From 427275f99e56bcd49b297c5e95b5590401196057 Mon Sep 17 00:00:00 2001
From: Seungmin Kim <8457324+ehfd@users.noreply.github.com>
Date: Sun, 3 Nov 2024 02:45:43 +0900
Subject: [PATCH] Fix host networking in containers

---
 addons/example/selkies-gstreamer-entrypoint.sh | 16 ++++++++--------
 docs/component.md | 2 +-
 docs/firewall.md | 2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/addons/example/selkies-gstreamer-entrypoint.sh b/addons/example/selkies-gstreamer-entrypoint.sh
index 0eac3dc1..e944a543 100755
--- a/addons/example/selkies-gstreamer-entrypoint.sh
+++ b/addons/example/selkies-gstreamer-entrypoint.sh
@@ -54,8 +54,8 @@ echo "# Selkies-GStreamer NGINX Configuration
 server {
 access_log /dev/stdout;
 error_log /dev/stderr;
- listen 8080 $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
- listen [::]:8080 $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
+ listen ${NGINX_PORT:-8080} $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
+ listen [::]:${NGINX_PORT:-8080} $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
 ssl_certificate ${SELKIES_HTTPS_CERT-/etc/ssl/certs/ssl-cert-snakeoil.pem};
 ssl_certificate_key ${SELKIES_HTTPS_KEY-/etc/ssl/private/ssl-cert-snakeoil.key};
 $(if [ \"$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')\" != \"false\" ]; then echo "auth_basic \"Selkies\";"; echo -n " auth_basic_user_file ${XDG_RUNTIME_DIR}/.htpasswd;"; fi)
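Review bot: `${NGINX_PORT:-8080}` is substituted verbatim into the two new `listen` directives with no check that it is a port number, so a set-but-empty or non-numeric value produces a generated nginx config that fails to load, and whatever else the value contains lands unescaped in that file. A guard before the `echo` that builds the config keeps the failure at the entrypoint with a clear message, e.g. `case "${NGINX_PORT:-8080}" in ''|*[!0-9]*) echo "NGINX_PORT must be numeric" >&2; exit 1;; esac`, and the same check is worth applying to `SELKIES_PORT` and `SELKIES_METRICS_HTTP_PORT` in the later hunks of this file. The new expansions use `:-` (fallback on unset or empty) while the adjacent `SELKIES_HTTPS_CERT-…` and `SELKIES_HTTPS_KEY-…` use `-` (fallback only on unset); if that difference is intentional a short comment would save the next reader from "fixing" it. The `echo "…"` command that emits this config starts before the hunk and ends after it.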
@@ -74,7 +74,7 @@ server {
 client_max_body_size 10M;
- proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8081;
+ proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:${SELKIES_PORT:-8081};
 }
 location /turn {
@@ -86,7 +86,7 @@ server {
 client_max_body_size 10M;
- proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8081;
+ proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:${SELKIES_PORT:-8081};
 }
 location /ws {
@@ -106,7 +106,7 @@ server {
 client_max_body_size 10M;
- proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8081;
+ proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:${SELKIES_PORT:-8081};
 }
 location /webrtc/signalling {
@@ -126,7 +126,7 @@ server {
 client_max_body_size 10M;
- proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8081;
+ proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:${SELKIES_PORT:-8081};
 }
 location /metrics {
@@ -153,8 +153,8 @@ rm -rf "${HOME}/.cache/gstreamer-1.0"
 # Start the Selkies-GStreamer WebRTC HTML5 remote desktop application
 selkies-gstreamer \
 --addr="localhost" \
- --port="8081" \
+ --port="${SELKIES_PORT:-8081}" \
 --enable_basic_auth="false" \
 --enable_metrics_http="true" \
- --metrics_http_port="9081" \
+ --metrics_http_port="${SELKIES_METRICS_HTTP_PORT:-9081}" \
 $@
diff --git a/docs/component.md b/docs/component.md
index 24fadee2..a75b361c 100644
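Review bot: The new `--metrics_http_port="${SELKIES_METRICS_HTTP_PORT:-9081}"` makes the backend metrics port configurable, but the nginx `location /metrics {` block that opens at the end of the -126 hunk is not touched by this patch; if its `proxy_pass` still targets a fixed `localhost:9081` (not visible here, and the diffstat's eight changed lines are all accounted for by the listen, proxy_pass and two flag lines), setting `SELKIES_METRICS_HTTP_PORT` silently breaks the metrics proxy, so that line should become `proxy_pass http://localhost:${SELKIES_METRICS_HTTP_PORT:-9081};` as well. The `8081` fallback is now spelled out in five places (the four `proxy_pass` lines in hunks -74, -86, -106, -126 and the `--port` flag here); resolving it once before the config is generated, e.g. `SELKIES_PORT="${SELKIES_PORT:-8081}"` together with `NGINX_PORT` and `SELKIES_METRICS_HTTP_PORT`, keeps the proxy target and the listening backend from diverging if one site is edited later. The `selkies-gstreamer` invocation still ends in an unquoted `$@`; it is pre-existing, but changing it to `"$@"` on a line block you are already editing is cheap and stops word-splitting of caller arguments.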
--- a/docs/component.md
+++ b/docs/component.md
@@ -231,7 +231,7 @@ If UDP cannot be used, at the cost of higher latency and lower performance, omit
 All these ports must be exposed to the internet if you need access over the internet. If you need use TURN within a local network, add `-e SELKIES_TURN_HOST={YOUR_INTERNAL_IP}` with `{YOUR_INTERNAL_IP}` to the internal hostname or IP of the local network. IPv6 addresses must be enclosed with square brackets such as `[::1]`.
-Otherwise, to enable host networking, add `--network=host` to the Docker® command to enable host networking and work around this requirement if your server is not behind a firewall. Note that running multiple desktop containers in one host under this configuration may be problematic and is not recommended. You must also pass a new `DISPLAY` environment variable such as `-e DISPLAY=:22` into the container, that is not used with any other X11 server or container in the same host.
+Otherwise, to enable host networking, add `--network=host` to the Docker® command to enable host networking and work around this requirement if your server is not behind a firewall. Note that running multiple desktop containers in one host under this configuration may be problematic and is not recommended. You must also pass new environment variables such as `-e DISPLAY=:22`, `-e NGINX_PORT=8082`, `-e SELKIES_PORT=8083`, and `-e SELKIES_METRICS_HTTP_PORT=9083` into the container, all not overlapping with any other X11 server or container in the same host.
 If you are behind a reverse proxy or can only expose one HTTP port, you will need to use an external STUN/TURN server capable of `srflx` or `relay` type ICE connections if you use this in a container WITHOUT host networking.
diff --git a/docs/firewall.md b/docs/firewall.md
index 9c9856ed..ec01a27e 100644
--- a/docs/firewall.md
+++ b/docs/firewall.md
@@ -20,7 +20,7 @@ A configuration in your internet router called `Full Cone NAT` (otherwise called
 For an easy fix for containers, add the option `--network=host` to your Docker® command, or add `hostNetwork: true` under your Kubernetes YAML configuration file's pod `spec:` entry, which should be indented in the same depth as `containers:` (note that your cluster may have not allowed this, resulting in an error).
-**Note that running multiple desktop containers in one host under this configuration may be problematic and is not recommended. You must also pass a new `DISPLAY` environment variable such as `-e DISPLAY=:22` into the container, that is not used with any other X11 server or container in the same host.**
+**Note that running multiple desktop containers in one host under this configuration may be problematic and is not recommended. You must also pass new environment variables such as `-e DISPLAY=:22`, `-e NGINX_PORT=8082`, `-e SELKIES_PORT=8083`, and `-e SELKIES_METRICS_HTTP_PORT=9083` into the container, all not overlapping with any other X11 server or container in the same host.**
 This exposes your container to the host network, which disables container network isolation.