Now that TCP harvester is disabled, document how to set up TURN correctly

[cedricroijakkers]

Since commit 7a939785, TCP support in JVB is disabled because it is not well tested. We rely on TCP almost exclusively because of various network reasons I won't go into detail on. It works flawlessly by the way.

The commit message says to use TURN. There is some documentation in the handbook (https://jitsi.github.io/handbook/docs/devops-guide/turn) on how to do this, but this is only applicable to a non-docker installation.

Can someone please create the necessary documentation on how to have all Jitsi traffic flow over TCP when using a Docker/Kubernetes setup? If possible, be a bit more specific than "it assumes a properly configured TURN server, and a properly configured XMPP server".

That, or at least allow the possibility to still use TCP in the mean time.

[saghul]

Here is how to connect an external TURN server: https://github.com/jitsi/docker-jitsi-meet/blob/1b51c777963634d8acacd0321ae2449dbdedf2bd/env.example#L370

Might be a good time to give that coturn PR one final push.

[cedricroijakkers]

I've managed to set up a fully working stack of Jitsi and coturn in a managed Azure Kubernetes cluster, with UDP connectivity and TCP fallback (via the TURN server) support (and thus working around the issue that Kubernetes cannot create a LoadBalancer service with both TCP and UDP ports).

I will clean up my manifest files a little bit and then create a pull request with the full documentation if someone is interested in getting this up and running.

I've only tested it on Azure, but with minimal adjustments it should just as well work on an AWS managed Kubernetes cluster, or any other cloud provider for that matter. And it uses all built-in cloud components, and does not require trickery like setting up your own load balancer and such. Only requirement so far is 3 distinct IP addresses:

• One for the http/https web pages (this can be combined with an ingress server if your Kubernetes cluster is running other web services)
• One for the JVP UDP video port (by default on UDP port 10000)
• One for the TURN server (this can be hosted on the same cluster, or somewhere totally different)

[santavizma]

@cedricroijakkers Can You share link to documentation as described above? Thank You.

[cedricroijakkers]

@santavizma I haven't come around to clean up my files yet, but the gist of it is the following:

You need to deploy Jitsi itself of course (I have k8s deployments of jicofo, jvb, prosody, and web), and you need to deploy a coturn server too. This last one is optional, but if you wish to have people connect who cannot reach the internet with UDP (i.e. behind a https proxy), they will not be able to connect to your rooms.

Secondly, you need the following set of services:

• web and xmpp as ClusterIP services, pointing to your web and prosody deployments respectively
• coturn and jvb as LoadBalancer deployments

The coturn service listens on port 443/tcp and directs traffic to your coturn deployment. Reserve a public IP for this service and write it down. The jvb service listens in port 10000/udp and directs traffic to your jvb deployment. Reserve a public IP for this one too and create a DNS record for it.

In your Jitsi configmap, set the following settings:

• JVB_ADVERTISE_IPS to the IP address of your jvb service
• TURNS_HOST to the DNS record you created for your coturn service
• TURNS_PORT to 443, the port your coturn service listens on (it's recommended to set this to 443, because that is what https proxies usually allow access to without asking questions)

Finally, in your ingress configuration, make a virtual host for your Jitsi webservice, and direct all traffic to the web service.

So in all, you need 3 IP addresses:

• One for jvb, listening on port 10000/udp, this needs to be dedicated for Jitsi
• One for coturn, listening on port 443/tcp, this needs to be dedicated for Jitsi
• One for your ingress service, listening on ports 80/tcp and 443/tcp, this can be shared with all other web traffic passing in your cluster

[zsinba]

We also believe that TCP is a very important tool and do not recommend removing it from the configuration. It is turned off by default, so why delete it? In some types of networks, UDP communication is not allowed, esp non-standard port communication, at this time can only use TCP to achieve this. Expect TCP to be added to the default functionality.

[zsinba]

Since commit 7a93978, TCP support in JVB is disabled because it is not well tested. We rely on TCP almost exclusively because of various network reasons I won't go into detail on. It works flawlessly by the way.

The commit message says to use TURN. There is some documentation in the handbook (https://jitsi.github.io/handbook/docs/devops-guide/turn) on how to do this, but this is only applicable to a non-docker installation.

Can someone please create the necessary documentation on how to have all Jitsi traffic flow over TCP when using a Docker/Kubernetes setup? If possible, be a bit more specific than "it assumes a properly configured TURN server, and a properly configured XMPP server".

That, or at least allow the possibility to still use TCP in the mean time.

When you use it normally, I hope you can share the experience.

[santavizma]

@cedricroijakkers Is the application security assessment conducted for Jitsi? Can You share evidence?

[cedricroijakkers]

@santavizma I don't think a GitHub issue for an open-source project is the right place to ask for security reviews. If you want to have that kind of support, I suggest you talk to 8x8 for a commercial version of Jitsi.