From 40566233e06d5fadeeefd71098d610448f316477cca1bc4e90242a2ff7515429 Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Sat, 14 Oct 2023 14:37:36 +0000 Subject: [PATCH] Accepting request 1117713 from home:computersalat:devel:tel Some fixes and Improvements OBS-URL: https://build.opensuse.org/request/show/1117713 OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=30 --- README.SUSE | 93 ++++++++++++++++++++++++++++-- coturn-apparmor-usr.bin.turnserver | 4 +- coturn-turnserver_conf.patch | 60 +++++++++++++++++++ coturn-user.conf | 6 +- coturn.changes | 20 +++++++ coturn.logrotate | 24 ++++---- coturn.spec | 49 +++++++++++----- 7 files changed, 223 insertions(+), 33 deletions(-) create mode 100644 coturn-turnserver_conf.patch
diff --git a/README.SUSE b/README.SUSE
index 2ee239e..1250791 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -1,13 +1,96 @@ -Configuration files: - * /etc/coturn/turnserver.conf is the main configuration file - * /etc/sysconfig/coturn can be used to set additional command line parameters +# SUSE coturn information + +## Configuration files: + +- /etc/coturn/turnserver.conf is the main configuration file +- /etc/sysconfig/coturn can be used to set additional command line parameters Allow traffic through the firewall: ``` firewall-cmd --zone= --add-service=coturn [--permanent] ``` -Notes: -* /etc/syconfig/coturn has the option '--no-software-attribute' enabled to hide +## Notes: + +- /etc/syconfig/coturn has the option '--no-software-attribute' enabled to hide the software version for production issue. +## Coturn and Let's Encrypt Certificates (certbot) + +coturn needs ability to read certificate and key from /etc/letsencrypt/archive as 'coturn' user +(same problem exists with mysql/mariadb) + +### Solution proposal (symlinks): + +- add system group: 'cert' (or whatever name you prefer) +``` +groupadd -r cert +or +groupadd -g 110 -r cert +``` + +- add 'coturn' user to this 'cert' group +``` +usermod -a -G cert coturn +``` + +- add ACLs to Let's Encrypt 'archive' folder + + - add default ACL + ``` + setfacl -m default:group:cert:r-x /etc/letsencrypt/archive + ``` + + - add recursive ACL to already existings files + ``` + setfacl -R -m group:cert:r-x /etc/letsencrypt/archive + ``` + +- now place symlinks to Let's Encrypt certificates in /etc/coturn/tls, e.g.: +``` +ln -s /etc/letsencrypt/live/turn.example.com/fullchain.pem turn_server_cert.pem +ln -s /etc/letsencrypt/live/turn.example.com/privkey.pem turn_server_pkey.pem +``` + +### Solution proposal (copy via certbot renewal-hooks) + +put the following code to a script in /etc/letsencrypt/renewal-hooks/deploy/coturn-deploy.sh +``` +#!/bin/bash -e +# +############################################################################## +# +### VARs +# +scTurnCertDir='/etc/coturn/tls' + 
+############################################################################## +# +# MAIN code +# + +if [[ ! -d "${scTurnCertDir}" ]]; then + install -D -m 0750 -o coturn -g root "${scTurnCertDir}" +fi + +for scDomain in ${RENEWED_DOMAINS}; do + case ${scDomain} in + 'coturn.example.com') + install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/fullchain.pem "${scTurnCertDir}"/turn_server_cert.pem + install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/privkey.pem "${scTurnCertDir}"/turn_server_pkey.pem + service coturn restart + ;; + esac +done +``` + +Don't forget to replace `coturn.example.com` with your `coturn realm` ! + + +## Coturn and Certificates (not certbot) + +copy your cert/key and place them in /etc/coturn/tls, e.g.: +``` +install -m 0400 -o coturn -g root /Path/To/Your/certificate.pem /etc/coturn/tls/turn_server_cert.pem +install -m 0400 -o coturn -g root /Path/To/Your/privatekey.pem /etc/coturn/tls/turn_server_pkey.pem +``` diff --git a/coturn-apparmor-usr.bin.turnserver b/coturn-apparmor-usr.bin.turnserver index 1d42a4b..1eb96e5 100644 --- a/coturn-apparmor-usr.bin.turnserver +++ b/coturn-apparmor-usr.bin.turnserver @@ -8,7 +8,9 @@ profile coturn /usr/{bin,sbin}/turnserver flags=(attach_disconnected) { #include /etc/coturn/*.conf r, - /etc/pki/coturn/** r, + /etc/coturn/tls/* r, + /etc/letsencrypt/archive/** r, + /usr/bin/turnserver mr, owner /run/coturn/* w, owner /var/lib/coturn r, diff --git a/coturn-turnserver_conf.patch b/coturn-turnserver_conf.patch new file mode 100644 index 0000000..eff063a --- /dev/null +++ b/coturn-turnserver_conf.patch 
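Review bot: Dropping `/etc/pki/coturn/** r,` takes read access away from every existing install whose `%config(noreplace)` turnserver.conf still points at the old `/etc/pki/coturn/{public,private}` paths, so TLS on those hosts will fail with AppArmor denials right after the upgrade; the spec's `mkdir -p` hunk and the `%files` hunk in this commit drop the same directories. Keep a transitional `/etc/pki/coturn/** r,` for at least one release, or state the manual move to /etc/coturn/tls in coturn.changes. Separately, `/etc/letsencrypt/archive/** r,` lets the confined daemon read the private keys of every certbot lineage on the host, not only the one symlinked into /etc/coturn/tls; since the README also offers the copy-via-deploy-hook route, that broad rule fits better in the local override (`/etc/apparmor.d/local/usr.bin.turnserver`) for admins who pick the symlink route.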
@@ -0,0 +1,60 @@ +Index: examples/etc/turnserver.conf +=================================================================== +--- examples/etc/turnserver.conf.orig ++++ examples/etc/turnserver.conf +@@ -56,7 +56,11 @@ + # Listener IP address of relay server. Multiple listeners can be specified. + # If no IP(s) specified in the config file or in the command line options, + # then all IPv4 and IPv6 system IPs will be used for listening. +-# ++# listen on IPv4 only: ++#listening-ip= ++# listen on IPv4 and IPv6: ++#listening-ip=:: ++# listen on specified IPs only + #listening-ip=172.17.19.101 + #listening-ip=10.207.21.238 + #listening-ip=2607:f0d0:1002:51::4 +@@ -240,6 +244,7 @@ + # will try to use the 'dynamic' value in the turn_secret table + # in the user database (if present). The database-stored value can be changed on-the-fly + # by a separate program, so this is why that mode is considered 'dynamic'. ++# create with: `openssl rand -hex 32` + # + #static-auth-secret=north + +@@ -374,7 +379,7 @@ + # default value is 0 (no quota). + # This option can also be set through the database, for a particular realm. + # +-#total-quota=0 ++#total-quota=100 + + # Max bytes-per-second bandwidth a TURN session is allowed to handle + # (input and output network streams are treated separately). Anything above +@@ -456,14 +461,14 @@ + # configuration file. + # Use PEM file format. + # +-#cert=/usr/local/etc/turn_server_cert.pem ++#cert=/etc/coturn/tls/turn_server_cert.pem + + # Private key file. + # Use an absolute path or path relative to the + # configuration file. + # Use PEM file format. + # +-#pkey=/usr/local/etc/turn_server_pkey.pem ++#pkey=/etc/coturn/tls/turn_server_pkey.pem + + # Private key file password, if it is in encoded format. + # This option has no default value. +@@ -522,7 +527,7 @@ + # In the runtime, the logfile can be reset with the SIGHUP signal + # to the turnserver process. 
+ # +-#log-file=/var/tmp/turn.log ++#log-file=/var/log/coturn/turnserver.log + + # Option to redirect all log output into system log (syslog). + # diff --git a/coturn-user.conf b/coturn-user.conf index 1e7ea2a..d9ac424 100644 --- a/coturn-user.conf +++ b/coturn-user.conf @@ -1,4 +1,2 @@ -# Type Name ID GECOS [HOME] -g coturn - -u coturn - "Coturn TURN Server daemon" /var/lib/coturn -m coturn coturn +#Type Name ID GECOS [HOME] Shell +u coturn - "Coturn TURN Server daemon" /var/lib/coturn - diff --git a/coturn.changes b/coturn.changes index 00985e8..7e6658e 100644 --- a/coturn.changes +++ b/coturn.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Fri Oct 13 18:49:29 UTC 2023 - chris@computersalat.de + +- Update coturn-turnserver_conf.patch + * Fix comment for listening-ip +- enable 'verbose' log to see listening IPs and more, not just + server start/stop + +------------------------------------------------------------------- +Mon Oct 9 07:19:06 UTC 2023 - chris@computersalat.de + +- add coturn-turnserver_conf.patch + * to have a meaningful turnserver.conf.default +- create a ready-to-run turnserver.conf +- fix logrotate script +- Update README.SUSE for Let's Encrypt Certificates +- move certs to /etc/coturn/tls +- Update apparmor profile +- rework sysusers.d config file + ------------------------------------------------------------------- Tue May 2 05:19:33 UTC 2023 - Carsten Ziepke diff --git a/coturn.logrotate b/coturn.logrotate index 58c05b0..32027ff 100644 --- a/coturn.logrotate +++ b/coturn.logrotate 
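Review bot: The `-#total-quota=0` / `+#total-quota=100` change alters a value, not just a comment, and the spec's `%install` sed later uncomments exactly that line, so the packaged default silently limits every user to 100 simultaneous sessions where upstream sets no quota; the coturn.changes entry does not mention it, so either record it there or keep the upstream value and put the suggestion in a comment. The new `# listen on IPv4 only:` / `#listening-ip=` pair presents an empty value as meaning IPv4-only, and the spec's sed activates precisely that empty line in the ready-to-run config; I am not certain turnserver interprets an empty `listening-ip=` that way rather than as the all-addresses default or a parse error, so this should be confirmed against a running turnserver before it ships as the default (an explicit IPv4 address form would be unambiguous).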
@@ -1,12 +1,16 @@
 /var/log/coturn/turnserver.log {
- missingok
- compress
- delaycompress
- notifempty
- postrotate
- /bin/systemctl --quiet is-active coturn.service && /bin/kill -HUP `cat /run/coturn/turnserver.pid` || true
- endscript
- create 0660 coturn coturn
- sharedscripts
- su coturn coturn
+ compress
+ delaycompress
+ dateext
+ maxage 365
+ rotate 99
+ size=+4096k
+ notifempty
+ missingok
+ create 0640 coturn root
+ sharedscripts
+ postrotate
+ /bin/systemctl --quiet is-active coturn.service && /bin/systemctl kill --signal=SIGHUP coturn.service
+ endscript
+ su coturn root
 }
diff --git a/coturn.spec b/coturn.spec
index 512bc59..29cc31a 100644
--- a/coturn.spec
+++ b/coturn.spec
@@ -40,6 +40,7 @@ Source6: %{name}.firewalld
 Source7: README.SUSE
 Source8: %{name}-apparmor-usr.bin.turnserver
 Source9: %{name}@.service
+Patch0: %{name}-turnserver_conf.patch
 BuildRequires: fdupes
 BuildRequires: firewall-macros
 BuildRequires: libevent-devel >= 2.0.0
@@ -55,7 +56,7 @@ BuildRequires: pkgconfig(systemd)
 Requires(pre): %fillup_prereq
 Requires(pre): shadow
 Recommends: logrotate
-%sysusers_requires
+
 %if %{with apparmor}
 %if 0%{?suse_version} <= 1315
 BuildRequires: apparmor-profiles
@@ -69,6 +70,9 @@ BuildRequires: apparmor-rpm-macros
 %endif
 %endif
 
+%{?systemd_requires}
+%sysusers_requires
+
 %description
 STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays
 around NAT) are protocols that can be used to provide NAT traversal for VoIP
@@ -94,7 +98,8 @@ Requires: %{name} = %{version}
 This package contains the TURN development headers.
 
 %prep
-%autosetup -p1
+%setup -q -n %{name}-%{version}
+%patch0
 
 %build
 %sysusers_generate_pre %{SOURCE4} %{name}
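Review bot: The rewritten postrotate line dropped the old `|| true`, so whenever coturn.service is inactive at rotation time the `&&` chain exits non-zero and logrotate reports a failed shared postrotate script although nothing is wrong; keep the guard, `/bin/systemctl --quiet is-active coturn.service && /bin/systemctl kill --signal=SIGHUP coturn.service || true`. A second concern is the combination of `su coturn root` with `systemctl kill`: as far as I recall, current logrotate runs the script as the `su` user, and signalling a system unit through systemctl is a privileged operation that polkit refuses non-interactively for an unprivileged user, whereas the old `/bin/kill -HUP` on the pidfile worked because coturn owns the process. Please verify on a test host; if the kill is refused, signalling the pidfile process directly, `kill -HUP "$(cat /run/coturn/turnserver.pid)" || true`, is the form that works under `su`.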
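Review bot: The `%prep` rewrite turns one `%autosetup -p1` line into `%setup -q -n %{name}-%{version}` plus `%patch0`; since the new patch carries `-p0` paths (`examples/etc/turnserver.conf.orig`), `%autosetup -p0` keeps the single-line form with an explicit strip level, and `-n %{name}-%{version}` is already the default. This is style only; behaviour is the same as long as a bare `%patch0` applies with `-p0` on the target rpm.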
@@ -114,7 +119,7 @@ This package contains the TURN development headers.
 
 %install
 %make_install
-mkdir -p %{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
+mkdir -p %{buildroot}{%{_sysconfdir}/%{name}/tls,{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
 install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
 install -Dpm 0644 %{SOURCE9} %{buildroot}%{_unitdir}/
 install -Dpm 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -131,15 +136,30 @@ cat > %{buildroot}%{_sysconfdir}/apparmor.d/local/usr.bin.turnserver << EOF
 EOF
 %endif
 
+install examples%{_sysconfdir}/turnserver.conf %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
+install examples%{_sysconfdir}/turnserver.conf %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
+
 sed -i \
- -e "s|^syslog$|#syslog|g" \
- -e "s|^#*log-file=.*|log-file=%{_localstatedir}/log/coturn/turnserver.log|g" \
+ -e "s|^#*\(listening-port=.*\)|\1|" \
+ -e "s|^#*\(tls-listening-port=.*\)|\1|" \
+ -e "s|^#*\(listening-ip=\)$|\1|" \
+ -e "s|^#*verbose|verbose|" \
+ -e "s|^#*fingerprint|fingerprint|" \
+ -e "s|^#*use-auth-secret|use-auth-secret|" \
+ -e "s|^#\(static-auth-secret=.*\)|\1|" \
+ -e "s|^#\(realm=\).*|\1|" \
+ -e "s|^#\(total-quota=.*\)|\1|" \
+ -e "s|^#\(bps-capacity=.*\)|\1|" \
+ -e "s|^#\(stale-nonce=.*\)|\1|" \
+ -e "s|^#*\(cert=.*\)|\1|" \
+ -e "s|^#*\(pkey=.*\)|\1|" \
+ -e "s|^#\(log-file=.*\)|\1|" \
 -e "s|^#*simple-log|simple-log|g" \
- -e "s|^#*cert=.*|#cert=%{_sysconfdir}/pki/coturn/public/turn_server_cert.pem|g" \
- -e "s|^#*pkey=.*|#pkey=%{_sysconfdir}/pki/coturn/private/turn_server_pkey.pem|g" \
- %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
-touch -c -r examples%{_sysconfdir}/turnserver.conf %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
-mv %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
+ -e "s|^#*no-multicast-peers|no-multicast-peers|g" \
+ -e "s|^#*no-tlsv1|no-tlsv1|g" \
+ -e "s|^#*no-tlsv1_1|no-tlsv1_1|g" \
+ -e "/^#/d" -e "/^$/d" \
+ %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
 
 # Remove certs and keys
 rm %{buildroot}%{_docdir}/%{name}%{_sysconfdir}/*.pem
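Review bot: `-e "s|^#\(static-auth-secret=.*\)|\1|"` together with the activated `use-auth-secret` ships a live `static-auth-secret=north` in the ready-to-run turnserver.conf, a value anyone who has read the upstream example knows, and the `%post` hunk later in this commit replaces it only on first install and only by matching the literal `north`; if upstream ever changes that example value the sed matches nothing and the well-known secret stays active without any error. Substituting a distinctive placeholder here instead, e.g. `-e "s|^#*static-auth-secret=.*|static-auth-secret=@GENERATE_ON_INSTALL@|"` (constructed marker), and matching that placeholder in `%post` makes the coupling explicit and the failure visible. The two `install` lines also use install's default 0755 mode, which `%files` later overrides; `install -m 0640` on both keeps the buildroot copy consistent with the packaged attributes.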
@@ -165,6 +185,10 @@ done
 
 %service_add_pre %{name}@.service
 %post
+# generate static-auth-secret only on install, not on upgrade
+if [ $1 -eq 1 ]; then
+ sed -i -e "s|^\(static-auth-secret=\)north|\1$(openssl rand -hex 32)|" %{_sysconfdir}/%{name}/turnserver.conf
+fi
 %service_add_post %{name}.service
 %service_add_post %{name}@.service
 systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
@@ -220,9 +244,8 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 
 %dir %attr(0750,root,%{name}) %{_sysconfdir}/%{name}
 %config(noreplace) %attr(0640,root,%{name}) %{_sysconfdir}/%{name}/turnserver.conf
-%dir %{_sysconfdir}/pki/%{name}
-%dir %{_sysconfdir}/pki/%{name}/public
-%dir %attr(0750,root,%{name}) %{_sysconfdir}/pki/%{name}/private
+%config %attr(0640,root,%{name}) %{_sysconfdir}/%{name}/turnserver.conf.default
+%dir %attr(0750,%{name},root) %{_sysconfdir}/%{name}/tls
 %{_unitdir}/coturn.service
 %{_unitdir}/coturn@.service
 %{_tmpfilesdir}/coturn.conf
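Review bot: `$(openssl rand -hex 32)` is expanded inside the `sed` argument with no check that it produced anything, and none of the visible `Requires(pre)` lines declares `Requires(post): openssl`; if openssl is missing or fails, the substitution is empty and a fresh install ends up with `static-auth-secret=` (or, if the sed never matches, with the well-known `north`) while `use-auth-secret` is enabled. Generate the value first and fail loudly: `secret=$(openssl rand -hex 32) && [ -n "$secret" ] || exit 1` followed by `sed -i -e "s|^\(static-auth-secret=\)north|\1$secret|" %{_sysconfdir}/%{name}/turnserver.conf`, and add `Requires(post): openssl` next to the existing `Requires(pre)` lines. The hex output contains none of `|`, `&` or `\`, so embedding it in the sed expression is otherwise safe.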
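Review bot: `%dir %attr(0750,%{name},root) %{_sysconfdir}/%{name}/tls` makes the daemon user the owner of the directory holding its TLS key material, while the parent on the line above stays `%attr(0750,root,%{name})`; outside the AppArmor-confined case (the profile grants only `r` on `/etc/coturn/tls/*`) a compromised turnserver could replace its own cert and key files. The files are installed as `-o coturn -g root -m 0400` by the README's root-run deploy hook, so the directory does not need to be writable by coturn; `%dir %attr(0750,root,%{name}) %{_sysconfdir}/%{name}/tls` preserves the same read access. Note that the README's hook creates this directory with `install -D -m 0750 -o coturn -g root "${scTurnCertDir}"`, which with a single operand is not a directory-creation call (`install -d` is), so the ownership and creation of the directory should be reconciled across both files.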