +RUN APP_VERSION=$(cat ./VERSION | sed 's/ /-/g') \ + go build -o ./build/bbb-webrtc-recorder \ + -ldflags="-X '$GOMOD/internal.AppVersion=v${APP_VERSION1}'" \ + ./cmd/bbb-webrtc-recorder + + +RUN mv /app/build/bbb-webrtc-recorder /usr/bin/bbb-webrtc-recorder + +# Running stage +FROM debian:bookworm-slim + +RUN apt-get update && apt-get install -y gosu + +# use same UID as in the recordings container +RUN groupadd -g 998 bigbluebutton && useradd -m -u 998 -g bigbluebutton bigbluebutton + +# config +ENV BBBRECORDER_PUBSUB_ADAPTERS_REDIS_ADDRESS=redis:6379 +ENV BBBRECORDER_PUBSUB_ADAPTERS_REDIS_NETWORK=tcp +ENV BBBRECORDER_DEBUG=true + +# Copy the binary to the production image from the builder stage. +COPY --from=builder /usr/bin/bbb-webrtc-recorder /usr/bin/bbb-webrtc-recorder +COPY --from=builder /app/config/bbb-webrtc-recorder.yml /etc/bbb-webrtc-recorder/bbb-webrtc-recorder.yml + +CMD ["/bin/sh", "-c", "chown -R bigbluebutton:bigbluebutton /var/lib/bbb-webrtc-recorder && gosu bigbluebutton /usr/bin/bbb-webrtc-recorder"] \ No newline at end of file diff --git a/mod/coturn/entrypoint.sh b/mod/coturn/entrypoint.sh deleted file mode 100755 index 62cd1262..00000000 --- a/mod/coturn/entrypoint.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh -set -e -apk add jq su-exec -if [ "$ENABLE_HTTPS_PROXY" == true ]; then - - while [ ! -f /etc/resty-auto-ssl/storage/file/*latest ] - do - echo "ERROR: certificate doesn't exist yet." - echo "Certificate gets create on the first request to the HTTPS proxy." - echo "We will try again..." - sleep 10 - done - - # extract cert - cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.fullchain_pem' > /tmp/cert.pem - cat /etc/resty-auto-ssl/storage/file/*%3Alatest | jq -r '.privkey_pem' > /tmp/key.pem -fi - -if [ ! -f /tmp/cert.pem ] || [ ! -f /tmp/key.pem ]; then - echo "ERROR: certificate not found, but coturn relies on it." - echo "Use either auto HTTPS proxy or" - echo "provide path to certificates in .env file" - exit 1 -fi - -# If command starts with an option, prepend with turnserver binary. -if [ "${1:0:1}" == '-' ]; then - set -- turnserver "$@" -fi - -su-exec nobody $(eval "echo $@") \ No newline at end of file diff --git a/mod/coturn/turnserver.conf b/mod/coturn/turnserver.conf index be71ffe4..55cdf9d6 100644 --- a/mod/coturn/turnserver.conf +++ b/mod/coturn/turnserver.conf @@ -1,73 +1,28 @@ -# Example coturn configuration for BigBlueButton - -# These are the two network ports used by the TURN server which the client -# may connect to. We enable the standard unencrypted port 3478 for STUN, listening-port=3478 -# and since TLS over SMTP port (465) is now blocked by major browser vendors, -# we reverted to the most common coturn TLS port 5349, which has limitations -# in restrictive firewall environments. For maximum client support run -# coturn on a dedicated host on port 443. -tls-listening-port=5349 - -# If the server has multiple IP addresses, you may wish to limit which -# addresses coturn is using. Do that by setting this option (it can be -# specified multiple times). The default is to listen on all addresses. -# You do not normally need to set this option. -#listening-ip=172.17.19.101 +# listening-ip=${INTERNAL_IP:-$IP} +# relay-ip=${INTERNAL_IP:-$IP} -# If the server is behind NAT, you need to specify the external IP address. -# If there is only one external address, specify it like this: -#external-ip=172.17.19.120 -# If you have multiple external addresses, you have to specify which -# internal address each corresponds to, like this. The first address is the -# external ip, and the second address is the corresponding internal IP. -#external-ip=172.17.19.131/10.0.0.11 -#external-ip=172.17.18.132/10.0.0.12 +min-port=32769 +max-port=65535 +# verbose -# Fingerprints in TURN messages are required for WebRTC fingerprint - -# The long-term credential mechanism is required for WebRTC lt-cred-mech - -# Configure coturn to use the "TURN REST API" method for validating time- -# limited credentials. BigBlueButton will generate credentials in this -# format. Note that the static-auth-secret value specified here must match -# the configuration in BigBlueButton's turn-stun-servers.xml -# You can generate a new random value by running the command: -# openssl rand -hex 16 use-auth-secret -# static-auth-secret= - -# If the realm value is unspecified, it defaults to the TURN server hostname. -# You probably want to configure it to a domain name that you control to -# improve log output. There is no functional impact. -realm=example.com +realm=bbb-docker -# Configure TLS support. -# Adjust these paths to match the locations of your certificate files -cert=/tmp/cert.pem -pkey=/tmp/key.pem -# Limit the allowed ciphers to improve security -# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ -cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS" - -# Enable longer DH TLS key to improve security -dh2066 +keep-address-family -# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable -# older protocols +no-cli no-tlsv1 no-tlsv1_1 -# To enable single filename logs you need to enable the simple-log flag -syslog -#verbose +# Block connections to IP ranges which shouldn't be reachable +no-loopback-peers +no-multicast-peers -# Allocate Address Family according -# If enabled then TURN server allocates address family according the TURN -# Client <=> Server communication address family. -# (By default Coturn works according RFC 6156.) -# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!! -keep-address-family + +# we only need to allow peer connections from the machine itself (from mediasoup or freeswitch). +denied-peer-ip=0.0.0.0-255.255.255.255 +denied-peer-ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff \ No newline at end of file diff --git a/mod/etherpad/Dockerfile b/mod/etherpad/Dockerfile index c5309521..e421fc22 100644 --- a/mod/etherpad/Dockerfile +++ b/mod/etherpad/Dockerfile @@ -7,20 +7,21 @@ RUN apk add git curl USER etherpad -RUN npm install \ - ep_cursortrace@3.1.16 \ - git+https://github.com/mconf/ep_pad_ttl.git#360136cd38493dd698435631f2373cbb7089082d \ - git+https://github.com/mconf/ep_redis_publisher.git#2b6e47c1c59362916a0b2961a29b259f2977b694 \ - ep_disable_chat@0.0.8 \ +RUN pnpm run plugins i \ + ep_cursortrace@3.1.18 \ + ep_disable_chat@0.0.10 \ ep_auth_session@1.1.1 \ -# remove npm lockfile, because somehow it prevents etherpad from detecting the manual added plugin ep_bigbluebutton_patches - && rm package-lock.json package.json + --github \ + mconf/ep_pad_ttl#360136cd38493dd698435631f2373cbb7089082d \ + mconf/ep_redis_publisher#2b6e47c1c59362916a0b2961a29b259f2977b694 + # add skin from git submodule COPY --chown=etherpad:0 --from=skin / /opt/etherpad-lite/src/static/skins/bigbluebutton # add plugin from git submodule -COPY --chown=etherpad:0 --from=plugin / /opt/etherpad-lite/node_modules/ep_bigbluebutton_patches +COPY --chown=etherpad:0 --from=plugin / /ep_bigbluebutton_patches +RUN pnpm run plugins i --path /ep_bigbluebutton_patches COPY settings.json /opt/etherpad-lite/settings.json COPY etherpad-export.sh /etherpad-export.sh diff --git a/mod/etherpad/entrypoint.sh b/mod/etherpad/entrypoint.sh index 79a0ecd7..acc23921 100755 --- a/mod/etherpad/entrypoint.sh +++ b/mod/etherpad/entrypoint.sh @@ -1,5 +1,3 @@ #!/bin/sh echo $ETHERPAD_API_KEY > /tmp/apikey -export NODE_ENV=production - -node /opt/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js --apikey /tmp/apikey \ No newline at end of file +pnpm run prod --apikey /tmp/apikey \ No newline at end of file diff --git a/mod/etherpad/etherpad-export.sh b/mod/etherpad/etherpad-export.sh index f23c72e4..6bf6e672 100755 --- a/mod/etherpad/etherpad-export.sh +++ b/mod/etherpad/etherpad-export.sh @@ -4,9 +4,6 @@ dest="$(echo $8 | sed -E -e 's/html|odt/'$7'/')" convertTo="$7" -curl -v -X POST "http://jodconverter:8080/lool/convert-to/$convertTo" \ - -H "accept: application/octet-stream" \ - -H "Content-Type: multipart/form-data" \ - -F "data=@$src" > $dest +curl -v -F "data=@${src}" -k https://collabora:9980/cool/convert-to/$convertTo > "${dest}" exit 0 \ No newline at end of file diff --git a/mod/etherpad/settings.json b/mod/etherpad/settings.json index 42466c55..d3c1c4e4 100644 --- a/mod/etherpad/settings.json +++ b/mod/etherpad/settings.json @@ -140,7 +140,7 @@ * "full-width-editor" variant (by default editor is rendered as a page, with * a max-width of 900px). */ - "skinVariants": "super-light-toolbar super-light-editor light-background", + "skinVariants": "", /* * IP and port which Etherpad should bind at. @@ -162,6 +162,14 @@ */ "showSettingsInAdminPage": true, + /* + * Settings for cleanup of pads + */ + "cleanup": { + "enabled": false, + "keepRevisions": 5 + }, + /* * Node native SSL support * @@ -271,6 +279,14 @@ "pageDown": true }, + /* + * Enables the use of a different server. We have a different one that syncs changes from the original server. + * It is hosted on GitHub and should not be blocked by many firewalls. + * https://etherpad.org/ep_infos + */ + + "updateServer": "https://etherpad.org/ep_infos", + /* * Should we suppress errors from being visible in the default Pad Text? */ @@ -323,14 +339,6 @@ */ "soffice": "/etherpad-export.sh", - /* - * Path to the Tidy executable. - * - * Tidy is used to improve the quality of exported pads. - * Setting it to null disables Tidy. - */ - "tidyHtml": null, - /* * Allow import of file types other than the supported ones: * txt, doc, docx, rtf, odt, html & htm @@ -364,6 +372,22 @@ * Settings controlling the session cookie issued by Etherpad. */ "cookie": { + /* + * How often (in milliseconds) the key used to sign the express_sid cookie + * should be rotated. Long rotation intervals reduce signature verification + * overhead (because there are fewer historical keys to check) and database + * load (fewer historical keys to store, and less frequent queries to + * get/update the keys). Short rotation intervals are slightly more secure. + * + * Multiple Etherpad processes sharing the same database (table) is + * supported as long as the clock sync error is significantly less than this + * value. + * + * Key rotation can be disabled (not recommended) by setting this to 0 or + * null, or by disabling session expiration (see sessionLifetime). + */ + "keyRotationInterval": 86400000, // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s + /* * Value of the SameSite cookie property. "Lax" is recommended unless * Etherpad will be embedded in an iframe from another site, in which case @@ -375,7 +399,51 @@ * significant usability drawbacks vs. "Lax". See * https://stackoverflow.com/q/41841880 for discussion. */ - "sameSite": "None" + "sameSite": "None", + + /* + * How long (in milliseconds) after navigating away from Etherpad before the + * user is required to log in again. (The express_sid cookie is set to + * expire at time now + sessionLifetime when first created, and its + * expiration time is periodically refreshed to a new now + sessionLifetime + * value.) If requireAuthentication is false then this value does not really + * matter. + * + * The "best" value depends on your users' usage patterns and the amount of + * convenience you desire. A long lifetime is more convenient (users won't + * have to log back in as often) but has some drawbacks: + * - It increases the amount of state kept in the database. + * - It might weaken security somewhat: The cookie expiration is refreshed + * indefinitely without consulting authentication or authorization + * hooks, so once a user has accessed a pad, the user can continue to + * use the pad until the user leaves for longer than sessionLifetime. + * - More historical keys (sessionLifetime / keyRotationInterval) must be + * checked when verifying signatures. + * + * Session lifetime can be set to infinity (not recommended) by setting this + * to null or 0. Note that if the session does not expire, most browsers + * will delete the cookie when the browser exits, but a session record is + * kept in the database forever. + */ + "sessionLifetime": 864000000, // = 10d * 24h/d * 60m/h * 60s/m * 1000ms/s + + /* + * How long (in milliseconds) before the expiration time of an active user's + * session is refreshed (to now + sessionLifetime). This setting affects the + * following: + * - How often a new session expiration time will be written to the + * database. + * - How often each user's browser will ping the Etherpad server to + * refresh the expiration time of the session cookie. + * + * High values reduce the load on the database and the load from browsers, + * but can shorten the effective session lifetime if Etherpad is restarted + * or the user navigates away. + * + * Automatic session refreshes can be disabled (not recommended) by setting + * this to null. + */ + "sessionRefreshInterval": 86400000 // = 1d * 24h/d * 60m/h * 60s/m * 1000ms/s }, /* @@ -475,7 +543,7 @@ /* * Restrict socket.io transport methods */ - "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], + "socketTransportProtocols" : ["websocket", "polling"], "socketIo": { /* @@ -485,7 +553,7 @@ * value to work properly, but increasing the value increases susceptibility * to denial of service attacks (malicious clients can exhaust memory). */ - "maxHttpBufferSize": 10000 + "maxHttpBufferSize": 50000 }, /* @@ -539,7 +607,7 @@ "windowMs": 90000, // maximum number of requests per IP to allow during the rate limit window - "max": 16 + "max": 32 }, /* @@ -550,6 +618,13 @@ */ "importMaxFileSize": 52428800, // 50 * 1024 * 1024 + /* + The authentication method used by the server. + The default value is sso + If you want to use the old authentication system, change this to apikey + */ + "authenticationMethod": "apikey", + /* * From Etherpad 1.8.5 onwards, when Etherpad is in production mode commits from individual users are rate limited * @@ -566,7 +641,6 @@ "points": 100 }, - /* * Toolbar buttons configuration. * @@ -596,6 +670,13 @@ */ "loglevel": "INFO", + /* + * The log layout type to use. + * + * Valid values: basic, colored + */ + "logLayoutType": "colored", + /* Override any strings found in locale directories */ "customLocaleStrings": { "de": { @@ -633,8 +714,10 @@ }, /* Disable Admin UI tests */ - "enableAdminUITests": false -} - - + "enableAdminUITests": false, + /* + * Enable/Disable case-insensitive pad names. + */ + "lowerCasePadIds": false +} \ No newline at end of file diff --git a/mod/freeswitch/Dockerfile b/mod/freeswitch/Dockerfile index 19107e18..01537630 100644 --- a/mod/freeswitch/Dockerfile +++ b/mod/freeswitch/Dockerfile @@ -28,7 +28,7 @@ RUN cd /build && ./build.sh # add english sounds RUN mkdir -p /build/staging/opt/freeswitch/share/freeswitch && \ - wget http://bigbluebutton.org/downloads/sounds.tar.gz -O sounds.tar.gz && \ + wget https://ubuntu.bigbluebutton.org/sounds.tar.gz -O sounds.tar.gz && \ tar xvfz sounds.tar.gz -C /build/staging/opt/freeswitch/share/freeswitch && \ wget https://gitlab.senfcall.de/senfcall-public/mute-and-unmute-sounds/-/archive/master/mute-and-unmute-sounds-master.zip && \ unzip mute-and-unmute-sounds-master.zip && \ @@ -42,11 +42,11 @@ COPY --from=fs-config / /build/staging/opt/freeswitch/etc/freeswitch/ # =============================================== # we are using ubuntu here, because libjpeg8 is required, but not available in debian -FROM ubuntu:20.04 +FROM ubuntu:22.04 RUN apt-get update && \ apt-get install -y \ xmlstarlet wget iptables curl \ - libfreetype6 libcurl4 libspeex1 libspeexdsp1 libopus0 libsndfile1 libopusfile0 liblua5.2-0 libjbig0 libldns2 libedit2 libtiff5 libpng16-16 \ + libfreetype6 libcurl4 libspeex1 libspeexdsp1 libopus0 libsndfile1 libopusfile0 liblua5.2-0 libjbig0 libldns3 libedit2 libtiff5 libpng16-16 libsqlite3-0 \ && \ # install libopusenc0 wget -O /tmp/libopusenc0_0.2.1-1bbb2_amd64.deb https://launchpad.net/~bigbluebutton/+archive/ubuntu/support/+files/libopusenc0_0.2.1-1bbb2_amd64.deb \ diff --git a/mod/freeswitch/conf/autoload_configs/acl.conf.xml b/mod/freeswitch/conf/autoload_configs/acl.conf.xml deleted file mode 100644 index 78628d84..00000000 --- a/mod/freeswitch/conf/autoload_configs/acl.conf.xml +++ /dev/null @@ -1,49 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/mod/freeswitch/conf/autoload_configs/event_socket.conf.xml b/mod/freeswitch/conf/autoload_configs/event_socket.conf.xml index 664aa8f8..6d7d4d72 100644 --- a/mod/freeswitch/conf/autoload_configs/event_socket.conf.xml +++ b/mod/freeswitch/conf/autoload_configs/event_socket.conf.xml @@ -4,7 +4,7 @@ - + - \ No newline at end of file + diff --git a/mod/freeswitch/conf/autoload_configs/modules.conf.xml b/mod/freeswitch/conf/autoload_configs/modules.conf.xml index 36f5d4b7..f05aa527 100644 --- a/mod/freeswitch/conf/autoload_configs/modules.conf.xml +++ b/mod/freeswitch/conf/autoload_configs/modules.conf.xml @@ -2,6 +2,7 @@ + diff --git a/mod/freeswitch/conf/dialplan/public.xml b/mod/freeswitch/conf/dialplan/public.xml deleted file mode 100644 index ac355dc4..00000000 --- a/mod/freeswitch/conf/dialplan/public.xml +++ /dev/null @@ -1,43 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/mod/freeswitch/conf/dialplan/public/dialin.xml b/mod/freeswitch/conf/dialplan/public/dialin.xml new file mode 100644 index 00000000..02c4ed7a --- /dev/null +++ b/mod/freeswitch/conf/dialplan/public/dialin.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/mod/freeswitch/conf/sip_profiles/external-dialin.xml b/mod/freeswitch/conf/sip_profiles/external-dialin.xml new file mode 100644 index 00000000..fbe7ca3e --- /dev/null +++ b/mod/freeswitch/conf/sip_profiles/external-dialin.xml @@ -0,0 +1,86 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/mod/freeswitch/conf/sip_profiles/external-ipv6.xml b/mod/freeswitch/conf/sip_profiles/external-ipv6.xml deleted file mode 100644 index 834441bc..00000000 --- a/mod/freeswitch/conf/sip_profiles/external-ipv6.xml +++ /dev/null @@ -1,113 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/mod/freeswitch/conf/sip_profiles/external.xml b/mod/freeswitch/conf/sip_profiles/external.xml index d8073f7f..53c9de1b 100644 --- a/mod/freeswitch/conf/sip_profiles/external.xml +++ b/mod/freeswitch/conf/sip_profiles/external.xml @@ -1,16 +1,6 @@ - - - - - - - @@ -25,7 +15,13 @@ - + + + @@ -36,7 +32,7 @@ - + @@ -73,20 +69,12 @@ --> - + - - - - - + + + @@ -113,9 +101,8 @@ - - - + + diff --git a/mod/freeswitch/conf/vars.xml.tmpl b/mod/freeswitch/conf/vars.xml.tmpl index b31edebf..b86502d6 100644 --- a/mod/freeswitch/conf/vars.xml.tmpl +++ b/mod/freeswitch/conf/vars.xml.tmpl @@ -1,12 +1,15 @@ - @@ -15,6 +18,7 @@ The following variables are set dynamically - calculated if possible by freeswitch - and are available to the config as $${variable}. You can see their calculated value via fs_cli by entering eval $${variable} + hostname local_ip_v4 local_mask_v4 @@ -41,21 +45,24 @@ nat_public_addr nat_private_addr nat_type + --> + + - - + - + @@ -63,6 +70,7 @@ @@ -70,7 +78,9 @@ NOTICE: When using SRTP it's critical that you do not offer or accept variable bit rate codecs, doing so would leak information and possibly compromise your SRTP stream. (FS-6404) + Supported SRTP Crypto Suites: + AEAD_AES_256_GCM_8 ____________________________________________________________________________ This algorithm is identical to AEAD_AES_256_GCM (see Section 5.2 of @@ -78,6 +88,8 @@ authentication tag with a length of 8 octets (64 bits) is used. An AEAD_AES_256_GCM_8 ciphertext is exactly 8 octets longer than its corresponding plaintext. + + AEAD_AES_128_GCM_8 ____________________________________________________________________________ This algorithm is identical to AEAD_AES_128_GCM (see Section 5.1 of @@ -85,6 +97,8 @@ authentication tag with a length of 8 octets (64 bits) is used. An AEAD_AES_128_GCM_8 ciphertext is exactly 8 octets longer than its corresponding plaintext. + + AES_CM_256_HMAC_SHA1_80 | AES_CM_192_HMAC_SHA1_80 | AES_CM_128_HMAC_SHA1_80 ____________________________________________________________________________ AES_CM_128_HMAC_SHA1_80 is the SRTP default AES Counter Mode cipher @@ -92,18 +106,25 @@ tag. The master-key length is 128 bits and has a default lifetime of a maximum of 2^48 SRTP packets or 2^31 SRTCP packets, whichever comes first. + + AES_CM_256_HMAC_SHA1_32 | AES_CM_192_HMAC_SHA1_32 | AES_CM_128_HMAC_SHA1_32 ____________________________________________________________________________ This crypto-suite is identical to AES_CM_128_HMAC_SHA1_80 except that the authentication tag is 32 bits. The length of the base64-decoded key and salt value for this crypto-suite MUST be 30 octets i.e., 240 bits; otherwise, the crypto attribute is considered invalid. + + AES_CM_128_NULL_AUTH ____________________________________________________________________________ The SRTP default cipher (AES-128 Counter Mode), but to use no authentication method. This policy is NOT RECOMMENDED unless it is unavoidable; see Section 7.5 of [RFC3711]. + + SRTP variables that modify behaviors based on direction/leg: + rtp_secure_media ____________________________________________________________________________ possible values: @@ -112,11 +133,16 @@ forbidden - More useful for inbound to deny SAVP negotiation false - implies forbidden true - implies mandatory + default if not set is accept SAVP inbound if offered. + + rtp_secure_media_inbound | rtp_secure_media_outbound ____________________________________________________________________________ This is the same as rtp_secure_media, but would apply to either inbound or outbound offers specifically. + + How to specify crypto suites: ____________________________________________________________________________ By default without specifying any crypto suites FreeSWITCH will offer @@ -124,29 +150,39 @@ endpoint has in common. If you wish to force specific crypto suites you can do so by appending the suites in a comma separated list in the order that you wish to offer them in. + Examples: + rtp_secure_media=mandatory:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32 rtp_secure_media=true:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32 rtp_secure_media=optional:AES_CM_256_HMAC_SHA1_80 rtp_secure_media=true:AES_CM_256_HMAC_SHA1_80 + Additionally you can narrow this down on either inbound or outbound by specifying as so: + rtp_secure_media_inbound=true:AEAD_AES_256_GCM_8 rtp_secure_media_inbound=mandatory:AEAD_AES_256_GCM_8 rtp_secure_media_outbound=true:AEAD_AES_128_GCM_8 rtp_secure_media_outbound=optional:AEAD_AES_128_GCM_8 + + rtp_secure_media_suites ____________________________________________________________________________ - Optionaly you can use rtp_secure_media_suites to dictate the suite list + Optionally you can use rtp_secure_media_suites to dictate the suite list and only use rtp_secure_media=[optional|mandatory|false|true] without having to dictate the suite list with the rtp_secure_media* variables. --> @@ -232,7 +275,9 @@ @@ -256,7 +302,7 @@ If unspecified, the bind_server_ip value is used. Used by: sofia.conf.xml dingaling.conf.xml --> - + - + @@ -342,6 +390,7 @@ @@ -354,16 +403,21 @@ @@ -380,7 +434,7 @@ - + @@ -395,4 +449,5 @@ - \ No newline at end of file + + diff --git a/mod/fsesl-akka/bbb-fsesl-akka.conf b/mod/fsesl-akka/bbb-fsesl-akka.conf index ed1b4753..12acb3e2 100644 --- a/mod/fsesl-akka/bbb-fsesl-akka.conf +++ b/mod/fsesl-akka/bbb-fsesl-akka.conf @@ -4,13 +4,13 @@ include "/bbb-fsesl-akka/conf/application.conf" freeswitch { esl { - host="10.7.7.1" + host="freeswitch" password="FSESL_PASSWORD" } } redis { - host="10.7.7.5" + host="redis" } http { diff --git a/mod/fsesl-akka/logback.xml b/mod/fsesl-akka/logback.xml index a6749c0d..9e587d91 100644 --- a/mod/fsesl-akka/logback.xml +++ b/mod/fsesl-akka/logback.xml @@ -11,8 +11,7 @@ - + - diff --git a/mod/haproxy/Dockerfile b/mod/haproxy/Dockerfile new file mode 100644 index 00000000..f172a4b2 --- /dev/null +++ b/mod/haproxy/Dockerfile @@ -0,0 +1,4 @@ +FROM ghcr.io/tomdess/docker-haproxy-certbot:2.8.10 + +# overwrite bootstrap.sh +COPY bootstrap.sh /bootstrap.sh \ No newline at end of file diff --git a/mod/haproxy/bootstrap.sh b/mod/haproxy/bootstrap.sh new file mode 100755 index 00000000..35c045d4 --- /dev/null +++ b/mod/haproxy/bootstrap.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +set -e + +# save container environment variables to use it +# in cron scripts + +declare -p | grep -Ev '^declare -[[:alpha:]]*r' > /container.env + +if [ "$IGNORE_TLS_CERT_ERRORS" ] && [ "$IGNORE_TLS_CERT_ERRORS" != "false" ]; then + # use self signed certificate + if [ ! -f /etc/haproxy/certs/haproxy-10.7.7.1.pem ]; then + mkdir -p /etc/haproxy/certs + # generate self signed certificate + openssl req -x509 -nodes -days 700 -newkey rsa:2048 \ + -keyout /tmp/domain.key -out /tmp/domain.crt \ + -subj "/C=CA/ST=Quebec/L=Montreal/O=BigBlueButton Development/OU=bbb-docker/CN=10.7.7.1" + + cat /tmp/domain.key /tmp/domain.crt | tee /etc/haproxy/certs/haproxy-10.7.7.1.pem >/dev/null + fi +else + # obtain certificates from lets encrypt + /certs.sh +fi +supervisord -c /etc/supervisord.conf -n \ No newline at end of file diff --git a/mod/haproxy/haproxy.cfg b/mod/haproxy/haproxy.cfg new file mode 100644 index 00000000..a66c2dd8 --- /dev/null +++ b/mod/haproxy/haproxy.cfg @@ -0,0 +1,80 @@ +global + log stdout format raw local0 debug + + maxconn 20480 + ############# IMPORTANT ################################# + ## DO NOT SET CHROOT OTHERWISE YOU HAVE TO CHANGE THE ## + ## acme-http01-webroot.lua file ## + # chroot /jail ## + ######################################################### + lua-load /etc/haproxy/acme-http01-webroot.lua + # + # SSL options + ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS + ssl-default-bind-options ssl-min-ver TLSv1.2 + tune.ssl.default-dh-param 4096 + + + # workaround for bug #14 (Cert renewal blocks HAProxy indefinitely with Websocket connections) + hard-stop-after 3s + + +# DNS runt-time resolution on backend hosts +resolvers docker + nameserver dns "127.0.0.11:53" + +defaults + log global + mode http + timeout connect 5000ms + timeout client 50000ms + timeout server 50000ms + # option forwardfor + option httplog + + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + + # never fail on address resolution + default-server init-addr last,libc,none + +frontend http + bind *:80,[::]:80 + mode http + acl url_acme_http01 path_beg /.well-known/acme-challenge/ + http-request use-service lua.acme-http01 if METH_GET url_acme_http01 + redirect scheme https code 301 if !{ ssl_fc } + +frontend nginx_or_turn + bind *:443,:::443 ssl crt /etc/haproxy/certs/ ssl-min-ver TLSv1.2 alpn h2,http/1.1,stun.turn + mode tcp + option tcplog + tcp-request content capture req.payload(0,1) len 1 + log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq captured_user:%{+X}[capture.req.hdr(0)]" + tcp-request inspect-delay 30s + # We terminate SSL on haproxy. HTTP2 is a binary protocol. haproxy has to + # decide which protocol is spoken. This is negotiated by ALPN. + # + # Depending on the ALPN value traffic is redirected to either port 82 (HTTP2, + # ALPN value h2) or 81 (HTTP 1.0 or HTTP 1.1, ALPN value http/1.1 or no value) + # If no ALPN value is set, the first byte is inspected and depending on the + # value traffic is sent to either port 81 or coturn. + use_backend nginx-http2 if { ssl_fc_alpn h2 } + use_backend nginx if { ssl_fc_alpn http/1.1 } + use_backend turn if { ssl_fc_alpn stun.turn } + use_backend %[capture.req.hdr(0),map_str(/etc/haproxy/protocolmap,turn)] + default_backend turn + +backend turn + mode tcp + server localhost 10.7.7.1:3478 check + +backend nginx + mode tcp + server localhost 10.7.7.1:48081 send-proxy check + +backend nginx-http2 + mode tcp + server localhost 10.7.7.1:48082 send-proxy check diff --git a/mod/haproxy/protocolmap b/mod/haproxy/protocolmap new file mode 100644 index 00000000..0f85dd0c --- /dev/null +++ b/mod/haproxy/protocolmap @@ -0,0 +1,52 @@ +a nginx +b nginx +c nginx +d nginx +e nginx +f nginx +g nginx +h nginx +i nginx +j nginx +k nginx +l nginx +m nginx +n nginx +o nginx +p nginx +q nginx +r nginx +s nginx +t nginx +u nginx +v nginx +w nginx +x nginx +y nginx +z nginx +A nginx +B nginx +C nginx +D nginx +E nginx +F nginx +G nginx +H nginx +I nginx +J nginx +K nginx +L nginx +M nginx +N nginx +O nginx +P nginx +Q nginx +R nginx +S nginx +T nginx +U nginx +V nginx +W nginx +X nginx +Y nginx +Z nginx \ No newline at end of file diff --git a/mod/html5-dev/Dockerfile b/mod/html5-dev/Dockerfile new file mode 100644 index 00000000..474410af --- /dev/null +++ b/mod/html5-dev/Dockerfile @@ -0,0 +1,13 @@ +ARG BBB_BUILD_TAG +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG + + +# use /tmp as home dir as writeable directory for whatever UID we get +ENV HOME /tmp + +# allow all user to access .nvm in root +RUN chmod 755 /root + +WORKDIR /app +COPY /entrypoint.sh /entrypoint.sh +ENTRYPOINT /entrypoint.sh diff --git a/mod/html5-dev/entrypoint.sh b/mod/html5-dev/entrypoint.sh new file mode 100755 index 00000000..09c1ee18 --- /dev/null +++ b/mod/html5-dev/entrypoint.sh @@ -0,0 +1,11 @@ +set -e + +# enable nvm +. /root/.nvm/nvm.sh + +if [ -n "$1" ]; then + exec "$@" +else + npm install + npm start -- --host 0.0.0.0 +fi \ No newline at end of file diff --git a/mod/html5/Dockerfile b/mod/html5/Dockerfile deleted file mode 100644 index 5f092c0d..00000000 --- a/mod/html5/Dockerfile +++ /dev/null @@ -1,44 +0,0 @@ -ARG BBB_BUILD_TAG -FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder - -# RUN groupadd -g 2000 meteor && useradd -m -u 2001 -g meteor meteor -# USER meteor - -ARG TAG_HTML5 - -COPY --from=source ./ /source -RUN cd /source && meteor npm ci --production \ - && METEOR_DISABLE_OPTIMISTIC_CACHING=1 meteor build --architecture os.linux.x86_64 --allow-superuser --directory /app \ - && rm -rf /source - -RUN cd /app/bundle/programs/server \ - && npm install --production - -RUN mkdir -p /app/bundle/programs/web.browser/app/files && \ - cp /app/bundle/programs/server/npm/node_modules/@fontsource/*/files/*.woff* /app/bundle/programs/web.browser/app/files/ - -RUN sed -i "s/VERSION/$TAG_BBB/" /app/bundle/programs/web.browser/head.html \ - && find /app/bundle/programs/web.browser -name '*.js' -exec gzip -k -f -9 '{}' \; \ - && find /app/bundle/programs/web.browser -name '*.css' -exec gzip -k -f -9 '{}' \; \ - && find /app/bundle/programs/web.browser -name '*.wasm' -exec gzip -k -f -9 '{}' \; - -# ------------------------------ - -FROM node:14.21-bullseye-slim - -RUN apt-get update && apt-get install -y gosu - -# add user & group -RUN groupadd -g 2000 meteor \ - && useradd -m -u 2001 -g meteor meteor - -COPY --from=alangecker/bbb-docker-base-java /usr/local/bin/dockerize /usr/local/bin/dockerize -COPY --from=builder --chown=meteor:meteor /app/bundle /app -COPY entrypoint.sh /entrypoint.sh -COPY bbb-html5.yml /app/bbb-html5.yml.tmpl - -# expose TAG_BBB in container for the version display -ARG TAG_BBB -ENV TAG_BBB $TAG_BBB - -ENTRYPOINT ["/entrypoint.sh"] diff --git a/mod/html5/bbb-html5.yml b/mod/html5/bbb-html5.yml deleted file mode 100644 index 17db5356..00000000 --- a/mod/html5/bbb-html5.yml +++ /dev/null @@ -1,25 +0,0 @@ -public: - app: - html5ClientBuild: {{ .Env.TAG_HTML5 }} - bbbServerVersion: {{ .Env.TAG_HTML5 }}-docker - listenOnlyMode: {{ .Env.LISTEN_ONLY_MODE }} - skipCheck: {{ .Env.DISABLE_ECHO_TEST }} - clientTitle: {{ .Env.CLIENT_TITLE }} - appName: BigBlueButton HTML5 Client (docker) - breakouts: - breakoutRoomLimit: {{ .Env.BREAKOUTROOM_LIMIT }} - kurento: - wsUrl: wss://{{ .Env.DOMAIN }}/bbb-webrtc-sfu - autoShareWebcam: {{ .Env.AUTO_SHARE_WEBCAM }} - skipVideoPreview: {{ .Env.DISABLE_VIDEO_PREVIEW }} - chat: - enabled: {{ .Env.CHAT_ENABLED }} - startClosed: {{ .Env.CHAT_START_CLOSED }} - pads: - url: https://{{ .Env.DOMAIN }}/pad -private: - app: - host: 0.0.0.0 - redis: - host: redis - port: '6379' diff --git a/mod/html5/entrypoint.sh b/mod/html5/entrypoint.sh deleted file mode 100755 index a0cb369a..00000000 --- a/mod/html5/entrypoint.sh +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/bash -set -e - -cd /app -export MONGO_OPLOG_URL=mongodb://10.7.7.6/local -export MONGO_URL=mongodb://10.7.7.6/meteor -export ROOT_URL=http://127.0.0.1/html5client -export NODE_ENV=production -export SERVER_WEBSOCKET_COMPRESSION='{"level":5, "maxWindowBits":13, "memLevel":7, "requestMaxWindowBits":13}' -export BIND_IP=0.0.0.0 -export LANG=en_US.UTF-8 -export INSTANCE_MAX=1 -export ENVIRONMENT_TYPE=production -export NODE_VERSION=node-v14.21.1-linux-x64 -export BBB_HTML5_LOCAL_SETTINGS=/app/bbb-html5.yml - -if [ "$DEV_MODE" == true ]; then - echo "DEV_MODE=true, disable TLS certificate rejecting" - export NODE_TLS_REJECT_UNAUTHORIZED=0 -fi - -if [ "$BBB_HTML5_ROLE" == "backend" ]; then - PARAM=NODEJS_BACKEND_INSTANCE_ID=$INSTANCE_ID -fi - - -# if container is the first frontend, do some additional tasks -if [ "$BBB_HTML5_ROLE" == "frontend" ] && [ "$INSTANCE_ID" == "1" ]; then - - - # copy static files into volume for direct access by nginx - # https://github.com/bigbluebutton/bigbluebutton/issues/10739 - if [ -d "/html5-static" ]; then - rm -rf /html5-static/* - cp -r /app/programs/web.browser/* /html5-static - fi - -fi - -dockerize \ - -template /app/bbb-html5.yml.tmpl:/app/bbb-html5.yml \ - gosu meteor \ - node --max-old-space-size=2048 --max_semi_space_size=128 main.js $PARAM diff --git a/mod/https/force-https.conf b/mod/https/force-https.conf deleted file mode 100644 index b9ad46a6..00000000 --- a/mod/https/force-https.conf +++ /dev/null @@ -1,15 +0,0 @@ -# overwriting force-https.conf from valian/docker-nginx-auto-ssl - -location /bigbluebutton/api/join { - return 301 https://$host$request_uri; -} - -# allow /api calls without redirecting to https -location /bigbluebutton/api { - proxy_pass https://127.0.0.1:443; - proxy_ssl_verify off; -} - -location / { - return 301 https://$host$request_uri; -} diff --git a/mod/https/site-ipv4only.conf b/mod/https/site-ipv4only.conf deleted file mode 100644 index 3ab9c1c8..00000000 --- a/mod/https/site-ipv4only.conf +++ /dev/null @@ -1,33 +0,0 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} - -server { - listen 443 ssl http2 default_server; - - # we at still serve https via IPv6 for the - # case that an AAAA record is set. - listen [::]:443 ssl http2 default_server; - - server_name _; - - include resty-server-https.conf; - - location / { - proxy_http_version 1.1; - proxy_pass http://127.0.0.1:48087; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_cache_bypass $http_upgrade; - - proxy_read_timeout 6h; - proxy_send_timeout 6h; - client_body_timeout 6h; - send_timeout 6h; - } -} diff --git a/mod/https/site.conf b/mod/https/site.conf deleted file mode 100644 index ba81f57b..00000000 --- a/mod/https/site.conf +++ /dev/null @@ -1,33 +0,0 @@ -map $http_upgrade $connection_upgrade { - default upgrade; - '' close; -} -map $remote_addr $endpoint_addr { - "~:" [::1]; - default 127.0.0.1; -} - -server { - listen 443 ssl http2 default_server; - listen [::]:443 ssl http2 default_server; - server_name _; - - include resty-server-https.conf; - - location / { - proxy_http_version 1.1; - proxy_pass http://$endpoint_addr:48087; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_cache_bypass $http_upgrade; - - proxy_read_timeout 6h; - proxy_send_timeout 6h; - client_body_timeout 6h; - send_timeout 6h; - } -} diff --git a/mod/jodconverter/Dockerfile b/mod/jodconverter/Dockerfile deleted file mode 100644 index 8ae7e27c..00000000 --- a/mod/jodconverter/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -FROM ghcr.io/jodconverter/jodconverter-examples:rest -RUN echo "ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true" | debconf-set-selections -RUN sed -i 's/main/main contrib/' /etc/apt/sources.list.d/debian.sources && apt-get update -RUN apt-get update && apt -y install --no-install-recommends \ - fonts-arkpandora \ - fonts-crosextra-carlito \ - fonts-crosextra-caladea \ - fonts-noto \ - fonts-noto-cjk \ - fonts-liberation \ - fontconfig \ - ttf-mscorefonts-installer - - -# avoid "APPLICATION FAILED TO START. Config data location '/etc/app/' does not exist" -# https://github.com/bigbluebutton/docker/issues/178 -CMD ["--spring.config.additional-location=optional:/etc/app/"] \ No newline at end of file diff --git a/mod/livekit/livekit.yaml b/mod/livekit/livekit.yaml new file mode 100644 index 00000000..55653f33 --- /dev/null +++ b/mod/livekit/livekit.yaml @@ -0,0 +1,15 @@ +port: 7880 +log_level: debug +# when enabled, LiveKit will expose prometheus metrics on :6789/metrics +#prometheus_port: 6789 +rtc: + port_range_start: 16384 + port_range_end: 32768 + use_external_ip: false +redis: + # redis is recommended for production deploys + address: redis:6379 + +keys: + # TODO: change keys + TEST: TEST diff --git a/mod/mongo/init-replica.sh b/mod/mongo/init-replica.sh deleted file mode 100755 index 188cddaf..00000000 --- a/mod/mongo/init-replica.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh -set -e - - -host=${HOSTNAME:-$(hostname -f)} - -# shut down again -mongod --pidfilepath /tmp/docker-entrypoint-temp-mongod.pid --shutdown -# restart again binding to 0.0.0.0 to allow a replset with 10.7.7.6 -mongod --oplogSize 8 --replSet rs0 --noauth \ - --config /tmp/docker-entrypoint-temp-config.json \ - --bind_ip 0.0.0.0 --port 27017 \ - --tlsMode disabled \ - --logpath /proc/1/fd/1 --logappend \ - --pidfilepath /tmp/docker-entrypoint-temp-mongod.pid --fork - -# init replset with defaults -mongo 10.7.7.6 --eval "rs.initiate({ - _id: 'rs0', - members: [ { _id: 0, host: '10.7.7.6:27017' } ] -})" - -echo "Waiting to become a master" -echo 'while (!db.isMaster().ismaster) { sleep(100); }' | mongo - -echo "I'm the master!" \ No newline at end of file diff --git a/mod/mongo/mongod.conf b/mod/mongo/mongod.conf deleted file mode 100644 index f7910655..00000000 --- a/mod/mongo/mongod.conf +++ /dev/null @@ -1,33 +0,0 @@ -# mongod.conf - -# for documentation of all options, see: -# http://docs.mongodb.org/manual/reference/configuration-options/ - -storage: - dbPath: /data/db - journal: - enabled: true - wiredTiger: - engineConfig: - cacheSizeGB: 1 - journalCompressor: none - directoryForIndexes: true - collectionConfig: - blockCompressor: none - indexConfig: - prefixCompression: false - - -net: - port: 27017 - bindIp: 0.0.0.0 - - -replication: - replSetName: rs0 - -setParameter: - diagnosticDataCollectionEnabled: false - -security: - javascriptEnabled: false diff --git a/mod/nginx/Dockerfile b/mod/nginx/Dockerfile index 091ebde9..692f88f3 100644 --- a/mod/nginx/Dockerfile +++ b/mod/nginx/Dockerfile @@ -1,20 +1,29 @@ ARG BBB_BUILD_TAG -FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder - -# -------------------- - +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-learning-dashboard COPY --from=src-learning-dashboard / /bbb-learning-dashboard RUN cd /bbb-learning-dashboard && npm ci && npm run build + +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-playback COPY --from=src-playback / /bbb-playback RUN cd /bbb-playback && npm install && npm run-script build +FROM bigbluebutton/bbb-build:$BBB_BUILD_TAG AS builder-html5 +COPY --from=src-html5 / /source +RUN cd /source && CI=true npm ci +RUN cd /source && DISABLE_ESLINT_PLUGIN=true npm run build +RUN find /source/dist -name '*.js' -exec gzip -k -f -9 '{}' \; \ + && find /source/dist -name '*.css' -exec gzip -k -f -9 '{}' \; \ + && find /source/dist -name '*.wasm' -exec gzip -k -f -9 '{}' \; + # -------------------- FROM nginx:1.25-alpine -COPY --from=builder /bbb-learning-dashboard/build /www/learning-analytics-dashboard/ -COPY --from=builder /bbb-playback/build /www/playback/presentation/2.3 +COPY --from=builder-learning-dashboard /bbb-learning-dashboard/build /www/learning-analytics-dashboard/ +COPY --from=builder-playback /bbb-playback/build /www/playback/presentation/2.3 +COPY --from=builder-html5 /source/dist /usr/share/bigbluebutton/html5-client/ COPY ./bbb /etc/nginx/bbb COPY ./bigbluebutton /etc/nginx/conf.d/default.conf +COPY ./bbb-graphql-client-settings-cache.conf /etc/nginx/conf.d/bbb-graphql-client-settings-cache.conf COPY ./nginx.conf /etc/nginx/nginx.conf diff --git a/mod/nginx/bbb-graphql-client-settings-cache.conf b/mod/nginx/bbb-graphql-client-settings-cache.conf new file mode 100644 index 00000000..fbea8b7e --- /dev/null +++ b/mod/nginx/bbb-graphql-client-settings-cache.conf @@ -0,0 +1 @@ +proxy_cache_path /tmp/hasura-client-settings-cache levels=1:2 keys_zone=client_settings_cache:64m inactive=2880m use_temp_path=off; \ No newline at end of file diff --git a/mod/nginx/bbb-html5.dev.nginx b/mod/nginx/bbb-html5.dev.nginx new file mode 100644 index 00000000..17f82bfc --- /dev/null +++ b/mod/nginx/bbb-html5.dev.nginx @@ -0,0 +1,18 @@ +# serve locale index from prebuilt static files +location = /html5client/locales/ { + alias /usr/share/bigbluebutton/html5-client/locales/; + autoindex on; + autoindex_format json; +} + +# running from source (npm start) +location /html5client/ { + rewrite /html5client/(.*) /$1 break; + gzip_static on; + proxy_pass http://10.7.7.1:3000/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; +} + diff --git a/mod/nginx/bbb/bbb-html5.nginx b/mod/nginx/bbb/bbb-html5.nginx index 9b0ab894..e62c0470 100644 --- a/mod/nginx/bbb/bbb-html5.nginx +++ b/mod/nginx/bbb/bbb-html5.nginx @@ -1,49 +1,13 @@ -location @html5client { - proxy_pass http://poolhtml5servers; # use for production - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; +# running in production (static assets) +location /html5client { + gzip_static on; + alias /usr/share/bigbluebutton/html5-client/; + index index.html; + try_files $uri $uri/ =404; } location /html5client/locales { - alias /html5-static/app/locales; -} - -location /html5client/compatibility { - gzip_static on; - alias /html5-static/app/compatibility; -} - -location /html5client/resources { - alias /html5-static/app/resources; -} - -location /html5client/svgs { - alias /html5-static/app/svgs; -} - -location /html5client/fonts { - alias /html5-static/app/fonts; + alias /usr/share/bigbluebutton/html5-client/locales; + autoindex on; + autoindex_format json; } - -location /html5client/files { - alias /html5-static/app/files; -} - -location /html5client/wasm { - types { - application/wasm wasm; - } - gzip_static on; - alias /html5-static/app/wasm; -} - -location /html5client { - gzip_static on; - alias /html5-static; - try_files $uri @html5client; -} - -location /html5client/sockjs { - try_files $uri @html5client; -} \ No newline at end of file diff --git a/mod/nginx/bbb/graphql.nginx b/mod/nginx/bbb/graphql.nginx new file mode 100644 index 00000000..91ca2ff7 --- /dev/null +++ b/mod/nginx/bbb/graphql.nginx @@ -0,0 +1,39 @@ +# Websocket connection +location /graphql { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + #proxy_pass http://bbb-graphql-server:8085; #Hasura (it requires to change the location to /v1/graphql) + proxy_pass http://bbb-graphql-middleware:8378; #Graphql Middleware +} + +#Set cache system for client settings +location /api/rest/clientSettings { + auth_request /bigbluebutton/connection/checkGraphqlAuthorization; + auth_request_set $meeting_id $sent_http_meeting_id; + + proxy_cache client_settings_cache; + proxy_cache_key "$uri|$meeting_id"; + proxy_cache_use_stale updating; + proxy_cache_valid 24h; + proxy_cache_lock on; + add_header X-Cached $upstream_cache_status; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_pass http://bbb-graphql-server:8085; #Hasura +} + +location /api/rest/userMetadata { + auth_request /bigbluebutton/connection/checkGraphqlAuthorization; + auth_request_set $meeting_id $sent_http_meeting_id; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_pass http://bbb-graphql-server:8085; #Hasura +} diff --git a/mod/nginx/bbb/learning-dashboard.nginx b/mod/nginx/bbb/learning-dashboard.nginx index 2b78e2a8..f0b4fc3f 100644 --- a/mod/nginx/bbb/learning-dashboard.nginx +++ b/mod/nginx/bbb/learning-dashboard.nginx @@ -1,8 +1,3 @@ -location ~ /learning-analytics-dashboard/([0-9a-f]+-[0-9]+)/(.*) { - alias /var/bigbluebutton/learning-dashboard/$1/$2; - autoindex off; -} - location /learning-analytics-dashboard/ { alias /www/learning-analytics-dashboard/; autoindex off; diff --git a/mod/nginx/bbb/livekit.nginx b/mod/nginx/bbb/livekit.nginx new file mode 100644 index 00000000..c2955625 --- /dev/null +++ b/mod/nginx/bbb/livekit.nginx @@ -0,0 +1,11 @@ +location /livekit/ { + proxy_pass http://127.0.0.1:7880/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + + proxy_read_timeout 60s; + proxy_send_timeout 60s; + client_body_timeout 60s; + send_timeout 60s; +} diff --git a/mod/nginx/bbb/notes.nginx b/mod/nginx/bbb/notes.nginx index bc37eed2..4965d2d4 100644 --- a/mod/nginx/bbb/notes.nginx +++ b/mod/nginx/bbb/notes.nginx @@ -15,7 +15,7 @@ location /pad/p/ { proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP - proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used + proxy_set_header X-Forwarded-Proto $real_scheme; # for EP to set secure cookie flag when https is used proxy_http_version 1.1; auth_request /bigbluebutton/connection/checkAuthorization; @@ -57,7 +57,7 @@ location /pad/socket.io { proxy_buffering off; proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP - proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used + proxy_set_header X-Forwarded-Proto $real_scheme; # for EP to set secure cookie flag when https is used proxy_set_header Host $host; # pass the host header proxy_http_version 1.1; # recommended with keepalive connections # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html diff --git a/mod/nginx/bbb/presentation-slides.nginx b/mod/nginx/bbb/presentation-slides.nginx index 1ea4c4fa..d90adebb 100644 --- a/mod/nginx/bbb/presentation-slides.nginx +++ b/mod/nginx/bbb/presentation-slides.nginx @@ -20,34 +20,27 @@ # causes tomcat to OOM. (ralam sept 20, 2018) location ~^\/bigbluebutton\/presentation\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/svg\/(?\d+)$ { - default_type image/svg+xml; + default_type image/svg+xml; alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/svgs/slide$page_num.svg; - if ($bbb_loadbalancer_node) { - add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always; - } + add_header 'Access-Control-Allow-Origin' '*' always; } - location ~^\/bigbluebutton\/presentation\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/slide\/(?\d+)$ { - alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/slide-$page_num.swf; - if ($bbb_loadbalancer_node) { - add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always; - } + location ~^\/bigbluebutton\/presentation\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/pdf\/(?[A-Za-z0-9]+)\/annotated_slides.pdf$ { + default_type application/pdf; + alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/pdfs/$job_id/annotated_slides.pdf; + add_header 'Access-Control-Allow-Origin' '*' always; } location ~^\/bigbluebutton\/presentation\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/thumbnail\/(?\d+)$ { - default_type image/png; + default_type image/png; alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/thumbnails/thumb-$page_num.png; - if ($bbb_loadbalancer_node) { - add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always; - } + add_header 'Access-Control-Allow-Origin' '*' always; } location ~^\/bigbluebutton\/presentation\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/(?[A-Za-z0-9\-]+)\/textfiles\/(?\d+)$ { - default_type text/plain; + default_type text/plain; alias /var/bigbluebutton/$meeting_id_2/$meeting_id_2/$pres_id/textfiles/slide-$page_num.txt; - if ($bbb_loadbalancer_node) { - add_header 'Access-Control-Allow-Origin' $bbb_loadbalancer_node always; - } + add_header 'Access-Control-Allow-Origin' '*' always; } diff --git a/mod/nginx/bbb/sip.nginx b/mod/nginx/bbb/sip.nginx deleted file mode 100644 index ee4993e2..00000000 --- a/mod/nginx/bbb/sip.nginx +++ /dev/null @@ -1,15 +0,0 @@ -location /ws { - proxy_pass https://$freeswitch_addr:7443; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Ssl on; - proxy_read_timeout 6h; - proxy_send_timeout 6h; - client_body_timeout 6h; - send_timeout 6h; - - auth_request /bigbluebutton/connection/checkAuthorization; - auth_request_set $auth_status $upstream_status; -} \ No newline at end of file diff --git a/mod/nginx/bbb/web.nginx b/mod/nginx/bbb/web.nginx index 7e6f2090..b7c9e692 100755 --- a/mod/nginx/bbb/web.nginx +++ b/mod/nginx/bbb/web.nginx @@ -92,6 +92,16 @@ proxy_set_header X-Original-URI $request_uri; } + location = /bigbluebutton/connection/checkGraphqlAuthorization { + internal; + proxy_pass http://bbb-web:8090; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Original-URI $request_uri; + # this is required for CORS preflight checks in cluster setup + proxy_set_header X-Original-Method $request_method; + } + location = /bigbluebutton/connection/legacyCheckAuthorization { internal; proxy_pass http://bbb-web:8090; @@ -149,6 +159,18 @@ proxy_set_header X-Original-URI $request_uri; } + location /bigbluebutton/ping { + default_type text/plain; + add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"; + add_header Pragma "no-cache"; + add_header Expires "0"; + # this Header is required for cluster setups as the ping check is a + # CORS request. No cookies are required so we can just allow anyone + # to use this endpoint. + add_header 'Access-Control-Allow-Origin' '*'; + return 200 ""; + } + } location @error403 { diff --git a/mod/nginx/bigbluebutton b/mod/nginx/bigbluebutton index 759278d6..33b3f326 100644 --- a/mod/nginx/bigbluebutton +++ b/mod/nginx/bigbluebutton @@ -1,30 +1,21 @@ -map $remote_addr $freeswitch_addr { - "~:" [::1]; - default 10.7.7.1; -} - -upstream poolhtml5servers { - zone poolhtml5servers 32k; - least_conn; - server 10.7.7.200:4100 fail_timeout=10s max_fails=4 backup; - server 10.7.7.201:4101 fail_timeout=120s max_fails=1; - server 10.7.7.202:4102 fail_timeout=120s max_fails=1; - server 10.7.7.203:4103 fail_timeout=120s max_fails=1; - # TODO: set server list based on NUMBER_OF_FRONTEND_NODEJS_PROCESSES - # server 10.7.7.204:4104 fail_timeout=120s max_fails=1; - # server 10.7.7.205:4105 fail_timeout=120s max_fails=1; - # server 10.7.7.206:4106 fail_timeout=120s max_fails=1; - # server 10.7.7.207:4107 fail_timeout=120s max_fails=1; -} - server { + # proxied from HAProxy + listen 48082 http2 proxy_protocol; + listen 48081 proxy_protocol; + + # optional ports for other reverse proxies listen 48087 default_server; listen [::]:48087 default_server; + server_name _; access_log /dev/stdout; absolute_redirect off; root /www/; + # This variable is used instead of $scheme by bigbluebutton nginx include + # files, so $scheme can be overridden in reverse-proxy configurations. + set $real_scheme $scheme; + # opt-out of google's floc tracking # https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea add_header Permissions-Policy "interest-cohort=()"; diff --git a/mod/nginx/nginx.conf b/mod/nginx/nginx.conf index 993eb826..270b9eae 100644 --- a/mod/nginx/nginx.conf +++ b/mod/nginx/nginx.conf @@ -29,4 +29,25 @@ http { #gzip on; include /etc/nginx/conf.d/*.conf; + + + server { + # additional server only used for greenlight in dev mode + # allows it to use the BBB API without failing + # due to the self signed certificates + # + # all other requests (e.g. /join) is then redirected + listen 48083 http2; + + location /bigbluebutton/api/join { + return 301 https://10.7.7.1$request_uri; + } + location /bigbluebutton/api { + proxy_pass http://127.0.0.1:48087; + } + location / { + return 301 https://10.7.7.1$request_uri; + } + } + } diff --git a/mod/periodic/Dockerfile b/mod/periodic/Dockerfile index 184cc89c..770dcafd 100644 --- a/mod/periodic/Dockerfile +++ b/mod/periodic/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:bullseye-slim +FROM debian:bookworm-slim # -- install docker cli COPY --from=library/docker:latest /usr/local/bin/docker /usr/bin/docker diff --git a/mod/postgres/initdb.sh b/mod/postgres/initdb.sh new file mode 100755 index 00000000..fb0560e5 --- /dev/null +++ b/mod/postgres/initdb.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +set -e +set -u + +function create_user_and_database() { + local database=$1 + echo " Creating user and database '$database'" + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE DATABASE $database; + GRANT ALL PRIVILEGES ON DATABASE $database TO $POSTGRES_USER; +EOSQL +} + +if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then + echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES" + for db in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do + create_user_and_database $db + done + echo "Multiple databases created" +fi \ No newline at end of file diff --git a/mod/recordings/Dockerfile b/mod/recordings/Dockerfile index 9f087630..56c7d9f5 100644 --- a/mod/recordings/Dockerfile +++ b/mod/recordings/Dockerfile @@ -1,5 +1,5 @@ -FROM ruby:2.7-slim-bullseye +FROM ruby:3.0-slim-bullseye # install apt dependencies RUN apt-get update && apt-get install -y \ diff --git a/mod/recordings/supervisord.conf b/mod/recordings/supervisord.conf index 443be88a..22e456d3 100644 --- a/mod/recordings/supervisord.conf +++ b/mod/recordings/supervisord.conf @@ -4,7 +4,7 @@ user=root [program:rasque_workers] command=bundle exec rake -f Rakefile resque:workers directory=/usr/local/bigbluebutton/core/scripts -environment=QUEUE="rap:archive,rap:publish,rap:process,rap:sanity,rap:captions,rap:events",COUNT="1",VVERBOSE="1",HOME="/home/bigbluebutton" +environment=QUEUE="rap:archive,rap:publish,rap:process,rap:sanity,rap:captions,rap:events",COUNT="1",HOME="/home/bigbluebutton" user=bigbluebutton stdout_logfile=/dev/fd/1 stdout_logfile_maxbytes=0 diff --git a/mod/webhooks/Dockerfile b/mod/webhooks/Dockerfile index f0aaa9fa..69272af9 100644 --- a/mod/webhooks/Dockerfile +++ b/mod/webhooks/Dockerfile @@ -1,4 +1,4 @@ -FROM node:18-bullseye-slim AS builder +FROM node:18-bookworm-slim AS builder RUN apt-get update && apt-get install -y git wget @@ -7,12 +7,12 @@ RUN wget -q https://github.com/mikefarah/yq/releases/download/v4.25.1/yq_linux_ && chmod +x /usr/bin/yq COPY --from=src / /bbb-webhooks -RUN cd /bbb-webhooks && npm install --production +RUN cd /bbb-webhooks && npm ci --omit=dev && rm -rf /bbb-webhooks./.git RUN chmod 777 /bbb-webhooks/config # ------------------------------ -FROM node:18-bullseye-slim +FROM node:18-bookworm-slim RUN useradd --uid 2004 --user-group bbb-webhooks COPY --from=builder /usr/bin/yq /usr/bin/yq diff --git a/mod/webhooks/entrypoint.sh b/mod/webhooks/entrypoint.sh index 22107ac0..1cd89e03 100755 --- a/mod/webhooks/entrypoint.sh +++ b/mod/webhooks/entrypoint.sh @@ -3,14 +3,14 @@ set -e TARGET=/bbb-webhooks/config/production.yml cp /bbb-webhooks/config/default.example.yml $TARGET -yq e -i ".bbb.sharedSecret = \"$SHARED_SECRET\"" $TARGET -yq e -i ".bbb.serverDomain = \"$DOMAIN\"" $TARGET -yq e -i ".bbb.auth2_0 = true" $TARGET -yq e -i ".server.bind = \"0.0.0.0\"" $TARGET yq e -i ".hooks.getRaw = false" $TARGET -yq e -i ".redis.host = \"redis\"" $TARGET +yq e -i '.modules."../out/webhooks/index.js".config.getRaw = false' $TARGET export NODE_ENV=production +export REDIS_HOST=redis +export SERVER_DOMAIN=$DOMAIN +export BEARER_AUTH=true +export SERVER_BIND_IP=0.0.0.0 cd /bbb-webhooks node app.js diff --git a/mod/webrtc-sfu/Dockerfile b/mod/webrtc-sfu/Dockerfile index b3f57afe..086b4e96 100644 --- a/mod/webrtc-sfu/Dockerfile +++ b/mod/webrtc-sfu/Dockerfile @@ -18,7 +18,7 @@ RUN cd /app \ # ============================= -FROM node:18-bullseye-slim +FROM node:18-bookworm-slim RUN useradd --uid 2004 --user-group webrtc-sfu ENV NODE_ENV production @@ -27,4 +27,10 @@ RUN mkdir /home/webrtc-sfu && chown -R webrtc-sfu:webrtc-sfu /app/config /home/w USER webrtc-sfu WORKDIR /app + + +COPY config.yaml /etc/bigbluebutton/bbb-webrtc-sfu/production.yml +ENV NODE_ENV=production +ENV NODE_CONFIG_DIR=/app/config/:/etc/bigbluebutton/bbb-webrtc-sfu/ +ENV ALLOW_CONFIG_MUTATIONS=true CMD [ "npm", "start" ] diff --git a/mod/webrtc-sfu/config.yaml b/mod/webrtc-sfu/config.yaml new file mode 100644 index 00000000..e06ea177 --- /dev/null +++ b/mod/webrtc-sfu/config.yaml @@ -0,0 +1,32 @@ +kurento: [] +redisHost: 10.7.7.5 +clientHost: 10.7.7.1 +recordingAdapter: bbb-webrtc-recorder + +mcs-host: 10.7.7.1 +mcs-address: 10.7.7.1 +freeswitch: + ip: 10.7.7.10 + sip_ip: 10.7.7.10 + port: 5066 + esl_ip: 10.7.7.10 + esl_port: 8021 + +log: + # trace|debug|info|warn|error + level: debug + # Whether to log to stdout + stdout: true + # Whether to log to a file + file: false + +mediasoup: + dedicatedMediaTypeWorkers: + audio: auto + workerBalancing: + strategy: least-loaded + + plainRtp: + listenIp: + ip: "0.0.0.0" + announcedIp: "10.7.7.1" \ No newline at end of file diff --git a/repos/bbb-etherpad-plugin b/repos/bbb-etherpad-plugin index 068ded57..927747e0 160000 --- a/repos/bbb-etherpad-plugin +++ b/repos/bbb-etherpad-plugin @@ -1 +1 @@ -Subproject commit 068ded573380087e120713d1ccc3c86713ec8c88 +Subproject commit 927747e0e18500f027a91bea2742e6061d388e28 diff --git a/repos/bbb-pads b/repos/bbb-pads index 433fe4c3..724d55c2 160000 --- a/repos/bbb-pads +++ b/repos/bbb-pads @@ -1 +1 @@ -Subproject commit 433fe4c3934edff36cddcfb1e892e323c2fe75ea +Subproject commit 724d55c26b1c94ea22a85b0c7e064f57b54875cb diff --git a/repos/bbb-playback b/repos/bbb-playback index a8f5a72a..4e11f933 160000 --- a/repos/bbb-playback +++ b/repos/bbb-playback @@ -1 +1 @@ -Subproject commit a8f5a72a7dc55cc8bab6f980035291b6e8fe5de5 +Subproject commit 4e11f9337cecb36400f8c41caa12431b2667d8bb diff --git a/repos/bbb-webhooks b/repos/bbb-webhooks index 7c0cd8e6..a3e2f1fe 160000 --- a/repos/bbb-webhooks +++ b/repos/bbb-webhooks @@ -1 +1 @@ -Subproject commit 7c0cd8e6cad144578598f9fa6ea2d9ab78af560b +Subproject commit a3e2f1fe2f12bd9d0be86a8afac71b2a82455269 diff --git a/repos/bbb-webrtc-recorder b/repos/bbb-webrtc-recorder new file mode 160000 index 00000000..b121d3ca --- /dev/null +++ b/repos/bbb-webrtc-recorder @@ -0,0 +1 @@ +Subproject commit b121d3caa4ff8101e4d9404247686913b1552fe3 diff --git a/repos/bbb-webrtc-sfu b/repos/bbb-webrtc-sfu index c0de0ff3..6fbde34c 160000 --- a/repos/bbb-webrtc-sfu +++ b/repos/bbb-webrtc-sfu @@ -1 +1 @@ -Subproject commit c0de0ff3857146da4924233d36b710874d16a26f +Subproject commit 6fbde34c357ba656741842048e936611faf45a09 diff --git a/repos/bigbluebutton b/repos/bigbluebutton index 5d671b3b..c36e394e 160000 --- a/repos/bigbluebutton +++ b/repos/bigbluebutton @@ -1 +1 @@ -Subproject commit 5d671b3b506712e54093f50c2a4bdb9995982fab +Subproject commit c36e394e4aaa6be6c429222b7c9a86a8945b5563 diff --git a/repos/freeswitch b/repos/freeswitch index 4cb05e7f..a88d069d 160000 --- a/repos/freeswitch +++ b/repos/freeswitch @@ -1 +1 @@ -Subproject commit 4cb05e7f4a23645ec387f3b5391194128be7d193 +Subproject commit a88d069d6ffb74df797bcaf001f7e63181c07a09 diff --git a/repos/tags b/repos/tags index b569c71a..1857b3b7 100644 --- a/repos/tags +++ b/repos/tags @@ -5,9 +5,9 @@ repos/bbb-etherpad-plugin 068ded5 repos/bbb-etherpad-skin 8328b77 -repos/bbb-pads v1.5.2 -repos/bbb-playback v5.0.2 -repos/bbb-webhooks v2.6.1 -repos/bbb-webrtc-sfu v2.12.0 -repos/bigbluebutton v2.7.3 -repos/freeswitch v1.10.10 +repos/bbb-pads v1.5.3 +repos/bbb-playback v5.1.3 +repos/bbb-webhooks v3.3.0 +repos/bbb-webrtc-sfu v2.17.0-alpha.1 +repos/bigbluebutton v3.0.0-beta.5 +repos/freeswitch v1.10.12 diff --git a/sample.env b/sample.env index 49133085..99b654ec 100644 --- a/sample.env +++ b/sample.env @@ -6,15 +6,7 @@ # HTTPS Proxy # fully automated Lets Encrypt certificates ENABLE_HTTPS_PROXY=true -# If your network doesn't allow access to DNS at 8.8.8.8 specify your own resolvers -#RESOLVER_ADDRESS=x.x.x.x - -# coturn (a TURN Server) -# requires either the abhove HTTPS Proxy to be enabled -# or TLS certificates to be mounted to container -ENABLE_COTURN=true -#COTURN_TLS_CERT_PATH= -#COTURN_TLS_KEY_PATH= +LETSENCRYPT_EMAIL=test@example.net # Greenlight Frontend # https://docs.bigbluebutton.org/greenlight/gl-overview.html @@ -49,6 +41,7 @@ ETHERPAD_API_KEY=SuperEtherpadKey RAILS_SECRET=SuperRailsSecret_SuperRailsSecret POSTGRESQL_SECRET=SuperPostgresSecret FSESL_PASSWORD=SuperFreeswitchESLPassword +TURN_SECRET=SuperTurnSecret @@ -68,8 +61,8 @@ STUN_PORT=3478 # TURN SERVER # uncomment and adjust following two lines to add an external TURN server -#TURN_SERVER=turns:turn.example.com:443?transport=tcp -#TURN_SECRET= +#TURN_EXT_SERVER=turns:example.org:443?transport=tcp +#TURN_EXT_SECRET= # Allowed SIP IPs # due to high traffic caused by bots, by default the SIP port is blocked. @@ -82,8 +75,6 @@ SIP_IP_ALLOWLIST= # CUSTOMIZATION # ==================================== -CLIENT_TITLE=BigBlueButton - # use following lines to replace the default welcome message and footer WELCOME_MESSAGE="Welcome to %%CONFNAME%%!

For help on using BigBlueButton see these (short) tutorial videos.

To join the audio bridge click the speaker button. Use a headset to avoid causing background noise for others." WELCOME_FOOTER="This server is running BigBlueButton." @@ -112,52 +103,15 @@ DEFAULT_PRESENTATION=./mod/nginx/default.pdf # - zh-hk-sinmei - Chinese/Hong Kong Sinmei SOUNDS_LANGUAGE=en-us-callie -# set to false to disable listenOnlyMode -LISTEN_ONLY_MODE=true - -# set to true to disable echo test -DISABLE_ECHO_TEST=false - -# set to true to automatically share webcam -AUTO_SHARE_WEBCAM=false - -# set to true to disable video preview for webcam sharing -DISABLE_VIDEO_PREVIEW=false - -# set to false to disable chat -CHAT_ENABLED=true - -# set to true to start chat closed -CHAT_START_CLOSED=false - # set to true to disable announcements "You are now (un-)muted" DISABLE_SOUND_MUTED=false # set to true to disable announcement "You are the only person in this conference" DISABLE_SOUND_ALONE=false -# maximum count of breakout rooms per meeting -# Warning: increasing the limit of breakout rooms per meeting -# can generate excessive overhead to the server. We recommend -# this value to be kept under 12. -BREAKOUTROOM_LIMIT=8 - # set to false to disable the learning dashboard ENABLE_LEARNING_DASHBOARD=true -# ==================================== -# Tuning -# ==================================== -# Default = 2; Min = 1; Max = 4 -# On powerful systems with high number of meetings you can set values up to 4 to accelerate handling of events -NUMBER_OF_BACKEND_NODEJS_PROCESSES=2 - -# Default = 2; Min = 1; Max = 8 -# Set a number between 1 and 4 times the value of NUMBER_OF_BACKEND_NODEJS_PROCESSES where higher number helps with meetings -# stretching the recommended number of users in BigBlueButton -NUMBER_OF_FRONTEND_NODEJS_PROCESSES=2 - - # ==================================== # GREENLIGHT CONFIGURATION # ==================================== diff --git a/scripts/dev b/scripts/dev new file mode 100755 index 00000000..e599ea8a --- /dev/null +++ b/scripts/dev @@ -0,0 +1,70 @@ +#!/bin/bash + +set -e +cd "$(dirname "$0")/.." +. scripts/functions.sh + +ensure_bbbhtml5yml + +create_dev_env () { + cp dev.env .env + sed -i "s/BBB_DEV_UID=.*/BBB_DEV_UID=$(id -u)/" .env + sed -i "s/BBB_DEV_GID=.*/BBB_DEV_GID=$(id -g)/" .env + load_env +} + +if [ -f ".env" ]; then + load_env + if [[ "$DEV_MODE" == "" ]]; then + echo "Error: .env is not configured as a development environment" + echo "" + read -r -p "Should .env be automatically overwritten with a predefined .env? [Y/n]" response + response=${response,,} # tolower + if [[ $response =~ ^(y| ) ]] || [[ -z $response ]]; then + cp .env .env.bak + create_dev_env + else + echo "we can't continue with a .env file configured as a development environment" + exit 1 + fi + fi +else + echo "# creating a .env for the dev setup" + create_dev_env +fi + + +echo "" +echo "# ensure submodules are checked out" +ensure_submodules + +echo "" +echo "# ensure IP in .env is correct" +EXTERNAL_IPv4=$(ip route get 8.8.8.8 | head -1 | awk '{ print $7 }') +echo "The IP of this machine in the local network seems to be" +echo " $EXTERNAL_IPv4" +sed -i "s/EXTERNAL_IPv4=.*/EXTERNAL_IPv4=${EXTERNAL_IPv4}/" .env +sed -i "s/DOMAIN=.*/DOMAIN=${EXTERNAL_IPv4}/" .env + +echo "" +echo "# recreating docker-compose.yml" +./scripts/generate-compose + +echo "" +echo "# rebuilding images" +docker compose build + + +echo "" +echo "============================================" +echo "BBB Development server" +echo "============================================" +echo "API Mate: https://mconf.github.io/api-mate/#server=https://${EXTERNAL_IPv4}/bigbluebutton/api&sharedSecret=SuperSecret" +echo "Greenlight: https://${EXTERNAL_IPv4}/" +echo "Check containers: docker-compose ps" +echo "Rebuilding container: docker-compose up --build CONTAINERNAME" +echo "============================================" + +sleep 1 + +docker compose up \ No newline at end of file diff --git a/scripts/fs_cli b/scripts/fs_cli index de7fc5d5..f252276f 100755 --- a/scripts/fs_cli +++ b/scripts/fs_cli @@ -4,7 +4,7 @@ set -e cd $(dirname $0)/.. # load .env -. functions.sh +. ./scripts/functions.sh load_env -docker compose exec freeswitch /opt/freeswitch/bin/fs_cli -H 10.7.7.1 -p "$FSESL_PASSWORD" +docker compose exec freeswitch /opt/freeswitch/bin/fs_cli -H 10.7.7.10 -p "$FSESL_PASSWORD" $@ diff --git a/scripts/functions.sh b/scripts/functions.sh index 4f42e623..b2a71a03 100644 --- a/scripts/functions.sh +++ b/scripts/functions.sh @@ -1,15 +1,5 @@ function load_env { - FILE=.env - if [ "$BBB_DOCKER_DEV" = "1" ]; then - FILE=dev.env - else - FILE=.env - fi - - if [ -f $FILE ] - then - export $(cat $FILE | sed 's/#.*//g' | grep -v "WELCOME_FOOTER" | grep -v "WELCOME_MESSAGE" | grep -v "CLIENT_TITLE" | xargs) - fi + export $(cat .env | sed 's/#.*//g' | grep -v "WELCOME_FOOTER" | grep -v "WELCOME_MESSAGE" | xargs) } function ensure_submodules { @@ -26,3 +16,14 @@ function ensure_submodules { } +function ensure_bbbhtml5yml { + if [ ! -f conf/bbb-html5.yml ]; then + + cat << EOF > conf/bbb-html5.yml +# this file equals the /etc/bigbluebutton/bbb-html5.yml file referenced in the docs +public: + app: + appName: BigBlueButton HTML5 Client (docker) +EOF + fi +} \ No newline at end of file diff --git a/scripts/generate-compose b/scripts/generate-compose index 6348c9c7..5f61bab2 100755 --- a/scripts/generate-compose +++ b/scripts/generate-compose @@ -7,6 +7,8 @@ cd $(dirname $0)/.. . scripts/functions.sh load_env +ensure_bbbhtml5yml + # check for non-optional environment variables, # which got introduced later and may miss in existing # .env files during upgrades @@ -16,18 +18,11 @@ if [ -z "$EXTERNAL_IPv4" ]; then exit 1 fi -if [ "$ENABLE_COTURN" == true ]; then - if [ -z "$ENABLE_HTTPS_PROXY" ] && [ -z "$COTURN_TLS_CERT_PATH" ]; then - echo "ERROR: coturn requires TLS certificates." - echo "Either enable the https proxy for certificate retrival" - echo "or provide a path to your certificates in .env file." - exit 1 - fi - if [ -z "$ENABLE_HTTPS_PROXY" ] && [ "$DEV_MODE" == true ]; then - echo "ERROR: the https proxy can't get a certificate if ran locally and therefor coturn will never start" - echo "you should disable coturn in .env" +if [ "$ENABLE_HTTPS_PROXY" ] && [ -z "$LETSENCRYPT_EMAIL" ] && [ -z "$DEV_MODE" ]; then + echo "ERROR: LETSENCRYPT_EMAIL is not set in .env" + echo "you need to specify an email adress, otherwise the certificate" + echo "retrieval will fail" exit 1 - fi fi function get_tag { @@ -40,6 +35,9 @@ function get_tag { fi } +# https://hub.docker.com/r/bigbluebutton/bbb-build +BBB_BUILD_TAG=v3.0.x-release--2024-08-30-014114 + docker run \ --rm \ -v $(pwd)/docker-compose.tmpl.yml:/docker-compose.tmpl.yml \ @@ -48,19 +46,20 @@ docker run \ -e TAG_WEBRTC_SFU=$(get_tag repos/bbb-webrtc-sfu) \ -e TAG_WEBHOOKS=$(get_tag repos/bbb-webhooks) \ -e TAG_PLAYBACK=$(get_tag repos/bbb-playback) \ + -e TAG_WEBRTC_RECORDER=$(get_tag repos/bbb-webrtc-recorder) \ -e TAG_PADS=$(get_tag repos/bbb-pads) \ -e COMMIT_ETHERPAD_SKIN=$(get_tag repos/bbb-etherpad-skin) \ -e COMMIT_ETHERPAD_PLUGIN=$(get_tag repos/bbb-etherpad-plugin) \ + -e BBB_BUILD_TAG=${BBB_BUILD_TAG} \ -e DEV_MODE=${DEV_MODE:-false} \ + -e IGNORE_TLS_CERT_ERRORS=${IGNORE_TLS_CERT_ERRORS:-} \ -e EXTERNAL_IPv6=${EXTERNAL_IPv6:-} \ + -e SIP_IP_ALLOWLIST=${SIP_IP_ALLOWLIST:-} \ -e ENABLE_RECORDING=${ENABLE_RECORDING:-false} \ -e ENABLE_HTTPS_PROXY=${ENABLE_HTTPS_PROXY:-false} \ -e ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS:-false} \ - -e ENABLE_COTURN=${ENABLE_COTURN:-false} \ -e ENABLE_GREENLIGHT=${ENABLE_GREENLIGHT:-false} \ -e ENABLE_PROMETHEUS_EXPORTER=${ENABLE_PROMETHEUS_EXPORTER:-false} \ -e ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION=${ENABLE_PROMETHEUS_EXPORTER_OPTIMIZATION:-false} \ - -e NUMBER_OF_BACKEND_NODEJS_PROCESSES=${NUMBER_OF_BACKEND_NODEJS_PROCESSES:-1} \ - -e NUMBER_OF_FRONTEND_NODEJS_PROCESSES=${NUMBER_OF_FRONTEND_NODEJS_PROCESSES:-1} \ jwilder/dockerize -template /docker-compose.tmpl.yml \ > docker-compose.yml diff --git a/scripts/setup b/scripts/setup index 1667c0d7..94927a66 100755 --- a/scripts/setup +++ b/scripts/setup @@ -18,6 +18,8 @@ then exit 1 fi +. scripts/functions.sh +ensure_bbbhtml5yml EXTERNAL_IPv4=$(curl -4 -s https://icanhazip.com) EXTERNAL_IPv6=$(curl -6 -s -m 10 https://icanhazip.com || true) @@ -28,25 +30,15 @@ while [[ ! $greenlight =~ ^(y|n)$ ]]; do done https_proxy="" +LETSENCRYPT_EMAIL="" while [[ ! $https_proxy =~ ^(y|n)$ ]]; do read -p "Should an automatic HTTPS Proxy be included? (y/n): " https_proxy done -coturn="" -while [[ ! $coturn =~ ^(y|n)$ ]]; do - read -p "Should a coturn be included? (y/n): " coturn -done -if [ "$coturn" == "y" ] && [ ! "$https_proxy" == "y" ] +if [ "$https_proxy" == "y" ] then - echo "Coturn needs TLS to function properly." - echo " Since automatic HTTPS Proxy is disabled," - echo " you must provide a relative or absolute path" - echo " to your certificates." - while [[ -z "$CERTPATH" ]]; do - read -p "Please enter path to cert.pem: " CERTPATH - done - while [[ -z "$KEYPATH" ]]; do - read -p "Please enter path to key.pem: " KEYPATH + while [[ ! $LETSENCRYPT_EMAIL =~ ^.+@.+\..+$ ]]; do + read -p "Please enter an Email adress for the Let's Encrypt notifications: " LETSENCRYPT_EMAIL done fi @@ -135,6 +127,7 @@ cp sample.env .env sed -i "s/EXTERNAL_IPv4=.*/EXTERNAL_IPv4=$EXTERNAL_IPv4/" .env sed -i "s/EXTERNAL_IPv6=.*/EXTERNAL_IPv6=$EXTERNAL_IPv6/" .env sed -i "s/DOMAIN=.*/DOMAIN=$DOMAIN/" .env +sed -i "s/.*STUN_IP=.*/STUN_IP=$EXTERNAL_IPv4/" .env if [ ! "$greenlight" == "y" ] then @@ -146,6 +139,9 @@ then sed -i "s/ENABLE_HTTPS_PROXY.*/#ENABLE_HTTPS_PROXY=true/" .env fi +sed -i "s/LETSENCRYPT_EMAIL=.*/LETSENCRYPT_EMAIL=$LETSENCRYPT_EMAIL/" .env + + if [ "$recording" == "y" ] then sed -i "s/#ENABLE_RECORDING.*/ENABLE_RECORDING=true/" .env @@ -157,21 +153,6 @@ then sed -i "s/#RECORDING_MAX_AGE_DAYS=.*/RECORDING_MAX_AGE_DAYS=$recording_max_age_days/" .env fi -if [ "$coturn" == "y" ] -then - sed -i "s/.*TURN_SERVER=.*/TURN_SERVER=turns:$DOMAIN:5349?transport=tcp/" .env - TURN_SECRET=$(head /dev/urandom | tr -dc A-Za-f0-9 | head -c 32) - sed -i "s/.*TURN_SECRET=.*/TURN_SECRET=$TURN_SECRET/" .env - sed -i "s/.*STUN_IP=.*/STUN_IP=$EXTERNAL_IPv4/" .env -else - sed -i "s/ENABLE_COTURN.*/#ENABLE_COTURN=true/" .env -fi - -if [ -n "$CERTPATH" ] && [ -n "$KEYPATH" ] -then - sed -i "s,#COTURN_TLS_CERT_PATH=.*,COTURN_TLS_CERT_PATH=$CERTPATH," .env - sed -i "s,#COTURN_TLS_KEY_PATH=.*,COTURN_TLS_KEY_PATH=$KEYPATH," .env -fi if [ "$prometheus_exporter" == "y" ] then @@ -189,12 +170,16 @@ RANDOM_2=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40) RANDOM_3=$(head /dev/urandom | tr -dc a-f0-9 | head -c 128) RANDOM_4=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40) RANDOM_5=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 40) +TURN_SECRET=$(head /dev/urandom | tr -dc A-Za-f0-9 | head -c 32) + sed -i "s/SHARED_SECRET=.*/SHARED_SECRET=$RANDOM_1/" .env sed -i "s/ETHERPAD_API_KEY=.*/ETHERPAD_API_KEY=$RANDOM_2/" .env sed -i "s/RAILS_SECRET=.*/RAILS_SECRET=$RANDOM_3/" .env sed -i "s/FSESL_PASSWORD=.*/FSESL_PASSWORD=$RANDOM_4/" .env sed -i "s/POSTGRESQL_SECRET=.*/POSTGRESQL_SECRET=$RANDOM_5/" .env +sed -i "s/.*TURN_SECRET=.*/TURN_SECRET=$TURN_SECRET/" .env + ./scripts/generate-compose diff --git a/scripts/upgrade b/scripts/upgrade index 4d403b53..454d02ea 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -19,6 +19,30 @@ else echo "# recreate docker-compose.yml" ./scripts/generate-compose + + echo "" + echo "# checking for old volumes & migrate them" + COMPOSE_PREFIX=$(docker compose config | grep '^name:' | awk '{print $2}') + + function migrate { + VOLUME=${COMPOSE_PREFIX}_${1} + EXISTING=$(docker volume ls | grep $VOLUME | tail -n1 | awk '{print $2}') + if [ -n "$EXISTING" ]; then + # ensure volume is not used + docker compose down --remove-orphans + + echo "Migrating $VOLUME to $2" + docker run --rm -v $VOLUME:/src -v $2:/dest --entrypoint /bin/sh eeacms/rsync -c 'rsync -av /src/ /dest' + docker volume rm $EXISTING + fi + } + migrate bigbluebutton ./data/bigbluebutton + migrate vol-freeswitch ./data/freeswitch-meetings + migrate vol-mediasoup ./data/mediasoup + + # TODO: migrate postgres database + # TODO: migrate greenlight-data + echo "" echo "# pull newest images" docker compose pull --ignore-pull-failures diff --git a/scripts/upgrade-and-build b/scripts/upgrade-and-build index 9543c30f..c4a2644a 100755 --- a/scripts/upgrade-and-build +++ b/scripts/upgrade-and-build @@ -14,11 +14,6 @@ then exit else - - echo "" - echo "# pull newest git submodules" - ./scripts/checkout-submodules - echo "" echo "# recreate docker-compose.yml" ./scripts/generate-compose