Wikimedia Meet
This page is obsolete. It is being retained for archival purposes. It may document extensions or features that are obsolete and/or no longer supported. Do not rely on the information here being up-to-date. |
This was the technical documentation for Wikimedia Meet (https://meet.wmcloud.org) and how to contribute. Wikimedia meet enabled Wikimedians to meet virtually without using commercial proprietary services like Zoom or Google Meet.
Technical description
[edit]Wikimedia meet was a project in the Wikimedia Cloud called "meet". Its public DNS record was meet.wmcloud.org that resolves to 185.15.56.72 which was one of the public IPs of WMF (The Wikimedia Cloud public IPs). Three ports are used: 80 that just redirects to HTTPS, 443 that handles the web traffic (encrypted using Let's Encrypt) and 10000/UDP that handles the webRTC.
Current Installation
[edit]The installation was jitsi meet on docker with internal authentication enabled. The instance is jitsi.meet.eqiad.wmflabs (a large instance) that serves as video bridge, the interface and everything else. The config can be found here (private repo, it contains secrets).
 Note: After changing the .env file, you need to wipe the config volume otherwise the containers won't pick it up.
Maintenance
[edit]Creating new users
[edit]Inside the jitsi node
[edit]cd /srv/jitsi
sudo docker-compose exec prosody /bin/bash
And then create the account:
prosodyctl --config /config/prosody.cfg.lua register TheDesiredUsername meet.jitsi TheDesiredPassword
Web
[edit]Go to https://meet-auth.wmflabs.org/generate_token and put the Ticketmaster token that's given to you (if you don't know what that it, you don't have the rights). It gives you a long random string, use it in https://meet-auth.wmflabs.org/create to create account and it should be there in five minutes. The user-creating tickets (tokens) are one time use.
- How does it work internally?
The codebase for the auth system can be found in here (private repo) and has three parts:
- The server: it's a flask server that's exposed to web on port 5000. This uses hashing and salting to protect the token plus it's only one-thread and sleeps two seconds for each authentication to avoid brute force. Once create user is succesful, it calls all of its clients (the jitsi server)
- The client(s): The client is insecure flask sever exposed on port 4000 (but not to public) that receives the request for creating users from the server and then add it to a file called user_to_create.json
- The cronjob: The cronjob is the bash file that reads from the json and runs the create account on the prosody docker container. The cronjob currently is being ran every minute
* * * * * bash /srv/meet-auth/create_cron.sh >> /var/log/create_cron.out 2>> /var/log/create_cron.err
Note: Server is on meet-auth.eqiad.wmflabs but client is jitsi.eqiad.wmflabs
Monitoring
[edit]- traffic of the public IP (Turnilo, NDA-LDAP protected)
- Grafana
External links
[edit]- Phabricator board
- Config repo
- The account manager repo
- Discussion around creating the project
- Other Jitsi instances (selected by Framasoft)