Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package coturn for openSUSE:Factory checked 
in at 2023-10-15 19:27:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/coturn (Old)
 and      /work/SRC/openSUSE:Factory/.coturn.new.20540 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "coturn"

Sun Oct 15 19:27:36 2023 rev:15 rq:1117799 version:4.6.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/coturn/coturn.changes    2023-05-02 
16:23:45.643494889 +0200
+++ /work/SRC/openSUSE:Factory/.coturn.new.20540/coturn.changes 2023-10-15 
19:29:41.381542995 +0200
@@ -1,0 +2,20 @@
+Fri Oct 13 18:49:29 UTC 2023 - ch...@computersalat.de
+
+- Update coturn-turnserver_conf.patch
+  * Fix comment for listening-ip
+- enable 'verbose' log to see listening IPs and more, not just
+  server start/stop
+
+-------------------------------------------------------------------
+Mon Oct  9 07:19:06 UTC 2023 - ch...@computersalat.de
+
+- add coturn-turnserver_conf.patch
+  * to have a meaningful turnserver.conf.default
+- create a ready-to-run turnserver.conf
+- fix logrotate script
+- Update README.SUSE for Let's Encrypt Certificates
+- move certs to /etc/coturn/tls
+- Update apparmor profile
+- rework sysusers.d config file
+
+-------------------------------------------------------------------

New:
----
  coturn-turnserver_conf.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ coturn.spec ++++++
--- /var/tmp/diff_new_pack.saFKrP/_old  2023-10-15 19:29:41.877560863 +0200
+++ /var/tmp/diff_new_pack.saFKrP/_new  2023-10-15 19:29:41.881561007 +0200
@@ -40,6 +40,7 @@
 Source7:        README.SUSE
 Source8:        %{name}-apparmor-usr.bin.turnserver
 Source9:        %{name}@.service
+Patch0:         %{name}-turnserver_conf.patch
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
 BuildRequires:  libevent-devel >= 2.0.0
@@ -55,7 +56,7 @@
 Requires(pre):  %fillup_prereq
 Requires(pre):  shadow
 Recommends:     logrotate
-%sysusers_requires
+
 %if %{with apparmor}
 %if 0%{?suse_version} <= 1315
 BuildRequires:  apparmor-profiles
@@ -69,6 +70,9 @@
 %endif
 %endif
 
+%{?systemd_requires}
+%sysusers_requires
+
 %description
 STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays
 around NAT) are protocols that can be used to provide NAT traversal for VoIP
@@ -94,7 +98,8 @@
 This package contains the TURN development headers.
 
 %prep
-%autosetup -p1
+%setup -q -n %{name}-%{version}
+%patch0
 
 %build
 %sysusers_generate_pre %{SOURCE4} %{name}
@@ -114,7 +119,7 @@
 
 %install
 %make_install
-mkdir -p 
%{buildroot}{%{_sysconfdir}/pki/coturn/{public,private},{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
+mkdir -p 
%{buildroot}{%{_sysconfdir}/%{name}/tls,{%{_rundir},%{_localstatedir}/{lib,log}}/%{name},%{_unitdir},%{_sysusersdir},%{_sbindir},%{_sysconfdir}/apparmor.d/local}
 install -Dpm 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
 install -Dpm 0644 %{SOURCE9} %{buildroot}%{_unitdir}/
 install -Dpm 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -131,15 +136,30 @@
 EOF
 %endif
 
+install examples%{_sysconfdir}/turnserver.conf 
%{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
+install examples%{_sysconfdir}/turnserver.conf 
%{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
+
 sed -i \
-    -e "s|^syslog$|#syslog|g" \
-    -e 
"s|^#*log-file=.*|log-file=%{_localstatedir}/log/coturn/turnserver.log|g" \
+    -e "s|^#*\(listening-port=.*\)|\1|" \
+    -e "s|^#*\(tls-listening-port=.*\)|\1|" \
+    -e "s|^#*\(listening-ip=\)$|\1|" \
+    -e "s|^#*verbose|verbose|" \
+    -e "s|^#*fingerprint|fingerprint|" \
+    -e "s|^#*use-auth-secret|use-auth-secret|" \
+    -e "s|^#\(static-auth-secret=.*\)|\1|" \
+    -e "s|^#\(realm=\).*|\1|" \
+    -e "s|^#\(total-quota=.*\)|\1|" \
+    -e "s|^#\(bps-capacity=.*\)|\1|" \
+    -e "s|^#\(stale-nonce=.*\)|\1|" \
+    -e "s|^#*\(cert=.*\)|\1|" \
+    -e "s|^#*\(pkey=.*\)|\1|" \
+    -e "s|^#\(log-file=.*\)|\1|" \
     -e "s|^#*simple-log|simple-log|g" \
-    -e 
"s|^#*cert=.*|#cert=%{_sysconfdir}/pki/coturn/public/turn_server_cert.pem|g" \
-    -e 
"s|^#*pkey=.*|#pkey=%{_sysconfdir}/pki/coturn/private/turn_server_pkey.pem|g" \
-    %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
-touch -c -r examples%{_sysconfdir}/turnserver.conf 
%{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default
-mv %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf.default 
%{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
+    -e "s|^#*no-multicast-peers|no-multicast-peers|g" \
+    -e "s|^#*no-tlsv1|no-tlsv1|g" \
+    -e "s|^#*no-tlsv1_1|no-tlsv1_1|g" \
+    -e "/^#/d" -e "/^$/d" \
+    %{buildroot}%{_sysconfdir}/%{name}/turnserver.conf
 
 # Remove certs and keys
 rm %{buildroot}%{_docdir}/%{name}%{_sysconfdir}/*.pem
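Review bot: The generated turnserver.conf enables `use-auth-secret` and uncomments `static-auth-secret=north`, so the file placed in the buildroot carries upstream's published sample value as a live shared secret and is only rewritten by the %post scriptlet (two hunks below) on first install; any install path where that substitution does not run or does not match leaves a known secret in service, and `rpm -V` will report the %config file as modified afterwards. The `s|^#\(realm=\).*|\1|` rule also reduces the line to an empty `realm=`; worth confirming that turnserver accepts that together with use-auth-secret rather than refusing to start, since nothing on the page shows how an empty value is handled. I would leave `static-auth-secret` commented in the packaged file and have %post append the generated line, so that a conf without a generated secret never has the option active: `-e "s|^#\(static-auth-secret=\).*|#\1|" \`. The two `install` calls without `-m` also create the files 0755 in the buildroot; `%attr` fixes the packaged mode, but `install -Dpm 0640` says the intent up front.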
@@ -165,6 +185,10 @@
 %service_add_pre %{name}@.service
 
 %post
+# generate static-auth-secret only on install, not on upgrade
+if [ $1 -eq 1 ]; then
+  sed -i -e "s|^\(static-auth-secret=\)north|\1$(openssl rand -hex 32)|" 
%{_sysconfdir}/%{name}/turnserver.conf
+fi
 %service_add_post %{name}.service
 %service_add_post %{name}@.service
 systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
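Review bot: The `$(openssl rand -hex 32)` substitution on the sed line has no guard and none of the spec hunks shown declare `Requires(post): openssl`; if openssl is missing at install time the command substitution expands to an empty string, sed silently rewrites the line to `static-auth-secret=`, and the scriptlet still exits 0. The pattern also only matches the literal marker `north`, so a changed marker would leave the published value in place with no message. I would add `Requires(post): openssl` next to the existing `Requires(pre):` lines and generate the value before touching the file so a failure is visible: `secret=$(openssl rand -hex 32) && [ -n "$secret" ] || { echo "could not generate static-auth-secret" >&2; exit 1; }` followed by `sed -i -e "s|^\(static-auth-secret=\)north|\1$secret|" %{_sysconfdir}/%{name}/turnserver.conf`.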
@@ -220,9 +244,8 @@
 
 %dir %attr(0750,root,%{name}) %{_sysconfdir}/%{name}
 %config(noreplace) %attr(0640,root,%{name}) 
%{_sysconfdir}/%{name}/turnserver.conf
-%dir %{_sysconfdir}/pki/%{name}
-%dir %{_sysconfdir}/pki/%{name}/public
-%dir %attr(0750,root,%{name}) %{_sysconfdir}/pki/%{name}/private
+%config %attr(0640,root,%{name}) %{_sysconfdir}/%{name}/turnserver.conf.default
+%dir %attr(0750,%{name},root) %{_sysconfdir}/%{name}/tls
 %{_unitdir}/coturn.service
 %{_unitdir}/coturn@.service
 %{_tmpfilesdir}/coturn.conf
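Review bot: `%dir %attr(0750,%{name},root) %{_sysconfdir}/%{name}/tls` makes the daemon user the owner of the directory that holds its own certificate and private key, so the turnserver process can replace or re-link the files it later loads; the parent `%{_sysconfdir}/%{name}` line above and the removed `pki/%{name}/private` line both used `root,%{name}`. Unless the certbot deploy hook in README.SUSE, which only creates the directory when it is absent and installs the files with `-o coturn -g root`, is meant to rely on coturn owning it, I would keep the directory root-owned and readable by the group: `%dir %attr(0750,root,%{name}) %{_sysconfdir}/%{name}/tls`. The key files themselves can then stay 0400/0440 owned by root with group coturn.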

++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.saFKrP/_old  2023-10-15 19:29:41.909562016 +0200
+++ /var/tmp/diff_new_pack.saFKrP/_new  2023-10-15 19:29:41.913562160 +0200
@@ -1,14 +1,97 @@
-Configuration files:
-  * /etc/coturn/turnserver.conf is the main configuration file
-  * /etc/sysconfig/coturn can be used to set additional command line parameters
+# SUSE coturn information
+
+## Configuration files:
+
+- /etc/coturn/turnserver.conf is the main configuration file
+- /etc/sysconfig/coturn can be used to set additional command line parameters
 
 Allow traffic through the firewall:
 ```
 firewall-cmd --zone=<zone> --add-service=coturn [--permanent]
 ```
 
-Notes:
-* /etc/syconfig/coturn has the option '--no-software-attribute' enabled to 
hide 
+## Notes:
+
+- /etc/syconfig/coturn has the option '--no-software-attribute' enabled to 
hide 
   the software version for production issue.
 
+## Coturn and Let's Encrypt Certificates (certbot)
+
+coturn needs ability to read certificate and key from /etc/letsencrypt/archive 
as 'coturn' user
+(same problem exists with mysql/mariadb)
+
+### Solution proposal (symlinks):
+
+- add system group: 'cert' (or whatever name you prefer)
+```
+groupadd -r cert
+or
+groupadd -g 110 -r cert
+```
+
+- add 'coturn' user to this 'cert' group
+```
+usermod -a -G cert coturn
+```
+
+- add ACLs to Let's Encrypt 'archive' folder
+
+  - add default ACL
+  ```
+  setfacl -m default:group:cert:r-x /etc/letsencrypt/archive
+  ```
+
+  - add recursive ACL to already existings files
+  ```
+  setfacl -R -m group:cert:r-x /etc/letsencrypt/archive
+  ```
+
+- now place symlinks to Let's Encrypt certificates in /etc/coturn/tls, e.g.:
+```
+ln -s /etc/letsencrypt/live/turn.example.com/fullchain.pem turn_server_cert.pem
+ln -s /etc/letsencrypt/live/turn.example.com/privkey.pem turn_server_pkey.pem
+```
+
+### Solution proposal (copy via certbot renewal-hooks)
+
+put the following code to a script in 
/etc/letsencrypt/renewal-hooks/deploy/coturn-deploy.sh
+```
+#!/bin/bash -e
+#
+##############################################################################
+#
+### VARs
+#
+scTurnCertDir='/etc/coturn/tls'
+
+##############################################################################
+#
+# MAIN code
+#
+
+if [[ ! -d "${scTurnCertDir}" ]]; then
+  install -D -m 0750 -o coturn -g root "${scTurnCertDir}"
+fi
+
+for scDomain in ${RENEWED_DOMAINS}; do
+  case ${scDomain} in
+    'coturn.example.com')
+      install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/fullchain.pem 
"${scTurnCertDir}"/turn_server_cert.pem
+      install -m 0400 -o coturn -g root "${RENEWED_LINEAGE}"/privkey.pem 
"${scTurnCertDir}"/turn_server_pkey.pem
+      service coturn restart
+    ;;
+  esac
+done
+```
+
+Don't forget to replace `coturn.example.com` with your `coturn realm` !
+
+
+## Coturn and Certificates (not certbot)
+
+copy your cert/key and place them in /etc/coturn/tls, e.g.:
+```
+install -m 0400 -o coturn -g root /Path/To/Your/certificate.pem 
/etc/coturn/tls/turn_server_cert.pem
+install -m 0400 -o coturn -g root /Path/To/Your/privatekey.pem 
/etc/coturn/tls/turn_server_pkey.pem
+```
 

++++++ coturn-apparmor-usr.bin.turnserver ++++++
--- /var/tmp/diff_new_pack.saFKrP/_old  2023-10-15 19:29:41.929562736 +0200
+++ /var/tmp/diff_new_pack.saFKrP/_new  2023-10-15 19:29:41.933562881 +0200
@@ -8,7 +8,9 @@
   #include <abstractions/user-tmp>
 
   /etc/coturn/*.conf r,
-  /etc/pki/coturn/** r,
+  /etc/coturn/tls/* r,
+  /etc/letsencrypt/archive/** r,
+
   /usr/bin/turnserver mr,
   owner /run/coturn/* w,
   owner /var/lib/coturn r,
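Review bot: `/etc/letsencrypt/archive/** r,` grants turnserver read access to every certificate lineage on the host, including private keys of domains that have nothing to do with TURN; the ACL recipe in README.SUSE has the same breadth, but the profile is where least privilege is actually enforced. Since the spec already installs `%{_sysconfdir}/apparmor.d/local`, I would keep the packaged profile at `/etc/coturn/tls/* r,` and document that admins add only the lineage they use in the local override, e.g. `/etc/letsencrypt/archive/<lineage-name>/* r,` with `<lineage-name>` replaced by their own. As far as I know AppArmor mediates on the resolved path, so the `live/` symlinks the README suggests need no rule of their own, only the archive target does.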

++++++ coturn-turnserver_conf.patch ++++++
Index: examples/etc/turnserver.conf
===================================================================
--- examples/etc/turnserver.conf.orig
+++ examples/etc/turnserver.conf
@@ -56,7 +56,11 @@
 # Listener IP address of relay server. Multiple listeners can be specified.
 # If no IP(s) specified in the config file or in the command line options,
 # then all IPv4 and IPv6 system IPs will be used for listening.
-#
+# listen on IPv4 only:
+#listening-ip=
+# listen on IPv4 and IPv6:
+#listening-ip=::
+# listen on specified IPs only
 #listening-ip=172.17.19.101
 #listening-ip=10.207.21.238
 #listening-ip=2607:f0d0:1002:51::4
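Review bot: The new comment says an empty `#listening-ip=` means "listen on IPv4 only", but the retained upstream text three lines above states that when no IP is specified all IPv4 and IPv6 system addresses are used, and nothing on the page shows how turnserver treats a present-but-empty value; the spec's generated turnserver.conf relies on exactly that empty line. Worth confirming against the option parser before shipping it as the default and wording the comment to match, e.g. `# empty value: verify against turnserver whether this means all IPs or IPv4 only`. Whether `::` yields dual-stack also depends on the socket's v6-only setting, so "listen on IPv4 and IPv6" for `#listening-ip=::` is worth a hedge as well.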
@@ -240,6 +244,7 @@
 # will try to use the 'dynamic' value in the turn_secret table
 # in the user database (if present). The database-stored  value can be changed 
on-the-fly
 # by a separate program, so this is why that mode is considered 'dynamic'.
+# create with: `openssl rand -hex 32`
 #
 #static-auth-secret=north
 
@@ -374,7 +379,7 @@
 # default value is 0 (no quota).
 # This option can also be set through the database, for a particular realm.
 #
-#total-quota=0
+#total-quota=100
 
 # Max bytes-per-second bandwidth a TURN session is allowed to handle
 # (input and output network streams are treated separately). Anything above
@@ -456,14 +461,14 @@
 # configuration file.
 # Use PEM file format.
 #
-#cert=/usr/local/etc/turn_server_cert.pem
+#cert=/etc/coturn/tls/turn_server_cert.pem
 
 # Private key file.
 # Use an absolute path or path relative to the
 # configuration file.
 # Use PEM file format.
 #
-#pkey=/usr/local/etc/turn_server_pkey.pem
+#pkey=/etc/coturn/tls/turn_server_pkey.pem
 
 # Private key file password, if it is in encoded format.
 # This option has no default value.
@@ -522,7 +527,7 @@
 # In the runtime, the logfile can be reset with the SIGHUP signal
 # to the turnserver process.
 #
-#log-file=/var/tmp/turn.log
+#log-file=/var/log/coturn/turnserver.log
 
 # Option to redirect all log output into system log (syslog).
 #

++++++ coturn-user.conf ++++++
--- /var/tmp/diff_new_pack.saFKrP/_old  2023-10-15 19:29:41.961563889 +0200
+++ /var/tmp/diff_new_pack.saFKrP/_new  2023-10-15 19:29:41.961563889 +0200
@@ -1,5 +1,3 @@
-# Type Name ID GECOS [HOME]
-g coturn -
-u coturn - "Coturn TURN Server daemon" /var/lib/coturn
-m coturn coturn
+#Type Name    ID      GECOS                       [HOME]          Shell
+u     coturn  -       "Coturn TURN Server daemon" /var/lib/coturn -
 

++++++ coturn.logrotate ++++++
--- /var/tmp/diff_new_pack.saFKrP/_old  2023-10-15 19:29:41.985564753 +0200
+++ /var/tmp/diff_new_pack.saFKrP/_new  2023-10-15 19:29:41.989564898 +0200
@@ -1,13 +1,17 @@
 /var/log/coturn/turnserver.log {
-       missingok
-       compress
-       delaycompress
-       notifempty
-       postrotate
-               /bin/systemctl --quiet is-active coturn.service && /bin/kill 
-HUP `cat /run/coturn/turnserver.pid` || true 
-       endscript
-       create 0660 coturn coturn
-       sharedscripts
-       su coturn coturn
+  compress
+  delaycompress
+  dateext
+  maxage 365
+  rotate 99
+  size=+4096k
+  notifempty
+  missingok
+  create 0640 coturn root
+  sharedscripts
+  postrotate
+    /bin/systemctl --quiet is-active coturn.service && /bin/systemctl kill 
--signal=SIGHUP coturn.service
+  endscript
+  su coturn root
 }
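Review bot: The postrotate command dropped the trailing `|| true` that the old script had, so whenever coturn.service is not active the `is-active && kill` chain exits non-zero and logrotate reports the shared postrotate script as failed on every rotation; `/bin/systemctl --quiet is-active coturn.service && /bin/systemctl kill --signal=SIGHUP coturn.service || true`. Moving from the pid file to `systemctl kill` is an improvement, as is tightening `create` from 0660 to 0640. With `su coturn root` and `create 0640 coturn root`, verify that /var/log/coturn itself is owned and writable as logrotate expects under that user/group pair; the directory's ownership is not shown on this page.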
 
