add new option for kwmbridge dnat mode (#463)

* add new option for kwmbridge dnat mode
* add local config for test of nat functionality
* use variable instead of real ip
* move turn configuration to the right place
* update kwmbridge
* remove trivy

.ci/setup-tools.sh

@@ -9,7 +9,6 @@ GOSS_VERSION=0.3.11
 HADOLINT_VERSION=1.17.6
 REG_VERSION=0.16.1
 SHELLCHECK_VERSION=0.7.1
-TRIVY_VERSION=0.11.0
 
 progname=$(basename "$0")
 tempdir=$(mktemp -d "/tmp/$progname.XXXXXX")
@@ -30,11 +29,6 @@ if ! command -v docker-compose > /dev/null; then
 	sudo chmod +rx /usr/local/bin/docker-compose
 fi
 
-if ! command -v trivy > /dev/null; then
-	wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
-	sudo tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -C /usr/local/bin trivy
-fi
-
 if ! command -v goss > /dev/null; then
 	sudo curl -L https://github.com/aelsabbahy/goss/releases/download/v$GOSS_VERSION/goss-linux-amd64 -o /usr/local/bin/goss
 	sudo chmod +rx /usr/local/bin/goss

docker-compose.kwmbridge-dnat.yml

@@ -0,0 +1,31 @@
+version: "3.5"
+
+services:
+  kopano_kwmserver:
+    environment:
+      - enable_mcu_api=yes
+      - pipeline_forced_regexp=@conference/.*
+      #- pipeline_forced_regexp=@group/.*
+
+  kopano_kwmbridge:
+    image: ${docker_repo:-zokradonh}/kopano_kwmbridge:${KWMBRIDGE_VERSION:-latest}
+    read_only: true
+    restart: unless-stopped
+    depends_on:
+      - kopano_kwmserver
+    environment:
+      - INSECURE=${INSECURE}
+      - oidc_issuer_identifier=https://${FQDN}
+      - kwm_server_urls=https://${FQDN}
+      - use_nat_1to1_ips=${PUBLICIP}
+      - use_nat_1to1_candidate_type=host
+      - ice_udp_port_range=65435:65535
+    volumes:
+      - /etc/machine-id:/etc/machine-id
+      - /etc/machine-id:/var/lib/dbus/machine-id
+      - kopanossl/:/kopano/ssl
+      - /root/kopano-docker/kwmbridge/kwmbridged:/usr/local/bin/kwmbridged
+    ports:
+      - 65535:65535/udp
+    tmpfs:
+      - /tmp

docker-compose.yml

@@ -465,6 +465,8 @@ services:
       - oidc_issuer_identifier=https://${FQDN}
       - public_guest_access_regexp=^group/public/.*
       - registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
+      - turn_service_credentials_password=${TURN_PASSWORD:-}
+      - turn_service_credentials_user=${TURN_USER:-}
     env_file:
       - kopano_kwmserver.env
     volumes:
@@ -485,8 +487,6 @@ services:
       - KCCONF_MEET_guests_enabled=true
       - KCCONF_MEET_minimumVersion=20200121 # can be used force updates of Meet
       - KCCONF_MEET_oidc_useImplicitFlow=true # workaround for guest login with meet https://stash.kopano.io/projects/KWM/repos/meet/pull-requests/102/overview
-      - turn_service_credentials_password=${TURN_PASSWORD:-}
-      - turn_service_credentials_user=${TURN_USER:-}
     env_file:
       - kopano_meet.env
     depends_on:

kwmbridge/Dockerfile

@@ -1,4 +1,4 @@
-ARG CODE_VERSION=0.1.2
+ARG CODE_VERSION=0.1.3
 FROM kopano/kwmbridged:${CODE_VERSION}
 
 ARG CODE_VERSION

kwmbridge/wrapper.sh

@@ -33,6 +33,16 @@ if [ -n "${ice_udp_port_range:-}" ]; then
 	set -- "$@" --use-ice-udp-port-range="$ice_udp_port_range"
 fi
 
+if [ -n "${use_nat_1to1_ips:-}" ]; then
+	for use_nat_1to1_ip in $use_nat_1to1_ips; do
+		set -- "$@" --use-nat-1to1-ip="$use_nat_1to1_ip"
+	done
+fi
+
+if [ -n "${use_nat_1to1_candidate_type:-}" ]; then
+	set -- "$@" --use-nat-1to1-candidate-type="$use_nat_1to1_candidate_type"
+fi
+
 if [ "${with_metrics:-}" = "yes" ]; then
 	set -- "$@" --with-metrics
 fi