A Not-So-Successful Feasibility Study on Deploying a Video Conferencing System on an Intranet

2022-12-09 18:03:20

Jitsi Meet

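Background

I was given a task: set up a video conferencing system on the company intranet, for communication within the company and with branch offices. It has to be deployed on the intranet and should preferably be open source and free.

Choosing a project

I looked into the following projects:

In the end I decided to try Jitsi Meet, a free and open-source project with 19k stars on GitHub (as of 2022-12-09).

  • Jitsi Meet - secure, simple and scalable video conferences that you can use as a standalone app or embed in your web application
  • Jitsi Meet is a set of open-source projects that lets users use and deploy a video conferencing platform with state-of-the-art video quality and features.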

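What is Jitsi

Jitsi is a collection of open-source projects that provide state-of-the-art video conferencing capabilities that are secure, easy to use and easy to self-host.

This handbook (https://jitsi.github.io/handbook/docs/intro) aims to be a one-stop shop for all Jitsi documentation.

The content is divided into 3 main areas:

  • User guide: designed to help users of the service better understand all the available features and how to use them.
  • Developer guide: designed to help developers who want to integrate the Jitsi Meet API/SDK into their products, or who want to improve Jitsi Meet by developing new features or fixing bugs.
  • Self-hosting guide: designed for people who want to self-host, system administrators, or anyone who wants to deploy and operate their own Jitsi Meet instance.

Jitsi comprises a collection of projects:

  • Jitsi Meet, a WebRTC-compatible JavaScript application that uses Jitsi Videobridge to provide high-quality, scalable video conferences. Built on React and React Native.
  • Jitsi Videobridge (JVB) - a WebRTC-compatible server that routes video streams between the participants in a conference.
  • Jitsi Conference Focus (jicofo) - the server-side focus component for Jitsi conferences, which manages media sessions and acts as a load balancer between each participant and the videobridge.
  • Jitsi Gateway to SIP (jigasi) - a server-side application that lets regular SIP clients join Jitsi conferences.
  • Jitsi Broadcasting Infrastructure (jibri) - a set of tools for recording and/or streaming a Jitsi conference, which works by launching a Chrome instance rendered in a virtual framebuffer and capturing and encoding the output with ffmpeg.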

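Result

Once started, access it directly from a browser:

Installation

Install it with Docker, using the project https://github.com/jitsi/docker-jitsi-meet.

Tip: the author's environment is Ubuntu 20.04.

Part of the installation process:

Download docker-jitsi-meet-master locally and enter the directory: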

root@pjl:/home/docker-jitsi-meet-master# docker-compose up -d
root@pjl:/home/docker-jitsi-meet-master# docker ps
CONTAINER ID   IMAGE                    COMMAND   CREATED       STATUS       PORTS                                                                            NAMES
f617d13cda50   jitsi/jvb:unstable       "/init"   4 hours ago   Up 4 hours   127.0.0.1:8080->8080/tcp, 0.0.0.0:10000->10000/udp, :::10000->10000/udp          docker-jitsi-meet-master_jvb_1
5af4885c996a   jitsi/jicofo:unstable    "/init"   4 hours ago   Up 4 hours                                                                                    docker-jitsi-meet-master_jicofo_1
35c4bd9da921   jitsi/prosody:unstable   "/init"   4 hours ago   Up 4 hours   5222/tcp, 5280/tcp, 5347/tcp                                                     docker-jitsi-meet-master_prosody_1
fe3d109c8be6   jitsi/web:unstable       "/init"   4 hours ago   Up 4 hours   0.0.0.0:8000->80/tcp, :::8000->80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp   docker-jitsi-meet-master_web_1

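Installation references:

WebSocket connection failed

Error: WebSocket connection to 'wss://localhost:8443/xmpp-websocket?room=a' failed:

It later went away on its own.

jitsi meeting Screen sharing failed for 3 people

During full-screen sharing, the share failed as soon as a third person joined. Solving it was a long and winding process, roughly as follows: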

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 10000/udp
sudo ufw allow 22/tcp
sudo ufw allow 3478/udp
sudo ufw allow 5349/tcp
sudo ufw enable

root@pjl:/home/docker-jitsi-meet-master# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
root@pjl:/home/docker-jitsi-meet-master# sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
5911                       ALLOW IN    Anywhere
10000/udp                  ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
3478/udp                   ALLOW IN    Anywhere
5349/tcp                   ALLOW IN    Anywhere
5911 (v6)                  ALLOW IN    Anywhere (v6)
10000/udp (v6)             ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)
3478/udp (v6)              ALLOW IN    Anywhere (v6)
5349/tcp (v6)              ALLOW IN    Anywhere (v6)

That failed. I tried another approach:

docker cp f617d13cda50:/etc/jitsi/videobridge/sip-communicator.properties sip-communicator.properties

Edit sip-communicator.properties with vim and add two lines:
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.223
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=192.168.1.223

docker cp sip-communicator.properties f617d13cda50:/etc/jitsi/videobridge/sip-communicator.properties

systemctl  restart docker

That failed. I tried another approach:

ENABLE_XMPP_WEBSOCKET=0
ENABLE_COLIBRI_WEBSOCKET=1
ENABLE_SCTP=1
JVB_PORT=10000

That failed, with the following errors:

Logger.js:154 2022-07-25T08:41:11.181Z [modules/RTC/BridgeChannel.js] <WebSocket.e.onclose>:  Channel closed: 1006 

[modules/statistics/RTPStatsCollector.js] <nn._processAndEmitReport>:  No participant ID returned by LocalTrack[2,video]
[modules/statistics/AvgRTPStatsReporter.js] <Dd.addNext>:  bandwidth_upload - invalid value for idx: 1 undefined

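A round of searching online and trying things got nowhere.

Along the way I also found some odd problems: Chrome 94 has a video share button, Chrome 103 has no share button; with more than three people desktop sharing disappears, and it works again once one person leaves.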

firefox 102:
[ "audio", "video" ] TypeError: navigator.mediaDevices is undefined

chrome 103
TypeError: Cannot read properties of undefined (reading 'getUserMedia') 

Solved by following https://blog.csdn.net/yunzhonghefei/article/details/120290541.

In the end I changed two things:

  • Time zone in the .env file: TZ=Asia/Shanghai
  • In docker-compose.yml, change 127.0.0.1 to your own server's IP
jvb:
    image: jitsi/jvb:${JITSI_IMAGE_VERSION:-unstable}
    restart: ${RESTART_POLICY:-unless-stopped}
    ports:
        - '${JVB_PORT:-10000}:${JVB_PORT:-10000}/udp'
        # Change 127.0.0.1 to your own server's IP
        - '127.0.0.1:${JVB_COLIBRI_PORT:-8080}:8080'

After that everything worked.

Tip: real-world use would surely bring many other problems; for a start, it would certainly put very heavy load on the intranet.
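
The change above moves the JVB port 8080 mapping off 127.0.0.1, and in Docker's default configuration published ports are handled by Docker's own iptables rules, so the ufw rules shown earlier do not filter them. The following added example (not from the original post or the docker-jitsi-meet project) parses the PORTS column of `docker ps` and lists mappings reachable from other hosts that are not on an intended list. The intended list, and the use of 192.168.1.223 as the server address in the "after" row, are assumptions made for illustration.

```python
import ipaddress
import re

# One published mapping from the PORTS column of `docker ps`, e.g.
# "0.0.0.0:8443->443/tcp", ":::10000->10000/udp" or "[::]:10000->10000/udp".
MAPPING = re.compile(
    r"^(?P<ip>.+):(?P<host>\d+(?:-\d+)?)->\d+(?:-\d+)?/(?P<proto>tcp|udp)$")

def published_ports(ports_column):
    """Return (bind_ip, host_port, proto) for each published mapping."""
    found = []
    for entry in ports_column.split(","):
        m = MAPPING.match(entry.strip())
        if m:  # "5222/tcp" has no "->": exposed in the image, not published
            found.append((m["ip"].strip("[]"), m["host"], m["proto"]))
    return found

def audit(rows, intended):
    """rows: {container: PORTS text}; intended: {"8443/tcp", ...}.
    Return mappings bound to a non-loopback address that are not intended."""
    findings = set()
    for name, ports in rows.items():
        for ip, port, proto in published_ports(ports):
            key = f"{port}/{proto}"
            if not ipaddress.ip_address(ip).is_loopback and key not in intended:
                findings.add((name, key, ip))
    return sorted(findings)

# Assumption: only the web UI and the media port are meant to be reachable.
INTENDED = {"8000/tcp", "8443/tcp", "10000/udp"}

# PORTS values copied from the `docker ps` output earlier on this page.
BEFORE = {
    "docker-jitsi-meet-master_jvb_1":
        "127.0.0.1:8080->8080/tcp, 0.0.0.0:10000->10000/udp, :::10000->10000/udp",
    "docker-jitsi-meet-master_jicofo_1": "",
    "docker-jitsi-meet-master_prosody_1": "5222/tcp, 5280/tcp, 5347/tcp",
    "docker-jitsi-meet-master_web_1":
        "0.0.0.0:8000->80/tcp, :::8000->80/tcp, "
        "0.0.0.0:8443->443/tcp, :::8443->443/tcp",
}

# Constructed: the jvb row as it would read after replacing 127.0.0.1 with
# 192.168.1.223 (assumed to be the server address; it is the address this
# page sets in sip-communicator.properties).
AFTER = dict(BEFORE)
AFTER["docker-jitsi-meet-master_jvb_1"] = (
    "192.168.1.223:8080->8080/tcp, 0.0.0.0:10000->10000/udp, :::10000->10000/udp")

if __name__ == "__main__":
    for label, rows in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(rows, INTENDED))
```

On a live host the same check can be fed from `docker ps --format '{{.Names}}\t{{.Ports}}'`.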

Introduction to Jitsi Meet

Keep it Casual. For Free.

  • HD audio video
  • Unlimited free meeting access for up to 100 participants at a time
  • End-to-End encryption
  • Multiple participants can share their screen simultaneously
  • Remotely control other participants' desktop
  • Integrations (Google, Microsoft, Slack)

What is Jitsi?

Jitsi is a collection of Open Source projects which provide state-of-the-art video conferencing
capabilities that are secure, easy to use and easy to self-host.

Components

Jitsi comprises a collection of projects:

  • Jitsi Meet - WebRTC compatible JavaScript application that uses Jitsi Videobridge to provide high quality, scalable video conferences. Built upon React and React Native.
  • Jitsi Videobridge (JVB) - WebRTC compatible server designed to route video streams amongst participants in a conference.
  • Jitsi Conference Focus (jicofo) - server-side focus component used in Jitsi Meet conferences that manages media sessions and acts as load balancer between each of the participants and the videobridge.
  • Jitsi Gateway to SIP (jigasi) - server-side application that allows regular SIP clients to join Jitsi Meet conferences
  • Jitsi Broadcasting Infrastructure (jibri) - set of tools for recording and/or streaming a Jitsi Meet conference that works by launching a Chrome instance rendered in a virtual framebuffer and capturing and encoding the output with ffmpeg.

External Software used by Jitsi:

  • Prosody - XMPP server used for signalling

Desktop browsers

Browser             Support   Versions   Notes
Chrome                        >= 72      Best results with >= 96
Firefox                       >= 68      Best results with >= 101
Safari                        >= 14      Best results with >= 15, output device selection unsupported
Edge                          >= 79      Edge Legacy is unsupported
Internet Explorer

People can invite each other to Jitsi meetings by simply sending a link.

  1. If you have received such an invite link from a trusted source,
    copy it into your browser's address bar and press Enter / Return.
  2. Your browser may first ask you to grant microphone and/or camera access.
    If you trust the person who invited you, confirm this access request.
    Please refer to the browser's documentation for details (e.g. Firefox, Chrome).
  3. If prompted, enter a name, which will be visible to other participants in the Jitsi Meeting room.
  4. (Optional) Adjust the camera and/or microphone settings via the v dropdown menu items.
  5. Click on Join meeting.

Desktop or Mobile Browser

  1. You need a browser (please note our separate information).
  2. Open the browser and in the address bar type, for example "https://meet.jit.si" (without "") and press Enter.
  3. The page opens as shown in the figure:

  4. Now enter a name for your conference (e.g. new meeting) in the "Start new meeting" field.
    Note: Please do not use any special characters, spaces or umlauts, as this can lead to problems.
    Note: Jitsi offers a functionality that automatically suggests names for the conferences. These can be overwritten.
  5. Click the blue Go button.
  6. The following window opens:

  7. It is possible that no picture of you will appear at first. To do this, the browser will ask you whether you want to allow camera access. Please confirm this by clicking on allow or permit. Sometimes you also have to click the camera button at the bottom of the screen first to activate the dialog for allowing camera access. Do the same with the microphone the first time you use Jitsi.
  8. Now enter your display name in the "enter your name" field.
  9. Click the blue Join meeting button.
  10. Have fun in your first conference.

IFrame API

Embedding the Jitsi Meet API into your site or app enables you to host and provide secure video meetings with your colleagues, teams, and stakeholders. The Meet API provides a full complement of comprehensive meeting features.

Your Jitsi meetings can be hosted and attended using any device while keeping your data and privacy protected. You can reach your meeting participants anywhere in the world eliminating the need for travel and the associated inconvenience.

The IFrame API enables you to embed Jitsi Meet functionality into your meeting application so you can experience the full functionality of the globally distributed and highly available deployment available with meet.jit.si.

You can also embed and integrate the globally distributed and highly available deployment on the meet.jit.si platform itself.

Self-Hosting Guide

Welcome to the Self-Hosting guide!

note:
These guides help you to host your own Jitsi-Meet server.
If you want to have a video conference without setting up any infrastructure, use https://meet.jit.si instead.

The content is divided in 3 guides:

note: First, a bit of general advice
Jitsi Meet being based on WebRTC, an encrypted communication link (https) is necessary to get working multimedia, and the setup is not always trivial.

The best option is an Internet server with a certificate for a domain registered in the DNS.

While it's possible to set up a server on a private network and/or with a self-signed certificate, it can be less straightforward and you can expect difficulties, first if you want access both from the private network and the public internet, and second when using phones, as these clients often don't accept self-signed certificates.

In case of trouble with clients using phones, check your certificate.

Requirements

note:
Jitsi Meet is a real-time system.
Requirements are very different from a web server and depend on many factors.
Miscalculations can very easily destroy basic functionality rather than cause slow performance.
Avoid adding other functions to your Jitsi Meet setup as it can harm performance and complicate optimizations.

Note that Jitsi Meet design prioritizes scalability by adding servers over using a huge server. Check Jitsi-videobridge documentation on adding several bridges to a Jitsi Meet server, and OCTO to go even beyond that (federation of Jitsi Meet servers). If you feel that you are a network and server administration newbie, don't even think of going there.

Jitsi Meet needs, by order of importance
  • Network link: basic speed and reliability are essential. Check speed against the provider claims using any download tool (or ftp), and
    verify latency using a tool such as iperf3.
    Exact calculation is very complex and depends on many optimisations and tricks, but you should at least remember these numbers on resolution:
    180 = 200 kbits/s
    360 = 500 kbits/s
    720 (HD) = 2500 kbits/s
    4k = 10 Mbits/s
    So don't expect to have 20 users using 4K on a server with 100Mbits/s upload and download.
    For a friends/small organization server, 1 Gbits/s will often be enough but for a serious server 10 Gbits/s
    is advisable. Several (or many...) bridges having each a 10 Gbits/s link are used by big deployments.

These requirements concern the videobridge. If there are only external videobridges (as can be the case on high end Jitsi Meet servers), network performance matters much less.

  • RAM: it's usually suggested to get 8 GB.
    For small meetings you can get away with 4 GB, for test servers or very small meetings you can try to use 2 GB.
    For big meetings it's suggested to go the scalable way over getting huge amounts of memory.

  • CPU: very low processor performance can seriously harm a real time system, especially when using a shared server (where your CPU performance can be stolen by other customers of your hoster, check on 'dedicated CPU' if you are getting a VPS, rather than a physical server). However, a consideration is that a Jitsi Meet component, Prosody, can only use ONE (1) core. So getting a lot of cores, let's say more than 32, is not always useful. For a basic server, 4 dedicated cores can be enough.

  • Disk: unless you are doing heavy logging or have very specific needs, you can get away with 250 Gbytes of standard hard disk.
    SSD are more a nice to have than a necessity.

If you want additional services, requirements can go up.

Recording

Jibri needs ONE system per recording.
One Jibri instance = one meeting. For 5 meetings recorded simultaneously, you need 5 Jibris.
There is no workaround to that.
If you are knowledgeable, you can set up Jibris in containers and use a big server to save a bit on resources but that's about it.

Jibri RAM and CPU needs are far higher than Jitsi Meet itself, as it does video encoding.
For 1080x720 you currently need at least 8 GB RAM, for 1280x1024 12 GB (this is for recording a single meeting).
If memory is not sufficient or CPU can't encode fast enough, recordings will fail.

While Jibri and Jitsi Meet can technically be hosted in a single server, it's not recommended because Jibri is a resource drain and it can harm Jitsi Meet performance, and can exhaust disk space and stop Jitsi Meet function altogether.

Docker
Quick start

In order to quickly run Jitsi Meet on a machine running Docker and Docker Compose,
follow these steps:

  1. Download and extract the [latest release]. DO NOT clone the git repository. See below if you are interested in running test images.

  2. Create a .env file by copying and adjusting env.example:

    cp env.example .env
    
  3. Set strong passwords in the security section options of .env file by running the following bash script

    ./gen-passwords.sh
    
  4. Create required CONFIG directories

    • For linux:
    mkdir -p ~/.jitsi-meet-cfg/{web,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
    
    • For Windows:
    echo web,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri | % { mkdir "~/.jitsi-meet-cfg/$_" }
    
  5. Run docker-compose up -d

  6. Access the web UI at https://localhost:8443 (or a different port, in case you edited the .env file).

note:
HTTP (not HTTPS) is also available (on port 8000, by default), but that's e.g. for a reverse proxy setup;
direct access via HTTP instead of HTTPS leads to WebRTC errors such as
Failed to access your microphone/camera: Cannot use microphone/camera for an unknown reason. Cannot read property 'getUserMedia' of undefined
or navigator.mediaDevices is undefined.
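
Why the errors in the note above appear for some URLs and not others, as an added example (not from the Jitsi handbook or the original post): browsers expose navigator.mediaDevices only in a secure context, which means an HTTPS origin or a loopback origin. The function below is a simplified model of that rule; the URL list is constructed from the default ports on this page, with 192.168.1.223 assumed to be the server's LAN address.

```python
import ipaddress
from urllib.parse import urlsplit

def media_devices_available(url):
    """Simplified model of the browser secure-context rule that decides
    whether navigator.mediaDevices exists for a page loaded from `url`.
    Returns (available, reason). For https it assumes the certificate is
    trusted or has been accepted by the user."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme == "https":
        return True, "https origin"
    if host == "localhost" or host.endswith(".localhost"):
        return True, "loopback name over http"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return True, "loopback address over http"
    except ValueError:
        pass  # not an IP literal: an ordinary DNS name
    return False, "plain http from a non-loopback host"

def broken_entry_points(urls):
    """URLs where the client would fail with 'navigator.mediaDevices is
    undefined' before Jitsi can ask for the camera or microphone."""
    return [u for u in urls if not media_devices_available(u)[0]]

# Constructed list: default ports from this page; 192.168.1.223 stands in
# for the server's LAN address (an assumption).
URLS = [
    "https://localhost:8443/a",
    "http://localhost:8000/a",
    "http://127.0.0.1:8000/a",
    "https://192.168.1.223:8443/a",
    "http://192.168.1.223:8000/a",
]

if __name__ == "__main__":
    for u in URLS:
        print(u, *media_devices_available(u))
```

Testing from a browser on the server itself hits the loopback case, which hides the failure that LAN clients see on port 8000.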

If you want to use jigasi too, first configure your env file with SIP credentials
and then run Docker Compose as follows:

docker-compose -f docker-compose.yml -f jigasi.yml up

If you want to enable document sharing via [Etherpad],
configure it and run Docker Compose as follows:

docker-compose -f docker-compose.yml -f etherpad.yml up

If you want to use jibri too, first configure a host as described in JItsi BRoadcasting Infrastructure configuration section
and then run Docker Compose as follows:

docker-compose -f docker-compose.yml -f jibri.yml up -d

or to use jigasi too:

docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d

Architecture

A Jitsi Meet installation can be broken down into the following components:

  • A web interface
  • An XMPP server
  • A conference focus component
  • A video router (could be more than one)
  • A SIP gateway for audio calls
  • A Broadcasting Infrastructure for recording or streaming a conference.

The diagram shows a typical deployment in a host running Docker. This project
separates each of the components above into interlinked containers. To this end,
several container images are provided.

External Ports

The following external ports must be opened on a firewall:

  • 80/tcp for Web UI HTTP (really just to redirect, after uncommenting ENABLE_HTTP_REDIRECT=1 in .env)
  • 443/tcp for Web UI HTTPS
  • 4443/tcp for RTP media over TCP
  • 10000/udp for RTP media over UDP

Also 20000-20050/udp for jigasi, in case you choose to deploy that to facilitate SIP access.

E.g. on a CentOS/Fedora server this would be done like this (without SIP access):

sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=4443/tcp
sudo firewall-cmd --permanent --add-port=10000/udp
sudo firewall-cmd --reload

See the corresponding section in the manual setup guide.

Design considerations

Jitsi Meet uses XMPP for signaling, thus the need for the XMPP server.
The setup provided by these containers does not expose the XMPP server to the outside world.
Instead, it's kept completely sealed, and routing of XMPP traffic only happens on a user-defined network.

The XMPP server can be exposed to the outside world,
but that's out of the scope of this project.

Outcome

For various reasons, the relevant department ultimately decided to purchase a customized solution.