[Spce-user] fresh install debian 7 not web access
Alex Lutay
alutay at sipwise.com
Mon Sep 8 05:34:14 EDT 2014
Dear Thomas,
First of all thank you for sharing your thoughts!
Let me try to answer your letter:
> ... and excluded myself from ssh...
This sounds strange, as the initial idea was to have sshd listening on all the
interfaces by default on a new installation:
https://github.com/sipwise/cfg-schema/commit/e525d69
So, during the installation "ngcpcfg apply" should add all the IPs from
network.yml to sshd config. Is it true for your case?
Can you please share one detail:
- have you installed CE using DHCP
AND
- your server has more than one network interface
AND
- after reboot the server got a new IP different from the IP it was installed on?
Tnx!
> ... why ssh access should be limited/granted by default to the kamailio listening addresses ...
We want to be sure that the customer will have access to a newly installed
system via ssh, so we are listening on all the interfaces on a new
installation (actually it was working this way before the ssh_ext type was
added, sshd listened on all interfaces).
Now the customer is able to limit the list of interfaces where sshd is
listening in the common way: "edit network.yml + ngcpcfg apply"
> At least there should be a hint within the manual to advise that the network configuration including ssh addresses should be finished and applied before performing any reboot.
My vision is: everything should work after the installation without any
hints/manual manipulations (just because nobody reads them ;-) ).
So, let's try to find the reason why it failed in your case and
fix/improve the situation here.
> When upgrading my other SPCE instance to mr3.3 I observed that the folder for sems had been renamed to ngcp-sems,
> however the existing reg_agent.conf entries for peer registration had not been transferred. It took some time to find the reason why
> numbers could not be reached anymore (/etc/ngcp-config/templates/etc/sems does still exist and I thought that the upgrade failed)
Do you mean reg_agent.conf.customtt.tt2? Good point, we should copy
custom configs if the user decided not to disable them during upgrade.
So, one more "thank you" for reporting your issues and ideas.
On 04/09/14 13:46, Thomas Odorfer wrote:
> setting up a new SPCE instance for test purposes today I also encountered some trouble with the newly added ssh configuration.
>
> I’ve done a reboot after install due to the known apache/nginx issue and excluded myself from ssh (ssh access actually on a different ethernet, I was not aware of the ssh config changes).
> In principle I understand your attempt to improve security - in that case I do not know why ssh access should be limited/granted by default to the kamailio listening addresses. Probably this can be discussed - usually ssh access is basic debian sysadmin stuff and ngcp installation is overwriting an existing ssh configuration without notice.
> At least there should be a hint within the manual to advise that the network configuration including ssh addresses should be finished and applied before performing any reboot.
>
> When upgrading my other SPCE instance to mr3.3 I observed that the folder for sems had been renamed to ngcp-sems, however the existing reg_agent.conf entries for peer registration had not been transferred. It took some time to find the reason why numbers could not be reached anymore (/etc/ngcp-config/templates/etc/sems does still exist and I thought that the upgrade failed)
>
> Nevertheless, a great piece of work and many thanks for the package!
--
Alexander Lutay
Head of Quality Assurance
Sipwise GmbH, Campus 21/Europaring F15
AT-2345 Brunn am Gebirge
Office: +43(0)13012036
Email: alutay at sipwise.com
Website: http://www.sipwise.com
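
Added example, not part of the original message and not Sipwise code: a pre-reboot check for the situation asked about above, where sshd is pinned to install-time addresses and the host later comes up with a different IP. The function names, the sample sshd_config and the addresses (documentation range) are constructed; the only assumption is standard sshd ListenAddress semantics, where no directive means all interfaces.

```python
import ipaddress

# Constructed sample: an sshd_config pinned to the addresses the host had
# at install time (192.0.2.10 is a documentation-range placeholder).
SAMPLE_SSHD_CONFIG = """\
Port 22
ListenAddress 127.0.0.1
ListenAddress 192.0.2.10:22
ListenAddress [::1]:22
"""

def listen_addresses(config_text):
    """IPs named by ListenAddress directives; an empty list means 'all interfaces'."""
    found = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "listenaddress":
            continue
        value = parts[1].strip()
        if value.startswith("["):            # [IPv6]:port
            value = value[1:].split("]", 1)[0]
        elif value.count(":") == 1:          # IPv4:port
            value = value.split(":", 1)[0]
        # Literal IPs only; a hostname raises ValueError in this sketch.
        found.append(ipaddress.ip_address(value))
    return found

def audit(config_text, current_ips):
    """Return (reachable, stale): host IPs sshd serves, and configured IPs no interface holds."""
    bound = listen_addresses(config_text)
    current = [ipaddress.ip_address(ip) for ip in current_ips]
    if not bound:                            # no ListenAddress: sshd binds everything
        return [str(ip) for ip in current], []
    def covers(addr, ip):                    # 0.0.0.0 / :: cover their whole family
        return addr == ip or (addr.is_unspecified and addr.version == ip.version)
    reachable = [str(ip) for ip in current if any(covers(a, ip) for a in bound)]
    stale = [str(a) for a in bound if not a.is_unspecified and a not in current]
    return reachable, stale

def locked_out(config_text, current_ips):
    """True when sshd serves no non-loopback address the host currently has."""
    reachable, _ = audit(config_text, current_ips)
    return all(ipaddress.ip_address(ip).is_loopback for ip in reachable)
```

Feed it the generated sshd_config and the addresses currently assigned to the interfaces before rebooting; a non-empty stale list means a configured address is no longer held by any interface.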