Jump to content

Wikimedia Meet

From mediawiki.org

This was the technical documentation for Wikimedia Meet (https://meet.wmcloud.org) and how to contribute. Wikimedia meet enabled Wikimedians to meet virtually without using commercial proprietary services like Zoom or Google Meet.

Technical description

[edit]

Wikimedia meet was a project in the Wikimedia Cloud called "meet". Its public DNS record was meet.wmcloud.org that resolves to 185.15.56.72 which was one of the public IPs of WMF (The Wikimedia Cloud public IPs). Three ports are used: 80 that just redirects to HTTPS, 443 that handles the web traffic (encrypted using Let's Encrypt) and 10000/UDP that handles the webRTC.

Current Installation

[edit]

The installation was jitsi meet on docker with internal authentication enabled. The instance is jitsi.meet.eqiad.wmflabs (a large instance) that serves as video bridge, the interface and everything else. The config can be found here (private repo, it contains secrets).

Note Note: After changing the .env file, you need to wipe the config volume otherwise the containers won't pick it up.

Maintenance

[edit]

Creating new users

[edit]

Inside the jitsi node

[edit]
cd /srv/jitsi
sudo docker-compose exec prosody /bin/bash

And then create the account:

prosodyctl --config /config/prosody.cfg.lua register TheDesiredUsername meet.jitsi TheDesiredPassword

Web

[edit]

Go to https://meet-auth.wmflabs.org/generate_token and put the Ticketmaster token that's given to you (if you don't know what that it, you don't have the rights). It gives you a long random string, use it in https://meet-auth.wmflabs.org/create to create account and it should be there in five minutes. The user-creating tickets (tokens) are one time use.

How does it work internally?

The codebase for the auth system can be found in here (private repo) and has three parts:

  1. The server: it's a flask server that's exposed to web on port 5000. This uses hashing and salting to protect the token plus it's only one-thread and sleeps two seconds for each authentication to avoid brute force. Once create user is succesful, it calls all of its clients (the jitsi server)
  2. The client(s): The client is insecure flask sever exposed on port 4000 (but not to public) that receives the request for creating users from the server and then add it to a file called user_to_create.json
  3. The cronjob: The cronjob is the bash file that reads from the json and runs the create account on the prosody docker container. The cronjob currently is being ran every minute * * * * * bash /srv/meet-auth/create_cron.sh >> /var/log/create_cron.out 2>> /var/log/create_cron.err

Note: Server is on meet-auth.eqiad.wmflabs but client is jitsi.eqiad.wmflabs

Monitoring

[edit]
[edit]