add new option for kwmbridge dnat mode (#463)

* add new option for kwmbridge dnat mode * add local config for test of nat functionality * use variable instead of real ip * move turn configuration to the right place * update kwmbridge * remove trivy
2025-06-05 23:16:12 +00:00 · 2020-10-05 08:53:36 +02:00 · 2020-10-05 08:53:36 +02:00 · f67ccd17ea
commit f67ccd17ea
parent 9ddc7c55ae
5 changed files with 50 additions and 15 deletions
--- a/.ci/setup-tools.sh
+++ b/.ci/setup-tools.sh
@ -9,7 +9,6 @@ GOSS_VERSION=0.3.11
 HADOLINT_VERSION=1.17.6
 REG_VERSION=0.16.1
 SHELLCHECK_VERSION=0.7.1
-TRIVY_VERSION=0.11.0

 progname=$(basename "$0")
 tempdir=$(mktemp -d "/tmp/$progname.XXXXXX")
@ -30,11 +29,6 @@ if ! command -v docker-compose > /dev/null; then
 	sudo chmod +rx /usr/local/bin/docker-compose
 fi

-if ! command -v trivy > /dev/null; then
-	wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
-	sudo tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -C /usr/local/bin trivy
-fi
-
 if ! command -v goss > /dev/null; then
 	sudo curl -L https://github.com/aelsabbahy/goss/releases/download/v$GOSS_VERSION/goss-linux-amd64 -o /usr/local/bin/goss
 	sudo chmod +rx /usr/local/bin/goss
@ -90,4 +84,4 @@ fi

 if ! command -v jq > /dev/null; then
 	sudo apt install -y jq
-fi
+fi
--- a/docker-compose.kwmbridge-dnat.yml
+++ b/docker-compose.kwmbridge-dnat.yml
@ -0,0 +1,31 @@
+version: "3.5"
+
+services:
+  kopano_kwmserver:
+    environment:
+      - enable_mcu_api=yes
+      - pipeline_forced_regexp=@conference/.*
+      #- pipeline_forced_regexp=@group/.*
+
+  kopano_kwmbridge:
+    image: ${docker_repo:-zokradonh}/kopano_kwmbridge:${KWMBRIDGE_VERSION:-latest}
+    read_only: true
+    restart: unless-stopped
+    depends_on:
+      - kopano_kwmserver
+    environment:
+      - INSECURE=${INSECURE}
+      - oidc_issuer_identifier=https://${FQDN}
+      - kwm_server_urls=https://${FQDN}
+      - use_nat_1to1_ips=${PUBLICIP}
+      - use_nat_1to1_candidate_type=host
+      - ice_udp_port_range=65435:65535
+    volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /etc/machine-id:/var/lib/dbus/machine-id
+      - kopanossl/:/kopano/ssl
+      - /root/kopano-docker/kwmbridge/kwmbridged:/usr/local/bin/kwmbridged
+    ports:
+      - 65535:65535/udp
+    tmpfs:
+      - /tmp
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -465,6 +465,8 @@ services:
      - oidc_issuer_identifier=https://${FQDN}
      - public_guest_access_regexp=^group/public/.*
      - registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
+      - turn_service_credentials_password=${TURN_PASSWORD:-}
+      - turn_service_credentials_user=${TURN_USER:-}
    env_file:
      - kopano_kwmserver.env
    volumes:
@ -485,8 +487,6 @@ services:
      - KCCONF_MEET_guests_enabled=true
      - KCCONF_MEET_minimumVersion=20200121 # can be used force updates of Meet
      - KCCONF_MEET_oidc_useImplicitFlow=true # workaround for guest login with meet https://stash.kopano.io/projects/KWM/repos/meet/pull-requests/102/overview
-      - turn_service_credentials_password=${TURN_PASSWORD:-}
-      - turn_service_credentials_user=${TURN_USER:-}
    env_file:
      - kopano_meet.env
    depends_on:
--- a/kwmbridge/Dockerfile
+++ b/kwmbridge/Dockerfile
@ -1,4 +1,4 @@
-ARG CODE_VERSION=0.1.2
+ARG CODE_VERSION=0.1.3
 FROM kopano/kwmbridged:${CODE_VERSION}

 ARG CODE_VERSION
--- a/kwmbridge/wrapper.sh
+++ b/kwmbridge/wrapper.sh
@ -33,6 +33,16 @@ if [ -n "${ice_udp_port_range:-}" ]; then
 	set -- "$@" --use-ice-udp-port-range="$ice_udp_port_range"
 fi

+if [ -n "${use_nat_1to1_ips:-}" ]; then
+	for use_nat_1to1_ip in $use_nat_1to1_ips; do
+		set -- "$@" --use-nat-1to1-ip="$use_nat_1to1_ip"
+	done
+fi
+
+if [ -n "${use_nat_1to1_candidate_type:-}" ]; then
+	set -- "$@" --use-nat-1to1-candidate-type="$use_nat_1to1_candidate_type"
+fi
+
 if [ "${with_metrics:-}" = "yes" ]; then
 	set -- "$@" --with-metrics
 fi
@ -48,13 +58,13 @@ fi
 if [ "${AUTOCONFIGURE}" = true ]; then
 	if [ "$INSECURE" = "yes" ]; then
 		dockerize \
-		-skip-tls-verify \
-		-wait "$oidc_issuer_identifier"/.well-known/openid-configuration \
-		-timeout 360s
+			-skip-tls-verify \
+			-wait "$oidc_issuer_identifier"/.well-known/openid-configuration \
+			-timeout 360s
 	else
 		dockerize \
-		-wait "$oidc_issuer_identifier"/.well-known/openid-configuration \
-		-timeout 360s
+			-wait "$oidc_issuer_identifier"/.well-known/openid-configuration \
+			-timeout 360s
 	fi

 	# services need to be aware of the machine-id