instrumentisto / coturn-docker-image Goto Github PK

I've tried the first command of the README:

docker run -d -p 3478:3478 -p 49152-65535:49152-65535/udp instrumentisto/coturn

But then I've encountered some problems due to trying to bind a large range of ports to a Docker container. By default Docker uses a userland proxy (userland-proxy=true in the docker daemon), which tends to eat a huge amount of RAM and CPU when large amounts of ports are binded (see moby/moby#11185).

Unfortunately, I also reach problems when disabling userland proxy (userland-proxy=false), which makes docker use iptables instead of spawning tons of proxy listening processes. Here, not only does creating the container takes forever, but in my case it eventually fails creating all the required redirections and gives an error on a port being already in use (while it's not the case).

This overall problem is nicely summarized in this post: https://www.engagespark.com/blog/rtp-port-ranges-for-freeswitch-in-docker (except for the last problem I've encountered)

In summary: this is not a bug in your image, this is a big weakness of Docker unable to satisfyingly handle large port ranges :). In case you had not encountered this problem, I just wanted to share this piece of information. And maybe a word on these issues could be given in the README, but this is up to you.

and thanks for your work on this image!

Please provide an update to coturn 4.5.2 which contains security fixes, specifically for CVE-2020-26262

Hi,

Due to open issues in Kubernetes and Docker it is currently surprisingly hard to run this container as non-root user and still use privileged ports. AFAIK there are at the moment two possible workarounds for this issue.

• Running the container with --sysctl net.ipv4.ip_unprivileged_port_start=0 or
• adding the CAP_NET_BIND_SERVICE capability on the turnserver binary.

The sysctl based solution could be applied without changing the image but is IMHO a bad idea if the container is run using host networking. Also Kubernetes doesn't even start containers that use host networking that also have sysctl settings in their securityContext. Running the container in it's own network namespace brings a plethora of problems in and of itself and even then adding sysctl settings to a Kubernetes Pod is not really straigh-forward (as is documented here).

This leaves us with option two. Which of course is also problematic. For now my deployment opts for this solution but in order to do this i of course have to build custom images. This also has drawbacks but none of these are a real problem for me at the moment.
The custom image is built using this Dockerfile:

FROM instrumentisto/coturn:4.5.2
RUN apk --no-cache add libcap && setcap CAP_NET_BIND_SERVICE=+ep /usr/bin/turnserver

It would be great if you consider to integrate this changes into the image. But of course i totally understand if you come to the conclusion that the change has too many bad side-effects. In this case at least the next person that runs into this problem has a chance to find this issue and is not forced to debug the problem for hours as i just did.

regards
christian

Can you provide a working docker-compose file and configuration that works for the nextcloud talk plugin? with tls enabled please...I can't get this working..works fine with coturn installed on host, but not in docker.

When I run this command "docker run -d -p 3478：3478 -v $（ pwd ） /my.conf:/etc/coturn/turnserver.conf instrumentisto / coturn"
I got an error :docker: Invalid containerPort: 3478：3478.

Hi, I'm seeking a way to run a TURN server on Kubernetes cluster.
Is this docker image suitable running on Kubernetes?
I have made yaml file below and been able to create coturn service.
However, I couldn't reach my coturn service from Trickle ICE.
How can I solve this problem? Thank you

turnserver-pod.yaml
turnserver-pod.txt

Executed command
$ kubectl apply -f turnserver-pod.yaml
$ kubectl expose deployment turnserver-pod --type=LoadBalancer --name=turnserver-pod-service --external-ip=184.172.234.20

$ kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.21.0.1 443/TCP 4d23h
turnserver-pod-service LoadBalancer 172.21.110.165 184.172.234.20 3478:32037/TCP 8m8s

After running in azure the IP address is not dedicated automatically and even assigning with -E not working.

Hi, Does this coturn or stun/turn server can be hosted in a cluster??

We did try to deploy on a Azure K8S cluster. We are facing issue while establishing the communication with the service running in the cluster. Any pointers?

WE have enabled host network as well

Hi,

I was wondering if there was an official Docker image for Coturn and stumbled upon this in the issue tracker.

From the comments, this repo was recommended and after going through the code here, I find it to be the most elegant implementation of this Docker image available.

My question is, is there a reason these changes have not been merged back to the official repo?

What is the turn username password ?

Can you provide an Image for Pi 4? I love your Container and want to use it on pi also =)

I am trying to set up a TURN server, but when I try to connect to it with

turnutils_uclient -v -m 1 -W XXXXXXXXXXXXXXXX www.example.com

I get 100% lost packets, even though connecting to the server seems to work fine.

Here is the complete log: turnutils_uclient.log

When I use wireshark to look at the traffic on the bridge interface of the docker container, it seems that while all kinds of control packets go back and forth, the actual data packages at the end go from the client to the server, but there is no response.

My configuration and docker-compose file is as follows:
turnserver.conf.txt
docker-compose.yml.txt

Any idea what could be wrong here? Are the response packets dropped by docker or is the server not responding?

I am setting min and max ports as in the documentation --min-port=49160 --max-port=49200 but when I check it using https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice the candidate is not in that range. Should it be in that range?

Hi, I'm using this docker image as part of the matrix-docker-ansible-deploy stack and am having difficulty getting it working for voice (or video) calls. This docker container is running in an Ubuntu Server VM along with Synapse. When a (locally registered) user calls from outside of the local network to another user on the same local network as the VM the call rings but never fully connects after being answered. This also happens if the user on the LAN calls the external user. However, if both users are on the same LAN (the same LAN as the Coturn/Synapse VM) then both voice and video calls work.

My network is behind a pfSense firewall, but I have the ports 3478(tcp/udp), 5349 (tcp/udp), and 49152-49172 (udp) forwarded to the VM directly and outbound traffic from the VM is set to use static ports.

This is my turnserver.conf

use-auth-secret
static-auth-secret=<secret-pass>
realm=my.domain

listening-port=3478
tls-listening-port=5349
min-port=49152
max-port=49172
external-ip=<my-external-ip>

log-file=stdout
pidfile=/var/tmp/turnserver.pid
userdb=/var/tmp/turnserver.db

no-cli

cert=/matrix/ssl/config/live/my.domain/fullchain.pem
pkey=/matrix/ssl/config/live/my.domain/privkey.pem

prod
no-tcp-relay

user-quota=12
total-quota=1200

denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
allowed-peer-ip=10.0.0.1

In my Synapse homserver.yaml Coturn is set to allow guests (at the moment at least), the shared-auth-secret is set, and the turn-uris are:

- turns:my.domain?transport=udp
- turns:my.domain?transport=tcp
- turn:my.domain?transport=udp
- turn:my.domain?transport=tcp

I've been trying to figure this out for a couple of weeks now but haven't had any luck even figuring out where the problem is originating. When I run journalctl -fu matrix-coturn the logs don't show anything except for the creation of the turn servers and connection to the SQlite database.

Any ideas about how I can continue trouble shooting this, or what might be going wrong?

Once we pull the docker image and run with the command specified in the readme.md how do we test and check if the turnserver is working as expected?

Any tools available to test the working of turnserver

I understand that we can start the server using the command 'docker run -d --network=host instrumentisto/coturn'
What is the username and password that is needed for accessing the server?
My application needs to access the turn server by specifying something like below.

var pc_config = {"iceServers": [{"url":"turn:my_username@<turn_server_ip_address>", "credential":"my_password"}]};
pc_new = new webkitRTCPeerConnection(pc_config);

I am not sure what is credential and my_password above when using this docker image.

Any help would be appreciated.

Thanks.

docker run -d --network=host instrumentisto/coturn
-n --log-file=stdout
--external-ip=$(detect-external-ip)
--relay-ip=$(detect-external-ip)

bash: detect-external-ip: command not found

Any plans to support configuration via docker environment variables?

what is the turn username and password ?

Would there be any resistance into me opening a PR to add prometheus support into this image? Would be helpful for us but I'd rather not manage our own fork of this repo 👍

master started failing to build. And complains about missing mongo-c-driver package in apk.

Searching this package really shows no results. Further investigation shoed, that all MongoDB packages where removed from Alpine under the reason:

Upstream has switched to a nonfree license.

While MongoDB may change its license, the mongo-c-driver, however is still Apache-2.0.

I've filled an issue in Alpine's bugtracker. Let's wait the answer.
If no answer/action in 2 weeks will happen, we should compile mongo-c-driver manually (the process may be copied from the referred commit).

This project's README states that one can use their own config file without changing the command:

1. You may either specify your own configuration file instead.

   docker run -d --network=host
   -v $(pwd)/my.conf:/etc/coturn/turnserver.conf
   instrumentisto/coturn

However, the CMD puts the -n flag, which disables reading from any config file.

I suspect the flag is here because coturn fails to start if it can't find a config file. If it's the case, I suggest removing the above section from the README. If not, I suggest removing the -n flag.

FTR, I found this issue because I observed my config file was not taken into account. By adding -c /path/to/turnserver.conf it is.

I get this error when run Dockerfile

it would be great if the container could generate itself letsencrypt certificates via certbot --standalone (port 80 only - keeps port 443 available)

see also: https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates

this might be right as the coturn service seems to need a restart on a key change
--deploy-hook "systemctl restart coturn"

else the other way would be to link the coturn and certbot docker images together like
https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
and solve the service restart in another way

First,thank the author for providing such a convenient Docker Image.
My question is shown in the title.
PS:I'm Chinese developer.My English is so poor.

Does this image support exclusive turn/turns over 80/443 ?

Because if we put no-stun flag enabled it still doesnt goes through TURN(observed in the WIRESHARK)

We are struggling to get past through our corporate network, any pointers please?

We are unable to see relay candidates when we go to a corporate network or a corporate VPN.

Currently Bats test for Coturn version inside Docker image is disabled as Coturn does not print its version anymore on -h option (and has no --version option at all, or a similar one).

Need to find out how to check Coturn version, or to wait until version printing on -h will be restored.

Hello, I'm getting an error above when I tried to use turnadmin.

I just need to add an admin user.

/ # turnadmin -L --db /var/lib/coturn/turndb
0: log file opened: /var/log/turn_30_2020-08-04.log
0: SQLite connection was closed.

I was wondering if there is any way to use turnadmin with this docker image

Hi what is the preferrable transport mode for webrtc? tcp or udp?

and what is the preferred mode of url while calling from webapp.

is it one of the following or all of them work?

turn::3478?transport=udp
turn::3478?transport=tcp
stun::3478?transport=tcp
stun::3478?transport=udp

we are trying to evaluate coturn for our internal projects. Please help us on this

vincent@HAL:~$ sudo docker run -d -p 3478:3478 -p 49152-65535:49152-65535/udp instrumentisto/coturn --restart=always --name coTURN --verbose
34fcef6ff8bd6f35d556889594bbde0e558411257ada2c3255ee7b3da73e2ad4

And then it does not return to the command line. The created container does not get the provided name, nor has any published ports. I can't exit and need to restart docker to be able to remove the container. What could be the case?

This is an example repository how to implement support for others architectures.

https://github.com/killua99/coturn-docker-image

I hope we could open a PR if you want to support such of thing.

We are getting this issue when we are deploying it to a cluster
standard_init_linux.go:211: exec user process caused “no such file or directory”

All the files are in the standard unix format. Help Appreciated.