Unable to install Kopano Meet

looks like there is some form of hiving going on.

docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8bf617bb826c kopano/konnectd:latest “docker-entrypoint.s…” 19 seconds ago Up 13 seconds (health: starting) 6777/tcp, 0.0.0.0:8777->8777/tcp konnectd.1.e4a8hjpfotbmieo7vj3m31pno

~# docker rm -f 8bf617bb826c
8bf617bb826c

~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7919d67f2ccf kopano/konnectd:latest “docker-entrypoint.s…” 1 second ago Created konnectd.1.zlxmztkbcjykrs5wi3d8f13tu

I don’t remember setting anything like that up… just wondering if you happen to know off the top of your head. If not I’ll start digging in.

thanks for your help

No, sorry. I don’t think docker itself would respawn a container on its own when it’s deleted, so it must be a script or some third party recreating it.

I went through my bash history … there are a few interesting commands that nail down what I did and how I did it many months ago.

Here are some samples in no particular order:

docker pull kopano/konnectd
docker service create --read-only --user=$(id -u kopano) --group=$(id -g kopano) --mount type=bind,source=/etc/ssl/certs,target=/etc/ssl/certs,readonly --secret konnectd_signing_private_key --secret konnectd_encryption_secret --env KOPANO_SERVER_DEFAULT_URI=file:///run/kopano/server.sock --mount type=bind,source=/run/kopano,target=/run/kopano --publish published=8777,target=8777,mode=host --name=konnectd kopano/konnectd serve --iss=https://mykonnect.local kc
docker run --rm=true --name=konnectd --read-only --user=$(id -u root):$(id -g root) --volume /etc/ssl/certs:/etc/ssl/certs:ro --volume /etc/kopano/konnectd-tokens-signing-key.pem:/run/secrets/konnectd_signing_private_key:ro --volume /etc/kopano/konnectd-encryption.key:/run/secrets/konnectd_encryption_secret:ro --env KOPANO_SERVER_DEFAULT_URI=file:///run/kopano/server.sock --volume /run/kopano:/run/kopano:rw --publish 127.0.0.1:8777:8777 kopano/konnectd serve --iss=https://mykonnect.local kc
docker service rm konnectd

docker pull kopano/konnectd
docker run --rm=true --name=konnectd --read-only --user=$(id -u kopano):$(id -g kopano) --volume /etc/ssl/certs:/etc/ssl/certs:ro --volume /etc/kopano/konnectd-tokens-signing-key.pem:/run/secrets/konnectd_signing_private_key:ro --volume /etc/kopano/konnectd-encryption.key:/run/secrets/konnectd_encryption_secret:ro --env KOPANO_SERVER_DEFAULT_URI=file:///run/kopano/server.sock --volume /run/kopano:/run/kopano:rw --publish 127.0.0.1:8777:8777 kopano/konnectd serve --iss=https://mykonnect.local kc
docker pull kopano/konnectd
docker service create --read-only --user=$(id -u kopano) --group=$(id -g kopano) --mount type=bind,source=/etc/ssl/certs,target=/etc/ssl/certs,readonly --secret konnectd_signing_private_key --secret konnectd_encryption_secret --env KOPANO_SERVER_DEFAULT_URI=file:///run/kopano/server.sock --mount type=bind,source=/run/kopano,target=/run/kopano --publish published=8777,target=8777,mode=host --name=konnectd kopano/konnectd serve --iss=https://mykonnect.local kc
docker build -t kopano/konnectd .
https://mykonnect.local
curl https://mykonnect.local

so

  1. the “docker pull kopano/konnectd” command grabs the image
  2. the “docker service create …” command causes persistent instances. The moment one konnectd dies a new one is spawned, etc. Kill the image at a docker level, the service ensures it comes back because it was told it’s supposed to make sure.
  3. the “docker service rm konnectd” does exactly what we might expect. It gets rid of konnectd and most all evidence that it ever existed.

Somewhere in there I obviously also did a build and I remember that’s around the time stuff started working for me. That being said – when I look at the CLI history on my web server around then … I also see I was messing around with some websocket stuff on my reverse-proxy. That box is actually what is in front of UCS.

I’m thinking that fixes to the RP is what actually fixed the multi-user issue I was having.

The konnect-related stuff is what I was doing in parallel. Pretty sure I just left it behind when multi-user stuff started working, so it was purely coincidence and didn’t need to be there.

Will try the install now that stuff is out of the way.
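As an added illustration of the respawn behaviour described in the post above (not part of the original thread): a small shell check that tells, per container, whether `docker rm -f` will stick or whether a swarm service will re-create the container. It assumes the `com.docker.swarm.service.name` label that swarm puts on task containers; the function names and the `kopano_web` row's ID are constructed for the example.

```shell
#!/bin/sh
# Input: one line per container, tab-separated: ID, name, swarm service label.
# On a live host, produce it with:
#   docker ps -a --format '{{.ID}}\t{{.Names}}\t{{.Label "com.docker.swarm.service.name"}}'

# Constructed sample: the two konnectd task containers from the thread
# (second one with an empty label, to exercise the name fallback)
# plus one compose-style container with a made-up ID.
sample_rows() {
    printf '8bf617bb826c\tkonnectd.1.e4a8hjpfotbmieo7vj3m31pno\tkonnectd\n'
    printf '7919d67f2ccf\tkonnectd.1.zlxmztkbcjykrs5wi3d8f13tu\t\n'
    printf 'aaaaaaaaaaaa\tkopano_web\t\n'
}

# Emit "ID<TAB>swarm<TAB>service" or "ID<TAB>standalone<TAB>-".
classify_containers() {
    awk -F '\t' '
    {
        id = $1; name = $2; svc = $3
        if (svc == "") {
            # Fallback: replicated swarm tasks are named
            # <service>.<slot>.<25-character task id>.
            n = split(name, p, ".")
            if (n >= 3 && p[n-1] ~ /^[0-9]+$/ &&
                length(p[n]) == 25 && p[n] ~ /^[a-z0-9]+$/) {
                svc = p[1]
                for (i = 2; i <= n - 2; i++) svc = svc "." p[i]
            }
        }
        if (svc != "") printf "%s\tswarm\t%s\n", id, svc
        else           printf "%s\tstandalone\t-\n", id
    }'
}

# Unique services that keep re-creating containers; removing a container
# by ID is pointless for these, the service itself has to be removed.
swarm_services() {
    classify_containers | awk -F '\t' '$2 == "swarm" { print $3 }' | sort -u
}

sample_rows | classify_containers
for s in $(sample_rows | swarm_services); do
    echo "managed by a service; remove with: docker service rm $s"
done
```
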

“OpenID-Connect-Provider” is installed now. It would not do it through the app center but it worked through the command line it looks like. I’m able to make a CURL call to the ucs-sso URL.

There is a self-signed certificate on the website right now it looks like.

I’ve moved on to trying to install Kopano Meet and it’s back to being stuck in the UI again. The log doesn’t show anything particularly useful. I’ll try again from the CLI and see what happens after I give it a bit more time to try and fail.

thanks for the continued help.

It complained about quite a bit of stuff but the CLI did install.

Kopano Meet shows up in the landing page for the server and it does allow me to login. Everything shows as status of offline so it’s pretty-well broken right now. I’m assuming the errors below are much of what’s behind that.

Here’s the log from the CLI run:
root@blade:~# univention-app install kopano-meet
Going to install Kopano Meet (2.1.0_0-2)
Password for Administrator:
chmod: cannot access ‘/var/lib/univention-appcenter/apps/kopano-meet/machine.secret’: No such file or directory
Create kopano/docker/FQDN_MEET
Create kopano/docker/FQDN_SSO
Create kopano/docker/GRID_WEBAPP
Create kopano/docker/INSECURE
Create kopano/docker/MEET_GUEST_ALLOW
Create kopano/docker/MEET_GUEST_REGEXP
Create kopano/docker/TURN_PASSWORD
Create kopano/docker/TURN_USER
Create kopano/docker/TURN_SERVER_SHARED_SECRET
Create kopano/docker/TURN_SERVICE_URL
Create kopano/docker/TURN_URIS
Module: kopano-cfg
Creating data directories for kopano-meet…
Registering UCR for kopano-meet
Marking 4.3/kopano-meet=2.1.0_0-2 as installed
Module: kopano-cfg
File: /etc/univention/service.info/services/univention-appcenter.cfg
File: /usr/share/univention-portal/apps.json
Multifile: /etc/apache2/sites-available/000-default.conf
Multifile: /etc/apache2/sites-available/default-ssl.conf
Module: kopano-cfg
File: /etc/apache2/sites-available/univention-letsencrypt.conf
Adding localhost to LDAP object
Setting overview variables
Module: kopano-cfg
Module: create_portal_entries
Reloading apache2 configuration (via systemctl): apache2.service.
Registering the container host kopan-31090913 for kopano-meet
Module: kopano-cfg
Verifying Docker registry manifest for app image docker.software-univention.de/kopano-meet-kopano_grapi:2.1.0_0-2
Downloading app images
Running command: docker-compose -p kopano-meet pull
The GRID_WEBAPP variable is not set. Defaulting to a blank string.
The MEET_GUEST_BOOLALLOW variable is not set. Defaulting to a blank string.
The MEET_GUEST_ALLOW variable is not set. Defaulting to a blank string.
The clientsecret variable is not set. Defaulting to a blank string.
The MEET_GUEST_REGEXP variable is not set. Defaulting to a blank string.
The TURN_PASSWORD variable is not set. Defaulting to a blank string.
The TURN_USER variable is not set. Defaulting to a blank string.
The TURN_SERVICE_URL variable is not set. Defaulting to a blank string.
The TURN_URIS variable is not set. Defaulting to a blank string.
The TURN_SERVER_SHARED_SECRET variable is not set. Defaulting to a blank string.
Pulling web … done
Pulling kopano_kwmserver … done
Pulling kopano_grapi … done
Pulling kopano_kapi … done
Pulling kopano_meet … done
Pulling kopano_ssl … done
Pulling kopano_konnect … done

Initializing app image
Running command: docker-compose -p kopano-meet up -d --no-build --no-recreate
The MEET_GUEST_ALLOW variable is not set. Defaulting to a blank string.
The clientsecret variable is not set. Defaulting to a blank string.
The GRID_WEBAPP variable is not set. Defaulting to a blank string.
The MEET_GUEST_BOOLALLOW variable is not set. Defaulting to a blank string.
The MEET_GUEST_REGEXP variable is not set. Defaulting to a blank string.
The TURN_PASSWORD variable is not set. Defaulting to a blank string.
The TURN_USER variable is not set. Defaulting to a blank string.
The TURN_SERVICE_URL variable is not set. Defaulting to a blank string.
The TURN_URIS variable is not set. Defaulting to a blank string.
The TURN_SERVER_SHARED_SECRET variable is not set. Defaulting to a blank string.
The Docker Engine you’re using is running in swarm mode.

Compose does not use swarm mode to deploy services to multiple nodes in a swarm. All containers will be scheduled on the current node.

To deploy your application across the swarm, use docker stack deploy.

Creating network “kopano-meet_kopano-net” with driver “bridge”
Creating network “kopano-meet_default” with the default driver
Creating network “kopano-meet_web-net” with the default driver
Creating kopano_web … done
Creating kopano_ssl … done
Creating kopano_grapi … done
Creating kopano_kwmserver … done
Creating kopano_konnect … done
Creating kopano_kapi … done
Creating kopano_meet … done

Module: kopano-cfg
Preconfiguring container 9feb4ae21e7dfa89b5e893f880de4abe4f4dc8bf4f9559c079c6ef9ed72a482c
The MEET_GUEST_ALLOW variable is not set. Defaulting to a blank string.
The clientsecret variable is not set. Defaulting to a blank string.
The GRID_WEBAPP variable is not set. Defaulting to a blank string.
The MEET_GUEST_BOOLALLOW variable is not set. Defaulting to a blank string.
The MEET_GUEST_REGEXP variable is not set. Defaulting to a blank string.
The TURN_PASSWORD variable is not set. Defaulting to a blank string.
The TURN_USER variable is not set. Defaulting to a blank string.
The TURN_SERVICE_URL variable is not set. Defaulting to a blank string.
The TURN_URIS variable is not set. Defaulting to a blank string.
The TURN_SERVER_SHARED_SECRET variable is not set. Defaulting to a blank string.
Starting web …
Starting kopano_kwmserver …
Starting kopano_grapi …
Starting kopano_kapi …
Starting kopano_meet …
Starting kopano_ssl …
Starting kopano_konnect …
tarting kopano_meet … done
Configuring 4.3/kopano-meet=2.1.0_0-2
Module: kopano-cfg
Module: autostart
Setting kopano/docker/INSECURE to ‘no’
Setting kopano/docker/GRID_WEBAPP to ‘no’
Setting kopano/docker/TURN_USER to ‘KST0300-8YUG3GPVX’
Setting kopano/docker/TURN_SERVICE_URL to ‘https://ucs-turn.kopano.com/turnserverauth/
Setting kopano/docker/FQDN_SSO to ‘ucs-sso.domainremoved.org
Setting kopano/docker/MEET_GUEST_REGEXP to ‘^group/public/.
Unsetting kopano/docker/TURN_SERVER_SHARED_SECRET
Setting kopano/docker/MEET_GUEST_ALLOW to ‘no’
Unsetting kopano/docker/TURN_URIS
Setting kopano/docker/FQDN_MEET to ‘blade.domainremoved.org
Module: kopano-cfg
ucr cannot be found, falling back to changing the database file directly
Executing interface restore_data_before_setup for kopano-meet
No interface defined
Executing interface restore_data_after_setup for kopano-meet
No interface defined
Configuring 4.3/kopano-meet=2.1.0_0-2
Setting kopano/docker/MEET_GUEST_ALLOW to ‘no’
Setting kopano/docker/MEET_GUEST_REGEXP to '^group/public/.

ensuring read permissions for konnect container
Considering dependency proxy for proxy_wstunnel:
Module proxy already enabled
Module proxy_wstunnel already enabled
Module rewrite already enabled
Executing interface configure for kopano-meet
No interface defined
updating certificates for 4.3/kopano-meet=2.1.0_0-2
Installing join script /var/cache/univention-appcenter/appcenter.software-univention.de/4.3/kopano-meet_20200403120517.inst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright © 2001-2019 Univention GmbH, Germany

Running pre-joinscripts hook(s): done
Running 00kopano4ucs-safemode-on.inst skipped (already executed)
Running 01univention-ldap-server-init.inst skipped (already executed)
Running 02univention-directory-notifier.inst skipped (already executed)
Running 03univention-directory-listener.inst skipped (already executed)
Running 04univention-ldap-client.inst skipped (already executed)
Running 05univention-bind.inst skipped (already executed)
Running 08univention-apache.inst skipped (already executed)
Running 10univention-ldap-server.inst skipped (already executed)
Running 11univention-heimdal-init.inst skipped (already executed)
Running 11univention-pam.inst skipped (already executed)
Running 15univention-directory-notifier-post.inst skipped (already executed)
Running 15univention-heimdal-kdc.inst skipped (already executed)
Running 18python-univention-directory-manager.inst skipped (already executed)
Running 20univention-directory-policy.inst skipped (already executed)
Running 20univention-join.inst skipped (already executed)
Running 20univention-ldap-config-master.inst skipped (already executed)
Running 22univention-directory-manager-rest.inst skipped (already executed)
Running 26univention-nagios-common.inst skipped (already executed)
Running 30univention-appcenter.inst skipped (already executed)
Running 30univention-nagios-client.inst skipped (already executed)
Running 33univention-portal.inst skipped (already executed)
Running 34univention-management-console-server.inst skipped (already executed)
Running 35univention-appcenter-docker.inst skipped (already executed)
Running 35univention-management-console-module-appcenter.inst skipped (already executed)
Running 35univention-management-console-module-diagnostic.inst skipped (already executed)
Running 35univention-management-console-module-ipchange.inst skipped (already executed)
Running 35univention-management-console-module-join.inst skipped (already executed)
Running 35univention-management-console-module-lib.inst skipped (already executed)
Running 35univention-management-console-module-mrtg.inst skipped (already executed)
Running 35univention-management-console-module-quota.inst skipped (already executed)
Running 35univention-management-console-module-reboot.inst skipped (already executed)
Running 35univention-management-console-module-services.inst skipped (already executed)
Running 35univention-management-console-module-setup.inst skipped (already executed)
Running 35univention-management-console-module-sysinfo.inst skipped (already executed)
Running 35univention-management-console-module-top.inst skipped (already executed)
Running 35univention-management-console-module-ucr.inst skipped (already executed)
Running 35univention-management-console-module-udm.inst skipped (already executed)
Running 35univention-management-console-module-updater.inst skipped (already executed)
Running 35univention-server-overview.inst skipped (already executed)
Running 36univention-management-console-module-apps.inst skipped (already executed)
Running 40univention-virtual-machine-manager-schema.inst skipped (already executed)
Running 50kopano-meet.inst done
Running 50openid-connect-provider.inst skipped (already executed)
Running 70kopano4ucs-udm.inst skipped (already executed)
Running 70kopano4ucs.inst skipped (already executed)
Running 71kopano4ucs-webapp.inst skipped (already executed)
Running 78univention-kde.inst skipped (already executed)
Running 81univention-nfs-server.inst skipped (already executed)
Running 90univention-bind-post.inst skipped (already executed)
Running 91univention-saml.inst skipped (already executed)
Running 92univention-fetchmail-schema.inst skipped (already executed)
Running 92univention-fetchmail.inst skipped (already executed)
Running 92univention-management-console-web-server.inst skipped (already executed)
Running 98univention-pkgdb-tools.inst skipped (already executed)
Running 99kopano4ucs-safemode-off.inst skipped (already executed)
Running post-joinscripts hook(s): done
Module: kopano-cfg
Module: kopano-cfg
File: /usr/share/univention-management-console/modules/apps.xml

Module: kopano-cfg

File: /usr/share/univention-management-console/i18n/de/apps.mo

File: /etc/apt/apt.conf.d/55user_agent

Executing interface update_available for kopano-meet
No interface defined

After a lot of messing around I sort-of forced a few things and got a successful test between two LAN PCs.

I put ucs-sso.domainremoved.org into the hosts file on a PC on my LAN that can hit my DMZ UCS server directly. That seems to work.

Next I set up my TURN server in the config and got a host from outside my LAN that had access to ucs-sso temporarily to also work. Kopano-Meets seems to work in that instance - albeit it can’t stay that way.

It made me wonder why there’s no config for a STUN server anywhere… thoughts?

I skipped over that for now and started troubleshooting the Apache reverse proxy config for ucs-sso.domainremoved.org.

I had the right internal and external DNS. I have the needed /etc/hosts file entry on the reverse-proxy server and the right virtual hosts setup on the server, etc. Still if I point at the reverse-proxy hosts I only get so far. The calls as I try to authenticate fail every time.

After some research it looks like OpenID Connect requires an apache module to reverse-proxy it along with some detailed config.

I found a simple article here:

I was hoping for some help sorting out what parameters are needed for the RP and how to find them in UCS.

That plus updating so users go to Kopano-Meets rather than webmeetings in the webapps seem to be the last few hurdles to using it more widely.

That is because the TURN server in most cases also does STUN. So no need to have two settings.

No, definitely not. Just proxy that whole domain to your internal system. If you want to get fancy then have a look at the Apache configuration of the openid provider app for the exact routes.

I’m looking through the Apache config on UCS and I see where the ucs-sso vhost along with a proxy include.

Any thoughts on what must go into a reverse-proxy config to get it to work? Generically reverse proxying the entire site is not working. I can start a new thread for the discussion if you’d like although it is directly related to actually getting Kopano-meets working …

Is the trick hidden in duplicating the rewrite rules on the reverse-proxy rather than just hoping they will pass through?

Historically … my STUN and TURN server settings have been quite different.

kopano-meetings/spreed/stunURI stun:blade.domainremoved.org:443
kopano-meetings/spreed/turnURIs turn:blade.domainremoved.org:3478?transport=udp

STUN is an HTTPS website, TURN is a DMZ host on a specific UDP port.

Any suggestions for getting the correct config into Kopano Meets for this?

I have already shared my thoughts on this with you. If you need concrete steps or a working example please get in contact with the Kopano support.

In the case of Meet you only need to specify the TURN URI. A specific STUN config is no longer needed. For Meet it is recommended to use the Kopano Turn Service (as it was already for Web Meetings). If you want to use your own TURN server and have problems with the configuration, I recommend getting in touch with the Kopano support.

Thank you for the input on this. I will look up some info on Kopano Meets and STUN settings. It might be a trick to get the setting passed into the meets server on UCS – we can discuss that more once I find the info on STUN.

I went through all of the apache configs and includes on the UCS server. After some horsing around I managed to get OpenID connect to pass through my DMZ reverse-proxy over to my UCS server. I got the logins to work as well.

The problem I am seeing now – and I am not sure if this is a KopanoMeet issue or a reverse proxy issue yet – is that when I hit logoff on Meets it redirects me back to meets as the same user again with an active session. The only way that I can actually get a user out of meets on the client-side is to clear all of the cookies related to the meets URL and UCS-SSO URLs.

Also - I’d like to swap the webmeeting preference to Kopano-meets instead of spreed when logged into the webmail portal. What is the correct way to go about this?

Thank you for your continued replies.

Yes, this is known and also mentioned in the app center description.

What is a webmail portal?

If it is a known issue, is there any plan to fix it sometime soon? What is needed?

For a given UCS server, there is a web page where users can check their mail found at https://server.domain.com/webapp

When they login there you can set the webapp to also show they are present in spreed and you can easily include URLs to meetings there.

How do you set the webapp to start using Kopano Meet instead of webmeetings (spreed)?

Konnect needs to gain the ability to log users out at an external authentication provider (the OpenID Provider App of Univention). So far this has been no priority to us, but if you want to work on it you can find the source code of Konnect at https://github.com/kopano-dev/konnect.

Ah, you’re referring to the Kopano WebApp. At the moment there is no (publicly available) integration of Kopano Meet into WebApp. I am currently not sure what the plans are in this regard. I have reached out internally to ask for a release date of the plugin.