jitsi / docker-jitsi-meet

Jitsi Meet on Docker
https://hub.docker.com/u/jitsi/
Apache License 2.0

Problems with docker-compose.yml for traefik-v2 (jvb entrypoints / jicofo port) #687

Open rlue opened 3 years ago

rlue commented 3 years ago

I'm trying to launch this service using the examples/traefik-v2/docker-compose.yml file. I made the following changes before running:

After completing these steps, I ran these commands and saw these error messages:

$ docker-compose -f examples/traefik-v2/docker-compose.yml up -d
$ docker logs traefik_reverse-proxy_1
level=error msg="service \"jicofo-traefik-v2\" error: port is missing" providerName=docker container=jicofo-traefik-v2-978e931e948edf531c5fdc3fecb99444022a290bd2267c41fb130117de951733
level=error msg="entryPoint \"video\" doesn't exist" routerName=jvb@docker entryPointName=video
level=error msg="no valid entryPoint for this router" routerName=jvb@docker 

It appears that there are two problems:

  1. The sample docker-compose.yml references a "video" traefik entrypoint that I don't have defined—but I don't see any definition of this entrypoint in the docs.
  2. Traefik needs to know which port to talk to the "jicofo" service on. (Alternately, if jicofo doesn't need to receive any transactions on any ports, maybe it would help to add a traefik.enable: false label to that service?)

@ruby232, I notice you committed this file at the end of March. Any insight on these questions?

bluikko commented 3 years ago

@rlue I don't think you are supposed to replace the web's network with the traefik network. The traefik network is supposed to be added.

I suggest pasting your docker-compose.yml here so it would be easier to see what might be wrong.

I do add the traefik.enable: false to all services that don't need traefik, otherwise you will see several unnecessary endpoints in traefik. This should be added to the traefik example in fact.

rlue commented 3 years ago

Thanks for your feedback.

I do add the traefik.enable: false to all services that don't need traefik, otherwise you will see several unnecessary endpoints in traefik. This should be added to the traefik example in fact.

Am I correct in understanding that the jicofo service does not have to be exposed to the internet by traefik's reverse proxy, then?

I don't think you are supposed to replace the web's network with traefik network. Traefik network is supposed to be added.

Here's a direct excerpt from examples/traefik-v2/docker-compose.yml on master:

networks:
  # traefik: change the following line to your external docker network 
  web:

The docker-compose.yml file I am using is almost exactly the one provided in the repo, with the exceptions outlined in my original post. Here's the diff (most of the removals in the second section are covered by traefik's static configuration):

diff --git a/examples/traefik-v2/docker-compose.yml b/examples/traefik-v2/docker-compose.yml
index ad87480..b0e1dbd 100644
--- a/examples/traefik-v2/docker-compose.yml
+++ b/examples/traefik-v2/docker-compose.yml
@@ -37,19 +37,14 @@ services:
             - ENABLE_RECORDING
         networks:
             # traefik: change the following line to your external docker network
-            web:
+            mydomaincom_default:
             meet.jitsi:
                 aliases:
                     - ${XMPP_DOMAIN}
         labels:
-            traefik.http.middlewares.redirect.redirectscheme.scheme: https
-            traefik.http.routers.app-http.entrypoints: web
-            traefik.http.routers.app-http.middlewares: redirect
-            traefik.http.routers.app-http.rule: 'Host(`your.host.name`)'
-            traefik.http.routers.app.entrypoints: websecure
-            traefik.http.routers.app.rule: 'Host(`your.host.name`)'
+            traefik.http.routers.app.rule: 'Host(`jitsi.mydomain.com`)'
             traefik.http.routers.app.tls: 'true'
-            traefik.http.routers.app.tls.certresolver: le
+            traefik.http.routers.app.tls.certresolver: letsencrypt
             traefik.http.services.app.loadbalancer.server.port: 80

     # XMPP server
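Review bot: dropping `traefik.http.routers.app.entrypoints: websecure` together with the `app-http` redirect router leaves the `app` router with no entrypoint restriction, and a Traefik v2 HTTP router without `entrypoints` is attached to every entrypoint the static configuration defines. Even if the static configuration already does the 80-to-443 redirect, keep the pin, e.g. `traefik.http.routers.app.entrypoints: websecure`, so the frontend is only served on the TLS entrypoint. The resolver rename from `le` to `letsencrypt` also has to match the resolver name in the static configuration, which this diff does not show.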
@@ -139,6 +134,8 @@ services:
             - prosody
         networks:
             meet.jitsi:
+        labels:
+            traefik.enable: false

     # Video bridge
     jvb:
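Review bot: `traefik.enable: false` on jicofo only makes a difference while the docker provider keeps `exposedByDefault` at its default of true; with `--providers.docker.exposedbydefault=false` containers are opt-in and the label is redundant. With opt-out as the model, the same label is not applied to `prosody` (the dependency named in the context above) or to the `jvb` service that follows this hunk, so Traefik will still create default routers for them. Either add `traefik.enable: false` to every service that should not be proxied, or switch the provider to opt-in and set `traefik.enable: true` only on `web`.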
@@ -175,5 +172,5 @@ services:
 networks:
     meet.jitsi:
     # traefik: change the following line to your external docker network
-    web:
+    mydomaincom_default:
         external: true
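Review bot: renaming the external network to `mydomaincom_default` ties this stack to the auto-created default network of another Compose project (the `<project>_default` naming), and with `external: true` this stack fails to start whenever that network is absent, for example after a `docker-compose down` of the other project. A dedicated network created once with `docker network create` and joined by both the Traefik container and this stack is more robust; the comment line above the entry should then name that network instead of `web`.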

And here's the complete Docker Compose file:

docker-compose.yml
version: '3'

services:
    # Frontend
    web:
        image: jitsi/web
        volumes:
            - ${CONFIG}/web:/config
            - ${CONFIG}/web/letsencrypt:/etc/letsencrypt
            - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts
        environment:
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - ENABLE_LETSENCRYPT
            - ENABLE_HTTP_REDIRECT
            - ENABLE_TRANSCRIPTIONS
            - DISABLE_HTTPS
            - JICOFO_AUTH_USER
            - LETSENCRYPT_DOMAIN
            - LETSENCRYPT_EMAIL
            - PUBLIC_URL
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_BOSH_URL_BASE
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_RECORDER_DOMAIN
            - ETHERPAD_URL_BASE
            - ETHERPAD_PUBLIC_URL
            - TZ
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - ENABLE_RECORDING
        networks:
            # traefik: change the following line to your external docker network 
            mydomaincom_default:
            meet.jitsi:
                aliases:
                    - ${XMPP_DOMAIN}
        labels:
            traefik.http.routers.jellyfin.rule: 'Host(`jitsi.mydomain.com`)'
            traefik.http.routers.jellyfin.tls: 'true'
            traefik.http.routers.jellyfin.tls.certresolver: letsencrypt
            traefik.http.services.jellyfin.loadbalancer.server.port: 80

    # XMPP server
    prosody:
        image: jitsi/prosody
        expose:
            - '5222'
            - '5347'
            - '5280'
        volumes:
            - ${CONFIG}/prosody:/config
        environment:
            - AUTH_TYPE
            - ENABLE_AUTH
            - ENABLE_GUESTS
            - GLOBAL_MODULES
            - GLOBAL_CONFIG
            - LDAP_URL
            - LDAP_BASE
            - LDAP_BINDDN
            - LDAP_BINDPW
            - LDAP_FILTER
            - LDAP_AUTH_METHOD
            - LDAP_VERSION
            - LDAP_USE_TLS
            - LDAP_TLS_CIPHERS
            - LDAP_TLS_CHECK_PEER
            - LDAP_TLS_CACERT_FILE
            - LDAP_TLS_CACERT_DIR
            - LDAP_START_TLS
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_GUEST_DOMAIN
            - XMPP_MUC_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_MODULES
            - XMPP_MUC_MODULES
            - XMPP_INTERNAL_MUC_MODULES
            - XMPP_RECORDER_DOMAIN
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JIGASI_XMPP_USER
            - JIGASI_XMPP_PASSWORD
            - JIBRI_XMPP_USER
            - JIBRI_XMPP_PASSWORD
            - JIBRI_RECORDER_USER
            - JIBRI_RECORDER_PASSWORD
            - JWT_APP_ID
            - JWT_APP_SECRET
            - JWT_ACCEPTED_ISSUERS
            - JWT_ACCEPTED_AUDIENCES
            - JWT_ASAP_KEYSERVER
            - JWT_ALLOW_EMPTY
            - JWT_AUTH_TYPE
            - JWT_TOKEN_AUTH_MODULE
            - LOG_LEVEL
            - TZ
        networks:
            meet.jitsi:
                aliases:
                    - ${XMPP_SERVER}

    # Focus component
    jicofo:
        image: jitsi/jicofo
        volumes:
            - ${CONFIG}/jicofo:/config
        environment:
            - ENABLE_AUTH
            - XMPP_DOMAIN
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JICOFO_COMPONENT_SECRET
            - JICOFO_AUTH_USER
            - JICOFO_AUTH_PASSWORD
            - JICOFO_RESERVATION_REST_BASE_URL
            - JVB_BREWERY_MUC
            - JIGASI_BREWERY_MUC
            - JIBRI_BREWERY_MUC
            - JIBRI_PENDING_TIMEOUT
            - TZ
        depends_on:
            - prosody
        networks:
            meet.jitsi:
        labels:
            traefik.enable: false

    # Video bridge
    jvb:
        image: jitsi/jvb
        ports:
            - '${JVB_PORT}:${JVB_PORT}/udp'
            - '${JVB_TCP_MAPPED_PORT}:${JVB_TCP_PORT}'
        volumes:
            - ${CONFIG}/jvb:/config
        environment:
            - DOCKER_HOST_ADDRESS
            - XMPP_AUTH_DOMAIN
            - XMPP_INTERNAL_MUC_DOMAIN
            - XMPP_SERVER
            - JVB_AUTH_USER
            - JVB_AUTH_PASSWORD
            - JVB_BREWERY_MUC
            - JVB_PORT
            - JVB_TCP_HARVESTER_DISABLED
            - JVB_TCP_PORT
            - JVB_STUN_SERVERS
            - JVB_ENABLE_APIS
            - TZ
        depends_on:
            - prosody
        networks:
            meet.jitsi:
        labels:
            traefik.udp.routers.jvb.entrypoints: video
            traefik.udp.routers.jvb.service: jvb
            traefik.udp.services.jvb.loadbalancer.server.port: 10000

# Custom network so all services can communicate using a FQDN
networks:
    meet.jitsi:
    # traefik: change the following line to your external docker network 
    mydomaincom_default:
        external: true

Again, it seems that the biggest issue is that the jvb service specifies an entrypoint called "video" which is never defined anywhere. I've looked all over, but haven't managed to find a definition or sample configuration anywhere. If anyone knows what @ruby232 intended here, I'd really appreciate it.

rlue commented 3 years ago

Sorry, I figured this out—you need the following block in your traefik.toml:

[entryPoints]
  [entryPoints.video]
    address = ":10000/udp"

Will submit a PR later.
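The two log lines from the first post ("port is missing" and "entryPoint \"video\" doesn't exist"), plus the shared-network point from bluikko's comment, can be caught before `docker-compose up` with a small preflight check. The script below is an added example, not code from this thread, from docker-jitsi-meet or from Traefik; it models the Traefik v2 docker-provider rules the thread relies on (label-defined routers and services, `exposedByDefault`, fallback to an exposed container port, and reachability over a shared Docker network) over a constructed dict that mirrors the compose file posted above, with a hypothetical `proxy` network standing in for the user's external Traefik network.

```python
"""Preflight check for Traefik v2 docker-provider labels in a Compose file.

Added example (not from docker-jitsi-meet or Traefik). It reproduces, before
`docker-compose up`, the three problems discussed in this issue:
  * a router references an entrypoint the static configuration never defines,
  * an exposed container has no usable backend port ("port is missing"),
  * a labelled container shares no Docker network with the Traefik container.
"""
import re
from typing import Dict, List, Tuple

ROUTER_ENTRYPOINTS = re.compile(r"^traefik\.(http|tcp|udp)\.routers\.([^.]+)\.entrypoints$")
SERVICE_PORT = re.compile(r"^traefik\.(http|tcp|udp)\.services\.([^.]+)\.loadbalancer\.server\.port$")

# Constructed sample reduced from the compose file posted above; the external
# Traefik network is the hypothetical "proxy" (the thread uses mydomaincom_default).
SAMPLE_SERVICES: Dict[str, dict] = {
    "web": {
        "networks": ["proxy", "meet.jitsi"],
        "expose": [],
        "labels": {
            "traefik.http.routers.app.entrypoints": "websecure",
            "traefik.http.routers.app.rule": "Host(`jitsi.example.com`)",
            "traefik.http.routers.app.tls": "true",
            "traefik.http.services.app.loadbalancer.server.port": "80",
        },
    },
    # jicofo carries no labels and exposes no port: Traefik still picks it up
    # while exposedByDefault is true and then cannot choose a backend port.
    "jicofo": {"networks": ["meet.jitsi"], "expose": [], "labels": {}},
    "jvb": {
        "networks": ["meet.jitsi"],
        "expose": ["10000/udp"],
        "labels": {
            "traefik.udp.routers.jvb.entrypoints": "video",
            "traefik.udp.routers.jvb.service": "jvb",
            "traefik.udp.services.jvb.loadbalancer.server.port": "10000",
        },
    },
}
TRAEFIK_NETWORKS = ["proxy"]
ENTRYPOINTS_WITHOUT_VIDEO = {"web", "websecure"}        # before the traefik.toml fix above
ENTRYPOINTS_WITH_VIDEO = {"web", "websecure", "video"}  # after adding [entryPoints.video]


def is_exposed(labels: Dict[str, str], exposed_by_default: bool) -> bool:
    """Traefik's opt-in/opt-out rule: traefik.enable wins, else the provider default."""
    flag = labels.get("traefik.enable")
    if flag is None:
        return exposed_by_default
    return str(flag).strip().lower() == "true"


def lint(services, entrypoints, traefik_networks, exposed_by_default=True):
    """Return (service, problem) pairs for every container Traefik would pick up."""
    findings: List[Tuple[str, str]] = []
    for name, svc in services.items():
        labels = svc.get("labels", {})
        if not is_exposed(labels, exposed_by_default):
            continue  # Traefik ignores this container entirely
        # 1. every entrypoint a router names must exist in the static configuration
        for key, value in labels.items():
            match = ROUTER_ENTRYPOINTS.match(key)
            if not match:
                continue
            for ep in (e.strip() for e in str(value).split(",")):
                if ep not in entrypoints:
                    msg = 'entryPoint "%s" doesn\'t exist for router %s' % (ep, match.group(2))
                    findings.append((name, msg))
        # 2. backend port: from a loadbalancer.server.port label, else an exposed port
        if not any(SERVICE_PORT.match(k) for k in labels) and not svc.get("expose"):
            findings.append((name, "port is missing: no loadbalancer.server.port label and no exposed port"))
        # 3. reachability: Traefik must be attached to a network the container is on
        if not set(svc.get("networks", [])) & set(traefik_networks):
            findings.append((name, "not reachable: no network shared with the traefik container"))
    return findings


if __name__ == "__main__":
    for label, eps in (("without video", ENTRYPOINTS_WITHOUT_VIDEO), ("with video", ENTRYPOINTS_WITH_VIDEO)):
        print("--- entrypoints %s: %s" % (label, sorted(eps)))
        for service, message in lint(SAMPLE_SERVICES, eps, TRAEFIK_NETWORKS):
            print("%s: %s" % (service, message))
    print("--- exposedByDefault=false:",
          lint(SAMPLE_SERVICES, ENTRYPOINTS_WITH_VIDEO, TRAEFIK_NETWORKS, exposed_by_default=False))
```

Running it with the entrypoint set that lacks `video` reproduces both errors from the log; adding `video` clears the jvb entrypoint error but still flags that jvb and jicofo share no network with Traefik, and switching to `exposed_by_default=False` (the opt-in model) silences everything that is not explicitly labelled `traefik.enable=true`.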

bluikko commented 3 years ago

Thanks for your feedback.

I'm not an expert in this at all so take what I say with a grain of salt...

I do add the traefik.enable: false to all services that don't need traefik, otherwise you will see several unnecessary endpoints in traefik. This should be added to the traefik example in fact.

Am I correct in understanding that the jicofo service does not have to be exposed to the internet by traefik's reverse proxy, then?

Yes, I have it disabled. I have prosody disabled as well. Since they do not need connections from outside, why allow them in traefik?

I was creating a PR for the above changes but see your good work with port 10000 - I was sure that this port needed more than is in the example but now can just follow your solution.

I don't think you are supposed to replace the web's network with traefik network. Traefik network is supposed to be added.

Here's a direct excerpt from examples/traefik-v2/docker-compose.yml on master:

networks:
  # traefik: change the following line to your external docker network 
  web:

Sorry - I was thinking that you replaced the network in the default compose file. So ignore what I said.

The docker-compose.yml file I am using is almost exactly the one provided in the repo, with the exceptions outlined in my original post. Here's the diff (most of the removals in the second section are covered by traefik's static configuration):

diff --git a/examples/traefik-v2/docker-compose.yml b/examples/traefik-v2/docker-compose.yml
index ad87480..b0e1dbd 100644
--- a/examples/traefik-v2/docker-compose.yml
+++ b/examples/traefik-v2/docker-compose.yml
@@ -37,19 +37,14 @@ services:
             - ENABLE_RECORDING
         networks:
             # traefik: change the following line to your external docker network
-            web:
+            mydomaincom_default:
             meet.jitsi:
                 aliases:
                     - ${XMPP_DOMAIN}
         labels:
-            traefik.http.middlewares.redirect.redirectscheme.scheme: https
-            traefik.http.routers.app-http.entrypoints: web
-            traefik.http.routers.app-http.middlewares: redirect
-            traefik.http.routers.app-http.rule: 'Host(`your.host.name`)'
-            traefik.http.routers.app.entrypoints: websecure
-            traefik.http.routers.app.rule: 'Host(`your.host.name`)'
+            traefik.http.routers.app.rule: 'Host(`jitsi.mydomain.com`)'
             traefik.http.routers.app.tls: 'true'
-            traefik.http.routers.app.tls.certresolver: le
+            traefik.http.routers.app.tls.certresolver: letsencrypt
             traefik.http.services.app.loadbalancer.server.port: 80

     # XMPP server
@@ -139,6 +134,8 @@ services:
             - prosody
         networks:
             meet.jitsi:
+        labels:
+            traefik.enable: false

     # Video bridge
     jvb:
@@ -175,5 +172,5 @@ services:
 networks:
     meet.jitsi:
     # traefik: change the following line to your external docker network
-    web:
+    mydomaincom_default:
         external: true

And here's the complete Docker Compose file:

docker-compose.yml

Again, it seems that the biggest issue is that the jvb service specifies an entrypoint called "video" which is never defined anywhere. I've looked all over, but haven't managed to find a definition or sample configuration anywhere. If anyone knows what @ruby232 intended here, I'd really appreciate it.

Agreed. My setup (similar to the traefik v1 example) does work without it, but I was always sure it wasn't working 100% correctly. I never had the time to look into fixing it and I guess I can just copy-paste now. So thank you!

prayagsingh commented 3 years ago

FYI: A working example based on traefik:v2.2.8. Using tls-challenge for letsencrypt cert.

version: '3.8'

services:
  traefik:
    image: "traefik:v2.2.8"
    hostname: "traefik"
    labels:
      - "traefik.enable=false"  # set it to `true` if you want traefik dashboard. If set to `false` then traefik won't consider below config
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.api.rule=Host(`traefik.example.com`)  && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.middlewares=auth"
      ## Middlewares
      - "traefik.http.middlewares.auth.basicauth.users=alpha:$$1$$SEjVHN0z$$Apa3.iHJAW2dbAi6OuwDe/"
      ### host header
      #- "traefik.http.middlewares.hosthdr.headers.stsseconds=31536000"
      #- "traefik.http.middlewares.hosthdr.headers.stsincludesubdomains=true"
      #- "traefik.http.middlewares.hosthdr.headers.stspreload=true"
      # enable https for api/dashboard
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.domains[0].main=traefik.example.com"
      # dummy port
      - "traefik.http.services.dummyservice.loadbalancer.server.port=1111" # In swarm mode, traefik requires a dummy Port

    command:
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.swarmMode=false
      - --providers.docker.exposedbydefault=false
      - --log.level=INFO #DEBUG
      - --accesslog=false
      - --entryPoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --entryPoints.websecure.address=:443
      # comment below line in production
      - --certificatesResolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.letsencrypt.acme.tlsChallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=myemail@gmail.com
      - --certificatesResolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    ports:
      - target: 80
        published: 80
        mode: host

      - target: 443
        published: 443
        mode: host

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./letsencrypt:/letsencrypt"
    networks:
      - proxy

networks:
  proxy:
    external: true
    name: proxy

  1. Add the config below under the web service in the docker-compose.yml file.

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.http.routers.jitsi-secure.entrypoints=websecure"
      - "traefik.http.routers.jitsi-secure.rule=Host(`meet.example.com`)"
      ## LetsEncrypt
      - "traefik.http.routers.jitsi-secure.tls=true"
      - "traefik.http.routers.jitsi-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.jitsi-secure.tls.domains[0].main=meet.example.com"
      ## Service
      - "traefik.http.routers.jitsi-secure.service=jitsi" # here the service name is jitsi
      - "traefik.http.services.jitsi.loadbalancer.server.port=80"

    networks:
      proxy:   # traefik network created externally
      jitsi:   # jitsi network
        aliases:
          - meet.example.com # change this accordingly