diff --git a/CHANGELOG.md b/CHANGELOG.md
index f69d25270..fd7072fa5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -582,7 +582,7 @@ Large Coturn deployments (with a huge range of ports specified via `matrix_cotur
 Such deployments don't need to run Coturn within a private container network anymore. Coturn can now run with host-networking by using configuration like this:
 ```yaml
-matrix_coturn_docker_network: host
+matrix_coturn_container_network: host
 ```
 With such a configuration, **Docker no longer needs to configure thousands of firewall forwarding rules** each time Coturn starts and stops.
diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml
index 3080bbd21..cb2425396 100644
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@@ -22,13 +22,17 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith('
 # Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
 # possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
 #
-# Setting `matrix_coturn_docker_network` to 'host' will run the container with host networking,
+# Setting `matrix_coturn_container_network` to 'host' will run the container with host networking,
 # which will drastically improve performance when thousands of ports are opened due to Docker not having to set up forwarding rules for each port.
 # Running with host networking can be dangerous, as it potentially exposes your local network and its services to Coturn peers.
 # Regardless of the networking mode, we apply a deny list which via `matrix_coturn_denied_peer_ips`,
 # which hopefully prevents access to such private network ranges.
 # When running in host-networking mode, you need to adjust the firewall yourself, so that ports are opened.
-matrix_coturn_docker_network: "matrix-coturn"
+matrix_coturn_container_network: "matrix-coturn"
+
+matrix_coturn_container_additional_networks: "{{ matrix_coturn_container_additional_networks_auto + matrix_coturn_container_additional_networks_custom }}"
+matrix_coturn_container_additional_networks_auto: []
+matrix_coturn_container_additional_networks_custom: []
 
 matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
 matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
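Review bot: The three new `matrix_coturn_container_additional_networks*` keys are added without any comment, while every neighbouring setting in this file carries one, so a reader cannot tell what belongs in `_custom`, who is expected to fill `_auto`, or that the listed networks must already exist (setup_install.yml only creates `matrix_coturn_container_network`). Attaching Coturn to further networks widens what its relay can reach, and from this file the only thing limiting that reach is the `matrix_coturn_denied_peer_ips`/`matrix_coturn_allowed_peer_ips` pair described in the comment above, so the documentation should say so. I would add a comment block above `matrix_coturn_container_additional_networks` stating that it is the list of extra Docker networks the container is connected to before it starts, that `_auto` is reserved for the playbook and `_custom` for the operator, that this role does not create these networks, and that hosts on them become candidate relay peers unless the deny list covers them (private ranges are denied by default, per the comment further down in this file).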
@@ -50,12 +54,12 @@ matrix_coturn_container_extra_arguments: []
 # Controls whether the Coturn container exposes its plain STUN port (tcp/3478 and udp/3478 in the container).
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
-matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_docker_network != 'host' else '' }}"
+matrix_coturn_container_stun_plain_host_bind_port: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"
 
 # Controls whether the Coturn container exposes its TLS STUN port (tcp/5349 and udp/5349 in the container).
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:5349"), or empty string to not expose.
-matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_docker_network != 'host' else '' }}"
+matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_container_network != 'host' else '' }}"
 
 # Controls whether the Coturn container exposes its TURN UDP port range and which interface to do it on.
 #
@@ -63,7 +67,7 @@ matrix_coturn_container_stun_tls_host_bind_port: "{{ '5349' if matrix_coturn_doc
 # Takes a null/none value (`~`) or 'none' (as a string) to prevent listening.
 #
 # The UDP port-range itself is specified using `matrix_coturn_turn_udp_min_port` and `matrix_coturn_turn_udp_max_port`.
-matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_docker_network != 'host' else 'none' }}"
+matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_container_network != 'host' else 'none' }}"
 
 # UDP port-range to use for TURN
 matrix_coturn_turn_udp_min_port: 49152
@@ -97,7 +101,7 @@ matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_retries_del matrix_coturn_allowed_peer_ips: [] # We block loopback interfaces and private networks by default to prevent private resources from being accessible. -# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_docker_network: host`). +# This is especially important when Coturn does not run within a container network (e.g. `matrix_coturn_container_network: host`). # # Learn more: https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/ # diff --git a/roles/custom/matrix-coturn/tasks/setup_install.yml b/roles/custom/matrix-coturn/tasks/setup_install.yml index fbeba92d2..0969260a6 100644 --- a/roles/custom/matrix-coturn/tasks/setup_install.yml +++ b/roles/custom/matrix-coturn/tasks/setup_install.yml @@ -95,9 +95,9 @@ group: "{{ matrix_user_groupname }}" - name: Ensure Coturn network is created in Docker - when: matrix_coturn_docker_network not in ['', 'host'] + when: matrix_coturn_container_network not in ['', 'host'] community.docker.docker_network: - name: "{{ matrix_coturn_docker_network }}" + name: "{{ matrix_coturn_container_network }}" driver: bridge - name: Ensure matrix-coturn.service installed diff --git a/roles/custom/matrix-coturn/tasks/validate_config.yml b/roles/custom/matrix-coturn/tasks/validate_config.yml index 90e842e13..19ddb6e13 100644 --- a/roles/custom/matrix-coturn/tasks/validate_config.yml +++ b/roles/custom/matrix-coturn/tasks/validate_config.yml 
@@ -1,5 +1,14 @@ --- +- name: (Deprecation) Catch and report renamed Coturn settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`). + when: "item.old in vars" + with_items: + - {'old': 'matrix_coturn_docker_network', 'new': 'matrix_coturn_container_network'} + - name: Fail if required Coturn settings not defined ansible.builtin.fail: msg: >- diff --git a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 index 3354d3693..c72f2bc08 100644 --- a/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 +++ b/roles/custom/matrix-coturn/templates/systemd/matrix-coturn.service.j2 @@ -13,7 +13,9 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true' ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true' -ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-coturn \ +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name=matrix-coturn \ --log-driver=none \ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ --cap-drop=ALL \ 
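Review bot: The new deprecation task iterates with `with_items:`, the legacy lookup-style loop, where current Ansible and ansible-lint recommend `loop:`; for a plain list of mappings the one-word change `loop:` keeps the item shape identical. The flow-style `{'old': …, 'new': …}` entry is fine for a single rename, but a block-style mapping per item will diff more cleanly if further renames are appended to this list later. The folded `msg: >-` is the right scalar style for the multi-sentence message.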
@@ -21,7 +23,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name --entrypoint=turnserver \ --read-only \ --tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \ - --network={{ matrix_coturn_docker_network }} \ + --network={{ matrix_coturn_container_network }} \ {% if matrix_coturn_container_stun_plain_host_bind_port != '' %} -p {{ matrix_coturn_container_stun_plain_host_bind_port }}:3478 \ -p {{ matrix_coturn_container_stun_plain_host_bind_port }}:3478/udp \ @@ -43,6 +45,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name {{ matrix_coturn_docker_image }} \ -c /turnserver.conf +{% for network in matrix_coturn_container_additional_networks %} +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-coturn +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-coturn + ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-coturn 2>/dev/null || true' ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-coturn 2>/dev/null || true'
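Review bot: The `docker network connect` loop runs for every entry of `matrix_coturn_container_additional_networks` regardless of `matrix_coturn_container_network`, yet Docker rejects connecting a container created with `--network=host` to any other network, so a deployment that combines host networking (which this role's defaults explicitly document as supported) with a non-empty additional-networks list will fail at `ExecStartPre` on every start. Leaving this `ExecStartPre=` without the `-` prefix used on the stop/rm lines is the right choice — a missing or unconnectable network should abort the start rather than silently leave Coturn on fewer networks than configured — but the host case deserves an explicit, explained rejection instead of a Docker error. The simplest fix is a task in validate_config.yml that fails with `when: matrix_coturn_container_network == 'host' and matrix_coturn_container_additional_networks | length > 0`, or at minimum wrapping the loop in `{% if matrix_coturn_container_network != 'host' %}` … `{% endif %}`. The `docker create` invocation whose option list this hunk closes starts in an earlier hunk, outside this one.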