escomputers / freepbx-docker

Dockerized FreePBX 16 with Asterisk 16, PHP 7.4, dedicated MySQL database, Hashicorp Vault integration and data persistence

License: Apache License 2.0
Introduction

This is an MVP Docker Compose application for running FreePBX, a Voice over IP manager for Asterisk, in containers.

Starting this multi-container application gives you a turnkey PBX system for SIP calling, with the database credentials managed by Hashicorp Vault instead of being stored in plain text on the host.

For a simplified version without Vault, check out the branch named "simple".

A separate repository covers running this app in Kubernetes.

  • FreePBX 16
  • Asterisk 16
  • MySQL database support
  • Fail2ban pre-configured with restrictive enforcement rules
  • Data persistence via Docker volumes
  • Base image Debian bullseye-slim
  • Apache2
  • NodeJS 14.x
  • Hashicorp Vault for secret management

Dockerfile scanned by Snyk.

High level scenario

(diagram: logic-scenario)

Implementation

(diagram: implementation)

Volumes

Directory                  Service
/etc                       freepbx
/usr                       freepbx
/home/asterisk             freepbx
/var                       freepbx
/var/run/encrypted-secret  freepbx (shared with the sidecar)
/var/lib                   mysql
/vault                     vault-transit
/vault                     vault

Ports

The following ports are published via Docker.

Port      Description
80        HTTP
443       HTTPS
5038      AMI
8001      UCP
8003      UCP SSL
4569/udp  IAX
5060/udp  PJSIP
5160/udp  SIP
5161/udp  SIP

Note that the docker run command under Installation also publishes 5061/udp, and does not publish 443 (TLS termination is still listed under TODO).

RTP ports 16384-32767/udp need special handling to be exposed properly. Docker has a known problem with publishing large port ranges: every published port starts another docker-proxy process, so publishing roughly 16,000 ports can drive the host into a low-memory condition. As a trade-off, these ports are exposed by adding iptables rules on the Docker host directly. build.sh takes care of that iptables configuration in addition to building and running the image.

Notes

  • ARM hosts are not supported, since Asterisk needs to be compiled differently there.
  • Docker's own iptables rules take precedence over any ufw rule on the system, so ufw does not filter traffic to the published ports.
  • The iptables rules added by build.sh are not persistent: they are lost when the host restarts and must be re-applied.
  • Customize Fail2ban by editing the file fail2ban/jail.local. The current configuration bans an IP for one week after 2 failed SIP registration attempts within 30 seconds.
  • On Windows hosts, all commands must be run as Administrator (do not use Visual Studio terminals; Docker itself must also run as Administrator). You may also hit a low-memory condition that stops the build. To fix this, make sure WSL has enough RAM: create a file named .wslconfig in your user home directory %UserProfile% with the following content (adjust the memory value to your Windows host):
[wsl2]
memory=8GB
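The RTP paragraph and the iptables notes above describe what build.sh does on the host without showing it. The following script is an added example and not the repository's build.sh: it prints the two rules a host needs so that inbound RTP reaches the container without publishing the range through docker-proxy (a DNAT in the nat PREROUTING chain and an ACCEPT in Docker's DOCKER-USER chain, which Docker evaluates before ufw), and applies them idempotently with `iptables -C` so it can be re-run after a reboot. The container IP 172.18.0.20 and RTP range come from this README; the interface name eth0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the repository's build.sh). Generates and optionally
# applies host iptables rules for the Asterisk RTP range. The container IP and
# the range follow the README; WAN_IF=eth0 is an assumption for the trunk-facing
# interface.
set -eu

RTP_RANGE="${RTP_RANGE:-16384:32767}"     # RTP range used by Asterisk
FREEPBX_IP="${FREEPBX_IP:-172.18.0.20}"   # --ip given to the freepbx container
WAN_IF="${WAN_IF:-eth0}"                  # host interface facing the SIP trunk

# Print the rules as text. Nothing is applied here, so this part can be
# inspected on a machine without iptables.
rtp_rules() {
    ip="$1"; range="$2"; iface="$3"
    # DNAT inbound RTP on the public interface to the container; DNAT without
    # a port in --to-destination keeps the original destination port.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $iface -p udp --dport $range -j DNAT --to-destination $ip"
    # Docker sets the FORWARD policy to DROP and only ACCEPTs published ports,
    # so the forwarded RTP must be allowed explicitly. DOCKER-USER is the chain
    # Docker reserves for admin rules; it exists only while Docker runs with
    # iptables integration enabled.
    printf '%s\n' "iptables -I DOCKER-USER -p udp -d $ip --dport $range -j ACCEPT"
}

# Number of rules the generator produces (handy for a sanity check).
rule_count() { rtp_rules "$1" "$2" "$3" | wc -l | tr -d ' '; }

# Apply each rule only if it is not already present: rewriting -A/-I as -C
# makes iptables return non-zero when the rule is missing, so re-running after
# a host restart never duplicates rules.
apply_rules() {
    rtp_rules "$FREEPBX_IP" "$RTP_RANGE" "$WAN_IF" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /; s/ -I / -C /')
        if sh -c "$check" 2>/dev/null; then
            echo "present: $rule"
        elif sh -c "$rule"; then
            echo "added:   $rule"
        else
            echo "failed:  $rule" >&2
        fi
    done
}

case "${1:-}" in
    apply) apply_rules ;;                                   # needs root and iptables
    *)     rtp_rules "$FREEPBX_IP" "$RTP_RANGE" "$WAN_IF" ;; # dry run: print rules
esac
```

Run it without arguments to review the rules, then `sudo sh rtp-rules.sh apply`. Because the README notes these rules disappear on reboot, either run the `apply` mode from a boot-time unit or save the table with `iptables-save` (the iptables-persistent package restores `/etc/iptables/rules.v4` at boot). Verify with `iptables -t nat -L PREROUTING -n --line-numbers` and `iptables -L DOCKER-USER -n`.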

Known issues

The dashboard loads very slowly; it displays correctly after about 90 seconds.


TODO

  • TLS termination

Requirements

  • Docker >= 18.06.0
  • Git
  • One or more VoIP SIP trunks with DIDs

Installation

# Create the password for the MySQL root user
# (printf, not echo, so no trailing newline ends up in the password)
printf "your-mysql-root-password" > mysql_root_password.txt

# Create the password for the FreePBX database user by replacing the
# placeholder 'password' in init.sql. Avoid '/', '&' and '\' in the value,
# or escape them, since they are special to sed's s/// command.
sed -i "s/'password'/'your-password'/g" init.sql

# Restrict file permissions on the root password file
chmod 600 mysql_root_password.txt

# Both passwords are rotated automatically by Vault every day. The rotation
# period can be changed in vault/configure.sh or via the Vault UI.
# Do not set the role TTL below 60 seconds, otherwise the application
# won't be able to read the secret.

# Optional, only if you need Docker installed
bash build.sh --install-docker

# Build images, run database + vault transit and configure RTP ports
bash build.sh

# The next steps are intentionally manual, for security reasons:
# configuring Vault in an automated way would mean handling its tokens in scripts.

# Configure the first Vault instance, which auto-unseals the second one
docker compose exec vault-transit sh /build/configure.sh

# Run the second Vault for secrets management (auto-unsealed by the first instance).
# Note: values passed with -e are readable by anyone who can run
# `docker inspect vault`, so restrict access to the Docker socket.
docker run -d --name vault \
 --restart=unless-stopped \
 --network=freepbx-docker_defaultnet \
 --ip=172.18.0.5 \
 -p 8100:8100 \
 -v vault:/vault \
 --cap-add=IPC_LOCK \
 -e VAULT_ADDR=http://127.0.0.1:8100 \
 -e VAULT_TOKEN=token-printed-by-configure.sh \
 -e MYSQL_ROOT_PASSWORD=$(cat mysql_root_password.txt) \
 vault:custom

# Configure Vault (prints the token the sidecar will use)
docker exec -it vault sh /usr/local/bin/configure.sh

# Run FreePBX. ENCRYPTION_KEY must be identical to the one given to the sidecar:
# the sidecar encrypts the database secret with it into the shared
# /var/run/encrypted-secret volume and FreePBX decrypts it with the same key.
docker run -d \
  --name freepbx \
  --restart=unless-stopped \
  --cap-add=NET_ADMIN \
  -e ENCRYPTION_KEY=your-strong-encryption-key \
  -v var_run:/var/run/encrypted-secret \
  -v var_data:/var \
  -v etc_data:/etc \
  -v usr_data:/usr \
  -v asterisk_home:/home/asterisk \
  --network=freepbx-docker_defaultnet \
  --ip=172.18.0.20 \
  -p 80:80/tcp \
  -p 5038:5038/tcp \
  -p 8001:8001/tcp \
  -p 8003:8003/tcp \
  -p 4569:4569/udp \
  -p 5060:5060/udp \
  -p 5061:5061/udp \
  -p 5160:5160/udp \
  -p 5161:5161/udp \
  escomputers/freepbx:latest

# Run the FreePBX sidecar, which fetches the secret from Vault and writes it,
# encrypted, to the volume shared with the freepbx container
docker run -d \
  --name sidecar-freepbx \
  --restart=unless-stopped \
  -e VAULT_ADDR=http://172.18.0.5:8100 \
  -e VAULT_TOKEN=token-printed-by-usr_local_bin_configure.sh \
  -e ENCRYPTION_KEY=your-strong-encryption-key \
  -v var_run:/var/run/encrypted-secret \
  --network=freepbx-docker_defaultnet \
  sidecar:latest

# Install Freepbx
bash build.sh --install-freepbx

# Optional, clean up containers, network and volumes
bash build.sh --clean-all

Log in to the web server's admin URL, enter an admin username, admin password and email address, and start configuring the system.

Optional but recommended steps

# Disable the commercial module repository
docker exec -it freepbx fwconsole ma disablerepo commercial
# Install all remaining available modules
docker exec -it freepbx fwconsole ma installall
# Remove the FreePBX Firewall module
docker exec -it freepbx fwconsole ma delete firewall
# Apply the configuration and restart Asterisk
docker exec -it freepbx fwconsole reload
docker exec -it freepbx fwconsole restart
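The installation comments state that Vault rotates the database passwords daily, that the period is changed in vault/configure.sh, and that a role TTL under 60 seconds breaks the application, but the page does not show that script. The script below is an added example, not the repository's vault/configure.sh: it parses Vault duration strings, refuses anything under the 60-second floor, and then emits the real Vault CLI commands for a database static role that Vault rotates on a schedule. The mount path `database`, connection name `mysql`, role name `freepbx`, database host `db` and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the repository's vault/configure.sh). Validates a
# rotation period against the README's 60-second floor and prints the Vault
# CLI commands that would configure it. Paths and names are assumptions.
set -eu

MIN_TTL=60   # seconds; below this the freepbx container cannot read the secret in time

# Convert a Vault duration (24h, 90m, 1h30m, 45s, 2d; a bare integer means
# seconds) to an integer number of seconds. Returns 1 on a malformed value.
ttl_to_seconds() {
    total=0; rest="$1"
    [ -n "$rest" ] || { echo "empty duration" >&2; return 1; }
    while [ -n "$rest" ]; do
        num="${rest%%[!0-9]*}"        # leading digits
        rest="${rest#"$num"}"         # strip them
        unit="${rest%%[0-9]*}"        # unit letter(s) up to the next digit
        rest="${rest#"$unit"}"
        [ -n "$num" ] || { echo "bad duration: $1" >&2; return 1; }
        case "$unit" in
            s|"") mult=1 ;;
            m)    mult=60 ;;
            h)    mult=3600 ;;
            d)    mult=86400 ;;
            *)    echo "unknown unit '$unit' in $1" >&2; return 1 ;;
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Succeeds only if the TTL meets the floor; callers branch on the exit code.
check_role_ttl() {
    secs=$(ttl_to_seconds "$1") || return 1
    if [ "$secs" -lt "$MIN_TTL" ]; then
        echo "refusing TTL $1 (${secs}s): must be >= ${MIN_TTL}s" >&2
        return 1
    fi
    return 0
}

# Emit the commands for a static role: Vault keeps the MySQL user's password
# and changes it every rotation_period. The root password is read from the
# MYSQL_ROOT_PASSWORD environment variable at run time, not embedded here.
vault_role_cmds() {
    ttl="$1"
    check_role_ttl "$ttl" || return 1
    cat <<EOF
vault secrets enable database
vault write database/config/mysql \\
    plugin_name=mysql-database-plugin \\
    connection_url="{{username}}:{{password}}@tcp(db:3306)/" \\
    allowed_roles="freepbx" \\
    username="root" password="\$MYSQL_ROOT_PASSWORD"
vault write database/static-roles/freepbx \\
    db_name=mysql username=freepbx rotation_period=$ttl
vault read database/static-creds/freepbx
EOF
}

# Dry run: print the commands for the README's default of one day.
vault_role_cmds "${1:-24h}"
```

Invoke it as `sh vault-role.sh 12h` to review the commands for a different period; `sh vault-role.sh 30s` exits non-zero without printing anything. The `static-creds` read at the end is what a sidecar would poll to pick up the current password. If you additionally let Vault rotate its own root credential (`vault write -f database/rotate-root/mysql`), the value in mysql_root_password.txt no longer matches the database, so do not reuse that file afterwards.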

Contributors

escomputers, harukama

Issues

Error after entering token

root@pbx:/pbx# docker ps
CONTAINER ID   IMAGE                  COMMAND                  CREATED         STATUS         PORTS                                       NAMES
3dc9590076f3   vault:custom           "docker-entrypoint.s…"   4 seconds ago   Up 3 seconds   0.0.0.0:8100->8100/tcp, :::8100->8100/tcp   vault
e4e1d4406314   vault-transit:custom   "docker-entrypoint.s…"   6 minutes ago   Up 6 minutes   0.0.0.0:8200->8200/tcp, :::8200->8200/tcp   pbx-vault-transit-1
7e466d035fb3   mysql:5.7              "docker-entrypoint.s…"   6 minutes ago   Up 6 minutes   3306/tcp, 33060/tcp                         pbx-db-1
root@pbx:/pbx# docker exec -it vault sh /usr/local/bin/configure.sh
Get "http://127.0.0.1:8100/v1/sys/seal-status": dial tcp 127.0.0.1:8100: connect: connection refused
Token (will be hidden):
Error authenticating: error looking up token: Get "http://127.0.0.1:8100/v1/auth/token/lookup-self": dial tcp 127.0.0.1:8100: connect: connection refused
Error uploading policy: Put "http://127.0.0.1:8100/v1/sys/policies/acl/administrator-policy": dial tcp 127.0.0.1:8100: connect: connection refused
Error creating token: Post "http://127.0.0.1:8100/v1/auth/token/create": dial tcp 127.0.0.1:8100: connect: connection refused
Please copy the following token to keep using Vault:

Not enough arguments (expected 1 or -self, got 0)
Token (will be hidden): root@pbx:~/pbx#

Pool overlaps with other one on fresh install (docker was not installed from the script)

=> => exporting layers 0.3s
=> => writing image sha256:4275543b65b32bc1ef12df50a62caa07e99f620069918 0.0s
=> => naming to docker.io/library/sidecar 0.0s
[+] Running 12/12
✔ db 11 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 39.2s
✔ 20e4dcae4c69 Pull complete 23.3s
✔ 1c56c3d4ce74 Pull complete 0.6s
✔ e9f03a1c24ce Pull complete 0.6s
✔ 68c3898c2015 Pull complete 2.1s
✔ 6b95a940e7b6 Pull complete 1.3s
✔ 90986bb8de6e Pull complete 2.1s
✔ ae71319cb779 Pull complete 13.3s
✔ ffc89e9dfd88 Pull complete 2.7s
✔ 43d05e938198 Pull complete 22.8s
✔ 064b2d298fba Pull complete 13.9s
✔ df9a4d85569b Pull complete 15.3s
[+] Running 1/0
✘ Network pbx_defaultnet Error 0.0s
failed to create network pbx_defaultnet: Error response from daemon: Pool overlaps with other one on this address space
Configuring firewall rules for RTP ports...
rule added!
rule added!
rule added!

All tars are broken

All the archives in the source folder are not extractable, so this repo is basically unusable.
