By default we use /var/spool/rtpengine as recording directory,
so ensure we have R/W access to it.
Change-Id: I4abf4df218b1ba0dc70ed8974c0661d16e0b6ea7
(cherry picked from commit 26bf2b05a5)
Now that we run as non-root user by default, we didn't have
proper capabilities for still running under root user.
Document what's required to do so.
NOTE: related to TT#157800 (rtpengine: run as non-root) and
TT#76552 (systemd hardening)
Change-Id: Ie9f44bb75dc63cd407b27faab2219647d079359e
(cherry picked from commit 81a9366f49)
* Use an explicitly created global event loop
* Await websocket connection closure
Relevant to #1497
Change-Id: I600189f5383ca7e5da8b45460508c1ddcddede0b
(cherry picked from commit 5d33a420a6)
The codec answer routine resets the codec storage and so also resets the
clock rate tracker for "touched" codecs. This leads to all codecs seen
as "not touched" in the answer routine, which in turn leads to
supplemental codecs present in the answer SDP that should not be there.
Use the "for transcoding" flag for previously present codecs to retain
the "touched" status across the codec answer routine.
Change-Id: Idc4624606f7f10d7983e22ddf856432b07421157
Instead of having to rely on external repositories (like the
ubuntu-cloud-archive/yoga-staging PPA for the debhelper v13 backport),
let's use the pkg script instead. The pkg scripts ensure that the
debian/ directory looks as expected for the according distribution. So
for executing coverity + unit-tests in the Ubuntu/focal / ubuntu-20.04
environment on GitHub, let's use pkg/deb/backports/focal for generating
the according Debian source tree.
Related change in pkg: make `wrap-and-sort` execution optional. We don't
have devscripts installed by default in Ubuntu/focal / ubuntu-20.04
environment on GitHub, while usage of wrap-and-sort can be considered
optional for our purposes.
Change-Id: Ic252b323408fab557e3f151a93f61aa8fac1a30f
(cherry picked from commit b657af1905)
ubuntu-20.04 + ubuntu-latest (currently also pointing at 20.04) don't
provide debhelper v13 (required for debhelper-compat (= 13)), therefore
our workflow fails with:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
So enable the ubuntu-cloud-archive/yoga-staging PPA,
which provides a backport of debhelper v13:
https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/yoga-staging/+packages
and fixes our failing unity + coverity builds on github.
While at it, using apt-get with `-qq` displays only the following
message on package installation problems:
| E: Unable to correct problems, you have held broken packages.
Whereas with `-q`, we get the actual underlying problem, being:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
Change-Id: I67439a8f2f27e902710af43ff52599c8a58a5f98
(cherry picked from commit 21665902ab)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012766
> Whilst working on the Reproducible Builds effort [0] we noticed that
> rtpengine could not be built reproducibly.
>
> Whilst it did use the value from debian/changelog, the RELEASE_DATE
> variable changed due to underlying system timezone setting. A patch
> is attached that passes -u/--utc to the call to date(1).
>
> [0] https://reproducible-builds.org/
(cherry picked from commit 821fbf7644)
Change-Id: I334fef661a55af6e7af246749cb17980b3dde7c3
When doing the initial answer, the packet_stream endpoint port isn't
filled in yet. Use the stream_params port instead to test for rejected
streams.
closes #1499
Change-Id: I8f315d95521f874fb8c5e6222263d017800b5fc9
(cherry picked from commit 447f0f52d0)
When ports are closed early (while the call is still running), we must
first update a slave rtpengine with this new information (that these
ports are now closed) before actually releasing the ports ourselves. Not
doing so leads to a race condition where the master instance re-uses a
port that was just closed before the slave instance knows about the port
being closed.
We implement this using a thread-local list to keep track of ports that
were released while processing a control message, and process this list
to actually close the ports only after Redis has been updated.
Additional calls to the function to close the ports are placed in
strategic locations to make sure this is triggered in every code path.
closes #1495
Change-Id: I803f4594f30ca315da0b84c6e76893f54ca3a7c9
(cherry picked from commit 17bda4b1e8)
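The ordering described in the commit message above, as an added example that is not rtpengine's own code: a constructed model in which ports released during one control message are collected in a thread-local list and only returned to the pool after the replication step. All names (`defer_port_release`, `replicate_closed_ports`, `flush_pending_ports`, the two state arrays) are hypothetical, and the Redis update is replaced by a stand-in function.

```c
#include <stdbool.h>
#include <stddef.h>
#define MAX_PENDING 16

static bool port_free[65536];       /* master: port is back in the free pool */
static bool replica_in_use[65536];  /* replica: port still believed in use */

/* Per-thread list of ports released while handling one control message. */
static _Thread_local unsigned short pending[MAX_PENDING];
static _Thread_local size_t pending_len;

/* Record the port only; it is not yet returned to the pool. */
static bool defer_port_release(unsigned short port) {
    if (pending_len == MAX_PENDING) return false;
    pending[pending_len++] = port;
    return true;
}

/* Stand-in for the Redis update that tells the replica the ports closed. */
static void replicate_closed_ports(void) {
    for (size_t i = 0; i < pending_len; i++) replica_in_use[pending[i]] = false;
}

/* Return the deferred ports to the pool; call only after replication. */
static size_t flush_pending_ports(void) {
    size_t n = pending_len;
    for (size_t i = 0; i < n; i++) port_free[pending[i]] = true;
    pending_len = 0;
    return n;
}

/* The race window: master may re-allocate a port the replica thinks is busy. */
static bool reuse_window_open(unsigned short port) {
    return port_free[port] && replica_in_use[port];
}

/* Close a port early; deferred=false frees it before replication (old order). */
static bool close_port_early(unsigned short port, bool deferred) {
    port_free[port] = false; replica_in_use[port] = true;  /* port in use */
    defer_port_release(port);
    if (!deferred) port_free[port] = true;      /* old order: freed at once */
    bool window = reuse_window_open(port);      /* checked before replication */
    replicate_closed_ports();
    flush_pending_ports();
    return window || reuse_window_open(port);
}

int main(void) {
    return close_port_early(30000, true) ? 1 : 0;  /* 0: no race window */
}
```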
Despite this code being called from userspace, we must disable
interrupts while having ssrc_stats_lock acquired, as the same lock is
acquired elsewhere from within an interrupt context.
closes #1492
Change-Id: Ia6f31eb876ee98ad355d12f9361cbc068d008608
In commit a4ee01d27f we switched to debhelper compat level 13.
debhelper v13 isn't available in (plain) Debian buster,
and therefore the Debian pipeline for buster fails with:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
Since we updated packaging for bullseye, also adapt the GitHub
actions / workflow accordingly.
Change-Id: I411a6ab16ee48c5c5fc1ca43c58c016df83e1ff7
ngcp-rtpengine-daemon service state BEFORE this change:
| $ sudo systemd-analyze security ngcp-rtpengine-daemon | tail -1
| → Overall exposure level for ngcp-rtpengine-daemon.service: 9.3 UNSAFE 😨
ngcp-rtpengine-daemon service state AFTER this change:
| $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-rtpengine-daemon | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special … 0.1
| ✗ IPAddressDeny= Service does not define an IP address allow… 0.2
| ✗ SystemCallFilter=~@privileged System call allow list defined for service,… 0.2
| ✗ SystemCallFilter=~@resources System call allow list defined for service,… 0.2
| ✗ AmbientCapabilities= Service process receives ambient capabiliti… 0.1
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directo… 0.1
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
| ✗ ProcSubset= Service has full access to non-process /pro… 0.1
|
| → Overall exposure level for ngcp-rtpengine-daemon.service: 1.4 OK 🙂
As of systemd v247.3-7.
Change-Id: I1bc2a82b0b9a945a3fa25f3e35d1b751ee0e4041
These packages do not provide architecture-specific interfaces. The only
problematic one is the kernel module, which requires a matching kernel
where to run on, independently of the userland. In addition the kernel
interface is arch-specific so running, say, a 64-bit kernel and module
and a 32-bit userland will not work.
Change-Id: Ic7327e422ec6f2e3cd4145b8ae172db9149287b4
We have had DKMS support for a long time, which is easier to integrate
to, and manage as a user. As we have not been testing module-assistant
support and it's redundant with the DKMS support, let's just remove it.
Change-Id: Iff546a4a333a2e4e48fbc1e49fecee9bab3a0138
This prevents empty mixed output files from being created when mixed
output is enabled in the config but recording isn't active for that
call.
Change-Id: I66ead89dc8a7ea80b81164b3e24d997b0df5f37e
Provide a standard output format if no other outputs are configured, so
that the decoder has something to work with. Applicable to TLS-send-only
scenarios without recording.
Change-Id: I627bb7af3f3033e1025009c21a4da6991e491dcf
DTX and delay buffers and their timers are shut down during the codec
negotiation phase, which also happens for the offer side while
processing an answer. If the codec negotiation routine determines that
the existing codec handlers can be kept intact, we must restart the DTX
and delay buffers that have previously been shut down.
Buffer objects are never freed during a shutdown, therefore we simply
need to restore the contained references to indicate that these buffers
are active again.
closes #1481
Change-Id: I57181ba1655fd781a7c543ee31aa67fd179ba89b
This eliminates a spurious false warning log message for rejected
streams that use a dummy payload type.
Change-Id: Id628cafb8d7c4ea576cd01ff35f5dd9cd2151280
Since we're already doing the full parsing of the request flags, use the
same function to parse all required flags.
Change-Id: I0880ccbbbc36eae7b172440ce51afc1c544583a1