Few debian updates #5729
turnserver still does not work on Debian10 because of permissions ... #5714
I will push that commit from the other PR here just to test it.
Finally I made it work :)
@saghul I think this and the meta-package PR are all the known problems so far fixed. I was able to repro several times the re-ordering of the installing packets on Debian10 and with these PRs it is fixed.
LGTM! Question: didn’t we want to drop support for prosody-trunk?
Commit debian: Update coturn udp port to non-privileged one. misses the explanation, why this change is good. The whole point of using the TURN server Coturn is for users behind Firewalls with only ports 80 and 443 open, isn’t it?
No, it isn't. If 2 participants are behind symmetric NATs they will need TURN to establish a P2P session. The reuse of ports 80 / 443 is indeed nice to try and circumvent spartan firewalls, but the problem here is that Debian 10 doesn't have the capability to bind to privileged ports set on their unit file, and hacking it ourselves is just not nice. This is just our default, you are welcome to make changes to your installation of course.
I’d prefer if the scripts would create a drop-in snippet for Coturn.
( |
We have spent countless hours trying to get this right, we'll just land it as is.
I am sorry, that you had to spend so much time with this, and thank you for supporting Jitsi users. What is the actual problem of sharing the port? The commit message and pull request description do not mention this.
The issue is here: #5529 TLDR: There are two problems:
|
|
||
# create a directory to store certs if it does not exists | ||
if [ ! -d "$COTURN_CERT_DIR" ]; then | ||
mkdir -p /etc/coturn/certs |
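Review bot: the `mkdir -p /etc/coturn/certs` line hard-codes a path while the test one line above checks `"$COTURN_CERT_DIR"`. If the variable ever points somewhere else, the check and the creation diverge and the directory that was tested for is never created. Suggest `mkdir -p "$COTURN_CERT_DIR"`. Since the comment says this directory stores certs, also consider giving it an explicit mode instead of relying on the umask, in case key material ends up there.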
Use the variable COTURN_CERT_DIR here?
|
||
for domain in $RENEWED_DOMAINS; do | ||
case $domain in | ||
jitsi-meet.example.com) |
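Review bot: the case pattern `jitsi-meet.example.com)` is a literal placeholder, and nothing in the visible lines says who replaces it. If it is left unchanged, no entry in `$RENEWED_DOMAINS` will match this branch and the hook does nothing for the renewed domain without reporting it. Suggest a comment above the `case` stating what substitutes the real domain.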
Add a comment that this is updated/replaced with the correct domain by the install script?
Thank you for the summary.
Instead of changing to an unprivileged port, I am proposing to extend Coturn’s service unit to give the needed capability to bind to a privileged port to keep “The reuse of ports 80 / 443 is indeed nice to try and circumvent spartan firewalls,” working.
Yes, fixed by commit add scripts for deploying coturn with certbot.
The problem is not with sharing, it's with coturn not being able to bind to a privileged port by default, on Debian 10. This is not the case on Ubuntu for example.
Oh, there are more cases here with this turn ... if we skip its configuration, actually it is installed ... we may need to just configure it on another port (change prosody config) ...
Do you mean problems? Which are those?
What do you mean? The package coturn was always installed, wasn’t it?
Why? To fix what problems? PS: It’s quite hard to help in any way with these terse (short) comments.
Yeah, sorry for those. They were more like self notes and @saul notes. Even when we skip configuring coturn it is installed as it is a dependency of this package. And we still advertise it.
I was also to leave and coturn and for apache on the non standard port.
I did a few more changes. Hope those are the last ones. I will be testing those now.
Jenkins, skip ci.
@paulmenzel I think everything is covered now. If you can take a look. @saghul will also take a look and approve. But I think this is it and this will go to stable fixing all discovered issues with the packaging.
Awesome work @damencho !
* debian: Update coturn udp port to non-privileged one.
* debian: Turnserver config requires jitsi-meet-web-config files.
* doc: Updates doc, removing `--no-install-recommends`.
* debian: Moves checks and configs to default to prosody 0.11.
* debian: Disable room locking on internal muc.
* add scripts for deploying coturn with certbot
* turnserver: Removes unused variable showing error.
* debian: updates let's encrypt and coturn scripts.
* debian: Detect failure to retrieve external ip address.
* debian: Always configure turn when the turnserver package is installed.

Co-authored-by: Julien Fastré <[email protected]>
Please have a look at my comment in the 'Move UDP port to 4446' thread: #5714 (comment) STUN and TURN have officially designated ports, I just submitted a PR for this: #6172
We are discussing this already, to drop the nginx multiplexing and just leave a documentation how to do it. And when this happens we will install and configure turnserver by default even with apache and leave ports on their defaults. We just haven't been able to work on that.
@damencho please fix it ASAP since it broke me 2 servers while reloading NGINX
What broke is more important, as it should not break anything at the moment.
And it will break if I didn't make my own fix xD
The current stable detects and if there is already a host listening to 443 the multiplexing is skipped.
@RubensRainelli, can you please create an issue with more context and refer to this merge/pull request as the “culprit”? |
No description provided.