mumble-voip / mumble-docker

The official Mumble Docker image
BSD 3-Clause "New" or "Revised" License

Simple Compose additions/ example #7

Closed hofq closed 2 years ago

hofq commented 2 years ago

Hi, thanks for the Re-Release!

I am currently struggling with the Mumble LDAP Authenticator. The Server is currently running 1 release behind on Static x86. In this setup, I build murmur & the LDAP Authenticator from the Git tag of the latest release.

I have used the following Configs, but it doesn't seem to work.

The LDAP can't seem to connect to the murmur server and I can't figure out why. I have tried switching up the IPs (172.16.238.2 / 172.16.238.3) but that doesn't help at all.

docker-compose.yaml

version: "3.7"
services:
  murmur:
    build: ./mumble
    volumes:
    - $PWD/conf/murmur.ini:/etc/murmur/murmur.ini:ro
    - $PWD/murmur.sqlite:/var/lib/murmur/murmur.sqlite:rw
    - $PWD/log/murmur.log:/var/log/murmur/murmur.log:rw
    ports:
    - 6502:6502
    networks:
      ice:
        ipv4_address: 172.16.238.3
  murmur-ldap:
    build: ./mumble-scripts/Authenticators/LDAP
    volumes:
    - $PWD/conf/LDAPauth.ini:/app/LDAPauth.ini:ro
    - $PWD/log/LDAPauth.log:/var/log/murmur/LDAPauth.log:rw
    - $PWD/mumble/src/murmur/Murmur.ice:/app/Murmur.ice:ro
    networks:
      ice:
        ipv4_address: 172.16.238.2

networks:
   ice:
      driver: bridge
      ipam:
        config:
        - subnet: 172.16.238.0/24

LDAPauth.ini

. . . 
;Ice configuration
[ice]
host            = 172.16.238.3
port            = 6502
slice           = Murmur.ice
secret          = 4MST5yDtefksy3oLWMMNN
watchdog        = 30
. . . 

LDAPauth Dockerfile

FROM python:slim-bullseye
WORKDIR /app
COPY LDAPauth.py LDAPauth.py
RUN apt-get update -y && apt-get install -y libsasl2-dev python-dev libldap2-dev libssl-dev build-essential libbz2-dev
RUN pip3 install python-daemon python-ldap zeroc-ice
ENTRYPOINT python3 LDAPauth.py
EXPOSE 6502

murmur.ini

. . .
ice="tcp -h 172.16.238.2 -p 6502"
icesecretread=***********************
icesecretwrite=***********************
;identical

Could you Provide Official examples on how to set it up?

Krzmbrzl commented 2 years ago

Hm - I have never used docker-compose nor have I ever touched that LDAP-thingy, so I'm afraid that I'm not too much of a help here xD

@azlux do you have any ideas on this? @Natenom do you happen to have any experience with LDAP?

hofq commented 2 years ago

My Current Issue is related to the connection between the mumble server and LDAPauth via ice.

I have tried so far:

- Murmur [Container] -> LDAPauth [Directly on Linux VM] ✔
- Murmur [Directly on Linux VM] -> LDAPauth [Directly on Linux VM] ✔
- Murmur [Container] -> LDAPauth [Container] ❌

I Really have Issues if the IP of the LDAP Authenticator and the Murmur Server is not the Same.

Krzmbrzl commented 2 years ago

What about the case Murmur [Directly on Linux VM] -> LDAPauth [Container] ? Does that also fail?

hofq commented 2 years ago

I have not tested that since the Static Server is discontinued. If it makes sense I would try it.

Krzmbrzl commented 2 years ago

Yeah well it would be more in order to complete the test-case set than as a suggested workaround. I was just curious what the outcome would be. Maybe that could hint as to where the problem lies.

azlux commented 2 years ago

If you have a custom config file, you should use the MUMBLE_CUSTOM_CONFIG_FILE variable: https://github.com/mumble-voip/mumble-docker#additional-variables

I think your real issue is that the image doesn't take your custom config.

hofq commented 2 years ago

Okay, I'll try to change it on my VM.

https://github.com/mumble-voip/mumble/blob/d16ad421d496aefdc68468d1e64425a086d0a32a/scripts/murmur.ini#L65

Do I have to enter the IP/hostname of the Authenticator here, or does it work with a wildcard or CIDR?

Krzmbrzl commented 2 years ago

I doubt that it would work with a wildcard as the ICE interface expects a concrete address to bind to (afaik)... I might be wrong though :eyes:

Kissaki commented 2 years ago

https://doc.zeroc.com/display/Ice34/Proxy+and+Endpoint+Syntax#ProxyandEndpointSyntax-AddressSyntax

0.0.0.0 should work as an IPv4 wildcard. :: for IPv6. * may too; I’m not entirely sure whether the server is considered a “proxy” in ice context.

Kissaki commented 2 years ago

Given that Mumble in container, ldap auth on host works, I don’t see why it’d be a config file not being used issue?

In your posted configuration I see LDAP docker conf has EXPOSE 6502. Doesn’t that mean it’d expect it as an outgoing port, and may not identify it as an incoming port of the network?

https://docs.docker.com/engine/reference/builder/#expose

hofq commented 2 years ago

Never used the Ice Protocol before. I tried it vice versa but it didn't work. Does any of you have time to run a quick test with my setup? I really tried a lot, but either the Authenticator can't connect at all or I get the error that the address is already allocated.

azlux commented 2 years ago

I've added a docker-compose example into the wiki: https://github.com/mumble-voip/mumble-docker/wiki

If you want to use the network for ice, you should use: ice="tcp -h 0.0.0.0 -p 6502" in the config AND in the docker-compose (not the dockerfile)

expose:
 - 6502

to allow other containers to reach this port.

hofq commented 2 years ago

2022-05-11 10:36:20,914 INFO Shutdown complete
2022-05-11 10:42:58,510 INFO Starting LDAP mumble authenticator
2022-05-11 10:42:58,512 DEBUG Using shared ice secret
2022-05-11 10:42:58,512 INFO Connecting to Ice server (10.10.10.189:6502)
2022-05-11 10:42:58.513692 LDAPauth.py: error: Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/Ice/__init__.py", line 1548, in doMain
    status = self.run(args)
  File "/app/LDAPauth.py", line 226, in run
    if not self.initializeIceConnection():
  File "/app/LDAPauth.py", line 264, in initializeIceConnection
    adapter = ice.createObjectAdapterWithEndpoints('Callback.Client', 'tcp -h %s' % cfg.ice.host)
  File "/usr/local/lib/python3.10/site-packages/Ice/__init__.py", line 934, in createObjectAdapterWithEndpoints
    adapter = self._impl.createObjectAdapterWithEndpoints(name, endpoints)
Ice.SocketException: Ice.SocketException:
Cannot assign requested address

;Ice configuration
[ice]
host            = 10.10.10.xxx
port            = 6502
slice           = Murmur.ice
secret          = ******************************
watchdog        = 30

version: "3.7"
services:
  murmur:
    environment:
      - MUMBLE_CUSTOM_CONFIG_FILE=/data/murmur.ini
    image: mumblevoip/mumble-server:latest
    volumes:
    - $PWD/conf/murmur.ini:/data/murmur.ini:ro
    - $PWD/murmur.sqlite:/data/murmur.sqlite:rw
    - $PWD/log/murmur.log:/data/murmur.log:rw
    hostname: murmur
    expose:
      - 6502
    ports:
    - 64738:64738
    - 64738:64738/udp
    - 6502:6502/tcp
    - 6502:6502/udp
  murmur-ldap:
    build: ./mumble-scripts/Authenticators/LDAP
    hostname: murmur-ldap
    depends_on:
    - "murmur"
    volumes:
    - $PWD/conf/LDAPauth.ini:/app/LDAPauth.ini:ro
    - $PWD/log/LDAPauth.log:/var/log/murmur/LDAPauth.log:rw
    - $PWD/mumble/src/murmur/Murmur.ice:/app/Murmur.ice:ro

murmur-murmur-1  | Using manually specified config file at /data/murmur.ini
murmur-murmur-1  | All MUMBLE_CONFIG variables will be ignored
murmur-murmur-1  | Running Mumble server as uid=1000 gid=1000
murmur-murmur-1  | "/data" has the following permissions set:
murmur-murmur-1  |   drwxr-xr-x, owner: "mumble" (UID: 1000), group: "mumble" (GID: 1000)
murmur-murmur-1  | Command run to start the service : /usr/bin/mumble-server -fg -ini /data/murmur.ini
murmur-murmur-1  | Starting...
murmur-murmur-1  | <X>2022-05-11 10:42:56.343 SSL: OpenSSL version is 'OpenSSL 1.1.1f  31 Mar 2020'
murmur-murmur-1  | <W>2022-05-11 10:42:56.344 Initializing settings from /data/murmur.ini (basepath /data)
murmur-murmur-1  | <W>2022-05-11 10:42:56.652 MetaParams: TLS cipher preference is "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA"
murmur-murmur-1  | <W>2022-05-11 10:42:56.690 ServerDB: Opened SQLite database /data/murmur.sqlite
murmur-murmur-1  | <W>2022-05-11 10:42:56.691 ServerDB: Using SQLite's default rollback journal.
murmur-murmur-1  | <W>2022-05-11 10:42:56.693 MurmurIce: Endpoint "tcp -h 192.168.0.2 -p 6502 -t 60000" running
murmur-murmur-1  | <W>2022-05-11 10:42:56.693 Murmur 1.4.230 (1.4.230) running on Linux: Ubuntu 20.04.4 LTS [x64]: Booting servers
murmur-murmur-1  | <W>2022-05-11 10:42:56.697 1 => Server listening on 0.0.0.0:64738
murmur-murmur-1  | <W>2022-05-11 10:42:57.072 1 => Registration needs nonempty 'registername', 'registerpassword' and 'registerurl', must have an empty 'password' and allowed pings.
murmur-murmur-1  | <W>2022-05-11 10:43:01.847 Killing running servers
murmur-murmur-1  | <W>2022-05-11 10:43:01.852 1 => Stopped
murmur-murmur-1  | <W>2022-05-11 10:43:01.852 Shutting down
murmur-murmur-1  | <W>2022-05-11 10:43:01.853 MurmurIce: Shutdown complete

In firewalld I opened port 6502 TCP and UDP. There is something on the port. I don't know why the Authenticator won't connect and if it's a Docker or Authenticator issue.

[root@MUMBLE murmur]# telnet 10.10.10.XXX 6502
Trying 10.10.10.XXX...
Connected to 10.10.10.XXX.
Escape character is '^]'.
IceP

hofq commented 2 years ago

murmur-murmur-1 | 2022-05-11 10:42:56.693 MurmurIce: Endpoint "tcp -h 192.168.0.2 -p 6502 -t 60000" running

Here I used the wildcard. The log just shows a random local IP.

azlux commented 2 years ago

OK, I'm starting to understand the issue you have: Ice uses an open port on mumble-server to register a callback on a specific port.

So BOTH the Ice client and the Ice server need open ports:

Easy way: network_mode: "service:murmur" in the docker-compose.yaml for your service murmur-ldap.

Hard way: expose 6502 on mumble-server and the other port on mumble-ldap (and use the name of the container instead of a fixed IP). But I don't know if you can choose the callback port in your script (it looks like 6502 too according to your logs, but I'm not sure). If you are on a separate network bridge you can expose (0-65535) (the doc allows that: --expose list = Expose a port or a range of ports)

hofq commented 2 years ago

Network mode does it.

I think the Authenticator Configuration needs a better separation between Host and Client Variables.
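
The "easy way" from the thread written out as a compose file (an added example, not taken from the thread or the project wiki). The traceback above shows the authenticator binding its callback adapter to `cfg.ice.host`, which fails with "Cannot assign requested address" unless that address is local to the authenticator's own container; sharing murmur's network namespace makes it local. Binding Ice to 127.0.0.1 and leaving port 6502 unpublished are assumptions added here; the image name, paths and variable are the ones posted in the thread.

```yaml
# Added example. Assumed settings in the two mounted config files
# (the loopback address is an assumption, not a value from the thread):
#   conf/murmur.ini   : ice="tcp -h 127.0.0.1 -p 6502"
#   conf/LDAPauth.ini : [ice] host = 127.0.0.1 / port = 6502
version: "3.7"
services:
  murmur:
    image: mumblevoip/mumble-server:latest
    hostname: murmur
    environment:
      - MUMBLE_CUSTOM_CONFIG_FILE=/data/murmur.ini
    volumes:
      - $PWD/conf/murmur.ini:/data/murmur.ini:ro
      - $PWD/murmur.sqlite:/data/murmur.sqlite:rw
      - $PWD/log/murmur.log:/data/murmur.log:rw
    ports:
      # Only the Mumble client port is published on the host.
      - 64738:64738
      - 64738:64738/udp
      # Before (as posted in the thread): the Ice port was published too.
      # With a shared namespace this is not needed, so Ice stays off the
      # host interface and no firewalld rule for 6502 is required.
      # - 6502:6502/tcp
      # - 6502:6502/udp

  murmur-ldap:
    build: ./mumble-scripts/Authenticators/LDAP
    depends_on:
      - murmur
    # Join murmur's network namespace: both processes see the same
    # interfaces, so the authenticator can reach Ice on 127.0.0.1:6502,
    # bind its callback adapter to 127.0.0.1, and murmur can call back
    # over loopback on whatever port the adapter picks.
    network_mode: "service:murmur"
    # hostname, ports and networks are left out on purpose: they belong
    # to the service that owns the namespace (murmur).
    volumes:
      - $PWD/conf/LDAPauth.ini:/app/LDAPauth.ini:ro
      - $PWD/log/LDAPauth.log:/var/log/murmur/LDAPauth.log:rw
      - $PWD/mumble/src/murmur/Murmur.ice:/app/Murmur.ice:ro
```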