Docker Quick Start Guide



Jitsi Meet on Docker

Jitsi is a set of Open Source projects that allows you to easily build and deploy secure videoconferencing solutions. Jitsi Meet is a fully encrypted, 100% Open Source video conferencing solution that you can use all day, every day, for free, with no account needed.

Quick start

In order to quickly run Jitsi Meet on a machine running Docker and Docker Compose, follow these steps:

  1. Download and extract the latest release

    Alternatively, to test the latest changes clone the repository:

  2. Create a .env file by copying and adjusting env.example:

  3. Set strong passwords in the security section options of the .env file by running the following bash script:

  4. Create required CONFIG directories

    • For Linux:
    • For Windows:
  5. Run docker-compose up -d

  6. Access the web UI at https://localhost:8443 (or a different port, in case you edited the compose file).

Note that HTTP (not HTTPS) is also available (on port 8000, by default), but that's e.g. for a reverse proxy setup; direct access via HTTP instead of HTTPS leads to WebRTC errors such as "Failed to access your microphone/camera: Cannot use microphone/camera for an unknown reason. Cannot read property 'getUserMedia' of undefined" or "navigator.mediaDevices is undefined".

If you want to use jigasi too, first configure your env file with SIP credentials and then run Docker Compose as follows:

If you want to enable document sharing via Etherpad, configure it and run Docker Compose as follows:

If you want to use jibri too, first configure a host as described in the JItsi BRoadcasting Infrastructure configuration section and then run Docker Compose as follows:

or to use jigasi too:

Security note

This setup used to have default passwords for internal accounts used across components. In order to make the default setup secure by default, these have been removed and the respective containers won't start without having a password set.

Strong passwords may be generated as follows:

    ./gen-passwords.sh

This will modify your .env file (a backup is saved in .env.bak) and set strong passwords for each of the required options. Passwords are generated using openssl rand -hex 16.

DO NOT reuse any of the passwords.
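One way to check a .env against the three rules above (every internal password set, strong, and not reused), as an added example that is not part of the project's scripts. The variable list is taken from the tables on this page, the 32-character minimum assumes passwords generated with openssl rand -hex 16, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the internal-account secrets in a docker-jitsi-meet .env.
# Variable names come from the tables on this page; trim the list to the
# components you deploy (Jigasi and Jibri are optional).
SECRET_VARS="JICOFO_COMPONENT_SECRET JICOFO_AUTH_PASSWORD JVB_AUTH_PASSWORD
JIGASI_XMPP_PASSWORD JIBRI_RECORDER_PASSWORD"
MIN_LEN=32   # `openssl rand -hex 16` yields 32 hex characters

# env_value FILE VAR: print VAR's value (last assignment wins, quotes stripped).
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# audit_env FILE: print one finding per line (names only, never the secret
# values) and return 0 only when there are no findings.
audit_env() {
  file=$1; findings=0; checked=""
  for var in $SECRET_VARS; do
    val=$(env_value "$file" "$var")
    if [ -z "$val" ]; then
      echo "UNSET  $var"; findings=$((findings + 1))
    elif [ "$val" = passw0rd ] || [ "$val" = s3cr37 ]; then
      echo "SAMPLE $var uses an example value from the documentation"
      findings=$((findings + 1))
    elif [ "${#val}" -lt "$MIN_LEN" ]; then
      echo "SHORT  $var has ${#val} characters, expected at least $MIN_LEN"
      findings=$((findings + 1))
    fi
    for prev in $checked; do          # reuse across components
      if [ -n "$val" ] && [ "$(env_value "$file" "$prev")" = "$val" ]; then
        echo "REUSED $var has the same value as $prev"
        findings=$((findings + 1))
      fi
    done
    checked="$checked $var"
  done
  [ "$findings" -eq 0 ]
}

# write_sample_env FILE: constructed sample input, not a real configuration.
write_sample_env() {
  cat > "$1" <<'EOF'
JICOFO_COMPONENT_SECRET=s3cr37
JICOFO_AUTH_PASSWORD=0f3a9c5d7e1b2a4c6d8e0f1a3b5c7d9e
JVB_AUTH_PASSWORD=0f3a9c5d7e1b2a4c6d8e0f1a3b5c7d9e
JIGASI_XMPP_PASSWORD=
#JIBRI_RECORDER_PASSWORD=disabled-by-comment
EOF
}

# Run against a file when one is given on the command line.
[ $# -eq 0 ] || audit_env "$1"
```

Run it as `sh audit-env.sh .env` (the script name is arbitrary); a non-zero exit status means at least one finding.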

Architecture

A Jitsi Meet installation can be broken down into the following components:

  • A web interface
  • An XMPP server
  • A conference focus component
  • A video router (could be more than one)
  • A SIP gateway for audio calls
  • A Broadcasting Infrastructure for recording or streaming a conference.

The diagram shows a typical deployment in a host running Docker. This project separates each of the components above into interlinked containers. To this end, several container images are provided.

External Ports

The following external ports must be opened on a firewall:

  • 80/tcp for Web UI HTTP (really just to redirect, after uncommenting ENABLE_HTTP_REDIRECT=1 in .env)
  • 443/tcp for Web UI HTTPS
  • 4443/tcp for RTP media over TCP
  • 10000/udp for RTP media over UDP

Also 20000-20050/udp for jigasi, in case you choose to deploy that to facilitate SIP access.

E.g. on a CentOS/Fedora server this would be done like this (without SIP access):

Images

  • base: Debian stable base image with the S6 Overlay for process control and the Jitsi repositories enabled. All other images are based on this one.
  • base-java: Same as the above, plus Java (OpenJDK).
  • web: Jitsi Meet web UI, served with nginx.
  • prosody: Prosody, the XMPP server.
  • jicofo: Jicofo, the XMPP focus component.
  • jvb: Jitsi Videobridge, the video router.
  • jigasi: Jigasi, the SIP (audio only) gateway.
  • etherpad: Etherpad, shared document editing addon.
  • jibri: Jibri, the broadcasting infrastructure.

Design considerations

Jitsi Meet uses XMPP for signaling, thus the need for the XMPP server. The setup provided by these containers does not expose the XMPP server to the outside world. Instead, it's kept completely sealed, and routing of XMPP traffic only happens on a user-defined network.

The XMPP server can be exposed to the outside world, but that's out of the scope of this project.

Configuration

The configuration is performed via environment variables contained in a .env file. You can copy the provided env.example file as a reference.

Variable | Description | Example
CONFIG | Directory where all configuration will be stored | /opt/jitsi-meet-cfg
TZ | System Time Zone | Europe/Amsterdam
HTTP_PORT | Exposed port for HTTP traffic | 8000
HTTPS_PORT | Exposed port for HTTPS traffic | 8443
DOCKER_HOST_ADDRESS | IP address of the Docker host, needed for LAN environments | 192.168.1.1
PUBLIC_URL | Public URL for the web service | https://meet.example.com

NOTE: The mobile apps won't work with self-signed certificates (the default). See below for instructions on how to obtain a proper certificate with Let's Encrypt.

Guide

Let's Encrypt configuration

If you plan on exposing this container setup to the outside traffic directly and want a proper TLS certificate, you are in luck because Let's Encrypt support is built right in. Here are the required options:

Variable | Description | Example
ENABLE_LETSENCRYPT | Enable Let's Encrypt certificate generation | 1
LETSENCRYPT_DOMAIN | Domain for which to generate the certificate | meet.example.com
LETSENCRYPT_EMAIL | E-Mail for receiving important account notifications (mandatory) | alice@atlanta.net

In addition, you will need to set HTTP_PORT to 80 and HTTPS_PORT to 443. You might also consider redirecting HTTP traffic to HTTPS by setting ENABLE_HTTP_REDIRECT=1.

Let's Encrypt rate limit warning: Let's Encrypt has a limit to how many times you can submit a request for a new certificate for your domain name. At the time of writing, the current limit is five new (duplicate) certificates for the same domain name every seven days. Because of this, it is recommended that you disable the Let's Encrypt environment variables from .env if you plan on deleting the .jitsi-meet-cfg folder. Otherwise, you might want to consider moving the .jitsi-meet-cfg folder to a different location so you have a safe place to find the certificate that Let's Encrypt already issued. Or do initial testing with Let's Encrypt disabled, then re-enable Let's Encrypt once you are done testing.

For more information on Let's Encrypt's rate limits, visit: https://letsencrypt.org/docs/rate-limits/

SIP gateway configuration

If you want to enable the SIP gateway, these options are required:

Variable | Description | Example
JIGASI_SIP_URI | SIP URI for incoming / outgoing calls | test@sip2sip.info
JIGASI_SIP_PASSWORD | Password for the specified SIP account | passw0rd
JIGASI_SIP_SERVER | SIP server (use the SIP account domain if in doubt) | sip2sip.info
JIGASI_SIP_PORT | SIP server port | 5060
JIGASI_SIP_TRANSPORT | SIP transport | UDP

Display Dial-In information

Variable | Description | Example
DIALIN_NUMBERS_URL | URL to the JSON with all Dial-In numbers | https://meet.example.com/dialin.json
CONFCODE_URL | URL to the API for checking/generating Dial-In codes | https://jitsi-api.jitsi.net/conferenceMapper

The JSON with the Dial-In numbers should look like this:

JItsi BRoadcasting Infrastructure (Jibri) configuration

Before running Jibri, you need to set up an ALSA loopback device on the host. This will not work on a non-Linux host.

For CentOS 7, the module is already compiled with the kernel, so just run:

For Ubuntu:

NOTE: If you are running on AWS you may need to reboot your machine to use the generic kernel instead of the 'aws' kernel. If after reboot, your machine is still using the 'aws' kernel, you'll need to manually update the grub file. So just run:

If you want to enable Jibri these options are required:

Variable | Description | Example
ENABLE_RECORDING | Enable recording conference to local disk | 1

Extended Jibri configuration:

Variable | Description | Example
JIBRI_RECORDER_USER | Internal recorder user for Jibri client connections | recorder
JIBRI_RECORDER_PASSWORD | Internal recorder password for Jibri client connections | passw0rd
JIBRI_RECORDING_DIR | Directory for recordings inside Jibri container | /config/recordings
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH | The finalizing script. Will run after recording is complete | /config/finalize.sh
JIBRI_XMPP_USER | Internal user for Jibri client connections. | jibri
JIBRI_STRIP_DOMAIN_JID | Prefix domain for strip inside Jibri (please see env.example for details) | muc
JIBRI_BREWERY_MUC | MUC name for the Jibri pool | jibribrewery
JIBRI_PENDING_TIMEOUT | MUC connection timeout | 90
JIBRI_LOGS_DIR | Directory for logs inside Jibri container | /config/logs

For using multiple Jibri instances, you have to select different loopback interfaces for each instance manually.

Set the interface in the file /home/jibri/.asoundrc inside the Docker container.

By default, the first instance has:

To set up the second instance, run the container with a changed /home/jibri/.asoundrc:

You can also use a numeric ID to set the loopback interface. The third instance will have an .asoundrc that looks like:

Authentication

Authentication can be controlled with the environment variables below. If guest access is enabled, unauthenticated users will need to wait until a user authenticates before they can join a room. If guest access is not enabled, every user will need to authenticate before they can join.

Variable | Description | Example
ENABLE_AUTH | Enable authentication | 1
ENABLE_GUESTS | Enable guest access | 1
AUTH_TYPE | Select authentication type (internal, jwt or ldap) | internal

Internal authentication

The default authentication mode (internal) uses XMPP credentials to authenticate users. To enable it you have to enable authentication with ENABLE_AUTH and set AUTH_TYPE to internal, then configure the settings you can see below.

Internal users must be created with the prosodyctl utility in the prosody container. In order to do that, first, execute a shell in the corresponding container:

Once in the container, run the following command to create a user:

Note that the command produces no output.

To delete a user, run the following command in the container:

To list all users, run the following command in the container:

Authentication using LDAP

You can use LDAP to authenticate users. To enable it you have to enable authentication with ENABLE_AUTH and set AUTH_TYPE to ldap, then configure the settings you can see below.

Variable | Description | Example
LDAP_URL | URL for ldap connection | ldaps://ldap.domain.com/
LDAP_BASE | LDAP base DN. Can be empty. | DC=example,DC=domain,DC=com
LDAP_BINDDN | LDAP user DN. Do not specify this parameter for the anonymous bind. | CN=binduser,OU=users,DC=example,DC=domain,DC=com
LDAP_BINDPW | LDAP user password. Do not specify this parameter for the anonymous bind. | LdapUserPassw0rd
LDAP_FILTER | LDAP filter. | (sAMAccountName=%u)
LDAP_AUTH_METHOD | LDAP authentication method. | bind
LDAP_VERSION | LDAP protocol version | 3
LDAP_USE_TLS | Enable LDAP TLS | 1
LDAP_TLS_CIPHERS | Set TLS ciphers list to allow | SECURE256:SECURE128
LDAP_TLS_CHECK_PEER | Require and verify LDAP server certificate | 1
LDAP_TLS_CACERT_FILE | Path to CA cert file. Used when server certificate verification is enabled | /etc/ssl/certs/ca-certificates.crt
LDAP_TLS_CACERT_DIR | Path to CA certs directory. Used when server certificate verification is enabled. | /etc/ssl/certs
LDAP_START_TLS | Enable START_TLS, requires LDAPv3, URL must be ldap:// not ldaps:// | 0

Authentication using JWT tokens

You can use JWT tokens to authenticate users. To enable it you have to enable authentication with ENABLE_AUTH and set AUTH_TYPE to jwt, then configure the settings you can see below.

Variable | Description | Example
JWT_APP_ID | Application identifier | my_jitsi_app_id
JWT_APP_SECRET | Application secret known only to your token | my_jitsi_app_secret
JWT_ACCEPTED_ISSUERS | (Optional) Set asap_accepted_issuers as a comma separated list | my_web_client,my_app_client
JWT_ACCEPTED_AUDIENCES | (Optional) Set asap_accepted_audiences as a comma separated list | my_server1,my_server2
JWT_ASAP_KEYSERVER | (Optional) Set asap_keyserver to a url where public keys can be found | https://example.com/asap
JWT_ALLOW_EMPTY | (Optional) Allow anonymous users with no JWT while validating JWTs when provided | 0
JWT_AUTH_TYPE | (Optional) Controls which module is used for processing incoming JWTs | token
JWT_TOKEN_AUTH_MODULE | (Optional) Controls which module is used for validating JWTs | token_verification

This can be tested using the jwt.io debugger. Use the following sample payload:
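A local way to build and check a test token with openssl, so that JWT_APP_SECRET stays on your workstation; this is an added example, not the project's sample payload or tooling. The claim layout (iss and aud set to JWT_APP_ID, sub set to the XMPP domain, plus room and exp) and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: mint and verify an HS256 token locally with openssl.
# The claim layout (iss/aud = JWT_APP_ID, sub = XMPP domain, room, exp) is an
# assumption; compare it with the sample payload in the project's docs.

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# hs256 SECRET DATA: base64url HMAC-SHA256 of DATA. The secret appears on the
# openssl command line, so use this on a trusted workstation only.
hs256() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" -binary | b64url
}

# mint_jwt APP_ID APP_SECRET DOMAIN ROOM TTL_SECONDS
# Arguments are interpolated into JSON as-is, so they must not contain quotes.
mint_jwt() {
  exp=$(( $(date +%s) + $5 ))
  header=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"%s","aud":"%s","sub":"%s","room":"%s","exp":%d}' \
    "$1" "$1" "$3" "$4" "$exp" | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$(hs256 "$2" "$header.$payload")"
}

# verify_jwt APP_SECRET TOKEN: succeed only for an unexpired token whose header
# declares HS256 and whose HMAC-SHA256 signature matches.
verify_jwt() {
  signed=${2%.*}; sig=${2##*.}
  b64url_decode "${signed%%.*}" | grep -q '"alg":"HS256"' || return 1
  [ "$(hs256 "$1" "$signed")" = "$sig" ] || return 1
  exp=$(b64url_decode "${signed#*.}" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

# jwt_claims TOKEN: print the decoded payload for inspection.
jwt_claims() { p=${1#*.}; b64url_decode "${p%%.*}"; echo; }
```

For instance, `mint_jwt my_jitsi_app_id my_jitsi_app_secret meet.jitsi testroom 300` prints a token valid for five minutes, using the example values from the table above.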

Shared document editing using Etherpad

You can collaboratively edit a document via Etherpad. In order to enable it, set the config options below and run Docker Compose with the additional config file etherpad.yml.

Here are the required options:

Variable | Description | Example
ETHERPAD_URL_BASE | Set etherpad-lite URL | http://etherpad.meet.jitsi:9001

Transcription configuration

If you want to enable the Transcribing function, these options are required:

Variable | Description | Example
ENABLE_TRANSCRIPTIONS | Enable Jigasi transcription in a conference | 1
GC_PROJECT_ID | project_id from Google Cloud Credentials |
GC_PRIVATE_KEY_ID | private_key_id from Google Cloud Credentials |
GC_PRIVATE_KEY | private_key from Google Cloud Credentials |
GC_CLIENT_EMAIL | client_email from Google Cloud Credentials |
GC_CLIENT_ID | client_id from Google Cloud Credentials |
GC_CLIENT_CERT_URL | client_x509_cert_url from Google Cloud Credentials |

For setting the Google Cloud Credentials please read https://cloud.google.com/text-to-speech/docs/quickstart-protocol section 'Before you begin' paragraph 1 to 5.

Advanced configuration

These configuration options are already set and generally don't need to be changed.

Variable | Description | Default value
XMPP_DOMAIN | Internal XMPP domain | meet.jitsi
XMPP_AUTH_DOMAIN | Internal XMPP domain for authenticated services | auth.meet.jitsi
XMPP_SERVER | Internal XMPP server name xmpp.meet.jitsi | xmpp.meet.jitsi
XMPP_BOSH_URL_BASE | Internal XMPP server URL for BOSH module | http://xmpp.meet.jitsi:5280
XMPP_MUC_DOMAIN | XMPP domain for the MUC | muc.meet.jitsi
XMPP_INTERNAL_MUC_DOMAIN | XMPP domain for the internal MUC | internal-muc.meet.jitsi
XMPP_GUEST_DOMAIN | XMPP domain for unauthenticated users | guest.meet.jitsi
XMPP_RECORDER_DOMAIN | Domain for the jibri recorder | recorder.meet.jitsi
XMPP_MODULES | Custom Prosody modules for XMPP_DOMAIN (comma separated) | info,alert
XMPP_MUC_MODULES | Custom Prosody modules for MUC component (comma separated) | info,alert
XMPP_INTERNAL_MUC_MODULES | Custom Prosody modules for internal MUC component (comma separated) | info,alert
GLOBAL_MODULES | Custom prosody modules to load in global configuration (comma separated) | statistics,alert
GLOBAL_CONFIG | Custom configuration string with escaped newlines | foo = bar;\nkey = val;
RESTART_POLICY | Container restart policy | defaults to unless-stopped
JICOFO_COMPONENT_SECRET | XMPP component password for Jicofo | s3cr37
JICOFO_AUTH_USER | XMPP user for Jicofo client connections | focus
JICOFO_AUTH_PASSWORD | XMPP password for Jicofo client connections | passw0rd
JICOFO_ENABLE_HEALTH_CHECKS | Enable health checks inside Jicofo, allowing the use of the REST api to check Jicofo's status | false
JVB_AUTH_USER | XMPP user for JVB MUC client connections | jvb
JVB_AUTH_PASSWORD | XMPP password for JVB MUC client connections | passw0rd
JVB_STUN_SERVERS | STUN servers used to discover the server's public IP | stun.l.google.com:19302, stun1.l.google.com:19302, stun2.l.google.com:19302
JVB_PORT | UDP port for media used by Jitsi Videobridge | 10000
JVB_TCP_HARVESTER_DISABLED | Disable the additional harvester which allows video over TCP (rather than just UDP) | true
JVB_TCP_PORT | TCP port for media used by Jitsi Videobridge when the TCP Harvester is enabled | 4443
JVB_TCP_MAPPED_PORT | TCP port advertised by Jitsi Videobridge | 4443
JVB_BREWERY_MUC | MUC name for the JVB pool | jvbbrewery
JVB_ENABLE_APIS | Comma separated list of JVB APIs to enable | none
JIGASI_XMPP_USER | XMPP user for Jigasi MUC client connections | jigasi
JIGASI_XMPP_PASSWORD | XMPP password for Jigasi MUC client connections | passw0rd
JIGASI_BREWERY_MUC | MUC name for the Jigasi pool | jigasibrewery
JIGASI_PORT_MIN | Minimum port for media used by Jigasi | 20000
JIGASI_PORT_MAX | Maximum port for media used by Jigasi | 20050
JIGASI_ENABLE_SDES_SRTP | Enable SDES srtp | 1
JIGASI_SIP_KEEP_ALIVE_METHOD | Keepalive method | OPTIONS
JIGASI_HEALTH_CHECK_SIP_URI | Health-check extension. Jigasi will call it for health check | keepalive
JIGASI_HEALTH_CHECK_INTERVAL | Interval of health check in milliseconds | 300000
JIGASI_TRANSCRIBER_RECORD_AUDIO | Jigasi will record audio when transcriber is on | true
JIGASI_TRANSCRIBER_SEND_TXT | Jigasi will send a transcribed text to the chat when transcriber is on | true
JIGASI_TRANSCRIBER_ADVERTISE_URL | Jigasi will post an URL to the chat with transcription file | true
DISABLE_HTTPS | Handle TLS connections outside of this setup | 1
ENABLE_HTTP_REDIRECT | Redirect HTTP traffic to HTTPS (necessary for Let's Encrypt) | 1
LOG_LEVEL | Controls which logs are output from prosody and associated modules | info

Running behind NAT or on a LAN environment

If running in a LAN environment (as well as on the public Internet, via NAT) is a requirement, the DOCKER_HOST_ADDRESS should be set. This way, the Videobridge will advertise the IP address of the host running Docker instead of the internal IP address that Docker assigned it, thus making ICE succeed. If your users are coming in over the Internet (and not over LAN), this will likely be your public IP address. If this is not set up correctly, calls will crash when more than two users join a meeting.

The public IP address is discovered via STUN. STUN servers can be specified with the JVB_STUN_SERVERS option.

Build Instructions

Building your images allows you to edit the configuration files of each image individually, providing more customization for your deployment.

The docker images can be built by running the make command in the main repository folder. If you need to overwrite existing images from the remote source, use FORCE_REBUILD=1 make.

If you are on the unstable branch, build the images with FORCE_REBUILD=1 JITSI_RELEASE=unstable make.

You are now able to run docker-compose up as usual.