* Fix permissions during build of bbb-libreoffice-docker
The scripts must be executable by anyone. They are owned by root and
executed by user bigbluebutton.
* Fix permissions during build of bbb-html5
The files must be readable by mongodb. There are no secrets in the file,
so it is safe to be readable by anyone.
* Fix permissions during build of bbb-record-core
Files must be readable by user bigbluebutton.
* Fix more umask issues
Recording scripts were not executable in the builds
---------
Co-authored-by: Daniel Schreiber <daniel.schreiber@hrz.tu-chemnitz.de>

If the build system for packages has a umask of `0077`, cloned
repositories will have no permissions for group and other. As the build
scripts for some packages just copy from cloned git repos, this will
preserve the permissions in the package and prevent the following
services from starting up:
* `bbb-html5`
* `etherpad`
* `bbb-pads`
* `bbb-export-annotations`
* `bbb-rap-*`
This patch grants everyone read permissions to the code in the packages.
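
The umask failure described in the commit message above can be reproduced and audited in a scratch directory. This is an added example, not code from the BigBlueButton build scripts; the function names and the sample tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: reproduce, audit and repair the umask 0077 packaging problem.
# Function names and paths are hypothetical, not BigBlueButton build code.

# Create a constructed "cloned repo" under umask 0077, then copy it into a
# staging directory the way a build script that just copies the clone would.
make_staging() {
    (
        umask 0077
        mkdir -p "$1/clone/scripts"
        echo 'console.log("app")' > "$1/clone/main.js"
        printf '#!/bin/sh\necho run\n' > "$1/clone/scripts/run.sh"
        chmod u+x "$1/clone/scripts/run.sh"
        cp -a "$1/clone" "$1/staging"   # -a preserves the restrictive modes
    )
}

# List every entry that "other" cannot read, and every directory that
# "other" cannot traverse. A service running as a different user than the
# file owner fails on each path printed here.
audit_unreadable() {
    find "$1" \( ! -perm -o=r -o \( -type d ! -perm -o=x \) \) -print | sort
}

# Grant read to everyone. Capital X adds execute only to directories and to
# files that already have an execute bit, so scripts stay runnable and data
# files do not become executable. Only appropriate for trees without secrets.
fix_permissions() {
    chmod -R a+rX "$1"
}

# Stand-alone demo: run the script with --demo to see before and after.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_staging "$tmp"
    echo "Before fix:"; audit_unreadable "$tmp/staging"
    fix_permissions "$tmp/staging"
    echo "After fix (expect no lines):"; audit_unreadable "$tmp/staging"
    rm -rf "$tmp"
fi
```

Running `audit_unreadable` against a package staging tree before the package is assembled catches the problem at build time instead of at service startup.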

The etherpad component's nginx configuration needs to know the request
scheme in order to set some variables that influence whether the
'Secure' flag is set on cookies. Right now it directly uses the $scheme
variable, but this variable does not get set to the expected value if
nginx is behind a reverse-proxy where the proxy handles TLS termination.
Adjust the etherpad nginx config to use a variable with a different name
$real_scheme, which can be set in the nginx server block to match the
configuration of the nginx listeners.
This variable is set to the value of $scheme in the default
/etc/sites-available/bigbluebutton file. The bbb-install.sh script will
be updated to set this variable in the configurations it writes.
People using other installation scripts will need to add this variable
to their nginx configuration file, or etherpad might not operate correctly.

bbb-webrtc-sfu (and mediasoup) are running in the CFS scheduler which
means it has to compete with (much) lower priority tasks like
presentation conversion, recording processing, [...]
Since it encompasses an RTC application which also handles audio, it
should be _at least_ on the same scheduling policy as FS/bbb-html5 - and
that should be safer now with mediasoup which has a lower footprint
(and generates lower CPU noise overall).
This commit puts bbb-webrtc-sfu in the FIFO scheduling policy (same as
bbb-html5). Also bumps bbb-html5 nice level up to 18 and sets SFU to
nice 19 (so bbb-html5 has some advantage when push comes to shove).
This can be improved further by using per-process priorities in SFU.
Ideally we'd want mediasoup audio workers and mcs-core to be the same
priority as FS (so higher than bbb-html5), but the rest of them
(video/screen workers) to be the same or lower than bbb-html5. For
future reference:
- https://github.com/bigbluebutton/bbb-webrtc-sfu/commit/3e245122dfa155ecb77b536eeadac1e4607cee
- 66d443d204

Files are compressed on build, but `gzip_static on` isn't set on their
nginx route - so original files are being served, uncompressed.
This commit serves the previously compressed files instead (thus
reducing initial transfer size by ~1 MB).
Someone should look into whether serving compressed versions of the rest
of the assets makes sense - it probably does.
Still pending: fonts, locales, svgs, everything under resources, ...

* fix unit name: the unit name on Ubuntu is `redis-server.service`
* services which need a working redis require both After= and Wants=
See the description in the `systemd.unit` man page.

yq package is now provided in the BigBlueButton support PPA for BBB 2.5,
so we can depend on the package now. Ensure the dependency is specific
to avoid an incompatible yq version 4 from being installed.