[Freeswitch-users] Compiling under SmartOS

Stanislav Sinyagin ssinyagin at gmail.com
Mon Sep 21 13:36:18 MSD 2015


-u, -g, -rp, and -lp are now supported:
https://freeswitch.org/jira/browse/FS-8195

Next step is to create a correct SMF manifest and produce a SmartOS package.

By the way, under what circumstances could the -lp option ever be useful?



On Tue, Sep 15, 2015 at 3:59 PM, Stanislav Sinyagin <ssinyagin at gmail.com> wrote:
> I'm making some progress, but still some things aren't working as expected:
> https://goo.gl/514jCK
>
> The daemon now takes granular control of its privileges, so -u option
> is working correctly so far. I probably need to add
> PRIV_FILE_DAC_SEARCH privilege, because some strange side effects pop
> up when some directory cannot be listed because it belongs to a
> different user.
>
> Where I'm stuck is in -rp option: the daemon tries to adjust its
> scheduler, but fails even if PRIV_PROC_PRIOCNTL privilege is given to
> the zone.
>
> I'll dig slowly through it, but if there's someone familiar with
> Solaris privileges, that would probably help.
>
> cheers,
> stanislav
>
>
> On Thu, Sep 10, 2015 at 10:39 AM, Stanislav Sinyagin
> <ssinyagin at gmail.com> wrote:
>> wiki is updated:
>> https://freeswitch.org/confluence/display/FREESWITCH/SmartOS
>>
>> On Thu, Sep 10, 2015 at 6:47 AM, Stanislav Sinyagin <ssinyagin at gmail.com> wrote:
>>> I saw the profiles binding to TCP 5080 and 5060 (UDP too).
>>>
>>> On Sep 10, 2015 1:15 AM, "Support" <support at directvoip.co.uk> wrote:
>>>>
>>>> Stanislav,
>>>>
>>>> Great progress you have made there, I returned to Debian myself but I
>>>> believe quite a few smartos guys are running older versions.
>>>>
>>>> I'll spin up a smartos box and see if master resolves the issue that was
>>>> the killer for me: https://freeswitch.org/jira/browse/FS-7991
>>>>
>>>> SIP handsets had no problem with TCP but it just wouldn't send through a
>>>> gateway using TCP.
>>>>
>>>> Thanks for everything so far.
>>>>
>>>> Regards
>>>> Darren
>>>>
>>>> ________________________________
>>>> From: Stanislav Sinyagin [mailto:ssinyagin at gmail.com]
>>>> To: FreeSWITCH Users Help [mailto:freeswitch-users at lists.freeswitch.org]
>>>> Sent: Wed, 09 Sep 2015 23:57:00 +0000
>>>> Subject: Re: [Freeswitch-users] Compiling under SmartOS
>>>>
>>>> My patches are now in master, so FreeSWITCH can be compiled under any
>>>> of Solaris derivatives.
>>>>
>>>> The -u option will not work in current FreeSWITCH on any of the Solaris
>>>> derivatives, regardless of whether it's in a zone or not: the -u option
>>>> causes it to execute setuid() to switch to the unprivileged user. But the
>>>> problem is that setuid() sets the effective set of privileges to
>>>> "basic", and "proc_clock_highres" is not included, even though it is
>>>> allowed for the process.
>>>>
>>>> This piece illustrates this behavior:
>>>>
>>>> [root@fs01 ~]# perl -e 'use POSIX; setuid(1000); system("ppriv \$\$")'
>>>> 4079: ppriv 4079
>>>> flags = <none>
>>>> E: basic
>>>> I: basic
>>>> P: basic
>>>> L: basic,contract_event,contract_identity,contract_observer,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_lock_memory,proc_owner,proc_prioup,proc_setid,proc_taskid,sys_acct,sys_admin,sys_audit,sys_fs_import,sys_ip_config,sys_iptun_config,sys_mount,sys_nfs,sys_ppp_config,sys_resource
>>>>
>>>>
>>>> So, switch_core.c needs to be modified to utilize setpflags() and
>>>> setppriv() if we are under Solaris, and assign "proc_clock_highres" to
>>>> the process before the timer is initialized. I will propose the patch
>>>> within a month or so.
>>>>
>>>> FreeSWITCH runs fine as root.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Sep 8, 2015 at 11:54 PM, Stanislav Sinyagin <ssinyagin at gmail.com>
>>>> wrote:
>>>> > Darren,
>>>> >
>>>> > if the zone has the proc_clock_highres privilege, you can assign it to
>>>> > the freeswitch user:
>>>> > usermod -K defaultpriv=basic,proc_clock_highres frsw
>>>> >
>>>> > after that, under "su - frsw", FreeSWITCH can start.
>>>> >
>>>> > But launching it as root with "-u frsw -g frsw" causes the same
>>>> > coredump, as timerfd is unavailable for some reason. This needs
>>>> > further investigation.
>>>> >
>>>> > Also inside a zone, -rp does not have any effect on the process
>>>> > priority, because this needs another privilege: PRIV_PROC_PRIOUP or
>>>> > PRIV_PROC_PRIOCNTL (see privileges(5)).
>>>> >
>>>> > So, there are still obstacles, but we're getting there slowly. But it
>>>> > looks like you anyway have to have administrative access to the global
>>>> > zone in order to run FreeSWITCH in a SmartOS zone. So, hosting it at
>>>> > Joyent doesn't look realistic. Still, it's a very attractive platform
>>>> > because of its lightweight zones and nice network performance and
>>>> > built-in ZFS. Soon I will have a test physical server with SmartOS in
>>>> > my lab, and I can let the interested people access it and test or play
>>>> > around.
>>>> >
>>>> > cheers,
>>>> > stanislav
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Tue, Sep 8, 2015 at 6:59 PM, Support <support at directvoip.co.uk>
>>>> > wrote:
>>>> >> Stanislav,
>>>> >>
>>>> >> Yes I did use that to get it going but then found that only worked as root.
>>>> >>
>>>> >> Also, I know for myself, who was in control of the global zone, that this
>>>> >> was a workaround but it was quickly pointed out to me by community members
>>>> >> that this is just a workaround as those just using for example Joyent cloud
>>>> >> or any zone other than on their own server would probably never be given
>>>> >> access to the high res clock.
>>>> >>
>>>> >> Regards
>>>> >> Darren
>>>> >>
>>>> >> ________________________________
>>>> >> From: Stanislav Sinyagin [mailto:ssinyagin at gmail.com]
>>>> >> To: FreeSWITCH Users Help
>>>> >> [mailto:freeswitch-users at lists.freeswitch.org]
>>>> >> Sent: Tue, 08 Sep 2015 16:49:01 +0000
>>>> >>
>>>> >> Subject: Re: [Freeswitch-users] Compiling under SmartOS
>>>> >>
>>>> >> phew, it started finally.
>>>> >>
>>>> >> The correct string is "limit_priv": "default,proc_clock_highres"
>>>> >>
>>>> >> After vmadm update, you need to reboot the zone, in order for new
>>>> >> permissions to propagate to its processes.
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >> On Tue, Sep 8, 2015 at 5:38 PM, Stanislav Sinyagin
>>>> >> <ssinyagin at gmail.com>
>>>> >> wrote:
>>>> >>> no, my bad, it's still failing on the timer. I'll spend some time on
>>>> >>> it. Feel free to contact me directly on skype or google hangouts or
>>>> >>> telegram
>>>> >>>
>>>> >>> On Tue, Sep 8, 2015 at 5:27 PM, Stanislav Sinyagin
>>>> >>> <ssinyagin at gmail.com>
>>>> >>> wrote:
>>>> >>>> actually the answer about the timer was given in that same chat where
>>>> >>>> you took part:
>>>> >>>> http://echelog.com/logs/browse/smartos/1438293600
>>>> >>>>
>>>> >>>> I added the following line to the VM manifest json, and then did "vmadm update":
>>>> >>>>
>>>> >>>> "limit_priv": "default,-proc_clock_highres"
>>>> >>>>
>>>> >>>> Now it doesn't complain about the timer. But the master branch still
>>>> >>>> coredumps for some other reason :)
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>> On Tue, Sep 8, 2015 at 3:42 PM, Support <support at directvoip.co.uk>
>>>> >>>> wrote:
>>>> >>>>> Stanislav,
>>>> >>>>>
>>>> >>>>> I cannot help with this, my skills don't reach that far but I can point
>>>> >>>>> you in the right direction.
>>>> >>>>>
>>>> >>>>> I had the same problem and it seems to be related to something called
>>>> >>>>> timerfd. Using the ppriv command you can see freeswitch is wanting access
>>>> >>>>> to the high res clock, something not available to smartos zones with the
>>>> >>>>> default privileges.
>>>> >>>>>
>>>> >>>>> I did manage to mess with the smartos privileges and get it to run at one
>>>> >>>>> time but it was only when running as root.
>>>> >>>>>
>>>> >>>>> If you actually used an older version of smartos, I think the one I used
>>>> >>>>> is dated around January this year, then it will compile fine and use some
>>>> >>>>> sort of other timing method.
>>>> >>>>>
>>>> >>>>> This timerfd thing relates to freeswitch finding a file called
>>>> >>>>> timerfd.h that didn't appear in smartos zones until about March this year,
>>>> >>>>> something to do with lx brand I think.
>>>> >>>>>
>>>> >>>>> I have just looked and the smartos version that will compile is
>>>> >>>>> 20150108T111855Z, obviously it would be better on the newer.
>>>> >>>>>
>>>> >>>>> Compiling on the above smartos version and then running it on newer is no
>>>> >>>>> problem which is what I ended up doing.
>>>> >>>>>
>>>> >>>>> Hope this helps
>>>> >>>>>
>>>> >>>>> Regards
>>>> >>>>> Darren
>>>> >>>>>
>>>> >>>>> ________________________________
>>>> >>>>> From: Stanislav Sinyagin [mailto:ssinyagin at gmail.com]
>>>> >>>>> To: FreeSWITCH Users Help
>>>> >>>>> [mailto:freeswitch-users at lists.freeswitch.org]
>>>> >>>>> Sent: Tue, 08 Sep 2015 07:55:37 +0000
>>>> >>>>> Subject: Re: [Freeswitch-users] Compiling under SmartOS
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> See the update at https://freeswitch.org/jira/browse/FS-7967
>>>> >>>>>
>>>> >>>>> I fixed the compilation problems, and now there's a runtime issue.
>>>> >>>>>
>>>> >>>>> On Mon, Aug 17, 2015 at 10:40 AM, Stanislav Sinyagin
>>>> >>>>> <ssinyagin at gmail.com> wrote:
>>>> >>>>>> I see there are some people on the list, working with SmartOS.
>>>> >>>>>>
>>>> >>>>>> The current master fails to compile:
>>>> >>>>>> https://freeswitch.org/jira/browse/FS-7967
>>>> >>>>>>
>>>> >>>>>> Your input will be appreciated.
>>>> >>>>>>
>>>> >>>>>> I just started looking around and getting the feeling what SmartOS
>>>> >>>>>> is.
>>>> >>>>>> I worked with Solaris quite a lot, but that was almost 10 years
>>>> >>>>>> ago.
>>>> >>>>>
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> _________________________________________________________________________
>>>> >>>>> Professional FreeSWITCH Consulting Services:
>>>> >>>>> consulting at freeswitch.org
>>>> >>>>> http://www.freeswitchsolutions.com
>>>> >>>>>
>>>> >>>>> Official FreeSWITCH Sites
>>>> >>>>> http://www.freeswitch.org
>>>> >>>>> http://confluence.freeswitch.org
>>>> >>>>> http://www.cluecon.com
>>>> >>>>>
>>>> >>>>> FreeSWITCH-users mailing list
>>>> >>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> >>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> >>>>>
>>>> >>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> >>>>> http://www.freeswitch.org
>>>> >>>>>
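Added example, not part of the original thread: a shell check over `ppriv` output of the shape quoted above, reporting which privilege sets (E, I, P, L) hold a given privilege and what that means for a daemon that has already called setuid(). The sample output is constructed, the helper names `priv_in_sets` and `explain` are hypothetical, and only literal names, `all` and `!name` exclusions are interpreted (`basic` and `zone` are not expanded).

```shell
#!/bin/sh
# Constructed sample: ppriv output for a process that called setuid()
# in a zone whose limit set includes proc_clock_highres.
SAMPLE='4079: ppriv 4079
flags = <none>
    E: basic
    I: basic
    P: basic
    L: basic,file_dac_search,proc_clock_highres,proc_priocntl'

# priv_in_sets PRIV  (hypothetical helper; reads ppriv output on stdin)
# Prints the letters of the sets that contain PRIV, e.g. "L" or "EIPL".
priv_in_sets() {
    awk -v want="$1" '
        /^[ \t]*[EIPL]:/ {
            line = $0
            sub(/^[ \t]*/, "", line)
            set = substr(line, 1, 1)
            sub(/^[EIPL]:[ \t]*/, "", line)
            n = split(line, tok, ",")
            has = 0
            for (i = 1; i <= n; i++) {
                if (tok[i] == want || tok[i] == "all") has = 1
                if (tok[i] == ("!" want)) { has = 0; break }
            }
            if (has) out = out set
        }
        END { print out }'
}

# explain PRIV  (hypothetical helper; reads ppriv output on stdin)
# Classifies where PRIV sits, which tells you where the fix belongs.
explain() {
    sets=$(priv_in_sets "$1")
    case "$sets" in
        *E*) echo "effective" ;;       # usable by the process right now
        *P*) echo "permitted-only" ;;  # process can raise it with setppriv()
        *L*) echo "limit-only" ;;      # grant before the uid change, or via
                                       # the user defaultpriv (usermod -K)
        *)   echo "absent" ;;          # zone lacks it: adjust limit_priv
    esac
}

printf '%s\n' "$SAMPLE" | explain proc_clock_highres
```

On a live system the input would come from `ppriv <pid>` for the running daemon instead of the embedded sample.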


