[Freeswitch-users] Compiling under SmartOS

Stanislav Sinyagin ssinyagin at gmail.com
Tue Sep 15 17:59:45 MSD 2015


I'm making some progress, but still some things aren't working as expected:
https://goo.gl/514jCK

The daemon now takes granular control of its privileges, so the -u option
is working correctly so far. I probably need to add the
PRIV_FILE_DAC_SEARCH privilege, because some strange side effects pop
up when a directory cannot be listed because it belongs to a
different user.

Where I'm stuck is the -rp option: the daemon tries to adjust its
scheduler, but fails even if the PRIV_PROC_PRIOCNTL privilege is given to
the zone.

I'll dig slowly through it, but if there's someone familiar with
Solaris privileges, that would probably help.

cheers,
stanislav


On Thu, Sep 10, 2015 at 10:39 AM, Stanislav Sinyagin
<ssinyagin at gmail.com> wrote:
> wiki is updated:
> https://freeswitch.org/confluence/display/FREESWITCH/SmartOS
>
> On Thu, Sep 10, 2015 at 6:47 AM, Stanislav Sinyagin <ssinyagin at gmail.com> wrote:
>> I saw the profiles binding to TCP 5080 and 5060 (UDP too).
>>
>> On Sep 10, 2015 1:15 AM, "Support" <support at directvoip.co.uk> wrote:
>>>
>>> Stanislav,
>>>
>>> Great progress you have made there, I returned to Debian myself but I
>>> believe quite a few smartos guys are running older versions.
>>>
>>> I'll spin up a smartos box and see if master resolves the issue that was
>>> the killer for me: https://freeswitch.org/jira/browse/FS-7991
>>>
>>> Sip handsets had no problem with TCP but it just wouldn't send through a
>>> gateway using TCP.
>>>
>>> Thanks for everything so far.
>>>
>>> Regards
>>> Darren
>>>
>>> ________________________________
>>> From: Stanislav Sinyagin [mailto:ssinyagin at gmail.com]
>>> To: FreeSWITCH Users Help [mailto:freeswitch-users at lists.freeswitch.org]
>>> Sent: Wed, 09 Sep 2015 23:57:00 +0000
>>> Subject: Re: [Freeswitch-users] Compiling under SmartOS
>>>
>>> My patches are now in master, so FreeSWITCH can be compiled under any
>>> of Solaris derivatives.
>>>
>>> The -u option will not work in current FreeSWITCH on any of the Solaris
>>> derivatives, regardless of whether it's in a zone or not: the -u option
>>> causes it to execute setuid() to switch to the unprivileged user. But
>>> the problem is that setuid() sets the effective set of privileges to
>>> "basic", and "proc_clock_highres" is not included, even though it is
>>> allowed for the process.
>>>
>>> This piece illustrates this behavior:
>>>
>>> [root at fs01 ~]# perl -e 'use POSIX; setuid(1000); system("ppriv \$\$")'
>>> 4079: ppriv 4079
>>> flags = <none>
>>> E: basic
>>> I: basic
>>> P: basic
>>> L:
>>> basic,contract_event,contract_identity,contract_observer,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_lock_memory,proc_owner,proc_prioup,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_fs_import,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource
>>>
>>>
>>> So, switch_core.c needs to be modified to utilize setpflags() and
>>> setppriv() if we are under Solaris, and assign "proc_clock_highres" to
>>> the process before the timer is initialized. I will propose the patch
>>> within a month or so.
>>>
>>> FreeSWITCH runs fine as root.
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Sep 8, 2015 at 11:54 PM, Stanislav Sinyagin <ssinyagin at gmail.com>
>>> wrote:
>>> > Darren,
>>> >
>>> > if the zone has the proc_clock_highres privilege, you can assign it to
>>> > the freeswitch user:
>>> > usermod -K defaultpriv=basic,proc_clock_highres frsw
>>> >
>>> > after that, under "su - frsw", FreeSWITCH can start.
>>> >
>>> > But launching it as root with "-u frsw -g frsw" causes the same
>>> > coredump, as timerfd is unavailable for some reason. This needs
>>> > further investigation.
>>> >
>>> > Also inside a zone, -rp does not have any effect on the process
>>> > priority, because this needs another privilege: PRIV_PROC_PRIOUP or
>>> > PRIV_PROC_PRIOCNTL (see privileges(5)).
>>> >
>>> > So, there are still obstacles, but we're getting there slowly. But it
>>> > looks like you have to have administrative access to the global zone
>>> > anyway in order to run FreeSWITCH in a SmartOS zone. So, hosting it at
>>> > Joyent doesn't look realistic. Still, it's a very attractive platform
>>> > because of its lightweight zones and nice network performance and
>>> > built-in ZFS. Soon I will have a test physical server with SmartOS in
>>> > my lab, and I can let the interested people access it and test or play
>>> > around.
>>> >
>>> > cheers,
>>> > stanislav
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Tue, Sep 8, 2015 at 6:59 PM, Support <support at directvoip.co.uk>
>>> > wrote:
>>> >> Stanislav,
>>> >>
>>> >> Yes I did use that to get it going but then found that only worked as
>>> >> root.
>>> >>
>>> >> Also, I know for myself, who was in control of the global zone, that
>>> >> this was a workaround, but it was quickly pointed out to me by
>>> >> community members that this is just a workaround, as those just using,
>>> >> for example, Joyent cloud or any zone other than on their own server
>>> >> would probably never be given access to the high-res clock.
>>> >>
>>> >> Regards
>>> >> Darren
>>> >>
>>> >> ________________________________
>>> >> From: Stanislav Sinyagin [mailto:ssinyagin at gmail.com]
>>> >> To: FreeSWITCH Users Help
>>> >> [mailto:freeswitch-users at lists.freeswitch.org]
>>> >> Sent: Tue, 08 Sep 2015 16:49:01 +0000
>>> >>
>>> >> Subject: Re: [Freeswitch-users] Compiling under SmartOS
>>> >>
>>> >> phew, it started finally.
>>> >>
>>> >> The correct string is "limit_priv": "default,proc_clock_highres"
>>> >>
>>> >> After vmadm update, you need to reboot the zone, in order for new
>>> >> permissions to propagate to its processes.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> On Tue, Sep 8, 2015 at 5:38 PM, Stanislav Sinyagin
>>> >> <ssinyagin at gmail.com>
>>> >> wrote:
>>> >>> no, my bad, it's still failing on the timer. I'll spend some time on
>>> >>> it. Feel free to contact me directly on skype or google hangouts or
>>> >>> telegram
>>> >>>
>>> >>> On Tue, Sep 8, 2015 at 5:27 PM, Stanislav Sinyagin
>>> >>> <ssinyagin at gmail.com>
>>> >>> wrote:
>>> >>>> actually the answer about the timer was given in that same chat where
>>> >>>> you took part:
>>> >>>> http://echelog.com/logs/browse/smartos/1438293600
>>> >>>>
>>> >>>> I added the following line to the VM manifest json, and then did
>>> >>>> "vmadm update":
>>> >>>>
>>> >>>> "limit_priv": "default,-proc_clock_highres"
>>> >>>>
>>> >>>> Now it doesn't complain about the timer. But the master branch still
>>> >>>> coredumps for some other reason :)
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> On Tue, Sep 8, 2015 at 3:42 PM, Support <support at directvoip.co.uk>
>>> >>>> wrote:
>>> >>>>> Stanislav,
>>> >>>>>
>>> >>>>> I cannot help with this, my skills don't reach that far, but I can
>>> >>>>> point you in the right direction.
>>> >>>>>
>>> >>>>> I had the same problem and it seems to be related to something
>>> >>>>> called timerfd. Using the ppriv command you can see freeswitch is
>>> >>>>> wanting access to the high-res clock, something not available to
>>> >>>>> smartos zones with the default privileges.
>>> >>>>>
>>> >>>>> I did manage to mess with the smartos privileges and get it to run
>>> >>>>> at one time, but it was only when running as root.
>>> >>>>>
>>> >>>>> If you actually used an older version of smartos, I think the one I
>>> >>>>> used is dated around January this year, then it will compile fine
>>> >>>>> and use some sort of other timing method.
>>> >>>>>
>>> >>>>> This timerfd thing relates to freeswitch finding a file called
>>> >>>>> timerfd.h that didn't appear in smartos zones until about March this
>>> >>>>> year, something to do with lx brand I think.
>>> >>>>>
>>> >>>>> I have just looked and the smartos version that will compile is
>>> >>>>> 20150108T111855Z, obviously it would be better on the newer.
>>> >>>>>
>>> >>>>> Compiling on the above smartos version and then running it on newer
>>> >>>>> is no problem, which is what I ended up doing.
>>> >>>>>
>>> >>>>> Hope this helps
>>> >>>>>
>>> >>>>> Regards
>>> >>>>> Darren
>>> >>>>>
>>> >>>>> ________________________________
>>> >>>>> From: Stanislav Sinyagin [mailto:ssinyagin at gmail.com]
>>> >>>>> To: FreeSWITCH Users Help
>>> >>>>> [mailto:freeswitch-users at lists.freeswitch.org]
>>> >>>>> Sent: Tue, 08 Sep 2015 07:55:37 +0000
>>> >>>>> Subject: Re: [Freeswitch-users] Compiling under SmartOS
>>> >>>>>
>>> >>>>>
>>> >>>>> See the update at https://freeswitch.org/jira/browse/FS-7967
>>> >>>>>
>>> >>>>> I fixed the compilation problems, and now there's a runtime issue.
>>> >>>>>
>>> >>>>> On Mon, Aug 17, 2015 at 10:40 AM, Stanislav Sinyagin
>>> >>>>> <ssinyagin at gmail.com> wrote:
>>> >>>>>> I see there are some people on the list, working with SmartOS.
>>> >>>>>>
>>> >>>>>> The current master fails to compile:
>>> >>>>>> https://freeswitch.org/jira/browse/FS-7967
>>> >>>>>>
>>> >>>>>> Your input will be appreciated.
>>> >>>>>>
>>> >>>>>> I just started looking around and getting a feeling for what SmartOS
>>> >>>>>> is. I worked with Solaris quite a lot, but that was almost 10 years
>>> >>>>>> ago.
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> _________________________________________________________________________
>>> >>>>> Professional FreeSWITCH Consulting Services:
>>> >>>>> consulting at freeswitch.org
>>> >>>>> http://www.freeswitchsolutions.com
>>> >>>>>
>>> >>>>> Official FreeSWITCH Sites
>>> >>>>> http://www.freeswitch.org
>>> >>>>> http://confluence.freeswitch.org
>>> >>>>> http://www.cluecon.com
>>> >>>>>
>>> >>>>> FreeSWITCH-users mailing list
>>> >>>>> FreeSWITCH-users at lists.freeswitch.org
>>> >>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> >>>>>
>>> >>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> >>>>> http://www.freeswitch.org
>>> >>>>>

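An added example for the privilege mechanics discussed in this thread (my own code, not FreeSWITCH's switch_core.c and not Stanislav's patch). It does two things: ppriv_has() parses ppriv(1)-style output like the block quoted above and says whether a privilege sits in E, I, P or L, so you can tell "not in E but still in L, retainable" from "not in L, needs limit_priv in the zone manifest and a zone reboot"; drop_privs_keep_highres() is the Solaris/illumos-only sequence (guarded by __sun, so it is not compiled anywhere else) that goes privilege-aware with setpflags() before setuid() and then trims I, E and P to basic plus proc_clock_highres with setppriv(). The function names, return codes and the sample ppriv text (constructed from the sets shown in the post, with the L: line wrapped the same way) are mine; the calls in the __sun branch are the documented <priv.h> API.

```c
/* privcheck.c: added example for this thread, not FreeSWITCH code.
 * ppriv_has() parses ppriv(1) output; drop_privs_keep_highres() is the
 * Solaris-only root drop that keeps proc_clock_highres.  Build: cc -o privcheck privcheck.c */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#if defined(__sun)
#include <priv.h>
#include <sys/priv_names.h>   /* PRIV_PROC_CLOCK_HIGHRES = "proc_clock_highres" */
#endif

/* Constructed sample modelled on the post's ppriv output after setuid(): E/I/P
 * collapsed to "basic", L (wrapped to the next line, as in the post) still lists proc_clock_highres. */
static const char *SAMPLE_PPRIV =
    "4079:\tppriv 4079\nflags = <none>\n"
    "\tE: basic\n\tI: basic\n\tP: basic\n\tL:\n"
    "basic,contract_event,file_dac_search,net_privaddr,proc_clock_highres,"
    "proc_prioup,sys_resource\n";

/* 1 if `name` is a member of set `which` ('E','I','P','L'), 0 if the set is present
 * without it, -1 if the set never appears.  "basic" is matched as the literal token ppriv prints. */
int ppriv_has(const char *text, char which, const char *name)
{
    char cur = 0;                       /* set whose members we are reading */
    int seen = 0, found = 0;
    const char *p = text;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *next = eol ? eol + 1 : p + len;
        const char *s = p;

        while (len && isspace((unsigned char)*s)) { s++; len--; }
        if (len >= 2 && strchr("EIPL", s[0]) && s[1] == ':') {
            cur = s[0]; s += 2; len -= 2;   /* "X:" header; members may follow here or on the next line */
            if (cur == which) seen = 1;
        } else if (!cur) {
            p = next;                       /* preamble: pid line, flags */
            continue;
        }
        if (cur == which) {                 /* comma-separated member list */
            const char *t = s;
            while (len) {
                while (len && (*t == ',' || isspace((unsigned char)*t))) { t++; len--; }
                const char *start = t;
                while (len && *t != ',' && !isspace((unsigned char)*t)) { t++; len--; }
                if ((size_t)(t - start) == strlen(name) &&
                    strncmp(start, name, (size_t)(t - start)) == 0)
                    found = 1;
            }
        }
        p = next;
    }
    return seen ? found : -1;
}

/* Drop root to uid/gid but keep proc_clock_highres in I/E/P, which a plain setuid() on
 * Solaris does not (E and P fall back to basic).  0 on success, -1 with errno set; ENOSYS stub off Solaris. */
int drop_privs_keep_highres(uid_t uid, gid_t gid)
{
#if defined(__sun)
    priv_set_t *limit = priv_allocset(), *want = priv_allocset();
    int rc = -1;

    if (!limit || !want) goto out;
    /* L is the zone's limit_priv ceiling; nothing inside the zone can add a privilege missing from it. */
    if (getppriv(PRIV_LIMIT, limit) != 0) goto out;
    if (!priv_ismember(limit, PRIV_PROC_CLOCK_HIGHRES)) { errno = EPERM; goto out; }
    /* Privilege-aware mode: the uid change below no longer rewrites E and P. */
    if (setpflags(PRIV_AWARE, 1) != 0) goto out;
    if (setgid(gid) != 0 || setuid(uid) != 0) goto out;
    /* Target: basic plus the single privilege the high-res timer needs. */
    priv_basicset(want);
    if (priv_addset(want, PRIV_PROC_CLOCK_HIGHRES) != 0) goto out;
    /* Shrink I (must stay a subset of P), then E, then P, to exactly that set. */
    if (setppriv(PRIV_SET, PRIV_INHERITABLE, want) != 0 ||
        setppriv(PRIV_SET, PRIV_EFFECTIVE, want) != 0 ||
        setppriv(PRIV_SET, PRIV_PERMITTED, want) != 0) goto out;
    rc = 0;
out:
    if (limit) priv_freeset(limit);
    if (want) priv_freeset(want);
    return rc;
#else
    (void)uid; (void)gid;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    int e = ppriv_has(SAMPLE_PPRIV, 'E', "proc_clock_highres");
    int l = ppriv_has(SAMPLE_PPRIV, 'L', "proc_clock_highres");
    if (e == 1)      puts("proc_clock_highres is effective: the timer can use it");
    else if (l == 1) puts("only in L: retainable with setpflags()/setppriv() around setuid()");
    else             puts("not in L: add it to the zone's limit_priv and reboot the zone");
    return 0;
}
```

Order matters in the Solaris branch: setpflags(PRIV_AWARE, 1) has to come before setuid(), because the uid change itself is what resets E and P to basic, and once P has shrunk nothing can put proc_clock_highres back. The early getppriv(PRIV_LIMIT) check is what fails in a zone whose limit_priv omits the privilege, which is the hosted-zone case Darren describes; no setppriv() inside the zone gets past L.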

