Isolate Coturn from services in the default Docker network

Most (all?) of our Matrix services are running in the `matrix` network, so they were safe -- not accessible from Coturn to begin with. Isolating Coturn into its own network is a security improvement for people who were starting other services in the default Docker network. Those services were potentially reachable over the private Docker network from Coturn. Discussed in #120 (Github Pull Request)
2025-04-18 02:15:41 +02:00 · 2019-03-18 17:36:00 +02:00 · 2019-03-18 17:36:00 +02:00 · 24cf27c60c
commit 24cf27c60c
parent c6858d2a08
4 changed files with 27 additions and 0 deletions
--- a/group_vars/matrix-servers
+++ b/group_vars/matrix-servers
@ -90,6 +90,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
 ######################################################################

 matrix_coturn_enabled: true
+
 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"

 ######################################################################
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@ -2,6 +2,15 @@ matrix_coturn_enabled: true

 matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1"

+# The Docker network that Coturn would be put into.
+#
+# Because Coturn relays traffic to unvalidated IP addresses,
+# using a dedicated network, isolated from other Docker (and local) services is preferrable.
+#
+# Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
+# possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.
+matrix_coturn_docker_network: "matrix-coturn"
+
 matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
 matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"

--- a/roles/matrix-coturn/tasks/setup_coturn.yml
+++ b/roles/matrix-coturn/tasks/setup_coturn.yml
@ -25,6 +25,22 @@
    mode: 0644
  when: matrix_coturn_enabled

+# `docker_network` doesn't work as expected when the given network
+# is a substring of a network that already exists.
+#
+# See our other comments in `roles/matrix-base/tasks/setup_matrix_base.yml`
+- name: Check existence of Coturn network in Docker
+  shell:
+    cmd: "docker network ls -q --filter='name=^{{ matrix_coturn_docker_network }}$'"
+  register: matrix_coturn_result_docker_network
+  changed_when: false
+  when: matrix_coturn_enabled
+
+- name: Create Coturn network in Docker
+  shell:
+    cmd: "docker network create --driver=bridge {{ matrix_coturn_docker_network }}"
+  when: "matrix_coturn_enabled and matrix_coturn_result_docker_network.stdout == ''"
+
 - name: Ensure matrix-coturn.service installed
  template:
    src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@ -15,6 +15,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
+			--network={{ matrix_coturn_docker_network }} \
 			-p 3478:3478 \
 			-p 3478:3478/udp \
 			-p {{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}:{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp \