Integrate selkies-gstreamer to Jupyter and Coder (just like noVNC) #64
Comments
Messing around trying to get this working with coder. Can access the web endpoint fine but webrtc fails. When using Ideally there would be a way to manually specify the ports/ip used to get around this, though I'm not sure how tenable that is. I haven't tested using a turn server because if I have to fall back to that I'll just end up going with something like KasmVNC which works seamlessly over a single port. |
This looks super promising. Will check it out tomorrow, thanks! |
Hey, have messed around a bit with this. Had to switch to using the egl container as I am not using a gpu for testing. While this boots and works fine, it still requires a turn server which does not work due to firewall restrictions. Plus I cannot justify needing to run a separate turn server. How difficult would it be to be able to pin ports needed so that a direct connection could be established using |
https://github.com/selkies-project/docker-nvidia-egl-desktop#running-with-kubernetes Maybe the internal TURN server option could work here. |
That might work since can limit it to only two ports. Will give it a try and see! Though actually may run into the issue earlier where the internal ip of the pod doesn't match the forwarded (127.0.0.1). Will update how it goes |
Yea so when doing ice negotiation it is advertising the internal pod ips (10.x.x.x) so ice still fails as that address is not resolvable. It has to advertise something like 127.0.0.1 or localhost etc so that the client attempts to connect via the port forward. I ran into this issue when originally testing as mentioned above. Having an option to override what ip is advertised would probably fix this. |
Actually I don't seem to be able to get it to use the internal turn server. Checking the logs its still advertising defaults |
Wait I'm being dumb. Was missing the turn host env var, it's further down the docs and didn't notice it. |
Hmm, now I'm getting proper advertising but even though the internal server advertises 65535 as an option it is still listening on the old ports and not 65535 |
@Inrixia What's your precise settings? |
Same as the template you gave. But only turn settings are min port, max port, turn port, turn host, turn protocol |
The turn port is listened on. But the min and max ports (65534-65535) are not. So when they are advertised they are unreachable afaik |
Very strange. You specified TURN_MIN_PORT and TURN_MAX_PORT? |
Yep. If you have the chance can you share a working config? Maybe I'm missing something obvious. This is running on a normal coder deployment on aks and I can see what ports the container is listening on. I'm using the coder cli to port forward and it works fine. Just need to get the ice negotiation to use the right ports. Setting the turn host ip fixed the issue with it not using 127... Too so afaik it's just the underlying server not listening on the range that's the issue. |
If you do not specify anything on SELKIES_TURN_HOST, it will automatically resolve to the external IP of that instance. Let me check something quickly now about the port range. |
Yep, the ip issues were resolved by specifying the host arg. Just the ports listening issue now afaik |
@Inrixia In |
I need to see the input for:

```dockerfile
# Configure coTURN script
RUN echo "#!/bin/bash\n\
set -e\n\
turnserver \
--verbose \
--listening-ip=\"0.0.0.0\" \
--listening-ip=\"::\" \
--listening-port=\"\${SELKIES_TURN_PORT:-3478}\" \
--realm=\"\${TURN_REALM:-example.com}\" \
--external-ip=\"\${TURN_EXTERNAL_IP:-\$(dig TXT +short @ns1.google.com o-o.myaddr.l.google.com 2>/dev/null | { read output; if [ -z \"\$output\" ] || echo \"\$output\" | grep -q '^;;'; then exit 1; else echo \"\$(echo \$output | sed 's,\\\",,g')\"; fi } || dig -6 TXT +short @ns1.google.com o-o.myaddr.l.google.com 2>/dev/null | { read output; if [ -z \"\$output\" ] || echo \"\$output\" | grep -q '^;;'; then exit 1; else echo \"\$(echo \$output | sed 's,\\\",,g')\"; fi } || hostname -I 2>/dev/null | awk '{print \$1; exit}' || echo '127.0.0.1')}\" \
--min-port=\"\${TURN_MIN_PORT:-49152}\" \
--max-port=\"\${TURN_MAX_PORT:-65535}\" \
--channel-lifetime=\"\${TURN_CHANNEL_LIFETIME:--1}\" \
--lt-cred-mech \
--user \"selkies:\${TURN_RANDOM_PASSWORD}\" \
--no-cli \
--cli-password=\"\${TURN_RANDOM_PASSWORD:-\$(tr -dc 'A-Za-z0-9' < /dev/urandom 2>/dev/null | head -c 24)}\" \
--allow-loopback-peers \
\${TURN_EXTRA_ARGS} \$@\
" > /etc/start-turnserver.sh && chmod -f 755 /etc/start-turnserver.sh
```
|
External IP SHOULD NOT be 127.0.0.1. It should be your real IP that clients should know (public IP if over the internet, private IP if confined to LAN). Otherwise, I don't see why opening 65534 and 65535 in the Coder configuration shouldn't work. |
I'm accessing the coder service via So that should be fine. I have ports 8081, 3478 & 65534-65535 forwarded on tcp/udp. Coder reports ports that it sees as open and 65534-65535 is not listed but 8081, 3478 and other ports are. When attempting to connect other ports like 58xxx are also opened so clearly the server is trying to negotiate but using the wrong ports. |
Port should be 8080. It should go through NGINX because the interfaces themselves only allow loopback access for security. |
Tried 8080 same thing. Though I did notice that the advertisements do still have the inaccessible internal ip in them.
10.224.1.158 is a pod ip that is not accessible. |
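Added example, not part of the thread or of the selkies-gstreamer project: a small classifier for the ICE candidate lines visible in chrome://webrtc-internals, flagging the two symptoms discussed above (host candidates carrying a private pod IP, and relay candidates on ports outside the forwarded range). The sample lines are constructed, and the function names and the 65534-65535 check are assumptions taken from the port range mentioned in this thread.

```javascript
// Candidate grammar follows the SDP "candidate" attribute (RFC 8839):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null; // not a candidate line
  return {
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(), // host | srflx | prflx | relay
  };
}

// IPv4 only; IPv6 addresses and mDNS ".local" names are reported as "other".
function addressScope(addr) {
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "other";
  if (o[0] === 127) return "loopback";
  const rfc1918 = o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
  return rfc1918 ? "private" : "public";
}

// portAllowed: predicate describing which relay ports are actually forwarded.
function diagnose(lines, portAllowed) {
  const cands = lines.map(parseCandidate).filter(Boolean);
  const findings = [];
  if (!cands.some((c) => c.type === "relay")) {
    findings.push("no relay candidate: no TURN allocation was gathered");
  }
  for (const c of cands) {
    if (c.type === "host" && addressScope(c.address) === "private") {
      findings.push(`host candidate ${c.address}:${c.port} is a private address the client may not be able to reach`);
    }
    if (c.type === "relay" && !portAllowed(c.port)) {
      findings.push(`relay candidate port ${c.port} is outside the forwarded range`);
    }
  }
  return { cands, findings };
}

// Constructed sample lines (not captured from a real session).
const SAMPLE = [
  "candidate:1 1 udp 2122260223 10.224.1.158 58123 typ host generation 0",
  "candidate:2 1 tcp 1518280447 10.224.1.158 9 typ host tcptype active",
  "a=candidate:3 1 udp 41885439 127.0.0.1 51000 typ relay raddr 0.0.0.0 rport 0",
];
const inForwardedRange = (p) => p >= 65534 && p <= 65535;
console.log(diagnose(SAMPLE, inForwardedRange).findings.join("\n"));
```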
Then, you should change |
Need the logs in chrome://webrtc-internals |
As the discussion seems to be around TURN server, could you please test your Public turn server from: https://icetest.info/ Ideally it should output ICE candidates of type |
This is what I get testing the public ice server in icetest.com
|
I'll test my private one when I get the time |
I don't see any |
Quick question regarding having a turn server hosted. If it's hosted in a private network but all machines have access to it then that should work right? Or is it impossible to utilize a turn server over a private network that isn't internet facing? |
If the device from which you're accessing is part of that private network then it should work. |
Yea, I'll post the results using the private turn server once I spin it back up. It's accessible from both the client and container so should work. But I was getting the same issue as above with it so maybe I'm missing something. Will see. |
Yea that's pretty much exactly the issue I'm running into. Is there no solution to this? |
Likely requires settings from the coTURN side. Should be possible but I do not have a specific answer. |
@Inrixia could you please share your private turn server setup? Like how you're running CoTURN? As a container or in K8s? If k8s then mind sharing the manifest? Also, have you tried STUNner? I've been trying it out, but for some reasons unable to make it work as my K8s is self hosted on a single private VM. |
I've been using stunner on aks but have had similar issues. Just using the default udp config. But I'll try to post the info about its connectivity when I get the chance. |
Finally, I got the private CoTURN to work. Here's the docker command:
Change the relay-ip to the machine IP. Also yeah, it has to be running on |
Please do a PR in docs about this. @PMohanJ I will review personally. Make sure to search all the docs related to coTURN. |
@Inrixia could you please confirm us if this coTURN setup is working in your case? |
It's a docker config so wouldn't apply to my environment. |
Could you explain your environment? This is what I was asking yesterday..
|
It's running on aks, for turn I'm using stunner. Services aren't exposed on a public ip, the client used to connect is doing so via private ip. Similar to hosting a k8s cluster yourself. |
Oh, so far your private/public TURN server is based on STUNner, but not coTURN. |
Ah, good to know. I can try running coturn on the cluster instead to see if that works if stunner is broken for private address space. Will update when I get the time to mess with it more. |
@Inrixia I had a conversation with the maintainer.
But the maintainer recommends to go with |
Awesome! Thanks will try this and update how it goes |
So I've tried using that config but still getting an endless |
Could you open the DevTools of the browser and check for the ICE candidates being exchanged over Also if you could come over discord and share this config setup along with stunner pod logs, it'd be helpful to further debug this. |
@Inrixia #165 (comment) |
I'll give it a shot if I get time. Thanks for keeping me up to date |
Has anyone done this? Wanting to use this with Coder, no clue where to start, if it's feasible, etc. Would be nice to have a quick way of doing so. |
@gitizenss |
Update:
We currently have this Coder configuration working self-hosted:
entrypoint.sh for Coder:

```bash
set -e
supervisord
```
Open main.tf
Self-explanatory. Just like VS Code Server and noVNC, a button click in Jupyter should lead to a window with Selkies.
This will help greatly in robotics, simulations, and other kinds of research.
External contribution dearly expected.
It can be a separate project, a PR, or any other form of contribution.
Integration with Jupyter Docker containers should also be possible.
Creating a template for Coder would also be of interest.