    Kopano Meet, Docker + own coturn

    • xplod.ing
      xplod.ing last edited by

      Hi.

      Can anybody tell me how I can use my own turn server with kopano meet in a docker environment?

      I’ve got a working coturn installation (used for matrix/synapse), but I wasn’t able to pass the “turn_uris” into my docker-compose file.

      Does anybody know how to do that? Is there a way to pass the turn uri via variables? Or do I have to create a derivative of the kopano meet image?

      Best regards,
      Dirk

      • fbartels
        fbartels Kopano @xplod.ing last edited by

        Hi @xplod-ing,

        an own turn server can be configured by passing the environment variables turn_uris and turn_server_shared_secret to kwmserver.

        Below you can see how this is done for the Univention Meet app:

        https://github.com/Z-Hub/kopano-apps/blob/6b9ba60ce8fa45787391f69caae9d873926c29fd/kopano-meet/compose#L142-L143

        Regards Felix

        Resources:
        https://kopano.com/blog/how-to-get-kopano/
        https://documentation.kopano.io/
        https://kb.kopano.io/

        Support overview:
        https://kopano.com/support/

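What a TURN shared secret is for, as an added example that is not part of the original post or of Kopano's code: in coturn's `use-auth-secret` mode the signalling server and the TURN server both hold the secret, and the TURN password is an HMAC over a username that carries an expiry time. The secret, user label and timestamps are constructed, and that kwmserver issues credentials in exactly this form is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// turnCredentials derives a time-limited TURN login from the shared secret:
// username = "<unix expiry>:<user>", password = base64(HMAC-SHA1(secret, username)).
func turnCredentials(secret, user string, now time.Time, ttl time.Duration) (string, string) {
	username := strconv.FormatInt(now.Add(ttl).Unix(), 10) + ":" + user
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(username))
	return username, base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// verifyTurnCredentials mirrors the TURN server side: recompute the HMAC with
// its own copy of the secret and reject logins whose expiry has passed.
func verifyTurnCredentials(secret, username, password string, now time.Time) bool {
	expiry, err := strconv.ParseInt(strings.SplitN(username, ":", 2)[0], 10, 64)
	if err != nil || now.Unix() > expiry {
		return false
	}
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(username))
	want := base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return hmac.Equal([]byte(want), []byte(password))
}

func main() {
	secret := "constructed-example-secret" // constructed value, not from the thread
	now := time.Unix(1621707405, 0)        // constructed timestamp
	user, pass := turnCredentials(secret, "guest-1", now, time.Hour)
	fmt.Println("username:", user)
	fmt.Println("password:", pass)
	fmt.Println("same secret:     ", verifyTurnCredentials(secret, user, pass, now))
	fmt.Println("different secret:", verifyTurnCredentials("other-secret", user, pass, now))
	fmt.Println("after expiry:    ", verifyTurnCredentials(secret, user, pass, now.Add(2*time.Hour)))
}
```

A secret that differs between the two sides, or a clock that is far off on either host, makes every relay allocation fail authentication even though the TURN URI itself is reachable.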
        • xplod.ing
          xplod.ing @fbartels last edited by

          @fbartels
          I had the same statements in my docker-compose file (just without oidc_issuer_identifier, enable_mcu_api and pipeline_forced_regexp), but in a different order.

          After inserting your code directly, my turn server is now found.

          Thanks for your help,
          Dirk

          • xplod.ing
            xplod.ing @fbartels last edited by

            @fbartels
            Hmm. Now the coturn server is used, but on the other hand, guest logins won’t work any more.

            Each call to

            https://<domain>/api/kwm/v2/guest/logon
            

            Is terminated with 403 Bad request.
            Strangely, this didn’t occur before enabling the turn server (or the error didn’t occur, because the turn server was missing).

            The kwmserver is attached to an apache webserver as a proxy:

            #kwmserver
            RewriteCond %{HTTP:Connection} Upgrade [NC]
            RewriteCond %{HTTP:Upgrade} websocket [NC]
            RewriteRule /api/kwm/v2/(.*) ws://localhost:8778/api/kwm/v2/$1 [P,L]
            ProxyPass /api/kwm/v2/ http://localhost:8778/api/kwm/v2/ retry=0
            ProxyPass /api/v1/websocket/ http://127.0.0.1:8778/api/v1/websocket/ retry=0
            

            The kwm debug output:

            time="2021-05-22T18:16:45Z" level=debug msg="parsing clients registration conf from /kopano/ssl/konnectd-identifier-registration.yaml"
            time="2021-05-22T18:16:45Z" level=debug msg="registered client" application_type=web client_id="kpop-https://<url>/meet/" insecure=false origins="[]" trusted=true
            time="2021-05-22T18:16:45Z" level=warning msg="admin: using random admin tokens singing key - API endpoint admin disabled"
            time="2021-05-22T18:16:45Z" level=info msg="pattern \"‘^group/public/.*\" public guest rooms enabled" manager=guest
            time="2021-05-22T18:16:45Z" level=info msg="guest: API endpoint enabled"
            time="2021-05-22T18:16:45Z" level=info msg="pattern \"@conference/.*\" forced pipline channels enabled" manager=rtm
            time="2021-05-22T18:16:45Z" level=info msg="rtm: API endpoint enabled"
            time="2021-05-22T18:16:45Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8778"
            time="2021-05-22T18:16:45Z" level=info msg="ready to handle requests"
            time="2021-05-22T18:18:57Z" level=debug msg="guest handler logon request" guest=null manager=guest
            time="2021-05-22T18:18:58Z" level=debug msg="guest handler logon request" guest=null manager=guest
            time="2021-05-22T18:22:52Z" level=debug msg="guest handler logon request" guest=null manager=guest
            time="2021-05-22T18:22:52Z" level=debug msg="guest handler logon request" guest=null manager=guest
            

            Do you know where this error comes from, and can help me to get rid of it?

            • fbartels
              fbartels Kopano @xplod.ing last edited by

              @xplod-ing said in Kopano Meet, Docker + own coturn:

              Is terminated with 403 Bad request.

              403 usually means forbidden, which means that the user was not allowed to login. Can you post your complete compose file to make sure you did not accidentally disable guest logons? What is logged in Konnect and Kwmserver at startup?

              Configuring a turn server has no direct relation to guest logins, so enabling one cannot affect the other.

              Regards Felix

              • xplod.ing
                xplod.ing @fbartels last edited by xplod.ing

                @fbartels
                I uploaded the current configuration (with all security related settings removed, I hope) on a gitea server:
                https://gitea.xplod.de/XploD/Kopano

                (In the meantime, I have removed the web-net network, so that all components are created with kopano-net attached, but this didn’t remove the problem)

                Thanks,
                Dirk

                • fbartels
                  fbartels Kopano @xplod.ing last edited by

                  @xplod-ing said in Kopano Meet, Docker + own coturn:

                  https://gitea.xplod.de/XploD/Kopano

                  what about startup logging?

                  Regards Felix

                  • xplod.ing
                    xplod.ing @fbartels last edited by

                    @fbartels
                    Konnect:

                    2021/05/25 18:23:51 Waiting for: file:///etc/machine-id
                    2021/05/25 18:23:51 Waiting for: file:///var/lib/dbus/machine-id
                    2021/05/25 18:23:52 File file:///var/lib/dbus/machine-id had been generated
                    2021/05/25 18:23:52 File file:///etc/machine-id had been generated
                    + exec konnectd serve '--signing-private-key=/kopano/ssl/konnectd-tokens-signing-key.pem' '--encryption-secret=/kopano/ssl/konnectd-encryption.key' --identifier-registration-conf /kopano/ssl/konnectd-identifier-registration.yaml --identifier-scopes-conf /etc/kopano/konnectd-identifier-scopes.yaml '--iss=https://url.de' '--log-level=debug' --allow-client-guests --allow-dynamic-client-registration kc
                    time="2021-05-25T18:23:52Z" level=info msg="serve start"
                    time="2021-05-25T18:23:52Z" level=info msg="client controlled guests are enabled"
                    time="2021-05-25T18:23:52Z" level=info msg="dynamic client registration is enabled"
                    time="2021-05-25T18:23:52Z" level=info msg="loading encryption secret from file" file=/kopano/ssl/konnectd-encryption.key
                    time="2021-05-25T18:23:52Z" level=info msg="loading signing key" path=/kopano/ssl/konnectd-tokens-signing-key.pem
                    time="2021-05-25T18:23:52Z" level=debug msg="loaded signer key" kid=konnect-20210522-0039 path=/kopano/ssl/konnectd-tokens-signing-key.pem
                    time="2021-05-25T18:23:52Z" level=warning msg="skipped as signer with same kid already loaded" kid=konnect-20210522-0039 path=/kopano/ssl/konnectd-tokens-signing-key.pem
                    time="2021-05-25T18:23:52Z" level=info msg="encryption set up with 32 key size"
                    time="2021-05-25T18:23:52Z" level=debug msg="parsing identifier registration conf from /kopano/ssl/konnectd-identifier-registration.yaml"
                    time="2021-05-25T18:23:52Z" level=debug msg="registered client" application_type=web client_id="kpop-https://url.de/meet/" insecure=false origins="[https://url.de]" redirect_uris="[https://url.de/meet/]" trusted=true with_client_secret=false
                    time="2021-05-25T18:23:52Z" level=debug msg="parsing authorities registration conf from /kopano/ssl/konnectd-identifier-registration.yaml"
                    time="2021-05-25T18:23:52Z" level=warning msg="limiting access token duration to 240 seconds because of lower KOPANO_SERVER_SESSION_TIMEOUT"
                    time="2021-05-25T18:23:52Z" level=info msg="kc server identifier backend connection set up" client="KCC(<socket:/run/kopano/server.sock>)"
                    time="2021-05-25T18:23:52Z" level=debug msg="parsing scopes conf from /etc/kopano/konnectd-identifier-scopes.yaml"
                    time="2021-05-25T18:23:52Z" level=debug msg="registered scope" id=kopano/gc priority=0
                    time="2021-05-25T18:23:52Z" level=debug msg="registered scope" id=kopano/kwm priority=0
                    time="2021-05-25T18:23:52Z" level=debug msg="registered scope" id=kopano/kvs priority=0
                    time="2021-05-25T18:23:52Z" level=debug msg="registered scope" id=kopano/pubs priority=0
                    time="2021-05-25T18:23:52Z" level=info msg="identifier set up" security="A256GCM:A256GCMKW"
                    time="2021-05-25T18:23:52Z" level=info msg="using identifier backed identity manager"
                    time="2021-05-25T18:23:52Z" level=info msg="identity manager set up" claims="[name family_name given_name email email_verified]" name=kc scopes="[offline_access email konnect/id kopano/kvs kopano/pubs profile konnect/raw_sub kopano/gc kopano/kwm konnect/uuid]"
                    time="2021-05-25T18:23:52Z" level=info msg="identity guest manager set up"
                    time="2021-05-25T18:23:52Z" level=info msg="set provider signing alg" alg=PS256
                    time="2021-05-25T18:23:52Z" level=info msg="set provider signing key" id=konnect-20210522-0039 method="*jwt.SigningMethodRSAPSS" type="*rsa.PrivateKey"
                    time="2021-05-25T18:23:52Z" level=info msg="set provider validation key" id=konnect-20210522-0039 type="*rsa.PublicKey"
                    time="2021-05-25T18:23:52Z" level=info msg="set provider validation key" id=default type="*rsa.PublicKey"
                    time="2021-05-25T18:23:52Z" level=info msg="oidc token signing default set up" alg=PS256 id=konnect-20210522-0039 method="*jwt.SigningMethodRSAPSS"
                    time="2021-05-25T18:23:52Z" level=info msg="serve started"
                    time="2021-05-25T18:23:52Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8777"
                    time="2021-05-25T18:23:52Z" level=info msg="ready to handle requests"
                    

                    KwmServer:

                    2021/05/25 18:24:01 Ready: file:///var/lib/dbus/machine-id.
                    2021/05/25 18:24:01 Ready: file:///etc/machine-id.
                    + registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
                    + exec /usr/local/bin/docker-entrypoint.sh serve --registration-conf /kopano/ssl/konnectd-identifier-registration.yaml '--log-level=debug' '--iss=https://url.de' --enable-guest-api '--turn-service-url=xplod.de:3478' '--turn-service-credentials=/tmp/turn_service_credentials' '--turn-server-shared-secret=/tmp/turn_server_shared_secret_file' '--turn-uri=turn:url.de:3478?transport=udp' '--public-guest-access-regexp="‘^group/public/.*"' '--pipeline-forced-regexp="@conference/.*"'
                    time="2021-05-25T18:24:01Z" level=info msg="serve start"
                    time="2021-05-25T18:24:01Z" level=info msg="using external TURN service: url.de:3478"
                    time="2021-05-25T18:24:01Z" level=info msg="serve started"
                    time="2021-05-25T18:24:01Z" level=debug msg="OIDC provider initialized" iss="https://url.de"
                    time="2021-05-25T18:24:01Z" level=debug msg="TURN credentials support enabled" uris="[turn:url.de:3478?transport=udp]"
                    time="2021-05-25T18:24:01Z" level=debug msg="parsing clients registration conf from /kopano/ssl/konnectd-identifier-registration.yaml"
                    time="2021-05-25T18:24:01Z" level=debug msg="registered client" application_type=web client_id="kpop-https://url.de/meet/" insecure=false origins="[]" trusted=true
                    time="2021-05-25T18:24:01Z" level=warning msg="admin: using random admin tokens singing key - API endpoint admin disabled"
                    time="2021-05-25T18:24:01Z" level=info msg="pattern \"‘^group/public/.*\" public guest rooms enabled" manager=guest
                    time="2021-05-25T18:24:01Z" level=info msg="guest: API endpoint enabled"
                    time="2021-05-25T18:24:01Z" level=info msg="pattern \"@conference/.*\" forced pipline channels enabled" manager=rtm
                    time="2021-05-25T18:24:01Z" level=info msg="rtm: API endpoint enabled"
                    time="2021-05-25T18:24:01Z" level=info msg="starting http listener" listenAddr="0.0.0.0:8778"
                    time="2021-05-25T18:24:01Z" level=info msg="ready to handle requests"
                    time="2021-05-25T18:24:19Z" level=debug msg="websocket rtm connect" manager=rtm rtm_connection=1 user_id=(main user)
                    time="2021-05-25T18:24:19Z" level=debug msg="user is now active" manager=rtm user_id=(main user)
                    time="2021-05-25T18:24:19Z" level=debug msg="websocket rtm connect done" manager=rtm rtm_connection=1 user_id=(main user)
                    
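The KwmServer startup line above passes `--public-guest-access-regexp` and `--pipeline-forced-regexp` with quote characters as part of the value, and the "pattern" log lines echo them back. This added example (not from the thread or from Kopano's code) checks what such a value can match under Go's `regexp`; the room names are constructed, and that kwmserver applies the pattern with an unanchored match is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Flag values copied from the KwmServer startup line in the post above.
const (
	loggedGuestPattern    = `"‘^group/public/.*"`
	loggedPipelinePattern = `"@conference/.*"`
)

// stripWrappers removes straight and typographic quote characters from both
// ends of a pattern, which is what the value looks like without the wrapping.
func stripWrappers(p string) string {
	return strings.Trim(p, "\"'‘’“”")
}

// matches reports whether pattern matches room (assumed unanchored match).
func matches(pattern, room string) bool {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false
	}
	return re.MatchString(room)
}

// audit reports whether a pattern carries wrapper characters and how many of
// the given room names it matches.
func audit(pattern string, rooms []string) (wrapped bool, hits int) {
	wrapped = stripWrappers(pattern) != pattern
	for _, r := range rooms {
		if matches(pattern, r) {
			hits++
		}
	}
	return
}

func main() {
	rooms := []string{"group/public/standup", "group/private/board"} // constructed
	for _, p := range []string{loggedGuestPattern, stripWrappers(loggedGuestPattern)} {
		wrapped, hits := audit(p, rooms)
		fmt.Printf("%-24q wrapped=%v matches=%d/%d\n", p, wrapped, hits, len(rooms))
	}
}
```

With the quotes included, `^` sits after two literal characters and can never be satisfied, so the pattern matches no room name at all; comparing the pattern in the startup log against the value intended in the compose file is a quick check for this kind of quoting slip.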
                    • fbartels
                      fbartels Kopano @xplod.ing last edited by

                      @xplod-ing hmm… that looks all correct. Not quite sure why logins then don’t work on your system. I am guessing there is no further logging upon a denied client login?

                      If you have a subscription I would recommend to get in direct contact with the Kopano support, so that someone could have a direct look at your system.

                      Regards Felix
