From bdf27616ba0ef19a5896f2dd9f7727799930225c Mon Sep 17 00:00:00 2001 From: Mark Hills Date: Wed, 3 Feb 2021 15:37:43 +0000 Subject: [PATCH 1/9] Do not mutate something which the DTLS listener server does not own Multiple DTLS listener servers are created, and server->dtls_ctx is the same object shared between them. Set these callbacks once, and logically this is at the point where the SSL context is created. --- src/apps/relay/dtls_listener.c | 47 ++++++++++++---------------------- src/apps/relay/dtls_listener.h | 4 +++ src/apps/relay/mainrelay.c | 2 ++ 3 files changed, 23 insertions(+), 30 deletions(-) diff --git a/src/apps/relay/dtls_listener.c b/src/apps/relay/dtls_listener.c index 7689a13..3105638 100644 --- a/src/apps/relay/dtls_listener.c +++ b/src/apps/relay/dtls_listener.c @@ -935,36 +935,6 @@ static int init_server(dtls_listener_relay_server_type* server, server->verbose=verbose; server->e = e; - -#if DTLS_SUPPORTED - if(server->dtls_ctx) { - -#if defined(REQUEST_CLIENT_CERT) - /* If client has to authenticate, then */ - SSL_CTX_set_verify(server->dtls_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback); -#endif - - SSL_CTX_set_read_ahead(server->dtls_ctx, 1); - - SSL_CTX_set_cookie_generate_cb(server->dtls_ctx, generate_cookie); - SSL_CTX_set_cookie_verify_cb(server->dtls_ctx, verify_cookie); - } - -#if DTLSv1_2_SUPPORTED - if(server->dtls_ctx_v1_2) { - - #if defined(REQUEST_CLIENT_CERT) - /* If client has to authenticate, then */ - SSL_CTX_set_verify(server->dtls_ctx_v1_2, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback); - #endif - - SSL_CTX_set_read_ahead(server->dtls_ctx_v1_2, 1); - - SSL_CTX_set_cookie_generate_cb(server->dtls_ctx_v1_2, generate_cookie); - SSL_CTX_set_cookie_verify_cb(server->dtls_ctx_v1_2, verify_cookie); - } -#endif -#endif return create_server_socket(server, report_creation); } 
@@ -980,6 +950,23 @@ static int clean_server(dtls_listener_relay_server_type* server) { /////////////////////////////////////////////////////////// +#if DTLS_SUPPORTED +void setup_dtls_callbacks(SSL_CTX *ctx) { + if (!ctx) + return; + +#if defined(REQUEST_CLIENT_CERT) + /* If client has to authenticate, then */ + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback); +#endif + + SSL_CTX_set_read_ahead(ctx, 1); + + SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie); + SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie); +} +#endif + dtls_listener_relay_server_type* create_dtls_listener_server(const char* ifname, const char *local_address, int port, diff --git a/src/apps/relay/dtls_listener.h b/src/apps/relay/dtls_listener.h index 9d7cab6..5ca4ec9 100644 --- a/src/apps/relay/dtls_listener.h +++ b/src/apps/relay/dtls_listener.h @@ -50,6 +50,10 @@ typedef struct dtls_listener_relay_server_info dtls_listener_relay_server_type; /////////////////////////////////////////// +#if DTLS_SUPPORTED +void setup_dtls_callbacks(SSL_CTX *ctx); +#endif + dtls_listener_relay_server_type* create_dtls_listener_server(const char* ifname, const char *local_address, int port, diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index d11a2cd..9d95186 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -3198,10 +3198,12 @@ static void openssl_load_certificates(void) set_ctx(&turn_params.dtls_ctx,"DTLS",DTLS_server_method()); set_ctx(&turn_params.dtls_ctx_v1_2,"DTLS1.2",DTLSv1_2_server_method()); SSL_CTX_set_read_ahead(turn_params.dtls_ctx_v1_2, 1); + setup_dtls_callbacks(turn_params.dtls_ctx_v1_2); #else set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_server_method()); #endif SSL_CTX_set_read_ahead(turn_params.dtls_ctx, 1); + setup_dtls_callbacks(turn_params.dtls_ctx); TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS cipher suite: %s\n",turn_params.cipher_list); 
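Review bot: `setup_dtls_callbacks()` is added without a comment stating its contract, and the contract is security-relevant: it installs the DTLS cookie generate/verify callbacks and, under `REQUEST_CLIENT_CERT`, peer verification. I would add a comment above the definition, and above the prototype in dtls_listener.h, along the lines of `/* Call once on every newly created DTLS SSL_CTX, before it is handed to any listener; installs cookie callbacks and (optionally) client-cert verification. NULL is ignored. */`. That tells the next person who adds a context-creation path, such as a certificate reload, that the call is mandatory there too.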
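Review bot: In the mainrelay.c hunk, the two existing `SSL_CTX_set_read_ahead(turn_params.dtls_ctx..., 1);` calls are now duplicated by the `SSL_CTX_set_read_ahead(ctx, 1);` inside `setup_dtls_callbacks()`. Unlike the helper, they are not guarded against a NULL context, and whether `set_ctx()` can leave the pointer NULL is not visible in this hunk. Dropping the two direct calls and keeping only `setup_dtls_callbacks(turn_params.dtls_ctx_v1_2);` and `setup_dtls_callbacks(turn_params.dtls_ctx);` would leave one guarded place that configures a DTLS context. `openssl_load_certificates()` continues outside the hunk.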
From da5cda77616fc85286d07ae5eaa858366e3d37fe Mon Sep 17 00:00:00 2001 
From: Mark Hills Date: Wed, 3 Feb 2021 15:42:10 +0000 Subject: [PATCH 2/9] Do not take a copy of the SSL context When SSL certificates are renewed during runtime (via SIGUSR2), e->dtls_ctx is replaced with a context based on the new certificate. But this code continues to operate on its own borrowed pointer. This is clearly visible using valgrind, but the bug is subtle and not always noticed at runtime, possibly due to some fortunate re-use of memory. At the point of SSL_new(): ==28413== Thread 5: ==28413== Invalid read of size 8 ==28413== at 0x4F6198F: SSL_new (in /lib/libssl.so.1.1) ==28413== by 0x137A72: dtls_server_input_handler (dtls_listener.c:291) ==28413== by 0x137A72: handle_udp_packet (dtls_listener.c:443) ==28413== by 0x138153: udp_server_input_handler (dtls_listener.c:728) ==28413== by 0x4FC499E: ??? (in /usr/lib/libevent_core-2.1.so.7.0.0) ==28413== by 0x4FC50AF: event_base_loop (in /usr/lib/libevent_core-2.1.so.7.0.0) ==28413== by 0x121F34: run_events (netengine.c:1579) ==28413== by 0x121F34: run_general_relay_thread (netengine.c:1707) ==28413== by 0x40517B6: start (pthread_create.c:195) ==28413== by 0x40538EF: ??? (clone.s:22) ==28413== Address 0x49a75e0 is 0 bytes inside a block of size 1,024 free'd ==28413== at 0x48A074F: free (vg_replace_malloc.c:540) ==28413== by 0x4F5F6F1: SSL_CTX_free (in /lib/libssl.so.1.1) ==28413== by 0x11CEC4: set_ctx (mainrelay.c:3104) ==28413== by 0x11D233: openssl_load_certificates (mainrelay.c:3173) ==28413== by 0x11D328: reload_ssl_certs (mainrelay.c:3190) ==28413== by 0x4FC4601: ??? 
(in /usr/lib/libevent_core-2.1.so.7.0.0) ==28413== by 0x4FC50AF: event_base_loop (in /usr/lib/libevent_core-2.1.so.7.0.0) ==28413== by 0x122582: run_events (netengine.c:1579) ==28413== by 0x122582: run_listener_server (netengine.c:1603) ==28413== by 0x110BB8: main (mainrelay.c:2536) ==28413== Block was alloc'd at ==28413== at 0x489F72A: malloc (vg_replace_malloc.c:309) ==28413== by 0x4DFA2C6: CRYPTO_zalloc (in /lib/libcrypto.so.1.1) ==28413== by 0x4F5F79E: SSL_CTX_new (in /lib/libssl.so.1.1) ==28413== by 0x11CA80: set_ctx (mainrelay.c:2875) ==28413== by 0x11D233: openssl_load_certificates (mainrelay.c:3173) ==28413== by 0x110A19: openssl_setup (mainrelay.c:3139) ==28413== by 0x110A19: main (mainrelay.c:2396) ==28413== --- src/apps/relay/dtls_listener.c | 26 ++++++-------------------- 1 file changed, 6 insertions(+), 20 deletions(-) diff --git a/src/apps/relay/dtls_listener.c b/src/apps/relay/dtls_listener.c index 3105638..9a5698c 100644 --- a/src/apps/relay/dtls_listener.c +++ b/src/apps/relay/dtls_listener.c @@ -55,12 +55,6 @@ struct dtls_listener_relay_server_info { ioa_engine_handle e; turn_turnserver *ts; int verbose; -#if DTLS_SUPPORTED - SSL_CTX *dtls_ctx; -#if DTLSv1_2_SUPPORTED - SSL_CTX *dtls_ctx_v1_2; -#endif -#endif struct event *udp_listen_ev; ioa_socket_handle udp_listen_s; ur_addr_map *children_ss; /* map of socket children on remote addr */ @@ -288,13 +282,13 @@ static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_ty #if DTLSv1_2_SUPPORTED if(get_dtls_version(ioa_network_buffer_data(nbh), (int)ioa_network_buffer_get_size(nbh)) == 1) { - connecting_ssl = SSL_new(server->dtls_ctx_v1_2); + connecting_ssl = SSL_new(server->e->dtls_ctx_v1_2); } else { - connecting_ssl = SSL_new(server->dtls_ctx); + connecting_ssl = SSL_new(server->e->dtls_ctx); } #else { - connecting_ssl = SSL_new(server->dtls_ctx); + connecting_ssl = SSL_new(server->e->dtls_ctx); } #endif 
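Review bot: In the `@@ -288,13 +282,13 @@` hunk, `connecting_ssl = SSL_new(server->e->dtls_ctx...)` is not checked for NULL within the visible lines, and the same applies to the `@@ -573,13 +567,13 @@` hunk in `create_new_connected_udp_socket()`. `SSL_new()` returns NULL on allocation failure or when the context pointer is NULL. Because the context is now read from the engine at connection time rather than once at init, its value can differ between packets. If the code after the `#endif` does not already test it (both functions continue outside their hunks), I would add a guard such as `if (!connecting_ssl) { /* log and drop the packet */ }` before the handle is used.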
@@ -573,13 +567,13 @@ static int create_new_connected_udp_socket( #if DTLSv1_2_SUPPORTED if(get_dtls_version(ioa_network_buffer_data(server->sm.m.sm.nd.nbh), (int)ioa_network_buffer_get_size(server->sm.m.sm.nd.nbh)) == 1) { - connecting_ssl = SSL_new(server->dtls_ctx_v1_2); + connecting_ssl = SSL_new(server->e->dtls_ctx_v1_2); } else { - connecting_ssl = SSL_new(server->dtls_ctx); + connecting_ssl = SSL_new(server->e->dtls_ctx); } #else { - connecting_ssl = SSL_new(server->dtls_ctx); + connecting_ssl = SSL_new(server->e->dtls_ctx); } #endif @@ -912,14 +906,6 @@ static int init_server(dtls_listener_relay_server_type* server, if(!server) return -1; -#if DTLS_SUPPORTED - server->dtls_ctx = e->dtls_ctx; - -#if DTLSv1_2_SUPPORTED - server->dtls_ctx_v1_2 = e->dtls_ctx_v1_2; -#endif -#endif - server->ts = ts; server->connect_cb = send_socket; From 8f1908d7bd75bb08858e29486df616b56c0a115a Mon Sep 17 00:00:00 2001 From: Mark Hills Date: Wed, 3 Feb 2021 16:39:06 +0000 Subject: [PATCH 3/9] A use-after-free can occur on the SSL_ctx on a busy system When openssl_load_certificates() is called as a result of USR2 signal, it has the effect of SSL_free() on certificates. But pointers to these certificates are borrowed by the ioa_engines where they are used for new connections. The tls_mutex when loading the certificates does not prevent this use because it's released before despatching asynchronous events to each ioa_engine asking them to pick up the new SSL context. So there is a race; if a new connection arrives quickly after openssl_load_certificates() but before the tls_ctx_update_ev. This patch resolves this using OpenSSL's own fine grained locking. The ioa_engines now 'copy' the SSL context (actually a refcounted copy) --- src/apps/relay/netengine.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c index fa2be3f..e118c27 100644 --- a/src/apps/relay/netengine.c 
+++ b/src/apps/relay/netengine.c @@ -304,25 +304,38 @@ typedef struct update_ssl_ctx_cb_args { struct event *next; } update_ssl_ctx_cb_args_t; +static void replace_one_ssl_ctx(SSL_CTX **to, SSL_CTX *from) +{ + if (*to) + SSL_CTX_free(*to); + + SSL_CTX_up_ref(from); + *to = from; +} + +/* + * Synchronise the ioa_engine's SSL certificates with the global ones + */ static void update_ssl_ctx(evutil_socket_t sock, short events, update_ssl_ctx_cb_args_t *args) { ioa_engine_handle e = args->engine; turn_params_t *params = args->params; + /* No mutex with "e" as these are only used in the same event loop */ pthread_mutex_lock(&turn_params.tls_mutex); - e->tls_ctx_ssl23 = params->tls_ctx_ssl23; - e->tls_ctx_v1_0 = params->tls_ctx_v1_0; + replace_one_ssl_ctx(&e->tls_ctx_ssl23, params->tls_ctx_ssl23); + replace_one_ssl_ctx(&e->tls_ctx_v1_0, params->tls_ctx_v1_0); #if TLSv1_1_SUPPORTED - e->tls_ctx_v1_1 = params->tls_ctx_v1_1; + replace_one_ssl_ctx(&e->tls_ctx_v1_1, params->tls_ctx_v1_1); #if TLSv1_2_SUPPORTED - e->tls_ctx_v1_2 = params->tls_ctx_v1_2; + replace_one_ssl_ctx(&e->tls_ctx_v1_2, params->tls_ctx_v1_2); #endif #endif #if DTLS_SUPPORTED - e->dtls_ctx = params->dtls_ctx; + replace_one_ssl_ctx(&e->dtls_ctx, params->dtls_ctx); #endif #if DTLSv1_2_SUPPORTED - e->dtls_ctx_v1_2 = params->dtls_ctx_v1_2; + replace_one_ssl_ctx(&e->dtls_ctx_v1_2, params->dtls_ctx_v1_2); #endif struct event *next = args->next; pthread_mutex_unlock(&turn_params.tls_mutex); From 8c0830daa97a4e447dc1ddf29d1184c17e90f1ef Mon Sep 17 00:00:00 2001 From: tyranron Date: Wed, 21 Apr 2021 17:30:11 +0300 Subject: [PATCH 4/9] Add prometheus-client-c to Docker image Co-authored-by: SammyEnigma --- docker/coturn/CHANGELOG.md | 8 ++++ docker/coturn/alpine/Dockerfile | 78 ++++++++++++++++++++++++++++++++- docker/coturn/debian/Dockerfile | 77 +++++++++++++++++++++++++++++++- docker/coturn/tests/main.bats | 9 ++++ 4 files changed, 170 insertions(+), 2 deletions(-) 
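Review bot: `replace_one_ssl_ctx()` calls `SSL_CTX_up_ref(from)` unconditionally, but `from` may be NULL when a given protocol's context was never created, and the up-ref dereferences its argument. Guarding it with `if (from) SSL_CTX_up_ref(from);` keeps `*to = from` correct in the NULL case. The `if (*to)` test before `SSL_CTX_free(*to)` can be dropped, since freeing NULL is a no-op. I would also add a comment on the helper, `/* The engine holds one reference per slot: drop the old one, take one on the new context. */`, and state where those references are released when an engine is torn down, which is not visible in this hunk.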
diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index 07ea972..aecfe04 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -7,10 +7,16 @@ Coturn TURN server Docker image changelog ## [4.5.2-r1] · 2021-04-?? · To-be-done [4.5.2-r1]: /../../tree/docker/4.5.2-r1 +### Added + +- [Prometheus] support with [prometheus-client-c] 0.1.3: ([#754]) + ### Fixed - Incorrect linking with [mongo-c-driver] on [Debian Linux] image. +[#754]: /../../pull/754 + @@ -39,3 +45,5 @@ Coturn TURN server Docker image changelog [Coturn]: https://haraka.github.io [Debian Linux]: https://www.debian.org [mongo-c-driver]: https://github.com/mongodb/mongo-c-driver +[Prometheus]: https://prometheus.io +[prometheus-client-c]: https://github.com/digitalocean/prometheus-client-c diff --git a/docker/coturn/alpine/Dockerfile b/docker/coturn/alpine/Dockerfile index ac06a36..5f2c513 100644 --- a/docker/coturn/alpine/Dockerfile +++ b/docker/coturn/alpine/Dockerfile 
@@ -7,6 +7,74 @@ ARG alpine_ver=3.13 +# +# Stage 'dist-libprom' creates prometheus-client-c distribution. +# + +# We compile prometheus-client-c from sources, because Alpine doesn't provide +# it as its package yet. +# +# TODO: Re-check this to be present in packages on next Alpine major version update. + +# https://hub.docker.com/_/alpine +FROM alpine:${alpine_ver} AS dist-libprom + +# Install tools for building. +RUN apk update \ + && apk add --no-cache \ + ca-certificates cmake g++ git make \ + && update-ca-certificates + +# Install prometheus-client-c build dependencies. +RUN apk add --no-cache \ + libmicrohttpd-dev + +# Prepare prometheus-client-c sources for building. +ARG prom_ver=0.1.3 +RUN mkdir -p /build/ && cd /build/ \ + && git init \ + && git remote add origin https://github.com/digitalocean/prometheus-client-c \ + && git fetch --depth=1 origin "v${prom_ver}" \ + && git checkout FETCH_HEAD + +# Build libprom.so from sources. +RUN mkdir -p /build/prom/build/ && cd /build/prom/build/ \ + && TEST=0 cmake -v -G "Unix Makefiles" \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_SKIP_BUILD_RPATH=TRUE \ + -DCMAKE_C_FLAGS="-DPROM_LOG_ENABLE -g -O3" \ + .. \ + && make + +# Build libpromhttp.so from sources. +RUN mkdir -p /build/promhttp/build/ && cd /build/promhttp/build/ \ + # Fix compiler warning: -Werror=incompatible-pointer-types + && sed -i 's/\&promhttp_handler/(MHD_AccessHandlerCallback)\&promhttp_handler/' \ + /build/promhttp/src/promhttp.c \ + && TEST=0 cmake -v -G "Unix Makefiles" \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_SKIP_BUILD_RPATH=TRUE \ + -DCMAKE_C_FLAGS="-g -O3" \ + .. \ + && make VERBOSE=1 + +# Install prometheus-client-c. 
+RUN LIBS_DIR=/out/$(dirname $(find /usr/ -name libc.so)) \ + && mkdir -p $LIBS_DIR/ \ + && cp -rf /build/prom/build/libprom.so \ + /build/promhttp/build/libpromhttp.so \ + $LIBS_DIR/ \ + && mkdir -p /out/usr/include/ \ + && cp -rf /build/prom/include/* \ + /build/promhttp/include/* \ + /out/usr/include/ \ + # Preserve license file. + && mkdir -p /out/usr/share/licenses/prometheus-client-c/ \ + && cp /build/LICENSE /out/usr/share/licenses/prometheus-client-c/ + + + + # # Stage 'dist-coturn' creates Coturn distribution. # @@ -27,7 +95,11 @@ RUN apk add --no-cache \ openssl-dev \ postgresql-dev mariadb-connector-c-dev sqlite-dev \ hiredis-dev \ - mongo-c-driver-dev + mongo-c-driver-dev \ + libmicrohttpd-dev + +# Install prometheus-client-c distribution. +COPY --from=dist-libprom /out/ / # Prepare local Coturn sources for building. COPY CMakeLists.txt \ @@ -85,6 +157,9 @@ RUN ln -s /usr/local/bin/detect-external-ip.sh \ /out/usr/local/bin/detect-external-ip RUN chown -R nobody:nogroup /out/var/lib/coturn/ +# Re-export prometheus-client-c distribution. +COPY --from=dist-libprom /out/ /out/ + @@ -109,6 +184,7 @@ RUN apk update \ libpq mariadb-connector-c sqlite-libs \ hiredis \ mongo-c-driver \ + libmicrohttpd \ # Cleanup unnecessary stuff. && rm -rf /var/cache/apk/* diff --git a/docker/coturn/debian/Dockerfile b/docker/coturn/debian/Dockerfile index 5bc68f0..61cd84b 100644 --- a/docker/coturn/debian/Dockerfile +++ b/docker/coturn/debian/Dockerfile 
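Review bot: The `git fetch --depth=1 origin "v${prom_ver}"` step in the new `dist-libprom` stage builds whatever the upstream tag points to at build time, with no commit id or checksum check, so a moved or re-created tag silently changes the library shipped in the image. Pinning the full commit id would make the input fixed and auditable, for example `ARG prom_commit=<COMMIT_SHA_PLACEHOLDER>` followed by `test "$(git rev-parse FETCH_HEAD)" = "${prom_commit}"` before the build. The same step appears in the debian/Dockerfile hunk. Separately, the `sed` that casts `&promhttp_handler` to `MHD_AccessHandlerCallback` silences the type error rather than fixing the signature, so a comment explaining why the mismatch is harmless would help the next reader.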
@@ -7,6 +7,75 @@ ARG debian_ver=buster +# +# Stage 'dist-libprom' creates prometheus-client-c distribution. +# + +# We compile prometheus-client-c from sources, because Alpine doesn't provide +# it as its package yet. +# +# TODO: Re-check this to be present in packages on next Debian major version update. + +# https://hub.docker.com/_/debian +# We use 'bullseye' here due to too old cmake on 'buster'. +FROM debian:bullseye-slim AS dist-libprom + +# Install tools for building. +RUN apt-get update \ + && apt-get install -y --no-install-recommends --no-install-suggests \ + ca-certificates cmake g++ git make \ + && update-ca-certificates + +# Install prometheus-client-c build dependencies. +RUN apt-get install -y --no-install-recommends --no-install-suggests \ + libmicrohttpd-dev + +# Prepare prometheus-client-c sources for building. +ARG prom_ver=0.1.3 +RUN mkdir -p /build/ && cd /build/ \ + && git init \ + && git remote add origin https://github.com/digitalocean/prometheus-client-c \ + && git fetch --depth=1 origin "v${prom_ver}" \ + && git checkout FETCH_HEAD + +# Build libprom.so from sources. +RUN mkdir -p /build/prom/build/ && cd /build/prom/build/ \ + && TEST=0 cmake -v -G "Unix Makefiles" \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_SKIP_BUILD_RPATH=TRUE \ + -DCMAKE_C_FLAGS="-DPROM_LOG_ENABLE -g -O3" \ + .. \ + && make + +# Build libpromhttp.so from sources. +RUN mkdir -p /build/promhttp/build/ && cd /build/promhttp/build/ \ + # Fix compiler warning: -Werror=incompatible-pointer-types + && sed -i 's/\&promhttp_handler/(MHD_AccessHandlerCallback)\&promhttp_handler/' \ + /build/promhttp/src/promhttp.c \ + && TEST=0 cmake -v -G "Unix Makefiles" \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_SKIP_BUILD_RPATH=TRUE \ + -DCMAKE_C_FLAGS="-g -O3" \ + .. \ + && make VERBOSE=1 + +# Install prometheus-client-c. 
+RUN LIBS_DIR=/out/$(dirname $(find /usr/ -name libc.so)) \ + && mkdir -p $LIBS_DIR/ \ + && cp -rf /build/prom/build/libprom.so \ + /build/promhttp/build/libpromhttp.so \ + $LIBS_DIR/ \ + && mkdir -p /out/usr/include/ \ + && cp -rf /build/prom/include/* \ + /build/promhttp/include/* \ + /out/usr/include/ \ + # Preserve license file. + && mkdir -p /out/usr/share/licenses/prometheus-client-c/ \ + && cp /build/LICENSE /out/usr/share/licenses/prometheus-client-c/ + + + + # # Stage 'dist-mongoc' creates mongo-c-driver distribution. # @@ -79,10 +148,13 @@ RUN apt-get install -y --no-install-recommends --no-install-suggests \ libevent-dev \ libssl-dev \ libpq-dev libmariadb-dev libsqlite3-dev \ - libhiredis-dev + libhiredis-dev \ + libmicrohttpd-dev # Install mongo-c-driver distribution. COPY --from=dist-mongoc /out/ / +# Install prometheus-client-c distribution. +COPY --from=dist-libprom /out/ / # Prepare local Coturn sources for building. COPY CMakeLists.txt \ @@ -142,6 +214,8 @@ RUN chown -R nobody:nogroup /out/var/lib/coturn/ # Re-export mongo-c-driver distribution. COPY --from=dist-mongoc /out/ /out/ +# Re-export prometheus-client-c distribution. +COPY --from=dist-libprom /out/ /out/ @@ -168,6 +242,7 @@ RUN apt-get update \ libssl1.1 \ libpq5 libmariadb3 libsqlite3-0 \ libhiredis0.14 \ + libmicrohttpd12 \ # Cleanup unnecessary stuff. && rm -rf /var/lib/apt/lists/* diff --git a/docker/coturn/tests/main.bats b/docker/coturn/tests/main.bats index c1a1f8d..73e238f 100644 --- a/docker/coturn/tests/main.bats +++ b/docker/coturn/tests/main.bats @@ -116,3 +116,12 @@ [ "$status" -eq 0 ] [ ! "$output" = '' ] } + +@test "Prometheus supported" { + # Support of Prometheus is not displayed in the output, + # but using --prometheus flag does the job. + run docker run --rm --platform $PLATFORM --entrypoint sh $IMAGE -c \ + "turnserver -o --log-file=stdout --prometheus | grep 'Version Coturn'" + [ "$status" -eq 0 ] + [ ! "$output" = '' ] +} 
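Review bot: The `dist-libprom` stage is built `FROM debian:bullseye-slim` while `debian_ver` defaults to `buster`, so `libprom.so` and `libpromhttp.so` are compiled and linked against a newer libc and libmicrohttpd than the ones the final image installs. If either library picks up a symbol version that buster lacks, the failure only appears at load time. Building this stage on `debian:${debian_ver}-slim` with a newer cmake installed there would remove the mismatch; failing that, an `ldd` check on the copied libraries in the final stage would catch it at build time. The comment above the stage still reads `because Alpine doesn't provide it as its package yet` and should say `Debian`.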
From a775ca47e2e3f867af812e8df81232ca9af0dea5 Mon Sep 17 00:00:00 2001 From: tyranron Date: Thu, 22 Apr 2021 13:53:18 +0300 Subject: [PATCH 5/9] Link libatomic explicitly in debian Docker image --- configure | 9 +++++++++ docker/coturn/debian/Dockerfile | 5 ++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 9560949..b8114a1 100755 --- a/configure +++ b/configure @@ -505,6 +505,15 @@ else fi fi +############################# +# Adjustments for Debian +############################# + +if [ -f "/etc/debian_version" ] ; then + # https://github.com/coturn/coturn/pull/754#issuecomment-824693226 + OSLIBS="${OSLIBS} -latomic" +fi + ############################# # Adjustments for Solaris ############################# diff --git a/docker/coturn/debian/Dockerfile b/docker/coturn/debian/Dockerfile index 61cd84b..f497a43 100644 --- a/docker/coturn/debian/Dockerfile +++ b/docker/coturn/debian/Dockerfile @@ -183,7 +183,9 @@ RUN if [ "${coturn_git_ref}" != 'HEAD' ]; then true \ && true; fi # Build Coturn from sources. -RUN ./configure --prefix=/usr \ +# TODO: Remove `LDFLAGS` with next Coturn release containing `-latomic` flag in `configure`. +RUN LDFLAGS='-latomic' \ + ./configure --prefix=/usr \ --turndbdir=/var/lib/coturn \ --disable-rpath \ --sysconfdir=/etc/coturn \ @@ -237,6 +239,7 @@ RUN apt-get update \ && update-ca-certificates \ # Install Coturn dependencies. && apt-get install -y --no-install-recommends --no-install-suggests \ + libatomic1 \ libevent-2.1-6 libevent-core-2.1-6 libevent-extra-2.1-6 \ libevent-openssl-2.1-6 libevent-pthreads-2.1-6 \ libssl1.1 \ From d6acc316522ec0439901d3132e20a40649f7918e Mon Sep 17 00:00:00 2001 From: tyranron Date: Thu, 22 Apr 2021 13:53:59 +0300 Subject: [PATCH 6/9] Fix passing Git reference to Docker image build --- docker/coturn/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index 40a6433..99b46f2 100644 
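Review bot: The new `configure` block appends `-latomic` whenever `/etc/debian_version` exists, which keys the flag on the distribution rather than on whether the link actually needs libatomic. That file is also present on Debian derivatives, and on a host where libatomic is not installed the link would presumably now fail where it previously succeeded. A small link probe would be more robust: try linking without the flag and add it only if that fails. At minimum the comment should name the dependency that pulls in the atomic symbols instead of giving only a URL, for example `# prometheus-client-c needs libatomic on Debian (see PR #754)`, if that is indeed the cause.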
--- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -90,7 +90,7 @@ define docker.buildx docker buildx build --force-rm $(args) \ --platform $(platform) \ $(if $(call eq,$(no-cache),yes),--no-cache --pull,) \ - $(if $(call eq,$(git-ref),),,--build-arg git_ref=$(git-ref)) \ + $(if $(call eq,$(git-ref),),,--build-arg coturn_git_ref=$(git-ref)) \ -f docker/coturn/$(dockerfile)/Dockerfile \ -t $(namespace)/$(NAME):$(tag) ./ endef From dd1b11da809a4db2047f7644a7b7b6e3320cbfaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Fri, 7 May 2021 21:23:24 +0200 Subject: [PATCH 7/9] Update Changelog with PR#739 --- ChangeLog | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c0ffece..367c125 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,7 +9,7 @@ Version 4.5.3 'dan Eider': - replace keep-address-family with allocation-default-address-family (keep-address-family deprecated and will be removed!!) - merge PR #703 (by j4zzc4t) * Restore no_stdout_log behavior - - merge PR #727 (by JoKoT3) + - merge PR #727 (by JoKoT3) * Support older mysql client version in configure - merge PR #721 (by KangLin) * Add to support cmake @@ -19,6 +19,8 @@ Version 4.5.3 'dan Eider': * Packaging scripts can miss out on these errors (exit code) - merge PR #679 (by rubo77) * Readme.turnserver: how to run server as a daemon + - merge PR #739 (by hills) + * SSL reload has hidden bugs which cause crashes 10/01/2021 Oleg Moskalenko Mihály Mészáros Version 4.5.2 'dan Eider': From 8fbe513300f12a2c76628a176f85de9b0fcf3831 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Fri, 7 May 2021 21:25:40 +0200 Subject: [PATCH 8/9] Fix typo (---allow-loopback-peers) --- examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh index b01129f..3c796ca 100755 --- a/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh +++ b/examples/scripts/longtermsecuredb/secure_relay_with_db_redis.sh @@ -36,4 +36,4 @@ fi export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/ -PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 ---allow-loopback-peers -max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@ +PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver --server-name="blackdow.carleon.gov" --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --allow-loopback-peers -max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 -r north.gov --redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30" --redis-statsdb="ip=127.0.0.1 dbname=3 password=turn connect_timeout=30" --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout --cipher-list=ALL --oauth --cli-password=secret $@ From d8026372af37f2cdb7a7031d56a83b1066a4bfb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Sat, 8 May 2021 06:39:35 +0200 Subject: [PATCH 9/9] Remove trusty add focal --- .travis.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.travis.yml b/.travis.yml index 9f7e1d7..36f2e51 100644 --- a/.travis.yml +++ b/.travis.yml 
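Review bot: The corrected command line still passes `-max-bps=3000000` with a single dash, the same kind of typo this commit fixes for `--allow-loopback-peers`. It should be `--max-bps=3000000`; otherwise the option parser is likely to read it as the short `-m` option with a junk argument, and the bandwidth cap is not applied. The trailing `$@` is unquoted, so arguments containing spaces are re-split; `"$@"` keeps them intact. Since example scripts get copied into real deployments, I would also add a comment that `--cipher-list=ALL`, `password=turn` and `--cli-password=secret` are for local testing only.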
@@ -98,13 +98,20 @@ jobs: - libpq-dev - libmysqlclient-dev - libhiredis-dev + - os: osx + osx_image: xcode11.3 + # - os: osx + # osx_image: xcode11.6 + - os: osx + osx_image: xcode12 - os: linux - dist: trusty + arch: ppc64le + dist: focal sudo: required addons: apt: packages: - - mysql-client-5.6 + - mysql-client - debhelper - dpkg-dev - libssl-dev @@ -115,13 +122,7 @@ jobs: - libpq-dev - libmysqlclient-dev - libhiredis-dev - - os: osx - osx_image: xcode11.3 - # - os: osx - # osx_image: xcode11.6 - - os: osx - osx_image: xcode12 - - os: linux + - os: linux arch: ppc64le dist: xenial sudo: required