[Spce-user] fresh install debian 7 not web access

Thomas Odorfer odotom at gmail.com
Mon Sep 8 09:39:39 EDT 2014


Hello Alex,

thanks for the reply.

- on ssh:

The server was a fresh setup with two ethernet interfaces (DHCP on a cloud vm system, however stable ip addresses as long as the vm system itself is not shut down). Initially I set up debian with ssh access for eth1 ip address only (DMZ LAN), whilst the official hostname is mapped towards ip address on eth0 (public internet) for listening to SIP traffic.
(my /etc/hosts had only entries for eth0 ip address and none for eth1 ip)

As far as I could remember I performed a reboot immediately after SPCE installation and BEFORE I had manually set up network.yml (or using ngcp-network configuration). In that case, only localhost address and - for strange reasons - the ipv6 address of eth0 had been applied to sshd.conf as listening addresses, eth0 ipv4 address and the eth1 addresses had not been applied to sshd.conf.
The original ipv4 address is kept stable even after rebooting the OS - so rebooting/DHCP itself is not the problem.

Not sure why in that case not every „up“ interface had been recognized by the config script.

My „mistake“ was not to perform the network configuration immediately after SPCE installation because I was not aware that the SPCE installation is modifying sshd.conf.

I will try to replicate that on a different machine and provide some intermediate results - is there a configuration log file you are interested in?

- on reg_agent.conf.tt2:

I have used reg_agent.conf.tt2 file for holding the peer registration credentials - I thought this is the purpose of that file and there is no need for a customtt version.
BTW: The manual https://www.sipwise.com/doc/mr3.4.1/spce/ar01s06.html#_authenticating_and_registering_against_peering_servers should be adapted here:
/etc/ngcp-config/templates/etc/ngcp-sems/etc/reg_agent.conf.tt2 instead of /etc/ngcp-config/templates/etc/sems/etc/reg_agent.conf.tt2

best regards
Thomas


On Sep 8, 2014, at 11:34 AM, Alex Lutay <alutay at sipwise.com> wrote:

Dear Thomas,

First of all thank you for sharing your thoughts!

Let me try to answer your letter:
> ... and excluded myself from ssh...

This sounds strange, as the initial idea was to have sshd listening on all the interfaces by default on a new installation:
https://github.com/sipwise/cfg-schema/commit/e525d69

So, during the installation "ngcpcfg apply" should add all the IPs from
network.yml to sshd config. Is it true for your case?

Can you please share one detail:
- have you installed CE using DHCP
AND
- your server has more than one network interface
AND
- after reboot the server got a new IP different from the IP it was installed on?
Tnx!

> ... why ssh access should be limited/granted by default to the kamailio listening addresses ...

We need to be sure that the customer will have access to the newly installed system via ssh, so we are listening on all the interfaces on a new installation (actually it was working this way before the ssh_ext type was added, sshd listened on all interfaces).
Now the customer is able to limit the list of interfaces where sshd is listening using the common way: "edit network.yml + ngcpcfg apply"

> At least there should be a hint within the manual to advise that the network configuration including ssh addresses should be finished and applied before performing any reboot.

My vision is: everything should work after the installation without any hints/manual manipulations (just because nobody reads them ;-) ).
So, let's try to find the reason why it failed in your case and fix/improve the situation here.

> When upgrading my other SPCE instance to mr3.3 I observed that the folder for sems had been renamed to ngcp-sems,
> however the existing reg_agent.conf entries for peer registration had not been transferred. It took some time to find the reason why
> numbers could not be reached anymore (/etc/ngcp-config/templates/etc/sems does still exist and I thought that the upgrade failed)

Do you mean reg_agent.conf.customtt.tt2? Good point, we should copy custom configs if the user decided not to disable them during upgrade.


So, one more "thank you" for reporting your issues and ideas.


On 04/09/14 13:46, Thomas Odorfer wrote:
> setting up a new SPCE instance for test purposes today I also encountered some trouble with the newly added ssh configuration.
> 
> I’ve done a reboot after install due to the known apache/nginx issue and excluded myself from ssh (ssh access actually on a different ethernet, I was not aware of the ssh config changes).
> In principle I understand your attempt to improve security - in that case I do not know why ssh access should be limited/granted by default to the kamailio listening addresses. Probably this can be discussed - usually ssh access is basic debian sysadmin stuff and ngcp installation is overwriting an existing ssh configuration without notice.
> At least there should be a hint within the manual to advise that the network configuration including ssh addresses should be finished and applied before performing any reboot.
> 
> When upgrading my other SPCE instance to mr3.3 I observed that the folder for sems had been renamed to ngcp-sems, however the existing reg_agent.conf entries for peer registration had not been transferred. It took some time to find the reason why numbers could not be reached anymore (/etc/ngcp-config/templates/etc/sems does still exist and I thought that the upgrade failed)
> 
> Nevertheless, a great piece of work and many thanks for the package!


-- 
Alexander Lutay
Head of Quality Assurance
Sipwise GmbH, Campus 21/Europaring F15
AT-2345 Brunn am Gebirge

Office: +43(0)13012036
Email: alutay at sipwise.com
Website: http://www.sipwise.com
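
Added example (not part of the original thread and not Sipwise code): a check to run before a reboot that compares the ListenAddress lines of a generated sshd configuration with the addresses an admin expects to log in on. The sample config, the addresses (documentation ranges) and the function names are constructed for illustration; only numeric addresses are handled.

```python
import ipaddress
import re

# Constructed sample: sshd bound to loopback and one IPv6 address only,
# similar to the state described in the message above.
SAMPLE_SSHD_CONFIG = """\
# generated file (constructed sample)
Port 22
ListenAddress 127.0.0.1
ListenAddress [2001:db8::10]:22
#ListenAddress 192.0.2.10
"""

def listen_addresses(config_text):
    """Return the set of IPs sshd binds to, or None if it binds to all."""
    found = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)listenaddress[\s=]+(\S+)", line)
        if not m:
            continue
        value = m.group(1)
        # Accepted forms: addr, IPv4:port, [addr]:port, bare IPv6
        if value.startswith("["):
            host = value[1:value.index("]")]
        elif value.count(":") == 1:
            host = value.split(":")[0]
        else:
            host = value
        found.add(ipaddress.ip_address(host))        # hostnames raise ValueError
    # No ListenAddress at all means sshd listens on every local address.
    return found or None

def unreachable(config_text, interface_ips):
    """Interface addresses on which sshd would not accept connections."""
    bound = listen_addresses(config_text)
    if bound is None:
        return []
    missing = []
    for ip in map(ipaddress.ip_address, interface_ips):
        # 0.0.0.0 covers IPv4 only and :: covers IPv6 only in sshd
        wildcard = ipaddress.ip_address("0.0.0.0" if ip.version == 4 else "::")
        if ip not in bound and wildcard not in bound:
            missing.append(str(ip))
    return missing
```

Pass it the text of /etc/ssh/sshd_config and the addresses of the interfaces used for management; a non-empty result means a reboot or sshd restart would cut off access on those addresses.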
