As the number of subscribers grows, the current approach of doing a full
table dump of the subscribers DB and caching it in memory becomes less
and less feasible. The new approach is to simply do a straight DB query
for each subscriber as records are processed, and then cache the result
in memory for a little while.
Change-Id: I19a6271d779bd0abccc29e3548e7bcdb2e00baa3
ubuntu-20.04 doesn't provide debhelper-compat (= 13), therefore fails with:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
Let's switch from ubuntu-20.04 to ubuntu-latest, which
currently still points to ubuntu-20.04, but should reduce
our maintenance efforts.
Furthermore enabled the ubuntu-cloud-archive/yoga-staging PPA,
which provides a backport of debhelper v13:
https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/yoga-staging/+packages
and fixes our failing coverity builds on github.
Change-Id: I3bba166843f164b67b90c403cc772dfd939eeae7
Using apt-get with `-qq` displays only the following message
on package installation problems:
| E: Unable to correct problems, you have held broken packages.
Whereas with `-q`, we get the actual underlying problem, being:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
Change-Id: Ibadc483f1cb324c83d7616d009bcc932876a25a3
Use a macro in combination with an included file to define the list of
all string fields used in the CDR struct.
Change-Id: Ic0b93c005b792eadf00544768c74382fa3307577
We cannot overwrite the reallocated variable, otherwise on failure we
leak it.
Change-Id: I541537ade71086c9ceb851d8c5223364e3908b07
Warned-by: cppcheck (memleakOnRealloc)
While the code is not threaded, better be future-proof and use safer
APIs, which in addition has less side-effects as it does not set the
global TZ related variables.
Change-Id: I57fbe6683590cc2fbc0da508819553c040764739
Warned-by: lgtm
Whether a bit-field is signed or unsigned is implementation specific, so
we should be explicit about this.
Change-Id: I8bce847d6ece3d08fc93fa77227f6f970d1353de
Warned-by: lgtm
On Debian buster the latter contains transitive dependencies in Libs,
instead of in Libs.private, which leaks linking implementation details.
Change-Id: Ia131fe82444b8c2204976df75be047ab6d17c561
We need readonly access to /dev/urandom, otherwise the rand()
calls might fail, as seen in kamailio-config-tests.
Change-Id: Id132191994ae5fe74ec3ebb7d34a4a5d50769dbc
Thanks: Victor Seva for reporting
In carrier environments we have foreign DB hosts
configured in /etc/ngcp-mediator/ngcp-mediator.conf,
therefore we can't easily apply IP address filtering.
JFTR, new and current systemd hardening state for ngcp-mediator:
| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's … 0.5
| ✗ User=/DynamicUser= Service runs as root user 0.4
| ✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc… 0.3
| ✗ RestrictAddressFamilies=~… Service may allocate exotic socke… 0.3
| ✗ DeviceAllow= Service has a device ACL with som… 0.1
| ✗ IPAddressDeny= Service does not define an IP add… 0.2
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet socke… 0.2
| ✗ SystemCallFilter=~@privileged System call whitelist defined for… 0.2
| ✗ RestrictAddressFamilies=~AF_NETLI… Service may allocate netlink sock… 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's ro… 0.1
| SupplementaryGroups= Service runs as root, option does…
| RemoveIPC= Service runs as root, option does…
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.1 OK 🙂
Change-Id: I0e7c474eddd5d4d4c77b9bda157448294ed0a5c4
ngcp-mediator service state BEFORE this change:
| $ systemd-analyze security ngcp-mediator | tail -1
| → Overall exposure level for ngcp-mediator.service: 9.5 UNSAFE 😨
ngcp-mediator service state AFTER this change:
| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ User=/DynamicUser= Service runs as root user 0.4
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special devices 0.1
| ✗ IPAddressDeny= Service defines IP address whitelits with only localhost entries 0.1
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
| ✗ SystemCallFilter=~@privileged System call whitelist defined for service, and @privileged is included 0.2
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
| SupplementaryGroups= Service runs as root, option does not matter
| RemoveIPC= Service runs as root, option does not apply
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.0 OK 🙂
Change-Id: If33c303b9df465393f15c0b685d1aab54a465df6
We only ever go into the error handling code before malloc has
succeeded, which means ‘entries’ will always be NULL.
Change-Id: Iaedd1ac668249b0e4516f782c24a2f420e8682a5
Warned-by: coverity
While MariaDB uses my_bool here, MySQL uses the standard bool type. Both
are compatible, so use the more standard one.
Change-Id: I648bc8eb55f7617f6b4eb796a33bc77ce15ca34b
We need to respect user-controlled variables and only append to them
whatever we require for the build.
Change-Id: Ie86415863f806e2c76b6a47929c65aafc0a2d177
With the increased length of src/dst_leg strings, we must also increase
the buffer size for the insert string.
Did I mention that we should really move to dynamic strings here...
Change-Id: I0e77155d36f434055e36124d37bf699179f887b1
This is relevant for records coming from Redis, as the insertion into
the trash and backup tables is done from the strings kept in memory.
Change-Id: I1398f7bfc0d4a0c2da8b8104dc4589ea9d983da7
(cherry picked from commit 6e957e69b7)
/var/lock was deprecated with Debian/wheezy (see
https://wiki.debian.org/ReleaseGoals/RunDirectory), so
/var/lock/mediator.lock is actually /run/lock/mediator.lock.
Reflect this in the definition of MEDIATOR_LOCK_FILE.
Change-Id: If50a5fdcfafb289d59ae828f750388e103b5b3ad
Due to the movement of call transfer handling from sems pbx to
standard sems, in case of blind call transfer the BYE ACC is
generated with call_id suffix '_pbx-1_xfer-1' instead of '_xfer-1'.
To be more precise, currently we creates 2 ACCs for INVITEs:
- one without any suffix
- one with '_xfer-1" suffix
and just one for the BYE:
- with '_xfer-1' suffix
Mediator is able to use the BYE to close both the INVITEs
With the new implementation we creats 2 ACCs for INVITEs:
- one without any suffix
- one with '_pbx-1_xfer-1" suffix
and just one for the BYE:
- with '_pbx-1_xfer-1' suffix
The sinlge BYE record is not used to close both the ACC INVITEs.
Change-Id: Id7a68fab8d84ffe987084e925fecc1e051cbaccd
Strings, in particular call IDs, that are coming from Redis are not
necessarily valid UTF-8 since Redis doesn't really do UTF-8. The MySQL
DB schema expects strings in valid UTF-8 however (even though call IDs
really should be raw binary strings), resulting in an error if an
UTF-8 invalid string is attempted to be inserted.
Solve this by verifying each string's UTF-8 correctness before inserting
it, and forcing it to be interpreted as the 100% permissive latin1
charset if it isn't.
Change-Id: I5a218083bc4e3d7a47d1f77911f7ef9a88ce9bd2
Richard Fuchs
Michael Prokop
Sipwise Jenkins Builder
Guillem Jover
Alessio Garzi
Marco Capetta