[Freeswitch-users] Compiling under SmartOS

Stanislav Sinyagin ssinyagin at gmail.com
Thu Sep 10 02:57:00 MSD 2015


My patches are now in master, so FreeSWITCH can be compiled under any
of the Solaris derivatives.

The -u option will not work in current FreeSWITCH on any of the Solaris
derivatives, regardless of whether it's in a zone or not: the -u option
causes it to execute setuid() to switch to the unprivileged user. But the
problem is that setuid() sets the effective set of privileges to
"basic", and "proc_clock_highres" is not included, even though it is
allowed for the process.

This piece illustrates this behavior:

[root@fs01 ~]# perl -e 'use POSIX; setuid(1000); system("ppriv \$\$")'
4079:   ppriv 4079
flags = <none>
        E: basic
        I: basic
        P: basic
        L: basic,contract_event,contract_identity,contract_observer,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_lock_memory,proc_owner,proc_prioup,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_fs_import,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource


So, switch_core.c needs to be modified to utilize setpflags() and
setppriv() if we are under Solaris, and assign "proc_clock_highres" to
the process before the timer is initialized. I will propose the patch
within a month or so.

FreeSWITCH runs fine as root.





On Tue, Sep 8, 2015 at 11:54 PM, Stanislav Sinyagin <ssinyagin at gmail.com> wrote:
> Darren,
>
> if the zone has the proc_clock_highres privilege, you can assign it to
> the freeswitch user:
>   usermod -K defaultpriv=basic,proc_clock_highres frsw
>
> after that, under "su - frsw", FreeSWITCH can start.
>
> But launching it as root with "-u frsw -g frsw" causes the same
> coredump, as timerfd is unavailable for some reason. This needs
> further investigation.
>
> Also inside a zone, -rp does not have any effect on the process
> priority, because this needs another privilege: PRIV_PROC_PRIOUP or
> PRIV_PROC_PRIOCNTL  (see privileges(5)).
>
> So, there are still obstacles, but we're getting there slowly. But it
> looks like you anyway have to have administrative access to the global
> zone in order to run FreeSWITCH in a SmartOS zone. So, hosting it at
> Joyent doesn't look realistic. Still, it's a very attractive platform
> because of its lightweight zones and nice network performance and
> built-in ZFS. Soon I will have a test physical server with SmartOS in
> my lab, and I can let the interested people access it and test or play
> around.
>
> cheers,
> stanislav
>
>
>
>
>
> On Tue, Sep 8, 2015 at 6:59 PM, Support <support at directvoip.co.uk> wrote:
>> Stanislav,
>>
>> Yes I did use that to get it going but then found that only worked as root.
>>
>> Also, I know for myself, who was in control of the global zone, that this
>> was a workaround but it was quickly pointed out to me by community members
>> that this is just a workaround as those just using for example Joyent cloud
>> or any zone other than on their own server would probably never be given
>> access to the high res clock.
>>
>> Regards
>> Darren
>>
>> ________________________________
>> From: Stanislav Sinyagin [mailto:ssinyagin at gmail.com]
>> To: FreeSWITCH Users Help [mailto:freeswitch-users at lists.freeswitch.org]
>> Sent: Tue, 08 Sep 2015 16:49:01 +0000
>>
>> Subject: Re: [Freeswitch-users] Compiling under SmartOS
>>
>> phew, it started finally.
>>
>> The correct string is "limit_priv": "default,proc_clock_highres"
>>
>> After vmadm update, you need to reboot the zone, in order for new
>> permissions to propagate to its processes.
>>
>>
>>
>>
>> On Tue, Sep 8, 2015 at 5:38 PM, Stanislav Sinyagin <ssinyagin at gmail.com>
>> wrote:
>>> no, my bad, it's still failing on the timer. I'll spend some time on
>>> it. Feel free to contact me directly on skype or google hangouts or
>>> telegram
>>>
>>> On Tue, Sep 8, 2015 at 5:27 PM, Stanislav Sinyagin <ssinyagin at gmail.com>
>>> wrote:
>>>> actually the answer about the timer was given in that same chat where
>>>> you took part:
>>>> http://echelog.com/logs/browse/smartos/1438293600
>>>>
>>>> I added the following line to the VM manifest json, and then did "vmadm
>>>> update":
>>>>
>>>> "limit_priv": "default,-proc_clock_highres"
>>>>
>>>> Now it doesn't complain about the timer. But the master branch still
>>>> coredumps for some other reason :)
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Sep 8, 2015 at 3:42 PM, Support <support at directvoip.co.uk> wrote:
>>>>> Stanislav,
>>>>>
>>>>> I cannot help with this, my skills don't reach that far but I can point
>>>>> you
>>>>> in the right direction.
>>>>>
>>>>> I had the same problem and it seems to be related to something called
>>>>> timerfd. Using the ppriv command you can see freeswitch is wanting
>>>>> access to
>>>>> the high res clock, something not available to smartos zones with the
>>>>> default privileges.
>>>>>
>>>>> I did manage to mess with the smartos privileges and get it to run at
>>>>> one
>>>>> time but it was only when running as root.
>>>>>
>>>>> If you actually used an older version of smartos, I think the one I used
>>>>> is
>>>>> dated around January this year, then it will compile fine and use some
>>>>> sort
>>>>> of other timing method.
>>>>>
>>>>> This timerfd thing relates to freeswitch finding a file called
>>>>> timerfd.h that didn't appear in smartos zones until about March this
>>>>> year,
>>>>> something to do with lx brand I think.
>>>>>
>>>>> I have just looked and the smartos version that will compile is
>>>>> 20150108T111855Z, obviously it would be better on the newer.
>>>>>
>>>>> Compiling on the above smartos version and then running it on newer is
>>>>> no
>>>>> problem which is what I ended up doing.
>>>>>
>>>>> Hope this helps
>>>>>
>>>>> Regards
>>>>> Darren
>>>>>
>>>>> ________________________________
>>>>> From: Stanislav Sinyagin [mailto:ssinyagin at gmail.com]
>>>>> To: FreeSWITCH Users Help [mailto:freeswitch-users at lists.freeswitch.org]
>>>>> Sent: Tue, 08 Sep 2015 07:55:37 +0000
>>>>> Subject: Re: [Freeswitch-users] Compiling under SmartOS
>>>>>
>>>>>
>>>>> See the update at https://freeswitch.org/jira/browse/FS-7967
>>>>>
>>>>> I fixed the compilation problems, and now there's a runtime issue.
>>>>>
>>>>> On Mon, Aug 17, 2015 at 10:40 AM, Stanislav Sinyagin
>>>>> <ssinyagin at gmail.com> wrote:
>>>>>> I see there are some people on the list, working with SmartOS.
>>>>>>
>>>>>> The current master fails to compile:
>>>>>> https://freeswitch.org/jira/browse/FS-7967
>>>>>>
>>>>>> Your input will be appreciated.
>>>>>>
>>>>>> I just started looking around and getting the feeling what SmartOS is.
>>>>>> I worked with Solaris quite a lot, but that was almost 10 years ago.
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
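
Added example, not part of the original thread or of FreeSWITCH: a pre-start check that parses ppriv output and reports whether a privilege such as proc_clock_highres is effective, only allowed by the limit set (the state shown after setuid() in the message above), or absent. The function name priv_state and both sample outputs are constructed for illustration; set names are matched literally, so an abbreviated set such as "basic" only matches itself.

```shell
#!/bin/sh
# Added example. Reads `ppriv <pid>` output on stdin and reports where the
# named privilege sits among the E (effective), P (permitted), L (limit) sets.
priv_state() {
    awk -v want="$1" '
        # 1 if the comma-separated set names the privilege (or is "all")
        function has(list,    n, i, a) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == want || a[i] == "all") return 1
            return 0
        }
        $1 == "E:" { e = has($2) }
        $1 == "P:" { p = has($2) }
        $1 == "L:" { l = has($2) }
        END {
            if (e)      print "effective"       # usable right now
            else if (p) print "permitted-only"  # held, not switched on
            else if (l) print "limit-only"      # allowed by L, not held
            else        print "absent"          # not in L either
        }'
}

# Constructed sample: the ppriv output from the post, with L shortened.
sample_after_setuid() {
    cat <<'EOF'
4079:   ppriv 4079
flags = <none>
        E: basic
        I: basic
        P: basic
        L: basic,file_chown,proc_clock_highres,proc_setid,sys_resource
EOF
}

# Constructed sample: a user given defaultpriv=basic,proc_clock_highres.
sample_with_defaultpriv() {
    cat <<'EOF'
4102:   ppriv 4102
flags = <none>
        E: basic,proc_clock_highres
        I: basic,proc_clock_highres
        P: basic,proc_clock_highres
        L: basic,file_chown,proc_clock_highres,proc_setid,sys_resource
EOF
}

sample_after_setuid     | priv_state proc_clock_highres
sample_with_defaultpriv | priv_state proc_clock_highres
```

On a live system the input comes from ppriv itself, for instance "ppriv $$ | priv_state proc_clock_highres" in the shell that will start FreeSWITCH.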


