Comments (9)
Actually, this should automatically work: as long as STUNner cannot find a public LoadBalancer IP for the Service it creates to expose your Gateway it will automatically fall back to the NodePort.
Below is a sample output for a case when this happens: the public IP 34.116.220.190
belongs to one of our Kubernetes nodes in the GKE cluster this output is taken from and the public port is 30501, a typical port in the default NodePort range:
$ cmd/stunnerctl/stunnerctl running-config stunner/stunnerd-config
STUN/TURN authentication type: plaintext
STUN/TURN username: user-1
STUN/TURN password: pass-1
Listener 1
Name: udp-listener
Listener: udp-listener
Protocol: UDP
Public address: 34.116.220.190
Public port: 30501
Note that currently there is no way to enforce the public port for the NodePort service (i.e., 30501), this will be chosen automatically by Kubernetes. There are workarounds, but they are somewhat cumbersome. Note also that you will have to manually open the NodePort range (32000-32767) on the cloud firewall (this is automatically done when you use LoadBalancer services).
from stunner.
Hello,
This is interesting but actually i don't see any NodePort Service (for stunner) in the list of generated service (using k get svc --all-namespaces).
Is this normal ?
When I run stunnerctl i see that :
STUN/TURN authentication type: static
STUN/TURN username: user-1
STUN/TURN password: pass-1
Listener 1
Name: stunner/udp-gateway/udp-listener
Listener: stunner/udp-gateway/udp-listener
Protocol: UDP
Public port: 30200
Can you tell me more ?
What append if I create on my hand a new NodePort service using the same charcteristics than the loadbalancer one ?
Tks in advance.
from stunner.
It seems that STUNner has already picked up the NodePort service. The way you know this is by looking at the public port: when the public port is in the default Nodeport range (32000-32767) then most probably STUNner has failed to find a LoadBalancer service and fell back to NodePort.
The curious thing here is that there is no public IP: this means that your Kubernetes nodes either run without a public IP (are you using a GKE private cluster?) or the public IP of your nodes is somehow encoded in a nonstandard way in the Kubernetes Node resources.
The easiest way to debug this is to look at the output of kubectl get nodes -o yaml
and looking at the status
field. Is there an external IP? Is it routable?
As per manually creating the service that exposes STUNner: that is a perfectly valid way to expose STUNner precisely the way you want if you don't like the service created automatically by STUNner. That being said, manually creating the NodePort service will not solve your problem until we find out why there are no public IPs assigned by Kubernetes to your nodes. And when we find out, STUNner will automatically find them too and you wouldn't need the manual service any more...:-)
from stunner.
Hello,
Ok thanks for your answer. Actually each nodes of my cluster are using public IP but there is something strange in the status of the node.
kc get nodes -o json | jq .items[].status.addresses
[ { "address": "51.210.190.***", "type": "InternalIP" }, { "address": "dev-b2-30-node-1b7067", "type": "Hostname" }
We see that the type is InternalIP. Maybe this is this that make the matching not working ?
Any way I tried using a TCP loadbalancer for testing, and even if it's not perfect it seems to work (in tutorials, not in my real case).
I was wondering if there is some documentation about the UdpRoute parameters that we can use. I've still not understood how we avoid to create a service openning the full range udp port (32000 -65567) in the clusterIP service. Do you have any clue about that.
Thanks in advance.
from stunner.
Actually each nodes of my cluster are using public IP but there is something strange in the status of the node.
[...]
We see that the type is InternalIP. Maybe this is this that make the matching not working ?
Exactly. This is really weird: your InternalIP
seems like a perfectly functional routable IP, why is it marked as "internal" then? STUNner will refuse to pick up an internal IP as a public address for obvious reasons.
Any way I tried using a TCP loadbalancer for testing, and even if it's not perfect it seems to work (in tutorials, not in my real case).
I'd recommend using TCP only as the last resort. For now, just set the client-side ICEServer configs with the InternalIP of one of your nodes and use the NodePort as above and you should be good to go. Meanwhile, contact your cloud operator and tell them their handling of Kubernetes nodes' external IPs needs some fixing.
I was wondering if there is some documentation about the UdpRoute parameters that we can use. I've still not understood how we avoid to create a service openning the full range udp port (32000 -65567) in the clusterIP service. Do you have any clue about that.
I think there's some misunderstanding here so let's get things straight:
- Public address/port: if you use NodePort you have to open the entire NodePort range on the external firewall of your cluster, otherwise the cloud operator will block external access to these ports. LoadBalancer services automatically handle this.
- Internal UDPRoute address/port: STUNner allows connections to the backend Service in the UDPRPoute on any protocol-port pair so you don't need to open "the full range udp port (32000-65567) in the clusterIP service". We rely on this hack until support for port ranges in Services lands in Kubernetes.
I've just added a warning to the README to document this behavior, thanks for calling my attention to this.
from stunner.
Ok that's very interesting.
By the way i'm trying to proxy my sip call to a freeswitch server.
The idea is that I can avoid to open the differents rtc_media_port via a node-port as I'm doing it now (using restriction of port 30000-30100).
It's ok for me, the turn server is correctly recognized etc.
The ip provided as a relay in the sdp seems to be ok provided private ip adress of stunner pod (i think it's normal).
I guess the next thing to do is understanding why freeswitch doesn't wan't to use this private IP to establish connection.
Thank's for all
from stunner.
I guess the next thing to do is understanding why freeswitch doesn't wan't to use this private IP to establish connection.
I'm not sure we can be of big help on this matter but we'd be happy to learn more about your use case. Join our Discord and tell us about your use of STUNner, maybe someone will show up who understands freeswitch!
Closing this for now, feel free to reopen if anything interesting comes up.
from stunner.
Hi @rg0now you have mentioned
There are workarounds, but they are somewhat cumbersome
Do you know such workarounds for me to choose a static Nodeport rather than letting Kubernetes randomly assign one?
from stunner.
There are workarounds, but they are somewhat cumbersome
The workaround that I had in mind was manually creating the service that exposes STUNner and enforcing the fix NodePort in the manually created Service. Here are some simple steps to do that:
- First make sure STUNner's automatically created Service is internal (we will create the external Service manually, no need for two Services). This can be done by adding the annotation
stunner.l7mp.io/service-type: ClusterIP
, which will instruct STUNner to create a ClusterIP Service instead of the default LoadBalancer. - Then create a copy of the Service created by STUNner under a new name (new name is important, otherwise STUNner will reset your modifications), set the Service type to NodePort, and set a fixed NodePort value to something you opened on the firewall.
- Create a manual ICE server config for your clients: the public IP would be the external IP of any of your nodes and the public port would be the chosen NodePort. This will be static, but it would at least work. Ephemeral authentication would need additional work though.
Since you are not the first one requesting for a way to fix the NodePort, I've created an wishlist item covering this. Once we get some free cycles we'll get to implement this, stay tuned.
from stunner.
Related Issues (20)
- feat: Release turncat binaries
- Issue UDP port loadbalancer HOT 7
- Stunner gateway operator can't be started HOT 1
- Question about debugging message on UDP gateway pod HOT 9
- Is stunner FedRamp compliant? HOT 11
- Meetecho Janus integration HOT 7
- turn ERROR: Failed to handle datagram: failed to create stun message from packet: unexpected EOF: not enough bytes to read header HOT 1
- Mixed protocol available for AWS? If not how to setup health check if not supported? HOT 3
- Does it work with MediaMTX (Whip) and can I choose the destination server with an API? HOT 8
- Gatteway API v1.0 incompatibility on GKE HOT 6
- UDP Gateway Error HOT 11
- srflx ICE candidate wrong ip? HOT 1
- SRS integration? HOT 4
- Extra question about horizontally scaled Stunner HOT 3
- Example app udp-greeter.yaml not working - help needed HOT 10
- v0.16.0 - Websocket error HOT 3
- v0.16.0 - Stunnerd pods get into state where they won't respond to TURN requests HOT 1
- Allow Gateways to request a specific NodePort in the automatically created Service HOT 3
- TURN connection breaks when the backend pod enters graceful shutdown HOT 4
- `stunnerctl config` does not fall back to the default namespace
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from stunner.