I'm preparing for a client install of * by doing a fresh one in-house. Unlike my earlier installation that runs asterisk as superuser, my current experimental box runs without such privilege. This is causing it to moan that it can't set TOS. I absolutely don't want to install it on the client LAN without this capability. If need be, I'll set the binary to run setuid root. But I'm looking for something more elegant. While googling, I found a suggestion to use iptables mangle rules to set TOS for all packets going out of the box on ports like 5060 and 10000:20000. Not a bad hack, but indiscriminate and this box will be handling other traffic besides the RTP. I'd like to do better. I thought of using POSIX access control to enable asterisk to do TOS setting without being root (would this be CAP_NET_RAW?), which sounds perfect, but so far I'm operating with stock ubuntu hardy, and I would like to avoid a kernel build to add this capability. Any other ideas? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20080718/dd57d462/attachment.htm -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3221 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.digium.com/pipermail/asterisk-users/attachments/20080718/dd57d462/attachment.bin
On Friday 18 July 2008 14:21:14 Bill Michaelson wrote:> I'm preparing for a client install of * by doing a fresh one in-house. > Unlike my earlier installation that runs asterisk as superuser, my > current experimental box runs without such privilege. This is causing > it to moan that it can't set TOS. I absolutely don't want to install it > on the client LAN without this capability. If need be, I'll set the > binary to run setuid root. > > But I'm looking for something more elegant. While googling, I found a > suggestion to use iptables mangle rules to set TOS for all packets going > out of the box on ports like 5060 and 10000:20000. Not a bad hack, but > indiscriminate and this box will be handling other traffic besides the > RTP. I'd like to do better. > > I thought of using POSIX access control to enable asterisk to do TOS > setting without being root (would this be CAP_NET_RAW?), which sounds > perfect, but so far I'm operating with stock ubuntu hardy, and I would > like to avoid a kernel build to add this capability.It's actually CAP_NET_ADMIN, and we already keep that privilege, if the configure script detects that the capabilities library is available. Simply set the runuser and rungroup in asterisk.conf, and Asterisk will automatically keep those privileges during startup. -- Tilghman
> I'm preparing for a client install of * by doing a fresh one in-house. > Unlike my earlier installation that runs asterisk as superuser, my > current experimental box runs without such privilege. This is causing > it to moan that it can't set TOS. I absolutely don't want to install it > on the client LAN without this capability. If need be, I'll set the > binary to run setuid root. > > But I'm looking for something more elegant. While googling, I found a > suggestion to use iptables mangle rules to set TOS for all packets going > out of the box on ports like 5060 and 10000:20000. Not a bad hack, but > indiscriminate and this box will be handling other traffic besides the > RTP. I'd like to do better.It is possible for an iptables filter/rule to match packets in the OUTPUT chain based on the UID or GID of the process which created them, if you have the "owner" module loaded. You should be able to add a rule to the OUTPUT chain of the mangle table which will set the TOS properly for any and all outbound packets generated locally by the non-root user ID which you're using to run Asterisk. Come to think of it, I think I need to do this myself. I'm using the "ultimate Linux traffic conditioning" configuration (modified very slightly) to prioritize my system's outbound traffic into multiple queues by TOS, and it's probably mis-queueing the RTP traffic because my Debian install of Asterisk is running under a non-root UID.> I thought of using POSIX access control to enable asterisk to do TOS > setting without being root (would this be CAP_NET_RAW?), which sounds > perfect, but so far I'm operating with stock ubuntu hardy, and I would > like to avoid a kernel build to add this capability. > > Any other ideas?Seems like "iptables -t mangle -A OUTPUT -m owner --uid-owner $ASTERISK" would be along the lines of what you want? Mark the packets with the TOS you want... and then consider using the Linux traffic-shaping system to make sure that they really do get transmitted ahead of non-urgent packets: http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.cookbook.ultimate-tc.html