diff --git a/base-java/Dockerfile b/base-java/Dockerfile index 9bd9389a0e..40d5d15843 100644 --- a/base-java/Dockerfile +++ b/base-java/Dockerfile @@ -2,12 +2,20 @@ ARG JITSI_REPO=jitsi ARG BASE_TAG=latest FROM ${JITSI_REPO}/base:${BASE_TAG} -RUN mkdir -p /usr/share/man/man1 && \ - mkdir -p /etc/apt/keyrings/ && \ - apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y unzip ca-certificates curl gnupg && \ - curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \ - echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \ - apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y nodejs openjdk-17-jre-headless openjdk-17-jdk-headless && \ - apt-cleanup +USER root + +COPY rootfs / + +RUN \ + wget -qO - https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | \ + gpg --dearmour > /usr/share/keyrings/nodesource.gpg && \ +\ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get install -y \ + nodejs \ + openjdk-17-jdk-headless \ + openjdk-17-jre-headless \ + && \ + apt-cleanup + +USER s6 diff --git a/base-java/rootfs/etc/apt/sources.list.d/nodejs.sources b/base-java/rootfs/etc/apt/sources.list.d/nodejs.sources new file mode 100644 index 0000000000..52b0b487a6 --- /dev/null +++ b/base-java/rootfs/etc/apt/sources.list.d/nodejs.sources @@ -0,0 +1,5 @@ +Types: deb +URIs: https://deb.nodesource.com/node_20.x +Suites: nodistro +Components: main +Signed-By: /usr/share/keyrings/nodesource.gpg diff --git a/base/Dockerfile b/base/Dockerfile index d862ab5cac..6ed04008f7 100644 --- a/base/Dockerfile +++ b/base/Dockerfile 
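Review bot: The new RUN's `wget -qO - … | gpg --dearmour > /usr/share/keyrings/nodesource.gpg` runs under the default `/bin/sh -c`, so only gpg's exit status decides the step and a failed or truncated download may still let the layer build with an empty or partial keyring that apt will then trust through `Signed-By`; the same pipeline is used for the Jitsi key in base/Dockerfile. Add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the RUN (or `set -o pipefail &&` as its first command) so a wget failure is fatal. Since the key is fetched from the network on every build, consider also comparing the dearmoured key against a pinned fingerprint with `gpg --show-keys --with-fingerprint` before it is written to the keyring. A short comment on the RUN saying whose key this is and why it lives in /usr/share/keyrings would help the next reader.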
@@ -1,40 +1,73 @@ FROM docker.io/library/debian:bookworm-slim ARG JITSI_RELEASE=stable +ARG S6_OVERLAY_VERSION=v3.2.0.2 +ARG S6_OVERLAY_DOWNLOAD=https://github.com/just-containers/s6-overlay/releases/download/${S6_OVERLAY_VERSION} +ARG TPL_VERSION=v1.4.0 +ARG TPL_DOWNLOAD=https://github.com/jitsi/tpl/releases/download/${TPL_VERSION} + ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2 COPY rootfs / RUN \ - dpkgArch="$(dpkg --print-architecture)" && \ - case "${dpkgArch##*-}" in \ - "amd64") TPL_ARCH=amd64; S6_ARCH=amd64 ;; \ - "arm64") TPL_ARCH=arm64; S6_ARCH=aarch64 ;; \ - *) echo "unsupported architecture"; exit 1 ;; \ - esac && \ - apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y apt-transport-https apt-utils ca-certificates gnupg wget curl && \ - wget -qO /usr/bin/tpl https://github.com/jitsi/tpl/releases/download/v1.4.0/tpl-linux-${TPL_ARCH} && \ - # Workaround S6 bug when /bin is a symlink - wget -qO /tmp/s6.tar.gz https://github.com/just-containers/s6-overlay/releases/download/v1.22.1.0/s6-overlay-${S6_ARCH}.tar.gz && \ - mkdir /tmp/s6 && \ - tar xfz /tmp/s6.tar.gz -C /tmp/s6 && \ - tar hxfz /tmp/s6.tar.gz -C / && \ - rm -f /usr/bin/execlineb && \ - cp /tmp/s6/bin/execlineb /usr/bin/ && \ - rm -rf /tmp/s6* && \ - wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmour > /etc/apt/trusted.gpg.d/jitsi.gpg && \ - echo "deb https://download.jitsi.org $JITSI_RELEASE/" > /etc/apt/sources.list.d/jitsi.list && \ - echo "deb http://ftp.debian.org/debian bookworm-backports main" > /etc/apt/sources.list.d/backports.list && \ - apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get dist-upgrade -y && \ - apt-cleanup && \ - chmod +x /usr/bin/tpl + dpkgArch="$(dpkg --print-architecture)" && \ + case "${dpkgArch##*-}" in \ + "amd64") TPL_ARCH=amd64; S6_ARCH=x86_64 ;; \ + "arm64") TPL_ARCH=arm64; S6_ARCH=aarch64 ;; \ + *) echo "unsupported architecture"; exit 1 ;; \ + esac && \ +\ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get install -y 
\ + apt-utils \ + ca-certificates \ + curl \ + gnupg \ + wget \ + && \ + apt-dpkg-wrap apt-get install -y \ + xz-utils \ + && \ +\ + wget -qO /usr/bin/tpl ${TPL_DOWNLOAD}/tpl-linux-${TPL_ARCH} && \ + chmod +x /usr/bin/tpl && \ + mkdir /tmp/s6 && \ + wget -qO /tmp/s6/s6-overlay-noarch.tar.xz \ + ${S6_OVERLAY_DOWNLOAD}/s6-overlay-noarch.tar.xz && \ + wget -qO /tmp/s6/s6-overlay-${S6_ARCH}.tar.xz \ + ${S6_OVERLAY_DOWNLOAD}/s6-overlay-${S6_ARCH}.tar.xz && \ + tar -C / -Jxpf /tmp/s6/s6-overlay-noarch.tar.xz && \ + tar -C / -Jxpf /tmp/s6/s6-overlay-${S6_ARCH}.tar.xz && \ + rm -rf /tmp/s6 && \ +\ + wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | \ + gpg --dearmour > /usr/share/keyrings/jitsi.gpg && \ + sed -i "s/stable/${JITSI_RELEASE}/" /etc/apt/sources.list.d/jitsi.sources && \ +\ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get dist-upgrade -y && \ + apt-get purge -y \ + xz-utils \ + && \ + apt-cleanup && \ +\ + adduser --disabled-password --gecos "" s6 -RUN [ "$JITSI_RELEASE" = "unstable" ] && \ +RUN \ + [ "${JITSI_RELEASE}" = "unstable" ] && \ apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y jq procps curl vim iputils-ping net-tools && \ - apt-cleanup || \ + apt-dpkg-wrap apt-get install -y \ + jq \ + iputils-ping \ + net-tools \ + procps \ + vim \ + && \ + apt-cleanup \ + || \ true +USER s6 + ENTRYPOINT [ "/init" ] diff --git a/base/rootfs/etc/apt/sources.list.d/backports.sources b/base/rootfs/etc/apt/sources.list.d/backports.sources new file mode 100644 index 0000000000..0e8591e4d6 --- /dev/null +++ b/base/rootfs/etc/apt/sources.list.d/backports.sources @@ -0,0 +1,5 @@ +Types: deb +URIs: https://deb.debian.org/debian +Suites: bookworm-backports +Components: main +Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg diff --git a/base/rootfs/etc/apt/sources.list.d/jitsi.sources b/base/rootfs/etc/apt/sources.list.d/jitsi.sources new file mode 100644 index 0000000000..8e5b19e807 --- /dev/null 
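Review bot: The s6-overlay tarballs (and `tpl`) are downloaded with `wget -qO` and extracted into `/` as root with no integrity check, so the image trusts whatever the release URL serves at build time; the same applies to `shm-check` in jibri/Dockerfile. Pinning the expected sha256 per artifact next to the existing version ARGs and verifying with `sha256sum -c` before the `tar -C / -Jxpf` lines closes that gap (the ARG names below are placeholders; the per-arch value can be picked in the existing `case`). Separately, `adduser --disabled-password --gecos "" s6` leaves the uid to allocation order; a fixed, documented uid such as `adduser --disabled-password --gecos "" --uid <fixed-uid> s6` makes the bind-mounted `/storage` and `/config` ownership predictable and lets `runAsNonRoot`-style checks verify it.
```dockerfile
# … unchanged: architecture case, apt-get install, tpl download, mkdir /tmp/s6 …
    wget -qO /tmp/s6/s6-overlay-noarch.tar.xz \
        ${S6_OVERLAY_DOWNLOAD}/s6-overlay-noarch.tar.xz && \
    wget -qO /tmp/s6/s6-overlay-${S6_ARCH}.tar.xz \
        ${S6_OVERLAY_DOWNLOAD}/s6-overlay-${S6_ARCH}.tar.xz && \
    # S6_OVERLAY_NOARCH_SHA256 / S6_OVERLAY_ARCH_SHA256: build ARGs holding the pinned
    # digests for S6_OVERLAY_VERSION (placeholder names; arch digest chosen in the case above)
    echo "${S6_OVERLAY_NOARCH_SHA256}  /tmp/s6/s6-overlay-noarch.tar.xz" | sha256sum -c - && \
    echo "${S6_OVERLAY_ARCH_SHA256}  /tmp/s6/s6-overlay-${S6_ARCH}.tar.xz" | sha256sum -c - && \
    tar -C / -Jxpf /tmp/s6/s6-overlay-noarch.tar.xz && \
# … unchanged: arch tarball extraction, /tmp/s6 cleanup, jitsi key, dist-upgrade, adduser …
```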
+++ b/base/rootfs/etc/apt/sources.list.d/jitsi.sources @@ -0,0 +1,5 @@ +Types: deb +URIs: https://download.jitsi.org +Suites: stable/ +Components: +Signed-By: /usr/share/keyrings/jitsi.gpg diff --git a/base/rootfs/etc/cont-init.d/01-set-timezone b/base/rootfs/etc/cont-init.d/01-set-timezone deleted file mode 100644 index 71e6dec481..0000000000 --- a/base/rootfs/etc/cont-init.d/01-set-timezone +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/with-contenv bash - -if [[ ! -z "$TZ" ]]; then - if [[ -f /usr/share/zoneinfo/$TZ ]]; then - ln -sf /usr/share/zoneinfo/$TZ /etc/localtime - echo "$TZ" > /etc/timezone - else - echo "WARNING: $TZ is not a valid time zone." - fi -fi diff --git a/base/rootfs/usr/bin/apt-cleanup b/base/rootfs/usr/bin/apt-cleanup index 1d3d61b58a..4ca4126554 100755 --- a/base/rootfs/usr/bin/apt-cleanup +++ b/base/rootfs/usr/bin/apt-cleanup @@ -1,3 +1,6 @@ #!/bin/sh +apt-get autopurge -y +apt-get clean + rm -rf /var/lib/apt/lists/ diff --git a/docker-compose.yml b/docker-compose.yml index 3d23a4d70d..80868d4948 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,9 +10,9 @@ services: - '${HTTPS_PORT}:443' volumes: - ${CONFIG}/web:/config:Z - - ${CONFIG}/web/crontabs:/var/spool/cron/crontabs:Z - - ${CONFIG}/transcripts:/usr/share/jitsi-meet/transcripts:Z - - ${CONFIG}/web/load-test:/usr/share/jitsi-meet/load-test:Z + - ${CONFIG}/storage/transcripts:/usr/share/jitsi-meet/transcripts:ro,z + - ${CONFIG}/tmp/web-crontabs:/var/spool/cron/crontabs:Z + - ${CONFIG}/tmp/web-load-test:/usr/share/jitsi-meet/load-test:Z labels: service: "jitsi-web" environment: @@ -203,6 +203,7 @@ services: volumes: - ${CONFIG}/prosody/config:/config:Z - ${CONFIG}/prosody/prosody-plugins-custom:/prosody-plugins-custom:Z + - ${CONFIG}/storage/prosody:/var/lib/prosody:Z environment: - AUTH_TYPE - DISABLE_POLLS 
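Review bot: apt-cleanup now runs `apt-get autopurge -y` and `apt-get clean` ahead of the `rm -rf`, but the script has `#!/bin/sh` and no `set -e`, so a failure in either apt call is discarded and the script's exit status is that of `rm -rf`, which is almost always 0; every `&& apt-cleanup` chain in the Dockerfiles would therefore keep building. Add `set -e` directly under the shebang so a failed purge or clean fails the layer.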
@@ -383,6 +384,7 @@ services: - JICOFO_CONF_STRIP_SIMULCAST - JICOFO_CONF_SSRC_REWRITING - JICOFO_ENABLE_HEALTH_CHECKS + - JICOFO_ENABLE_ICE_FAILURE_DETECTION - JICOFO_ENABLE_REST - JICOFO_HEALTH_CHECKS_USE_PRESENCE - JICOFO_MAX_MEMORY diff --git a/jibri.yml b/jibri.yml index 8257b7531a..4badeac92b 100644 --- a/jibri.yml +++ b/jibri.yml @@ -6,9 +6,8 @@ services: restart: ${RESTART_POLICY:-unless-stopped} volumes: - ${CONFIG}/jibri:/config:Z + - ${CONFIG}/storage/jibri:/storage:Z shm_size: '2gb' - cap_add: - - SYS_ADMIN environment: - AUTOSCALER_SIDECAR_KEY_FILE - AUTOSCALER_SIDECAR_KEY_ID diff --git a/jibri/Dockerfile b/jibri/Dockerfile index 6ac03633fb..4f2eae96fd 100644 --- a/jibri/Dockerfile +++ b/jibri/Dockerfile @@ -2,6 +2,8 @@ ARG JITSI_REPO=jitsi ARG BASE_TAG=latest FROM ${JITSI_REPO}/base-java:${BASE_TAG} +USER root + LABEL org.opencontainers.image.title="Jitsi Broadcasting Infrastructure (jibri)" LABEL org.opencontainers.image.description="Components for recording and/or streaming a conference." LABEL org.opencontainers.image.url="https://github.com/jitsi/jibri" 
@@ -15,32 +17,49 @@ ARG CHROME_RELEASE=130.0.6723.116 COPY rootfs/ / -RUN apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \ - jibri \ - libgl1-mesa-dri \ - procps \ - jitsi-upload-integrations \ - jitsi-autoscaler-sidecar \ - jq \ - pulseaudio \ - dbus \ - dbus-x11 \ - rtkit \ - unzip \ - fonts-noto \ - fonts-noto-cjk \ - libcap2-bin && \ - /usr/bin/install-chrome.sh && \ - apt-cleanup && \ - adduser jibri rtkit && \ - dpkgArch="$(dpkg --print-architecture)" && \ - case "${dpkgArch##*-}" in \ - "amd64") SC_ARCH=x86_64 ;; \ - "arm64") SC_ARCH=aarch64 ;; \ - *) echo "unsupported architecture"; exit 1 ;; \ - esac && \ - wget -qO /usr/bin/shm-check https://github.com/saghul/shm-check/releases/download/v1.0.0/shm-check-${SC_ARCH} && \ - chmod +x /usr/bin/shm-check +RUN \ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \ + dbus \ + dbus-x11 \ + fonts-noto \ + fonts-noto-cjk \ + jibri \ + jitsi-autoscaler-sidecar \ + jitsi-upload-integrations \ + jq \ + libcap2-bin \ + libgl1-mesa-dri \ + procps \ + pulseaudio \ + rtkit \ + unzip \ + && \ + /usr/bin/install-chrome.sh && \ + apt-get purge -y \ + unzip \ + && \ + apt-cleanup && \ +\ + rm -rf /etc/jitsi/jibri && \ + ln -s /run/jibri/config /etc/jitsi/jibri && \ +\ + usermod -a -G audio,jibri,jitsi,rtkit,video s6 && \ + cp -r /home/jibri/. 
/home/s6 && \ + rm -rf /home/jibri && \ + ln -s /run/tmp/s6-config /home/s6/.config && \ + ln -s /run/tmp/s6-local /home/s6/.local && \ + chown s6:s6 /home/s6 -R && \ +\ + dpkgArch="$(dpkg --print-architecture)" && \ + case "${dpkgArch##*-}" in \ + "amd64") SC_ARCH=x86_64 ;; \ + "arm64") SC_ARCH=aarch64 ;; \ + *) echo "unsupported architecture"; exit 1 ;; \ + esac && \ + wget -qO /usr/bin/shm-check https://github.com/saghul/shm-check/releases/download/v1.0.0/shm-check-${SC_ARCH} && \ + chmod +x /usr/bin/shm-check VOLUME /config + +USER s6 diff --git a/jibri/rootfs/defaults/jibri.conf b/jibri/rootfs/defaults/jibri.conf index c3faaa2d27..eb8641298f 100644 --- a/jibri/rootfs/defaults/jibri.conf +++ b/jibri/rootfs/defaults/jibri.conf @@ -32,7 +32,7 @@ jibri { {{ end -}} } recording { - recordings-directory = "{{ .Env.JIBRI_RECORDING_DIR | default "/config/recordings" }}" + recordings-directory = "{{ .Env.JIBRI_RECORDING_DIR | default "/storage/recordings" }}" {{ if .Env.JIBRI_FINALIZE_RECORDING_SCRIPT_PATH -}} finalize-script = "{{ .Env.JIBRI_FINALIZE_RECORDING_SCRIPT_PATH }}" {{ end -}} @@ -73,6 +73,7 @@ jibri { "--kiosk", "--enabled", "--autoplay-policy=no-user-gesture-required", + "--no-sandbox", "--ignore-certificate-errors" ] } diff --git a/jibri/rootfs/defaults/logging.properties b/jibri/rootfs/defaults/logging.properties index ffb40abf57..34f5a07fcf 100644 --- a/jibri/rootfs/defaults/logging.properties +++ b/jibri/rootfs/defaults/logging.properties 
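Review bot: `usermod -a -G audio,jibri,jitsi,rtkit,video s6` together with the script changes collapses the former `jibri` / `autoscaler-sidecar` service users into the single `s6` uid, so Chrome, pulseaudio, Xorg and the sidecar (which reads the autoscaler key referenced from `/run/autoscaler-sidecar/config`) now share one identity and one set of files. That is an unavoidable consequence of running the supervisor without root, since `s6-setuidgid` can no longer switch users, but nothing in the Dockerfile says so. Add a comment above the `usermod` line such as `# every service runs as s6: the container has no root, so per-service users cannot be switched to; keep secrets out of paths Chrome can reach` so a later change does not reintroduce `s6-setuidgid` or assume per-service isolation.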
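Review bot: The added `"--no-sandbox"` flag turns off Chrome's renderer sandbox for every recording session, and it is the counterpart of dropping `cap_add: SYS_ADMIN` in jibri.yml and of the same flag on the pre-warm launch in jibri/rootfs/etc/s6-overlay/scripts/jibri; the page that Chrome renders is the conference itself, so a renderer bug now yields the full `s6` user inside the container rather than a sandboxed process. Dropping CAP_SYS_ADMIN from the container is the larger win, but the trade-off should be written down next to the flag, e.g. `{{/* --no-sandbox: the container runs unprivileged and without CAP_SYS_ADMIN, so Chrome's user-namespace sandbox cannot start; see jibri.yml */}}`. If the deployment can supply a seccomp profile that permits unprivileged user namespaces, that is the narrower alternative to keep in mind.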
@@ -3,25 +3,25 @@ handlers = java.util.logging.FileHandler, java.util.logging.ConsoleHandler org.jitsi.utils.logging2.JitsiLogFormatter.programname=Jibri java.util.logging.FileHandler.level = FINE -java.util.logging.FileHandler.pattern = /config/logs/log.%g.txt +java.util.logging.FileHandler.pattern = /storage/logs/log.%g.txt java.util.logging.FileHandler.formatter = org.jitsi.utils.logging2.JitsiLogFormatter java.util.logging.FileHandler.count = 10 java.util.logging.FileHandler.limit = 10000000 org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.level = FINE -org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.pattern = /config/logs/ffmpeg.%g.txt +org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.pattern = /storage/logs/ffmpeg.%g.txt org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.formatter = org.jitsi.utils.logging2.JitsiLogFormatter org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.count = 10 org.jitsi.jibri.capture.ffmpeg.util.FfmpegFileHandler.limit = 10000000 org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.level = FINE -org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.pattern = /config/logs/pjsua.%g.txt +org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.pattern = /storage/logs/pjsua.%g.txt org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.formatter = org.jitsi.utils.logging2.JitsiLogFormatter org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.count = 10 org.jitsi.jibri.sipgateway.pjsua.util.PjsuaFileHandler.limit = 10000000 org.jitsi.jibri.selenium.util.BrowserFileHandler.level = FINE -org.jitsi.jibri.selenium.util.BrowserFileHandler.pattern = /config/logs/browser.%g.txt +org.jitsi.jibri.selenium.util.BrowserFileHandler.pattern = /storage/logs/browser.%g.txt org.jitsi.jibri.selenium.util.BrowserFileHandler.formatter = org.jitsi.utils.logging2.JitsiLogFormatter org.jitsi.jibri.selenium.util.BrowserFileHandler.count = 10 org.jitsi.jibri.selenium.util.BrowserFileHandler.limit = 10000000 
diff --git a/jibri/rootfs/etc/fix-attrs.d/10-jibri b/jibri/rootfs/etc/fix-attrs.d/10-jibri
deleted file mode 100644
index fff5860ad6..0000000000
--- a/jibri/rootfs/etc/fix-attrs.d/10-jibri
+++ /dev/null
@@ -1,2 +0,0 @@
-/home/jibri/.config true jibri 0640 0750
-/home/jibri false jibri 0640 0750
diff --git a/base/rootfs/etc/cont-finish.d/.gitkeep b/jibri/rootfs/etc/s6-overlay/s6-rc.d/01-config/dependencies.d/base
similarity index 100%
rename from base/rootfs/etc/cont-finish.d/.gitkeep
rename to jibri/rootfs/etc/s6-overlay/s6-rc.d/01-config/dependencies.d/base
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/01-config/type b/jibri/rootfs/etc/s6-overlay/s6-rc.d/01-config/type
new file mode 100644
index 0000000000..bdd22a1850
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/01-config/type
@@ -0,0 +1 @@
+oneshot
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/01-config/up b/jibri/rootfs/etc/s6-overlay/s6-rc.d/01-config/up
new file mode 100644
index 0000000000..5f6439e9af
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/01-config/up
@@ -0,0 +1 @@
+/etc/s6-overlay/scripts/config
diff --git a/base/rootfs/etc/cont-init.d/.gitkeep b/jibri/rootfs/etc/s6-overlay/s6-rc.d/10-xorg/dependencies.d/01-config
similarity index 100%
rename from base/rootfs/etc/cont-init.d/.gitkeep
rename to jibri/rootfs/etc/s6-overlay/s6-rc.d/10-xorg/dependencies.d/01-config
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/10-xorg/run b/jibri/rootfs/etc/s6-overlay/s6-rc.d/10-xorg/run
new file mode 100644
index 0000000000..c70c9f8f00
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/10-xorg/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/xorg
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/10-xorg/type b/jibri/rootfs/etc/s6-overlay/s6-rc.d/10-xorg/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/10-xorg/type
@@ -0,0 +1 @@
+longrun
diff --git a/base/rootfs/etc/fix-attrs.d/.gitkeep b/jibri/rootfs/etc/s6-overlay/s6-rc.d/20-icewm/dependencies.d/10-xorg
similarity index 100%
rename from base/rootfs/etc/fix-attrs.d/.gitkeep
rename to jibri/rootfs/etc/s6-overlay/s6-rc.d/20-icewm/dependencies.d/10-xorg
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/20-icewm/run b/jibri/rootfs/etc/s6-overlay/s6-rc.d/20-icewm/run
new file mode 100644
index 0000000000..703ca3b608
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/20-icewm/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/icewm
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/20-icewm/type b/jibri/rootfs/etc/s6-overlay/s6-rc.d/20-icewm/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/20-icewm/type
@@ -0,0 +1 @@
+longrun
diff --git a/base/rootfs/etc/services.d/.gitkeep b/jibri/rootfs/etc/s6-overlay/s6-rc.d/30-pulse/dependencies.d/20-icewm
similarity index 100%
rename from base/rootfs/etc/services.d/.gitkeep
rename to jibri/rootfs/etc/s6-overlay/s6-rc.d/30-pulse/dependencies.d/20-icewm
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/30-pulse/run b/jibri/rootfs/etc/s6-overlay/s6-rc.d/30-pulse/run
new file mode 100644
index 0000000000..bcccd9f670
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/30-pulse/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/pulse
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/30-pulse/type b/jibri/rootfs/etc/s6-overlay/s6-rc.d/30-pulse/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/30-pulse/type
@@ -0,0 +1 @@
+longrun
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/dependencies.d/30-pulse b/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/dependencies.d/30-pulse
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/finish b/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/finish
new file mode 100644
index 0000000000..82f7b273c9
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/finish
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/jibri-finish
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/run b/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/run
new file mode 100644
index 0000000000..3daa729bd1
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/jibri
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/type b/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/40-jibri/type
@@ -0,0 +1 @@
+longrun
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/dependencies.d/01-config b/jibri/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/dependencies.d/01-config
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run b/jibri/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run
new file mode 100644
index 0000000000..25c1bf8052
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/autoscaler-sidecar
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type b/jibri/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type
@@ -0,0 +1 @@
+longrun
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/01-config b/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/01-config
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-xorg b/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-xorg
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/20-icewm b/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/20-icewm
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/30-pulse b/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/30-pulse
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/40-jibri b/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/40-jibri
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/50-autoscaler-sidecar b/jibri/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/50-autoscaler-sidecar
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/jibri/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar b/jibri/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar
new file mode 100755
index 0000000000..7a32f514b3
--- /dev/null
+++ b/jibri/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar
@@ -0,0 +1,10 @@
+#!/command/with-contenv bash
+
+if [[ -n "$AUTOSCALER_URL" ]] && [[ -f "/run/autoscaler-sidecar/config" ]]; then
+ DAEMON="/usr/bin/node /usr/share/jitsi-autoscaler-sidecar/app.js"
+ exec /bin/bash -c ". /run/autoscaler-sidecar/config && exec $DAEMON"
+else
+ # if autoscaler-sidecar should not be started,
+ # prevent s6 from restarting this script again and again
+ s6-svc -O /run/service/50-autoscaler-sidecar
+fi
diff --git a/jibri/rootfs/etc/cont-init.d/10-config b/jibri/rootfs/etc/s6-overlay/scripts/config
old mode 100644
new mode 100755
similarity index 76%
rename from jibri/rootfs/etc/cont-init.d/10-config
rename to jibri/rootfs/etc/s6-overlay/scripts/config
index 52c75adf5c..b47cc275eb
--- a/jibri/rootfs/etc/cont-init.d/10-config
+++ b/jibri/rootfs/etc/s6-overlay/scripts/config @@ -1,10 +1,7 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash -# Check if the SYS_ADMIN cap is set -if ! capsh --has-p=cap_sys_admin; then - echo "Required capability SYS_ADMIN is missing" - exit 1 -fi +mkdir -p /run/jibri/config +find /config -maxdepth 1 -type f -exec cp {} /run/jibri/config \; # Check if /dev/shm is large enough (2GB at least) if ! shm-check; then @@ -49,7 +46,7 @@ if [ -n "$AUTOSCALER_URL" ]; then fi if [ -z "$AUTOSCALER_SIDECAR_KEY_ID" ]; then # assume key id is equal to the base real path of the key file minus .pem - export AUTOSCALER_SIDECAR_KEY_ID="$(basename "$(realpath "$AUTOSCALER_SIDECAR_KEY_FILE")" | tr -d '.pem')" + export AUTOSCALER_SIDECAR_KEY_ID="$(basename "$(realpath "$AUTOSCALER_SIDECAR_KEY_FILE")" | sed 's/\.pem$//')" fi if [ -f "$AUTOSCALER_SIDECAR_KEY_FILE" ]; then @@ -64,8 +61,8 @@ if [ -n "$AUTOSCALER_URL" ]; then [ -z "$AUTOSCALER_SIDECAR_GROUP_NAME" ] && export AUTOSCALER_SIDECAR_GROUP_NAME="docker-jibri" [ -z "$LOCAL_ADDRESS" ] && export LOCAL_ADDRESS="$(ip route get 1 | grep -oP '(?<=src ).*' | awk '{ print $1 '})" - mkdir -p /etc/jitsi/autoscaler-sidecar - tpl /defaults/autoscaler-sidecar.config > /etc/jitsi/autoscaler-sidecar/config + mkdir -pm 750 /run/autoscaler-sidecar + tpl /defaults/autoscaler-sidecar.config > /run/autoscaler-sidecar/config else echo "No key file at $AUTOSCALER_SIDECAR_KEY_FILE, leaving autoscaler sidecar disabled" fi 
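Review bot: `mkdir -p /run/jibri/config` in the first hunk now executes as the unprivileged `s6` user (the Dockerfiles end with `USER s6`), and none of the hunks shown make `/run` writable for that user, so unless the runtime mounts a tmpfs there or ownership is adjusted elsewhere this `mkdir`, the `/run/autoscaler-sidecar` one below and `/run/jicofo/config` in jicofo's config script will fail at container start; please confirm against the compose or runtime configuration and document the requirement in the script header. The directory also receives `xmpp.conf`, which carries the XMPP credentials, yet it is created with the default umask while the sidecar directory gets `-pm 750`; for consistency use `mkdir -pm 750 /run/jibri/config`. The `find /config … -exec cp` that follows copies only regular files at depth 1, so a comment stating that subdirectories of `/config` are intentionally not carried over would spare the next reader a guess.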
@@ -77,17 +74,23 @@ fi [ -z "${XMPP_HIDDEN_DOMAIN}" ] && export XMPP_HIDDEN_DOMAIN="$XMPP_RECORDER_DOMAIN" # always recreate configs -tpl /defaults/jibri.conf > /etc/jitsi/jibri/jibri.conf -tpl /defaults/xmpp.conf > /etc/jitsi/jibri/xmpp.conf -tpl /defaults/logging.properties > /etc/jitsi/jibri/logging.properties -tpl /defaults/xorg-video-dummy.conf > /etc/jitsi/jibri/xorg-video-dummy.conf +tpl /defaults/jibri.conf > /run/jibri/config/jibri.conf +tpl /defaults/xmpp.conf > /run/jibri/config/xmpp.conf +tpl /defaults/logging.properties > /run/jibri/config/logging.properties +tpl /defaults/xorg-video-dummy.conf > /run/jibri/config/xorg-video-dummy.conf # make recording dir -[ -z "${JIBRI_RECORDING_DIR}" ] && export JIBRI_RECORDING_DIR=/config/recordings +[ -z "${JIBRI_RECORDING_DIR}" ] && export JIBRI_RECORDING_DIR=/storage/recordings mkdir -p ${JIBRI_RECORDING_DIR} -chown -R jibri ${JIBRI_RECORDING_DIR} +chown -R s6 ${JIBRI_RECORDING_DIR} # make logs dir -JIBRI_LOGS_DIR=/config/logs +JIBRI_LOGS_DIR=/storage/logs mkdir -p ${JIBRI_LOGS_DIR} -chown -R jibri ${JIBRI_LOGS_DIR} +chown -R s6 ${JIBRI_LOGS_DIR} + +# make .config and .local dirs +# these are temporary folders linked to /home/s6/.config and /home/s6/.local +mkdir -p /run/tmp/s6-local +mkdir -p /run/tmp/s6-config +cp -r /home/s6/config/. /run/tmp/s6-config diff --git a/jibri/rootfs/etc/s6-overlay/scripts/icewm b/jibri/rootfs/etc/s6-overlay/scripts/icewm new file mode 100755 index 0000000000..43b9430127 --- /dev/null +++ b/jibri/rootfs/etc/s6-overlay/scripts/icewm @@ -0,0 +1,4 @@ +#!/command/with-contenv bash + +DAEMON="/usr/bin/icewm-session" +exec /bin/bash -c "exec $DAEMON" diff --git a/jibri/rootfs/etc/services.d/40-jibri/run b/jibri/rootfs/etc/s6-overlay/scripts/jibri old mode 100644 new mode 100755 similarity index 58% rename from jibri/rootfs/etc/services.d/40-jibri/run rename to jibri/rootfs/etc/s6-overlay/scripts/jibri index fe481819e0..3ebe1e4ebd --- a/jibri/rootfs/etc/services.d/40-jibri/run 
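Review bot: `chown -R s6 ${JIBRI_RECORDING_DIR}` and `chown -R s6 ${JIBRI_LOGS_DIR}` now run as the `s6` user itself, and an unprivileged chown only succeeds on files that user already owns, so on a `/storage` volume that still holds recordings from the previous `jibri`-owned layout these lines print errors and, with no `set -e` in the script, continue as if nothing happened. Where they succeed they are a no-op, so either drop them or guard them, e.g. `[ "$(id -u)" -eq 0 ] && chown -R s6 "${JIBRI_RECORDING_DIR}"`, and quote the expansions while touching the lines. A sentence in the comment above `# make recording dir` noting that the volume must be writable by the `s6` uid would make the migration requirement explicit.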
+++ b/jibri/rootfs/etc/s6-overlay/scripts/jibri @@ -1,12 +1,11 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash # we have to set it, otherwise chrome won't find ~/.asoundrc file -HOME=/home/jibri +HOME=/home/s6 DAEMON=/opt/jitsi/jibri/launch.sh CHROME_BIN_PATH="$(which google-chrome)" [ $? -ne 0 ] && CHROME_BIN_PATH="$(which chromium)" # pre-warm google chrome before jibri launches to ensure fast chrome launch during recordings -[ -n "$CHROME_BIN_PATH" ] && s6-setuidgid jibri $CHROME_BIN_PATH --timeout=1000 --headless about:blank -exec s6-setuidgid jibri /bin/bash -c "exec $DAEMON" - +[ -n "$CHROME_BIN_PATH" ] && $CHROME_BIN_PATH --timeout=1000 --headless --no-sandbox about:blank +exec /bin/bash -c "exec $DAEMON" diff --git a/jibri/rootfs/etc/services.d/40-jibri/finish b/jibri/rootfs/etc/s6-overlay/scripts/jibri-finish similarity index 76% rename from jibri/rootfs/etc/services.d/40-jibri/finish rename to jibri/rootfs/etc/s6-overlay/scripts/jibri-finish index ca3475b80b..162224413f 100755 --- a/jibri/rootfs/etc/services.d/40-jibri/finish +++ b/jibri/rootfs/etc/s6-overlay/scripts/jibri-finish @@ -1,9 +1,9 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash # When jibri is shutdown (or gracefully shutdown), it exits with code 255. # In this case, we don't want S6 to restart the service. We want to stop all # services and shutdown the container. if [[ $1 -eq 255 ]]; then - s6-svscanctl -t /var/run/s6/services + s6-svscanctl -t /run/service fi diff --git a/jibri/rootfs/etc/s6-overlay/scripts/pulse b/jibri/rootfs/etc/s6-overlay/scripts/pulse new file mode 100755 index 0000000000..6df9d24eaa --- /dev/null +++ b/jibri/rootfs/etc/s6-overlay/scripts/pulse @@ -0,0 +1,4 @@ +#!/command/with-contenv bash + +HOME=/home/s6 +exec /bin/bash -c "exec /usr/bin/pulseaudio" diff --git a/jibri/rootfs/etc/s6-overlay/scripts/xorg b/jibri/rootfs/etc/s6-overlay/scripts/xorg new file mode 100755 index 0000000000..d328768f9b --- /dev/null 
+++ b/jibri/rootfs/etc/s6-overlay/scripts/xorg
@@ -0,0 +1,4 @@
+#!/command/with-contenv bash
+
+DAEMON="/usr/bin/Xorg -nocursor -noreset +extension RANDR +extension RENDER -logfile /storage/logs/xorg.log -config /run/jibri/config/xorg-video-dummy.conf ${DISPLAY}"
+exec /bin/bash -c "exec $DAEMON"
diff --git a/jibri/rootfs/etc/services.d/10-xorg/run b/jibri/rootfs/etc/services.d/10-xorg/run
deleted file mode 100644
index a67b1fbebc..0000000000
--- a/jibri/rootfs/etc/services.d/10-xorg/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-DAEMON="/usr/bin/Xorg -nocursor -noreset +extension RANDR +extension RENDER -logfile /tmp/xorg.log -config /etc/jitsi/jibri/xorg-video-dummy.conf ${DISPLAY}"
-exec s6-setuidgid jibri /bin/bash -c "exec $DAEMON"
-
diff --git a/jibri/rootfs/etc/services.d/20-icewm/run b/jibri/rootfs/etc/services.d/20-icewm/run
deleted file mode 100644
index a79e3cfd85..0000000000
--- a/jibri/rootfs/etc/services.d/20-icewm/run
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-DAEMON="/usr/bin/icewm-session"
-exec s6-setuidgid jibri /bin/bash -c "exec $DAEMON"
-
diff --git a/jibri/rootfs/etc/services.d/30-pulse/run b/jibri/rootfs/etc/services.d/30-pulse/run
deleted file mode 100644
index f6e131c4b7..0000000000
--- a/jibri/rootfs/etc/services.d/30-pulse/run
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-HOME=/home/jibri
-exec s6-setuidgid jibri /bin/bash -c "exec /usr/bin/pulseaudio"
diff --git a/jibri/rootfs/etc/services.d/50-autoscaler-sidecar/run b/jibri/rootfs/etc/services.d/50-autoscaler-sidecar/run
deleted file mode 100644
index 22f775088e..0000000000
--- a/jibri/rootfs/etc/services.d/50-autoscaler-sidecar/run
+++ /dev/null
@@ -1,10 +0,0 @@ -#!/usr/bin/with-contenv bash - -if [[ -n "$AUTOSCALER_URL" ]] && [[ -f "/etc/jitsi/autoscaler-sidecar/config" ]]; then - DAEMON="/usr/bin/node /usr/share/jitsi-autoscaler-sidecar/app.js" - exec s6-setuidgid autoscaler-sidecar /bin/bash -c ". /etc/jitsi/autoscaler-sidecar/config && exec $DAEMON" -else - # if autoscaler-sidecar should not be started, - # prevent s6 from restarting this script again and again - s6-svc -O /var/run/s6/services/50-autoscaler-sidecar -fi diff --git a/jibri/rootfs/home/s6/config/README.md b/jibri/rootfs/home/s6/config/README.md new file mode 100644 index 0000000000..ca51588a5a --- /dev/null +++ b/jibri/rootfs/home/s6/config/README.md @@ -0,0 +1,3 @@ +/home/s6/.config is a symbolic link to /run/tmp/s6-config in the container and +its content is generated from this folder because we need a writable folder in +the container. diff --git a/jibri/rootfs/home/jibri/.config/pulse/client.conf b/jibri/rootfs/home/s6/config/pulse/client.conf similarity index 100% rename from jibri/rootfs/home/jibri/.config/pulse/client.conf rename to jibri/rootfs/home/s6/config/pulse/client.conf diff --git a/jibri/rootfs/home/jibri/.config/pulse/daemon.conf b/jibri/rootfs/home/s6/config/pulse/daemon.conf similarity index 80% rename from jibri/rootfs/home/jibri/.config/pulse/daemon.conf rename to jibri/rootfs/home/s6/config/pulse/daemon.conf index cf3fdd561c..35dffb4a90 100644 --- a/jibri/rootfs/home/jibri/.config/pulse/daemon.conf +++ b/jibri/rootfs/home/s6/config/pulse/daemon.conf @@ -6,4 +6,4 @@ exit-idle-time = -1 flat-volumes = no deferred-volume-safety-margin-usec = 1 log-level = info -log-target = file:/config/logs/pulse.log +log-target = file:/storage/logs/pulse.log diff --git a/jibri/rootfs/home/jibri/.config/pulse/default.pa b/jibri/rootfs/home/s6/config/pulse/default.pa similarity index 100% rename from jibri/rootfs/home/jibri/.config/pulse/default.pa rename to jibri/rootfs/home/s6/config/pulse/default.pa 
diff --git a/jibri/rootfs/opt/jitsi/shutdown.sh b/jibri/rootfs/opt/jitsi/shutdown.sh index 1cc01e4081..422022adf8 100755 --- a/jibri/rootfs/opt/jitsi/shutdown.sh +++ b/jibri/rootfs/opt/jitsi/shutdown.sh @@ -1,4 +1,5 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash + # notify the sidecar of imminent shutdown PORT=${AUTOSCALER_SIDECAR_PORT:-6000} curl -d '{}' -v 0:$PORT/hook/v1/shutdown @@ -8,4 +9,4 @@ sleep 10 /opt/jitsi/jibri/shutdown.sh # shutdown everything else -s6-svscanctl -t /var/run/s6/services +s6-svscanctl -t /run/service diff --git a/jicofo/Dockerfile b/jicofo/Dockerfile index 424eea940d..16dbf9f900 100644 --- a/jicofo/Dockerfile +++ b/jicofo/Dockerfile @@ -2,16 +2,21 @@ ARG JITSI_REPO=jitsi ARG BASE_TAG=latest FROM ${JITSI_REPO}/base-java:${BASE_TAG} +USER root + LABEL org.opencontainers.image.title="Jitsi Conference Focus (jicofo)" LABEL org.opencontainers.image.description="Server-side focus component that manages media sessions and acts as load balancer." LABEL org.opencontainers.image.url="https://github.com/jitsi/jicofo" LABEL org.opencontainers.image.source="https://github.com/jitsi/docker-jitsi-meet" LABEL org.opencontainers.image.documentation="https://jitsi.github.io/handbook/" -RUN apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y jicofo && \ - apt-cleanup +RUN \ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get install -y jicofo && \ + apt-cleanup COPY rootfs/ / VOLUME /config + +USER s6 diff --git a/jicofo/rootfs/defaults/jicofo.conf b/jicofo/rootfs/defaults/jicofo.conf index ed720a51a5..875eb1d5fb 100644 --- a/jicofo/rootfs/defaults/jicofo.conf +++ b/jicofo/rootfs/defaults/jicofo.conf 
@@ -93,6 +93,12 @@ jicofo { } {{ end }} + {{ if .Env.JICOFO_ENABLE_ICE_FAILURE_DETECTION }} + ice-failure-detection { + enabled = {{ .Env.JICOFO_ENABLE_ICE_FAILURE_DETECTION | toBool }} + } + {{ end }} + {{ if $ENABLE_JVB_XMPP_SERVER }} brewery-jid = "{{ $JVB_BREWERY_MUC }}@{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN }}" {{ else }} diff --git a/jicofo/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jicofo/rootfs/etc/s6-overlay/s6-rc.d/10-config/type b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/10-config/type new file mode 100644 index 0000000000..bdd22a1850 --- /dev/null +++ b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/10-config/type @@ -0,0 +1 @@ +oneshot diff --git a/jicofo/rootfs/etc/s6-overlay/s6-rc.d/10-config/up b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/10-config/up new file mode 100644 index 0000000000..5f6439e9af --- /dev/null +++ b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/10-config/up @@ -0,0 +1 @@ +/etc/s6-overlay/scripts/config diff --git a/jicofo/rootfs/etc/s6-overlay/s6-rc.d/jicofo/dependencies.d/10-config b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/jicofo/dependencies.d/10-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jicofo/rootfs/etc/s6-overlay/s6-rc.d/jicofo/run b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/jicofo/run new file mode 100644 index 0000000000..a2064152db --- /dev/null +++ b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/jicofo/run @@ -0,0 +1,3 @@ +#!/command/execlineb -P + +/etc/s6-overlay/scripts/jicofo diff --git a/jicofo/rootfs/etc/s6-overlay/s6-rc.d/jicofo/type b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/jicofo/type new file mode 100644 index 0000000000..5883cff0cd --- /dev/null +++ b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/jicofo/type @@ -0,0 +1 @@ +longrun 
diff --git a/jicofo/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jicofo/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/jicofo b/jicofo/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/jicofo new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jicofo/rootfs/etc/cont-init.d/10-config b/jicofo/rootfs/etc/s6-overlay/scripts/config old mode 100644 new mode 100755 similarity index 75% rename from jicofo/rootfs/etc/cont-init.d/10-config rename to jicofo/rootfs/etc/s6-overlay/scripts/config index daf8aec69a..9a13c989cc --- a/jicofo/rootfs/etc/cont-init.d/10-config +++ b/jicofo/rootfs/etc/s6-overlay/scripts/config @@ -1,4 +1,4 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash export SENTRY_RELEASE="${SENTRY_RELEASE:-$(apt-cache policy jicofo | sed -n '/Installed/p' | sed -e 's/[^:]*: //')}" @@ -16,7 +16,6 @@ fi # maintain backward compatibility with older variable [ -z "${XMPP_HIDDEN_DOMAIN}" ] && export XMPP_HIDDEN_DOMAIN="$XMPP_RECORDER_DOMAIN" -tpl /defaults/logging.properties > /config/logging.properties -tpl /defaults/jicofo.conf > /config/jicofo.conf - -chown -R jicofo:jitsi /config +mkdir -p /run/jicofo/config +tpl /defaults/logging.properties > /run/jicofo/config/logging.properties +tpl /defaults/jicofo.conf > /run/jicofo/config/jicofo.conf diff --git a/jicofo/rootfs/etc/s6-overlay/scripts/jicofo b/jicofo/rootfs/etc/s6-overlay/scripts/jicofo new file mode 100755 index 0000000000..aa670e5ff5 --- /dev/null +++ b/jicofo/rootfs/etc/s6-overlay/scripts/jicofo 
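Review bot: `mkdir -p /run/jicofo/config` creates the directory that receives the rendered jicofo.conf and logging.properties with whatever the umask allows, while the sibling jigasi and jvb config scripts in this same commit create their autoscaler directory with `mkdir -pm 750 /run/autoscaler-sidecar`. The rendered config is built from environment values and is the one file in the container a reader would expect to be private, so the same restriction seems warranted here: `mkdir -pm 750 /run/jicofo/config`. The same `mkdir -p` appears for `/run/jigasi/config` in the jigasi config script and for `/run/jvb/config` in the jvb config script later in this diff. The enclosing script continues outside the hunk.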
@@ -0,0 +1,11 @@
+#!/command/with-contenv bash
+
+JAVA_SYS_PROPS="-Djava.util.logging.config.file=/run/jicofo/config/logging.properties -Dconfig.file=/run/jicofo/config/jicofo.conf"
+DAEMON=/usr/share/jicofo/jicofo.sh
+DAEMON_DIR=/usr/share/jicofo/
+
+JICOFO_CMD="exec $DAEMON"
+
+[ -n "$JICOFO_LOG_FILE" ] && JICOFO_CMD="$JICOFO_CMD 2>&1 | tee $JICOFO_LOG_FILE"
+
+exec /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" $JICOFO_CMD"
diff --git a/jicofo/rootfs/etc/services.d/jicofo/run b/jicofo/rootfs/etc/services.d/jicofo/run
deleted file mode 100644
index a34e801f19..0000000000
--- a/jicofo/rootfs/etc/services.d/jicofo/run
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-JAVA_SYS_PROPS="-Djava.util.logging.config.file=/config/logging.properties -Dconfig.file=/config/jicofo.conf"
-DAEMON=/usr/share/jicofo/jicofo.sh
-DAEMON_DIR=/usr/share/jicofo/
-
-JICOFO_CMD="exec $DAEMON"
-
-[ -n "$JICOFO_LOG_FILE" ] && JICOFO_CMD="$JICOFO_CMD 2>&1 | tee $JICOFO_LOG_FILE"
-
-exec s6-setuidgid jicofo /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" $JICOFO_CMD"
diff --git a/jigasi/Dockerfile b/jigasi/Dockerfile
index 0a2ac1f396..63d12ef943 100644
--- a/jigasi/Dockerfile
+++ b/jigasi/Dockerfile
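Review bot: `cd $DAEMON_DIR;` in the final `bash -c` string does not stop on failure, so if the directory is missing the daemon is still exec'd from the wrong working directory; `cd "$DAEMON_DIR" && ` would fail fast instead. The same string also interpolates `$JICOFO_LOG_FILE` unquoted into a command line that bash re-parses, so a value containing spaces or shell metacharacters changes the command rather than the file name; the new jigasi and jvb service scripts later in this diff carry the identical `tee $…_LOG_FILE` pattern. Since the `s6-setuidgid jicofo` wrapper from the deleted run script is gone, a one-line comment stating which user the daemon now runs as (the image's `USER s6`, if that is the intent) would save the next reader a trip to the Dockerfile.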
@@ -2,18 +2,27 @@ ARG JITSI_REPO=jitsi ARG BASE_TAG=latest FROM ${JITSI_REPO}/base-java:${BASE_TAG} +USER root + LABEL org.opencontainers.image.title="Jitsi Gateway to SIP (jigasi)" LABEL org.opencontainers.image.description="Server-side application that allows regular SIP clients to join conferences." LABEL org.opencontainers.image.url="https://github.com/jitsi/jigasi" LABEL org.opencontainers.image.source="https://github.com/jitsi/docker-jitsi-meet" LABEL org.opencontainers.image.documentation="https://jitsi.github.io/handbook/" -ENV GOOGLE_APPLICATION_CREDENTIALS /config/key.json +ENV GOOGLE_APPLICATION_CREDENTIALS /run/jigasi/config/key.json -RUN apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y jigasi jq jitsi-autoscaler-sidecar && \ - apt-cleanup +RUN \ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get install -y \ + jigasi \ + jitsi-autoscaler-sidecar \ + jq \ + && \ + apt-cleanup COPY rootfs/ / VOLUME ["/config", "/tmp/transcripts"] + +USER s6 diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/10-config/type b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/10-config/type new file mode 100644 index 0000000000..bdd22a1850 --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/10-config/type @@ -0,0 +1 @@ +oneshot diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/10-config/up b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/10-config/up new file mode 100644 index 0000000000..5f6439e9af --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/10-config/up @@ -0,0 +1 @@ +/etc/s6-overlay/scripts/config diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/dependencies.d/10-config b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/dependencies.d/10-config new file mode 100644 index 0000000000..e69de29bb2 
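Review bot: The rewritten `ENV GOOGLE_APPLICATION_CREDENTIALS /run/jigasi/config/key.json` keeps the legacy space-separated form, which BuildKit's build check flags as LegacyKeyValueFormat; since the line is being changed anyway, use `ENV GOOGLE_APPLICATION_CREDENTIALS=/run/jigasi/config/key.json`. The `USER root` / `USER s6` bracketing is the right shape, but a short comment on `USER root` saying it is only needed for the package install would make the intent explicit for the next edit.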
diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run new file mode 100644 index 0000000000..25c1bf8052 --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run @@ -0,0 +1,3 @@ +#!/command/execlineb -P + +/etc/s6-overlay/scripts/autoscaler-sidecar diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type new file mode 100644 index 0000000000..5883cff0cd --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type @@ -0,0 +1 @@ +longrun diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/dependencies.d/10-config b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/dependencies.d/10-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/finish b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/finish new file mode 100644 index 0000000000..7146135ded --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/finish @@ -0,0 +1,3 @@ +#!/command/execlineb -P + +/etc/s6-overlay/scripts/jigasi-finish diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/run b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/run new file mode 100644 index 0000000000..3919b4ea73 --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/run @@ -0,0 +1,3 @@ +#!/command/execlineb -P + +/etc/s6-overlay/scripts/jigasi diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/type b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/type new file mode 100644 index 0000000000..5883cff0cd --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/jigasi/type @@ -0,0 +1 @@ +longrun diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/50-autoscaler-sidecar b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/50-autoscaler-sidecar new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jigasi/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/jigasi b/jigasi/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/jigasi new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jigasi/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar b/jigasi/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar new file mode 100755 index 0000000000..7a32f514b3 --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar @@ -0,0 +1,10 @@ +#!/command/with-contenv bash + +if [[ -n "$AUTOSCALER_URL" ]] && [[ -f "/run/autoscaler-sidecar/config" ]]; then + DAEMON="/usr/bin/node /usr/share/jitsi-autoscaler-sidecar/app.js" + exec /bin/bash -c ". /run/autoscaler-sidecar/config && exec $DAEMON" +else + # if autoscaler-sidecar should not be started, + # prevent s6 from restarting this script again and again + s6-svc -O /run/service/50-autoscaler-sidecar +fi diff --git a/jigasi/rootfs/etc/cont-init.d/10-config b/jigasi/rootfs/etc/s6-overlay/scripts/config old mode 100644 new mode 100755 similarity index 75% rename from jigasi/rootfs/etc/cont-init.d/10-config rename to jigasi/rootfs/etc/s6-overlay/scripts/config index 15c4974c09..22cf0d5b60 --- a/jigasi/rootfs/etc/cont-init.d/10-config +++ b/jigasi/rootfs/etc/s6-overlay/scripts/config @@ -1,4 +1,7 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash + +mkdir -p /run/jigasi/config +cp -r /config/. /run/jigasi/config export SENTRY_RELEASE="${SENTRY_RELEASE:-$(apt-cache policy jigasi | sed -n '/Installed/p' | sed -e 's/[^:]*: //')}" 
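Review bot: The new autoscaler-sidecar script drops the `s6-setuidgid autoscaler-sidecar` wrapper that the deleted services.d run script used (visible further down in this diff), so the sidecar now runs under the same account as jigasi itself instead of its own dedicated user. That may be the intended consequence of the non-root `USER s6` image, but it is a privilege-separation change that is not mentioned anywhere in the hunk; a comment such as `# runs as the s6 service user; the dedicated autoscaler-sidecar account is no longer used` above the `exec` would record it. The jvb copy of this script later in the diff is identical and would want the same note.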
@@ -31,7 +34,7 @@ if [ -n "$AUTOSCALER_URL" ]; then fi if [ -z "$AUTOSCALER_SIDECAR_KEY_ID" ]; then # assume key id is equal to the base real path of the key file minus .pem - export AUTOSCALER_SIDECAR_KEY_ID="$(basename "$(realpath "$AUTOSCALER_SIDECAR_KEY_FILE")" | tr -d '.pem')" + export AUTOSCALER_SIDECAR_KEY_ID="$(basename "$(realpath "$AUTOSCALER_SIDECAR_KEY_FILE")" | sed 's/\.pem$//')" fi if [ -f "$AUTOSCALER_SIDECAR_KEY_FILE" ]; then @@ -44,8 +47,8 @@ if [ -n "$AUTOSCALER_URL" ]; then [ -z "$AUTOSCALER_SIDECAR_REGION" ] && export AUTOSCALER_SIDECAR_REGION="docker" [ -z "$AUTOSCALER_SIDECAR_GROUP_NAME" ] && export AUTOSCALER_SIDECAR_GROUP_NAME="docker-jigasi" - mkdir -p /etc/jitsi/autoscaler-sidecar - tpl /defaults/autoscaler-sidecar.config > /etc/jitsi/autoscaler-sidecar/config + mkdir -pm 750 /run/autoscaler-sidecar + tpl /defaults/autoscaler-sidecar.config > /run/autoscaler-sidecar/config else echo "No key file at $AUTOSCALER_SIDECAR_KEY_FILE, leaving autoscaler sidecar disabled" fi 
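Review bot: `mkdir -pm 750 /run/autoscaler-sidecar` restricts the directory, but the config file written on the next line by `tpl … > /run/autoscaler-sidecar/config` is created with the process umask, so the file itself is not covered by the 750. This block only runs when `AUTOSCALER_SIDECAR_KEY_FILE` exists, which suggests the rendered config is meant to be private; wrapping the write as `(umask 077; tpl /defaults/autoscaler-sidecar.config > /run/autoscaler-sidecar/config)` would make the file mode match the directory. The jvb config script has the same pair of lines later in this diff. The `sed 's/\.pem$//'` replacement for `tr -d '.pem'` is a genuine fix, since `tr -d` deleted every p, e, m and dot character rather than the suffix.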
@@ -56,20 +59,19 @@ fi # maintain backward compatibility with older variable [ -z "${XMPP_HIDDEN_DOMAIN}" ] && export XMPP_HIDDEN_DOMAIN="$XMPP_RECORDER_DOMAIN" -tpl /defaults/logging.properties > /config/logging.properties -tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties -tpl /defaults/xmpp-sip-communicator.properties >> /config/sip-communicator.properties +tpl /defaults/logging.properties > /run/jigasi/config/logging.properties +tpl /defaults/sip-communicator.properties > /run/jigasi/config/sip-communicator.properties +tpl /defaults/xmpp-sip-communicator.properties >> /run/jigasi/config/sip-communicator.properties if [[ "$JIGASI_MODE" == "sip" ]]; then - tpl /defaults/sipserver-sip-communicator.properties >> /config/sip-communicator.properties + tpl /defaults/sipserver-sip-communicator.properties >> /run/jigasi/config/sip-communicator.properties elif [[ "$JIGASI_MODE" == "transcriber" ]]; then - tpl /defaults/transcriber-sip-communicator.properties >> /config/sip-communicator.properties + tpl /defaults/transcriber-sip-communicator.properties >> /run/jigasi/config/sip-communicator.properties mkdir -pm777 /tmp/transcripts - chown jigasi:jitsi /tmp/transcripts # Create Google Cloud Credentials if [[ -z $GC_PROJECT_ID || -z $GC_PRIVATE_KEY_ID || -z $GC_PRIVATE_KEY || -z $GC_CLIENT_EMAIL || -z $GC_CLIENT_ID || -z $GC_CLIENT_CERT_URL ]]; then - echo 'Transcriptions: One or more gcloud environment variables are undefined, skipping gcloud credentials file /config/key.json' + echo 'Transcriptions: One or more gcloud environment variables are undefined, skipping gcloud credentials file /run/jigasi/config/key.json' else jq -n \ --arg GC_PROJECT_ID "$GC_PROJECT_ID" \ 
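Review bot: `mkdir -pm777 /tmp/transcripts` is kept while the `chown jigasi:jitsi /tmp/transcripts` that justified it is removed; with the service now running as the same user that creates the directory, world-writable appears no longer necessary and `mkdir -pm 770 /tmp/transcripts` (or 750) would be the least-privilege choice. Note that `-pm` only applies the mode when the directory is created, so on a pre-existing `/tmp/transcripts` volume the mode is left as mounted either way; a comment saying so would prevent someone relying on it.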
@@ -90,13 +92,13 @@ elif [[ "$JIGASI_MODE" == "transcriber" ]]; then auth_provider_x509_cert_url: "https://www.googleapis.com/oauth2/v1/certs", client_x509_cert_url: $GC_CLIENT_CERT_URL }' \ - > /config/key.json + > /run/jigasi/config/key.json fi fi -if [[ -f /config/custom-sip-communicator.properties ]]; then - cat /config/custom-sip-communicator.properties >> /config/sip-communicator.properties +if [[ -f /run/jigasi/config/custom-sip-communicator.properties ]]; then + cat /run/jigasi/config/custom-sip-communicator.properties >> /run/jigasi/config/sip-communicator.properties +fi +if [[ -f /run/jigasi/config/custom-logging.properties ]]; then + cat /run/jigasi/config/custom-logging.properties >> /run/jigasi/config/logging.properties fi -if [[ -f /config/custom-logging.properties ]]; then - cat /config/custom-logging.properties >> /config/logging.properties -fi \ No newline at end of file diff --git a/jigasi/rootfs/etc/s6-overlay/scripts/jigasi b/jigasi/rootfs/etc/s6-overlay/scripts/jigasi new file mode 100755 index 0000000000..06a9a064da --- /dev/null +++ b/jigasi/rootfs/etc/s6-overlay/scripts/jigasi @@ -0,0 +1,11 @@ +#!/command/with-contenv bash + +JAVA_SYS_PROPS="-Djava.util.logging.config.file=/run/jigasi/config/logging.properties" + +DAEMON=/usr/share/jigasi/jigasi.sh +DAEMON_OPTS="--nocomponent=true --configdir=/run/jigasi --configdirname=config --min-port=${JIGASI_PORT_MIN:-20000} --max-port=${JIGASI_PORT_MAX:-20050}" + +JIGASI_CMD="JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS" +[ -n "$JIGASI_LOG_FILE" ] && JIGASI_CMD="$JIGASI_CMD 2>&1 | tee $JIGASI_LOG_FILE" + +exec /bin/bash -c "$JIGASI_CMD" diff --git a/jigasi/rootfs/etc/services.d/jigasi/finish b/jigasi/rootfs/etc/s6-overlay/scripts/jigasi-finish old mode 100644 new mode 100755 similarity index 89% rename from jigasi/rootfs/etc/services.d/jigasi/finish rename to jigasi/rootfs/etc/s6-overlay/scripts/jigasi-finish index 73ee50b2f5..79bfd370ee --- a/jigasi/rootfs/etc/services.d/jigasi/finish 
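Review bot: The `jq -n … > /run/jigasi/config/key.json` redirect writes a file that holds `GC_PRIVATE_KEY` with the default umask, so the service-account private key is typically created world-readable inside the container; the new path in `/run` does not change that. Creating it under a restrictive umask, e.g. `(umask 077; jq -n … > /run/jigasi/config/key.json)`, or following the write with `chmod 600 /run/jigasi/config/key.json`, keeps the key readable only by the service user. The enclosing `if` block starts outside the hunk.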
+++ b/jigasi/rootfs/etc/s6-overlay/scripts/jigasi-finish @@ -1,4 +1,4 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash # When the jigasi is shutdown (or gracefully shutdown), it exits with code 0. # In this case, we don't want S6 to restart the service. We want to stop all diff --git a/jigasi/rootfs/etc/services.d/50-autoscaler-sidecar/run b/jigasi/rootfs/etc/services.d/50-autoscaler-sidecar/run deleted file mode 100644 index 22f775088e..0000000000 --- a/jigasi/rootfs/etc/services.d/50-autoscaler-sidecar/run +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/with-contenv bash - -if [[ -n "$AUTOSCALER_URL" ]] && [[ -f "/etc/jitsi/autoscaler-sidecar/config" ]]; then - DAEMON="/usr/bin/node /usr/share/jitsi-autoscaler-sidecar/app.js" - exec s6-setuidgid autoscaler-sidecar /bin/bash -c ". /etc/jitsi/autoscaler-sidecar/config && exec $DAEMON" -else - # if autoscaler-sidecar should not be started, - # prevent s6 from restarting this script again and again - s6-svc -O /var/run/s6/services/50-autoscaler-sidecar -fi diff --git a/jigasi/rootfs/etc/services.d/jigasi/run b/jigasi/rootfs/etc/services.d/jigasi/run deleted file mode 100644 index 9c7f054c6c..0000000000 --- a/jigasi/rootfs/etc/services.d/jigasi/run +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/with-contenv bash - -JAVA_SYS_PROPS="-Djava.util.logging.config.file=/config/logging.properties" - -DAEMON=/usr/share/jigasi/jigasi.sh -DAEMON_OPTS="--nocomponent=true --configdir=/ --configdirname=config --min-port=${JIGASI_PORT_MIN:-20000} --max-port=${JIGASI_PORT_MAX:-20050}" - -JIGASI_CMD="JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS" -[ -n "$JIGASI_LOG_FILE" ] && JIGASI_CMD="$JIGASI_CMD 2>&1 | tee $JIGASI_LOG_FILE" - -exec s6-setuidgid jigasi /bin/bash -c "$JIGASI_CMD" diff --git a/jigasi/rootfs/opt/jitsi/shutdown.sh b/jigasi/rootfs/opt/jitsi/shutdown.sh index 4821f60103..e753d784cc 100755 --- a/jigasi/rootfs/opt/jitsi/shutdown.sh +++ b/jigasi/rootfs/opt/jitsi/shutdown.sh 
@@ -1,4 +1,4 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash if [ -n "$AUTOSCALER_URL" ]; then # notify the sidecar of imminent shutdown @@ -8,4 +8,4 @@ if [ -n "$AUTOSCALER_URL" ]; then fi # shutdown everything -s6-svscanctl -t /var/run/s6/services +s6-svscanctl -t /run/service diff --git a/jvb/Dockerfile b/jvb/Dockerfile index 036f83bd24..940dc26095 100644 --- a/jvb/Dockerfile +++ b/jvb/Dockerfile @@ -2,16 +2,28 @@ ARG JITSI_REPO=jitsi ARG BASE_TAG=latest FROM ${JITSI_REPO}/base-java:${BASE_TAG} +USER root + LABEL org.opencontainers.image.title="Jitsi Videobridge (jvb)" LABEL org.opencontainers.image.description="WebRTC compatible server designed to route video streams amongst participants in a conference." LABEL org.opencontainers.image.url="https://jitsi.org/jitsi-videobridge/" LABEL org.opencontainers.image.source="https://github.com/jitsi/docker-jitsi-meet" LABEL org.opencontainers.image.documentation="https://jitsi.github.io/handbook/" -RUN apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y jitsi-videobridge2 jitsi-autoscaler-sidecar jq curl iproute2 dnsutils libpcap0.8 && \ - apt-cleanup +RUN \ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get install -y \ + dnsutils \ + jitsi-autoscaler-sidecar \ + jitsi-videobridge2 \ + jq \ + iproute2 \ + libpcap0.8 \ + && \ + apt-cleanup COPY rootfs/ / VOLUME /config + +USER s6 diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base b/jvb/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/10-config/type b/jvb/rootfs/etc/s6-overlay/s6-rc.d/10-config/type new file mode 100644 index 0000000000..bdd22a1850 --- /dev/null +++ b/jvb/rootfs/etc/s6-overlay/s6-rc.d/10-config/type @@ -0,0 +1 @@ +oneshot diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/10-config/up b/jvb/rootfs/etc/s6-overlay/s6-rc.d/10-config/up new file mode 100644 index 0000000000..5f6439e9af 
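Review bot: The new package list in jvb/Dockerfile is presented as sorted but `jq` precedes `iproute2`; the rest of the commit sorts these lists alphabetically, so swap the two lines. `curl` was also dropped from the install list, and the jvb shutdown.sh in this diff still contains a "notify the sidecar of imminent shutdown" step that, in the jibri copy, is a `curl` call; if the jvb script does the same, confirm the base image still provides curl or the shutdown hook will silently fail.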
--- /dev/null +++ b/jvb/rootfs/etc/s6-overlay/s6-rc.d/10-config/up @@ -0,0 +1 @@ +/etc/s6-overlay/scripts/config diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/dependencies.d/10-config b/jvb/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/dependencies.d/10-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run b/jvb/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run new file mode 100644 index 0000000000..25c1bf8052 --- /dev/null +++ b/jvb/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/run @@ -0,0 +1,3 @@ +#!/command/execlineb -P + +/etc/s6-overlay/scripts/autoscaler-sidecar diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type b/jvb/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type new file mode 100644 index 0000000000..5883cff0cd --- /dev/null +++ b/jvb/rootfs/etc/s6-overlay/s6-rc.d/50-autoscaler-sidecar/type @@ -0,0 +1 @@ +longrun diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/dependencies.d/10-config b/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/dependencies.d/10-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/finish b/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/finish new file mode 100644 index 0000000000..309bfa4599 --- /dev/null +++ b/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/finish @@ -0,0 +1,3 @@ +#!/command/execlineb -P + +/etc/s6-overlay/scripts/jvb-finish diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/run b/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/run new file mode 100644 index 0000000000..ddc9845f3b --- /dev/null +++ b/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/run @@ -0,0 +1,3 @@ +#!/command/execlineb -P + +/etc/s6-overlay/scripts/jvb diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/type b/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/type new file mode 100644 index 0000000000..5883cff0cd --- /dev/null +++ b/jvb/rootfs/etc/s6-overlay/s6-rc.d/jvb/type @@ -0,0 +1 @@ +longrun 
diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config b/jvb/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/50-autoscaler-sidecar b/jvb/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/50-autoscaler-sidecar new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jvb/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/jvb b/jvb/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/jvb new file mode 100644 index 0000000000..e69de29bb2 diff --git a/jvb/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar b/jvb/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar new file mode 100755 index 0000000000..7a32f514b3 --- /dev/null +++ b/jvb/rootfs/etc/s6-overlay/scripts/autoscaler-sidecar @@ -0,0 +1,10 @@ +#!/command/with-contenv bash + +if [[ -n "$AUTOSCALER_URL" ]] && [[ -f "/run/autoscaler-sidecar/config" ]]; then + DAEMON="/usr/bin/node /usr/share/jitsi-autoscaler-sidecar/app.js" + exec /bin/bash -c ". /run/autoscaler-sidecar/config && exec $DAEMON" +else + # if autoscaler-sidecar should not be started, + # prevent s6 from restarting this script again and again + s6-svc -O /run/service/50-autoscaler-sidecar +fi diff --git a/jvb/rootfs/etc/cont-init.d/10-config b/jvb/rootfs/etc/s6-overlay/scripts/config old mode 100644 new mode 100755 similarity index 83% rename from jvb/rootfs/etc/cont-init.d/10-config rename to jvb/rootfs/etc/s6-overlay/scripts/config index 1a001fbe94..da1c1e58d7 --- a/jvb/rootfs/etc/cont-init.d/10-config +++ b/jvb/rootfs/etc/s6-overlay/scripts/config @@ -1,4 +1,7 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash + +mkdir -p /run/jvb/config +cp -r /config/. /run/jvb/config if [[ -z $JVB_DISABLE_XMPP ]]; then if [[ -z $JVB_AUTH_PASSWORD ]]; then 
@@ -33,8 +36,8 @@ export LOCAL_ADDRESS=$(ip route get 1 | grep -oP '(?<=src ).*' | awk '{ print $1 export SENTRY_RELEASE="${SENTRY_RELEASE:-$(apt-cache policy jitsi-videobridge2 | sed -n '/Installed/p' | sed -e 's/[^:]*: //')}" -if [[ -f /config/custom-sip-communicator.properties ]]; then - cat /config/custom-sip-communicator.properties > /config/sip-communicator.properties +if [[ -f /run/jvb/config/custom-sip-communicator.properties ]]; then + mv /run/jvb/config/custom-sip-communicator.properties /run/jvb/config/sip-communicator.properties fi # set random jvb nickname for the instance if is not set @@ -47,7 +50,7 @@ if [ -n "$AUTOSCALER_URL" ]; then fi if [ -z "$AUTOSCALER_SIDECAR_KEY_ID" ]; then # assume key id is equal to the base real path of the key file minus .pem - export AUTOSCALER_SIDECAR_KEY_ID="$(basename "$(realpath "$AUTOSCALER_SIDECAR_KEY_FILE")" | tr -d '.pem')" + export AUTOSCALER_SIDECAR_KEY_ID="$(basename "$(realpath "$AUTOSCALER_SIDECAR_KEY_FILE")" | sed 's/\.pem$//')" fi if [ -f "$AUTOSCALER_SIDECAR_KEY_FILE" ]; then @@ -61,8 +64,8 @@ if [ -n "$AUTOSCALER_URL" ]; then [ -z "$AUTOSCALER_SIDECAR_REGION" ] && export AUTOSCALER_SIDECAR_REGION="docker" [ -z "$AUTOSCALER_SIDECAR_GROUP_NAME" ] && export AUTOSCALER_SIDECAR_GROUP_NAME="docker-jvb" - mkdir -p /etc/jitsi/autoscaler-sidecar - tpl /defaults/autoscaler-sidecar.config > /etc/jitsi/autoscaler-sidecar/config + mkdir -pm 750 /run/autoscaler-sidecar + tpl /defaults/autoscaler-sidecar.config > /run/autoscaler-sidecar/config else echo "No key file at $AUTOSCALER_SIDECAR_KEY_FILE, leaving autoscaler sidecar disabled" fi @@ -70,7 +73,5 @@ else echo "No AUTOSCALER_URL defined, leaving autoscaler sidecar disabled" fi -tpl /defaults/logging.properties > /config/logging.properties -tpl /defaults/jvb.conf > /config/jvb.conf - -chown -R jvb:jitsi /config +tpl /defaults/logging.properties > /run/jvb/config/logging.properties +tpl /defaults/jvb.conf > /run/jvb/config/jvb.conf 
diff --git a/jvb/rootfs/etc/s6-overlay/scripts/jvb b/jvb/rootfs/etc/s6-overlay/scripts/jvb
new file mode 100755
index 0000000000..66e354f6cc
--- /dev/null
+++ b/jvb/rootfs/etc/s6-overlay/scripts/jvb
@@ -0,0 +1,10 @@
+#!/command/with-contenv bash
+
+export JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/run/jvb -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=config -Djava.util.logging.config.file=/run/jvb/config/logging.properties -Dconfig.file=/run/jvb/config/jvb.conf"
+
+DAEMON=/usr/share/jitsi-videobridge/jvb.sh
+
+JVB_CMD="exec $DAEMON"
+[ -n "$JVB_LOG_FILE" ] && JVB_CMD="$JVB_CMD 2>&1 | tee $JVB_LOG_FILE"
+
+exec /bin/bash -c "$JVB_CMD"
diff --git a/jvb/rootfs/etc/services.d/jvb/finish b/jvb/rootfs/etc/s6-overlay/scripts/jvb-finish
old mode 100644
new mode 100755
similarity index 89%
rename from jvb/rootfs/etc/services.d/jvb/finish
rename to jvb/rootfs/etc/s6-overlay/scripts/jvb-finish
index 85a5659e24..c3345b01be
--- a/jvb/rootfs/etc/services.d/jvb/finish
+++ b/jvb/rootfs/etc/s6-overlay/scripts/jvb-finish
@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 
 # When the jvb is shutdown (or gracefully shutdown), it exits with code 0.
 # In this case, we don't want S6 to restart the service. We want to stop all
diff --git a/jvb/rootfs/etc/services.d/50-autoscaler-sidecar/run b/jvb/rootfs/etc/services.d/50-autoscaler-sidecar/run
deleted file mode 100644
index 22f775088e..0000000000
--- a/jvb/rootfs/etc/services.d/50-autoscaler-sidecar/run
+++ /dev/null
@@ -1,10 +0,0 @@ -#!/usr/bin/with-contenv bash - -if [[ -n "$AUTOSCALER_URL" ]] && [[ -f "/etc/jitsi/autoscaler-sidecar/config" ]]; then - DAEMON="/usr/bin/node /usr/share/jitsi-autoscaler-sidecar/app.js" - exec s6-setuidgid autoscaler-sidecar /bin/bash -c ". /etc/jitsi/autoscaler-sidecar/config && exec $DAEMON" -else - # if autoscaler-sidecar should not be started, - # prevent s6 from restarting this script again and again - s6-svc -O /var/run/s6/services/50-autoscaler-sidecar -fi diff --git a/jvb/rootfs/etc/services.d/jvb/run b/jvb/rootfs/etc/services.d/jvb/run deleted file mode 100644 index d499fc0674..0000000000 --- a/jvb/rootfs/etc/services.d/jvb/run +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/with-contenv bash - -export JAVA_SYS_PROPS="-Dnet.java.sip.communicator.SC_HOME_DIR_LOCATION=/ -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=config -Djava.util.logging.config.file=/config/logging.properties -Dconfig.file=/config/jvb.conf" - -DAEMON=/usr/share/jitsi-videobridge/jvb.sh - -JVB_CMD="exec $DAEMON" -[ -n "$JVB_LOG_FILE" ] && JVB_CMD="$JVB_CMD 2>&1 | tee $JVB_LOG_FILE" - -exec s6-setuidgid jvb /bin/bash -c "$JVB_CMD" diff --git a/jvb/rootfs/opt/jitsi/shutdown.sh b/jvb/rootfs/opt/jitsi/shutdown.sh index 4821f60103..e753d784cc 100755 --- a/jvb/rootfs/opt/jitsi/shutdown.sh +++ b/jvb/rootfs/opt/jitsi/shutdown.sh @@ -1,4 +1,4 @@ -#!/usr/bin/with-contenv bash +#!/command/with-contenv bash if [ -n "$AUTOSCALER_URL" ]; then # notify the sidecar of imminent shutdown @@ -8,4 +8,4 @@ if [ -n "$AUTOSCALER_URL" ]; then fi # shutdown everything -s6-svscanctl -t /var/run/s6/services +s6-svscanctl -t /run/service diff --git a/prosody/Dockerfile b/prosody/Dockerfile index 65d3c3be37..7109379cc0 100644 --- a/prosody/Dockerfile +++ b/prosody/Dockerfile 
@@ -3,24 +3,30 @@ ARG BASE_TAG=latest FROM ${JITSI_REPO}/base:${BASE_TAG} AS builder -RUN apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y \ - build-essential \ - lua5.4 \ - liblua5.4-dev \ - libreadline-dev \ - git \ - unzip \ - wget && \ - mkdir /tmp/luarocks && \ - wget -qO - https://luarocks.github.io/luarocks/releases/luarocks-3.8.0.tar.gz | tar xfz - --strip-components 1 -C /tmp/luarocks && \ - cd /tmp/luarocks && ./configure && make && make install && cd - && \ - luarocks install basexx 0.4.1-1 && \ - luarocks install lua-cjson 2.1.0-1 && \ - luarocks install net-url 0.9-1 +USER root + +RUN \ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get install -y \ + build-essential \ + liblua5.4-dev \ + libreadline-dev \ + lua5.4 \ + unzip \ + && \ + mkdir /tmp/luarocks && \ + wget -qO - \ + https://luarocks.github.io/luarocks/releases/luarocks-3.8.0.tar.gz | \ + tar xfz - --strip-components 1 -C /tmp/luarocks && \ + cd /tmp/luarocks && ./configure && make && make install && cd - && \ + luarocks install basexx 0.4.1-1 && \ + luarocks install lua-cjson 2.1.0-1 && \ + luarocks install net-url 0.9-1 FROM ${JITSI_REPO}/base:${BASE_TAG} +USER root + LABEL org.opencontainers.image.title="Prosody IM" LABEL org.opencontainers.image.description="XMPP server used for signalling." LABEL org.opencontainers.image.url="https://prosody.im/" 
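Review bot: The builder stage still streams `luarocks-3.8.0.tar.gz` straight from `wget -qO -` into `tar` and then runs `make install` from it with no integrity check, so the build trusts whatever the download host returns at build time. Since the version is already pinned, saving the archive and comparing it against a pinned digest before extracting (e.g. `echo "<sha256-of-luarocks-3.8.0.tar.gz>  luarocks.tar.gz" | sha256sum -c`) closes that gap at little cost. The `cd /tmp/luarocks && … && cd -` sequence is the pattern hadolint DL3003 flags; `WORKDIR /tmp/luarocks` in the builder stage would be the idiomatic form.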
@@ -30,47 +36,58 @@ LABEL org.opencontainers.image.documentation="https://jitsi.github.io/handbook/" ARG VERSION_JITSI_CONTRIB_PROSODY_PLUGINS="20241017" ARG VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN="1.8.0" -RUN set -x && \ - wget -qO /etc/apt/trusted.gpg.d/prosody.gpg https://prosody.im/files/prosody-debian-packages.key && \ - echo "deb http://packages.prosody.im/debian bookworm main" > /etc/apt/sources.list.d/prosody.list && \ - apt-dpkg-wrap apt-get update && \ - apt-dpkg-wrap apt-get install -y \ - lua5.4 \ - prosody \ - libldap-common \ - sasl2-bin \ - libsasl2-modules-ldap \ - lua-cyrussasl \ - lua-inspect \ - lua-ldap \ - lua-luaossl \ - lua-sec \ - lua-unbound && \ - apt-dpkg-wrap apt-get -d install -y jitsi-meet-prosody && \ - dpkg -x /var/cache/apt/archives/jitsi-meet-prosody*.deb /tmp/pkg && \ - rm /tmp/pkg/usr/share/jitsi-meet/prosody-plugins/mod_smacks.lua && \ - mv /tmp/pkg/usr/share/jitsi-meet/prosody-plugins /prosody-plugins && \ - rm -rf /tmp/pkg /var/cache/apt && \ - apt-cleanup && \ - rm -rf /etc/prosody && \ - mv /usr/share/lua/5.3/inspect.lua /usr/share/lua/5.4/ && \ - rm -rf /usr/lib/lua/{5.1,5.2,5.3} && \ - rm -rf /usr/share/lua/{5.1,5.2,5.3} && \ - wget -qO /prosody-plugins/mod_auth_cyrus.lua https://hg.prosody.im/prosody-modules/raw-file/65438e4ba563/mod_auth_cyrus/mod_auth_cyrus.lua && \ - wget -qO /prosody-plugins/sasl_cyrus.lua https://hg.prosody.im/prosody-modules/raw-file/65438e4ba563/mod_auth_cyrus/sasl_cyrus.lua && \ - wget -qO /prosody-plugins/mod_http_health.lua https://hg.prosody.im/prosody-modules/raw-file/2b80188448d1/mod_http_health/mod_http_health.lua && \ - wget https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification/archive/refs/tags/v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \ - tar -xf v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \ - mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_auth_matrix_user_verification.lua 
/prosody-plugins && \ - mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_matrix_power_sync.lua /prosody-plugins && \ - rm -rf prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \ - wget -q https://github.com/jitsi-contrib/prosody-plugins/archive/refs/tags/v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz && \ - tar -xf v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz && \ - mkdir /prosody-plugins-contrib && \ - cp -a prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS/* /prosody-plugins-contrib && \ - rm -rf prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz +COPY rootfs / -COPY rootfs/ / +RUN \ + set -x && \ + wget -qO - https://prosody.im/files/prosody-debian-packages.key | \ + gpg --dearmour > /usr/share/keyrings/prosody.gpg && \ +\ + apt-dpkg-wrap apt-get update && \ + apt-dpkg-wrap apt-get install -y \ + libldap-common \ + libsasl2-modules-ldap \ + lua5.4 \ + lua-cyrussasl \ + lua-inspect \ + lua-ldap \ + lua-luaossl \ + lua-sec \ + lua-unbound \ + prosody \ + sasl2-bin \ + && \ + apt-dpkg-wrap apt-get install -y -d \ + jitsi-meet-prosody \ + && \ + dpkg -x /var/cache/apt/archives/jitsi-meet-prosody*.deb /tmp/pkg && \ + rm /tmp/pkg/usr/share/jitsi-meet/prosody-plugins/mod_smacks.lua && \ + mv /tmp/pkg/usr/share/jitsi-meet/prosody-plugins /prosody-plugins && \ + rm -rf /tmp/pkg && \ + apt-cleanup && \ + rm -rf /etc/prosody && \ + mv /usr/share/lua/5.3/inspect.lua /usr/share/lua/5.4/ && \ + rm -rf /usr/lib/lua/{5.1,5.2,5.3} && \ + rm -rf /usr/share/lua/{5.1,5.2,5.3} && \ + wget -qO /prosody-plugins/mod_auth_cyrus.lua https://hg.prosody.im/prosody-modules/raw-file/65438e4ba563/mod_auth_cyrus/mod_auth_cyrus.lua && \ + wget -qO /prosody-plugins/sasl_cyrus.lua https://hg.prosody.im/prosody-modules/raw-file/65438e4ba563/mod_auth_cyrus/sasl_cyrus.lua && \ + wget -qO 
/prosody-plugins/mod_http_health.lua https://hg.prosody.im/prosody-modules/raw-file/2b80188448d1/mod_http_health/mod_http_health.lua && \ +\ + wget https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification/archive/refs/tags/v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \ + tar -xf v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \ + mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_auth_matrix_user_verification.lua /prosody-plugins && \ + mv prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN/mod_matrix_power_sync.lua /prosody-plugins && \ + rm -rf prosody-mod-auth-matrix-user-verification-$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN v$VERSION_MATRIX_USER_VERIFICATION_SERVICE_PLUGIN.tar.gz && \ +\ + wget -q https://github.com/jitsi-contrib/prosody-plugins/archive/refs/tags/v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz && \ + tar -xf v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz && \ + mkdir /prosody-plugins-contrib && \ + cp -a prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS/* /prosody-plugins-contrib && \ + rm -rf prosody-plugins-$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS v$VERSION_JITSI_CONTRIB_PROSODY_PLUGINS.tar.gz && \ +\ + usermod -a -G prosody,sasl s6 && \ + chown s6:sasl /var/run/saslauthd && \ + echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf COPY --from=builder /usr/local/lib/lua/5.4 /usr/local/lib/lua/5.4 COPY --from=builder /usr/local/share/lua/5.4 /usr/local/share/lua/5.4 @@ -78,3 +95,5 @@ COPY --from=builder /usr/local/share/lua/5.4 /usr/local/share/lua/5.4 EXPOSE 5222 5280 VOLUME ["/config", "/prosody-plugins-custom"] + +USER s6 diff --git a/prosody/rootfs/defaults/conf.d/brewery.cfg.lua b/prosody/rootfs/defaults/conf.d/brewery.cfg.lua index e13d95ed43..b4c69b34ed 100644 --- a/prosody/rootfs/defaults/conf.d/brewery.cfg.lua +++ b/prosody/rootfs/defaults/conf.d/brewery.cfg.lua 
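Review bot: `echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf` turns off server-certificate verification for every LDAP client in the image (saslauthd and lua-ldap included), which means an LDAP authentication backend reached over TLS can be impersonated without the connection failing. That is a new, unconditional image-wide default introduced by this hunk; it should at least carry a comment explaining why it is needed, and preferably be left at the library default and made opt-in through the existing config templating so only deployments that need it relax the check. The matrix and jitsi-contrib plugin tarballs are fetched by tag with no digest check, the same concern raised for luarocks in the builder stage.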
@@ -18,8 +18,8 @@ VirtualHost "{{ $JVB_XMPP_AUTH_DOMAIN }}"
 }
 authentication = "internal_hashed"
 ssl = {
- key = "/config/certs/{{ $JVB_XMPP_AUTH_DOMAIN }}.key";
- certificate = "/config/certs/{{ $JVB_XMPP_AUTH_DOMAIN }}.crt";
+ key = "/run/prosody/config/certs/{{ $JVB_XMPP_AUTH_DOMAIN }}.key";
+ certificate = "/run/prosody/config/certs/{{ $JVB_XMPP_AUTH_DOMAIN }}.crt";
 }
 smacks_hibernation_time = 15;
diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
index 66b46ec5f1..21a307e0ef 100644
--- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
@@ -159,8 +159,8 @@ VirtualHost "{{ $XMPP_DOMAIN }}"
 authentication = "jitsi-anonymous"
 {{ end }}
 ssl = {
- key = "/config/certs/{{ $XMPP_DOMAIN }}.key";
- certificate = "/config/certs/{{ $XMPP_DOMAIN }}.crt";
+ key = "/run/prosody/config/certs/{{ $XMPP_DOMAIN }}.key";
+ certificate = "/run/prosody/config/certs/{{ $XMPP_DOMAIN }}.crt";
 }
 modules_enabled = {
 "bosh";
@@ -257,8 +257,8 @@ VirtualHost "{{ $XMPP_GUEST_DOMAIN }}"
 VirtualHost "{{ $XMPP_AUTH_DOMAIN }}"
 ssl = {
- key = "/config/certs/{{ $XMPP_AUTH_DOMAIN }}.key";
- certificate = "/config/certs/{{ $XMPP_AUTH_DOMAIN }}.crt";
+ key = "/run/prosody/config/certs/{{ $XMPP_AUTH_DOMAIN }}.key";
+ certificate = "/run/prosody/config/certs/{{ $XMPP_AUTH_DOMAIN }}.crt";
 }
 modules_enabled = {
 "limits_exception";
diff --git a/prosody/rootfs/defaults/conf.d/visitors.cfg.lua b/prosody/rootfs/defaults/conf.d/visitors.cfg.lua
index 81218c8574..fafca65fdf 100644
--- a/prosody/rootfs/defaults/conf.d/visitors.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/visitors.cfg.lua
@@ -86,8 +86,8 @@ muc_limit_messages_check_token = {{ $LIMIT_MESSAGES_CHECK_TOKEN }};
 VirtualHost 'v{{ $VISITOR_INDEX }}.{{ $VISITORS_XMPP_DOMAIN }}'
 authentication = 'jitsi-anonymous'
 ssl = {
- key = "/config/certs/v{{ $VISITOR_INDEX }}.{{ $VISITORS_XMPP_DOMAIN }}.key";
- certificate = "/config/certs/v{{ $VISITOR_INDEX }}.{{ $VISITORS_XMPP_DOMAIN }}.crt";
+ key = "/run/prosody/config/certs/v{{ $VISITOR_INDEX }}.{{ $VISITORS_XMPP_DOMAIN }}.key";
+ certificate = "/run/prosody/config/certs/v{{ $VISITOR_INDEX }}.{{ $VISITORS_XMPP_DOMAIN }}.crt";
 }
 modules_enabled = {
 'bosh';
diff --git a/prosody/rootfs/defaults/prosody.cfg.lua b/prosody/rootfs/defaults/prosody.cfg.lua
index c278acd4a5..2b32cec603 100644
--- a/prosody/rootfs/defaults/prosody.cfg.lua
+++ b/prosody/rootfs/defaults/prosody.cfg.lua
@@ -159,7 +159,7 @@ trusted_proxies = {
 {{ if eq $PROSODY_MODE "brewery" -}}
 firewall_scripts = {
- "/config/rules.d/jvb_muc_presence_filter.pfw";
+ "/run/prosody/config/rules.d/jvb_muc_presence_filter.pfw";
 };
 {{ end -}}
@@ -214,7 +214,7 @@ gc = {
 }
 {{ end }}
-pidfile = "/config/data/prosody.pid";
+pidfile = "/run/prosody/prosody.pid";
 -- Force clients to use encrypted connections? This option will
 -- prevent clients from authenticating unless they are using encryption.
@@ -425,6 +425,6 @@ http_interfaces = { "*", "::" }
 http_interfaces = { "*" }
 {{ end }}
-data_path = "/config/data"
+data_path = "/var/lib/prosody"
 Include "conf.d/*.cfg.lua"
diff --git a/prosody/rootfs/defaults/saslauthd.conf b/prosody/rootfs/defaults/saslauthd.conf
index 79cdc0ad61..3a2f1c6d68 100644
--- a/prosody/rootfs/defaults/saslauthd.conf
+++ b/prosody/rootfs/defaults/saslauthd.conf
@@ -13,8 +13,8 @@ ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
 ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
 ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
 {{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
-ldap_tls_key: /config/certs/{{ $XMPP_DOMAIN }}.key
-ldap_tls_cert: /config/certs/{{ $XMPP_DOMAIN }}.crt
+ldap_tls_key: /run/prosody/config/certs/{{ $XMPP_DOMAIN }}.key
+ldap_tls_cert: /run/prosody/config/certs/{{ $XMPP_DOMAIN }}.crt
 {{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
 ldap_tls_check_peer: yes
 ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
diff --git a/prosody/rootfs/etc/apt/sources.list.d/prosody.sources b/prosody/rootfs/etc/apt/sources.list.d/prosody.sources
new file mode 100644
index 0000000000..16d4e95df1
--- /dev/null
+++ b/prosody/rootfs/etc/apt/sources.list.d/prosody.sources
@@ -0,0 +1,5 @@
+Types: deb
+URIs: http://packages.prosody.im/debian
+Suites: bookworm
+Components: main
+Signed-By: /usr/share/keyrings/prosody.gpg
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base b/prosody/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/10-config/type b/prosody/rootfs/etc/s6-overlay/s6-rc.d/10-config/type
new file mode 100644
index 0000000000..bdd22a1850
--- /dev/null
+++ b/prosody/rootfs/etc/s6-overlay/s6-rc.d/10-config/type
@@ -0,0 +1 @@
+oneshot
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/10-config/up b/prosody/rootfs/etc/s6-overlay/s6-rc.d/10-config/up
new file mode 100644
index 0000000000..5f6439e9af
--- /dev/null
+++ b/prosody/rootfs/etc/s6-overlay/s6-rc.d/10-config/up
@@ -0,0 +1 @@
+/etc/s6-overlay/scripts/config 
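Review bot: `URIs: http://packages.prosody.im/debian` fetches the Prosody repository over plain HTTP, while the nodesource entry added in this same change uses https. With `Signed-By` set, apt still verifies the release and package signatures, so integrity is preserved, but the index and package names are visible to anyone on path and the build can be fed a stale-but-validly-signed index; if the host serves TLS, `URIs: https://packages.prosody.im/debian` closes that gap at no cost. If the mirror is HTTP-only, a one-line comment in the file saying so would stop the next reviewer from raising it again.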
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/20-saslauthd/dependencies.d/10-config b/prosody/rootfs/etc/s6-overlay/s6-rc.d/20-saslauthd/dependencies.d/10-config
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/20-saslauthd/run b/prosody/rootfs/etc/s6-overlay/s6-rc.d/20-saslauthd/run
new file mode 100644
index 0000000000..bf8a154685
--- /dev/null
+++ b/prosody/rootfs/etc/s6-overlay/s6-rc.d/20-saslauthd/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/saslauthd
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/20-saslauthd/type b/prosody/rootfs/etc/s6-overlay/s6-rc.d/20-saslauthd/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/prosody/rootfs/etc/s6-overlay/s6-rc.d/20-saslauthd/type
@@ -0,0 +1 @@
+longrun
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/prosody/dependencies.d/10-config b/prosody/rootfs/etc/s6-overlay/s6-rc.d/prosody/dependencies.d/10-config
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/prosody/run b/prosody/rootfs/etc/s6-overlay/s6-rc.d/prosody/run
new file mode 100644
index 0000000000..0e88922bbf
--- /dev/null
+++ b/prosody/rootfs/etc/s6-overlay/s6-rc.d/prosody/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/prosody
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/prosody/type b/prosody/rootfs/etc/s6-overlay/s6-rc.d/prosody/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/prosody/rootfs/etc/s6-overlay/s6-rc.d/prosody/type
@@ -0,0 +1 @@
+longrun
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config b/prosody/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/20-saslauthd b/prosody/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/20-saslauthd
new file mode 100644
index 0000000000..e69de29bb2 
diff --git a/prosody/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/prosody b/prosody/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/prosody
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/s6-overlay/scripts/config
old mode 100644
new mode 100755
similarity index 75%
rename from prosody/rootfs/etc/cont-init.d/10-config
rename to prosody/rootfs/etc/s6-overlay/scripts/config
index 62e293f79c..a01cc43010
--- a/prosody/rootfs/etc/cont-init.d/10-config
+++ b/prosody/rootfs/etc/s6-overlay/scripts/config
@@ -1,52 +1,37 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
-if [[ ! -f /etc/saslauthd.conf ]] && [[ "$AUTH_TYPE" == "ldap" ]]; then
- tpl /defaults/saslauthd.conf > /etc/saslauthd.conf
- mkdir -pm777 /var/run/saslauthd
- adduser prosody sasl
- echo >> /etc/ldap/ldap.conf "TLS_REQCERT allow"
-fi
-
-PROSODY_CFG="/config/prosody.cfg.lua"
-
-if [[ ! -d /config/data ]]; then
- mkdir -pm 750 /config/data
-fi
+if [[ "$AUTH_TYPE" == "ldap" ]]; then
+ if [[ ! -f /etc/saslauthd.conf ]]; then
+ tpl /defaults/saslauthd.conf > /run/saslauthd.conf
+ else
+ cp /etc/saslauthd.conf /run/
+ fi
-if [[ "$(stat -c %U /config)" != "prosody" ]]; then
- chown -R prosody /config
+ mkdir -pm777 /var/run/saslauthd
 fi
-if [[ "$(stat -c %U /prosody-plugins)" != "prosody" ]]; then
- chown -R prosody /prosody-plugins
-fi
+PROSODY_CFG="/run/prosody/config/prosody.cfg.lua"
-if [[ "$(stat -c %U /prosody-plugins-custom)" != "prosody" ]]; then
- chown -R prosody /prosody-plugins-custom
-fi
+mkdir -pm 750 /run/prosody/config/certs
+mkdir -pm 750 /run/prosody/config/conf.d
+cp -r /config/. /run/prosody/config
-if [[ "$(stat -c %U /prosody-plugins-contrib)" != "prosody" ]]; then
- chown -R prosody /prosody-plugins-contrib
+# copy existing prosody accounts from the old setup if this is the initial run
+if [[ -z $(ls /var/lib/prosody) ]] && [[ -d /config/data ]]; then
+ cp -r /config/data/. 
/var/lib/prosody
 fi
-mkdir /config/certs
-cp -r /defaults/* /config
-
 [ -z "$PROSODY_MODE" ] && export PROSODY_MODE="client"
 if [[ "$PROSODY_MODE" == "visitors" ]]; then
 echo "Prosody visitor mode, using alternate config"
 PROSODY_SITE_CFG="visitors.cfg.lua"
- rm /config/conf.d/jitsi-meet.cfg.lua
- rm /config/conf.d/brewery.cfg.lua
 # force jicofo into auth domain for visitor-mode prosody
 [ -z "$XMPP_AUTH_DOMAIN" ] && XMPP_AUTH_DOMAIN="auth.meet.jitsi"
 export PROSODY_ADMINS="focus@$XMPP_AUTH_DOMAIN"
 elif [[ "$PROSODY_MODE" == "brewery" ]]; then
 echo "Prosody brewery mode, using alternate config"
 PROSODY_SITE_CFG="brewery.cfg.lua"
- rm /config/conf.d/jitsi-meet.cfg.lua
- rm /config/conf.d/visitors.cfg.lua
 # force jicofo into auth domain for brewer prosody
 [ -z "$JVB_XMPP_AUTH_DOMAIN" ] && JVB_XMPP_AUTH_DOMAIN="auth.meet.jitsi"
 # ensure proper certs are generated
@@ -54,16 +39,14 @@ elif [[ "$PROSODY_MODE" == "brewery" ]]; then
 # brewery mode requires C2S encryption
 export PROSODY_C2S_REQUIRE_ENCRYPTION="true"
- mkdir -p /config/rules.d
- tpl /defaults/rules.d/jvb_muc_presence_filter.pfw > /config/rules.d/jvb_muc_presence_filter.pfw
+ mkdir -p /run/prosody/config/rules.d
+ tpl /defaults/rules.d/jvb_muc_presence_filter.pfw > /run/prosody/config/rules.d/jvb_muc_presence_filter.pfw
 else
 echo "Prosody normal mode, using default config"
 PROSODY_SITE_CFG="jitsi-meet.cfg.lua"
- rm /config/conf.d/visitors.cfg.lua
- rm /config/conf.d/brewery.cfg.lua
 fi
 tpl /defaults/prosody.cfg.lua > $PROSODY_CFG
-tpl /defaults/conf.d/$PROSODY_SITE_CFG > /config/conf.d/$PROSODY_SITE_CFG
+tpl /defaults/conf.d/$PROSODY_SITE_CFG > /run/prosody/config/conf.d/$PROSODY_SITE_CFG
 if [[ -z $JICOFO_AUTH_PASSWORD ]]; then
 echo 'FATAL ERROR: Jicofo auth password must be set' 
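Review bot: `mkdir -pm777 /var/run/saslauthd` is carried over unchanged even though the reason for it is gone: saslauthd no longer runs as root via `s6-setuidgid root`, the Dockerfile already chowns the directory to `s6:sasl` and adds `s6` to the `sasl` group, and its only client, Prosody, now runs as the same user. A world-writable socket directory is more than the service needs; `mkdir -pm 750 /var/run/saslauthd` should suffice (note that `-p` on an already-existing directory does not change its mode, so the 777 only takes effect when `/run` is a fresh tmpfs). In the same branch, `tpl /defaults/saslauthd.conf > /run/saslauthd.conf` renders the LDAP settings with the default umask; if the template carries a bind password, `( umask 077; tpl /defaults/saslauthd.conf > /run/saslauthd.conf )` keeps it private to the service user. The `AUTH_TYPE` block is complete within the hunk; the rest of the script continues past it.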
@@ -83,7 +66,8 @@ fi
 prosodyctl --config $PROSODY_CFG register focus $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD
-# if we are in client mode, we need to subscribe the focus user to the focus component proxy
+# if we are in client mode, we need to subscribe the focus user to the focus
+# component proxy
 if [[ "$PROSODY_MODE" == "client" ]]; then
 prosodyctl --config $PROSODY_CFG mod_roster_command subscribe focus.$XMPP_DOMAIN focus@$XMPP_AUTH_DOMAIN
 fi
@@ -140,24 +124,24 @@ if [[ "$PROSODY_MODE" == "visitors" ]]; then
 [ -z "$VISITORS_XMPP_DOMAIN" ] && VISITORS_XMPP_DOMAIN="meet.jitsi"
 [ -z "$PROSODY_VISITOR_INDEX" ] && PROSODY_VISITOR_INDEX=0
 FULL_VISITORS_XMPP_DOMAIN="v$PROSODY_VISITOR_INDEX.$VISITORS_XMPP_DOMAIN"
- if [[ ! -f /config/certs/$FULL_VISITORS_XMPP_DOMAIN.crt ]]; then
+ if [[ ! -f /run/prosody/config/certs/$FULL_VISITORS_XMPP_DOMAIN.crt ]]; then
 # echo for using all default values
 echo | prosodyctl --config $PROSODY_CFG cert generate $FULL_VISITORS_XMPP_DOMAIN
 fi
 elif [[ "$PROSODY_MODE" == "brewery" ]]; then
 echo "No need to generate certs for main XMPP domain in brewery mode"
 else
- if [[ ! -f /config/certs/$XMPP_DOMAIN.crt ]]; then
+ if [[ ! -f /run/prosody/config/certs/$XMPP_DOMAIN.crt ]]; then
 # echo for using all default values
 echo | prosodyctl --config $PROSODY_CFG cert generate $XMPP_DOMAIN
 fi
 fi
-if [[ ! -f /config/certs/$XMPP_AUTH_DOMAIN.crt ]]; then
+if [[ ! -f /run/prosody/config/certs/$XMPP_AUTH_DOMAIN.crt ]]; then
 # echo for using all default values
 echo | prosodyctl --config $PROSODY_CFG cert generate $XMPP_AUTH_DOMAIN
 fi
-# certs will be created in /config/data
-mv /config/data/*.{crt,key} /config/certs/ || true
-rm -f /config/data/*.cnf
+# certs will be created in /var/lib/prosody
+mv /var/lib/prosody/*.{crt,key} /run/prosody/config/certs/ || true
+rm -f /var/lib/prosody/*.cnf
diff --git a/prosody/rootfs/etc/s6-overlay/scripts/prosody b/prosody/rootfs/etc/s6-overlay/scripts/prosody
new file mode 100755
index 0000000000..77e321eaa2
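Review bot: `mv /var/lib/prosody/*.{crt,key} /run/prosody/config/certs/ || true` sends freshly generated certificates to a directory that is rebuilt from `/config` at every start, whereas before this change they landed in the persistent `/config/certs`; a self-signed certificate and private key generated here therefore do not survive container recreation and are minted anew each time. Anything that pinned or trust-on-first-use'd the previous certificate will see it change, and the `! -f /run/prosody/config/certs/...crt` guards above only short-circuit when the operator placed certificates in `/config/certs` themselves. If that is the intended contract, say so next to the move, e.g. `# generated certs are ephemeral; put your own in /config/certs to keep them across restarts`; otherwise copy the generated pair back to `/config/certs/` when that volume is writable by the `s6` user. The script continues outside this hunk.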
--- /dev/null
+++ b/prosody/rootfs/etc/s6-overlay/scripts/prosody
@@ -0,0 +1,3 @@
+#!/command/with-contenv bash
+
+exec prosody --config /run/prosody/config/prosody.cfg.lua -F
diff --git a/prosody/rootfs/etc/s6-overlay/scripts/saslauthd b/prosody/rootfs/etc/s6-overlay/scripts/saslauthd
new file mode 100755
index 0000000000..e61d07e45d
--- /dev/null
+++ b/prosody/rootfs/etc/s6-overlay/scripts/saslauthd
@@ -0,0 +1,9 @@
+#!/command/with-contenv bash
+
+if [[ -f /run/saslauthd.conf ]]; then
+ exec saslauthd -a ldap -O /run/saslauthd.conf -c -m /var/run/saslauthd -n 5 -d
+else
+ # if saslauthd should not be started,
+ # prevent s6 from restarting this script again and again
+ s6-svc -O /run/service/20-saslauthd
+fi
diff --git a/prosody/rootfs/etc/services.d/10-saslauthd/run b/prosody/rootfs/etc/services.d/10-saslauthd/run
deleted file mode 100644
index 126f44413c..0000000000
--- a/prosody/rootfs/etc/services.d/10-saslauthd/run
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/with-contenv bash
-if [[ -f /etc/saslauthd.conf ]]; then
- exec s6-setuidgid root saslauthd -a ldap -O /etc/saslauthd.conf -c -m /var/run/saslauthd -n 5 -d
-else
- # if saslauthd should not be started,
- # prevent s6 from restarting this script again and again
- s6-svc -O /var/run/s6/services/10-saslauthd
-fi
diff --git a/prosody/rootfs/etc/services.d/prosody/run b/prosody/rootfs/etc/services.d/prosody/run
deleted file mode 100644
index 276ab31703..0000000000
--- a/prosody/rootfs/etc/services.d/prosody/run
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/usr/bin/with-contenv bash
-exec s6-setuidgid prosody prosody --config /config/prosody.cfg.lua -F
diff --git a/transcriber.yml b/transcriber.yml
index 5d6f7bb3b4..de9771daf7 100644
--- a/transcriber.yml
+++ b/transcriber.yml
@@ -6,7 +6,7 @@ services:
 restart: ${RESTART_POLICY:-unless-stopped}
 volumes:
 - ${CONFIG}/transcriber:/config:Z
- - ${CONFIG}/transcripts:/tmp/transcripts:Z
+ - ${CONFIG}/storage/transcripts:/tmp/transcripts:z
 environment:
 - AUTOSCALER_SIDECAR_KEY_FILE
 - AUTOSCALER_SIDECAR_KEY_ID
diff --git a/web/Dockerfile b/web/Dockerfile
index e26b90617c..35378f279f 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -2,6 +2,8 @@ ARG JITSI_REPO=jitsi
 ARG BASE_TAG=latest
 FROM ${JITSI_REPO}/base:${BASE_TAG}
+USER root
+
 LABEL org.opencontainers.image.title="Jitsi Meet"
 LABEL org.opencontainers.image.description="WebRTC compatible JavaScript application that uses Jitsi Videobridge to provide high quality, scalable video conferences."
 LABEL org.opencontainers.image.url="https://jitsi.org/jitsi-meet/"
@@ -11,12 +13,25 @@ LABEL org.opencontainers.image.documentation="https://jitsi.github.io/handbook/"
 ADD https://raw.githubusercontent.com/acmesh-official/acme.sh/3.0.7/acme.sh /opt
 COPY rootfs/ /
-RUN apt-dpkg-wrap apt-get update && \
- apt-dpkg-wrap apt-get install -y dnsutils cron nginx-extras jitsi-meet-web socat curl jq && \
- mv /usr/share/jitsi-meet/interface_config.js /defaults && \
- rm -f /etc/nginx/conf.d/default.conf && \
- apt-cleanup
+RUN \
+ apt-dpkg-wrap apt-get update && \
+ apt-dpkg-wrap apt-get install -y \
+ cron \
+ dnsutils \
+ jitsi-meet-web \
+ jq \
+ nginx-extras \
+ socat \
+ && \
+ mv /usr/share/jitsi-meet/interface_config.js /defaults && \
+ ln -s /run/web/.well-known /usr/share/jitsi-meet/.well-known && \
+ rm -f /etc/nginx/conf.d/default.conf && \
+ rm -rf /var/lib/nginx && \
+ ln -s /run/web/tmp /var/lib/nginx && \
+ apt-cleanup
 EXPOSE 80 443
 VOLUME ["/config", "/usr/share/jitsi-meet/transcripts"]
+
+USER s6
diff --git a/web/rootfs/defaults/default b/web/rootfs/defaults/default
index 37f2c20bb7..fea8f33ac1 100644
--- a/web/rootfs/defaults/default
+++ b/web/rootfs/defaults/default
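Review bot: `EXPOSE 80 443` is kept while the stage now ends in `USER s6` and the new s6 script execs nginx directly, so the nginx master has to bind two privileged ports as an unprivileged user. Docker Engine 20.10+ permits that by default, but Kubernetes, rootless Podman and any runtime that keeps the kernel's default `ip_unprivileged_port_start` will fail the bind at startup; either grant the capability in this RUN step, `setcap cap_net_bind_service=+ep /usr/sbin/nginx` (needs `libcap2-bin`), or move the listen ports above 1024 and document the mapping. The acme.sh standalone issuer in the web config script binds port 80 under the same user and has the same exposure. Separately, the pre-existing `ADD https://raw.githubusercontent.com/acmesh-official/acme.sh/3.0.7/acme.sh /opt` is pinned to a tag but not to content; `ADD --checksum=sha256:<EXPECTED-SHA256> …` (placeholder, fill in the real digest) would make the layer reproducible and tamper-evident.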
@@ -8,7 +8,7 @@ server {
 {{ if .Env.ENABLE_HTTP_REDIRECT | default "0" | toBool }}
 return 301 https://$host$request_uri;
 {{ else }}
- include /config/nginx/meet.conf;
+ include /run/web/config/nginx/meet.conf;
 {{ end }}
 }
@@ -20,7 +20,7 @@ server {
 listen [::]:443 ssl http2;
 {{ end }}
- include /config/nginx/ssl.conf;
- include /config/nginx/meet.conf;
+ include /run/web/config/nginx/ssl.conf;
+ include /run/web/config/nginx/meet.conf;
 }
 {{ end }}
diff --git a/web/rootfs/defaults/meet.conf b/web/rootfs/defaults/meet.conf
index a0cd384a63..7a3d06b074 100644
--- a/web/rootfs/defaults/meet.conf
+++ b/web/rootfs/defaults/meet.conf
@@ -38,14 +38,14 @@ add_header X-Jitsi-Shard {{ .Env.DEPLOYMENTINFO_SHARD }};
 # Opt out of FLoC (deprecated)
 add_header Permissions-Policy "interest-cohort=()";
-include /config/nginx-custom/*.conf;
+include /run/web/config/nginx-custom/*.conf;
 location = /config.js {
- alias /config/config.js;
+ alias /run/web/config/config.js;
 }
 location = /interface_config.js {
- alias /config/interface_config.js;
+ alias /run/web/config/interface_config.js;
 }
 location = /external_api.js {
@@ -171,7 +171,7 @@ location @root_path {
 set $subdomain "$1.";
 set $subdir "$1/";
- alias /config/config.js;
+ alias /run/web/config/config.js;
 }
 # BOSH for subdomains
diff --git a/web/rootfs/defaults/nginx.conf b/web/rootfs/defaults/nginx.conf
index acfbbe5227..dca9349a95 100644
--- a/web/rootfs/defaults/nginx.conf
+++ b/web/rootfs/defaults/nginx.conf
@@ -1,4 +1,3 @@
-user www-data;
 worker_processes {{ .Env.NGINX_WORKER_PROCESSES | default "4" }};
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
@@ -64,7 +63,7 @@ http {
 ##
 # Virtual Host Configs
 ##
- include /config/nginx/site-confs/*;
+ include /run/web/config/nginx/site-confs/*;
 }
diff --git a/web/rootfs/defaults/ssl.conf b/web/rootfs/defaults/ssl.conf
index be56ca1657..d68cb440ba 100644
--- a/web/rootfs/defaults/ssl.conf
+++ b/web/rootfs/defaults/ssl.conf
@@ -5,11 +5,11 @@ ssl_session_tickets off;
 # ssl certs
 {{ if .Env.ENABLE_LETSENCRYPT | default "0" | toBool }}
-ssl_certificate /config/acme-certs/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
-ssl_certificate_key /config/acme-certs/{{ .Env.LETSENCRYPT_DOMAIN }}/key.pem;
+ssl_certificate /run/web/config/acme-certs/{{ .Env.LETSENCRYPT_DOMAIN }}/fullchain.pem;
+ssl_certificate_key /run/web/config/acme-certs/{{ .Env.LETSENCRYPT_DOMAIN }}/key.pem;
 {{ else }}
-ssl_certificate /config/keys/cert.crt;
-ssl_certificate_key /config/keys/cert.key;
+ssl_certificate /run/web/config/keys/cert.crt;
+ssl_certificate_key /run/web/config/keys/cert.key;
 {{ end }}
 # protocols
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base b/web/rootfs/etc/s6-overlay/s6-rc.d/10-config/dependencies.d/base
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/10-config/type b/web/rootfs/etc/s6-overlay/s6-rc.d/10-config/type
new file mode 100644
index 0000000000..bdd22a1850
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/s6-rc.d/10-config/type
@@ -0,0 +1 @@
+oneshot
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/10-config/up b/web/rootfs/etc/s6-overlay/s6-rc.d/10-config/up
new file mode 100644
index 0000000000..5f6439e9af
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/s6-rc.d/10-config/up
@@ -0,0 +1 @@
+/etc/s6-overlay/scripts/config
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/cron/dependencies.d/10-config b/web/rootfs/etc/s6-overlay/s6-rc.d/cron/dependencies.d/10-config
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/cron/run b/web/rootfs/etc/s6-overlay/s6-rc.d/cron/run
new file mode 100644
index 0000000000..6c21aedc56
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/s6-rc.d/cron/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/cron 
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/cron/type b/web/rootfs/etc/s6-overlay/s6-rc.d/cron/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/s6-rc.d/cron/type
@@ -0,0 +1 @@
+longrun
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/jaas-account/dependencies.d/nginx b/web/rootfs/etc/s6-overlay/s6-rc.d/jaas-account/dependencies.d/nginx
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/jaas-account/run b/web/rootfs/etc/s6-overlay/s6-rc.d/jaas-account/run
new file mode 100644
index 0000000000..0d522e5d30
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/s6-rc.d/jaas-account/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/jaas-account
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/jaas-account/type b/web/rootfs/etc/s6-overlay/s6-rc.d/jaas-account/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/s6-rc.d/jaas-account/type
@@ -0,0 +1 @@
+longrun
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/10-config b/web/rootfs/etc/s6-overlay/s6-rc.d/nginx/dependencies.d/10-config
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/nginx/run b/web/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
new file mode 100644
index 0000000000..6787c6de76
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
@@ -0,0 +1,3 @@
+#!/command/execlineb -P
+
+/etc/s6-overlay/scripts/nginx
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/nginx/type b/web/rootfs/etc/s6-overlay/s6-rc.d/nginx/type
new file mode 100644
index 0000000000..5883cff0cd
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/s6-rc.d/nginx/type
@@ -0,0 +1 @@
+longrun
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config b/web/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/10-config
new file mode 100644
index 0000000000..e69de29bb2 
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/cron b/web/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/cron
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/jaas-account b/web/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/jaas-account
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/web/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx b/web/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/nginx
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/web/rootfs/etc/cont-init.d/10-config b/web/rootfs/etc/s6-overlay/scripts/config
old mode 100644
new mode 100755
similarity index 61%
rename from web/rootfs/etc/cont-init.d/10-config
rename to web/rootfs/etc/s6-overlay/scripts/config
index 4a025121cb..fa67085d77
--- a/web/rootfs/etc/cont-init.d/10-config
+++ b/web/rootfs/etc/s6-overlay/scripts/config
@@ -1,32 +1,31 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 # make our folders
-mkdir -p \
- /config/{nginx/site-confs,keys} \
- /run \
- /var/lib/nginx/tmp/client_body \
- /var/tmp/nginx
+mkdir -p /run/web/tmp
+mkdir -p /run/web/config/keys
+mkdir -p /run/web/config/nginx/site-confs
+cp -r /config/. /run/web/config
 # generate keys (maybe)
 if [[ $DISABLE_HTTPS -ne 1 ]]; then
 if [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
- mkdir -p /config/acme.sh
+ mkdir -p /run/web/config/acme.sh
 pushd /opt
- sh ./acme.sh --install --home /config/acme.sh --accountemail $LETSENCRYPT_EMAIL
+ sh ./acme.sh --install --home /run/web/config/acme.sh --accountemail $LETSENCRYPT_EMAIL
 popd
 STAGING=""
 if [[ $LETSENCRYPT_USE_STAGING -eq 1 ]]; then
 STAGING="--staging"
 fi
- export LE_WORKING_DIR="/config/acme.sh"
+ export LE_WORKING_DIR="/run/web/config/acme.sh"
 # TODO: move away from standalone mode to webroot mode.
- /config/acme.sh/acme.sh \
+ /run/web/config/acme.sh/acme.sh \
 $STAGING \
 --issue \
 --standalone \
- --pre-hook "if [[ -d /var/run/s6/services/nginx ]]; then s6-svc -d /var/run/s6/services/nginx; fi" \
- --post-hook "if [[ -d /var/run/s6/services/nginx ]]; then s6-svc -u /var/run/s6/services/nginx; fi" \
+ --pre-hook "if [[ -d /run/service/nginx ]]; then s6-svc -d /run/service/nginx; fi" \
+ --post-hook "if [[ -d /run/service/nginx ]]; then s6-svc -u /run/service/nginx; fi" \
 -d $LETSENCRYPT_DOMAIN
 rc=$?
 if [[ $rc -eq 1 ]]; then 
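Review bot: `cp -r /config/. /run/web/config` followed by `--install --home /run/web/config/acme.sh` moves the acme.sh state directory (account key, order history, issued certificate and its private key) off the persistent `/config` volume into `/run`, and nothing in this hunk writes it back; unless another part of the change syncs `/run/web/config` to `/config`, every container recreate re-installs acme.sh and runs `--issue` from scratch, discarding the previous key and counting against Let's Encrypt's duplicate-certificate rate limit. The self-signed `cert.key` generated further down in this script and the `jaas-account-created.txt` marker in the jaas-account script have the same lifetime problem. Keeping acme.sh's home on the volume, `--home /config/acme.sh` with `LE_WORKING_DIR="/config/acme.sh"`, and copying only the installed cert/key into `/run/web/config/acme-certs`, would keep the rendered config ephemeral without losing issuance state — provided `/config` is writable by the `s6` user the script now runs as. The `if [[ $DISABLE_HTTPS -ne 1 ]]` block continues past the end of this hunk.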
@@ -38,11 +37,11 @@ if [[ $DISABLE_HTTPS -ne 1 ]]; then
 exit 1
 fi
 if [[ $rc -eq 0 ]]; then
- mkdir -p /config/acme-certs/$LETSENCRYPT_DOMAIN
- if ! /config/acme.sh/acme.sh \
+ mkdir -p /run/web/config/acme-certs/$LETSENCRYPT_DOMAIN
+ if ! /run/web/config/acme.sh/acme.sh \
 --install-cert -d $LETSENCRYPT_DOMAIN \
- --key-file /config/acme-certs/$LETSENCRYPT_DOMAIN/key.pem \
- --fullchain-file /config/acme-certs/$LETSENCRYPT_DOMAIN/fullchain.pem ; then
+ --key-file /run/web/config/acme-certs/$LETSENCRYPT_DOMAIN/key.pem \
+ --fullchain-file /run/web/config/acme-certs/$LETSENCRYPT_DOMAIN/fullchain.pem ; then
 echo "Failed to install certificate."
 # this tries to get the user's attention and to spare the
 # authority's rate limit:
@@ -53,12 +52,12 @@ if [[ $DISABLE_HTTPS -ne 1 ]]; then
 fi
 else
 # use self-signed certs
- if [[ -f /config/keys/cert.key && -f /config/keys/cert.crt ]]; then
+ if [[ -f /run/web/config/keys/cert.key && -f /run/web/config/keys/cert.crt ]]; then
 echo "using keys found in /config/keys"
 else
- echo "generating self-signed keys in /config/keys, you can replace these with your own keys if required"
+ echo "generating self-signed keys in /run/web/config/keys, you can replace these with your own keys if required"
 SUBJECT="/C=US/ST=TX/L=Austin/O=jitsi.org/OU=Jitsi Server/CN=*"
- openssl req -new -x509 -days 3650 -nodes -out /config/keys/cert.crt -keyout /config/keys/cert.key -subj "$SUBJECT"
+ openssl req -new -x509 -days 3650 -nodes -out /run/web/config/keys/cert.crt -keyout /run/web/config/keys/cert.key -subj "$SUBJECT"
 fi
 fi
 fi 
@@ -111,24 +110,24 @@ fi
 [ -z "${XMPP_HIDDEN_DOMAIN}" ] && export XMPP_HIDDEN_DOMAIN="$XMPP_RECORDER_DOMAIN"
 # copy config files
-tpl /defaults/nginx.conf > /config/nginx/nginx.conf
+tpl /defaults/nginx.conf > /run/web/config/nginx/nginx.conf
-tpl /defaults/meet.conf > /config/nginx/meet.conf
-if [[ -f /config/nginx/custom-meet.conf ]]; then
- cat /config/nginx/custom-meet.conf >> /config/nginx/meet.conf
+tpl /defaults/meet.conf > /run/web/config/nginx/meet.conf
+if [[ -f /run/web/config/nginx/custom-meet.conf ]]; then
+ cat /run/web/config/nginx/custom-meet.conf >> /run/web/config/nginx/meet.conf
 fi
-tpl /defaults/ssl.conf > /config/nginx/ssl.conf
+tpl /defaults/ssl.conf > /run/web/config/nginx/ssl.conf
-tpl /defaults/default > /config/nginx/site-confs/default
+tpl /defaults/default > /run/web/config/nginx/site-confs/default
-tpl /defaults/system-config.js > /config/config.js
-tpl /defaults/settings-config.js >> /config/config.js
-if [[ -f /config/custom-config.js ]]; then
- cat /config/custom-config.js >> /config/config.js
+tpl /defaults/system-config.js > /run/web/config/config.js
+tpl /defaults/settings-config.js >> /run/web/config/config.js
+if [[ -f /run/web/config/custom-config.js ]]; then
+ cat /run/web/config/custom-config.js >> /run/web/config/config.js
 fi
-cp /defaults/interface_config.js /config/interface_config.js
-if [[ -f /config/custom-interface_config.js ]]; then
- cat /config/custom-interface_config.js >> /config/interface_config.js
+cp /defaults/interface_config.js /run/web/config/interface_config.js
+if [[ -f /run/web/config/custom-interface_config.js ]]; then
+ cat /run/web/config/custom-interface_config.js >> /run/web/config/interface_config.js
 fi
diff --git a/web/rootfs/etc/services.d/cron/run b/web/rootfs/etc/s6-overlay/scripts/cron
similarity index 73%
rename from web/rootfs/etc/services.d/cron/run
rename to web/rootfs/etc/s6-overlay/scripts/cron
index 1b3a4d644a..acca970ae0 100755
--- a/web/rootfs/etc/services.d/cron/run
+++ b/web/rootfs/etc/s6-overlay/scripts/cron
@@ -1,9 +1,9 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 if [[ $DISABLE_HTTPS -ne 1 ]] && [[ $ENABLE_LETSENCRYPT -eq 1 ]]; then
 exec cron -f
 else
 # if cron should not be started,
 # prevent s6 from restarting this script again and again
- s6-svc -O /var/run/s6/services/cron
+ s6-svc -O /run/service/cron
 fi
diff --git a/web/rootfs/etc/services.d/jaas-account/run b/web/rootfs/etc/s6-overlay/scripts/jaas-account
old mode 100644
new mode 100755
similarity index 93%
rename from web/rootfs/etc/services.d/jaas-account/run
rename to web/rootfs/etc/s6-overlay/scripts/jaas-account
index dcb85cc208..ad87a95349
--- a/web/rootfs/etc/services.d/jaas-account/run
+++ b/web/rootfs/etc/s6-overlay/scripts/jaas-account
@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/command/with-contenv bash
 set -e
@@ -7,13 +7,13 @@ DOMAIN=$LETSENCRYPT_DOMAIN
 JITSI_INSTALLATION="DOCKER"
 JAAS_ENDPOINT="https://account-provisioning.cloudflare.jitsi.net/operations"
-CHALLENGE_DIR="/usr/share/jitsi-meet/.well-known"
+CHALLENGE_DIR="/run/web/.well-known"
 CHALLENGE_FILE="$CHALLENGE_DIR/jitsi-challenge.txt"
 SUPPORT_MSG="Reach out to JaaS support at https://jaas.8x8.vc/#components"
-JAAS_ACCOUNT_FILE="/config/jaas-account-created.txt"
+JAAS_ACCOUNT_FILE="/run/web/config/jaas-account-created.txt"
 function stop_service() {
- s6-svc -O /var/run/s6/services/jaas-account
+ s6-svc -O /run/service/jaas-account
 exit 0
 }
@@ -30,7 +30,7 @@ MAX_TRIES=5
 SLEEP_INTERVAL=10
 # Waiting for nginx to start before creating the JaaS account
 while $KEEP_WAITING; do
- s6-svwait -u /var/run/s6/services/nginx
+ s6-svwait -u /run/service/nginx
 NGINX_RESPONSE=$?
 if [ $NGINX_RESPONSE -eq 0 ]; then
 echo "Nginx started"
@@ -119,4 +119,4 @@ done)
 rm ${CHALLENGE_FILE} || true
 fi
-stop_service
\ No newline at end of file
+stop_service
diff --git a/web/rootfs/etc/s6-overlay/scripts/nginx b/web/rootfs/etc/s6-overlay/scripts/nginx
new file mode 100755
index 0000000000..132f3c09bb
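Review bot: `CHALLENGE_DIR="/run/web/.well-known"` relies on that directory existing, and the only other place in this change that refers to it is the web Dockerfile's symlink `/usr/share/jitsi-meet/.well-known -> /run/web/.well-known`; the config script creates `/run/web/tmp` and `/run/web/config/...` but, as far as the visible hunks show, not `/run/web/.well-known`, so writing `$CHALLENGE_FILE` will fail unless an unchanged line of this script already does `mkdir -p "$CHALLENGE_DIR"`. Likewise `JAAS_AC­COUNT_FILE` now lives under `/run/web/config`, which the config script rebuilds from `/config` on every start, so the "account already created" marker is lost on recreate and provisioning is retried. If both are intended, a short comment on each assignment would save the next reader the same trace; otherwise add `mkdir -p "$CHALLENGE_DIR"` before the challenge is written and keep the marker on the `/config` volume. The rest of this script, including where the challenge file is written, is outside the hunk.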
--- /dev/null
+++ b/web/rootfs/etc/s6-overlay/scripts/nginx
@@ -0,0 +1,3 @@
+#!/command/with-contenv bash
+
+exec nginx -c /run/web/config/nginx/nginx.conf
diff --git a/web/rootfs/etc/services.d/nginx/run b/web/rootfs/etc/services.d/nginx/run
deleted file mode 100644
index 884aeb9a77..0000000000
--- a/web/rootfs/etc/services.d/nginx/run
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-exec nginx -c /config/nginx/nginx.conf