I run CentOS 8 Stream.
I’ve followed the guide for dockerised Jitsi here:
It works when started via docker-compose, but only as the root user.
As I plan to run Jitsi on a public server, I have security concerns regarding this and tried to run it as a non-root user.
The containers were running as the non-root user; however, the Web is not accessible (the ports can be seen to be open, though).
Does anybody run dockerised Jitsi as a non-root user, and if so, what needs to be done differently from running as the root user?
You can run it as a regular user, just make sure you add it to the Docker group and you should be able to bind to ports 80 and 443.
Thank you for the answer.
I’ve done this and the containers start and are running; however, I get a 404 error in the Web GUI:
I can see that containers are up as shown via ‘docker ps’:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d77adaa77a94 jitsi/jicofo:stable-5390-3 "/init" 7 minutes ago Up 7 minutes docker-jitsi-meet-stable-5390-3_jicofo_1
fcc2aeb2eb3e jitsi/jvb:stable-5390-3 "/init" 7 minutes ago Up 7 minutes 0.0.0.0:4443->4443/tcp, 0.0.0.0:10000->10000/udp docker-jitsi-meet-stable-5390-3_jvb_1
231e8b3a8583 jitsi/prosody:stable-5390-3 "/init" 7 minutes ago Up 7 minutes 5222/tcp, 5280/tcp, 5347/tcp docker-jitsi-meet-stable-5390-3_prosody_1
0e1324af0bf0 jitsi/web:stable-5390-3 "/init" 7 minutes ago Up 7 minutes 0.0.0.0:8000->80/tcp, 0.0.0.0:8443->443/tcp docker-jitsi-meet-stable-5390-3_web_1
The GUI is reachable when started via ‘docker-compose up -d’ as root.
Which logs should I check to isolate the issue?
I’ve checked logs of all 4 containers but could not find any error indicating the root cause.
Do you have anything in syslog?
I’ve found a suspicious message regarding iptables, which doesn’t happen while running the containers as root:
firewalld: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-a80ed7271004 -o br-a80ed7271004 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
I’m not familiar with the firewall system CentOS ships with. I’d disable it just to confirm that’s the root cause, and then start digging as to why the failure happens.
I’ve discovered that I can access the Web services of Jitsi running as the non-root user by using the IP address, not the domain name.
When I run Jitsi as the root user, I can access the Webex service via the domain name, but not via the IP address.
Now I’ve found that I can connect via both the domain and the IP address from a different browser.
Feel free to laugh, I’ve never seen this kind of issue before. I’ve been looking at the opposite end.