I make this manual to help others newbies… please give me feedback about, I already test it and is 100% functional. (just have some doubts about recording)…
OpenVidu Deploy on Plesk or Dedicated Server
After understanding on how it works I decided to do a manual to help others to do his own implementations with no official support, and of course outside the official docs. I have been reading some issues on discussion groups, and find that most of the issues is a misunderstanding of how the OpenVidu server works and intercommunicate with the other services into the dockers.
This tutorial is to be used at your own risk, I don’t give support about and of course official developers won´t
I have a dedicated server with Plesk installed in it, so, I have already Nginx in front of all my websites and ports was busy by other services, so the official deployment procedure is not a viable way to do it, of course in several dedicated servers or hosting you have a lot of different configurations and I suppose that you are familiar with this, and with the technology.
You must have a little knowledge about dockers, networking, WebRTC, etc.
Components
First of all understand the technology you are gone to install:
- Nginx: I suppose you already have it with your pages and your hosting, if not, you can install as you want, this helps to gets the SSL certificate.
- Openvidu: This is the Orchestrator, you can think on it as a front middleware, interacts between you and the Kurento Media Server, to make things easier.
- Coturn: is a STUN/TURN server that helps our clients to connect and send and receive video from complicated connections behind nats or firewalls. (It relays your media, and helps to reach it others)
- Kurento Media Server: Is the back middleware, interacts establishing media connections between clients.
- Redis: Is used to share a dynamic user database between Openvidu and Coturn, increment security.
- OpenVidu-Recording: Is a docker that just make the recording and the composition of the video.
+--------+
|OpenVidu+------------------------------+
+------------>+4443/TCP+-------------------+ |
| +--------+ | |
| | |
| +--------------------+ | |
| |Kurento Media Server| +--v--------+ |
| +------->+40000-49151/UDP&TCP +--->+Recording | |
| | |INTERNAL 8888/TCP | |Docker.sock| |
+-+----+-+ +--------------------+ +-----------+ |
|Internet| |
+-+----+-+ +--------------+ |
| | |Nginx | +-----+--+
| +------->+80/TCP 443/TCP| |Redis |
| +--------------+ |6379/TCP|
| +-----+--+
| +-------------------+ |
+------------>+Coturn STUN/TURN +-------------------+
|3478/TCP&UDP |
|49152+65535/UDP&TCP|
+-------------------+
- Nginx, automates the process for SSL with Letsencrypt
- OpenVidu creates a temporary user for coturn on connection
- OpenVidu ask KMS to connect media (Internal 8888)
- Client connect to coturn and make auth with redis.
- Client establish a connection with KMS demanded by OpenVidu
- OpenVidu sends coturn parameters to KMS on every connection
- KMS, Redis and Recording just need to be reached locally
Deployments Steps
Redis
Second component is Redis, you must install a Redis server will be best under docker, there are so much info so I don’t will help in this point, just I have some notes.
- Must be on default port 6378
- Must have password for security
Coturn
Lets go fun!, I will put all commands here with comments inside to help you understand what I’m doing.
mkdir -p /opt/openvidu/coturn #create a directory for turnserver.conf file
nano /opt/openvidu/coturn/turnserver.conf
**PASTE THIS CONFIG IN TURNSERVER.CONF**
min-port=49152 # AS RFC COMPLIANT
max-port=65535 # AS RFC COMPLIANT
external-ip=<PublicIP> # YOUR PUBLIC IP
listening-ip=<SelectedIP> # IF YOU HAVE MULTIPLES IP SELECT ONE (COULD BE PUBLIC OR PRIVATE)
relay-ip=<MaybePublicIP> # YOUR PRIVATE IP IF BEHIND A NAT IF NOT USE THE PUBLIC IP
listening-port=3478
realm=openvidu # THIS CAN NOT BE CHANGED IS HARDCODED INTO OPENVIDU-SERVER
lt-cred-mech
fingerprint
redis-userdb="ip=127.0.0.1 dbname=0 password=<YourRedisPwd> connect_timeout=30" #TO CHANGE AUTH INFO WITH OPENVIDU
no-multicast-peers
no-cli
no-tlsv1
no-tlsv1_1
cert=/etc/ssl/turn_server_cert.pem #JUST WRITE THIS
pkey=/etc/ssl/turn_server_pkey.pem #JUST WRITE THIS
verbose
Lets create the Coturn Docker with my best and recommended image:
docker run -d --network=host \
-v /usr/local/psa/var/modules/letsencrypt/etc/live/<YourDomain>/cert.pem:/etc/ssl/turn_server_cert.pem \
-v /usr/local/psa/var/modules/letsencrypt/etc/live/<YourDomain>/privkey.pem:/etc/ssl/turn_server_pkey.pem \
-v /opt/openvidu/coturn/turnserver.conf:/etc/coturn/turnserver.conf \
--restart=always \
--name coturn instrumentisto/coturn:latest
If you need a fixed user credential for dev and testing I recommend to you to use this command to add the user and password:
docker exec -it <dockername> sh -c "turnadmin -a -u <user> -p <secret> -r openvidu --redis-userdb 'ip=127.0.0.1 dbname=0 password=<YourRedisPwd> connect_timeout=30'"
You can test all was ok with the following commands:
netstat -tupln | grep -e 3478 #Check the port of coturn
docker exec -it coturn sh -c "turnadmin -l --redis-userdb 'ip=127.0.0.1 dbname=0 password=<YourRedisPwd> connect_timeout=30'" #Check users inside Redis for Coturn
Kurento
Lets go install KMS
mkdir -p /opt/openvidu/kms-crashes
mkdir -p /opt/openvidu/recordings #Directory for keep the recordings in host
docker run -d --network=host \
--volume /opt/openvidu/kms-crashes:/opt/openvidu/kms-crashes \
--volume /opt/openvidu/recordings:/opt/openvidu/recordings \
-e KMS_STUN_IP=<CoturnIP> \ # Coturn Public IP Address
-e KMS_STUN_PORT=<Port> \ # Coturn Port
-e KMS_TURN_URL=<user>:<sectet>@<CoturnIp>:<Port> \ # This is just for test and must first create user in Redis
-e KMS_EXTERNAL_IPV4=<PublicIP> \ # KMS Public IP Address (Maybe is the same that coturn)
-e KMS_MIN_PORT=40000 \ # KMS Start Port
-e KMS_MAX_PORT=49151 \ # KMS End Port (Just 1 Before Coturn RFC)
--restart=always \
--name kms kurento/kurento-media-server:latest
Then we will get some codecs, and chroma filter:
docker exec -it kms bash # Get a bash inside the docker
apt-get update && apt-get install -y nano && apt-get install -y ladspa-sdk && apt-get install -y kms-chroma
You can test all was ok with the following commands:
curl \
--include \
--header "Connection: Upgrade" \
--header "Upgrade: websocket" \
--header "Host: 127.0.0.1:8888" \
--header "Origin: 127.0.0.1" \
http://127.0.0.1:8888/kurento
netstat -tupln | grep -e 8888
OpenVidu
1.- First prepare recordings Docker (so you have mapped the recording drive in the host)
mkdir -p /opt/openvidu/recordings
docker create \
--volume /opt/openvidu/recordings:/recordings \
--name recording openvidu/openvidu-recording:2.16.0
2.- Lets Install OpenVidu
mkdir -p /opt/openvidu/cdr
docker run -d --network=host \
-v /usr/local/psa/var/modules/letsencrypt/etc/live/<YourDomain>/cert.pem:/etc/openvidu/owncert/cert.pem \
-v /usr/local/psa/var/modules/letsencrypt/etc/live/<YourDomain>/privkey.pem:/etc/openvidu/owncert/key.pem \
-v /opt/openvidu/recordings:/home/openvidu/recordings \
-v /opt/openvidu/cdr:/home/openvidu/cdr \ #All this maps all needed directories and files to host
-v /run/docker.sock:/run/docker.sock \ #Let him control the recording docker
-e DOMAIN_OR_PUBLIC_IP=<YourDomain> \ #Your domain or subdomain
-e HTTPS_PORT=4443 \ #Use this port
-e OPENVIDU_SECRET=<OpenViduSecret> \ #A secret to secure connections with OpenVidu
-e CERTIFICATE_TYPE=owncert \ #Use this, will gonna import Letsencript host certificates
-e OPENVIDU_CDR=true \
-e OPENVIDU_CDR_PATH=/home/openvidu/cdr \
-e OPENVIDU_RECORDING=true \
-e OPENVIDU_RECORDING_PATH=/home/openvidu/recordings \
-e OPENVIDU_WEBHOOK=true \
-e OPENVIDU_WEBHOOK_ENDPOINT=<WebHookURL> \ #If you are developer know what to do with webhooks
-e OPENVIDU_WEBHOOK_HEADERS=[\"Authorization:\ Basic\ bmFtZTpwYXNz\"] \ #we can add headers...
-e COTURN_REDIS_IP=127.0.0.1 \ # THIS IS UNDOCUMENTED, USE LOCALHOST
-e COTURN_REDIS_PASSWORD=<RedisPwd> \ # THIS IS UNDOCUMENTED, USE REDIS PWD
-e COTURN_IP=<PublicIP> \ # THIS IS UNDOCUMENTED, USE PUBLIC IP
--restart=always \
--name openvidu openvidu/openvidu-server:latest
Then we are ready to configure some things inside the docker:
docker exec -it openvidu bash
apt-get update && apt-get install -y nano
nano /usr/local/bin/entrypoint.sh #EDIT THIS FILE
**CHANGE**
java ${JAVA_OPTIONS:-} -jar openvidu-server.jar
**FOR**
java ${JAVA_OPTIONS:-} -jar -Dserver.ssl.key-store=/OPENVIDU.jks -Dserver.ssl.key-store-password=OPENVIDU -Dserver.ssl.key-alias=OPENVIDU openvidu-server.jar
We are ready to automate the update of the Letsencrypt certs into docker:
nano /cert.sh #CREATE THIS FILE
**PASTE THE FOLLOWING - IF UNDERSTAND WHAT YOU ARE DOING CUSTOMIZE IT IF NOT DONT MOVE IT**
#!/bin/bash
openssl pkcs12 -export -name OPENVIDU -in /etc/openvidu/owncert/cert.pem -inkey /etc/openvidu/owncert/key.pem -out p12keystore.p12 -passout pass:OPENVIDU
keytool -delete -keystore OPENVIDU.jks -alias OPENVIDU -storepass OPENVIDU -keypass OPENVIDU -srcstorepass OPENVIDU
keytool -storepass OPENVIDU -keypass OPENVIDU -srcstorepass OPENVIDU -importkeystore -srckeystore p12keystore.p12 -srcstoretype pkcs12 -deststoretype pkcs12 -alias OPENVIDU -destkeystore OPENVIDU.jks
now="$(date +'%d/%m/%Y %H:%M:%S')"
echo "Cert $now" > /completed.txt
**Then give execution permission to file**
chmod 777 /cert.sh
Now exit docker, outside you can schedule a cron job for when you Letsencrypt will be updated in the host, so it will be updated into the OpenVidu Docker with the following command (run it for first time and restart OpenVidu):
docker exec openvidu /cert.sh && docker restart openvidu
You can test all was ok with the following commands:
netstat -tupln | grep -e 4443
Firewall
In plesk Firewall or your ip tables you need to open the followinf ports:
Kurento Allow incoming from all on ports 40000-49151/tcp, 40000-49151/udp
OpenVidu Allow incoming from all on port 4443/tcp
Coturn Allow incoming from all on ports 3478/tcp, 3478/udp, 49152-65535/tcp, 49152-65535/udp
- Redis 6378 port, must not be public, so is just reached locally.
- KMS 8888 port is used locally for OpenVidu to send commands to him, and must not be published.
Test IT
https://<yourDomain>:<yourPort>/dashboard
User: OPENVIDUAPP
Password: <OpenViduSecret>
