Switch from the unconditional installation of the xtables module to
do that through debhelper fragment files. This makes sure we only do
that whenever we are building these packages, and thus do not fail
to install into a non-existent directory.
Change-Id: Ib7d96a9636435d030c42f265214cc1546e373699
Fix `SC2043 (warning): This loop will only ever run once. Bad quoting or missing glob/expansion?`
Fix-up for git rev de8b3d59c1,
AKA Change-Id If75b6c1b675c8abf0bb33ae58b41e036276f8640
Change-Id: I46f58da69a683ed2fa67c86f9928fbfc8372482f
/var/spool/rtpengine is used by the main daemon as well as the recording
daemon. The recording daemon is not really useful without the main
daemon, while it's perfectly fine to use the main daemon without the
recording daemon. That directory should therefore be managed by the main
daemon package.
This fixes a broken systemd unit stemming from a missing directory if
the recording daemon is not installed.
Fix-up for 26bf2b05a5
Fix-up for I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7
Fixes GH #1510
Change-Id: If75b6c1b675c8abf0bb33ae58b41e036276f8640
To safeguard against non-refcounted objects being left over in a log
info piece (e.g. a string on the stack), add this new function to pop
pieces from the stack until the desired one is removed. This is needed
in case of a unpaired log_info_* without a matching log_info_pop.
closes#1511
Change-Id: I689de14d034df779521dfdf59f923fdbf7fabc9b
To safeguard against leftover log info pieces, add additional resets
within loops that might run repeatedly.
Relevant to #1511
Change-Id: I875f1683b7dc8cee359469e8062c08c3c3e48a9d
The order between receiving the STUN success and the triggered check is
not guaranteed, therefore resolve possible race condition by expecting
the two packets in either order.
Change-Id: Ibef9907cd4116bc5f3b7d17d936007c8efcabd3b
The codec answer routine resets the codec storage and so also resets the
clock rate tracker for "touched" codecs. This leads to all codecs seen
as "not touched" in the answer routine, which in turn leads to
supplemental codecs present in the answer SDP that should not be there.
Use the "for transcoding" flag for previously present codecs to retain
the "touched" status across the codec answer routine.
Change-Id: Idc4624606f7f10d7983e22ddf856432b07421157
* Use an explicitly created global event loop
* Await websocket connection closure
Relevant to #1497
Change-Id: I600189f5383ca7e5da8b45460508c1ddcddede0b
Fixes:
| Warning: using insecure memory!
as triggered via libgcrypt, see
https://sources.debian.org/src/libgcrypt20/1.10.1-2/src/secmem.c/?#L283
Let's use 8388608 AKA 8MB as default, as present in systemd versions
251 and newer, see commit:
| commit 852b62507b22c0a986032a2c9fa9cc464a5b7bd2
| Author: Lennart Poettering <lennart@poettering.net>
| Date: Thu Mar 10 13:22:57 2022 +0100
|
| pid1,nspawn: raise default RLIMIT_MEMLOCK to 8M
|
| This mirrors a similar check in Linux kernel 5.16
| (9dcc38e2813e0cd3b195940c98b181ce6ede8f20) that raised the
| RLIMIT_MEMLOCK to 8M.
|
| This change does two things: raise the default limit for nspawn
| containers (where we try to mimic closely what the kernel does), and
| bump it when running on old kernels which still have the lower setting.
|
| Fixes: #16300
| See: https://lwn.net/Articles/876288/
Change-Id: I56f6d173d316386501ce8b13cc7a8ad6bea4ed26
By default we use /var/spool/rtpengine as recording directory,
so ensure we have R/W access to it.
Change-Id: I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7
Now that we run as non-root user by default, we didn't have
proper capabilities for still running under root user.
Document, what's required to do so.
NOTE: related to TT#157800 (rtpengine: run as non-root) and
TT#76552 (systemd hardening)
Change-Id: Ie9f44bb75dc63cd407b27faab2219647d079359e
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012766
> Whilst working on the Reproducible Builds effort [0] we noticed that
> rtpengine could not be built reproducibly.
>
> Whilst it did use the value from debian/changelog, the RELEASE_DATE
> variable changed due to underlying system timezone setting. A patch
> is attached that passes -u/--utc to the call to date(1).
>
> [0] https://reproducible-builds.org/
When doing the initial answer, the packet_stream endpoint port isn't
filled in yet. Use the stream_params port instead to test for rejected
streams.
closes#1499
Change-Id: I8f315d95521f874fb8c5e6222263d017800b5fc9
When ports are closed early (while the call is still running), we must
first update a slave rtpengine with this new information (that these
ports are now closed) before actually releasing the ports ourselves. Not
doing so leads to a race condition where the master instance re-uses a
port that was just closed before the slave instance knows about the port
being closed.
We implement this using a thread-local list to keep track of ports that
were released while processing a control message, and process this list
to actually close the ports only after Redis has been updated.
Additional calls to the function to close the ports are placed in
strategic locations to make sure this is triggered in every code path.
closes#1495
Change-Id: I803f4594f30ca315da0b84c6e76893f54ca3a7c9
Instead of having to rely on external repositories (like the
ubuntu-cloud-archive/yoga-staging PPA for the debhelper v13 backport),
let's use the pkg script instead. The pkg scripts ensure that the
debian/ directory looks as expected for the according distribution. So
for executing coverity + unit-tests in the Ubuntu/focal / ubuntu-20.04
environment on GitHub, let's use pkg/deb/backports/focal for generating
the according Debian source tree.
Related change in pkg: make `wrap-and-sort` execution optional. We don't
have devscripts installed by default in Ubuntu/focal / ubuntu-20.04
environment on GitHub, while usage of wrap-and-sort can be considered
optional for our purposes.
Change-Id: Ic252b323408fab557e3f151a93f61aa8fac1a30f
ubuntu-20.04 + ubuntu-latest (currently also pointing at 20.04) don't
provide debhelper v13 (required for debhelper-compat (= 13)), therefore
our workflow fails with:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
So enable the ubuntu-cloud-archive/yoga-staging PPA,
which provides a backport of debhelper v13:
https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/yoga-staging/+packages
and fixes our failing unity + coverity builds on github.
While at it, using apt-get with `-qq` displays only the following
message on package installation problems:
| E: Unable to correct problems, you have held broken packages.
Whereas with `-q`, we get the actual underlying problem, being:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
Change-Id: I67439a8f2f27e902710af43ff52599c8a58a5f98
Despite this code being called from userspace, we must disable
interrupts while having ssrc_stats_lock acquired, as the same lock is
acquired elsewhere from within an interrupt context.
closes#1492
Change-Id: Ia6f31eb876ee98ad355d12f9361cbc068d008608
In commit a4ee01d27f we switched to debhelper compat level 13.
debhelper v13 isn't available in (plain) Debian buster,
and therefore the Debian pipeline for buster fails with:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
Since we updated packaging for bullseye, also adapt the GitHub
actions / workflow accordingly.
Change-Id: I411a6ab16ee48c5c5fc1ca43c58c016df83e1ff7
ngcp-rtpengine-daemon service state BEFORE this change:
| $ sudo systemd-analyze security ngcp-rtpengine-daemon | tail -1
| → Overall exposure level for ngcp-rtpengine-daemon.service: 9.3 UNSAFE 😨
ngcp-rtpengine-daemon service state AFTER this change:
| $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-rtpengine-daemon | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special … 0.1
| ✗ IPAddressDeny= Service does not define an IP address allow… 0.2
| ✗ SystemCallFilter=~@privileged System call allow list defined for service,… 0.2
| ✗ SystemCallFilter=~@resources System call allow list defined for service,… 0.2
| ✗ AmbientCapabilities= Service process receives ambient capabiliti… 0.1
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
| ✗ ProcSubset= Service has full access to non-process /pro… 0.1
|
| → Overall exposure level for ngcp-rtpengine-daemon.service: 1.4 OK 🙂
As of systemd v247.3-7.
Change-Id: I1bc2a82b0b9a945a3fa25f3e35d1b751ee0e4041
These packages do not provide architecture-specific interfaces. The only
problematic one is the kernel module, which requires a matching kernel
where to run on, independently of the userland. In addition the kernel
interface is arch-specific so running, say, a 64-bit kernel and module
and a 32-bit userland will not work.
Change-Id: Ic7327e422ec6f2e3cd4145b8ae172db9149287b4
We have had DKMS support for a long time, which is easier to integrate
to, and manage as a user. As we have not been testing module-assistant
support and it's redundant with the DKMS support, let's just remove it.
Change-Id: Iff546a4a333a2e4e48fbc1e49fecee9bab3a0138
This prevents empty mixed output files from being created when mixed
output is enabled in the config but recording isn't active for that
call.
Change-Id: I66ead89dc8a7ea80b81164b3e24d997b0df5f37e
Provide a standard output format if no other outputs are configured, so
that the decoder has something to work with. Applicable to TLS-send-only
scenarios without recording.
Change-Id: I627bb7af3f3033e1025009c21a4da6991e491dcf
DTX and delay buffers and their timers are shut down during the codec
negotiation phase, which also happens for the offer side while
processing an answer. If the codec negotiation routine determines that
the existing codec handlers can be kept intact, we must restart the DTX
and delay buffers that have previously been shut down.
Buffer objects are never freed during a shutdown, therefore we simply
need to restore the contained references to indicate that these buffers
are active again.
closes#1481
Change-Id: I57181ba1655fd781a7c543ee31aa67fd179ba89b
This eliminates a spurious false warning log message for rejected
streams that use a dummy payload type
Change-Id: Id628cafb8d7c4ea576cd01ff35f5dd9cd2151280
Since we're already doing the full parsing of the request flags, use the
same function to parse all required flags
Change-Id: I0880ccbbbc36eae7b172440ce51afc1c544583a1
Guillem Jover
Victor Seva
Michael Prokop
Richard Fuchs
Stefan Mititelu
Chris Lamb
Nick Hainke
Sipwise Jenkins Builder
szcom