Update docker image to ubuntu:24.04 and latest versions of dependencies

Cargo.toml

@@ -16,13 +16,14 @@ crate_type = ["cdylib"]
 lto = true
 
 [dependencies]
+glib-sys = "0.19"
 janus-plugin = "0.13"
-once_cell = "1.2"
+once_cell = "1.19"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 rust-ini = "0.13"
-jsonwebtoken = "7.0"
-num_cpus = "1.12.0"
+jsonwebtoken = "7.2"
+num_cpus = "1.16.0"
 
 [patch.crates-io]
 janus-plugin-sys = { git = "https://github.com/networked-aframe/janus-plugin-rs", branch = "master" }

docker/Dockerfile

@@ -1,12 +1,16 @@
-FROM ubuntu:20.04
-# If you want to build the docker image on Raspberry Pi OS (based on debian bullseye)
+ARG IMAGE=ubuntu:24.04
+FROM $IMAGE AS build
+# If you want to build the docker image on Raspberry Pi OS (based on debian bookworm)
 # and then copy the build artifacts on the host to run janus without docker,
-# comment "FROM ubuntu:20.04" and uncomment those two lines:
-# FROM debian:bullseye
-# RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal
-# Installing rustup is needed to have a recent cargo version (1.61.0),
-# ubuntu:20.04 uses cargo 1.57.0 that is recent enough, but debian:bullseye uses cargo 1.46.0
-# that has an issue that produces the error "error inflating zlib stream; class=Zlib" when getting crate dependencies.
+# change the base image with docker build --build-arg="IMAGE=debian:bookworm"
+#
+# Look at the version used in
+# https://github.com/meetecho/janus-gateway/blob/master/.github/workflows/janus-ci.yml
+
+# For a debug build with libasan, add libasan8 to apt list in the two phases, uncomment JANUS_DEBUG_CFLAGS and JANUS_DEBUG_LDFLAGS and use the janus-plugin-sfu debug instructions.
+# Run with:
+# docker run --net=host -e EVENT_LOOPS=4 -e MESSAGE_THREADS=1 janus:latest
+# to see the memory leaks on stdout when you ctrl+c the container if any. Using docker compose up doesn't show anything.
 
 RUN apt-get -y update && DEBIAN_FRONTEND="noninteractive" TZ="Europe/Paris" apt-get install -y libmicrohttpd-dev \
     libjansson-dev \
@@ -26,7 +30,7 @@ RUN apt-get -y update && DEBIAN_FRONTEND="noninteractive" TZ="Europe/Paris" apt-
     cmake \
     unzip \
     zip \
-    cargo \
+#    libasan8 \
     wget \
     curl \
     iproute2 && \
@@ -35,67 +39,104 @@ RUN apt-get -y update && DEBIAN_FRONTEND="noninteractive" TZ="Europe/Paris" apt-
     rm -rf /var/lib/apt/lists/*
 
 
-RUN LIBWEBSOCKET="4.3.2" && wget https://github.com/warmcat/libwebsockets/archive/v$LIBWEBSOCKET.tar.gz && \
+RUN LIBWEBSOCKET="4.3.3" && wget https://github.com/warmcat/libwebsockets/archive/v$LIBWEBSOCKET.tar.gz && \
     tar xzvf v$LIBWEBSOCKET.tar.gz && \
     cd libwebsockets-$LIBWEBSOCKET && \
     mkdir build && \
     cd build && \
-    cmake -DLWS_MAX_SMP=1 -DLWS_WITHOUT_EXTENSIONS=0 -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_C_FLAGS="-fpic" .. && \
+    cmake -DLWS_MAX_SMP=1 -DLWS_WITHOUT_EXTENSIONS=0 -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_C_FLAGS="-fpic" -DLWS_WITH_STATIC=OFF -DLWS_WITHOUT_CLIENT=ON -DLWS_WITHOUT_TESTAPPS=ON -DLWS_WITHOUT_TEST_SERVER=ON -DLWS_WITH_HTTP2=OFF .. && \
     make && make install && \
     cd / && rm -rf libwebsockets-$LIBWEBSOCKET
 
 
-RUN SRTP="2.4.2" && wget https://github.com/cisco/libsrtp/archive/v$SRTP.tar.gz && \
+RUN SRTP="2.6.0" && wget https://github.com/cisco/libsrtp/archive/v$SRTP.tar.gz && \
     tar xfv v$SRTP.tar.gz && \
     cd libsrtp-$SRTP && \
     ./configure --prefix=/usr --enable-openssl && \
     make shared_library && make install && \
     cd / && rm -rf libsrtp-$SRTP
 
 
-# libnice 2021-02-21 11:10 (post 0.1.18)
+# libnice 2020-07-06 13:53 (post 0.1.18)
 RUN git clone https://gitlab.freedesktop.org/libnice/libnice && \
 #    apt-get -y --no-install-recommends install ninja-build meson gtk-doc-tools libgnutls28-dev && \
 #    apt-get remove -y libnice-dev libnice10 && \
     cd libnice && \
-    git checkout 36aa468c4916cfccd4363f0e27af19f2aeae8604 && \
-    meson --prefix=/usr build && \
+    git checkout 48dac0d702b134f7b11b92602c234ba1120cc75b && \
+    meson setup -Dprefix=/usr -Dlibdir=lib -Ddebug=false -Doptimization=0 -Dexamples=disabled -Dgtk_doc=disabled -Dgupnp=disabled -Dgstreamer=disabled -Dtests=disabled build && \
     ninja -C build && \
     ninja -C build install && \
     cd / && rm -rf libnice
 
 
 # datachannel build
-# Jan 13, 2021 0.9.5.0 07f871bda23943c43c9e74cc54f25130459de830
+# Apr 17, 2024 master c4b52c34d4a7ecca6c992ba2f7f09607997d8ead
 RUN git clone https://github.com/sctplab/usrsctp.git && \
     cd usrsctp && \
-    git checkout 0.9.5.0 && \
+    git checkout c4b52c34d4a7ecca6c992ba2f7f09607997d8ead && \
     ./bootstrap && \
-    ./configure --prefix=/usr --disable-programs --disable-inet --disable-inet6 && \
+    ./configure --prefix=/usr --disable-static --disable-programs --disable-inet --disable-inet6 && \
     make && make install && \
     cd / && rm -rf usrsctp
 
 
-# 2022-10-21 15:02 7b6bcdcdbe02dd05932d778592f4c03604a83684 (post v0.13.0 from 0.x branch)
+# 2024-05-09 12:46 (post v0.14.2 from 0.x branch)
+ENV JANUS_COMMIT="a7767ad30b803d96e11b491547bcf5660cb7a937"
+# ENV JANUS_DEBUG_CFLAGS="-O1 -g -ggdb3 -fsanitize=address -fno-sanitize-recover=all -fsanitize-address-use-after-scope"
+# ENV JANUS_DEBUG_LDFLAGS="-fsanitize=address"
+COPY g_list_free_pts.patch /
 RUN git clone -b 0.x https://github.com/meetecho/janus-gateway.git && \
     cd janus-gateway && \
-    git checkout 7b6bcdcdbe02dd05932d778592f4c03604a83684 && \
+    git checkout ${JANUS_COMMIT} && \
+    patch -p1 < ../g_list_free_pts.patch && \
     sh autogen.sh &&  \
-    CFLAGS="${CFLAGS} -fno-omit-frame-pointer" ./configure --prefix=/usr --disable-all-plugins --disable-all-handlers && \
+    CFLAGS="${CFLAGS} ${JANUS_DEBUG_CFLAGS} -fno-omit-frame-pointer" LDFLAGS="${JANUS_DEBUG_LDFLAGS}" ./configure --prefix=/usr --disable-all-plugins --disable-all-handlers && \
     make && make install && make configs && \
     cd / && rm -rf janus-gateway
 
-
+ENV JANUS_SFU_COMMIT="4226d0091b386576d221988c76e11c0d0ef7d215"
+# janus-plugin-sfu release build:
 RUN git clone -b master https://github.com/networked-aframe/janus-plugin-sfu.git && \
     cd janus-plugin-sfu && \
-    git checkout 1914dfa7e22c793f4a684ebeb002304661270519 && \
-    echo version 2 increment this line to invalidate cache of this layer while iterating build during development && \
+    git checkout ${JANUS_SFU_COMMIT} && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y --profile minimal && \
+    . "$HOME/.cargo/env" && \
     cargo build --release && \
     mkdir -p /usr/lib/janus/plugins && \
     mkdir -p /usr/lib/janus/events && \
     cp target/release/libjanus_plugin_sfu.so /usr/lib/janus/plugins && \
     cd / && rm -rf janus-plugin-sfu ~/.cargo
 
+# janus-plugin-sfu debug build:
+# RUN git clone -b master https://github.com/networked-aframe/janus-plugin-sfu.git janus-plugin-sfu && \
+#     cd janus-plugin-sfu && \
+#     git checkout ${JANUS_SFU_COMMIT} && \
+#     curl https://sh.rustup.rs -sSf | sh -s -- --default-toolchain nightly -y && \
+#     . "$HOME/.cargo/env" && \
+#     rustup component add rust-src --toolchain nightly-x86_64-unknown-linux-gnu && \
+#     RUSTFLAGS=-Zsanitizer=address cargo build -Zbuild-std --target x86_64-unknown-linux-gnu && \
+#     mkdir -p /usr/lib/janus/plugins && \
+#     mkdir -p /usr/lib/janus/events && \
+#     cp target/x86_64-unknown-linux-gnu/debug/libjanus_plugin_sfu.so /usr/lib/janus/plugins && \
+#     cd / && rm -rf janus-plugin-sfu ~/.cargo
+
+FROM $IMAGE
+RUN apt-get -y update && DEBIAN_FRONTEND="noninteractive" apt-get install -y \
+    libmicrohttpd12 \
+    libconfig9 \
+    libglib2.0-0 \
+    libjansson4 \
+#    libasan8 \
+    curl \
+    iproute2 && \
+    rm -rf /var/lib/apt/lists/*
+COPY --from=build /usr/lib/libwebsockets.so* /usr/lib/
+COPY --from=build /usr/lib/libsrtp2.so* /usr/lib/
+COPY --from=build /usr/lib/libnice.so* /usr/lib/
+COPY --from=build /usr/lib/libusrsctp.so* /usr/lib/
+COPY --from=build /usr/lib/janus /usr/lib/janus
+COPY --from=build /usr/bin/janus /usr/bin/janus
+
 COPY confs/* /usr/etc/janus/
 RUN chown -R nobody:nogroup /usr/etc/janus/
 COPY --chmod=755 start.sh /start

docker/confs/janus.jcfg

@@ -117,6 +117,19 @@ general: {
 									# only if allow_loop_indication is set to true;
 									# it's set to false by default to avoid abuses.
 									# Don't change if you don't know what you're doing!
+	#task_pool_size = 100			# By default, while the Janus core is single thread
+									# when it comes to processing incoming messages, it
+									# also uses a task pool with an indefinite amount
+									# of helper threads spawned on demand to handle
+									# messages addressed to plugins. If you want to
+									# limit this task pool size with a maximum number
+									# of concurrent threads, set the 'task_pool_size'
+									# property accordingly: a value of '0' means
+									# 'indefinite' and is the default. Notice that
+									# threads are automatically destroyed when unused
+									# for a while, so whatever value you choose simply
+									# puts a cap on the maximum concurrency.
+									# Don't change if you don't know what you're doing!
 	#opaqueid_in_api = true			# Opaque IDs set by applications are typically
 									# only passed to event handlers for correlation
 									# purposes, but not sent back to the user or
@@ -257,8 +270,11 @@ media: {
 # it should work in ICE-Lite mode (by default it doesn't). If libnice is
 # at least 0.1.15, you can choose which ICE nomination mode to use: valid
 # values are "regular" and "aggressive" (the default depends on the libnice
-# version itself; if we can set it, we set aggressive nomination). You can
-# also configure whether to use connectivity checks as keep-alives, which
+# version itself; if we can set it, we set aggressive nomination). If
+# libnice is at least 0.1.19, you can enable consent freshness checks for
+# PeerConnections as well: this will issue regular checks to check whether
+# or not the WebRTC peer isn't available anymore. Enabling consent freshness
+# will automatically also enable using connectivity checks as keep-alives, which
 # might help detecting when a peer is no longer available (notice that
 # current libnice master is breaking connections after 50 seconds when
 # keepalive-conncheck is being used, so if you want to use it, better
@@ -273,10 +289,19 @@ nat: {
 	nice_debug = false
 	#full_trickle = true
 	ice_nomination = "aggressive"
+	#ice_consent_freshness = true
 	ice_keepalive_conncheck = false
 	ice_lite = false
 	ice_tcp = false
 
+	# By default, Janus implements a grace period when detecting ICE
+	# failures in PeerConnections, to give time to applications to react
+	# to that, e.g., by enforcing an ICE restart. If you want an ICE
+	# failure to result in the PeerConnection being closed right away
+	# (e.g., with the help of consent freshness) then you can do that
+	# by uncommenting the following property and set it to true
+	#hangup_on_failed = true
+
 	# By default Janus tries to resolve mDNS (.local) candidates: even
 	# though this is now done asynchronously and shouldn't keep the API
 	# busy, even in case mDNS resolution takes a long time to timeout,

docker/confs/janus.jcfg.sample

@@ -117,6 +117,19 @@ general: {
 									# only if allow_loop_indication is set to true;
 									# it's set to false by default to avoid abuses.
 									# Don't change if you don't know what you're doing!
+	#task_pool_size = 100			# By default, while the Janus core is single thread
+									# when it comes to processing incoming messages, it
+									# also uses a task pool with an indefinite amount
+									# of helper threads spawned on demand to handle
+									# messages addressed to plugins. If you want to
+									# limit this task pool size with a maximum number
+									# of concurrent threads, set the 'task_pool_size'
+									# property accordingly: a value of '0' means
+									# 'indefinite' and is the default. Notice that
+									# threads are automatically destroyed when unused
+									# for a while, so whatever value you choose simply
+									# puts a cap on the maximum concurrency.
+									# Don't change if you don't know what you're doing!
 	#opaqueid_in_api = true			# Opaque IDs set by applications are typically
 									# only passed to event handlers for correlation
 									# purposes, but not sent back to the user or
@@ -257,8 +270,11 @@ media: {
 # it should work in ICE-Lite mode (by default it doesn't). If libnice is
 # at least 0.1.15, you can choose which ICE nomination mode to use: valid
 # values are "regular" and "aggressive" (the default depends on the libnice
-# version itself; if we can set it, we set aggressive nomination). You can
-# also configure whether to use connectivity checks as keep-alives, which
+# version itself; if we can set it, we set aggressive nomination). If
+# libnice is at least 0.1.19, you can enable consent freshness checks for
+# PeerConnections as well: this will issue regular checks to check whether
+# or not the WebRTC peer isn't available anymore. Enabling consent freshness
+# will automatically also enable using connectivity checks as keep-alives, which
 # might help detecting when a peer is no longer available (notice that
 # current libnice master is breaking connections after 50 seconds when
 # keepalive-conncheck is being used, so if you want to use it, better
@@ -273,10 +289,19 @@ nat: {
 	nice_debug = false
 	#full_trickle = true
 	#ice_nomination = "regular"
+	#ice_consent_freshness = true
 	#ice_keepalive_conncheck = true
 	#ice_lite = true
 	#ice_tcp = true
 
+	# By default, Janus implements a grace period when detecting ICE
+	# failures in PeerConnections, to give time to applications to react
+	# to that, e.g., by enforcing an ICE restart. If you want an ICE
+	# failure to result in the PeerConnection being closed right away
+	# (e.g., with the help of consent freshness) then you can do that
+	# by uncommenting the following property and set it to true
+	#hangup_on_failed = true
+
 	# By default Janus tries to resolve mDNS (.local) candidates: even
 	# though this is now done asynchronously and shouldn't keep the API
 	# busy, even in case mDNS resolution takes a long time to timeout,

docker/confs/janus.transport.http.jcfg

@@ -20,6 +20,8 @@ general: {
 	#secure_interface = "eth0"		# Whether we should bind this server to a specific interface only
 	#secure_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address (v4 or v6) only
 	#acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+	#acl_forwarded = true			# Whether we should check the X-Forwarded-For header too for the ACL
+									# (default=false, since without a proxy in the middle this could be abused)
 	#mhd_connection_limit = 1020		# Open connections limit in libmicrohttpd (default=1020)
 	#mhd_debug = false					# Ask libmicrohttpd to write warning and error messages to stderr (default=false)
 }
@@ -46,6 +48,8 @@ admin: {
 	#admin_secure_interface = "eth0"	# Whether we should bind this server to a specific interface only
 	#admin_secure_ip = "192.168.0.1"	# Whether we should bind this server to a specific IP address (v4 or v6) only
 	#admin_acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+	#admin_acl_forwarded = true			# Whether we should check the X-Forwarded-For header too for the admin ACL
+										# (default=false, since without a proxy in the middle this could be abused)
 }
 
 # The HTTP servers created in Janus support CORS out of the box, but by

docker/confs/janus.transport.http.jcfg.sample

@@ -20,6 +20,8 @@ general: {
 	#secure_interface = "eth0"		# Whether we should bind this server to a specific interface only
 	#secure_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address (v4 or v6) only
 	#acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+	#acl_forwarded = true			# Whether we should check the X-Forwarded-For header too for the ACL
+									# (default=false, since without a proxy in the middle this could be abused)
 	#mhd_connection_limit = 1020		# Open connections limit in libmicrohttpd (default=1020)
 	#mhd_debug = false					# Ask libmicrohttpd to write warning and error messages to stderr (default=false)
 }
@@ -44,8 +46,10 @@ admin: {
 	admin_https = false					# Whether to enable HTTPS (default=false)
 	#admin_secure_port = 7889			# Admin/monitor web server HTTPS port, if enabled
 	#admin_secure_interface = "eth0"	# Whether we should bind this server to a specific interface only
-	#admin_secure_ip = "192.168.0.1		# Whether we should bind this server to a specific IP address (v4 or v6) only
+	#admin_secure_ip = "192.168.0.1"	# Whether we should bind this server to a specific IP address (v4 or v6) only
 	#admin_acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+	#admin_acl_forwarded = true			# Whether we should check the X-Forwarded-For header too for the admin ACL
+										# (default=false, since without a proxy in the middle this could be abused)
 }
 
 # The HTTP servers created in Janus support CORS out of the box, but by

docker/confs/janus.transport.websockets.jcfg

@@ -21,6 +21,8 @@ general: {
 									# to debug, supported values: err, warn, notice, info, debug, parser,
 									# header, ext, client, latency, user, count (plus 'none' and 'all')
 	#ws_acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+	#ws_acl_forwarded = true		# Whether we should check the X-Forwarded-For header too for the ACL
+									# (default=false, since without a proxy in the middle this could be abused)
 }
 
 # If you want to expose the Admin API via WebSockets as well, you need to
@@ -39,6 +41,8 @@ admin: {
 	#admin_wss_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address only
 	#admin_wss_unix = "/run/awss.sock"	# Use WebSocket server over UNIX socket instead of TCP
 	#admin_ws_acl = "127.,192.168.0."	# Only allow requests coming from this comma separated list of addresses
+	#admin_ws_acl_forwarded = true		# Whether we should check the X-Forwarded-For header too for the ACL
+										# (default=false, since without a proxy in the middle this could be abused)
 }
 
 # The HTTP servers created in Janus support CORS out of the box, but by

docker/confs/janus.transport.websockets.jcfg.sample

@@ -21,6 +21,8 @@ general: {
 									# to debug, supported values: err, warn, notice, info, debug, parser,
 									# header, ext, client, latency, user, count (plus 'none' and 'all')
 	#ws_acl = "127.,192.168.0."		# Only allow requests coming from this comma separated list of addresses
+	#ws_acl_forwarded = true		# Whether we should check the X-Forwarded-For header too for the ACL
+									# (default=false, since without a proxy in the middle this could be abused)
 }
 
 # If you want to expose the Admin API via WebSockets as well, you need to
@@ -39,6 +41,8 @@ admin: {
 	#admin_wss_ip = "192.168.0.1"		# Whether we should bind this server to a specific IP address only
 	#admin_wss_unix = "/run/awss.sock"	# Use WebSocket server over UNIX socket instead of TCP
 	#admin_ws_acl = "127.,192.168.0."	# Only allow requests coming from this comma separated list of addresses
+	#admin_ws_acl_forwarded = true		# Whether we should check the X-Forwarded-For header too for the ACL
+										# (default=false, since without a proxy in the middle this could be abused)
 }
 
 # The HTTP servers created in Janus support CORS out of the box, but by

docker/docker-compose.yml

@@ -1,4 +1,3 @@
-version: "3.7"
 services:
   janus:
     network_mode: host