Follow-up for commit eea3824725, remove further files and configuration
related to rtpengine-iptables removal.
Change-Id: I3bc9a2a452bd41fb346b7479e8b00e4cdedb93a6

As we now natively support nftables, we no longer need to rely on the
iptables helper script. We can completely remove it.
Change-Id: I214bfee6ada534754141cb86bb50e87556de977d

*) Remove packaging for -gpu packages
*) Remove build profile restrictions, except for the build dependency
itself
*) Remove script to generate dh fragments for -gpu packages
*) Convert --cudecs switch to a path argument pointing to the .so
*) Don't link against libcudecs during build
*) Only include the single types.h header needed for usage as a plugin
*) Resolve all symbols during startup after loading the .so
Change-Id: Ide99eec2156d5d3be8c40594391cb1603add4b16

Capabilities listed in the ambient set must also be included in the
bounding set.
Change-Id: Iac8a97f6ba4f5446430ec2678092f768aeb8bb25
Related-to: I172bd30c9fbe488574e9cc015ba552e805c95fe6

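The rule this commit states (every capability in AmbientCapabilities= must also be in CapabilityBoundingSet=) can be checked before a unit is deployed. The Python checker below is an added example, not rtpengine's or systemd's own code; the capability list and the drop-in it inspects are constructed, and the merge rules follow the systemd.exec(5) semantics for repeated, `~`-prefixed and empty assignments.

```python
# Constructed subset of Linux capabilities; a real checker would use the full list.
ALL_CAPS = frozenset({"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_ADMIN", "CAP_SYS_NICE"})

def merge(current, value, universe=ALL_CAPS):
    """One assignment under systemd's merge rules: plain lines OR in, '~' lines
    AND-NOT out, '' resets to empty, bare '~' resets to full; None = unassigned."""
    value = value.strip()
    if value == "":
        return set()
    if value == "~":
        return set(universe)
    caps = {c.upper() for c in value.lstrip("~").split()}
    if value.startswith("~"):
        return (set(universe) if current is None else current) - caps
    return (set() if current is None else current) | caps

def parse_service(unit_text):
    """Return {directive: [values]} from the [Service] section of a unit or drop-in."""
    section, directives = None, {}
    for line in unit_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, val = line.split("=", 1)
            directives.setdefault(key.strip(), []).append(val)
    return directives

def ambient_outside_bounding(unit_text, universe=ALL_CAPS):
    """Ambient capabilities the unit requests but its bounding set would drop."""
    directives = parse_service(unit_text)
    bounding = ambient = None
    for v in directives.get("CapabilityBoundingSet", []):
        bounding = merge(bounding, v, universe)
    for v in directives.get("AmbientCapabilities", []):
        ambient = merge(ambient, v, universe)
    # Unset bounding set means "everything"; unset ambient set means "nothing".
    bounding = set(universe) if bounding is None else bounding
    ambient = set() if ambient is None else ambient
    return ambient - bounding

# Constructed drop-in reproducing the mistake the commit above fixes.
BROKEN_UNIT = """[Service]
User=rtpengine
CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_NICE
AmbientCapabilities=CAP_NET_ADMIN CAP_SYS_NICE CAP_NET_RAW
"""
```

`ambient_outside_bounding(BROKEN_UNIT)` returns `{"CAP_NET_RAW"}`, the capability that would be requested as ambient but dropped by the bounding set.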
If the kernel module is loaded automatically/implicitly through
insertion of an iptables rule, it gets loaded with only the default
module parameters. Add a modprobe.d fragment to handle this case.
Change-Id: I08659e2f0db8fed401cbcce6edee51e942da1f3e

Pandoc is available even on stretch, and unlike ronn is
actively maintained.
Fix -- markdown escaping.
Use __x__ for bold, and *x* for italics.
Remove .8.ronn symlinks.
Change-Id: Iff70e2b405f3b9ede856abf94d42fc51afb9f809

For compatibility reasons (with other doc files and with RTD)
the `rtpengine.pod` and `rtpengine-recording.pod` files get
converted to the Markdown syntax.
The compilation of MD syntax synopsis files will work
using the `ronn` application, which converts them to man pages.
Change-Id: I75b54a712786a0a237c51c702ed1a2cc09e3a033

Take over git commit 929027 from
https://salsa.debian.org/pkg-voip-team/rtpengine.git
Since we're using adduser within ngcp-rtpengine-daemon's
postinst script, we need to make sure to have adduser available.
Change-Id: Ib80794c8a79811d7d890625b8ae5435ca8acc96a

Since Debian/bookworm, dh-dkms (debhelper addon for the Dynamic Kernel
Module System (DKMS)) is available with its virtual dh-sequence-dkms
package. This allows us to get rid of manual packaging work in
maintainer scripts and debian/rules.
Adjust backport scripts accordingly as dh-sequence-dkms and its dh-dkms
are available only as of Debian bookworm + Ubuntu kinetic and newer.
Ship debian/source/lintian-overrides to ignore lintian's:
E: ngcp-rtpengine source: missing-build-dependency-for-dh_-command dh_dkms => dkms
This dh-sequence-dkms vs dkms issue is only supported as of lintian
versions >=2.105.0, while current Debian/stable AKA bullseye provides
lintian v2.104.0, see https://bugs.debian.org/982834.
Closes: https://bugs.debian.org/1030227
Thanks: Andreas Beckmann <anbe@debian.org> for the bug report + initial patch
Change-Id: Ife1e976c88fbbe796bbd40225f682f0e5360a6d7

lsb-base as of version 11.5 and as present in Debian/testing AKA
bookworm is a transitional package (depending on sysvinit-utils).
As of lintian >=2.116.0 a dependency on lsb-base is considered an error:
| E: ngcp-rtpengine-daemon: depends-on-obsolete-package Depends: lsb-base (>= 3.0-6)
| E: ngcp-rtpengine-recording-daemon: depends-on-obsolete-package Depends: lsb-base (>= 3.0-6)
Now having lintian 2.116.1 in Debian/testing AKA bookworm our package
builds fail because of this.
Since we still have init script support and references to
/lib/lsb/init-functions, let's depend on either sysvinit-utils
or lsb-base.
See related discussion on debian-devel mailing list:
https://lists.debian.org/debian-devel/2023/01/msg00149.html
Change-Id: Id3228425405e39904e52de8fdf00911539ac63bb

Provide the targets for the two /bin/ components.
Adapt .install debhelper files.
Adapt iptables module install location to use the environment variable.
Change-Id: I963feba5f60f53773e497121d8947e7b4997d687

Instead of going through ffmpeg to en/decode Opus, use libopus directly,
which allows us to benefit from additional features that aren't
available when going through ffmpeg.
Change-Id: I017c276cfa9755cefe95c8da26691446b718d4c8

Switch from the unconditional installation of the xtables module to
do that through debhelper fragment files. This makes sure we only do
that whenever we are building these packages, and thus do not fail
to install into a non-existent directory.
Change-Id: Ib7d96a9636435d030c42f265214cc1546e373699

Fix `SC2043 (warning): This loop will only ever run once. Bad quoting or missing glob/expansion?`
Fix-up for git rev de8b3d59c1,
AKA Change-Id If75b6c1b675c8abf0bb33ae58b41e036276f8640
Change-Id: I46f58da69a683ed2fa67c86f9928fbfc8372482f

/var/spool/rtpengine is used by the main daemon as well as the recording
daemon. The recording daemon is not really useful without the main
daemon, while it's perfectly fine to use the main daemon without the
recording daemon. That directory should therefore be managed by the main
daemon package.
This fixes a broken systemd unit stemming from a missing directory if
the recording daemon is not installed.
Fix-up for 26bf2b05a5
Fix-up for I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7
Fixes GH #1510
Change-Id: If75b6c1b675c8abf0bb33ae58b41e036276f8640

Fixes:
| Warning: using insecure memory!
as triggered via libgcrypt, see
https://sources.debian.org/src/libgcrypt20/1.10.1-2/src/secmem.c/?#L283
Let's use 8388608 AKA 8MB as default, as present in systemd versions
251 and newer, see commit:
| commit 852b62507b22c0a986032a2c9fa9cc464a5b7bd2
| Author: Lennart Poettering <lennart@poettering.net>
| Date: Thu Mar 10 13:22:57 2022 +0100
|
| pid1,nspawn: raise default RLIMIT_MEMLOCK to 8M
|
| This mirrors a similar check in Linux kernel 5.16
| (9dcc38e2813e0cd3b195940c98b181ce6ede8f20) that raised the
| RLIMIT_MEMLOCK to 8M.
|
| This change does two things: raise the default limit for nspawn
| containers (where we try to mimic closely what the kernel does), and
| bump it when running on old kernels which still have the lower setting.
|
| Fixes: #16300
| See: https://lwn.net/Articles/876288/
Change-Id: I56f6d173d316386501ce8b13cc7a8ad6bea4ed26

By default we use /var/spool/rtpengine as recording directory,
so ensure we have R/W access to it.
Change-Id: I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7

Now that we run as a non-root user by default, we don't have
the proper capabilities for still running as the root user.
Document what's required to do so.
NOTE: related to TT#157800 (rtpengine: run as non-root) and
TT#76552 (systemd hardening)
Change-Id: Ie9f44bb75dc63cd407b27faab2219647d079359e

ngcp-rtpengine-daemon service state BEFORE this change:
| $ sudo systemd-analyze security ngcp-rtpengine-daemon | tail -1
| → Overall exposure level for ngcp-rtpengine-daemon.service: 9.3 UNSAFE 😨
ngcp-rtpengine-daemon service state AFTER this change:
| $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-rtpengine-daemon | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special … 0.1
| ✗ IPAddressDeny= Service does not define an IP address allow… 0.2
| ✗ SystemCallFilter=~@privileged System call allow list defined for service,… 0.2
| ✗ SystemCallFilter=~@resources System call allow list defined for service,… 0.2
| ✗ AmbientCapabilities= Service process receives ambient capabiliti… 0.1
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
| ✗ ProcSubset= Service has full access to non-process /pro… 0.1
|
| → Overall exposure level for ngcp-rtpengine-daemon.service: 1.4 OK 🙂
As of systemd v247.3-7.
Change-Id: I1bc2a82b0b9a945a3fa25f3e35d1b751ee0e4041