rtpengine

Commit Graph

Author	SHA1	Message	Date
Richard Fuchs	48cbb29371	MT#61822 support FS cache for DB media Change-Id: I1dd390843f4b02eb64587673d33b9291bd9acac1	11 months ago
Richard Fuchs	794f8e3c01	MT#57371 nftables support closes #984 Change-Id: I6b63165bcd5b2ab8c60391cc1d2c9fdc18a40121	2 years ago
Richard Fuchs	7200c7af64	MT#55283 actually grant the capabilities Capabilities listed in the ambient set must also be included in the bounding set. Change-Id: I172bd30c9fbe488574e9cc015ba552e805c95fe6	2 years ago
Michael Prokop	fd2dfd0b6a	TT#182450 systemd: allow LimitMEMLOCK usage for secure memory usage by libgcrypt Fixes: \| Warning: using insecure memory! as triggered via libgcrypt, see https://sources.debian.org/src/libgcrypt20/1.10.1-2/src/secmem.c/?#L283 Let's use 8388608 AKA 8MB as default, as present in systemd versions 251 and newer, see commit: \| commit 852b62507b22c0a986032a2c9fa9cc464a5b7bd2 \| Author: Lennart Poettering <lennart@poettering.net> \| Date: Thu Mar 10 13:22:57 2022 +0100 \| \| pid1,nspawn: raise default RLIMIT_MEMLOCK to 8M \| \| This mirrors a similar check in Linux kernel 5.16 \| (9dcc38e2813e0cd3b195940c98b181ce6ede8f20) that raised the \| RLIMIT_MEMLOCK to 8M. \| \| This change does two things: raise the default limit for nspawn \| containers (where we try to mimic closely what the kernel does), and \| bump it when running on old kernels which still have the lower setting. \| \| Fixes: #16300 \| See: https://lwn.net/Articles/876288/ Change-Id: I56f6d173d316386501ce8b13cc7a8ad6bea4ed26	4 years ago
Michael Prokop	26bf2b05a5	TT#182450 systemd hardening: allow R/W access to /var/spool/rtpengine By default we use /var/spool/rtpengine as recording directory, so ensure we have R/W access to it. Change-Id: I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7	4 years ago
Michael Prokop	81a9366f49	TT#182450 systemd hardening: mention required capabilities when running as root Now that we run as non-root user by default, we didn't have proper capabilities for still running under root user. Document, what's required to do so. NOTE: related to TT#157800 (rtpengine: run as non-root) and TT#76552 (systemd hardening) Change-Id: Ie9f44bb75dc63cd407b27faab2219647d079359e	4 years ago
Michael Prokop	3f1a3d5d6c	TT#76552 Harden ngcp-rtpengine-daemon service ngcp-rtpengine-daemon service state BEFORE this change: \| $ sudo systemd-analyze security ngcp-rtpengine-daemon \| tail -1 \| → Overall exposure level for ngcp-rtpengine-daemon.service: 9.3 UNSAFE 😨 ngcp-rtpengine-daemon service state AFTER this change: \| $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-rtpengine-daemon \| grep -v '✓' \| NAME DESCRIPTION EXPOSURE \| ✗ PrivateNetwork= Service has access to the host's network 0.5 \| ✗ RestrictAddressFamilies=~AF_(INET\|INET6) Service may allocate Internet sockets 0.3 \| ✗ DeviceAllow= Service has a device ACL with some special … 0.1 \| ✗ IPAddressDeny= Service does not define an IP address allow… 0.2 \| ✗ SystemCallFilter=~@privileged System call allow list defined for service,… 0.2 \| ✗ SystemCallFilter=~@resources System call allow list defined for service,… 0.2 \| ✗ AmbientCapabilities= Service process receives ambient capabiliti… 0.1 \| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 \| ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1 \| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 \| ✗ ProcSubset= Service has full access to non-process /pro… 0.1 \| \| → Overall exposure level for ngcp-rtpengine-daemon.service: 1.4 OK 🙂 As of systemd v247.3-7. Change-Id: I1bc2a82b0b9a945a3fa25f3e35d1b751ee0e4041	4 years ago
Richard Fuchs	a3062b5f73	TT#14008 install binaries in /usr/bin Neither main daemons nor auxiliary tools require root privileges to run, therefore they should go into /usr/bin instead of /usr/sbin. Change-Id: I22fd0f4e622df0362a686dfe9e0ce1fb86b43a9e	4 years ago
Richard Fuchs	30c2de8e0f	TT#157800 run rtpengine as non-root ) Create dedicated rtpengine user in postinst and remove it in postrm. ) Use RuntimeDirectory= systemd unit config. ) Use dedicated user for /proc interface and set file umask to hide it from other users. ) Set owner and permissions on default directories used for call recording. Change-Id: I8e225b36d065d46da2489fb8286916371950f490	4 years ago
Richard Fuchs	30c124ff05	TT#124273 use symlinks instead of Install/Alias for aliases The aliases created by systemd under Install/Alias are created and removed as the service is enabled and disabled, and don't serve as generic alias names. Furthermore they seem to linger behind when the package is removed or replaced, which leads to collisions and installation failures when the NGCP-specific package is replaced by the non-NGCP version. Change-Id: I2313ffffb1fa4fb1d570b23113b0618744c58e26	4 years ago
Guillem Jover	111b0a769c	TT#137760 Refactor table fetching into a new helper tool This centralizes the table setting into the respective config files instead of keeping copies all over the place, that can easily get out of sync. Change-Id: I12f3fa172f34861365c31c8d8718b3fae8a9de5b	4 years ago
Richard Fuchs	354f75490d	TT#45617 add no-log-timestamps option Log lines written to stderr that are consumed by journald will already have timestamps added to them. Drop the redundant unixtime output for this use case. Change-Id: I34886a69a0ef90de2eb84ee8f446cbad624302c1	7 years ago
Guillem Jover	048b6ed191	TT#50752 Add ngcp-service aliases in systemd service files These are names used in the ngcp-service nsservices.yml file, adding them here makes using the system more consistent. Change-Id: I66b0149cbfe70d2260a6c50617a52e53604256da	7 years ago
Guillem Jover	96d62c79b3	TT#49106 Switch from /var/run to the modern /run Change-Id: I612a90a0c7fc39156a486085f0026c31d333d88c Warned-by: lintian	7 years ago
Guillem Jover	5ba52952c0	TT#42906 Add systemd notify support Change-Id: Iba046fa3e36654cedb73203eb06a9d768720a6b0	7 years ago
Guillem Jover	79807a9c2e	TT#26264 Use better systemd native units While still not the ideal implementation, this is certainly better than the sysvinit script wrapper. We then will "only" need to move the setup scripts into proper service files later on. Change-Id: I990d6847117a4b91a8365a5e307fd96cf5b1899f	8 years ago
Guillem Jover	1b489bd45d	TT#26264 Fix rtpengine pid file in systemd service Change-Id: I1b7bd31572ff30856bc4d2d31984515c7f3858fa	8 years ago
Guillem Jover	aee2a27c3e	TT#26264 Add systemd service wrappers for the init scripts Properly switching to native systemd service files is too intrusive for these services at this point of the release cycle. Let's use this hack for now, and then convert these to the serveral .service, and .mount units required. Change-Id: I8f66bfd8be5924232bf2c34d42b18d2a332db3ee	8 years ago

18 Commits (master)