Thursday, 1 January 2015

ViciBox v.8.1 Bug Fixes and Updates

ViciBox v.8.1.1 and under has a broken vicibox-certbot install. The fixes are numerous, so replacing the script is recommended. Here is how you do that:

1) cd /usr/local/bin
2) rm vicibox-certbot
3) wget http://download.vicidial.com/vicibox/vicibox-certbot
4) chmod 755 vicibox-certbot


------------------------------------------------------------


ViciBox v.8.1.0 had the wrong RTC port opened in the firewall. It was opening the non-TLS port (8088) instead of the TLS port (8089). This issue prevented the WebRTC features, like ViciPhone, from working correctly.

Here's how to fix that :
1) sed -i 's/8088/8089/g' /etc/sysconfig/scripts/SuSEfirewall2-custom
2) SuSEfirewall2


------------------------------------------------------------


ViciBox v.8.1.0 did not issue an Apache or Asterisk soft reload after attempting a certbot certificate renewal. If the SSL certificate is renewed then Apache/Asterisk will need to re-read the new cert. If you have a cluster then you only need to run the Apache or Asterisk parts depending upon what your server is doing. Here is the fix :

1) crontab -l > /tmp/rootcron
2) echo '10 0 1 * * /usr/sbin/apache2ctl -k graceful >/dev/null 2>&1' >> /tmp/rootcron
3) echo '11 0 1 * * /usr/sbin/asterisk -rx "module reload http" >/dev/null 2>&1' >> /tmp/rootcron
4) crontab /tmp/rootcron


------------------------------------------------------------


ViciBox v.8.1.0 had the wrong IPSet type for whitelistnets. It should have been nethash not iphash. You can correct it by doing the following :

1) sed -i 's/whitelistnets iphash/whitelistnets nethash/g' /etc/sysconfig/scripts/SuSEfirewall2-custom
2) reboot (rules have to be recreated, so easiest to reboot)


------------------------------------------------------------


ViciBox v.8.1.0 had the Asterisk REST Interface enabled by default. You can correct this by doing the following:

1) sed -i 's/enabled=yes/enabled=no/g' /etc/asterisk/ari.conf
2) reboot (can be done overnight from crontab)
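
The script below is an added example, not part of the original post or of ViciBox: a read-only audit for the firewall port, IPSet type and ARI fixes above, using the file paths the page names. The function names and the sample file contents in demo() are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not ViciBox code): report which config fixes are still missing.
# Default paths are the ones the page names.
FW_CUSTOM=${FW_CUSTOM:-/etc/sysconfig/scripts/SuSEfirewall2-custom}
ARI_CONF=${ARI_CONF:-/etc/asterisk/ari.conf}

# Print a file without comment lines ('#' in shell, ';' in Asterisk config).
active_lines() { grep -Ev '^[[:space:]]*[#;]' "$1" || true; }

# Each check returns 0 when the unfixed setting is still present.
fw_opens_8088() {    # non-TLS port still referenced
    active_lines "$1" | grep -Eq '(^|[^0-9])8088([^0-9]|$)'
}
ipset_is_iphash() {  # whitelistnets still created as iphash
    active_lines "$1" | grep -Eq 'whitelistnets[[:space:]]+iphash'
}
ari_enabled() {      # also catches "enabled = yes", which the sed pattern misses
    active_lines "$1" |
        grep -Eiq '^[[:space:]]*enabled[[:space:]]*=[[:space:]]*(yes|true|on|1)([[:space:];]|$)'
}

# audit FIREWALL_SCRIPT ARI_CONF: prints findings, returns their count.
audit() {
    findings=0
    if [ ! -r "$1" ]; then echo "SKIP: cannot read $1"
    else
        if fw_opens_8088 "$1"; then
            echo "FINDING: $1 references 8088, expected 8089"; findings=$((findings + 1)); fi
        if ipset_is_iphash "$1"; then
            echo "FINDING: $1 creates whitelistnets as iphash"; findings=$((findings + 1)); fi
    fi
    if [ ! -r "$2" ]; then echo "SKIP: cannot read $2"
    elif ari_enabled "$2"; then
        echo "FINDING: $2 has ARI enabled"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Offline demo on constructed sample files (not real ViciBox content).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'ipset create whitelistnets iphash' \
        'iptables -A INPUT -p tcp --dport 8088 -j ACCEPT' > "$d/fw"
    printf '%s\n' '[general]' 'enabled = yes' > "$d/ari"
    rc=0; audit "$d/fw" "$d/ari" || rc=$?
    rm -rf "$d"; return "$rc"
}
# Usage: "sh audit.sh run" checks the live paths, "sh audit.sh demo" the samples.
case "${1:-}" in run) audit "$FW_CUSTOM" "$ARI_CONF" ;; demo) demo ;; esac
```

The exit status is the number of findings, so a clean host returns 0.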


------------------------------------------------------------


While not really a ViciBox bug, Asterisk v.13 has an issue where doing a 'module reload http' does not actually reload the HTTP module unless the file /etc/asterisk/http.conf has actually changed. At some point this will be fixed in upstream Asterisk v.13 but in the meantime you will need to modify your crontab entry for certbot to work around this issue. Here's how you do that :

1) crontab -e
2) Change this line : 11 0 * * 0 /usr/sbin/asterisk -rx "module reload http" >/dev/null 2>&1
to : 11 0 * * 0 touch /etc/asterisk/http.conf; /usr/sbin/asterisk -rx 'module reload http' >/dev/null 2>&1
3) ctrl-X to exit and save the file

You are basically putting 'touch /etc/asterisk/http.conf;' in front of the asterisk command. That will cause the module to actually reload and pull in the new Certbot SSL certificates. If your dialer reboots every week or every day from the crontab you can skip this step.


------------------------------------------------------------


ViciBox v.8.1.2 and under has incorrect kernel printk settings. This results in a bunch of kernel messages, mainly from iptables, being strewn across the console when you are on it. It doesn't affect SSH connections but it's quite annoying nonetheless. The issue is more of an annoyance than a bug but here is how you would fix it:

1) echo "kernel.printk = 4 4 1 7" >> /etc/sysctl.conf
2) echo "4 4 1 7" > /proc/sys/kernel/printk


------------------------------------------------------------


ViciBox v.8.1.2 and under had the Spectre mitigation patches enabled, which causes a significant performance impact on database servers. Linux kernels above 4.4.110 had the Spectre patches enabled by default if the CPU is found to be vulnerable to Spectre. While this results in very little CPU penalty, it does impose quite a significant penalty on I/O operations like disk and RAM. This results in a significant impact on the database server. The solution is to disable those mitigations by adding 'nopti nospectre_v2 nospec' to the kernel boot command line. Here's how you do that:

1) yast bootloader
2) Press ALT-K to go to the Kernel Parameters
3) Press ALT-P to go to the Optional Kernel Command Line Parameter field
4) At the end of the line, type in : nopti nospectre_v2 nospec
5) Press ALT-O or F10 to accept and save changes
6) Type 'reboot' at the command prompt to reboot and load the new kernel settings.
