From 0b709a05b7eb5f2420f49b4610ff9fbd7ac670d4 Mon Sep 17 00:00:00 2001 From: Serhii Charykov Date: Mon, 26 Apr 2021 21:36:28 +0300 Subject: [PATCH 01/36] Remove sqlite3_shutdown() Because: 1. According to sqlite3 docs sqlite3_initialize() and sqlite3_shutdown() are not must to be invoked 2. sqlite3_initialize() is never called explicilty 3. sqlite3_shutdown() is not threadsafe and sqlite_init_multithreaded is not called holding a lock 4. According to docs all connections must be closed before invoking sqlite3_shutdown() but they are not (from the different threads). Possible issue: sqlite3_config must be called before sqlite3_initialize() or after sqlite3_shutdown() (and only once?) --- src/apps/relay/dbdrivers/dbd_sqlite.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index 06da7c1..d1d7a94 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c @@ -99,8 +99,6 @@ static int sqlite_init_multithreaded(void) { #if defined(SQLITE_CONFIG_MULTITHREAD) - sqlite3_shutdown(); - if (sqlite3_threadsafe() > 0) { int retCode = sqlite3_config(SQLITE_CONFIG_MULTITHREAD); if (retCode != SQLITE_OK) { From 34e18533cfaee6b5f4b6adca73f14467fac9b03f Mon Sep 17 00:00:00 2001 From: Serhii Charykov Date: Mon, 26 Apr 2021 22:19:16 +0300 Subject: [PATCH 02/36] Fix sqlite3_config call only once before using any other sqlite utilities --- src/apps/relay/dbdrivers/dbd_sqlite.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index d1d7a94..e6c7835 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c 
@@ -95,10 +95,9 @@ static void sqlite_unlock(int write) ////////////////////////////////////////////////// -static int sqlite_init_multithreaded(void) { +static int _sqlite_init_multithreaded(void) { #if defined(SQLITE_CONFIG_MULTITHREAD) - if (sqlite3_threadsafe() > 0) { int retCode = sqlite3_config(SQLITE_CONFIG_MULTITHREAD); if (retCode != SQLITE_OK) { @@ -117,6 +116,10 @@ static int sqlite_init_multithreaded(void) { return 0; } +static void sqlite_init_multithreaded(void) { + (void) _sqlite_init_multithreaded(); +} + static int donot_print_connection_success = 0; static void fix_user_directory(char *dir0) { @@ -172,6 +175,8 @@ static void init_sqlite_database(sqlite3 *sqliteconnection) { } } +pthread_once_t sqlite_init_once = PTHREAD_ONCE_INIT; + static sqlite3 * get_sqlite_connection(void) { persistent_users_db_t *pud = get_persistent_users_db(); @@ -179,7 +184,7 @@ static sqlite3 * get_sqlite_connection(void) { sqlite3 *sqliteconnection = (sqlite3 *)pthread_getspecific(connection_key); if(!sqliteconnection) { fix_user_directory(pud->userdb); - sqlite_init_multithreaded(); + (void) pthread_once(&sqlite_init_once, sqlite_init_multithreaded); int rc = sqlite3_open(pud->userdb, &sqliteconnection); if(!sqliteconnection || (rc != SQLITE_OK)) { const char* errmsg = sqlite3_errmsg(sqliteconnection); From 2d12ad4f2957174920cb7048dd1bf4d41df2e69d Mon Sep 17 00:00:00 2001 From: Serhii Charykov Date: Mon, 26 Apr 2021 23:29:46 +0300 Subject: [PATCH 03/36] Refactor code --- src/apps/relay/dbdrivers/dbd_sqlite.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index e6c7835..7c02745 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c 
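Review bot: The new name `_sqlite_init_multithreaded` starts with an underscore at file scope, which C reserves for the implementation (C11 §7.1.3), so it can collide with compiler or library identifiers. A suffix keeps the intent without the reserved prefix, e.g. `static int sqlite_init_multithreaded_impl(void) {`. The function body continues outside the hunk.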
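Review bot: The wrapper `(void) _sqlite_init_multithreaded();` discards the -1 the inner function returns when `sqlite3_config` fails, and because `pthread_once` runs it exactly once that failure is never visible to `get_sqlite_connection`, which then opens a connection on every thread in a configuration that was just logged as not thread-safe. Recording the outcome in a file-scope flag, e.g. `static int sqlite_init_failed = 0;` set in the error branches and checked right after the `pthread_once` call, would let the caller log once and return NULL, which the visible `return sqliteconnection;` suggests its callers already handle. The hunks `@@ -104,16 +104,14 @@` in PATCH 04 and `@@ -110,17 +104,17 @@` in PATCH 12, which turn the returns into bare `return;`, keep the same gap.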
@@ -95,7 +95,7 @@ static void sqlite_unlock(int write) ////////////////////////////////////////////////// -static int _sqlite_init_multithreaded(void) { +static int sqlite_init_multithreaded(void) { #if defined(SQLITE_CONFIG_MULTITHREAD) if (sqlite3_threadsafe() > 0) { @@ -116,10 +116,6 @@ static int _sqlite_init_multithreaded(void) { return 0; } -static void sqlite_init_multithreaded(void) { - (void) _sqlite_init_multithreaded(); -} - static int donot_print_connection_success = 0; static void fix_user_directory(char *dir0) { @@ -175,16 +171,15 @@ static void init_sqlite_database(sqlite3 *sqliteconnection) { } } -pthread_once_t sqlite_init_once = PTHREAD_ONCE_INIT; - static sqlite3 * get_sqlite_connection(void) { + static pthread_once_t sqlite_init_once = PTHREAD_ONCE_INIT; persistent_users_db_t *pud = get_persistent_users_db(); sqlite3 *sqliteconnection = (sqlite3 *)pthread_getspecific(connection_key); if(!sqliteconnection) { fix_user_directory(pud->userdb); - (void) pthread_once(&sqlite_init_once, sqlite_init_multithreaded); + (void) pthread_once(&sqlite_init_once, (void (*)(void))sqlite_init_multithreaded); int rc = sqlite3_open(pud->userdb, &sqliteconnection); if(!sqliteconnection || (rc != SQLITE_OK)) { const char* errmsg = sqlite3_errmsg(sqliteconnection); From 0f7ff3ec4a3860355133cba799a6e949673f703c Mon Sep 17 00:00:00 2001 From: Serhii Charykov Date: Mon, 26 Apr 2021 23:47:11 +0300 Subject: [PATCH 04/36] Change sqlite_init_multithreaded return type to void to satisfy pthread_once() interface because previously return from sqlite_init_multithreaded was not used --- src/apps/relay/dbdrivers/dbd_sqlite.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index 7c02745..38e44a2 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c 
@@ -95,7 +95,7 @@ static void sqlite_unlock(int write) ////////////////////////////////////////////////// -static int sqlite_init_multithreaded(void) { +static void sqlite_init_multithreaded(void) { #if defined(SQLITE_CONFIG_MULTITHREAD) if (sqlite3_threadsafe() > 0) { @@ -104,16 +104,14 @@ static int sqlite_init_multithreaded(void) { retCode = sqlite3_config(SQLITE_CONFIG_SERIALIZED); if (retCode != SQLITE_OK) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "setting sqlite thread safe mode to serialized failed!!! return code: %d\n", retCode); - return -1; + return; } } } else { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Your SQLite database is not compiled to be threadsafe.\n"); - return -1; + return; } #endif - - return 0; } static int donot_print_connection_success = 0; @@ -179,7 +177,7 @@ static sqlite3 * get_sqlite_connection(void) { sqlite3 *sqliteconnection = (sqlite3 *)pthread_getspecific(connection_key); if(!sqliteconnection) { fix_user_directory(pud->userdb); - (void) pthread_once(&sqlite_init_once, (void (*)(void))sqlite_init_multithreaded); + (void) pthread_once(&sqlite_init_once, sqlite_init_multithreaded); int rc = sqlite3_open(pud->userdb, &sqliteconnection); if(!sqliteconnection || (rc != SQLITE_OK)) { const char* errmsg = sqlite3_errmsg(sqliteconnection); From 60e7a199fe748cb7080594a458d22c2f7bb15a8c Mon Sep 17 00:00:00 2001 From: tyranron Date: Mon, 9 Aug 2021 11:38:55 +0300 Subject: [PATCH 05/36] Update alpine to 3.14.1 version in Docker image to fix CVE-2021-36159 --- docker/coturn/CHANGELOG.md | 10 ++++++++++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- docker/coturn/alpine/Dockerfile | 2 +- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index db3c734..ff3053b 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md 
@@ -4,6 +4,16 @@ Coturn TURN server Docker image changelog +## [4.5.2-r3] · 2021-08-09 +[4.5.2-r3]: /../../tree/docker/4.5.2-r3 + +### Security updated + +- [Alpine Linux] 3.14.1: + + + + ## [4.5.2-r2] · 2021-06-21 [4.5.2-r2]: /../../tree/docker/4.5.2-r2 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index 1c6080d..e212d84 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 2 +BUILD_REV ?= 3 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index e902823..59feada 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r2`, `4.5.2-r0-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r2-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r3`, `4.5.2-r3-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r3-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] diff --git a/docker/coturn/alpine/Dockerfile b/docker/coturn/alpine/Dockerfile index d88bb3b..e4e6249 100644 --- a/docker/coturn/alpine/Dockerfile +++ b/docker/coturn/alpine/Dockerfile @@ -2,7 +2,7 @@ # Dockerfile of coturn/coturn:alpine Docker image. # -ARG alpine_ver=3.14 +ARG alpine_ver=3.14.1 From f383e5e8234d204cf9a18f06340519f097c6bdc1 Mon Sep 17 00:00:00 2001 
From: tyranron Date: Sat, 28 Aug 2021 10:57:01 +0300 Subject: [PATCH 06/36] Update alpine to 3.14.2 version in Docker image to fix CVE-2021-3711 and CVE-2021-3712 Additionally: - slightly refactor Makefile for Docker images --- docker/coturn/CHANGELOG.md | 10 ++++++++++ docker/coturn/Makefile | 15 ++++++--------- docker/coturn/README.md | 4 ++-- docker/coturn/alpine/Dockerfile | 2 +- 4 files changed, 19 insertions(+), 12 deletions(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index ff3053b..af571eb 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,16 @@ Coturn TURN server Docker image changelog +## [4.5.2-r4] · 2021-08-28 +[4.5.2-r4]: /../../tree/docker/4.5.2-r4 + +### Security updated + +- [Alpine Linux] 3.14.2: + + + + ## [4.5.2-r3] · 2021-08-09 [4.5.2-r3]: /../../tree/docker/4.5.2-r3 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index e212d84..3ad998d 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 3 +BUILD_REV ?= 4 NAMESPACES := coturn \ ghcr.io/coturn \ @@ -71,8 +71,7 @@ test: test.docker docker-namespaces = $(strip $(if $(call eq,$(namespaces),),\ $(NAMESPACES),$(subst $(comma), ,$(namespaces)))) -docker-tags = $(subst $(comma), ,$(strip \ - $(if $(call eq,$(tags),),$(TAGS),$(tags)))) +docker-tags = $(subst $(comma), ,$(or $(tags),$(TAGS))) docker-platforms = $(strip $(if $(call eq,$(platforms),),\ $(PLATFORMS),$(subst $(comma), ,$(platforms)))) @@ -130,9 +129,9 @@ docker.build.cache: docker.image: $(call docker.buildx,$(DOCKERFILE),\ coturn,\ - $(if $(call eq,$(tag),),$(VERSION),$(tag)),\ + $(or $(tag),$(VERSION)),\ $(ref),\ - $(if $(call eq,$(platform),),$(MAIN_PLATFORM),$(platform)),\ + $(or $(platform),$(MAIN_PLATFORM)),\ $(no-cache),\ --load) 
@@ -186,9 +185,7 @@ ifeq ($(wildcard node_modules/.bin/bats),) @make npm.install endif $(foreach platform,$(test-docker-platforms),\ - $(call test.docker.do,\ - $(if $(call eq,$(tag),),$(VERSION),$(tag)),\ - $(platform))) + $(call test.docker.do,$(or $(tag),$(VERSION)),$(platform))) define test.docker.do $(eval tag := $(strip $(1))) $(eval platform := $(strip $(2))) @@ -235,7 +232,7 @@ endif # Usage: # make git.release [ver=($(VERSION)|)] -git-release-tag = docker/$(strip $(if $(call eq,$(ver),),$(VERSION),$(ver))) +git-release-tag = docker/$(strip $(or $(ver),$(VERSION))) git.release: ifeq ($(shell git rev-parse $(git-release-tag) >/dev/null 2>&1 && echo "ok"),ok) diff --git a/docker/coturn/README.md b/docker/coturn/README.md index 59feada..b094343 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r3`, `4.5.2-r3-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r3-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r4`, `4.5.2-r3-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r4-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] diff --git a/docker/coturn/alpine/Dockerfile b/docker/coturn/alpine/Dockerfile index e4e6249..59c8bcc 100644 --- a/docker/coturn/alpine/Dockerfile +++ b/docker/coturn/alpine/Dockerfile @@ -2,7 +2,7 @@ # Dockerfile of coturn/coturn:alpine Docker image. # -ARG alpine_ver=3.14.1 +ARG alpine_ver=3.14.2 From 7a82602b6165a76740177ee329b00643b4710023 Mon Sep 17 00:00:00 2001 
From: tyranron Date: Sat, 28 Aug 2021 12:20:10 +0300 Subject: [PATCH 07/36] Upgrade debian to 'bullseye' version in Docker image --- configure | 126 ++++++++++++++++---------------- docker/coturn/CHANGELOG.md | 10 +++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 +- docker/coturn/debian/Dockerfile | 79 +++----------------- 5 files changed, 86 insertions(+), 135 deletions(-) diff --git a/configure b/configure index b8114a1..74d0258 100755 --- a/configure +++ b/configure @@ -18,11 +18,11 @@ testlibraw() { ${CC} ${TMPCPROGC} -o ${TMPCPROGB} ${OSCFLAGS} ${OSLIBS} -${1} 2>>/dev/null ER=$? if ! [ ${ER} -eq 0 ] ; then - ${ECHO_CMD} "Library option -${1} cannot be used" - return 0 + ${ECHO_CMD} "Library option -${1} cannot be used" + return 0 else - OSLIBS="${OSLIBS} -${1}" - return 1 + OSLIBS="${OSLIBS} -${1}" + return 1 fi } @@ -187,11 +187,11 @@ cleanup ######################### if [ -z "${ECHO_CMD}" ] ; then - ECHO_CMD=echo + ECHO_CMD=echo fi if [ -z "${FIND_CMD}" ] ; then - FIND_CMD=find + FIND_CMD=find fi if [ -z "${PORTNAME}" ] ; then @@ -288,12 +288,12 @@ do -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=* | -confdir=* | --confdir=*) CONFDIR=$ac_optarg ;; - + -disable-rpath | --disable-rpath) TURN_DISABLE_RPATH=1 ;; - + esac - + done if test -n "$ac_prev"; then @@ -334,13 +334,13 @@ fi if [ -z "${LOCALSTATEDIR}" ] ; then if [ -z "${localstatedir}" ] ; then - + if [ "${PREFIX}" = "/usr" ] ; then LOCALSTATEDIR=/var else LOCALSTATEDIR=${PREFIX}/var fi - + else LOCALSTATEDIR=${localstatedir} fi @@ -505,15 +505,6 @@ else fi fi -############################# -# Adjustments for Debian -############################# - -if [ -f "/etc/debian_version" ] ; then - # https://github.com/coturn/coturn/pull/754#issuecomment-824693226 - OSLIBS="${OSLIBS} -latomic" -fi - ############################# # Adjustments for Solaris ############################# 
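Review bot: The unconditional Debian `-latomic` adjustment removed here is re-added only inside the innermost Prometheus branch (hunk `@@ -853,45 +844,50 @@`, right after `Microhttpd lib found.`), so a Debian build with `TURN_NO_PROMETHEUS` set, or with any of the prom, promhttp or microhttpd libraries missing, no longer links libatomic. If the original adjustment referenced by the PR 754 comment was needed by coturn itself rather than only by libprom, those builds will now fail at link time; that is inferred from the move, not visible here, so worth confirming. If it really is libprom-specific, a comment at the new location, `# -latomic is only required by libprom on Debian`, would explain why the check moved.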
@@ -706,7 +697,7 @@ fi ########################### # Test some general-purpose -# libraries +# libraries ########################### testlib socket @@ -738,15 +729,15 @@ if [ ${ER} -ne 0 ] ; then exit 1 fi -if [ -z ${TURN_NO_THREAD_BARRIERS} ] ; then +if [ -z ${TURN_NO_THREAD_BARRIERS} ] ; then pthread_testbarriers -else +else TURN_NO_THREAD_BARRIERS="-DTURN_NO_THREAD_BARRIERS" fi -if [ -z ${TURN_IP_RECVERR} ] ; then +if [ -z ${TURN_IP_RECVERR} ] ; then ${ECHO_CMD} "Ignore IP_RECVERR" -else +else ${ECHO_CMD} "Use IP_RECVERR" TURN_IP_RECVERR="-DTURN_IP_RECVERR" OSCFLAGS="${OSCFLAGS} ${TURN_IP_RECVERR}" @@ -780,7 +771,7 @@ else ER=$? if ! [ ${ER} -eq 0 ] ; then ${ECHO_CMD} "OpenSSL Crypto lib found." - else + else ${ECHO_CMD} "ERROR: OpenSSL Crypto development libraries are not installed properly in required location." ${ECHO_CMD} "Abort." cleanup @@ -807,7 +798,7 @@ fi # Can we use GCM cipher ? ########################### -if [ -z ${TURN_NO_GCM} ] ; then +if [ -z ${TURN_NO_GCM} ] ; then gcm_testlib ER=$? 
@@ -853,45 +844,50 @@ fi if [ -z "${TURN_NO_PROMETHEUS}" ] ; then - testlib prom - ER=$? - if ! [ ${ER} -eq 0 ] ; then - ${ECHO_CMD} "Prometheus lib found." - testlib promhttp - ER=$? - if ! [ ${ER} -eq 0 ] ; then - ${ECHO_CMD} "Prometheus http lib found." - testlib microhttpd - ER=$? - if ! [ ${ER} -eq 0 ] ; then - ${ECHO_CMD} "Microhttpd lib found." - else - ${ECHO_CMD} - ${ECHO_CMD} "Warning: microhttpd development libraries are not installed properly in required location." - ${ECHO_CMD} "Prometheus support will be disabled." - ${ECHO_CMD} "See the INSTALL file." - ${ECHO_CMD} - OSCFLAGS="${OSCFLAGS} -DTURN_NO_PROMETHEUS" - fi - else - ${ECHO_CMD} - ${ECHO_CMD} "Warning: Libpromhttp development libraries are not installed properly in required location." - ${ECHO_CMD} "Prometheus support will be disabled." - ${ECHO_CMD} "See the INSTALL file." - ${ECHO_CMD} - OSCFLAGS="${OSCFLAGS} -DTURN_NO_PROMETHEUS" - fi - else - ${ECHO_CMD} - ${ECHO_CMD} "Warning: Libprom development libraries are not installed properly in required location." - ${ECHO_CMD} "Prometheus support will be disabled." - ${ECHO_CMD} "See the INSTALL file." - ${ECHO_CMD} - OSCFLAGS="${OSCFLAGS} -DTURN_NO_PROMETHEUS" - fi + testlib prom + ER=$? + if ! [ ${ER} -eq 0 ] ; then + ${ECHO_CMD} "Prometheus lib found." + testlib promhttp + ER=$? + if ! [ ${ER} -eq 0 ] ; then + ${ECHO_CMD} "Prometheus http lib found." + testlib microhttpd + ER=$? + if ! [ ${ER} -eq 0 ] ; then + ${ECHO_CMD} "Microhttpd lib found." + # Adjustments for Debian + # See: https://github.com/coturn/coturn/pull/754#issuecomment-824693226 + if [ -f "/etc/debian_version" ] ; then + OSLIBS="${OSLIBS} -latomic" + fi + else + ${ECHO_CMD} + ${ECHO_CMD} "Warning: microhttpd development libraries are not installed properly in required location." + ${ECHO_CMD} "Prometheus support will be disabled." + ${ECHO_CMD} "See the INSTALL file." 
+ ${ECHO_CMD} + OSCFLAGS="${OSCFLAGS} -DTURN_NO_PROMETHEUS" + fi + else + ${ECHO_CMD} + ${ECHO_CMD} "Warning: Libpromhttp development libraries are not installed properly in required location." + ${ECHO_CMD} "Prometheus support will be disabled." + ${ECHO_CMD} "See the INSTALL file." + ${ECHO_CMD} + OSCFLAGS="${OSCFLAGS} -DTURN_NO_PROMETHEUS" + fi + else + ${ECHO_CMD} + ${ECHO_CMD} "Warning: Libprom development libraries are not installed properly in required location." + ${ECHO_CMD} "Prometheus support will be disabled." + ${ECHO_CMD} "See the INSTALL file." + ${ECHO_CMD} + OSCFLAGS="${OSCFLAGS} -DTURN_NO_PROMETHEUS" + fi else - OSCFLAGS="${OSCFLAGS} -DTURN_NO_PROMETHEUS" + OSCFLAGS="${OSCFLAGS} -DTURN_NO_PROMETHEUS" fi ########################### @@ -997,7 +993,7 @@ if [ -z "${LDCONFIG}" ] ; then ISBSD=`uname | grep -i bsd` if [ -z "${ISBSD}" ] ; then ISLINUX=`uname | grep -i linux` - if [ -z "${ISLINUX}" ] ; then + if [ -z "${ISLINUX}" ] ; then SYSTEM=`uname` if [ "${SYSTEM}" = "SunOS" ] ; then LDCONFIG="crle -u -l" diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index af571eb..779f759 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,16 @@ Coturn TURN server Docker image changelog +## [4.5.2-r5] · 2021-08-29 +[4.5.2-r5]: /../../tree/docker/4.5.2-r5 + +### Upgraded + +- [Debian Linux] "buster": + + + + ## [4.5.2-r4] · 2021-08-28 [4.5.2-r4]: /../../tree/docker/4.5.2-r4 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index 3ad998d..f8b816f 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 4 +BUILD_REV ?= 5 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index b094343..3b1ec87 100644 --- a/docker/coturn/README.md 
+++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r4`, `4.5.2-r3-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r4-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r5`, `4.5.2-r5-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r5-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] diff --git a/docker/coturn/debian/Dockerfile b/docker/coturn/debian/Dockerfile index 20d2580..547dd65 100644 --- a/docker/coturn/debian/Dockerfile +++ b/docker/coturn/debian/Dockerfile @@ -2,7 +2,7 @@ # Dockerfile of coturn/coturn:debian Docker image. # -ARG debian_ver=buster +ARG debian_ver=bullseye @@ -11,14 +11,13 @@ ARG debian_ver=buster # Stage 'dist-libprom' creates prometheus-client-c distribution. # -# We compile prometheus-client-c from sources, because Alpine doesn't provide +# We compile prometheus-client-c from sources, because Debian doesn't provide # it as its package yet. # # TODO: Re-check this to be present in packages on next Debian major version update. # https://hub.docker.com/_/debian -# We use 'bullseye' here due to too old cmake on 'buster'. -FROM debian:bullseye-slim AS dist-libprom +FROM debian:${debian_ver}-slim AS dist-libprom # Install tools for building. RUN apt-get update \ 
@@ -76,60 +75,6 @@ RUN LIBS_DIR=/out/$(dirname $(find /usr/ -name libc.so)) \ -# -# Stage 'dist-mongoc' creates mongo-c-driver distribution. -# - -# We compile mongo-c-driver from sources, because buster Debian `libmongoc` packages -# cointain too old driver version, being not compatible with latest MongoDB versions well. -# -# TODO: Reconsider this on next stable Debian version update. - -# https://hub.docker.com/_/debian -FROM debian:${debian_ver}-slim AS dist-mongoc - -# Install tools for building. -RUN apt-get update \ - && apt-get install -y --no-install-recommends --no-install-suggests \ - ca-certificates cmake g++ gcc git make python \ - && update-ca-certificates - -# Install mongo-c-driver build dependencies. -RUN apt-get install -y --no-install-recommends --no-install-suggests \ - libssl-dev - -# Prepare mongo-c-driver sources for building. -ARG mongoc_ver=1.17.5 -RUN mkdir -p /tmp/mongoc/src/ && cd /tmp/mongoc/src/ \ - && git init \ - && git remote add origin https://github.com/mongodb/mongo-c-driver \ - && git fetch --depth=1 origin "${mongoc_ver}" \ - && git checkout FETCH_HEAD \ - && python build/calc_release_version.py > VERSION_CURRENT - -# Build mongo-c-driver from sources. -RUN mkdir -p /tmp/mongoc/build/ && cd /tmp/mongoc/build/ \ - && cmake -DENABLE_AUTOMATIC_INIT_AND_CLEANUP=OFF \ - -DCMAKE_BUILD_TYPE=Release \ - /tmp/mongoc/src -RUN rm -rf /build && mkdir -p /build/ \ - && cd /tmp/mongoc/build/ \ - && DESTDIR=/build cmake --build . --target install - -# Install mongo-c-driver. -RUN LIBS_DIR=/out/$(dirname $(find /usr/ -name libc.so)) \ - && mkdir -p $LIBS_DIR/ \ - && cp -rf /build/usr/local/lib/* $LIBS_DIR/ \ - && mkdir -p /out/usr/include/ \ - && cp -rf /build/usr/local/include/libbson-1.0/* /out/usr/include/ \ - && cp -rf /build/usr/local/include/libmongoc-1.0/* /out/usr/include/ \ - # Preserve license file. 
- && mkdir -p /out/usr/share/licenses/mongo-c-driver/ \ - && cp /build/usr/local/share/mongo-c-driver/COPYING /out/usr/share/licenses/mongo-c-driver/ - - - - # # Stage 'dist-coturn' creates Coturn distribution. # @@ -149,10 +94,9 @@ RUN apt-get install -y --no-install-recommends --no-install-suggests \ libssl-dev \ libpq-dev libmariadb-dev libsqlite3-dev \ libhiredis-dev \ + libmongoc-dev \ libmicrohttpd-dev -# Install mongo-c-driver distribution. -COPY --from=dist-mongoc /out/ / # Install prometheus-client-c distribution. COPY --from=dist-libprom /out/ / @@ -181,11 +125,13 @@ RUN if [ "${coturn_git_ref}" != 'HEAD' ]; then true \ && git fetch --depth=1 origin "${coturn_git_ref}" \ && git checkout FETCH_HEAD \ && true; fi +# TODO: Remove `OSLIBS` line with next Coturn release having it in `configure`. +RUN if [ "${coturn_git_ref}" = '4.5.2' ]; then true \ + && sed -i -e '850i\OSLIBS="$\{OSLIBS\} -latomic"' ./configure \ + && true; fi # Build Coturn from sources. -# TODO: Remove `LDFLAGS` with next Coturn release containing `-latomic` flag in `configure`. -RUN LDFLAGS='-latomic' \ - ./configure --prefix=/usr \ +RUN ./configure --prefix=/usr \ --turndbdir=/var/lib/coturn \ --disable-rpath \ --sysconfdir=/etc/coturn \ @@ -215,8 +161,6 @@ RUN ln -s /usr/local/bin/detect-external-ip.sh \ /out/usr/local/bin/detect-external-ip RUN chown -R nobody:nogroup /out/var/lib/coturn/ -# Re-export mongo-c-driver distribution. -COPY --from=dist-mongoc /out/ /out/ # Re-export prometheus-client-c distribution. COPY --from=dist-libprom /out/ /out/ 
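Review bot: `sed -i -e '850i\OSLIBS="$\{OSLIBS\} -latomic"' ./configure` patches by absolute line number, so it inserts at whatever line 850 happens to be and inserts nothing at all, still exiting 0, if the script is shorter, leaving the 4.5.2 build to fail later without pointing at this step. Anchoring on a pattern and checking the result is more robust, e.g. `sed -i -e '/^# Adjustments for Solaris/i\OSLIBS="$\{OSLIBS\} -latomic"' ./configure && grep -q -- '-latomic' ./configure`; the Solaris banner is present in this tree's configure, confirm it exists at the 4.5.2 tag. The TODO above explains when to remove the line but not why 850 was chosen, so a short comment naming the target spot would help the next person.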
@@ -241,11 +185,12 @@ RUN apt-get update \ # Install Coturn dependencies. && apt-get install -y --no-install-recommends --no-install-suggests \ libatomic1 \ - libevent-2.1-6 libevent-core-2.1-6 libevent-extra-2.1-6 \ - libevent-openssl-2.1-6 libevent-pthreads-2.1-6 \ + libevent-2.1-7 libevent-core-2.1-7 libevent-extra-2.1-7 \ + libevent-openssl-2.1-7 libevent-pthreads-2.1-7 \ libssl1.1 \ libpq5 libmariadb3 libsqlite3-0 \ libhiredis0.14 \ + libmongoc-1.0-0 \ libmicrohttpd12 \ # Install `dig` tool for `detect-external-ip.sh`. && apt-get install -y --no-install-recommends --no-install-suggests \ From dc8f405f8543a83ad8c059ba6b9f930e1e5a1349 Mon Sep 17 00:00:00 2001 From: tyranron Date: Sun, 29 Aug 2021 16:19:22 +0300 Subject: [PATCH 08/36] Fix typo in Docker image CHANGELOG --- docker/coturn/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index 779f759..0eaa9b4 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -9,7 +9,7 @@ Coturn TURN server Docker image changelog ### Upgraded -- [Debian Linux] "buster": +- [Debian Linux] "bullseye": From 4c059b0d3b9b3562c536a1ff983c16d719491d6a Mon Sep 17 00:00:00 2001 From: tyranron Date: Mon, 13 Sep 2021 12:01:44 +0300 Subject: [PATCH 09/36] Mention UDP port in Docker image's README (#819) --- docker/coturn/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/coturn/README.md b/docker/coturn/README.md index 3b1ec87..475c558 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -46,7 +46,7 @@ The TURN Server is a VoIP media traffic NAT traversal server and gateway. It can To run Coturn TURN server just start the container: ```bash -docker run -d -p 3478:3478 -p 49152-65535:49152-65535/udp coturn/coturn +docker run -d -p 3478:3478 -p 3478:3478/udp -p 49152-65535:49152-65535/udp coturn/coturn ``` 
@@ -56,7 +56,7 @@ As per [RFC 5766 Section 6.2], these are the ports that the TURN server will use You can change them with `min-port` and `max-port` Coturn configuration options: ```bash -docker run -d -p 3478:3478 -p 49160-49200:49160-49200/udp \ +docker run -d -p 3478:3478 -p 3478:3478/udp -p 49160-49200:49160-49200/udp \ coturn/coturn -n --log-file=stdout \ --external-ip='$(detect-external-ip)' \ --min-port=49160 --max-port=49200 From 8d66122d9168de6ed87c33db22ecc093669e0d46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arne=20Georg=20Gisn=C3=A5s=20Gleditsch?= Date: Mon, 20 Sep 2021 11:49:34 +0200 Subject: [PATCH 10/36] dbd_sqlite: Don't shutdown sqlite3 db during init Ref https://www.sqlite.org/c3ref/initialize.html: The sqlite3_initialize() interface is threadsafe, but sqlite3_shutdown() is not. We currently call `sqlite3_shutdown` from all threads as part of `sqlite_init_multithreaded`, and this has been observed to have adversarial effects during startup if many threads receive their first inbound request at the same time. The apparent motivation behind calling shutdown is to make the subsequent calls to `sqlite3_config` succeed, since these ordinarily return SQLITE_MISUSE if called multiple times. However, this function is also documented to not be thread safe, so introduce a barrier that ensures we only initialize once over all threads. --- src/apps/relay/dbdrivers/dbd_sqlite.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index 06da7c1..09e2322 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c 
@@ -45,11 +45,13 @@ ////////////////////////////////////////////////// static pthread_mutex_t rc_mutex = PTHREAD_MUTEX_INITIALIZER; +static pthread_mutex_t init_mutex = PTHREAD_MUTEX_INITIALIZER; static pthread_cond_t rc_cond = PTHREAD_COND_INITIALIZER; static int read_threads = 0; static int write_level = 0; static pthread_t write_thread = 0; +static int sqlite_initialized = 0; static void sqlite_lock(int write) { @@ -96,11 +98,12 @@ static void sqlite_unlock(int write) ////////////////////////////////////////////////// static int sqlite_init_multithreaded(void) { + if (sqlite_initialized) { + return 0; + } + sqlite_initialized = 1; #if defined(SQLITE_CONFIG_MULTITHREAD) - - sqlite3_shutdown(); - if (sqlite3_threadsafe() > 0) { int retCode = sqlite3_config(SQLITE_CONFIG_MULTITHREAD); if (retCode != SQLITE_OK) { @@ -110,6 +113,7 @@ static int sqlite_init_multithreaded(void) { return -1; } } + sqlite3_initialize(); } else { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Your SQLite database is not compiled to be threadsafe.\n"); return -1; @@ -180,6 +184,8 @@ static sqlite3 * get_sqlite_connection(void) { sqlite3 *sqliteconnection = (sqlite3 *)pthread_getspecific(connection_key); if(!sqliteconnection) { + pthread_mutex_lock(&init_mutex); + fix_user_directory(pud->userdb); sqlite_init_multithreaded(); int rc = sqlite3_open(pud->userdb, &sqliteconnection); @@ -201,6 +207,8 @@ static sqlite3 * get_sqlite_connection(void) { if(sqliteconnection) { (void) pthread_setspecific(connection_key, sqliteconnection); } + + pthread_mutex_unlock(&init_mutex); } return sqliteconnection; } From 8aded3556ed54457056fedc75341089469e29c51 Mon Sep 17 00:00:00 2001 From: Giacomo Vacca Date: Tue, 21 Sep 2021 17:26:48 +0200 Subject: [PATCH 11/36] Issue #699 Return codes for prom server --- src/apps/relay/mainrelay.c | 6 +++++- src/apps/relay/prom_server.c | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) 
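Review bot: The added `sqlite3_initialize();` ignores its return value, so an initialization failure is treated as success, and since `sqlite_initialized` was already set at the top no later thread will retry or report it. Handling it like the `sqlite3_config` results two lines above keeps the function consistent: `int irc = sqlite3_initialize(); if (irc != SQLITE_OK) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "sqlite3_initialize() failed, return code: %d\n", irc); return -1; }`. The function body continues outside the hunk.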
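Review bot: `pthread_mutex_lock(&init_mutex);` at the top of the `if(!sqliteconnection)` block is released only at the end of that block (hunk `@@ -201,6 +207,8 @@`), and the code between the two hunks is outside view; if any path there returns early, the mutex stays held and every later thread blocks on its first connection. Worth confirming there is no early return, or adding a comment at the lock, `/* held until the unlock at the end of this block; do not return early */`. Holding it across `sqlite3_open` and the rest of the block also serializes all first connections, which is acceptable at startup but deserves the same comment. get_sqlite_connection starts outside the hunk.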
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 3ed4a1d..b7c78c0 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -2589,9 +2589,13 @@ int main(int argc, char **argv) drop_privileges(); #if !defined(TURN_NO_PROMETHEUS) - if (start_prometheus_server()){ + int prometheus_status = start_prometheus_server(); + if (prometheus_status < 0) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Could not start Prometheus collector!\n"); } + else if (prometheus_status == 1) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Prometheus collector disabled, not started.\n"); + } else { TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Prometheus collector started successfully.\n"); } diff --git a/src/apps/relay/prom_server.c b/src/apps/relay/prom_server.c index 0bc69ab..0a9d5bc 100644 --- a/src/apps/relay/prom_server.c +++ b/src/apps/relay/prom_server.c @@ -62,7 +62,7 @@ int start_prometheus_server(void){ struct MHD_Daemon *daemon = promhttp_start_daemon(MHD_USE_SELECT_INTERNALLY, DEFAULT_PROM_SERVER_PORT, NULL, NULL); if (daemon == NULL) { - return 1; + return -1; } return 0; } From a19bc7c464a8c22ed147a3bafbcb788a21ab8279 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 22 Sep 2021 13:32:34 +0200 Subject: [PATCH 12/36] Revert by hand merge PR825 in favor PR755 more simple solution --- src/apps/relay/dbdrivers/dbd_sqlite.c | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/src/apps/relay/dbdrivers/dbd_sqlite.c b/src/apps/relay/dbdrivers/dbd_sqlite.c index 313cfdb..ab8c470 100644 --- a/src/apps/relay/dbdrivers/dbd_sqlite.c +++ b/src/apps/relay/dbdrivers/dbd_sqlite.c 
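Review bot: The new `else if (prometheus_status == 1)` branch relies on `start_prometheus_server` returning 1 for the disabled case, but the visible part of that function (the prom_server.c hunk) returns only -1 and 0, so the 1 must come from a path outside the hunk and the three-code contract is written down nowhere. A comment at the function's declaration, `/* Returns 0 if started, 1 if disabled by configuration, -1 if the HTTP daemon could not be started. */`, would stop the codes drifting apart between the two files. main() starts outside the hunk.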
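Review bot: `promhttp_start_daemon(MHD_USE_SELECT_INTERNALLY, DEFAULT_PROM_SERVER_PORT, NULL, NULL)` passes no accept-policy callback (the two NULLs, if they map to libmicrohttpd's apc/apc_cls as the promhttp wrapper suggests) and no bind address, so once enabled the metrics endpoint answers any peer that can reach the port, without authentication. The return-code fix does not change that exposure; a comment at the call, `/* Listens on all interfaces with no access control: restrict reachability with a firewall or a bind address. */`, plus a matching sentence in the `--prometheus` option documentation, would make it explicit for operators. start_prometheus_server starts outside the hunk.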
@@ -45,13 +45,11 @@ ////////////////////////////////////////////////// static pthread_mutex_t rc_mutex = PTHREAD_MUTEX_INITIALIZER; -static pthread_mutex_t init_mutex = PTHREAD_MUTEX_INITIALIZER; static pthread_cond_t rc_cond = PTHREAD_COND_INITIALIZER; static int read_threads = 0; static int write_level = 0; static pthread_t write_thread = 0; -static int sqlite_initialized = 0; static void sqlite_lock(int write) { @@ -97,11 +95,7 @@ static void sqlite_unlock(int write) ////////////////////////////////////////////////// -static int sqlite_init_multithreaded(void) { - if (sqlite_initialized) { - return 0; - } - sqlite_initialized = 1; +static void sqlite_init_multithreaded(void) { #if defined(SQLITE_CONFIG_MULTITHREAD) if (sqlite3_threadsafe() > 0) { @@ -110,17 +104,17 @@ static int sqlite_init_multithreaded(void) { retCode = sqlite3_config(SQLITE_CONFIG_SERIALIZED); if (retCode != SQLITE_OK) { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "setting sqlite thread safe mode to serialized failed!!! return code: %d\n", retCode); - return -1; + return; } } sqlite3_initialize(); } else { TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Your SQLite database is not compiled to be threadsafe.\n"); - return -1; + return; } #endif - return 0; + return; } static int donot_print_connection_success = 0; @@ -185,7 +179,6 @@ static sqlite3 * get_sqlite_connection(void) { sqlite3 *sqliteconnection = (sqlite3 *)pthread_getspecific(connection_key); if(!sqliteconnection) { - pthread_mutex_lock(&init_mutex); fix_user_directory(pud->userdb); (void) pthread_once(&sqlite_init_once, sqlite_init_multithreaded); @@ -208,8 +201,6 @@ static sqlite3 * get_sqlite_connection(void) { if(sqliteconnection) { (void) pthread_setspecific(connection_key, sqliteconnection); } - - pthread_mutex_unlock(&init_mutex); } return sqliteconnection; } From 3121747adebec5fcc3113eb1d1369424620102c0 Mon Sep 17 00:00:00 2001 
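Review bot: Changing `sqlite_init_multithreaded()` to `void` makes a failed `sqlite3_config()` or a non-threadsafe SQLite build unobservable to the caller: `pthread_once` runs the routine exactly once whatever its outcome, and the `@@ -185,7 +179,6 @@` hunk shows get_sqlite_connection going on to open the database after the `pthread_once` line. Recording the outcome in a file-scope flag that get_sqlite_connection checks after `pthread_once`, e.g. `static int sqlite_init_failed = 0;` set on the two logged error paths, would keep the error visible. The `sqlite3_initialize()` return value is also discarded, and the trailing `return;` immediately before the closing brace of the void function is redundant.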
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= Date: Wed, 22 Sep 2021 13:43:33 +0200 Subject: [PATCH 13/36] Update Changelog --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index fb0da8c..a1d0ebd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 10/01/2021 Oleg Moskalenko Mihály Mészáros Version 4.5.3 'dan Eider': + - merge PR #755(moznuy) and #825(by argggh) + * fix sqlite3_shutdown and sqlite3_config race + - merge PR #826 (by giavac) + * prom server better - merge PR #684 (by brevilo) * Define OPENSSL_VERSION_1_1_1 on systems where it doesn't (yet) exist * Regression in 4.5.2 that cause issues in openssl version < 1.1.1. From 3865842d28d80ea3e61f5a247213755ad59e69d6 Mon Sep 17 00:00:00 2001 From: Joe Duncan Date: Tue, 5 Oct 2021 13:12:10 +0200 Subject: [PATCH 14/36] Fix "enabeled" typo in README (#831) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d9eb7ea..1f6c090 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ Supported user databases (for user repository, with passwords or keys, if authen Redis can also be used for status and statistics storage and notification. -By default a [prometheus](https://prometheus.io/) exporter endpoint is disabled, if it is enabeled it will listen on port 9641 under path /metrics +By default a [prometheus](https://prometheus.io/) exporter endpoint is disabled, if it is enabled it will listen on port 9641 under path /metrics Supported message integrity digest algorithms: From c42cd844decdacba94b1b412f444be17db642fab Mon Sep 17 00:00:00 2001 From: Lionel Nicolas Date: Fri, 22 Oct 2021 19:47:16 -0400 Subject: [PATCH 15/36] Fix typo and formatting in --prometheus documentation --- README.turnserver | 5 +++-- man/man1/turnserver.1 | 3 +-- src/apps/relay/mainrelay.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.turnserver b/README.turnserver index e8b4248..75a7f9d 100644 
--- a/README.turnserver +++ b/README.turnserver @@ -281,8 +281,9 @@ Flags: check: across the session, all requests must have the same main ORIGIN attribute value (if the ORIGIN was initially used by the session). - --prometheus Enable prometheus metrics. By default it is - disabled. Would listen on port 9641 unther the path /metrics + +--prometheus Enable prometheus metrics. By default it is + disabled. Would listen on port 9641 under the path /metrics also the path / on this port can be used as a health check -h Help. diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 34375de..f300d52 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -422,12 +422,11 @@ The flag that sets the origin consistency check: across the session, all requests must have the same main ORIGIN attribute value (if the ORIGIN was initially used by the session). -.RS .TP .B \fB\-\-prometheus\fP Enable prometheus metrics. By default it is -disabled. Would listen on port 9641 unther the path /metrics +disabled. Would listen on port 9641 under the path /metrics also the path / on this port can be used as a health check .RE .TP diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index b7c78c0..ec820ab 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -557,7 +557,7 @@ static char Usage[] = "Usage: turnserver [options]\n" " The connection string has the same parameters as redis-userdb connection string.\n" #endif #if !defined(TURN_NO_PROMETHEUS) -" --prometheus Enable prometheus metrics. It is disabled by default. If it is enabled it will listen on port 9641 unther the path /metrics\n" +" --prometheus Enable prometheus metrics. It is disabled by default. If it is enabled it will listen on port 9641 under the path /metrics\n" " also the path / on this port can be used as a health check\n" #endif " --use-auth-secret TURN REST API flag.\n" From 19495b2d1d2bd6ab1e2898f8c5c253e09f346386 Mon Sep 17 00:00:00 2001 
From: Lionel Nicolas Date: Fri, 22 Oct 2021 19:47:49 -0400 Subject: [PATCH 16/36] Add ability to configure prometheus listener port --- README.turnserver | 2 ++ man/man1/turnserver.1 | 4 ++++ src/apps/relay/mainrelay.c | 7 +++++++ src/apps/relay/mainrelay.h | 3 ++- src/apps/relay/prom_server.c | 2 +- 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/README.turnserver b/README.turnserver index 75a7f9d..b4d6399 100644 --- a/README.turnserver +++ b/README.turnserver @@ -286,6 +286,8 @@ Flags: disabled. Would listen on port 9641 under the path /metrics also the path / on this port can be used as a health check +--prometheus-port Prometheus listener port (Default: 9641). + -h Help. Options with values: diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index f300d52..d0bfd98 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -428,6 +428,10 @@ initially used by the session). Enable prometheus metrics. By default it is disabled. Would listen on port 9641 under the path /metrics also the path / on this port can be used as a health check +.TP +.B +\fB\-\-prometheus\-port\fP +Prometheus listener port (Default: 9641). .RE .TP .B diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index ec820ab..35f1c66 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -173,6 +173,7 @@ TURN_CREDENTIALS_NONE, /* ct */ 0, /* user_quota */ #if !defined(TURN_NO_PROMETHEUS) 0, /* prometheus disabled by default */ +DEFAULT_PROM_SERVER_PORT, /* prometheus port */ #endif ///////////// Users DB ////////////// { (TURN_USERDB_TYPE)0, {"\0"}, {0,NULL, {NULL,0}} }, 
@@ -559,6 +560,7 @@ static char Usage[] = "Usage: turnserver [options]\n" #if !defined(TURN_NO_PROMETHEUS) " --prometheus Enable prometheus metrics. It is disabled by default. If it is enabled it will listen on port 9641 under the path /metrics\n" " also the path / on this port can be used as a health check\n" +" --prometheus-port Prometheus metrics port (Default: 9641).\n" #endif " --use-auth-secret TURN REST API flag.\n" " Flag that sets a special authorization option that is based upon authentication secret\n" @@ -787,6 +789,7 @@ enum EXTRA_OPTS { CHANNEL_LIFETIME_OPT, PERMISSION_LIFETIME_OPT, PROMETHEUS_OPT, + PROMETHEUS_PORT_OPT, AUTH_SECRET_OPT, NO_AUTH_PINGS_OPT, NO_DYNAMIC_IP_LIST_OPT, @@ -902,6 +905,7 @@ static const struct myoption long_options[] = { #endif #if !defined(TURN_NO_PROMETHEUS) { "prometheus", optional_argument, NULL, PROMETHEUS_OPT }, + { "prometheus-port", optional_argument, NULL, PROMETHEUS_PORT_OPT }, #endif { "use-auth-secret", optional_argument, NULL, AUTH_SECRET_OPT }, { "static-auth-secret", required_argument, NULL, STATIC_AUTH_SECRET_VAL_OPT }, @@ -1534,6 +1538,9 @@ static void set_option(int c, char *value) case PROMETHEUS_OPT: turn_params.prometheus = 1; break; + case PROMETHEUS_PORT_OPT: + turn_params.prometheus_port = atoi(value); + break; #endif case AUTH_SECRET_OPT: turn_params.use_auth_secret_with_timestamp = 1; diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h index 2e70387..3249718 100644 --- a/src/apps/relay/mainrelay.h +++ b/src/apps/relay/mainrelay.h @@ -318,7 +318,8 @@ typedef struct _turn_params_ { vint total_quota; vint user_quota; #if !defined(TURN_NO_PROMETHEUS) - int prometheus; + int prometheus; + int prometheus_port; #endif diff --git a/src/apps/relay/prom_server.c b/src/apps/relay/prom_server.c index 0a9d5bc..9d77f0c 100644 --- a/src/apps/relay/prom_server.c +++ b/src/apps/relay/prom_server.c 
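Review bot: `prometheus-port` is registered with `optional_argument` in the `long_options` hunk, but the new `case PROMETHEUS_PORT_OPT:` passes `value` straight to `atoi()`; when the option is given without a value, `value` will presumably be NULL (getopt_long convention, not verifiable from this hunk) and `atoi(NULL)` is undefined behaviour, while a non-numeric or out-of-range string silently yields 0 or a port the listener cannot bind. Register it as `required_argument` and parse with `strtol`, rejecting anything outside 1–65535 before it reaches `turn_params.prometheus_port`. set_option() continues outside the hunk; `<stdlib.h>` is assumed to be included already since `atoi()` compiles.
```c
	{ "prometheus-port", required_argument, NULL, PROMETHEUS_PORT_OPT },
	// … unchanged: remaining long_options entries …

	case PROMETHEUS_PORT_OPT: {
		char *end = NULL;
		long port = value ? strtol(value, &end, 10) : 0;
		if (!value || end == value || *end != '\0' || port < 1 || port > 65535) {
			TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "Invalid --prometheus-port value: %s\n", value ? value : "(none)");
		} else {
			turn_params.prometheus_port = (int)port;
		}
		break;
	}
	// … unchanged: remaining option cases …
```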
@@ -60,7 +60,7 @@ int start_prometheus_server(void){ promhttp_set_active_collector_registry(NULL); - struct MHD_Daemon *daemon = promhttp_start_daemon(MHD_USE_SELECT_INTERNALLY, DEFAULT_PROM_SERVER_PORT, NULL, NULL); + struct MHD_Daemon *daemon = promhttp_start_daemon(MHD_USE_SELECT_INTERNALLY, turn_params.prometheus_port, NULL, NULL); if (daemon == NULL) { return -1; } From 29838ab84fee463f0fc585b539a3d6db98b7c552 Mon Sep 17 00:00:00 2001 From: tyranron Date: Mon, 15 Nov 2021 09:42:47 +0100 Subject: [PATCH 17/36] Update alpine to 3.14.3 version in Docker image to fix CVEs --- docker/coturn/CHANGELOG.md | 10 ++++++++++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- docker/coturn/alpine/Dockerfile | 2 +- 4 files changed, 14 insertions(+), 4 deletions(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index 0eaa9b4..0aceb1c 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,16 @@ Coturn TURN server Docker image changelog +## [4.5.2-r6] · 2021-11-15 +[4.5.2-r6]: /../../tree/docker/4.5.2-r6 + +### Security updated + +- [Alpine Linux] 3.14.3: + + + + ## [4.5.2-r5] · 2021-08-29 [4.5.2-r5]: /../../tree/docker/4.5.2-r5 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index f8b816f..f4eff3f 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 5 +BUILD_REV ?= 6 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index 475c558..88ff00c 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md 
@@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r5`, `4.5.2-r5-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r5-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r6`, `4.5.2-r6-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r6-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] diff --git a/docker/coturn/alpine/Dockerfile b/docker/coturn/alpine/Dockerfile index 59c8bcc..f4d3927 100644 --- a/docker/coturn/alpine/Dockerfile +++ b/docker/coturn/alpine/Dockerfile @@ -2,7 +2,7 @@ # Dockerfile of coturn/coturn:alpine Docker image. # -ARG alpine_ver=3.14.2 +ARG alpine_ver=3.14.3 From 45e8217dbeef99bb5eada0f232ce863f3b6dc374 Mon Sep 17 00:00:00 2001 From: Benjamin Porter Date: Thu, 18 Nov 2021 10:46:31 -0700 Subject: [PATCH 18/36] Fix typo aa -> a --- README.turnserver | 2 +- man/man1/turnserver.1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.turnserver b/README.turnserver index e8b4248..07d626d 100644 --- a/README.turnserver +++ b/README.turnserver @@ -812,7 +812,7 @@ in a batch script). See the file turndb/testsqldbsetup.sql as an example. 4) The same is true for MySQL database. The same schema file is applicable. The same considerations are applicable. -5) The same is true for the Redis database, but the Redis database has aa different schema - +5) The same is true for the Redis database, but the Redis database has a different schema - it can be found (in the form of explanation) in schema.userdb.redis. Also, in Redis you can store both "keys" and open passwords (for long term credentials) - the "open password" option is less secure but more convenient for low-security environments. diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 34375de..649cd68 100644 --- a/man/man1/turnserver.1 
+++ b/man/man1/turnserver.1 @@ -1114,7 +1114,7 @@ in a batch script). See the file turndb/testsqldbsetup.sql as an example. The same is true for MySQL database. The same schema file is applicable. The same considerations are applicable. .IP 5) 4 -The same is true for the Redis database, but the Redis database has aa different schema \- +The same is true for the Redis database, but the Redis database has a different schema \- it can be found (in the form of explanation) in schema.userdb.redis. Also, in Redis you can store both "keys" and open passwords (for long term credentials) \- the "open password" option is less secure but more convenient for low\-security environments. From fcff27f88b690afa4f127183e9a1db2e8de58a6b Mon Sep 17 00:00:00 2001 From: tyranron Date: Thu, 25 Nov 2021 10:42:44 +0100 Subject: [PATCH 19/36] Upgrade alpine to 3.15 version in Docker image --- docker/coturn/CHANGELOG.md | 10 ++++++++++ docker/coturn/CONTRIBUTING.md | 2 +- docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- docker/coturn/alpine/Dockerfile | 2 +- 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index 0aceb1c..344abdb 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,16 @@ Coturn TURN server Docker image changelog +## [4.5.2-r7] · 2021-11-25 +[4.5.2-r7]: /../../tree/docker/4.5.2-r7 + +### Upgraded + +- [Alpine Linux] 3.15: + + + + ## [4.5.2-r6] · 2021-11-15 [4.5.2-r6]: /../../tree/docker/4.5.2-r6 diff --git a/docker/coturn/CONTRIBUTING.md b/docker/coturn/CONTRIBUTING.md index edde3e8..5b5c896 100644 --- a/docker/coturn/CONTRIBUTING.md +++ b/docker/coturn/CONTRIBUTING.md 
@@ -49,7 +49,7 @@ To produce a new release (version tag) of `coturn/coturn` Docker image, perform 3. Update [README] with the new version declared in [`Makefile`]. -4. Perform a `make release` command inside the`docker/coturn/` directory. +4. Perform a `make release` command inside the `docker/coturn/` directory. diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index f4eff3f..8b7876d 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 6 +BUILD_REV ?= 7 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index 88ff00c..feb636f 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r6`, `4.5.2-r6-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r6-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r7`, `4.5.2-r7-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r7-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] diff --git a/docker/coturn/alpine/Dockerfile b/docker/coturn/alpine/Dockerfile index f4d3927..67914bf 100644 --- a/docker/coturn/alpine/Dockerfile +++ b/docker/coturn/alpine/Dockerfile @@ -2,7 +2,7 @@ # Dockerfile of coturn/coturn:alpine Docker image. # -ARG alpine_ver=3.14.3 +ARG alpine_ver=3.15 From 218381a35aee63c1c605700e7ed2751e1f9c2a2f Mon Sep 17 00:00:00 2001 
From: Daniil Meitis <30820460+dsmeytis@users.noreply.github.com> Date: Fri, 3 Dec 2021 14:19:51 +0400 Subject: [PATCH 20/36] Expose default TLS ports in Docker image (#860) Co-authored-by: Daniil Meitis --- docker/coturn/alpine/Dockerfile | 2 +- docker/coturn/debian/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/coturn/alpine/Dockerfile b/docker/coturn/alpine/Dockerfile index 67914bf..48f137e 100644 --- a/docker/coturn/alpine/Dockerfile +++ b/docker/coturn/alpine/Dockerfile @@ -206,7 +206,7 @@ RUN apk add --no-cache libcap \ USER nobody:nogroup -EXPOSE 3478 3478/udp +EXPOSE 3478 3478/udp 5349 5349/udp VOLUME ["/var/lib/coturn"] diff --git a/docker/coturn/debian/Dockerfile b/docker/coturn/debian/Dockerfile index 547dd65..9b3f8e9 100644 --- a/docker/coturn/debian/Dockerfile +++ b/docker/coturn/debian/Dockerfile @@ -214,7 +214,7 @@ RUN apt-get update \ USER nobody:nogroup -EXPOSE 3478 3478/udp +EXPOSE 3478 3478/udp 5349 5349/udp VOLUME ["/var/lib/coturn"] From e775b743e515ead07f1b8ba0dfd76dea7c4e6ff1 Mon Sep 17 00:00:00 2001 From: tyranron Date: Fri, 3 Dec 2021 11:23:23 +0100 Subject: [PATCH 21/36] Bump up Docker image version to 4.5.2-r8 --- docker/coturn/CHANGELOG.md | 12 ++++++++++++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index 344abdb..daadbdd 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,18 @@ Coturn TURN server Docker image changelog +## [4.5.2-r8] · 2021-12-03 +[4.5.2-r8]: /../../tree/docker/4.5.2-r8 + +### Added + +- Default TLS ports. ([#860]) + +[#860]: /../../pull/860 + + + + ## [4.5.2-r7] · 2021-11-25 [4.5.2-r7]: /../../tree/docker/4.5.2-r7 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index 8b7876d..340c83c 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile 
@@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 7 +BUILD_REV ?= 8 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index feb636f..e044efb 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r7`, `4.5.2-r7-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r7-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r8`, `4.5.2-r8-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r8-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] From 89b2b5c85568c7170c7706f391d18f212d4d6de9 Mon Sep 17 00:00:00 2001 From: Dave Lambley Date: Wed, 15 Dec 2021 10:53:09 +0000 Subject: [PATCH 22/36] Record in metadata which Git revision Docker image was built from (#865) - parametrize Git repo URL on CI for correct builds in forks - move Docker image labeling to `Makefile` Co-authored-by: Kai Ren --- .github/workflows/docker.yml | 3 +++ docker/coturn/Makefile | 9 +++++++++ docker/coturn/alpine/Dockerfile | 7 ++++--- docker/coturn/debian/Dockerfile | 7 ++++--- 4 files changed, 20 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 2d727b2..92e4515 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -30,6 +30,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + fetch-depth: 0 + - uses: docker/setup-qemu-action@v1 - uses: docker/setup-buildx-action@v1 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index 340c83c..e54f51d 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile 
@@ -85,11 +85,20 @@ define docker.buildx $(eval platform := $(strip $(5))) $(eval no-cache := $(strip $(6))) $(eval args := $(strip $(7))) + $(eval github_url := $(strip $(or $(GITHUB_SERVER_URL),https://github.com))) + $(eval github_repo := $(strip $(or $(GITHUB_REPOSITORY),coturn/coturn))) cd ../../ && \ docker buildx build --force-rm $(args) \ --platform $(platform) \ $(if $(call eq,$(no-cache),yes),--no-cache --pull,) \ $(if $(call eq,$(git-ref),),,--build-arg coturn_git_ref=$(git-ref)) \ + --build-arg coturn_github_url=$(github_url) \ + --build-arg coturn_github_repo=$(github_repo) \ + --label org.opencontainers.image.source=$(github_url)/$(github_repo) \ + --label org.opencontainers.image.revision=$(strip \ + $(shell git show --pretty=format:%H --no-patch)) \ + --label org.opencontainers.image.version=$(subst docker/,,$(strip \ + $(shell git describe --tags --dirty --match='docker/*'))) \ -f docker/coturn/$(dockerfile)/Dockerfile \ -t $(namespace)/$(NAME):$(tag) ./ endef diff --git a/docker/coturn/alpine/Dockerfile b/docker/coturn/alpine/Dockerfile index 48f137e..1998829 100644 --- a/docker/coturn/alpine/Dockerfile +++ b/docker/coturn/alpine/Dockerfile @@ -119,10 +119,13 @@ WORKDIR /app/ # Use Coturn sources from Git if `coturn_git_ref` is specified. ARG coturn_git_ref=HEAD +ARG coturn_github_url=https://github.com +ARG coturn_github_repo=coturn/coturn + RUN if [ "${coturn_git_ref}" != 'HEAD' ]; then true \ && rm -rf /app/* \ && git init \ - && git remote add origin https://github.com/coturn/coturn \ + && git remote add origin ${coturn_github_url}/${coturn_github_repo} \ && git fetch --depth=1 origin "${coturn_git_ref}" \ && git checkout FETCH_HEAD \ && true; fi @@ -173,8 +176,6 @@ COPY --from=dist-libprom /out/ /out/ # https://hub.docker.com/_/alpine FROM alpine:${alpine_ver} AS runtime -LABEL org.opencontainers.image.source="https://github.com/coturn/coturn" - # Update system packages. RUN apk update \ && apk upgrade \ 
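Review bot: `$(shell git describe --tags --dirty --match='docker/*')` in the new `org.opencontainers.image.version` label fails in any checkout without a reachable `docker/*` tag (a shallow clone, a fork without tags, a build from a tarball), in which case `$(shell)` expands to nothing and the image is labelled with an empty version; the `fetch-depth: 0` added to the workflow covers CI but not a local `make` run. Give the label a fallback, e.g. `$(or $(shell git describe --tags --dirty --match='docker/*' 2>/dev/null),unknown)`, and do the same for the `git show` revision so a build outside a Git checkout does not emit an empty `org.opencontainers.image.revision`. The docker.buildx define continues outside the hunk.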
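Review bot: The new `git remote add origin ${coturn_github_url}/${coturn_github_repo}` leaves both build arguments unquoted inside the shell `RUN` line, so a value containing whitespace or shell metacharacters is split or interpreted rather than used as one URL; quote it as `"${coturn_github_url}/${coturn_github_repo}"`, as the existing `git fetch --depth=1 origin "${coturn_git_ref}"` already does for the ref. Since these values now come from `GITHUB_SERVER_URL`/`GITHUB_REPOSITORY` via the Makefile, a comment above the two `ARG` lines saying that overriding them builds from that repository rather than coturn/coturn, as recorded by the relocated `org.opencontainers.image.source` label, would help whoever audits an image's provenance. The same applies to the identical hunk in `docker/coturn/debian/Dockerfile`.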
diff --git a/docker/coturn/debian/Dockerfile b/docker/coturn/debian/Dockerfile index 9b3f8e9..c3b4384 100644 --- a/docker/coturn/debian/Dockerfile +++ b/docker/coturn/debian/Dockerfile @@ -118,10 +118,13 @@ WORKDIR /app/ # Use Coturn sources from Git if `coturn_git_ref` is specified. ARG coturn_git_ref=HEAD +ARG coturn_github_url=https://github.com +ARG coturn_github_repo=coturn/coturn + RUN if [ "${coturn_git_ref}" != 'HEAD' ]; then true \ && rm -rf /app/* \ && git init \ - && git remote add origin https://github.com/coturn/coturn \ + && git remote add origin ${coturn_github_url}/${coturn_github_repo} \ && git fetch --depth=1 origin "${coturn_git_ref}" \ && git checkout FETCH_HEAD \ && true; fi @@ -174,8 +177,6 @@ COPY --from=dist-libprom /out/ /out/ # https://hub.docker.com/_/debian FROM debian:${debian_ver}-slim AS runtime -LABEL org.opencontainers.image.source="https://github.com/coturn/coturn" - # Update system packages. RUN apt-get update \ && apt-get upgrade -y \ From a6e304ce345d8b2196edd325c259373e50fa3c74 Mon Sep 17 00:00:00 2001 From: GingerAdonis <2751672+GingerAdonis@users.noreply.github.com> Date: Thu, 16 Dec 2021 22:01:42 +0100 Subject: [PATCH 23/36] Mention 5349 port in Docker image's README (#867) --- docker/coturn/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/coturn/README.md b/docker/coturn/README.md index e044efb..da57115 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -46,7 +46,7 @@ The TURN Server is a VoIP media traffic NAT traversal server and gateway. It can To run Coturn TURN server just start the container: ```bash -docker run -d -p 3478:3478 -p 3478:3478/udp -p 49152-65535:49152-65535/udp coturn/coturn +docker run -d -p 3478:3478 -p 3478:3478/udp -p 5349:5349 -p 5349:5349/udp -p 49152-65535:49152-65535/udp coturn/coturn ``` 
@@ -56,7 +56,7 @@ As per [RFC 5766 Section 6.2], these are the ports that the TURN server will use You can change them with `min-port` and `max-port` Coturn configuration options: ```bash -docker run -d -p 3478:3478 -p 3478:3478/udp -p 49160-49200:49160-49200/udp \ +docker run -d -p 3478:3478 -p 3478:3478/udp -p 5349:5349 -p 5349:5349/udp -p 49160-49200:49160-49200/udp \ coturn/coturn -n --log-file=stdout \ --external-ip='$(detect-external-ip)' \ --min-port=49160 --max-port=49200 From 2132a1a8eecb3460b8c2e4a7201e3254dc420179 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Sun, 26 Dec 2021 15:47:41 +0100 Subject: [PATCH 24/36] configure: don't link in libintl libintl isn't used, so there is no need to link coturn to it. Signed-off-by: Sebastian Kemper --- configure | 1 - 1 file changed, 1 deletion(-) diff --git a/configure b/configure index 74d0258..810fccb 100755 --- a/configure +++ b/configure @@ -708,7 +708,6 @@ if ! [ ${ER} -eq 0 ] ; then echo "CYGWIN ?" fi testlib wldap64 -testlib intl testlib nsl testlib resolv From 10c91c65a39a471d9ab4e0e122a1e4a2f884369a Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Sun, 26 Dec 2021 16:14:27 +0100 Subject: [PATCH 25/36] configure: support MariaDB Connector/C If libmariadb is installed from the MariaDB server package, the pc file is "mariadb.pc". But when MariaDB Connector/C is used, it's actually "libmariadb.pc". This commit adds the latter to the detection. Signed-off-by: Sebastian Kemper --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 74d0258..c127c03 100755 --- a/configure +++ b/configure @@ -945,7 +945,7 @@ fi ########################### if [ -z "${TURN_NO_MYSQL}" ] ; then - if testpkg_db mariadb || testpkg_db mysqlclient || test_mysql_config; then + if testpkg_db libmariadb || testpkg_db mariadb || testpkg_db mysqlclient || test_mysql_config; then ${ECHO_CMD} "MySQL found." else ${ECHO_CMD} "MySQL not found. Building without MySQL support." 
From 12c19817b88ba2d1bc692d2fd8736b3cbd7db728 Mon Sep 17 00:00:00 2001 From: Dave Lambley Date: Fri, 7 Jan 2022 18:53:24 +0000 Subject: [PATCH 26/36] Correct typo --- src/apps/natdiscovery/natdiscovery.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/apps/natdiscovery/natdiscovery.c b/src/apps/natdiscovery/natdiscovery.c index 78d8297..54e8e54 100644 --- a/src/apps/natdiscovery/natdiscovery.c +++ b/src/apps/natdiscovery/natdiscovery.c @@ -580,7 +580,7 @@ static char Usage[] = " -p STUN server port (Default: 3478)\n" " -L Local address to use (optional)\n" " -l Local port to use (use with -L)\n" -" -A Local alrernative address to use\n" +" -A Local alternative address to use\n" " Used by collision behavior discovery\n" " -T Mapping lifetime timer (sec)\n" " Used by mapping lifetime behavior discovery\n"; From 4a4ff0eca7076209d437eee2f82d6fcaf4020976 Mon Sep 17 00:00:00 2001 From: Alexander N Date: Sun, 13 Mar 2022 14:33:03 +0100 Subject: [PATCH 27/36] Fixed assignment to freed memory. --- src/apps/relay/ns_ioalib_engine_impl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/apps/relay/ns_ioalib_engine_impl.c b/src/apps/relay/ns_ioalib_engine_impl.c index 4640225..eda39e7 100644 --- a/src/apps/relay/ns_ioalib_engine_impl.c +++ b/src/apps/relay/ns_ioalib_engine_impl.c @@ -2945,8 +2945,8 @@ static void eventcb_bev(struct bufferevent *bev, short events, void *arg) { tcp_connection *tc = s->sub_session; if (tc) { - delete_tcp_connection(tc); s->sub_session = NULL; + delete_tcp_connection(tc); } } break; From 94322e0d57c5914b25f41b8498a27095cf01a377 Mon Sep 17 00:00:00 2001 From: tyranron Date: Fri, 25 Mar 2022 16:52:25 +0200 Subject: [PATCH 28/36] Update Alpine to 3.15.2 version and Debian "bullseye" to 20220316 snapshot to fix CVE-2022-0778 --- docker/coturn/CHANGELOG.md | 11 +++++++++++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- 3 files changed, 14 insertions(+), 3 deletions(-) 
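Review bot: The swapped order in eventcb_bev is correct only because of something the hunk does not show — presumably `delete_tcp_connection(tc)` can free or reset `s`, which is what the commit title implies — and nothing in the code prevents a later tidy-up from moving the assignment back after the call. A one-line comment above `s->sub_session = NULL;` such as `/* must run before delete_tcp_connection(): s may no longer be valid afterwards */` documents the ordering constraint. eventcb_bev continues outside the hunk on both sides.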
diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index daadbdd..9b8abdf 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,17 @@ Coturn TURN server Docker image changelog +## [4.5.2-r9] · 2022-03-25 +[4.5.2-r9]: /../../tree/docker/4.5.2-r9 + +### Security updated + +- [Alpine Linux] 3.15.2: +- [Debian] "bullseye" 20220316: + + + + ## [4.5.2-r8] · 2021-12-03 [4.5.2-r8]: /../../tree/docker/4.5.2-r8 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index e54f51d..290db2f 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 8 +BUILD_REV ?= 9 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index da57115..0ec43f3 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r8`, `4.5.2-r8-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r8-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r9`, `4.5.2-r9-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r9-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] From 0104c1061a0f305dc605786a61cfe211fa9e245a Mon Sep 17 00:00:00 2001 From: tyranron Date: Tue, 29 Mar 2022 15:45:38 +0300 Subject: [PATCH 29/36] Update Alpine to 3.15.3 version and Debian "bullseye" to 20220328 snapshot to fix CVE-2018-25032 --- docker/coturn/CHANGELOG.md | 11 +++++++++++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- 3 files changed, 14 insertions(+), 3 deletions(-) 
diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index 9b8abdf..76d435c 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,17 @@ Coturn TURN server Docker image changelog +## [4.5.2-r10] · 2022-03-29 +[4.5.2-r10]: /../../tree/docker/4.5.2-r10 + +### Security updated + +- [Alpine Linux] 3.15.3: +- [Debian] "bullseye" 20220328: + + + + ## [4.5.2-r9] · 2022-03-25 [4.5.2-r9]: /../../tree/docker/4.5.2-r9 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index 290db2f..b631b9b 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 9 +BUILD_REV ?= 10 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index 0ec43f3..2e3ae86 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r9`, `4.5.2-r9-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r9-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r10`, `4.5.2-r10-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r10-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] From bc78447321927ee2fb7ffe94976c2c3b988fc6cf Mon Sep 17 00:00:00 2001 From: tyranron Date: Wed, 6 Apr 2022 10:18:31 +0300 Subject: [PATCH 30/36] Update Alpine to 3.15.4 version to fix CVE-2022-28391 --- docker/coturn/CHANGELOG.md | 10 ++++++++++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index 76d435c..a8a1660 100644 
--- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,16 @@ Coturn TURN server Docker image changelog +## [4.5.2-r11] · 2022-04-06 +[4.5.2-r11]: /../../tree/docker/4.5.2-r11 + +### Security updated + +- [Alpine Linux] 3.15.4: + + + + ## [4.5.2-r10] · 2022-03-29 [4.5.2-r10]: /../../tree/docker/4.5.2-r10 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index b631b9b..03463c5 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 10 +BUILD_REV ?= 11 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index 2e3ae86..fbf7506 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r10`, `4.5.2-r10-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r10-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r11`, `4.5.2-r11-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r11-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] From 7494e166d492f448b937ea3f479ca513cda1b273 Mon Sep 17 00:00:00 2001 From: tyranron Date: Fri, 6 May 2022 11:53:54 +0300 Subject: [PATCH 31/36] Upgrade GitHub Actions and enable dependabot for them --- .github/dependabot.yml | 6 ++++++ .github/workflows/docker.yml | 21 ++++++++++----------- 2 files changed, 16 insertions(+), 11 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..253bcb7 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 92e4515..6db050a 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -29,17 +29,17 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: 0 - - uses: docker/setup-qemu-action@v1 - - uses: docker/setup-buildx-action@v1 + - uses: docker/setup-qemu-action@v2 + - uses: docker/setup-buildx-action@v2 - name: Detect correct Git ref for image build id: git - uses: actions/github-script@v3 + uses: actions/github-script@v6 with: script: | let out = {ref: 'HEAD', ver: ''}; @@ -89,7 +89,7 @@ jobs: - name: Login to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -97,7 +97,7 @@ jobs: if: ${{ matrix.publish }} - name: Login to Quay.io - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: registry: quay.io username: ${{ secrets.QUAYIO_ROBOT_USERNAME }} @@ -105,7 +105,7 @@ jobs: if: ${{ matrix.publish }} - name: Login to Docker Hub - uses: docker/login-action@v1 + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_BOT_USER }} password: ${{ secrets.DOCKERHUB_BOT_PASS }} @@ -155,7 +155,7 @@ jobs: && startsWith(github.ref, 'refs/tags/docker/') }} runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Parse release version from Git tag id: release 
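Review bot: Every `uses:` bump in the `@@ -29,17` hunk (`actions/checkout@v3`, `docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v2`, `actions/github-script@v6`) still references a mutable major-version tag, so the code that handles the registry credentials passed to the three `docker/login-action@v2` steps can change upstream without any commit in this repository. Pinning each action to a full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v3`, makes the reference immutable, and the `github-actions` dependabot entry added in this commit keeps SHA pins up to date as well. The same point applies to the three `docker/login-action@v2` hunks, the second `actions/checkout@v3` hunk, and the `softprops/action-gh-release@v1` hunk that follows.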
@@ -167,11 +167,10 @@ jobs: working-directory: ./docker/coturn - name: Release on GitHub - uses: actions/create-release@v1 + uses: softprops/action-gh-release@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: - tag_name: docker/${{ steps.release.outputs.VERSION }} - release_name: docker/${{ steps.release.outputs.VERSION }} + name: docker/${{ steps.release.outputs.VERSION }} body: | [Changelog](${{ steps.changelog.outputs.LINK }}) From 6aaf0ea56fea184319f57580856749854890db5a Mon Sep 17 00:00:00 2001 From: tyranron Date: Tue, 24 May 2022 10:20:57 +0200 Subject: [PATCH 32/36] Upgrade Alpine to 3.15 version and Debian "bullseye" to 20220509 snapshot in Docker image --- docker/coturn/CHANGELOG.md | 14 ++++++++++++++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- docker/coturn/alpine/Dockerfile | 2 +- 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index a8a1660..d347113 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,20 @@ Coturn TURN server Docker image changelog +## [4.5.2-r12] · 2022-05-24 +[4.5.2-r12]: /../../tree/docker/4.5.2-r12 + +### Upgraded + +- [Alpine Linux] 3.16: + +### Security updated + +- [Debian] "bullseye" 20220509: + + + + ## [4.5.2-r11] · 2022-04-06 [4.5.2-r11]: /../../tree/docker/4.5.2-r11 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index 03463c5..c86d7a3 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 11 +BUILD_REV ?= 12 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index fbf7506..1c9c887 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md 
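Review bot: Dropping `tag_name` in the "Release on GitHub" step leaves the release tag to the action's default, which presumably is the ref that triggered the job; that only works because the job is gated on `startsWith(github.ref, 'refs/tags/docker/')` in the preceding hunk, and nothing in this step records that dependency. A comment above `uses: softprops/action-gh-release@v1` would keep a later edit of the job condition from silently creating releases on the wrong ref: `# tag_name is omitted on purpose: the action defaults to the tag that triggered this job, see the job-level if condition`. Replacing the first-party action with a third-party one that receives `secrets.GITHUB_TOKEN` also widens the trust boundary, which is one more reason to pin it by commit SHA rather than `@v1`.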
@@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r11`, `4.5.2-r11-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r11-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r12`, `4.5.2-r12-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r12-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] diff --git a/docker/coturn/alpine/Dockerfile b/docker/coturn/alpine/Dockerfile index 1998829..3f716a9 100644 --- a/docker/coturn/alpine/Dockerfile +++ b/docker/coturn/alpine/Dockerfile @@ -2,7 +2,7 @@ # Dockerfile of coturn/coturn:alpine Docker image. # -ARG alpine_ver=3.15 +ARG alpine_ver=3.16 From 299fcea34c40f5ff2cb8c128b9531b1b52844590 Mon Sep 17 00:00:00 2001 From: Molly Miller Date: Wed, 15 Jun 2022 12:37:03 +0100 Subject: [PATCH 33/36] Make username labeling in metrics configurable. --- README.turnserver | 4 ++++ man/man1/turnserver.1 | 7 +++++++ src/apps/relay/mainrelay.c | 7 +++++++ src/apps/relay/mainrelay.h | 1 + src/apps/relay/prom_server.c | 31 ++++++++++++++++++++----------- 5 files changed, 39 insertions(+), 11 deletions(-) diff --git a/README.turnserver b/README.turnserver index e8b4248..dec538c 100644 --- a/README.turnserver +++ b/README.turnserver @@ -284,6 +284,10 @@ Flags: --prometheus Enable prometheus metrics. By default it is disabled. Would listen on port 9641 unther the path /metrics also the path / on this port can be used as a health check + --prometheus-no-username-labels Disable labeling prometheus traffic + metrics with client usernames. Labeling with client usernames is + enabled by default, however this may cause memory leaks when using + authentication with ephemeral usernames (e.g. TURN REST API). -h Help. diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index 34375de..b6460f2 100644 --- a/man/man1/turnserver.1 
+++ b/man/man1/turnserver.1 @@ -429,6 +429,13 @@ initially used by the session). Enable prometheus metrics. By default it is disabled. Would listen on port 9641 unther the path /metrics also the path / on this port can be used as a health check +.TP +.B +\fB\-\-prometheus\-no\-username\-labels\fP +Disable labeling prometheus traffic +metrics with client usernames. Labeling with client usernames is +enabled by default, however this may cause memory leaks when using +authentication with ephemeral usernames (e.g. TURN REST API). .RE .TP .B diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index b7c78c0..c108905 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -173,6 +173,7 @@ TURN_CREDENTIALS_NONE, /* ct */ 0, /* user_quota */ #if !defined(TURN_NO_PROMETHEUS) 0, /* prometheus disabled by default */ +1, /* prometheus username labelling enabled by default when prometheus is enabled */ #endif ///////////// Users DB ////////////// { (TURN_USERDB_TYPE)0, {"\0"}, {0,NULL, {NULL,0}} }, @@ -559,6 +560,7 @@ static char Usage[] = "Usage: turnserver [options]\n" #if !defined(TURN_NO_PROMETHEUS) " --prometheus Enable prometheus metrics. It is disabled by default. If it is enabled it will listen on port 9641 unther the path /metrics\n" " also the path / on this port can be used as a health check\n" +" --prometheus-no-username-labels When metrics are enabled, do not label metrics with client usernames.\n" #endif " --use-auth-secret TURN REST API flag.\n" " Flag that sets a special authorization option that is based upon authentication secret\n" @@ -787,6 +789,7 @@ enum EXTRA_OPTS { CHANNEL_LIFETIME_OPT, PERMISSION_LIFETIME_OPT, PROMETHEUS_OPT, + PROMETHEUS_DISABLE_USERNAMES_OPT, AUTH_SECRET_OPT, NO_AUTH_PINGS_OPT, NO_DYNAMIC_IP_LIST_OPT, 
@@ -902,6 +905,7 @@ static const struct myoption long_options[] = { #endif #if !defined(TURN_NO_PROMETHEUS) { "prometheus", optional_argument, NULL, PROMETHEUS_OPT }, + { "prometheus-no-username-labels", optional_argument, NULL, PROMETHEUS_DISABLE_USERNAMES_OPT }, #endif { "use-auth-secret", optional_argument, NULL, AUTH_SECRET_OPT }, { "static-auth-secret", required_argument, NULL, STATIC_AUTH_SECRET_VAL_OPT }, @@ -1534,6 +1538,9 @@ static void set_option(int c, char *value) case PROMETHEUS_OPT: turn_params.prometheus = 1; break; + case PROMETHEUS_DISABLE_USERNAMES_OPT: + turn_params.prometheus_username_labels = 0; + break; #endif case AUTH_SECRET_OPT: turn_params.use_auth_secret_with_timestamp = 1; diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h index 2e70387..cd8e85e 100644 --- a/src/apps/relay/mainrelay.h +++ b/src/apps/relay/mainrelay.h @@ -319,6 +319,7 @@ typedef struct _turn_params_ { vint user_quota; #if !defined(TURN_NO_PROMETHEUS) int prometheus; + int prometheus_username_labels; #endif diff --git a/src/apps/relay/prom_server.c b/src/apps/relay/prom_server.c index 0a9d5bc..49c521e 100644 --- a/src/apps/relay/prom_server.c +++ b/src/apps/relay/prom_server.c 
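Review bot: `prometheus-no-username-labels` is registered with `optional_argument` in the long_options hunk, but the new `PROMETHEUS_DISABLE_USERNAMES_OPT` case in the set_option hunk never reads `value`, so `--prometheus-no-username-labels=0` or `=false` still disables the labels. Either register the option with `no_argument` (if the custom option parser honours it) so a stray value is rejected, or interpret `value` the way set_option's other boolean switches do, if such a helper exists in this file. The same shape is carried over unchanged into the renamed `PROMETHEUS_ENABLE_USERNAMES_OPT` case of the later patch. Both long_options and set_option continue outside these hunks.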
@@ -30,20 +30,26 @@ int start_prometheus_server(void){ return 1; } prom_collector_registry_default_init(); - - const char *label[] = {"realm", "user"}; + + const char *label[] = {"realm", NULL}; + size_t nlabels = 1; + + if (turn_params.prometheus_username_labels) { + label[1] = "user"; + nlabels++; + } // Create traffic counter metrics - turn_traffic_rcvp = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_rcvp", "Represents finished sessions received packets", 2, label)); - turn_traffic_rcvb = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_rcvb", "Represents finished sessions received bytes", 2, label)); - turn_traffic_sentp = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_sentp", "Represents finished sessions sent packets", 2, label)); - turn_traffic_sentb = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_sentb", "Represents finished sessions sent bytes", 2, label)); + turn_traffic_rcvp = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_rcvp", "Represents finished sessions received packets", nlabels, label)); + turn_traffic_rcvb = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_rcvb", "Represents finished sessions received bytes", nlabels, label)); + turn_traffic_sentp = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_sentp", "Represents finished sessions sent packets", nlabels, label)); + turn_traffic_sentb = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_sentb", "Represents finished sessions sent bytes", nlabels, label)); // Create finished sessions traffic for peers counter metrics - turn_traffic_peer_rcvp = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_peer_rcvp", "Represents finished sessions peer received packets", 2, label)); - turn_traffic_peer_rcvb = 
prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_peer_rcvb", "Represents finished sessions peer received bytes", 2, label)); - turn_traffic_peer_sentp = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_peer_sentp", "Represents finished sessions peer sent packets", 2, label)); - turn_traffic_peer_sentb = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_peer_sentb", "Represents finished sessions peer sent bytes", 2, label)); + turn_traffic_peer_rcvp = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_peer_rcvp", "Represents finished sessions peer received packets", nlabels, label)); + turn_traffic_peer_rcvb = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_peer_rcvb", "Represents finished sessions peer received bytes", nlabels, label)); + turn_traffic_peer_sentp = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_peer_sentp", "Represents finished sessions peer sent packets", nlabels, label)); + turn_traffic_peer_sentb = prom_collector_registry_must_register_metric(prom_counter_new("turn_traffic_peer_sentb", "Represents finished sessions peer sent bytes", nlabels, label)); // Create total finished traffic counter metrics turn_total_traffic_rcvp = prom_collector_registry_must_register_metric(prom_counter_new("turn_total_traffic_rcvp", "Represents total finished sessions received packets", 0, NULL)); @@ -70,7 +76,10 @@ int start_prometheus_server(void){ void prom_set_finished_traffic(const char* realm, const char* user, unsigned long rsvp, unsigned long rsvb, unsigned long sentp, unsigned long sentb, bool peer){ if (turn_params.prometheus == 1){ - const char *label[] = {realm, user}; + const char *label[] = {realm, NULL}; + if (turn_params.prometheus_username_labels){ + label[1] = user; + } if (peer){ prom_counter_add(turn_traffic_peer_rcvp, rsvp, label); 
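Review bot: `prom_set_finished_traffic` re-reads `turn_params.prometheus_username_labels` on every call, while the number of labels each counter accepts was fixed from the same flag when `start_prometheus_server` registered them; the two only agree as long as the flag never changes after startup, which nothing here enforces. Capturing the decision once in start_prometheus_server (a file-scope `static size_t` holding `nlabels` that both functions use) would tie the per-call label array to the registered label count, and a comment on the new `if` would make the assumption explicit: `/* must match the label count registered in start_prometheus_server() */`. With labels enabled, every distinct username still becomes its own time series, which the README text in this patch describes as a memory leak under ephemeral-username authentication, so the trade-off is worth stating in the code as well as the docs. prom_set_finished_traffic's body continues outside the hunk.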
From 7081d4f3a9b9d2a5e8a31c32ee4e7a1f972f17ee Mon Sep 17 00:00:00 2001 From: tyranron Date: Tue, 19 Jul 2022 16:26:34 +0200 Subject: [PATCH 34/36] Update Alpine to 3.16.1 version and Debian "bullseye" to 20220622 snapshot in Docker image to fix CVE-2022-2097 and CVE-2022-30065 --- docker/coturn/CHANGELOG.md | 11 +++++++++++ docker/coturn/Makefile | 2 +- docker/coturn/README.md | 4 ++-- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/docker/coturn/CHANGELOG.md b/docker/coturn/CHANGELOG.md index d347113..c07e431 100644 --- a/docker/coturn/CHANGELOG.md +++ b/docker/coturn/CHANGELOG.md @@ -4,6 +4,17 @@ Coturn TURN server Docker image changelog +## [4.5.2-r13] · 2022-07-19 +[4.5.2-r13]: /../../tree/docker/4.5.2-r13 + +### Security updated + +- [Alpine Linux] 3.16.1: +- [Debian] "bullseye" 20220622: + + + + ## [4.5.2-r12] · 2022-05-24 [4.5.2-r12]: /../../tree/docker/4.5.2-r12 diff --git a/docker/coturn/Makefile b/docker/coturn/Makefile index c86d7a3..2257255 100644 --- a/docker/coturn/Makefile +++ b/docker/coturn/Makefile @@ -21,7 +21,7 @@ COTURN_VER ?= 4.5.2 COTURN_MIN_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1,2)) COTURN_MAJ_VER = $(strip $(shell echo $(COTURN_VER) | cut -d '.' -f1)) -BUILD_REV ?= 12 +BUILD_REV ?= 13 NAMESPACES := coturn \ ghcr.io/coturn \ diff --git a/docker/coturn/README.md b/docker/coturn/README.md index 1c9c887..8bf3e97 100644 --- a/docker/coturn/README.md +++ b/docker/coturn/README.md @@ -15,8 +15,8 @@ Coturn TURN server Docker image ## Supported tags and respective `Dockerfile` links -- [`4.5.2-r12`, `4.5.2-r12-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] -- [`4.5.2-r12-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] +- [`4.5.2-r13`, `4.5.2-r13-debian`, `4.5.2`, `4.5.2-debian`, `4.5`, `4.5-debian`, `4`, `4-debian`, `debian`, `latest`][d1] +- [`4.5.2-r13-alpine`, `4.5.2-alpine`, `4.5-alpine`, `4-alpine`, `alpine`][d2] 
From 6fd08bac3bb375551fda83846269dcccb27ca7db Mon Sep 17 00:00:00 2001 From: Molly Miller Date: Wed, 27 Jul 2022 10:42:41 +0200 Subject: [PATCH 35/36] Invert logic for handling username metrics labels. --- README.turnserver | 4 ++-- man/man1/turnserver.1 | 6 +++--- src/apps/relay/mainrelay.c | 12 ++++++------ 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/README.turnserver b/README.turnserver index dec538c..cb04b16 100644 --- a/README.turnserver +++ b/README.turnserver @@ -284,9 +284,9 @@ Flags: --prometheus Enable prometheus metrics. By default it is disabled. Would listen on port 9641 unther the path /metrics also the path / on this port can be used as a health check - --prometheus-no-username-labels Disable labeling prometheus traffic + --prometheus-username-labels Enable labeling prometheus traffic metrics with client usernames. Labeling with client usernames is - enabled by default, however this may cause memory leaks when using + disabled by default, beacuse this may cause memory leaks when using authentication with ephemeral usernames (e.g. TURN REST API). -h Help. diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1 index b6460f2..62498cb 100644 --- a/man/man1/turnserver.1 +++ b/man/man1/turnserver.1 @@ -431,10 +431,10 @@ disabled. Would listen on port 9641 unther the path /metrics also the path / on this port can be used as a health check .TP .B -\fB\-\-prometheus\-no\-username\-labels\fP -Disable labeling prometheus traffic +\fB\-\-prometheus\-username\-labels\fP +Enable labeling prometheus traffic metrics with client usernames. Labeling with client usernames is -enabled by default, however this may cause memory leaks when using +disabled by default, beacuse this may cause memory leaks when using authentication with ephemeral usernames (e.g. TURN REST API). .RE .TP diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index c108905..255be9f 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c 
@@ -173,7 +173,7 @@ TURN_CREDENTIALS_NONE, /* ct */ 0, /* user_quota */ #if !defined(TURN_NO_PROMETHEUS) 0, /* prometheus disabled by default */ -1, /* prometheus username labelling enabled by default when prometheus is enabled */ +0, /* prometheus username labelling disabled by default when prometheus is enabled */ #endif ///////////// Users DB ////////////// { (TURN_USERDB_TYPE)0, {"\0"}, {0,NULL, {NULL,0}} }, @@ -560,7 +560,7 @@ static char Usage[] = "Usage: turnserver [options]\n" #if !defined(TURN_NO_PROMETHEUS) " --prometheus Enable prometheus metrics. It is disabled by default. If it is enabled it will listen on port 9641 unther the path /metrics\n" " also the path / on this port can be used as a health check\n" -" --prometheus-no-username-labels When metrics are enabled, do not label metrics with client usernames.\n" +" --prometheus-username-labels When metrics are enabled, add labels with client usernames.\n" #endif " --use-auth-secret TURN REST API flag.\n" " Flag that sets a special authorization option that is based upon authentication secret\n" @@ -789,7 +789,7 @@ enum EXTRA_OPTS { CHANNEL_LIFETIME_OPT, PERMISSION_LIFETIME_OPT, PROMETHEUS_OPT, - PROMETHEUS_DISABLE_USERNAMES_OPT, + PROMETHEUS_ENABLE_USERNAMES_OPT, AUTH_SECRET_OPT, NO_AUTH_PINGS_OPT, NO_DYNAMIC_IP_LIST_OPT, @@ -905,7 +905,7 @@ static const struct myoption long_options[] = { #endif #if !defined(TURN_NO_PROMETHEUS) { "prometheus", optional_argument, NULL, PROMETHEUS_OPT }, - { "prometheus-no-username-labels", optional_argument, NULL, PROMETHEUS_DISABLE_USERNAMES_OPT }, + { "prometheus-username-labels", optional_argument, NULL, PROMETHEUS_ENABLE_USERNAMES_OPT }, #endif { "use-auth-secret", optional_argument, NULL, AUTH_SECRET_OPT }, { "static-auth-secret", required_argument, NULL, STATIC_AUTH_SECRET_VAL_OPT }, 
@@ -1538,8 +1538,8 @@ static void set_option(int c, char *value) case PROMETHEUS_OPT: turn_params.prometheus = 1; break; - case PROMETHEUS_DISABLE_USERNAMES_OPT: - turn_params.prometheus_username_labels = 0; + case PROMETHEUS_ENABLE_USERNAMES_OPT: + turn_params.prometheus_username_labels = 1; break; #endif case AUTH_SECRET_OPT: From 7400edc703b5c03a9c58ff5a684fdd1ea95d6a3e Mon Sep 17 00:00:00 2001 From: Gustavo Garcia Date: Sun, 31 Jul 2022 23:52:42 +0200 Subject: [PATCH 36/36] Fixed missed assignment to freed memory --- src/apps/relay/ns_ioalib_engine_impl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/apps/relay/ns_ioalib_engine_impl.c b/src/apps/relay/ns_ioalib_engine_impl.c index 4640225..3ef77f1 100644 --- a/src/apps/relay/ns_ioalib_engine_impl.c +++ b/src/apps/relay/ns_ioalib_engine_impl.c @@ -2757,8 +2757,8 @@ void close_ioa_socket_after_processing_if_necessary(ioa_socket_handle s) { tcp_connection *tc = s->sub_session; if (tc) { - delete_tcp_connection(tc); s->sub_session = NULL; + delete_tcp_connection(tc); } } break; @@ -2945,8 +2945,8 @@ static void eventcb_bev(struct bufferevent *bev, short events, void *arg) { tcp_connection *tc = s->sub_session; if (tc) { - delete_tcp_connection(tc); s->sub_session = NULL; + delete_tcp_connection(tc); } } break;
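Review bot: The new ordering in both hunks (`s->sub_session = NULL;` before `delete_tcp_connection(tc);`) is the whole fix, but nothing in the code says why, so the next cleanup that "tidies" the two statements can reintroduce the write to freed memory the commit title describes. A one-line comment above the first statement at both sites would pin it: `/* clear the back-pointer first: delete_tcp_connection() may free the socket that owns it (see commit) */`, phrased as an inference because delete_tcp_connection is not visible here. The duplicated block in close_ioa_socket_after_processing_if_necessary and eventcb_bev could also move into one static helper so the two sites cannot drift apart again. Both enclosing functions begin and end outside the hunks.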