One port to rule them all?

2020-06-23 Thread Konstantin Kuzov
Yes, it is possible to set up a server so such clients will work. But it is
a bit tricky:
 1) You need to change the TURN url in OM so it will use tcp-mode (like
turns:turn.example.org:443?transport=tcp).
 2) Clients behind restrictive firewalls are also most likely proxied and
so there may be traffic inspection on port 443. As such we need to also
mask TURN traffic as https using SSL/TLS by supplying certificates to
coturn and changing the TURN url flavour from turn to turns in the OM config.
 3) Lastly you need to set up some frontend proxy on the server's 443 port which
could inspect the first received packet and by some criteria (like SNI or ALPN)
redirect that and all further packets to a specific destination.

I posted to this maillist sample configs about a month ago which utilize
nginx's proxying + ssl_preread with SNI redirection. You can check them out
in the maillist archive.

There are quirks though:
1) ALPN: currently there are no browsers which send ALPN for turn. Also
chromium-based browsers don't send ALPN for websockets.
2) Firefox for some reason does not play nicely when proxied by nginx's
ssl_preread, but works fine when coturn is listening directly on port 443.
I haven't investigated much why that is happening. Chromium-based browsers work
just fine.
3) Also, as I mentioned in the original mail, you generally don't want to proxy
all users via tcp and preferably use this mode only for users behind
restrictive firewalls, as it will add additional latency and there will be more
quality degradation on unstable networks. You can achieve that by
specifying multiple comma-separated turn urls in OM and putting the tcp one
last.


Mon, 22 Jun 2020 at 15:20, Alain DEVILLE:

> Hello,
>
> I have a functional openmeetings installation, and one of the users is in a
> restrictive infrastructure for accessing the internet (only ports 443 and 80
> are allowed); is there a method/tool to proxy/reverse proxy all the ports
> used?
>
> I know that I can "hide" my server behind an apache proxy or an nginx,
> but the problem of the ports used for coturn and kurento isn't solved;
> even web socket could be tricky…
>
> By default the ports used by openmeetings are these ones:
>
> *3478 TCP-UDP IN*
>
> *5443 TCP IN*
>
> * TCP IN*
>
> *49152:65535 UDP IN-OUT*
>
>
>
> Is it possible to encapsulate all flows (web/audio/video) in one port?
>
> Best regards
>
>
>
> Alain DEVILLE
>
>
>
>
>
>
> --
>
> This e-mail has been checked for viruses by Avast antivirus
> software.
> www.avast.com
>
>


Re: resize SCREEN (disconnect and connect)

2020-05-23 Thread Konstantin Kuzov
Sat, 23 May 2020 at 05:36, Maxim Solodovnik:

>
> Thanks,
> this is great starting point :))
>

Glad that you like it ^_^


> it looks very similar to interview room
>
Yeah, in some aspects. But without removing the board functionality. And with
a focus on strictly automatic cam management.


> Notes:
> 1. the controls might not fit onto small screen
> 2. same note for video area and video-on-user-list
>
Everything should be bootstrapped. Controls should dynamically react to the
available area. So if there is not enough room for controls they should
hide themselves under a dropdown list with a single icon. If the user resizes
the window or rotates the device and there is enough room now they should unhide
back to normal. Kinda like the main menu currently does (though too aggressive).
Maybe we should group all these setup/request/placement controls together
on one bar.

Same goes for the user-list: it should hide/resize unnecessary elements like
avatars and rearrange elements so they occupy as little space as possible.
Like if we are constricted by width but not by height the username goes above
the video or even on top of it, and so on. If something becomes too small to be
reliably interacted with by finger it should also be replaced by a single button
with a drop-down list.

Also the majority of these small screens, if not all of them, are portable
devices nowadays. And the common way to deal with them is to go with native
apps for these platforms. That way you will have better control,
performance, battery drain and don't have to deal with a plethora of
different browsers and their quirks/constraints. Correct me if I'm wrong
but that way is currently infeasible for us, because the web-interface is too
tightly intertwined with the server-side due to wicket and we don't have a
clean and abstract api of communication to decouple the frontend web-UI from
the backend java application. So writing standalone apps or alternative
web-interfaces on modern frameworks like react will be a huge pain in the ass.


>> Algorithm of rectangle packing is debatable. I think it will be better to
>> dynamically calculate webcam sizes based on total number of cameras and
>> available area size so they are all the same size. And deny any user custom
>> movement/resizes. Maybe with exception that user can increase/decrease size
>> of specific webcams by factor of 2.
>>
>
> in this case camera resolution dialog is very much useless
> WDYT?
>
If we get rid of it we should also somehow tackle the problem of
controlling bandwidth consumption and quality of streams. We don't want
a couple of desktop users with shiny full-hd webcams to tank weak
mobile connections and slow devices.
And at the same time we don't want to have a blurry pixelated mess on
fullscreen if the remote user has a great webcam.

WebRTC has the concepts of BWE (Bandwidth Estimation) and REMB (Received
Estimated Maximum Bitrate) but I'm not sure how they play in non-p2p mode
in relation with KMS, if they play at all. We also have bitrate constraints so we
can influence the used bandwidth. But bitrate is directly tied to video
resolution and video/audio quality. You don't need much bitrate to stream a
thumbnail but you need it for high resolution streams. Also, the higher the
resolution the more CPU (or dedicated hardware units on SoC,
GPU,...) usage there will be for encoding on the sender and decoding on receivers.

The aforementioned jitsi doesn't have a resolution selector either. It has
server-side global variables for setting minimum and maximum resolutions.
When there are 2 cams in the room they use p2p mode with the maximum possible
resolution (limited by the maximum resolution supported by the webcam hardware,
the global server setting and the available bandwidth between clients). When a third
client enters the room they seamlessly switch to routing through the
videobridge (in our case that's kms). When in videobridge mode they also
have a feature called simulcast, which roughly works like this: every
participant simultaneously encodes multiple copies of the video stream with
different resolutions, bitrates and even framerates and pushes them all to the
videobridge. When a remote client sees this stream in a small thumbnail only the
smallest stream is sent to him; when he switches that webcam to fullscreen it
seamlessly switches to the stream with the maximum resolution if there is available
bandwidth. In other cases like tile-view medium streams are typically
transmitted. In other words they seamlessly adapt the transmitted content to the
presentation size and bandwidth constraints between client and videobridge.
So at the expense of a mostly static and predictable increase of cpu usage
and upload bandwidth on every client you at the same time see great quality
streams and can participate in very large video conferences without
issues related to download bandwidth constraints or hardware overload due
to receiving and decoding many high-definition streams simultaneously.


Re: resize SCREEN (disconnect and connect)

2020-05-22 Thread Konstantin Kuzov
Something like that:
https://nosferatu.g0x.ru/pub/openmeetings/mockups

The algorithm of rectangle packing is debatable. I think it would be better to
dynamically calculate webcam sizes based on the total number of cameras and the
available area size so they are all the same size, and deny any custom user
movement/resizes. Maybe with the exception that the user can increase/decrease the
size of specific webcams by a factor of 2.

Fri, 22 May 2020 at 15:11, Maxim Solodovnik:

>
>
> On Fri, 22 May 2020 at 19:04, Konstantin Kuzov 
> wrote:
>
>> I think what Martin really wants is that we preserve the local user-set
>> size and window positions of all webcams at least for automatic reconnect.
>> Currently when we do reconnect we completely tear down the connection and
>> destroy and then recreate the associated webcam window. So it will reset to the
>> size set by the owner of the webcam and will be placed in random empty space and
>> not where the user placed it before. The hotkey is only a partial solution, because
>> you need to hit it every time it happens, and only if you are satisfied with
>> its result, which you may not be.
>>
>> I personally think that it would be nice if OM had some webcam
>> dedicated area with nothing underneath. So the user doesn't ever need to
>> micromanage webcam windows manually. They should align and resize
>> themselves in that area automatically by trying to cover it in the
>> most efficient way. Like typically all other conferencing software does.
>> For example I like how jitsi does it. They have sidebar miniature view,
>> tile view and the ability to open an arbitrary webcam on fullscreen by clicking on
>> it. That also solves the problem on touch screens which don't really support
>> window dragging without questionable hacks.
>>
>
> I would love to see some mockup of such layout
> for both big and small monitors ...
>
>
>>
>> Fri, 22 May 2020 at 14:19, Maxim Solodovnik:
>>
>>>
>>>
>>> On Fri, 22 May 2020 at 18:16, Chamberland, Martin <
>>> martin.chamberl...@fadq.qc.ca> wrote:
>>>
>>>>
>>>>
>>>>
>>>> Thanks Maxim for the hotkey, but I will try to explain better.
>>>>
>>>> When you enter a room, your video windows are showing on the main screen of
>>>> the meeting, just above the whiteboard, right?
>>>>
>>>> Suppose there are 5 users in that room, so you have to move and resize
>>>> the screen of each of them to fit your need.
>>>>
>>>>
>>>>
>>>> After the meeting starts, everything is good, all those windows are
>>>> placed where you want them to be, that is perfect.
>>>>
>>>> But, what we can see is that if any of those 5 users has a bad
>>>> internet connection, poor quality, it will maybe disconnect and reconnect
>>>> because of that poor internet network.
>>>>
>>>> And then, his screen (only that user) will come back again (after his
>>>> automatic reconnection) with the original size, so you have to again
>>>> resize it to fit your need.
>>>>
>>>> If 2-3 users of those 5 have a bad connection, it can become really
>>>> annoying.
>>>>
>>>>
>>>>
>>>> I hope it's more clear.
>>>>
>>>
>>> Yes,
>>> The hotkey I posted should do the following:
>>> 1) resize all video windows to be 120x90
>>> 2) align them left-to-right, bottom-to-top
>>>
>>> Not sure what else can be done :(
>>>
>>>
>>>>
>>>>
>>>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>>>> *Sent:* 21 May 2020 22:04
>>>> *To:* Openmeetings user-list
>>>> *Subject:* Re: resize SCREEN (disconnect and connect)
>>>>
>>>>
>>>>
>>>> Hello Martin,
>>>>
>>>>
>>>>
>>>> On Fri, 22 May 2020 at 02:17, Chamberland, Martin <
>>>> martin.chamberl...@fadq.qc.ca> wrote:
>>>>
>>>>
>>>>
>>>>
>>>> It's probably not really a bug, but let me try to explain.
>>>>
>>>>
>>>>
>>>> When someone enters a room, you have to resize his screen to fit your
>>>> need (do that for everyone).
>>>>
>>>> The problem starts when someone in the meeting has a poor connection:
>>>> he will be disconnected and reconnected automatically, but you have to
>>>> "again" and "again"…. resize his screen.
>>>>
>>>> That is pretty annoying.
>>>>
>>>>
>>>>
>>>> There is hotkey to resize video pod + align (Ctrl+Shift+KeyA by
>>>> default https://openmeetings.apache.org/GeneralConfiguration.html)
>>>>
>>>> Is it what you are looking for?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Can we disable something, to get rid of this behavior.
>>>>
>>>>
>>>>
>>>> I hope I’m enough clear in my explanation
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Best regards,
>>>> Maxim
>>>>
>>>
>>>
>>> --
>>> Best regards,
>>> Maxim
>>>
>>
>
> --
> Best regards,
> Maxim
>


Re: resize SCREEN (disconnect and connect)

2020-05-22 Thread Konstantin Kuzov
I think what Martin really wants is that we preserve the local user-set size
and window positions of all webcams at least for automatic reconnect.
Currently when we do reconnect we completely tear down the connection and
destroy and then recreate the associated webcam window. So it will reset to the
size set by the owner of the webcam and will be placed in random empty space and
not where the user placed it before. The hotkey is only a partial solution, because
you need to hit it every time it happens, and only if you are satisfied with
its result, which you may not be.

I personally think that it would be nice if OM had some webcam
dedicated area with nothing underneath. So the user doesn't ever need to
micromanage webcam windows manually. They should align and resize
themselves in that area automatically by trying to cover it in the
most efficient way. Like typically all other conferencing software does.
For example I like how jitsi does it. They have sidebar miniature view,
tile view and the ability to open an arbitrary webcam on fullscreen by clicking on
it. That also solves the problem on touch screens which don't really support
window dragging without questionable hacks.

Fri, 22 May 2020 at 14:19, Maxim Solodovnik:

>
>
> On Fri, 22 May 2020 at 18:16, Chamberland, Martin <
> martin.chamberl...@fadq.qc.ca> wrote:
>
>>
>>
>>
>> Thanks Maxim for the hotkey, but I will try to explain better.
>>
>> When you enter a room, your video windows are showing on the main screen of
>> the meeting, just above the whiteboard, right?
>>
>> Suppose there are 5 users in that room, so you have to move and resize
>> the screen of each of them to fit your need.
>>
>>
>>
>> After the meeting starts, everything is good, all those windows are
>> placed where you want them to be, that is perfect.
>>
>> But, what we can see is that if any of those 5 users has a bad internet
>> connection, poor quality, it will maybe disconnect and reconnect because of
>> that poor internet network.
>>
>> And then, his screen (only that user) will come back again (after his
>> automatic reconnection) with the original size, so you have to again
>> resize it to fit your need.
>>
>> If 2-3 users of those 5 have a bad connection, it can become really annoying.
>>
>>
>>
>> I hope it's more clear.
>>
>
> Yes,
> The hotkey I posted should do the following:
> 1) resize all video windows to be 120x90
> 2) align them left-to-right, bottom-to-top
>
> Not sure what else can be done :(
>
>
>>
>>
>> *From:* Maxim Solodovnik [mailto:solomax...@gmail.com]
>> *Sent:* 21 May 2020 22:04
>> *To:* Openmeetings user-list
>> *Subject:* Re: resize SCREEN (disconnect and connect)
>>
>>
>>
>> Hello Martin,
>>
>>
>>
>> On Fri, 22 May 2020 at 02:17, Chamberland, Martin <
>> martin.chamberl...@fadq.qc.ca> wrote:
>>
>>
>>
>>
>> It's probably not really a bug, but let me try to explain.
>>
>>
>>
>> When someone enters a room, you have to resize his screen to fit your need
>> (do that for everyone).
>>
>> The problem starts when someone in the meeting has a poor connection:
>> he will be disconnected and reconnected automatically, but you have to
>> "again" and "again"…. resize his screen.
>>
>> That is pretty annoying.
>>
>>
>>
>> There is hotkey to resize video pod + align (Ctrl+Shift+KeyA by default
>> https://openmeetings.apache.org/GeneralConfiguration.html)
>>
>> Is it what you are looking for?
>>
>>
>>
>>
>>
>> Can we disable something, to get rid of this behavior.
>>
>>
>>
>> I hope I’m enough clear in my explanation
>>
>>
>>
>>
>> --
>>
>> Best regards,
>> Maxim
>>
>
>
> --
> Best regards,
> Maxim
>


Re: Default Cam

2020-05-21 Thread Konstantin Kuzov
Well, in my understanding "ideal" unlike "exact" is just a suggestion and
shouldn't by itself raise any errors if the browser cannot satisfy a request.
So it shouldn't make any difference for devices with fewer than two cameras
where at least one camera has been marked as "front". I also suspect that
in most cases only internal cameras will have this user-placement mark, if the
OS even supports that distinction at all.
We can guard it by mediaDevices.getSupportedConstraints(), but a browser which
doesn't support such a constraint should just ignore it without raising any
errors according to the standard.

Thu, 21 May 2020 at 20:21, Maxim Solodovnik:

> The main question is will it work
> 1) at laptop
> 2) PC without camera
> 3) laptop/PC with several cameras
>
> And I guess it's better to test this code with the back camera listed first
>
> Sebastian can test it on Mac :) (and I guess it can be guarded with a
> "constraint supported" check)
>
> On Fri, 22 May 2020 at 00:09, Konstantin Kuzov 
> wrote:
>
>> Browser support seems to be pretty good according to mozilla's link. Only
>> apple devices need to be tested.
>> Tested it with these changes on my android phone:
>>
>> https://github.com/CkNoSFeRaTU/openmeetings/commit/490f51400e44295b00815fd70f30a065a2705638
>>
>> And it appears to be working just fine. Though my phone has the first (0)
>> camera as front camera already. But it behaves correctly if I change "user"
>> to "environment" or vice-versa.
>>
>>
>> Thu, 21 May 2020 at 19:27, Maxim Solodovnik:
>>
>>> Well,
>>> this is something other than "Select front camera if none was selected
>>> before"
>>> But it can help IF such constraint is supported by client browser :)
>>> I also had some issues with `acceptable, ideal, and/or exact`
>>> constraints 
>>>
>>> This can be investigated :)
>>>
>>> Any volunteers? :)))
>>>
>>> On Thu, 21 May 2020 at 23:20, Konstantin Kuzov <
>>> master.nosfer...@gmail.com> wrote:
>>>
>>>> Isn't it possible to suggest or force exact type of camera using
>>>> MediaTrack's video constraint facingMode?
>>>>
>>>> https://developer.mozilla.org/en-US/docs/Web/API/MediaTrackConstraints/facingMode
>>>>
>>>>
>>>> Thu, 21 May 2020 at 15:45, Maxim Solodovnik:
>>>>
>>>>> Hello Peter,
>>>>>
>>>>> unfortunately there are no parameters we can use to distinguish if it
>>>>> is front or back camera :(
>>>>> We can get the list of devices and detect if it is Audio or Video
>>>>> device
>>>>>
>>>>> So we create 2 lists and select the first item from both (or previously
>>>>> selected)
>>>>>
>>>>> On Thu, 21 May 2020 at 17:08, Peter Dähn  wrote:
>>>>>
>>>>>> Hi together,
>>>>>>
>>>>>> if one uses a device with two cams the rear view cam is selected by
>>>>>> default.
>>>>>> I think if it is possible it is better to use the front cam as default.
>>>>>> WDYT?
>>>>>>
>>>>>> Greetings Peter
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Maxim
>>>>>
>>>>
>>>
>>> --
>>> Best regards,
>>> Maxim
>>>
>>
>
> --
> Best regards,
> Maxim
>


Re: Default Cam

2020-05-21 Thread Konstantin Kuzov
Browser support seems to be pretty good according to mozilla's link. Only
apple devices need to be tested.
Tested it with these changes on my android phone:
https://github.com/CkNoSFeRaTU/openmeetings/commit/490f51400e44295b00815fd70f30a065a2705638

And it appears to be working just fine. Though my phone has the first (0)
camera as front camera already. But it behaves correctly if I change "user"
to "environment" or vice-versa.


Thu, 21 May 2020 at 19:27, Maxim Solodovnik:

> Well,
> this is something other than "Select front camera if none was selected
> before"
> But it can help IF such constraint is supported by client browser :)
> I also had some issues with `acceptable, ideal, and/or exact` constraints
> 
>
> This can be investigated :)
>
> Any volunteers? :)))
>
> On Thu, 21 May 2020 at 23:20, Konstantin Kuzov 
> wrote:
>
>> Isn't it possible to suggest or force exact type of camera using
>> MediaTrack's video constraint facingMode?
>>
>> https://developer.mozilla.org/en-US/docs/Web/API/MediaTrackConstraints/facingMode
>>
>>
>> Thu, 21 May 2020 at 15:45, Maxim Solodovnik:
>>
>>> Hello Peter,
>>>
>>> unfortunately there are no parameters we can use to distinguish if it is
>>> front or back camera :(
>>> We can get the list of devices and detect if it is Audio or Video device
>>>
>>> So we create 2 lists and select the first item from both (or previously
>>> selected)
>>>
>>> On Thu, 21 May 2020 at 17:08, Peter Dähn  wrote:
>>>
>>>> Hi together,
>>>>
>>>> if one uses a device with two cams the rear view cam is selected by default.
>>>> I think if it is possible it is better to use the front cam as default.
>>>> WDYT?
>>>>
>>>> Greetings Peter
>>>>
>>>
>>>
>>> --
>>> Best regards,
>>> Maxim
>>>
>>
>
> --
> Best regards,
> Maxim
>


Re: Default Cam

2020-05-21 Thread Konstantin Kuzov
Isn't it possible to suggest or force exact type of camera using
MediaTrack's video constraint facingMode?
https://developer.mozilla.org/en-US/docs/Web/API/MediaTrackConstraints/facingMode


Thu, 21 May 2020 at 15:45, Maxim Solodovnik:

> Hello Peter,
>
> unfortunately there are no parameters we can use to distinguish if it is
> front or back camera :(
> We can get the list of devices and detect if it is Audio or Video device
>
> So we create 2 lists and select the first item from both (or previously
> selected)
>
> On Thu, 21 May 2020 at 17:08, Peter Dähn  wrote:
>
>> Hi together,
>>
>> if one uses a device with two cams the rear view cam is selected by default.
>> I think if it is possible it is better to use the front cam as default. WDYT?
>>
>> Greetings Peter
>>
>
>
> --
> Best regards,
> Maxim
>


Re: List of worth-checking log files of OM and related software

2020-05-20 Thread Konstantin Kuzov
Dockerized KMS doesn't write logs to files as far as I know.
You can grab KMS logs with the command: docker logs kms, or inspect them in
real time with the command: docker logs --follow kms

Wed, 20 May 2020 at 05:37, Maxim Solodovnik:

>
>
> On Wed, 20 May 2020 at 02:57, seba.wag...@gmail.com 
> wrote:
>
>> This one:
>> 2) KMS logs by default at /var/log/kurento-media-server
>>
>> That's inside the docker container, right?
>>
> Yes, in case NOT Ubuntu is used :))
>
>
>> I think you need to pass in a special variable to make that visible
>> outside of the docker container.
>>
> /var/log from host can be mounted to docker :)
>
> --
> Best regards,
> Maxim
>


Re: New tutorials Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4

2020-05-18 Thread Konstantin Kuzov
I tested it a bit and didn't find any difference except that this way it is more
handy to distinguish connections in logs or coturn's cli.
But hypothetically there may be some other turn-server implementation for
which it could matter.

Sun, 17 May 2020 at 09:57, Maxim Solodovnik:

> Hello Konstantin,
>
> I did my experiments with coturn based on this SO article
> https://stackoverflow.com/questions/35766382/coturn-how-to-use-turn-rest-api
> I have created a config that works and stopped further experiments :((
> So most probably something can be enhanced :) and something can be
> re-written
>
> I'm using
>   lt-cred-mech
>   use-auth-secret
>   static-auth-secret=XXX
>
> with random string for user in applicationContext.xml
>
> Currently it basically uses one user for all clients and there is no
> guarantee that the timestamp alone will be unique.
> Why might a unique user be required?
>
> --
> Best regards,
> Maxim
>


Re: New Features: "very fast conference" and more

2020-05-18 Thread Konstantin Kuzov
I doubt that apache has something like that. Though I haven't used it
for more than 10 years. There are so many better alternatives..
I think haproxy definitely should have such functionality.

It's not really about fewer ports, as generally you don't want to tunnel
everyone through tcp as it will add latency and hiccups if there are tcp
retransmits. It is about providing a last-resort ability to connect for users
which are behind very restrictive firewalls, like port 443 only, when you
have only one IP address on the server and want both coturn and the web server
to reside on one and the same port for the outside. So special magic is required.

To achieve that you need to provide the ability to specify multiple TURN urls,
including their flavour. Like that:
https://github.com/CkNoSFeRaTU/openmeetings/commit/abad92d6b4fcc03884de18143e3e96eaa3591d53


Then you set up something as frontend that analyzes the first incoming packet
(typically a TLS ClientHello) and decides whether to redirect that
connection to the turn server or not. There can be many configurations and
what you can look at as a distinguisher: SNI, ALPN or even protocol...

There I placed some of my experiments with nginx and two domains, one for
coturn and one for om:
https://nosferatu.g0x.ru/pub/openmeetings/443-only/

On chromium-based browsers it works like a charm. But the last resort
path doesn't work on firefox for some reason. I didn't investigate much
why...

P.S. The commented part in nginx's configuration is how jitsi does it. That way
it will break chromium-based browsers' websocket because they don't send the
ALPN extension for websocket connections for some reason. And in case of OM
that means that there will be an infinite spinning wheel for such browsers..


Sun, 17 May 2020 at 10:05, Maxim Solodovnik:

>
>
> On Sat, 16 May 2020 at 21:52, Konstantin Kuzov 
> wrote:
>
>> The only thing Jitsi does regarding ports in the default configuration is
>> using nginx's ALPN map feature (
>> http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html) to
>> hide the default stun/turn ports behind nginx's https port. But be aware that
>> this feature can break secure websocket for some browsers like chrome.
>>
>
> I'm not aware of this module
> Does it exist for Apache?
> Can it be used (with care) to create a config with fewer ports required?
>
>
>>
>> Sat, 16 May 2020 at 17:36, Maxim Solodovnik:
>>
>>> This service uses Jitsi
>>> I'm still not sure if it is possible to configure WebRTC to use less
>>> ports
>>> AFAIK it is impossible
>>>
>>>
>
> --
> Best regards,
> Maxim
>
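The first-packet routing described in this message and in the "One port to rule them all?" message at the top of the page (inspect the TLS ClientHello, pick a backend from SNI or ALPN, the way nginx's ssl_preread does), shown as an added Python example. This is not code from the thread, from nginx or from OpenMeetings: it constructs a sample ClientHello offline, parses the SNI and ALPN fields from it, and applies a routing rule that keys on SNI first and treats ALPN only as a hint, which is exactly why the quirk about Chromium omitting ALPN for WebSockets matters. The host names, the backend labels and the `route` function are constructed placeholders; "stun.turn" is the ALPN identifier registered for TURN in RFC 7443.

```python
"""Added example (not part of the mailing-list thread, nginx or OpenMeetings):
a minimal TLS ClientHello inspector that extracts SNI and ALPN, the two fields
an ssl_preread-style frontend can route on, plus a builder that constructs
sample ClientHello bytes offline so the routing decisions can be exercised.
Host names and backend labels below are constructed placeholders."""
import struct

EXT_SNI = 0x0000   # server_name extension (RFC 6066)
EXT_ALPN = 0x0010  # application_layer_protocol_negotiation (RFC 7301)


def build_client_hello(sni, alpn=()):
    """Construct a syntactically valid TLS 1.2 ClientHello record (sample input)."""
    exts = b""
    if sni:
        host = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        names = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SNI, len(names)) + names
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        plist = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", EXT_ALPN, len(plist)) + plist
    body = (
        b"\x03\x03" + bytes(32)          # client_version, random (zeroed: sample only)
        + b"\x00"                         # empty session_id
        + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                     # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return {'sni': str|None, 'alpn': [str, ...]} or None if not a complete ClientHello."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    if len(body) < hs_len:
        return None  # truncated: a real proxy would wait for more bytes
    pos = 2 + 32                                           # skip version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    result = {"sni": None, "alpn": []}
    if pos + 2 > len(body):
        return result                                      # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SNI and len(edata) >= 5 and edata[2] == 0:
            nlen = struct.unpack("!H", edata[3:5])[0]
            result["sni"] = edata[5:5 + nlen].decode("ascii", "replace")
        elif etype == EXT_ALPN and len(edata) >= 2:
            p = 2
            while p < len(edata):
                plen = edata[p]
                result["alpn"].append(edata[p + 1:p + 1 + plen].decode("ascii", "replace"))
                p += 1 + plen
    return result


def route(data, sni_map, default="web"):
    """Pick a backend for a connection's first packet.  SNI is the primary key,
    as in the nginx ssl_preread setup from the thread; ALPN is consulted only as
    a hint because (per the thread) browsers do not send ALPN for TURN and
    Chromium omits it for WebSockets, so an ALPN-only rule would misroute those."""
    hello = parse_client_hello(data)
    if hello is None:
        return default                 # not TLS at all: hand to the web frontend
    if hello["sni"] in sni_map:
        return sni_map[hello["sni"]]
    if "stun.turn" in hello["alpn"]:   # ALPN id registered for TURN (RFC 7443)
        return "turn"
    return default


if __name__ == "__main__":
    backends = {"turn.example.org": "turn", "om.example.org": "web"}
    print(route(build_client_hello("turn.example.org", ["stun.turn"]), backends))
    print(route(build_client_hello("om.example.org"), backends))  # Chromium WebSocket: SNI only
```

A real frontend buffers until the whole record has arrived (the parser returns None on a truncated record) and falls through to the web backend for anything that is not TLS, so a plain-HTTP probe on 443 never reaches coturn; the SNI-first rule is what keeps a Chromium WebSocket with no ALPN on the web backend.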


Re: New tutorials Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4

2020-05-17 Thread Konstantin Kuzov
I tested both use-auth-secret's static-auth and lt-cred-mech's static user
auth modes and they both work for me like that:
1) lt-cred-mech's static user
- turnserver.conf:
fingerprint
lt-cred-mech
realm=example.org
user=test:passwd
stale-nonce=0
verbose

- applicationContext.xml:
p:turnUrl="example.org"
p:turnUser="test"
p:turnSecret="passwd"
p:turnMode=""
p:turnTtl="60"

2) use-auth-secret's static-auth in REST mode
- turnserver.conf:
fingerprint
use-auth-secret
realm=example.org
static-auth-secret=authsecret
stale-nonce=0
verbose
- applicationContext.xml:
p:turnUrl="example.org"
p:turnUser=""
p:turnSecret="authsecret"
p:turnMode="rest"
p:turnTtl="60"

For use-auth-secret's static-auth you can also actually populate
p:turnUser with something random. Then it will be used as the userid. From
coturn's documentation:
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, the timestamp alone can be used.

Maxim, maybe OM needs to also make proper use of the userid for REST mode?
Currently it basically uses one user for all clients and there is no
guarantee that the timestamp alone will be unique. Dunno if that's bad.
Something like this:
https://github.com/CkNoSFeRaTU/openmeetings/commit/ab15c3fc6306982cd991835aa0a39f1b37a0c8cc#diff-ea905da2ad8890a997638b281f0fc87cR340
c.getUid() can be replaced with c.getUser().getId() if that is better for
some reason...

Sun, 17 May 2020 at 02:59, Konstantin Kuzov:

> I'm using use-auth-secret without user in coturn's configuration and with
> empty p:turnUser in OM's applicationContext.xml.
> I haven't tried to configure user auth through applicationContext.xml... I
> only tried user auth by not touching applicationContext.xml at all and by
> configuring it in KMS's WebRtcEndpoint.conf.ini. That way it worked but
> most users had trouble prolonging their sessions on turn and so had
> disconnects by channel-lifetime (by default 10 minutes).
>
> Looking at
> https://github.com/apache/openmeetings/blob/master/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/KurentoHandler.java#L335
> if you want to try user auth you need to set p:TurnMode="",
> p:TurnUser="username" and p:turnSecret="password"
>
> Sat, 16 May 2020 at 20:39, Juan Antonio Moreno Carmona:
>
>> Hi Konstantin
>>
>> Then, what mechanism do you use? user or use-auth-secret?
>>
>> And how do you fill the applicationContext.xml file? I tried to comment out
>> use-auth-secret and static-auth-secret in the turnserver.conf file.
>> Furthermore, I leave the p:turnSecret option empty in the applicationContext.xml
>> file.
>>
>> But then I get the following error in catalina.out and I can't get
>> camera/audio working
>>
>> ERROR 05-16 18:57:36.864 o.a.w.DefaultExceptionMapper:170
>> [-apr-443-exec-6] - Unexpected error occurred
>> java.lang.IllegalArgumentException: Empty key
>>
>> Regards.
>>
>
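The credential scheme from the coturn comment quoted in this message (usercombo = "timestamp:userid", turn password = base64(hmac(secret key, usercombo))), as an added Python example that is not code from the thread, from coturn or from OpenMeetings. It generates credentials the way a p:turnMode="rest" client needs them and verifies them the way a use-auth-secret server does (HMAC match in constant time, then expiry check), and it makes the point raised in this message concrete: with an empty userid (the p:turnUser="" case) two clients that request credentials in the same second end up with identical usernames. The secret "authsecret" and the ttl of 60 are taken from the configs in this message; the client ids, the fixed timestamps and the helper `credentials_collide` are constructed for the example.

```python
"""Added example (not code from the thread, coturn or OpenMeetings): generate and
verify TURN REST credentials as described in the coturn documentation quoted in
the thread: usercombo = "timestamp:userid", password = base64(hmac_sha1(secret, usercombo)).
The timestamp is the credential's expiry as Unix time.  Secret, user ids and
timestamps used here are constructed sample values."""
import base64
import hashlib
import hmac
import time


def make_turn_credentials(secret, user_id, ttl_seconds, now=None):
    """Return (username, password) valid for ttl_seconds from `now`.
    user_id is the per-client id; an empty string reproduces the timestamp-only
    form the thread discusses (p:turnUser=""), which cannot tell apart two
    clients that requested credentials in the same second."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + int(ttl_seconds)
    usercombo = f"{expiry}:{user_id}" if user_id else str(expiry)
    digest = hmac.new(secret.encode(), usercombo.encode(), hashlib.sha1).digest()
    return usercombo, base64.b64encode(digest).decode()


def verify_turn_credentials(secret, username, password, now=None):
    """Server-side check in the spirit of use-auth-secret: the HMAC must match
    (constant-time compare) and the embedded expiry must still be in the future.
    Returns the user id on success ("" for the timestamp-only form) or None."""
    now = int(time.time()) if now is None else int(now)
    ts_str, _, user_id = username.partition(":")
    if not ts_str.isdigit():
        return None
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()).decode()
    if not hmac.compare_digest(expected, password):
        return None
    if int(ts_str) <= now:
        return None  # expired: the client must fetch fresh credentials
    return user_id


def credentials_collide(secret, ttl_seconds, now, user_a, user_b):
    """True when two clients issued credentials at the same instant receive the
    same TURN username, i.e. the server cannot attribute their allocations
    separately (the concern raised in the thread about timestamp-only users)."""
    name_a = make_turn_credentials(secret, user_a, ttl_seconds, now)[0]
    name_b = make_turn_credentials(secret, user_b, ttl_seconds, now)[0]
    return name_a == name_b


if __name__ == "__main__":
    user, pwd = make_turn_credentials("authsecret", "client-42", 60)
    print(user, pwd)
    print(verify_turn_credentials("authsecret", user, pwd))
    print(credentials_collide("authsecret", 60, int(time.time()), "", ""))
```

The verifier rejects an expired timestamp rather than trusting the client, which is also why the thread's p:turnTtl matters: a client that cannot refresh its credentials before expiry is the one that gets dropped at the end of the channel lifetime.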


Re: New tutorials Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4

2020-05-16 Thread Konstantin Kuzov
I'm using use-auth-secret without user in coturn's configuration and with
empty p:turnUser in OM's applicationContext.xml.
I haven't tried to configure user auth through applicationContext.xml... I
only tried user auth by not touching applicationContext.xml at all and by
configuring it in KMS's WebRtcEndpoint.conf.ini. That way it worked but
most users had trouble prolonging their sessions on turn and so had
disconnects by channel-lifetime (by default 10 minutes).

Looking at
https://github.com/apache/openmeetings/blob/master/openmeetings-core/src/main/java/org/apache/openmeetings/core/remote/KurentoHandler.java#L335
if you want to try user auth you need to set p:TurnMode="",
p:TurnUser="username" and p:turnSecret="password"

Sat, 16 May 2020 at 20:39, Juan Antonio Moreno Carmona:

> Hi Konstantin
>
> Then, what mechanism do you use? user or use-auth-secret?
>
> And how do you fill the applicationContext.xml file? I tried to comment out
> use-auth-secret and static-auth-secret in the turnserver.conf file.
> Furthermore, I leave the p:turnSecret option empty in the applicationContext.xml
> file.
>
> But then I get the following error in catalina.out and I can't get
> camera/audio working
>
> ERROR 05-16 18:57:36.864 o.a.w.DefaultExceptionMapper:170
> [-apr-443-exec-6] - Unexpected error occurred
> java.lang.IllegalArgumentException: Empty key
>
> Regards.
> On 16/5/20 at 16:22, Konstantin Kuzov wrote:
>
> Hi there, I have a few suggestions about tutorials.
>
> 1) I don't really understand the purpose of setting both user and
> use-auth-secret in coturn. According to the documentation they are mutually
> exclusive:
> # Be aware that use-auth-secret overrides some parts of lt-cred-mech.
> # The use-auth-secret feature depends internally on lt-cred-mech, so if you set
> # this option then it automatically enables lt-cred-mech internally
> # as if you had enabled both.
> # Note that you can use only one auth mechanism at the same time! This is because,
> # both mechanisms conduct username and password validation in different ways.
> # Use either lt-cred-mech or use-auth-secret in the conf
> # to avoid any confusion.
>
> 2) Also for coturn I don't see the fingerprint option. Isn't it required
> for webrtc?
> 3) What's the point of installing to something obscure like /opt/open504
> and using open504 as the database name? IMHO it would just complicate the upgrade
> procedure for users later on.
> 4) Please use openmeetings.service on distributions which use systemd.
> 5) Users need to be aware that tomcat won't reload new certificates upon
> renewal and will keep using the old certificates until a full restart. So
> typically after 3 months clients will be greeted with an expired certificate in
> case of let's encrypt. If the user doesn't want to restart tomcat every now and
> then, terminating by that all currently active connections, the user needs to send
> it reloadSslHostConfig(host) or reloadSslHostConfigs() via jmx or
> manager. But it is not something simple like in the case of nginx, which only
> requires a SIGHUP signal to the process. And neither jmx nor manager is shipped
> with the OM distribution anyway. As one solution to the problem, on my test OM
> installation VM with let's encrypt I'm using acme-tiny instead of certbot
> (matter of preference) and this custom protocol
> https://github.com/CkNoSFeRaTU/tomcat-reloadprotocol which will
> automatically reload it for me every configured interval.
>
> Sat, 16 May 2020 at 13:22, Alvaro :
>
>> ...in the Russian mailing list, Konstantin gives an idea to help
>> solve the reconnection in the Turn server:
>>
>> "stale-nonce=0" (at /etc/turnserver.conf)
>>
>> ...I've added this parameter to the tutorials:
>>
>>
>> Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4 on
>> CentOS 7-8.pdf
>>
>> ...and
>>
>> Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4 on
>> Ubuntu 18.04.pdf
>>
>>
>> ...and reuploaded to:
>>
>>
>>
>> https://cwiki.apache.org/confluence/display/OPENMEETINGS/Tutorials+for+installing+OpenMeetings+and+Tools
>>
>>
>> There it is at your disposal.
>>
>>
>> Thanks to Maxim for commenting on it.
>>
>>
>> Regards
>>
>> Alvaro
>>
>>
>> 
>>
>> On Thu, 23-04-2020 at 18:18 +0200, Alvaro wrote:
>>
>>
>> Hello,
>>
>> Two new tutorials are at your disposal, called:
>>
>>
>> Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4 on
>> CentOS 7-8.pdf
>>
>> ...and
>>
>> Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4 on
>> Ubuntu 18.04.pdf
>>
>>
>> It is tested with an OpenMeetings 5.0.0-M4 server installed on a PC
>> at home, behind a NAT router; and everyone in the room saw and heard the
>> others' cameras and their own correctly.
>> Also in the tests done, we have uploaded files, recorded video
>> and shared the desktop without any error.
>>
>> You can find them here:
>>
>>
>>
>> https://cwiki.apache.org/confluence/display/OPENMEETINGS/Tutorials+for+installing+OpenMeetings+and+Tools
>>
>>
>> Best regards
>>
>> Alvaro
>>
>> .
>>
>>


Re: New tutorials Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4

2020-05-16 Thread Konstantin Kuzov
Also it is better to use a domain name in p:turnUrl if the user has one, and
the port number can be omitted if it is the default 3478.

Sat, 16 May 2020 at 17:22, Konstantin Kuzov :

> Hi there, I have a few suggestions about the tutorials.
>
> 1) I don't really understand the purpose of setting both user and
> use-auth-secret in coturn. According to the documentation they are
> mutually exclusive:
> # Be aware that use-auth-secret overrides some parts of lt-cred-mech.
> # The use-auth-secret feature depends internally on lt-cred-mech, so if you set
> # this option then it automatically enables lt-cred-mech internally
> # as if you had enabled both.
> # Note that you can use only one auth mechanism at the same time! This is because,
> # both mechanisms conduct username and password validation in different ways.
> # Use either lt-cred-mech or use-auth-secret in the conf
> # to avoid any confusion.
>
> 2) Also for coturn I don't see the fingerprint option. Isn't it required
> for WebRTC?
> 3) What's the point of installing to something obscure like /opt/open504
> and using open504 as the database name? IMHO it would just complicate the
> upgrade procedure for users later on.
> 4) Please use openmeetings.service on distributions which use systemd.
> 5) Users need to be aware that Tomcat won't reload new certificates upon
> renewal and will keep using the old certificates until a full restart. So
> typically after 3 months clients will be greeted with an expired certificate
> in the case of Let's Encrypt. If the user doesn't want to restart Tomcat every
> now and then, terminating all currently active connections by doing so, they
> need to send it reloadSslHostConfig(host) or reloadSslHostConfigs() via JMX
> or the manager. But it is not something simple like in the case of nginx,
> which only requires a SIGHUP signal to the process. And neither JMX nor the
> manager is shipped with the OM distribution anyway. As one solution to the
> problem, on my test OM installation VM with Let's Encrypt I'm using acme-tiny
> instead of certbot (a matter of preference) and this custom protocol
> https://github.com/CkNoSFeRaTU/tomcat-reloadprotocol which will
> automatically reload it for me every configured interval.
>
>>
>>


Re: New Features: "very fast conference" and more

2020-05-16 Thread Konstantin Kuzov
The only thing Jitsi does regarding ports in the default configuration is
using nginx's ALPN map feature (
http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html) to hide
the default stun/turn ports behind the nginx https port. But be aware that this
feature can break secure websockets for some browsers like Chrome.

Sat, 16 May 2020 at 17:36, Maxim Solodovnik :

> This service uses Jitsi
> I'm still not sure if it is possible to configure WebRTC to use fewer ports
> AFAIK it is impossible
>
>
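As an added illustration of the nginx ssl_preread routing described above (this is example configuration written for this page, not Jitsi's or OpenMeetings' own), the stream block below routes TLS connections arriving on 443 by the SNI name in the ClientHello, so the TURN hostname reaches coturn's TLS listener while everything else reaches Tomcat. The hostnames turn.example.org and om.example.org and the backend ports 5349 (coturn TLS) and 5443 (Tomcat HTTPS) are assumptions. The map is keyed on SNI rather than ALPN because, as this thread notes, browsers do not send a TURN ALPN and Chromium sends no ALPN for WebSockets, so an ALPN-keyed map cannot tell those connections apart and ends up breaking the secure WebSocket.

```nginx
# Added example: nginx stream context using ngx_stream_ssl_preread_module.
# Assumed backends: coturn TLS on 127.0.0.1:5349, Tomcat HTTPS on 127.0.0.1:5443.
stream {
    # Key on SNI, not on $ssl_preread_alpn_protocols: browsers send no ALPN for
    # TURN and Chromium sends none for WebSockets, so ALPN cannot separate them.
    map $ssl_preread_server_name $backend {
        turn.example.org  turn_tls;   # assumed TURN hostname used in the OM turns: URL
        om.example.org    om_https;   # assumed OpenMeetings hostname
        default           om_https;   # absent or unknown SNI still reaches the web app
    }

    upstream turn_tls { server 127.0.0.1:5349; }
    upstream om_https { server 127.0.0.1:5443; }

    server {
        listen 443;
        ssl_preread on;      # peek at the ClientHello without terminating TLS
        proxy_pass $backend; # forward the raw TLS stream, certificates stay on the backends
    }
}
```

With this in place no http server block may listen on 443 itself, since the stream server owns the port; the TLS certificates for both names are served by coturn and Tomcat respectively, which is what makes the TURN-over-443 traffic indistinguishable from ordinary HTTPS to an inspecting proxy.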


Re: New tutorials Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4

2020-05-16 Thread Konstantin Kuzov
Hi there, I have a few suggestions about the tutorials.

1) I don't really understand the purpose of setting both user and
use-auth-secret in coturn. According to the documentation they are
mutually exclusive:
# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
# this option then it automatically enables lt-cred-mech internally
# as if you had enabled both.
# Note that you can use only one auth mechanism at the same time! This is because,
# both mechanisms conduct username and password validation in different ways.
# Use either lt-cred-mech or use-auth-secret in the conf
# to avoid any confusion.

2) Also for coturn I don't see the fingerprint option. Isn't it required
for WebRTC?
3) What's the point of installing to something obscure like /opt/open504 and
using open504 as the database name? IMHO it would just complicate the upgrade
procedure for users later on.
4) Please use openmeetings.service on distributions which use systemd.
5) Users need to be aware that Tomcat won't reload new certificates upon
renewal and will keep using the old certificates until a full restart. So
typically after 3 months clients will be greeted with an expired certificate in
the case of Let's Encrypt. If the user doesn't want to restart Tomcat every now
and then, terminating all currently active connections by doing so, they need
to send it reloadSslHostConfig(host) or reloadSslHostConfigs() via JMX or the
manager. But it is not something simple like in the case of nginx, which only
requires a SIGHUP signal to the process. And neither JMX nor the manager is
shipped with the OM distribution anyway. As one solution to the problem, on my
test OM installation VM with Let's Encrypt I'm using acme-tiny instead of
certbot (a matter of preference) and this custom protocol
https://github.com/CkNoSFeRaTU/tomcat-reloadprotocol which will
automatically reload it for me every configured interval.

Sat, 16 May 2020 at 13:22, Alvaro :

> ...in the Russian mailing list, Konstantin gives an idea to help
> solve the reconnection in the Turn server:
>
> "stale-nonce=0" (at /etc/turnserver.conf)
>
> ...I've added this parameter to the tutorials:
>
>
> Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4 on
> CentOS 7-8.pdf
>
> ...and
>
> Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4 on
> Ubuntu 18.04.pdf
>
>
> ...and reuploaded to:
>
>
>
> https://cwiki.apache.org/confluence/display/OPENMEETINGS/Tutorials+for+installing+OpenMeetings+and+Tools
>
>
> There it is at your disposal.
>
>
> Thanks to Maxim for commenting on it.
>
>
> Regards
>
> Alvaro
>
>
> 
>
> On Thu, 23-04-2020 at 18:18 +0200, Alvaro wrote:
>
>
> Hello,
>
> Two new tutorials are at your disposal, called:
>
>
> Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4 on
> CentOS 7-8.pdf
>
> ...and
>
> Installation SSL certificates and Coturn for OpenMeetings 5.0.0-M4 on
> Ubuntu 18.04.pdf
>
>
> It is tested with an OpenMeetings 5.0.0-M4 server installed on a PC
> at home, behind a NAT router; and everyone in the room saw and heard the
> others' cameras and their own correctly.
> Also in the tests done, we have uploaded files, recorded video
> and shared the desktop without any error.
>
> You can find them here:
>
>
>
> https://cwiki.apache.org/confluence/display/OPENMEETINGS/Tutorials+for+installing+OpenMeetings+and+Tools
>
>
> Best regards
>
> Alvaro
>
> .
>
>
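The coturn comment quoted above says that use-auth-secret and lt-cred-mech cannot be combined, and the "Empty key" error earlier in this thread appears when p:turnSecret is left blank. The following is an added example, not OpenMeetings' KurentoHandler nor coturn code, showing what use-auth-secret means on the wire: the TURN REST API scheme, in which the web application hands the browser a username of the form `<expiry>:<user>` and a password that is the base64 HMAC-SHA1 of that username under the shared secret, and coturn recomputes the HMAC from its static-auth-secret. A fixed user/password pair (lt-cred-mech) plays no part in that computation, which is why only one mechanism can be active at a time. Function names are assumptions; the secret, user and timestamps in the usage are constructed.

```python
"""TURN REST API ephemeral credentials, the scheme behind coturn's
use-auth-secret / static-auth-secret. Added example for this thread; not
OpenMeetings' or coturn's code. Function names are assumptions."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple


def make_turn_rest_credentials(secret: str, user: str, ttl: int = 86400,
                               now: Optional[int] = None) -> Tuple[str, str]:
    """Issuer side (what the web app does with p:turnSecret): the username is
    "<unix-expiry>:<user>" and the password is base64(HMAC-SHA1(secret, username))."""
    if not secret:
        # An empty shared secret cannot key the HMAC; OM surfaces exactly this
        # as java.lang.IllegalArgumentException: Empty key (see the thread above).
        raise ValueError("Empty key: turnSecret must equal coturn's static-auth-secret")
    current = int(time.time()) if now is None else now
    username = f"{current + ttl}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_rest_credentials(secret: str, username: str, password: str,
                                 now: Optional[int] = None) -> bool:
    """Server side with use-auth-secret: the secret is the only stored credential.
    Any username is accepted if it has not expired and its HMAC matches, so a
    static user= entry contributes nothing here; that is why coturn documents
    the two mechanisms as mutually exclusive."""
    expiry_str, sep, _user = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False  # not in the <expiry>:<user> form this mechanism expects
    current = int(time.time()) if now is None else now
    if int(expiry_str) <= current:
        return False  # expired: the client has to fetch a fresh credential
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()).decode()
    return hmac.compare_digest(expected, password)  # constant-time comparison


if __name__ == "__main__":
    # Constructed values: a 10 minute credential issued at t=1000 for user "alice".
    user, pw = make_turn_rest_credentials("changeme", "alice", ttl=600, now=1000)
    print(user, pw)
    print(verify_turn_rest_credentials("changeme", user, pw, now=1500))  # valid
    print(verify_turn_rest_credentials("changeme", user, pw, now=1700))  # expired
```

The expiry in the username is what bounds the damage if a credential leaks out of a page: it is only usable until that timestamp, whereas a long-term user= entry in turnserver.conf stays valid until someone edits the file. Note that coturn's own nonce timer (stale-nonce) is a separate mechanism layered on top of whichever credential check is active.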


Re: ReferenceError: RTCPeerConnection is not defined

2020-05-15 Thread Konstantin Kuzov
Maybe some extension is turning it off? Try disabling all extensions, turn it
back on and see if that fixes it for you...
Or maybe you are using not the official Firefox but some fork like Tor Browser
where they disable it due to privacy concerns?

Fri, 15 May 2020 at 18:16, Osvaldo OBA. Benítez Aliaga <osval198...@gmail.com>:

>
> I checked the settings in about:config and it is disabled (false). I
> enabled it and it works perfectly, but when I close the browser and reopen it,
> it is disabled.
> How can I set it to be enabled by default?
> On 15/5/2020 at 11:07, Maxim Solodovnik wrote:
>
> Works for me as well
>
> @Osvaldo, can you check `about:config` ?
>
> On Fri, 15 May 2020 at 21:17, Konstantin Kuzov 
> wrote:
>
>> Firefox 76.0.1 (64-bit) is working fine for me.
>> This error can be seen only if media.peerconnection.enabled is set to
>> false in about:config for whatever reason...
>>
>> Fri, 15 May 2020 at 16:51, Osvaldo OBA. Benítez Aliaga <osval198...@gmail.com>:
>>
>>> Returns ReferenceError: RTCPeerConnection is not defined
>>> On 15/5/2020 at 09:28, Maxim Solodovnik wrote:
>>>
>>> This is weird,
>>>
>>> Can you open browser console type `RTCPeerConnection` and press Run
>>> What would be result?
>>>
>>> On Fri, 15 May 2020 at 19:46, Osvaldo OBA. Benítez Aliaga <
>>> osval198...@gmail.com> wrote:
>>>
>>>> Hello. I am using version 76.0.1 (64-bit) and OM version 5.0.0-M4
>>>> On 14/5/2020 at 22:41, Maxim Solodovnik wrote:
>>>>
>>>> Hello Osvaldo,
>>>>
>>>> it seems your FF is outdated, could you update it to the latest version?
>>>>
>>>> BTW what version of OM are you using?
>>>>
>>>> On Fri, 15 May 2020 at 00:12, Osvaldo OBA. Benítez Aliaga <
>>>> osval198...@gmail.com> wrote:
>>>>
>>>>> Hello friends, I have the following error when I access through
>>>>> Firefox:
>>>>> ReferenceError: RTCPeerConnection is not defined
>>>>>
>>>>> However when I do it for Google Chrome it works perfectly.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>
>>>>
>>>> --
>>>> Best regards,
>>>> Maxim
>>>>
>>>>
>>>
>>> --
>>> Best regards,
>>> Maxim
>>>
>>>
>
> --
> Best regards,
> Maxim
>
>


Re: ReferenceError: RTCPeerConnection is not defined

2020-05-15 Thread Konstantin Kuzov
Firefox 76.0.1 (64-bit) is working fine for me.
This error can be seen only if media.peerconnection.enabled is set to false
in about:config for whatever reason...

Fri, 15 May 2020 at 16:51, Osvaldo OBA. Benítez Aliaga <osval198...@gmail.com>:

> Returns ReferenceError: RTCPeerConnection is not defined
> On 15/5/2020 at 09:28, Maxim Solodovnik wrote:
>
> This is weird,
>
> Can you open browser console type `RTCPeerConnection` and press Run
> What would be result?
>
> On Fri, 15 May 2020 at 19:46, Osvaldo OBA. Benítez Aliaga <
> osval198...@gmail.com> wrote:
>
>> Hello. I am using version 76.0.1 (64-bit) and OM version 5.0.0-M4
>> On 14/5/2020 at 22:41, Maxim Solodovnik wrote:
>>
>> Hello Osvaldo,
>>
>> it seems your FF is outdated, could you update it to the latest version?
>>
>> BTW what version of OM are you using?
>>
>> On Fri, 15 May 2020 at 00:12, Osvaldo OBA. Benítez Aliaga <
>> osval198...@gmail.com> wrote:
>>
>>> Hello friends, I have the following error when I access through Firefox:
>>> ReferenceError: RTCPeerConnection is not defined
>>>
>>> However when I do it for Google Chrome it works perfectly.
>>>
>>> Any ideas?
>>>
>>
>>
>> --
>> Best regards,
>> Maxim
>>
>>
>
> --
> Best regards,
> Maxim
>
>


Re: Error mediaserver not aviable

2020-05-15 Thread Konstantin Kuzov
Yes, the problem there is that as soon as a config file is used in any form,
stale-nonce is enabled by default at 600 seconds; the comment is rather
muddled and personally leaves me with the impression that by default
the nonce is nevertheless permanent:
# Uncomment if extra security is desired,
# with nonce value having limited lifetime.
# By default, the nonce value is unique for a session,
# and has unlimited lifetime.
# Set this option to limit the nonce lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself.

But in practice it is peculiar; let's check the behaviour with this hack:
diff -urN a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
--- a/src/apps/relay/mainrelay.c2019-03-03 00:06:19.0 +0300
+++ b/src/apps/relay/mainrelay.c2020-05-15 16:02:43.371533695 +0300
@@ -1282,6 +1282,7 @@
break;
case STALE_NONCE_OPT:
turn_params.stale_nonce = get_int_value(value,
STUN_DEFAULT_NONCE_EXPIRATION_TIME);
+   printf("DEBUG 1: %d\n", turn_params.stale_nonce);
break;
case MAX_ALLOCATE_LIFETIME_OPT:
turn_params.max_allocate_lifetime = get_int_value(value,
STUN_DEFAULT_MAX_ALLOCATE_LIFETIME);
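Review bot: the printf placed after get_int_value in the STALE_NONCE_OPT case only fires when the option is actually parsed from the config file or the command line, which is why "DEBUG 1" never appears in the empty-config run shown below; to see where the 600 comes from in that case, the trace would have to sit at whatever assigns the default when a config file is read, not in this case label. Writing to stdout also bypasses coturn's own logger, which is fine for a throwaway trace but not for anything that is kept.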
diff -urN a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
--- a/src/apps/relay/netengine.c2019-03-03 00:06:19.0 +0300
+++ b/src/apps/relay/netengine.c2020-05-15 16:02:57.564643335 +0300
@@ -1637,6 +1637,8 @@
bufferevent_setcb(rs->auth_in_buf, relay_receive_auth_message,
NULL, NULL, rs);
bufferevent_enable(rs->auth_in_buf, EV_READ);

+   printf("DEBUG 2: %d\n", turn_params.stale_nonce);
+   exit(0);
init_turn_server(&(rs->server),
 rs->id, turn_params.verbose,
 rs->ioa_eng, turn_params.ct, 0,
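Review bot: the exit(0) right after the "DEBUG 2" printf aborts start-up before init_turn_server(), so the process never serves a single request and only the first relay server's view of turn_params.stale_nonce is printed; that is the intent of the trace, but it means this patch must never reach a deployed build. Wrapping both printf calls and the exit in a compile-time guard (or removing the exit and letting the server continue) would keep the hack from being compiled in by accident.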

testing without a config:
[root@om b]# ./bin/turnserver 2>&1 | grep DEBUG
DEBUG 1: 0
DEBUG 2: 0

testing with a completely empty config:
[root@om b]# ./bin/turnserver -c turnserver.conf 2>&1 | grep DEBUG
DEBUG 2: 600

testing the override via a parameter:
[root@om b]# ./bin/turnserver -c turnserver.conf --stale-nonce=0 2>&1 | grep DEBUG
DEBUG 1: 0
DEBUG 2: 0

And here is an example of people who got bitten by it:
https://medium.com/confrere/gone-in-1100-seconds-hunting-bugs-on-the-edge-of-webrtc-132a186c45dd

Translation:
https://habr.com/ru/company/Voximplant/blog/352730/

Fri, 15 May 2020 at 16:20, Maxim Solodovnik :

> I take it what is meant is this
>
> https://github.com/coturn/coturn/blob/master/src/server/ns_turn_server.c#L3322
> code
>
> On Fri, 15 May 2020 at 19:53, Maxim Solodovnik 
> wrote:
>
> > the config /etc/turnserver.cfg
> >
> > On Fri, 15 May 2020 at 19:45, green_gen...@mail.ru.INVALID
> >  wrote:
> >
> >> Maxim Solodovnik writes:
> >> > On Fri, 15 May 2020 at 16:58, Konstantin Kuzov <
> >> master.nosfer...@gmail.com>
> >> > wrote:
> >> >
> >> >
> >> >> Yes, the documentation leaves something to be desired in places,
> >> >>
> >> >
> >> >
> >> > everyone is keen to pick on the little guy ...
> >> > if you see something that can be improved - PRs are welcome :)
> >> >
> >> >
> >> >
> >> >> but it seems the situation is
> >> >> gradually improving; besides, 5.0.0 has not been released yet, and none
> >> >> of these dances apply to the stable 4.x version with Flash and red5.
> >> >> When I installed OM for the first time a month and a half ago I myself
> >> >> stepped on every possible rake ^_^
> >> >> For example, the tutorials of that time did not say a word about TURN
> >> >> being needed at all. Not to mention that it has to be configured in
> >> >> webapps/openmeetings/WEB-INF/classes/applicationContext.xml, which I
> >> >> only read much later in the mailing list archive... And initially I set
> >> >> it up not in static key mode (static-auth-secret) but via a user
> >> >> account (user), and edited WebRtcEndpoint.conf.ini by passing the
> >> >> variables KMS_EXTERNAL_ADDRESS, KMS_STUN_IP, KMS_STUN_PORT and
> >> >> KMS_TURN_URL. And it even worked, but there were problems with session
> >> >> renewal and most users dropped off every 10 minutes due to
> >> >> channel-lifetime. And given that M3 could not reconnect at all and
> >> >> simply switched off the camera and microphone on any error, that was
> >> >> quite the fun.
> >> >> By the way, even after I set everything up according to the rec
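The stale-nonce experiment above, the remarks earlier in this thread about mixing user with use-auth-secret and about the missing fingerprint option, and the min-port/max-port note in a later message all come down to reading turnserver.conf correctly. As an added example (not coturn's or OpenMeetings' code), here is a small linter that parses coturn's option syntax and reports those pitfalls. The stale-nonce rule encodes the behaviour observed above (no config file: 0; any config file: 600 unless the option is set; a command-line --stale-nonce wins over the file), and SAMPLE_CONF is a constructed config resembling the tutorial setup the thread criticises, with placeholder realm and secrets.

```python
"""Lint a coturn turnserver.conf for the pitfalls discussed in this thread.
Added example, not coturn's or OpenMeetings' own code. The stale-nonce rules
follow what the post above observed: no config file -> 0, any config file ->
600 unless stale-nonce is set, and the command line overrides the file."""
from typing import Dict, List, Optional, Sequence

STUN_DEFAULT_NONCE_EXPIRATION_TIME = 600  # coturn's compiled-in default, seen in the diff above
RFC5766_RELAY_RANGE = (49152, 65535)      # coturn's default min-port/max-port

# Constructed sample resembling the tutorial config criticised in the thread:
# a static user AND use-auth-secret, no fingerprint, no stale-nonce.
SAMPLE_CONF = """\
listening-port=3478
realm=om.example.org           # placeholder realm
user=openmeetings:secretpass   # long-term credential (lt-cred-mech)
use-auth-secret
static-auth-secret=changeme    # placeholder shared secret, goes into p:turnSecret
no-multicast-peers
"""


def parse_turnserver_conf(text: str) -> Dict[str, Optional[str]]:
    """coturn's config syntax: one option per line, either 'key' or 'key=value';
    '#' starts a comment. Returns {option: value or None for bare flags}.
    Repeated options (several user= lines) keep the last value only."""
    conf: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        conf[key.strip()] = value.strip() if sep else None
    return conf


def effective_stale_nonce(conf: Optional[Dict[str, Optional[str]]],
                          argv: Sequence[str] = ()) -> int:
    """Nonce lifetime in seconds that coturn will actually use. conf=None means
    the server was started without -c. 'stale-nonce' with no value means the
    600 s default, as the config comment says."""
    for arg in argv:  # command line overrides whatever the file says
        if arg == "--stale-nonce":
            return STUN_DEFAULT_NONCE_EXPIRATION_TIME
        if arg.startswith("--stale-nonce="):
            return int(arg.split("=", 1)[1])
    if conf is None:
        return 0  # observed: no config file at all -> nonce never expires
    if "stale-nonce" in conf:
        value = conf["stale-nonce"]
        return STUN_DEFAULT_NONCE_EXPIRATION_TIME if value is None else int(value)
    return STUN_DEFAULT_NONCE_EXPIRATION_TIME  # observed: any config file -> 600


def lint_turnserver_conf(conf: Dict[str, Optional[str]],
                         argv: Sequence[str] = ()) -> List[str]:
    """Return human-readable findings; the last entry is always the relay port range."""
    findings: List[str] = []
    if "use-auth-secret" in conf and ("user" in conf or "lt-cred-mech" in conf):
        findings.append("only one auth mechanism is used at a time: "
                        "drop user/lt-cred-mech or use-auth-secret")
    if "use-auth-secret" in conf and not conf.get("static-auth-secret"):
        findings.append("use-auth-secret without static-auth-secret: "
                        "nothing for OM's p:turnSecret to match")
    if "fingerprint" not in conf:
        findings.append("fingerprint is not enabled (the thread asks whether WebRTC needs it)")
    nonce = effective_stale_nonce(conf, argv)
    if nonce:
        findings.append(f"stale-nonce is effectively {nonce}s: clients get 438 and must "
                        "re-authenticate; stale-nonce=0 disables it")
    lo = int(conf.get("min-port") or RFC5766_RELAY_RANGE[0])
    hi = int(conf.get("max-port") or RFC5766_RELAY_RANGE[1])
    if lo > hi:
        findings.append(f"min-port {lo} is above max-port {hi}")
    findings.append(f"relay UDP port range to open on the firewall: {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in lint_turnserver_conf(parse_turnserver_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run it against a real /etc/turnserver.conf by reading the file into parse_turnserver_conf and passing the daemon's command line as argv; the point of the argv parameter is that a systemd unit or init script passing --stale-nonce changes the effective value without any trace in the file.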

Re: Error mediaserver not aviable

2020-05-15 Thread Konstantin Kuzov
Yes, the documentation leaves something to be desired in places, but it seems
the situation is gradually improving; besides, 5.0.0 has not been released yet,
and none of these dances apply to the stable 4.x version with Flash and red5.
When I installed OM for the first time a month and a half ago I myself stepped
on every possible rake ^_^
For example, the tutorials of that time did not say a word about TURN being
needed at all. Not to mention that it has to be configured in
webapps/openmeetings/WEB-INF/classes/applicationContext.xml, which I only read
much later in the mailing list archive... And initially I set it up not in
static key mode (static-auth-secret) but via a user account (user), and edited
WebRtcEndpoint.conf.ini by passing the variables KMS_EXTERNAL_ADDRESS,
KMS_STUN_IP, KMS_STUN_PORT and KMS_TURN_URL. And it even worked, but there were
problems with session renewal and most users dropped off every 10 minutes due
to channel-lifetime. And given that M3 could not reconnect at all and simply
switched off the camera and microphone on any error, that was quite the fun.
By the way, even after I set everything up according to the recommended scheme,
some users still occasionally had 10-minute dropouts, but now due to the nonce,
which is enabled by default at 600 seconds despite the comment in the config
saying the opposite. After digging a little through the coturn sources I found
that it can be disabled via stale-nonce=0. After that the spurious dropouts
stopped for good.

Thu, 14 May 2020 at 11:37, Eugene :

> Thanks for the information! It is a pity that the tutorial does not explain
> these details; it would have saved users a lot of time.
>
>


Re: Error mediaserver not aviable

2020-05-12 Thread Konstantin Kuzov
As I wrote earlier, WebRtcEndpoint.conf.ini must NOT be touched; it has to be
left as it was by default, i.e. with everything commented out.
The data folder is shared for the on-demand recording feature: KMS writes the
stream to a file, and when the recording finishes OM converts it via ffmpeg and
adds it to the files panel if needed.
Therefore KMS and OM need to share a common path where the files are put, and
both need to run as the same user. Otherwise there can be various problems:
from being unable to record at all to problems with conversion and deletion of
old intermediate files. Unfortunately the KMS docker image cannot be fully
started by standard means under an unprivileged user; only a month ago they
added a workaround for starting KMS itself under a specific UID via the
KMS_UID variable passed when creating the docker container. That is exactly why
my script uses kurento/kurento-media-server-dev, because at the time of writing
this functionality was not in kurento/kurento-media-server:latest...

Tue, 12 May 2020 at 23:34, Eugene :

> Thanks! It seems the full picture has now come together.
>
> I set up coturn following the instructions here
> https://docs.bigbluebutton.org/2.2/setup-turn-server.html
>
> then in applicationContext.xml I changed p:turnUrl="myserver:port" and into
> p:turnSecret="" I put the value of the static-auth-secret variable from the
> coturn config
>
> Do the stunServerAddress and turnURL variables need to be set in the KMS
> settings in the WebRtcEndpoint.conf.ini file?
>
> And a last question (I hope). Why is the webapps/openmeetings/data
> directory shared into the Docker container? If Kurento-Media-Server needs it,
> how does it "guess" that the required data is precisely in
> webapps/openmeetings/data?
>
> Good night,
> Eugene
>
>


Re: Error mediaserver not aviable

2020-05-11 Thread Konstantin Kuzov
If TURN is configured, clients connect to KMS through it rather than directly
to port . Accordingly it makes no difference which IP it sits on; what matters
is that clients can reach the TURN server. STUN and TURN can live on the same
port, e.g. the default 3478, and it is better not to put them on different
ports, to keep the configuration simple. The range of UDP ports for TURN that
must be opened is specified in the coturn config in min-port/max-port. By
default, per rfc5766, it is 49152-65535. You can try taking
turnserver-no-tls.conf as a basis, filling in your own IPs, domain and
passwords. At the same time do not forget to set p:turnUrl and p:turnSecret for
OM in webapps/openmeetings/WEB-INF/classes/applicationContext.xml.

A working KMS docker launch line can be seen in reinstall-kms-docker.sh. The
main thing here is not to try to change WebRtcEndpoint.conf.ini by slipping in
variables like KMS_EXTERNAL_ADDRESS; it must stay empty.
As for "--network host", it makes docker use the same namespace as the host
instead of the default bridge mode with a separate namespace (usually with
172.17.x.x addresses). I.e. it disables isolation and uses the host's network
stack directly: applications started there will use the network and bind to
any host ports as if they were running directly on the host rather than in a
container. You can read more in the docker documentation.
But docker with KMS in bridge mode with "-p :", as the tutorials recommend, is
also a fully working configuration.

Mon, 11 May 2020 at 19:20, Eugene :

> Thank you for the reply!
>
> I think it necessary to give a detailed description of the network and system configuration.
>
> $ cat /etc/os-release
>
> PRETTY_NAME="CentOS Linux 8 (Core)"
>
> The internal network is organised so that it is in the 192.168.104.1/24
> segment. The server has several network cards installed. One of them gets an
> IP from the 10.0.0.1/16 segment from the provider via dhcp, and all the
> others are "bundled" into the bridge br0, which is assigned the IP
> 192.168.104.14. Internet access goes through a vpn tunnel with the interface
> name ppp0. For the "home" network to reach the outside world the following
> routing rules are set:
>
> $IPTABLES -t nat -A POSTROUTING -o enp6s0f1 -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
>
> where enp6s0f1 is the network interface with the address from the 10.0.0.1/16
> segment (the one the provider hands out via dhcp).
>
> For the duration of the OpenMeetings setup the firewall is simplified as much
> as possible. After starting Kurento-Media-Server (KMS) via docker start kms
> (as per the instructions), the output of iptables -L is:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
> ACCEPT all  --  anywhere anywhere
> ACCEPT all  --  anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
> TCPMSS tcp  --  anywhere anywhere tcp
> flags:SYN,RST/SYN TCPMSS clamp to PMTU
> ACCEPT all  --  anywhere anywhere
> ACCEPT all  --  anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination
>
> Chain DOCKER (0 references)
> target prot opt source   destination
> ACCEPT tcp  --  anywhere 172.17.0.2   tcp
> dpt:ddi-tcp-1
>
> The KMS server is running and reachable from the internal network.
>
> $ netstat -lntp | grep 
> tcp6   0  0 ::: :::*LISTEN
> 10707/docker-proxy
>
> $ netstat -lnutp | grep 3478
> tcp0  0 внешний_ip:3478  0.0.0.0:* LISTEN 4724/turnserver
> tcp0  0 192.168.104.14:3478 0.0.0.0:*   LISTEN
> 4724/turnserver
> tcp0  0 10.0.0.50:3478  0.0.0.0:* LISTEN 4724/turnserver
> tcp0  0 127.0.0.1:3478 0.0.0.0:*   LISTEN
> 4724/turnserver
> tcp6   0  0 ::1:3478 :::*LISTEN
> 4724/turnserver
>
> + several copies but for udp ports
>
> $  netstat -lntup | grep 
> tcp6   0  0 ::: :::*LISTEN
> 10707/docker-proxy
>
> $ netstat -lntup | grep 5349
>
> Roughly the same as with port 3478
>
> STUN check at
> https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
>
>   Done both for STUN on port 3478 and for TURN on port 5349
>
> I think it is something with the docker container's interface settings. KMS
> version 7.0, which is not tied to the gstreamer 1.5 fork, has now appeared in
> the development git branch, and I seem to have managed to build it on CentOS 8
> (relatively painlessly), but it refuses to work even with the hello-world test.
>
> I also noticed that when a client from the "outside" world tries to connect
> to the media server it addresses 172.17.0.2, which is the docker container's
> address, and while a connection from the "home" network reaches its
> destination, from the outside world such packets are simply lost. I suspect
> that if address substitution is done on the client,