feat: Rootless containers #2029

Open · wants to merge 23 commits into base: master
Conversation

emrahcom
Contributor

This PR allows Jitsi containers to run without using the root account.

Main changes:

  • s6-overlay is upgraded to v3.2.0.2

  • All processes are run by a non-root user: s6

  • Currently, the container's filesystem is still writable but the active user is s6. So, it cannot write into root's folders.

  • Config files are created in /run by using templates and provided config files (from /config)

  • The writable folders for s6 are:

    • /run
    • /tmp
    • Folders in the mounted volumes with write permission (writable folders should have 777 as mode)
  • Volumes are updated to distinguish read-only and writable volumes:

    • /config contains read-only config files
    • /storage contains created files during the runtime such as recordings, logs, etc.
    • /tmp contains temporary files created during the runtime
  • Expected folders on host:

mkdir -p ~/.jitsi-meet-cfg/prosody/{config,prosody-plugins-custom}
mkdir -p ~/.jitsi-meet-cfg/{jibri,jicofo,jigasi,jvb,web}

mkdir -p ~/.jitsi-meet-cfg/storage/{jibri,transcripts}
chmod 777 ~/.jitsi-meet-cfg/storage/jibri
chmod 777 ~/.jitsi-meet-cfg/storage/transcripts

mkdir -p ~/.jitsi-meet-cfg/tmp/{web-crontabs,web-load-test}
chmod 777 ~/.jitsi-meet-cfg/tmp/web-crontabs
chmod 777 ~/.jitsi-meet-cfg/tmp/web-load-test
  • jibri container doesn't have CAP_SYS_ADMIN anymore. Therefore Chrome is run with --no-sandbox.

My plan is to create a second PR to make the container's filesystem completely read-only after a while. Actually this also works in my tests, but I don't want to make it harder to debug.
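An added check, not part of this PR or the project, that verifies the host-side layout listed above before the containers start; JITSI_CFG is an assumed environment variable naming the config root, and the directory lists are copied from the description:

```shell
#!/bin/sh
# Added example (not part of the PR): checks that the host directory layout
# matches what the rootless containers expect. JITSI_CFG is an assumed
# variable naming the config root; it defaults to ~/.jitsi-meet-cfg.

# Config directories (mounted read-only as /config); they only need to exist.
RO_DIRS="prosody/config prosody/prosody-plugins-custom jibri jicofo jigasi jvb web"
# Directories the unprivileged s6 user writes into; the PR asks for mode 777.
RW_DIRS="storage/jibri storage/transcripts tmp/web-crontabs tmp/web-load-test"

# dir_mode DIR -> prints DIR's permission bits in octal (GNU stat first,
# BSD stat as fallback).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_layout ROOT -> prints one line per problem; returns 0 only when every
# directory exists and every writable one has mode 777.
check_layout() {
    root=$1; rc=0
    for d in $RO_DIRS; do
        [ -d "$root/$d" ] || { echo "missing: $root/$d"; rc=1; }
    done
    for d in $RW_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing: $root/$d"; rc=1
        else
            mode=$(dir_mode "$root/$d")
            [ "$mode" = "777" ] || { echo "mode $mode, want 777: $root/$d"; rc=1; }
        fi
    done
    return $rc
}

# create_layout ROOT -> creates the layout exactly as the PR description lists it.
create_layout() {
    root=$1
    for d in $RO_DIRS $RW_DIRS; do mkdir -p "$root/$d"; done
    for d in $RW_DIRS; do chmod 777 "$root/$d"; done
}

# Usage: sh check-layout.sh --check   (or --create to build the layout first)
cfg=${JITSI_CFG:-$HOME/.jitsi-meet-cfg}
case "${1:-}" in
    --create) create_layout "$cfg" && check_layout "$cfg" ;;
    --check)  check_layout "$cfg" ;;
esac
```

Run it with --create on a fresh host or --check against an existing one. A 777 directory is writable by every local account, not only the container's s6 user, so the check reports exactly what the PR requires and nothing stricter.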

Member

@saghul saghul left a comment

Impressive work @emrahcom ! 👏 I left some comments, please take a look!

emrahcom and others added 2 commits February 24, 2025 14:11
Co-authored-by: Saúl Ibarra Corretgé <s@saghul.net>
Co-authored-by: Saúl Ibarra Corretgé <s@saghul.net>
@saghul
Member

saghul commented Feb 24, 2025

Sorry for the exec comments, I got carried away during review ;-) I can make those after this lands.

@saghul
Member

saghul commented Feb 24, 2025

I'll give this a try shortly @emrahcom, thanks a lot for the swift responses to my comments!

@emrahcom
Contributor Author

Thank you very much for your help.

@saghul
Member

saghul commented Mar 4, 2025

Hey @emrahcom quick update: I will start testing the end of this week or the next.

Something important we need to handle here is migrating the XMPP data from existing installations since it may contain user accounts.

@emrahcom
Contributor Author

emrahcom commented Mar 4, 2025

I will check the option to use ~/.jitsi-meet-cfg/storage/prosody as Prosody's data_path.
