[OpenSIPS-Users] Dockerize OpenSIPS

Gerwin van de Steeg gerwin.van.de.steeg at vadacom.com
Mon May 4 14:11:33 EST 2020


The problem with kubernetes and freeswitch and the like running inside
docker (for example for testing) is the NAT layer. You can easily end up
with multiple layers of NAT.

The problem with running these applications on kubernetes is the fact that
k8s is designed and built around TCP traffic, not UDP. In addition to
exposing only traffic by default to other pods inside the cluster. If you
want to give access to the nodes from outside, you either have to use
only TCP traffic in which case a standard Service with a LoadBalancer
should work from a raw networking perspective, however this does make
issuing re-invites problematic due to all nodes being exposed with a single
external IP set (depending on load balancer).
The next problem will be the RTP traffic over UDP, in k8s you cannot expose
a range of ports in a pod template, which means you need to expose each
port individually in the pod template, the service definitions, etc...
but these can be portmapped with external ports not matching the internal
port the pod received traffic on.
You "could" solve this using NodePort type service definition, but then you
have a limit of one node can only run one pod, because the ports cannot be
used by multiple instances and you'd need to define pod anti affinity rules
and other ways of sorting which pods can live on which nodes.

There are many many problems regarding networking with UDP traffic on k8s,
before you step into the ipv6 & ipv4 dual stack functionality (which is in
alpha as of k8s 1.16, before that you have to choose one IP stack to use).

And that doesn't even step into the problems you can find with no-root
privilege pods, network security policies, namespaces, RBAC, pod security
policies, etc.

The advantages of course are you can easily dynamically scale up/down your
capacity as needed using suitable metrics and pod scaling systems (manual
or automatic).
You can easily leverage A/B testing with multiple deployments. There are
many many benefits.

I would say.. run OpenSIPS/freeswitch/asterisk outside of k8s, run
everything else inside since TCP, HTTP and the like is a lot easier to deal
with.

On Sun, 3 May 2020, 01:20 H Yavari via Users, <users at lists.opensips.org>
wrote:

> Honestly, I see this topic also when people are comparing these for
> telephony services like AS/FS and etc.
>
> My knowledge isn't very deep about LXC. But you can see this battle here
> also:
>
> https://community.freepbx.org/t/unofficial-docker-image-of-freepbx-15-asterisk-16-izpbx-project/66357/10
>
> Need others' ideas about it.
>
> Regards,
> HYavari
>
>
> On Saturday, May 2, 2020, 5:35:27 PM GMT+4:30, Saint Michael <
> venefax at gmail.com> wrote:
>
>
> The ideal platform to run opensips, asterisk, etc. is LXC containers, not
> docker. Unless I misunderstand docker, you may only dockerize applications,
> while in LXC you containerize the equivalent of full virtual machines, all
> apps together as a unit. Performance is identical to docker, for both use
> the same technology at the kernel level.
> Please correct me if I am wrong.
>
> On Sat, May 2, 2020 at 8:34 AM David Villasmil <
> david.villasmil.work at gmail.com> wrote:
>
> They all get their dialplan/config from an API backend. They’re DB
> agnostic.
>
> On Sat, 2 May 2020 at 13:28, H Yavari <hyavari at rocketmail.com> wrote:
>
> Thank you David,
> Interested to know, you are running a cluster/group of FS with centralized
> DB, with same functionality?
>
>
> Regards,
> HYavari
>
>
> On Saturday, May 2, 2020, 4:54:01 PM GMT+4:30, David Villasmil <
> david.villasmil.work at gmail.com> wrote:
>
>
> Hello,
>
> I have never run into those problems. The people I’ve seen running into
> them are doing thousands upon thousands of packets per second. Hardware is
> cheap nowadays, I just spread the load.
>
> I wouldn’t dockerize rtpengine, although I know people who do.
>
> In a normal setup probably you won’t run into them, we run freeswitch on
> containers for production without a hitch (I must stress I was very
> reluctant to do that a few years ago, but docker has come a long way since
> then).
>
> David
>
> On Sat, 2 May 2020 at 12:42, H Yavari <hyavari at rocketmail.com> wrote:
>
> Thank you David.
>
> What do you think about networking concerns? You mentioned them but I
> didn't get your point.
> RTP restrictions, port proxy, iptables, fail2ban are top ones.
>
> PS: No matter which telephony platform (Asterisk/FS/OpenSIPS/Kamailio),
> these concerns are in general.
> PS: We have more challenges with projects like Freepbx.
>
>
> Regards,
> HY
>
>
>
> On Saturday, May 2, 2020, 3:48:11 PM GMT+4:30, David Villasmil <
> david.villasmil.work at gmail.com> wrote:
>
>
> Not sure about OpenSIPS specifically, but I would assume it has been
> implemented in docker just as much as kamailio and freeSWITCH/Asterisk.
>
> This is done all over the world. Docker is not an emulator or a virtual
> machine host. When you run something on docker, its speed is (almost)
> exactly the same as running it on the host itself, since there’s no OS
> overhead, it works by separating processes via Cgroups, not by virtualizing
> or emulating hardware.
>
> Quote:
>
> The Docker technology uses the Linux kernel
> <https://www.redhat.com/en/topics/linux/what-is-the-linux-kernel> and
> features of the kernel, like Cgroups
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html>
> and namespaces <https://lwn.net/Articles/528078/>, to segregate
> processes so they can run independently. This independence is the intention
> of containers - the ability to run multiple processes and apps separately
> from one another to make better use of your infrastructure while retaining
> the security <https://www.redhat.com/en/topics/security> you would have
> with separate systems.
>
> So in simple terms, docker simply separates processes.
>
> There ARE, nonetheless, some problems with dockerizing everything. I have
> read issues like if the network traffic is way way way too high, you may
> encounter issues like dropped packets, etc. but this is a problem on the
> networking side, i.e. the iptables rules. Also the natting related to using
> docker can be cumbersome, but once you’re over that, it’s home free.
>
> So, as long as you manage your infrastructure well, you shouldn’t have
> problems.
>
> In terms of troubleshooting a failing container, all logging should be
> sent to some log server, and you can do your troubleshooting there. Also,
> don’t kill a failing container so you can access it (via ssh or attach or
> exec) and troubleshoot it.
>
> The pros of using docker/k8s greatly outweigh the cons, in my opinion.
>
> Hope this helps.
>
> David
>
> On Sat, 2 May 2020 at 11:33, H Yavari via Users <users at lists.opensips.org>
> wrote:
>
> Thank you Johan,
>
> When your infrastructure goes to run with k8s or other same platforms,
> it's hard to make some exceptions.
> Also software like opensips that is working just with DB can run very
> smoothly.
>
> Although I haven't seen any problem yet after moving it to containers, but
> I am interested in hearing from others and developers team.
>
>
> Regards,
> HY
>
>
> --------
> On Saturday, May 2, 2020, 12:51:51 PM GMT+4:30, johan <johan at democon.be>
> wrote:
>
>
> First of all, I am not aware of a production kubernetes cluster.
>
> Using containers has advantages : fast install, easy to move.  The
> annoying thing is that if it goes wrong, it is not easy to troubleshoot.
> Secondly, you add an extra abstraction layer, abstraction (most of the
> time) reduces speed and decreases capacity.
>
> In short : it all depends on the size of your system. In ip4 I don't see
> the advantage.  What could be a nice scalable system, is to deploy on ip6
> with anycast.
>
> Just my thoughts ...
> On 2/05/2020 07:49, H Yavari via Users wrote:
>
> Hi to all,
>
> As you know docker and K8s, are growing quickly. So we dockerized Asterisk
> and OpenSIPS also.
> But I see some community members are against it. They have some reasons
> like NAT, RTP ports and performance.
>
> Do you agree with them ?
> Is there any successful large scale OpenSIPS cluster based on K8s ?
>
>
> Thanks for sharing your experiences.
>
>
> Regards,
> HY
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> --
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
>
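
An added example, not part of any message in this thread: a small lint check for the RTP port problem described in the reply at the top (no port ranges, one entry per port, and Service mappings whose external port does not match the port the pod receives traffic on). The function name, the sample Service and the 10000-10003 range are constructed for illustration.

```python
# Added example: lint a Kubernetes Service spec against an RTP port range.
# SAMPLE_SERVICE and the 10000-10003 range are constructed sample data.

def check_rtp_service(service, rtp_min, rtp_max):
    """Return (missing, remapped, wrong_proto) for the RTP range.

    missing:     RTP ports with no entry (there is no port-range syntax,
                 so every port needs its own entry)
    remapped:    (external, internal) pairs where the externally reachable
                 port differs from the port the pod receives traffic on
    wrong_proto: in-range entries not declared UDP (the default is TCP)
    Assumes numeric targetPort values, not named ports.
    """
    wanted = set(range(rtp_min, rtp_max + 1))
    seen, remapped, wrong_proto = set(), [], []
    for entry in service["spec"].get("ports", []):
        port = entry["port"]
        target = entry.get("targetPort", port)  # targetPort defaults to port
        if target not in wanted:
            continue
        seen.add(target)
        if entry.get("protocol", "TCP") != "UDP":
            wrong_proto.append(target)
        external = entry.get("nodePort", port)  # nodePort is the outside port
        if external != target:
            remapped.append((external, target))
    return sorted(wanted - seen), sorted(remapped), sorted(wrong_proto)


SAMPLE_SERVICE = {
    "kind": "Service",
    "spec": {
        "type": "NodePort",
        "ports": [
            {"name": "rtp-10000", "protocol": "UDP", "port": 10000,
             "targetPort": 10000, "nodePort": 30000},
            {"name": "rtp-10001", "protocol": "UDP", "port": 10001,
             "targetPort": 10001, "nodePort": 30001},
            # protocol omitted, so this entry is TCP and carries no RTP
            {"name": "rtp-10002", "port": 10002, "targetPort": 10002},
        ],
    },
}

if __name__ == "__main__":
    missing, remapped, wrong_proto = check_rtp_service(SAMPLE_SERVICE, 10000, 10003)
    print("missing:", missing)
    print("remapped:", remapped)
    print("not UDP:", wrong_proto)
```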