We are migrating from redis to keydb, so for now we need to support both,
so we should not depend on a specific key-value storage in the unit file but
should use the database.key_value.flavor value in the override file.
But we can't redefine dependencies in an override file, just add additional
ones. So remove it from the unit file.
Change-Id: I16e94e938bd9f1da14e1068bc6b94485b08a4ca5
We need read-only access to /dev/urandom, otherwise the rand()
calls might fail, as seen in kamailio-config-tests.
Change-Id: Id132191994ae5fe74ec3ebb7d34a4a5d50769dbc
Thanks: Victor Seva for reporting
In carrier environments we have foreign DB hosts
configured in /etc/ngcp-mediator/ngcp-mediator.conf,
therefore we can't easily apply IP address filtering.
JFTR, new and current systemd hardening state for ngcp-mediator:
| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's … 0.5
| ✗ User=/DynamicUser= Service runs as root user 0.4
| ✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc… 0.3
| ✗ RestrictAddressFamilies=~… Service may allocate exotic socke… 0.3
| ✗ DeviceAllow= Service has a device ACL with som… 0.1
| ✗ IPAddressDeny= Service does not define an IP add… 0.2
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet socke… 0.2
| ✗ SystemCallFilter=~@privileged System call whitelist defined for… 0.2
| ✗ RestrictAddressFamilies=~AF_NETLI… Service may allocate netlink sock… 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's ro… 0.1
| SupplementaryGroups= Service runs as root, option does…
| RemoveIPC= Service runs as root, option does…
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.1 OK 🙂
Change-Id: I0e7c474eddd5d4d4c77b9bda157448294ed0a5c4
ngcp-mediator service state BEFORE this change:
| $ systemd-analyze security ngcp-mediator | tail -1
| → Overall exposure level for ngcp-mediator.service: 9.5 UNSAFE 😨
ngcp-mediator service state AFTER this change:
| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ User=/DynamicUser= Service runs as root user 0.4
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special devices 0.1
| ✗ IPAddressDeny= Service defines IP address whitelits with only localhost entries 0.1
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
| ✗ SystemCallFilter=~@privileged System call whitelist defined for service, and @privileged is included 0.2
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
| SupplementaryGroups= Service runs as root, option does not matter
| RemoveIPC= Service runs as root, option does not apply
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.0 OK 🙂
Change-Id: If33c303b9df465393f15c0b685d1aab54a465df6
Instead of hardcoding -I/usr/include/mysql for CFLAGS and -lmysqlclient
for LDFLAGS, let's use mariadb_config if available (e.g. on
Debian/buster), try mysql_config otherwise (e.g. on Debian/stretch), or,
if neither of them is available, fall back to -I/usr/include/mysql +
-lmysqlclient.
No longer include `m_string.h`; it was moved to
/usr/include/mariadb/server/m_string.h and is no longer compatible when
used as such:
| /usr/include/mariadb/server/m_string.h:89:23: error: unknown type name 'uchar'; did you mean 'char'?
| extern void bmove_upp(uchar *dst,const uchar *src,size_t len);
Also no longer use libmysqlclient15-dev as an alternative Build-Depend;
it's not available in either stretch or buster.
While at it, drop the include for my_global.h, since it shouldn't be included
anymore (and it doesn't seem to be relevant for us; it compiles fine as-is
on Debian/stretch and Debian/buster):
| /usr/include/mariadb/my_global.h:3:2: warning: #warning This file should not be included by clients, include only <mysql.h> [-Wcpp]
Change-Id: I74a75ea24f72880adb8117ae5808095f03bc0edb
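The flag-selection order described in the commit above (mariadb_config first, then mysql_config, then the hardcoded -I/usr/include/mysql + -lmysqlclient fallback), as an added POSIX sh example that is not part of the ngcp-mediator repository. It assumes a `mysql_flags` helper that takes the search path explicitly instead of using `$PATH`, so the fallback and preference logic can be exercised on a machine where neither tool is installed.

```shell
#!/bin/sh
# Added example, not code from the ngcp-mediator project.
# Prints the CFLAGS and LDFLAGS to use for the MySQL/MariaDB client library,
# following the order: mariadb_config, then mysql_config, then a hardcoded
# fallback. Nothing here is installed or modified; it only queries tools.

# find_tool NAME SEARCH_PATH
#   Print the full path of the first executable NAME found in the colon-
#   separated SEARCH_PATH (assumption: an explicit path argument rather than
#   $PATH, so callers can point it at a test directory). Returns 1 if absent.
find_tool() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# mysql_flags SEARCH_PATH
#   Prints two lines: the CFLAGS line, then the LDFLAGS line.
mysql_flags() {
    search_path=$1
    tool=""
    # Preference order from the commit message: mariadb_config wins over
    # mysql_config (e.g. buster vs. stretch).
    for candidate in mariadb_config mysql_config; do
        if tool=$(find_tool "$candidate" "$search_path"); then
            break
        fi
        tool=""
    done
    if [ -n "$tool" ]; then
        # Both tools expose --cflags and --libs.
        cflags=$("$tool" --cflags)
        ldflags=$("$tool" --libs)
    else
        # Neither tool present: use the historical hardcoded values.
        cflags="-I/usr/include/mysql"
        ldflags="-lmysqlclient"
    fi
    printf '%s\n%s\n' "$cflags" "$ldflags"
}

# Stand-alone usage: look the tools up on the real PATH.
mysql_flags "$PATH"
```

In a Makefile the same idea is usually expressed as `MYSQL_CFLAGS ?= $(shell mariadb_config --cflags 2>/dev/null || mysql_config --cflags 2>/dev/null || echo -I/usr/include/mysql)`; the function form above just makes the three branches explicit and testable.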
If service B "Requires" service A to be started before B,
and B does NOT require a B restart on an A restart, B should use "Wants=A".
Also use the real service name mariadb.service instead of the alias.
The same for redis-server.service.
Also migrate from the alias mysql.service to mariadb.service.
Change-Id: I94276a8647053646abd545e4d5b768b284b8a652
Since recently (see below), this service depends on redis-server, but it didn't
declare it as a dependency in its systemd unit file, so the service will not wait
for Redis, on which it depends, and will fail to start properly.
commit 2812d161a5
Date: Mon Feb 26 16:09:35 2018 +0100
(Caught by the tests of the task in the first line.)
Change-Id: I599c8c2fa8ac4e2c7428bb787889f3c9f00185e2
* Fetch acc records both from mysql and redis
* Backup/trash redis acc records into mysql
* Introduce loglevel config option and log macros
Change-Id: I9bc55ed72502feaff03550c99ce481aea33e5e58
Shipping this alias as a symlink under /lib/systemd/system guarantees
that it will be available even when the service is disabled. It will also
override the init script and avoid systemd autogenerating a compat
service.
Change-Id: Iacc6f952ac0d57bf33bdec3c6e23a59f4f42097e
This service file assumes that the new mediator configuration is in
place to define all the options to use.
Change-Id: I876a0764f3355dd040baf4824794483ec734e2f3