Accepting request 1117713 from home:computersalat:devel:tel

Some fixes and Improvements

OBS-URL: https://build.opensuse.org/request/show/1117713
OBS-URL: https://build.opensuse.org/package/show/network:telephony/coturn?expand=0&rev=30

README.SUSE

@@ -1,13 +1,96 @@
-Configuration files:
+# SUSE coturn information
-  * /etc/coturn/turnserver.conf is the main configuration file
+
-  * /etc/sysconfig/coturn can be used to set additional command line parameters
+## Configuration files:
+
+- /etc/coturn/turnserver.conf is the main configuration file
+- /etc/sysconfig/coturn can be used to set additional command line parameters
 
 Allow traffic through the firewall:
 ```
 firewall-cmd --zone=<zone> --add-service=coturn [--permanent]
 ```
 
-Notes:
+## Notes:
-* /etc/syconfig/coturn has the option '--no-software-attribute' enabled to hide 
+
+- /etc/syconfig/coturn has the option '--no-software-attribute' enabled to hide 
   the software version for production issue.
 
+## Coturn and Let's Encrypt Certificates (certbot)
+
+coturn needs ability to read certificate and key from /etc/letsencrypt/archive as 'coturn' user
+(same problem exists with mysql/mariadb)
+
+### Solution proposal (symlinks):
+
+- add system group: 'cert' (or whatever name you prefer)
+```
+groupadd -r cert
+or
+groupadd -g 110 -r cert
+```
+
+- add 'coturn' user to this 'cert' group
+```
+usermod -a -G cert coturn
+```
+
+- add ACLs to Let's Encrypt 'archive' folder
+
+  - add default ACL
+  ```
+  setfacl -m default:group:cert:r-x /etc/letsencrypt/archive
+  ```
+
+  - add recursive ACL to already existings files
+  ```
+  setfacl -R -m group:cert:r-x /etc/letsencrypt/archive
+  ```
+
+- now place symlinks to Let's Encrypt certificates in /etc/coturn/tls, e.g.:
+```
+ln -s /etc/letsencrypt/live/turn.example.com/fullchain.pem turn_server_cert.pem
+ln -s /etc/letsencrypt/live/turn.example.com/privkey.pem turn_server_pkey.pem
+```
+
+### Solution proposal (copy via certbot renewal-hooks)
+
+put the following code to a script in /etc/letsencrypt/renewal-hooks/deploy/coturn-deploy.sh
+```
+#!/bin/bash -e
+#
+##############################################################################
+#
+### VARs
+#
+scTurnCertDir='/etc/coturn/tls'
+
+##############################################################################
+#
+# MAIN code
+#
+
+if [[ ! -d "${scTurnCertDir}" ]]; then
+  install -D -m 0750 -o coturn -g root "${scTurnCertDir}"
+fi
+
+for scDomain in ${RENEWED_DOMAINS}; do
+  case ${scDomain} in
+    'coturn.example.com')
+      install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/fullchain.pem "${scTurnCertDir}"/turn_server_cert.pem
+      install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/privkey.pem "${scTurnCertDir}"/turn_server_pkey.pem
+      service coturn restart
+    ;;
+  esac
+done
+```
+
+Don't forget to replace `coturn.example.com` with your `coturn realm` !
+
+
+## Coturn and Certificates (not certbot)
+
+copy your cert/key and place them in /etc/coturn/tls, e.g.:
+```
+install -m 0400 -o coturn -g root /Path/To/Your/certificate.pem /etc/coturn/tls/turn_server_cert.pem
+install -m 0400 -o coturn -g root /Path/To/Your/privatekey.pem /etc/coturn/tls/turn_server_pkey.pem
+```

coturn-apparmor-usr.bin.turnserver

@@ -8,7 +8,9 @@ profile coturn /usr/{bin,sbin}/turnserver flags=(attach_disconnected) {
   #include <abstractions/user-tmp>
 
   /etc/coturn/*.conf r,
-  /etc/pki/coturn/** r,
+  /etc/coturn/tls/* r,
+  /etc/letsencrypt/archive/** r,
+
   /usr/bin/turnserver mr,
   owner /run/coturn/* w,
   owner /var/lib/coturn r,

coturn-turnserver_conf.patch

@@ -0,0 +1,60 @@
+Index: examples/etc/turnserver.conf
+===================================================================
+--- examples/etc/turnserver.conf.orig
++++ examples/etc/turnserver.conf
+@@ -56,7 +56,11 @@
+ # Listener IP address of relay server. Multiple listeners can be specified.
+ # If no IP(s) specified in the config file or in the command line options,
+ # then all IPv4 and IPv6 system IPs will be used for listening.
+-#
++# listen on IPv4 only:
++#listening-ip=
++# listen on IPv4 and IPv6:
++#listening-ip=::
++# listen on specified IPs only
+ #listening-ip=172.17.19.101
+ #listening-ip=10.207.21.238
+ #listening-ip=2607:f0d0:1002:51::4
+@@ -240,6 +244,7 @@
+ # will try to use the 'dynamic' value in the turn_secret table
+ # in the user database (if present). The database-stored  value can be changed on-the-fly
+ # by a separate program, so this is why that mode is considered 'dynamic'.
++# create with: `openssl rand -hex 32`
+ #
+ #static-auth-secret=north
+ 
+@@ -374,7 +379,7 @@
+ # default value is 0 (no quota).
+ # This option can also be set through the database, for a particular realm.
+ #
+-#total-quota=0
++#total-quota=100
+ 
+ # Max bytes-per-second bandwidth a TURN session is allowed to handle
+ # (input and output network streams are treated separately). Anything above
+@@ -456,14 +461,14 @@
+ # configuration file.
+ # Use PEM file format.
+ #
+-#cert=/usr/local/etc/turn_server_cert.pem
++#cert=/etc/coturn/tls/turn_server_cert.pem
+ 
+ # Private key file.
+ # Use an absolute path or path relative to the
+ # configuration file.
+ # Use PEM file format.
+ #
+-#pkey=/usr/local/etc/turn_server_pkey.pem
++#pkey=/etc/coturn/tls/turn_server_pkey.pem
+ 
+ # Private key file password, if it is in encoded format.
+ # This option has no default value.
+@@ -522,7 +527,7 @@
+ # In the runtime, the logfile can be reset with the SIGHUP signal
+ # to the turnserver process.
+ #
+-#log-file=/var/tmp/turn.log
++#log-file=/var/log/coturn/turnserver.log
+ 
+ # Option to redirect all log output into system log (syslog).
+ #

coturn-user.conf

@@ -1,4 +1,2 @@
-# Type Name ID GECOS [HOME]
+#Type Name    ID      GECOS                       [HOME]          Shell
-g coturn -
+u     coturn  -       "Coturn TURN Server daemon" /var/lib/coturn -
-u coturn - "Coturn TURN Server daemon" /var/lib/coturn
-m coturn coturn

coturn.changes

@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Fri Oct 13 18:49:29 UTC 2023 - chris@computersalat.de
+
+- Update coturn-turnserver_conf.patch
+  * Fix comment for listening-ip
+- enable 'verbose' log to see listening IPs and more, not just
+  server start/stop
+
+-------------------------------------------------------------------
+Mon Oct  9 07:19:06 UTC 2023 - chris@computersalat.de
+
+- add coturn-turnserver_conf.patch
+  * to have a meaningful turnserver.conf.default
+- create a ready-to-run turnserver.conf
+- fix logrotate script
+- Update README.SUSE for Let's Encrypt Certificates
+- move certs to /etc/coturn/tls
+- Update apparmor profile
+- rework sysusers.d config file
+
 -------------------------------------------------------------------
 Tue May  2 05:19:33 UTC 2023 - Carsten Ziepke <kieltux@gmail.com>
 

coturn.logrotate

@@ -1,12 +1,16 @@
 /var/log/coturn/turnserver.log {
-	missingok
   compress
   delaycompress
+  dateext
+  maxage 365
+  rotate 99
+  size=+4096k
   notifempty
-	postrotate
+  missingok
-		/bin/systemctl --quiet is-active coturn.service && /bin/kill -HUP `cat /run/coturn/turnserver.pid` || true 
+  create 0640 coturn root
-	endscript
-	create 0660 coturn coturn
   sharedscripts
-	su coturn coturn
+  postrotate
+    /bin/systemctl --quiet is-active coturn.service && /bin/systemctl kill --signal=SIGHUP coturn.service
+  endscript
+  su coturn root
 }

coturn.spec

@@ -40,6 +40,7 @@ Source6:        %{name}.firewalld
 Source7:        README.SUSE
 Source8:        %{name}-apparmor-usr.bin.turnserver
 Source9:        %{name}@.service
+Patch0:         %{name}-turnserver_conf.patch
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
 BuildRequires:  libevent-devel >= 2.0.0
@@ -55,7 +56,7 @@ BuildRequires:  pkgconfig(systemd)
 Requires(pre):  %fillup_prereq
 Requires(pre):  shadow
 Recommends:     logrotate
-%sysusers_requires
+
 %if %{with apparmor}
 %if 0%{?suse_version} <= 1315
 BuildRequires:  apparmor-profiles
@@ -69,6 +70,9 @@ BuildRequires:  apparmor-rpm-macros
 %endif
 %endif
 
+%{?systemd_requires}
+%sysusers_requires
+
 %description
 STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays
 around NAT) are protocols that can be used to provide NAT traversal for VoIP
@@ -94,7 +98,8 @@ Requires:       %{name} = %{version}
 This package contains the TURN development headers.
 
 %prep
-%autosetup -p1
+%setup -q -n %{name}-%{version}
+%patch0
 
 %build
 %sysusers_generate_pre %{SOURCE4} %{name}
@@ -114,7 +119,7 @@ This package contains the TURN development headers.
 
 %install
 %make_install
-mkdir -p %{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
+mkdir -p %{buildroot}{%{_sysconfdir}/%{name}/tls,{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
 install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
 install -Dpm 0644 %{SOURCE9} %{buildroot}%{_unitdir}/
 install -Dpm 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -131,15 +136,30 @@ cat > %{buildroot}%{_sysconfdir}/apparmor.d/local/usr.bin.turnserver << EOF
 EOF
 %endif
 
+install examples%{_sysconfdir}/turnserver.conf %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
+install examples%{_sysconfdir}/turnserver.conf %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
+
 sed -i \
-    -e "s|^syslog$|#syslog|g" \
+    -e "s|^#*\(listening-port=.*\)|\1|" \
-    -e "s|^#*log-file=.*|log-file=%{_localstatedir}/log/coturn/turnserver.log|g" \
+    -e "s|^#*\(tls-listening-port=.*\)|\1|" \
+    -e "s|^#*\(listening-ip=\)$|\1|" \
+    -e "s|^#*verbose|verbose|" \
+    -e "s|^#*fingerprint|fingerprint|" \
+    -e "s|^#*use-auth-secret|use-auth-secret|" \
+    -e "s|^#\(static-auth-secret=.*\)|\1|" \
+    -e "s|^#\(realm=\).*|\1|" \
+    -e "s|^#\(total-quota=.*\)|\1|" \
+    -e "s|^#\(bps-capacity=.*\)|\1|" \
+    -e "s|^#\(stale-nonce=.*\)|\1|" \
+    -e "s|^#*\(cert=.*\)|\1|" \
+    -e "s|^#*\(pkey=.*\)|\1|" \
+    -e "s|^#\(log-file=.*\)|\1|" \
     -e "s|^#*simple-log|simple-log|g" \
-    -e "s|^#*cert=.*|#cert=%{_sysconfdir}/pki/coturn/public/turn_server_cert.pem|g" \
+    -e "s|^#*no-multicast-peers|no-multicast-peers|g" \
-    -e "s|^#*pkey=.*|#pkey=%{_sysconfdir}/pki/coturn/private/turn_server_pkey.pem|g" \
+    -e "s|^#*no-tlsv1|no-tlsv1|g" \
-    %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
+    -e "s|^#*no-tlsv1_1|no-tlsv1_1|g" \
-touch -c -r examples%{_sysconfdir}/turnserver.conf %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
+    -e "/^#/d" -e "/^$/d" \
-mv %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
+    %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
 
 # Remove certs and keys
 rm %{buildroot}%{_docdir}/%{name}%{_sysconfdir}/*.pem
@@ -165,6 +185,10 @@ done
 %service_add_pre %{name}@.service
 
 %post
+# generate static-auth-secret only on install, not on upgrade
+if [ $1 -eq 1 ]; then
+  sed -i -e "s|^\(static-auth-secret=\)north|\1$(openssl rand -hex 32)|" %{_sysconfdir}/%{name}/turnserver.conf
+fi
 %service_add_post %{name}.service
 %service_add_post %{name}@.service
 systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
@@ -220,9 +244,8 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 
 %dir %attr(0750,root,%{name}) %{_sysconfdir}/%{name}
 %config(noreplace) %attr(0640,root,%{name}) %{_sysconfdir}/%{name}/turnserver.conf
-%dir %{_sysconfdir}/pki/%{name}
+%config %attr(0640,root,%{name}) %{_sysconfdir}/%{name}/turnserver.conf.default
-%dir %{_sysconfdir}/pki/%{name}/public
+%dir %attr(0750,%{name},root) %{_sysconfdir}/%{name}/tls
-%dir %attr(0750,root,%{name}) %{_sysconfdir}/pki/%{name}/private
 %{_unitdir}/coturn.service
 %{_unitdir}/coturn@.service
 %{_tmpfilesdir}/coturn.conf