switch-ch / jitsi-deploy

The Ansible deployment scripts for the switch.ch/meet service (based on Jitsi): multiple Jitsi-Meet servers that share a pool of videobridges.

The SWITCH scalable Jitsi Installation

22.3.2020

SWITCH is the Swiss National Research and Education Network (NREN) and provides various IT services to Swiss higher education institutions. This Ansible playbook is used to set up a cluster of individual Jitsi frontend servers (one for each institution) that share a pool of videobridges. This is a brand new service that was started during the COVID-19 crisis in March 2020. A service description can be found at https://switch.ch/meet

This repository is provided AS IS under a MIT license without any implicit or explicit guarantees that it will work for you.

The setup is geared towards our needs and will most likely not work out of the box for you.

Things to look out for:

Create your own directories for group_vars, host_vars and inventory, or use the ansible-galaxy approach and then run:

$ cd ansible
$ ansible-galaxy install -fr roles/requirements.yml

Adding a new service VM (this is very SWITCH specific)

The following steps guide you through the process of building a new Jitsi Meet instance.

Important: Variables such as inventory, host_vars and group_vars go into jitsi-deploy-vars repo! (ansible-galaxy)

Add a new videobridge server

switch-net

The new Transform's switch-net provides un-NATed, unfiltered IP addresses (IPv4 and IPv6) in the SWITCH network ranges.

The switch-net was added to the videobridges.meet.switch.ch project in ZH and LS as described in Self-Service Port Allocation.

Create and provision videobridge server

Create and provision coturn server

Testing STUN/TURN

NB: Be sure to test this while NOT on the VPN.

To test whether STUN/TURN is working, open a conference in three tabs of the browser and block outgoing UDP packets to port 10000. On macOS:

# append a rule to the loaded ruleset that blocks outgoing UDP traffic to port 10000
$ (sudo pfctl -sr 2>/dev/null; echo "block drop out quick on en0 proto udp from any to any port = 10000 no state") | sudo pfctl -f -
# enable the PacketFilter (pf) firewall so the rule takes effect
$ sudo pfctl -e

If STUN/TURN works, the two "remote" participants (i.e. the other browser tabs) should continue to show video. In addition, the note (stun) is added to the network details under "Show more" in the connection information.

If it doesn't work, the remote participants will show no video (and have no audio obviously).

To display information about pf

# verbose listing of rules
$ sudo pfctl -v -s rules

To reset the firewall

# Disable pf
$ sudo pfctl -d
# Reload the default rules
$ sudo pfctl -f /etc/pf.conf
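The pf steps above (add the block rule, check it, reset the firewall) collected into one script, as an added example that is not part of the switch-ch/jitsi-deploy repository. The interface, port and pf.conf path are assumptions exposed as environment variables; their defaults mirror the README (en0, 10000, /etc/pf.conf). The `status` subcommand checks the loaded ruleset for the block rule before you start the three-tab test, so a forgotten `pfctl -e` or a wrong interface name does not get mistaken for a broken TURN server.

```shell
#!/bin/sh
# Added example, not part of the switch-ch/jitsi-deploy repository: wraps the
# macOS pf steps from the README (block outbound UDP/10000, inspect, reset) in
# one script so the STUN/TURN fallback test can be repeated consistently.
# IFACE, PORT and PF_CONF are assumptions; the defaults mirror the README.

IFACE="${IFACE:-en0}"
PORT="${PORT:-10000}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Build the pf rule that drops outbound UDP to the videobridge media port.
pf_block_rule() {
    printf 'block drop out quick on %s proto udp from any to any port = %s no state\n' "$1" "$2"
}

# Accept only a numeric port in 1..65535 so nothing odd reaches pfctl.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Read a rule listing (the output of `pfctl -sr`) on stdin and succeed if the
# block rule for interface $1 and port $2 is present.
rule_present() {
    grep -qF "out quick on $1 proto udp from any to any port = $2"
}

# Append the block rule to the currently loaded ruleset and enable pf.
apply_block() {
    valid_port "$PORT" || { echo "invalid port: $PORT" >&2; return 1; }
    (sudo pfctl -sr 2>/dev/null; pf_block_rule "$IFACE" "$PORT") | sudo pfctl -f -
    sudo pfctl -e
}

# Report whether the block rule is loaded, then print the verbose listing.
show_status() {
    if sudo pfctl -sr 2>/dev/null | rule_present "$IFACE" "$PORT"; then
        echo "UDP/$PORT block on $IFACE is loaded (run the STUN/TURN test now)"
    else
        echo "UDP/$PORT block on $IFACE is NOT loaded"
    fi
    sudo pfctl -v -s rules
}

# Disable pf and reload the default ruleset.
reset_pf() {
    sudo pfctl -d
    sudo pfctl -f "$PF_CONF"
}

usage() {
    echo "usage: $0 {apply|status|reset}  (env: IFACE=$IFACE PORT=$PORT PF_CONF=$PF_CONF)" >&2
}

case "${1:-}" in
    apply)  apply_block ;;
    status) show_status ;;
    reset)  reset_pf ;;
    '')     usage ;;
    *)      usage; exit 2 ;;
esac
```

Run `./pf-turn-test.sh apply`, open the three conference tabs, check with `./pf-turn-test.sh status`, and finish with `./pf-turn-test.sh reset` so the block rule does not outlive the test. As in the README, run this while not connected to the VPN.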

Add jibri service

Purge Services

While installing and trying to get things working, you might want to purge all traces of nginx or jitsi from your servers. Use the purge.yml playbook like so:

$ ansible-playbook -i inventory/production purge.yml --limit ORGANISATION.meet.example.com

Specify one or more of the following tags with --tags ...

Reinstallation of a service

If things break, you can easily redeploy the Jitsi Meet instance.

Attribution

The Jitsi Ansible role is heavily influenced by https://github.com/freedomofpress/ansible-role-jitsi-meet

License

MIT Licence

Copyright 2020 SWITCH, https://switch.ch

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.