Capabilities listed in the ambient set must also be included in the
bounding set.
Change-Id: Iac8a97f6ba4f5446430ec2678092f768aeb8bb25
Related-to: I172bd30c9fbe488574e9cc015ba552e805c95fe6
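The constraint stated in the message above, as an added example that is not part of the rtpengine packaging: a small POSIX shell check that reads a unit fragment and reports every AmbientCapabilities= entry that is missing from CapabilityBoundingSet=. The unit text and the capability names are constructed for illustration, not taken from the real ngcp-rtpengine-daemon unit.

```shell
#!/bin/sh
# Added example, not code from the rtpengine packaging: verify that every
# capability named in AmbientCapabilities= also appears in
# CapabilityBoundingSet=, the rule the commit message describes.
# Limitations: the inverted "~CAP_..." form and case-insensitive capability
# names are not handled; the whole unit text is passed in as one string.

# Constructed unit fragments (capability names are merely plausible for an
# RTP proxy; they are not the values of the real unit file).
GOOD_UNIT='[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_NICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW'

BAD_UNIT='[Service]
CapabilityBoundingSet=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW'

# Print the values of every "KEY=" line of a unit text, space separated
# (systemd merges repeated CapabilityBoundingSet= lines, so all are collected).
unit_values() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr '\n' ' '
}

# Print the ambient capabilities missing from the bounding set (an empty line
# if none) and return 0 when the unit is consistent, 1 otherwise.
check_ambient_in_bounding() {
    bounding=" $(unit_values CapabilityBoundingSet "$1")"
    missing=""
    for cap in $(unit_values AmbientCapabilities "$1"); do
        case "$bounding" in
            *" $cap "*) ;;                     # present in the bounding set
            *) missing="$missing $cap" ;;      # ambient cap outside the bounding set
        esac
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

check_ambient_in_bounding "$GOOD_UNIT" && echo "good unit: consistent"
check_ambient_in_bounding "$BAD_UNIT"  || echo "bad unit: inconsistent"
```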
If the kernel module is loaded automatically/implicitly through
insertion of an iptables rule, it gets loaded with only the default
module parameters. Add a modprobe.d fragment to handle this case.
Change-Id: I08659e2f0db8fed401cbcce6edee51e942da1f3e
Pandoc is available even on stretch, and unlike ronn is
actively maintained.
Fix -- markdown escaping.
Use __x__ for bold, and *x* for italics.
Remove .8.ronn symlinks.
Change-Id: Iff70e2b405f3b9ede856abf94d42fc51afb9f809
For compatibility reasons (with other doc files and with RTD)
the `rtpengine.pod` and `rtpengine-recording.pod` files get
converted to the Markdown syntax.
The compilation of MD syntax synopsis files will work
using `ronn` application, which converts them to man pages.
Change-Id: I75b54a712786a0a237c51c702ed1a2cc09e3a033
Take over git commit 929027 from
https://salsa.debian.org/pkg-voip-team/rtpengine.git
Since we're using adduser within ngcp-rtpengine-daemon's
postinst script, we need to make sure to have adduser available.
Change-Id: Ib80794c8a79811d7d890625b8ae5435ca8acc96a
Since Debian/bookworm, dh-dkms (debhelper addon for the Dynamic Kernel
Module System (DKMS)) is available with its virtual dh-sequence-dkms
package. This allows us to get rid of manual packaging work in
maintainer scripts and debian/rules.
Adjust backport scripts accordingly as dh-sequence-dkms and its dh-dkms
are available only as of Debian bookworm + Ubuntu kinetic and newer.
Ship debian/source/lintian-overrides to ignore lintian's:
E: ngcp-rtpengine source: missing-build-dependency-for-dh_-command dh_dkms => dkms
This dh-sequence-dkms vs dkms issue is only supported as of lintian
versions >=2.105.0, while current Debian/stable AKA bullseye provides
lintian v2.104.0, see https://bugs.debian.org/982834.
Closes: https://bugs.debian.org/1030227
Thanks: Andreas Beckmann <anbe@debian.org> for the bug report + initial patch
Change-Id: Ife1e976c88fbbe796bbd40225f682f0e5360a6d7
lsb-base as of version 11.5 and as present in Debian/testing AKA
bookworm is a transitional package (depending on sysvinit-utils).
As of lintian >=2.116.0 a dependency on lsb-base is considered an error:
| E: ngcp-rtpengine-daemon: depends-on-obsolete-package Depends: lsb-base (>= 3.0-6)
| E: ngcp-rtpengine-recording-daemon: depends-on-obsolete-package Depends: lsb-base (>= 3.0-6)
Now having lintian 2.116.1 in Debian/testing AKA bookworm our package
builds fail because of this.
Since we still have init script support and references to
/lib/lsb/init-functions, let's depend on either sysvinit-utils
or lsb-base.
See related discussion on debian-devel mailing list:
https://lists.debian.org/debian-devel/2023/01/msg00149.html
Change-Id: Id3228425405e39904e52de8fdf00911539ac63bb
Provide the targets for the two /bin/ components.
Adapt .install debhelper files.
Adapt iptables module install location to use the environment variable.
Change-Id: I963feba5f60f53773e497121d8947e7b4997d687
Instead of going through ffmpeg to en/decode Opus, use libopus directly,
which allows us to benefit from additional features that aren't
available when going through ffmpeg.
Change-Id: I017c276cfa9755cefe95c8da26691446b718d4c8
Switch from the unconditional installation of the xtables module to
do that through debhelper fragment files. This makes sure we only do
that whenever we are building these packages, and thus do not fail
to install into a non-existent directory.
Change-Id: Ib7d96a9636435d030c42f265214cc1546e373699
Fix `SC2043 (warning): This loop will only ever run once. Bad quoting or missing glob/expansion?`
Fix-up for git rev de8b3d59c1,
AKA Change-Id If75b6c1b675c8abf0bb33ae58b41e036276f8640
Change-Id: I46f58da69a683ed2fa67c86f9928fbfc8372482f
/var/spool/rtpengine is used by the main daemon as well as the recording
daemon. The recording daemon is not really useful without the main
daemon, while it's perfectly fine to use the main daemon without the
recording daemon. That directory should therefore be managed by the main
daemon package.
This fixes a broken systemd unit stemming from a missing directory if
the recording daemon is not installed.
Fix-up for 26bf2b05a5
Fix-up for I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7
Fixes GH #1510
Change-Id: If75b6c1b675c8abf0bb33ae58b41e036276f8640
Fixes:
| Warning: using insecure memory!
as triggered via libgcrypt, see
https://sources.debian.org/src/libgcrypt20/1.10.1-2/src/secmem.c/?#L283
Let's use 8388608 AKA 8MB as default, as present in systemd versions
251 and newer, see commit:
| commit 852b62507b22c0a986032a2c9fa9cc464a5b7bd2
| Author: Lennart Poettering <lennart@poettering.net>
| Date: Thu Mar 10 13:22:57 2022 +0100
|
| pid1,nspawn: raise default RLIMIT_MEMLOCK to 8M
|
| This mirrors a similar check in Linux kernel 5.16
| (9dcc38e2813e0cd3b195940c98b181ce6ede8f20) that raised the
| RLIMIT_MEMLOCK to 8M.
|
| This change does two things: raise the default limit for nspawn
| containers (where we try to mimic closely what the kernel does), and
| bump it when running on old kernels which still have the lower setting.
|
| Fixes: #16300
| See: https://lwn.net/Articles/876288/
Change-Id: I56f6d173d316386501ce8b13cc7a8ad6bea4ed26
By default we use /var/spool/rtpengine as recording directory,
so ensure we have R/W access to it.
Change-Id: I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7
Now that we run as a non-root user by default, we didn't have
proper capabilities for still running as the root user.
Document what's required to do so.
NOTE: related to TT#157800 (rtpengine: run as non-root) and
TT#76552 (systemd hardening)
Change-Id: Ie9f44bb75dc63cd407b27faab2219647d079359e
ngcp-rtpengine-daemon service state BEFORE this change:
| $ sudo systemd-analyze security ngcp-rtpengine-daemon | tail -1
| → Overall exposure level for ngcp-rtpengine-daemon.service: 9.3 UNSAFE 😨
ngcp-rtpengine-daemon service state AFTER this change:
| $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-rtpengine-daemon | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special … 0.1
| ✗ IPAddressDeny= Service does not define an IP address allow… 0.2
| ✗ SystemCallFilter=~@privileged System call allow list defined for service,… 0.2
| ✗ SystemCallFilter=~@resources System call allow list defined for service,… 0.2
| ✗ AmbientCapabilities= Service process receives ambient capabiliti… 0.1
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
| ✗ ProcSubset= Service has full access to non-process /pro… 0.1
|
| → Overall exposure level for ngcp-rtpengine-daemon.service: 1.4 OK 🙂
As of systemd v247.3-7.
Change-Id: I1bc2a82b0b9a945a3fa25f3e35d1b751ee0e4041
These packages do not provide architecture-specific interfaces. The only
problematic one is the kernel module, which requires a matching kernel
to run on, independently of the userland. In addition, the kernel
interface is arch-specific so running, say, a 64-bit kernel and module
and a 32-bit userland will not work.
Change-Id: Ic7327e422ec6f2e3cd4145b8ae172db9149287b4
We have had DKMS support for a long time, which is easier to integrate
with, and manage as a user. As we have not been testing module-assistant
support and it's redundant with the DKMS support, let's just remove it.
Change-Id: Iff546a4a333a2e4e48fbc1e49fecee9bab3a0138
Neither main daemons nor auxiliary tools require root privileges to run,
therefore they should go into /usr/bin instead of /usr/sbin.
Change-Id: I22fd0f4e622df0362a686dfe9e0ce1fb86b43a9e
This has become important after the latest change to run rtpengine as
a non-root user as it requires reloading the kernel module with the new
user/group permissions.
Change-Id: Iedf2624402397f5d444955e9d5d6d5aa414be1c3
*) Create dedicated rtpengine user in postinst and remove it in postrm.
*) Use RuntimeDirectory= systemd unit config.
*) Use dedicated user for /proc interface and set file umask to hide it
from other users.
*) Set owner and permissions on default directories used for call recording.
Change-Id: I8e225b36d065d46da2489fb8286916371950f490
A working stock config makes it possible to install this package and
have a working setup right away. Previously installing this package
fresh resulted in an error from systemd because the daemon refuses to
start due to lack of working config.
Change-Id: I470b4ec29a9aeea147a8d001b8e126611921c39e
It makes no sense to have the recording daemon installed without the
main daemon, therefore add an explicit dependency. This also allows us
to add some postinst/postrm scripts to the main daemon package that also
apply to the recording daemon (e.g. creating a user).
Change-Id: Id698907515ad94b2ac4988454607385bee72e7ca
The per-table /proc files may contain sensitive information. Add an
optional file mode mask to apply to the top directory to hide it from
unprivileged users.
Change-Id: I3ec02739e0d97e53c8628259922ccf64ddfa8415
If there's no config file present then retrieval of the table number
yields an empty string. Allow this as an expected case to silence a
warning from bash (using -lt against an empty string).
Change-Id: I0420d2e1c555f6b56a56fc5f47d3bc183a929e50
The aliases created by systemd under Install/Alias are created and
removed as the service is enabled and disabled, and don't serve as
generic alias names. Furthermore they seem to linger behind when the
package is removed or replaced, which leads to collisions and
installation failures when the NGCP-specific package is replaced by the
non-NGCP version.
Change-Id: I2313ffffb1fa4fb1d570b23113b0618744c58e26
This package name is not used anywhere as a dependency, therefore it
makes no sense to list it as a "provides".
Change-Id: I20db5308328b1c911495bf31417e4996a9824c3c
Fixes:
| In debian/ngcp-rtpengine-iptables-setup line 15:
| TABLE=$(/usr/libexec/rtpengine/rtpengine-get-table --config-file=$CONFIG_FILE)
| ^----------^ SC2086: Double quote to prevent globbing and word splitting.
|
| In el/rtpengine.init line 36:
| configfile=${CONFIG_FILE-/etc/rtpengine/rtpengine.conf}
| ^--------^ SC2034: configfile appears unused. Verify use (or export if used externally).
|
| In el/rtpengine.init line 38:
| TABLE=$(/usr/libexec/rtpengine/rtpengine-get-table --config-file=$CONFIG_FILE)
| ^----------^ SC2086: Double quote to prevent globbing and word splitting.
Those went unnoticed in commit 111b0a769c, but are failing
in github actions with shellcheck v0.7.2.
While at it, ensure that /etc/rtpengine/rtpengine.conf
is used as fallback, if CONFIG_FILE isn't defined.
Change-Id: I1c1948245a907bd6d299b242a9faff960d0608bc
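The config-file fallback, quoting and empty-table handling described in the two messages above (the empty string returned by rtpengine-get-table when no config file exists, and the SC2086 fix-ups), as an added example that is not the packaging's own init script. get_table is a constructed stand-in for rtpengine-get-table, the sample configs are created inline, and treating a negative table as "no kernel forwarding" is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the rtpengine packaging's own script. get_table is a
# constructed stand-in for rtpengine-get-table; configs are created inline.

# Print the "table = N" value of a config file; print nothing when the file
# or the key is absent (the empty-string case the init script has to expect).
get_table() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*table[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*$/\1/p' "$1" | head -n 1
}

# Decide whether the iptables/kernel forwarding setup should run.
# Prints "kernel <N>" for a usable table number, "userspace" when there is no
# config file, no table setting or a negative table (assumption: negative
# means no kernel forwarding); returns 1 for a non-numeric value, a guard for
# tool output this script does not control.
classify_table() {
    # Fall back to /etc/rtpengine/rtpengine.conf if CONFIG_FILE is unset or empty.
    config_file="${1:-/etc/rtpengine/rtpengine.conf}"
    # Quoted expansion (SC2086): a path with spaces must not be word-split.
    table=$(get_table "$config_file")
    # Empty is an expected case: [ "" -lt 0 ] would print an "integer
    # expression expected" warning instead of giving a clean decision.
    if [ -z "$table" ]; then
        echo userspace
        return 0
    fi
    case "$table" in
        -[0-9]*|[0-9]*) ;;
        *) echo "invalid table value: $table" >&2; return 1 ;;
    esac
    if [ "$table" -lt 0 ]; then
        echo userspace
    else
        echo "kernel $table"
    fi
}

# Constructed sample configs.
SAMPLE_DIR=$(mktemp -d)
printf '[rtpengine]\ntable = 0\n'  > "$SAMPLE_DIR/kernel.conf"
printf '[rtpengine]\ntable = -1\n' > "$SAMPLE_DIR/userspace.conf"

classify_table "$SAMPLE_DIR/kernel.conf"      # kernel 0
classify_table "$SAMPLE_DIR/userspace.conf"   # userspace
classify_table "$SAMPLE_DIR/missing.conf"     # userspace (no config file)
```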
These can be set from the config file, which makes the support in the
sysvinit script redundant. Remove all these and leave only the minimally
relevant ones involved in the startup of the daemon.
Change-Id: I3faac4594d7f1a21e65761036c2ab153acb96152
This centralizes the table setting into the respective config files
instead of keeping copies all over the place, that can easily get out
of sync.
Change-Id: I12f3fa172f34861365c31c8d8718b3fae8a9de5b
Bullseye doesn't install iptables by default any more, but the included
startup script uses iptables to set up the kernel forwarding by default.
Add an explicit dependency.
closes #1343
Change-Id: I6c222c290e51177f92136f9df59fa769c05ec266
We should eventually try to reduce the amount of -Wno-* options, but for
now this is a net improvement.
Change-Id: I3bd03679acbc157c0d1b3c257a542e2eec0e5ee9
This construct was used due to ancient bogus shell implementations, but
it is of no relevance anymore. Use the "modern" -z test instead.
Change-Id: Iad882c99148e548e926b083df8ca428c591e2c4f
Fixes: shellcheck SC2268
When we disable transcoding we should completely disable building the
rtpengine-recording daemon packages too. We accomplish that by using a
build-profile.
This also removes the Debianism from the upstream build system and moves
the setting to the Debian packaging.
Change-Id: Idf7783823d36b49ce03610fb1f4386afe5887029
iptables-dev is only available until Debian/buster and no longer exists in
Debian/bullseye (current testing) nor unstable/sid:
| builddeps:. : Depends: iptables-dev (>= 1.4) but it is not installable
Even in Debian/buster iptables-dev is already a transitional/dummy package.
Support iptables-dev as alternative Build-Dependency, just in case
someone is building the package against a system where libxtables-dev
doesn't exist yet.
Change-Id: I28c4c81ac474c646d80a0146baa2446dde7073c3
shellcheck v0.7.1 complains about a bunch of issues:
SC2154: status is referenced but not assigned.
SC2181: Check exit code directly with e.g. 'if mycmd;', not indirectly with $?.
SC2207: Prefer mapfile or read -a to split command output (or quote to avoid splitting).
SC2235: Use { ..; } instead of (..) to avoid subshell overhead.
SC2236: Use -n instead of ! -z.
The "$status" variable disappeared in d4763aba14.
The init scripts of ngcp-rtpengine-daemon and
ngcp-rtpengine-recording-daemon had a logic bug, where a failing stop
action didn't properly return, but continued execution of the following
firewalling code (ngcp-rtpengine-iptables-setup). Thanks to Guillem
Jover for spotting this one. While at it, no longer execute under
'set -e'.
Change-Id: Ia50e76f615564a288627e6e42ec8f7eb082de74c
rtpengine-ctl uses Config::Tiny for reading the config file.
This commit adds the dependency to the utils package.
Change-Id: Iae0892fe9c8d30435eecc513cf538122b2fbe2c7
This was forgotten to be taken care of in commit 2868fc6f55.
Otherwise `module-assistant auto-install ngcp-rtpengine-kernel-source` fails with:
| dh_installdocs: Please specify the compatibility level in debian/compat
| make[1]: *** [debian/rules:64: binary-modules] Error 2
| make[1]: Leaving directory '/usr/src/modules/ngcp-rtpengine'
Fixes #853
Change-Id: I0a433daaaebdab09f8247a391624d8f1a6d045bc
- Stop copying debian/compat into the kernel source packages.
- Use dh_installsystemd instead of deprecated dh_systemd_*.
- Disable dwz as it cannot cope with some of the plugins generated.
Change-Id: Ibdc92e94955ef3c5d89b24fc341474236c49b986
We now use systemd presets, and always install a policy-rc.d script, so
there's no reason to disable these at package build time. Let's switch
to the Debian defaults, so that third-party users get these to work out
of the box, in case they want to build and install the packages.
Change-Id: I0b0af3ffa1fe4daa72562f07fd95b606f96c0f88