SIP Proxy - RHEL7 - CAP_NET_ADMIN - Genesys CTI User Forum

Author Topic: SIP Proxy - RHEL7 - CAP_NET_ADMIN  (Read 4872 times)


Offline zwerg82

  • Newbie
  • *
  • Posts: 30
  • Karma: 2
SIP Proxy - RHEL7 - CAP_NET_ADMIN
« on: August 23, 2018, 07:13:10 AM »
Hi all,

for SIP Proxy Deployment Genesys is stating the following in their documentation:

"On Linux, the application must have CAP_NET_ADMIN capability (that is, be capable of running from the root account)."

To do so, I've done the following steps: (OS: RHEL7)

1. Create file /etc/security/capability.conf
    cap_net_admin gcti
    none          *
2. Add the following line to /etc/pam.d/login
    auth  required  pam_cap.so
3. Add capability CAP_NET_ADMIN to SIP Proxy application:
    sudo setcap cap_net_admin+ie /home/gcti/sipproxy_01/SIPProxy_64

Now I'm not sure if those steps are sufficient or whether I need to do something else.
How can I check whether SIP Proxy has the capabilities assigned and it's working as desired?

Thank you,
Best regards

Offline hsujdik

  • Hero Member
  • *****
  • Posts: 541
  • Karma: 30
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #1 on: August 23, 2018, 11:52:06 AM »
I’m not a Linux specialist, but I think it is related to SELinux. If that is the case, I think you can run ls -Z to show the assigned capabilities/permissions.

One way to test if your problem is SELinux-related is to run:

setenforce 0

To temporarily disable it

Offline zwerg82

  • Newbie
  • *
  • Posts: 30
  • Karma: 2
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #2 on: August 23, 2018, 09:05:07 PM »
Actually I haven’t experienced any issue with it yet. It’s a lab environment and HA proxies are working fine.
I was just not sure whether I took the right steps.

That’s why I was seeking guidance from somebody who configured it already.

Don’t think it’s actually related to SELinux, as from my experience so far SELinux is configured differently.

Maybe someone implemented it already and can share experiences with me.

All the best



Offline cavagnaro

  • Administrator
  • Hero Member
  • *****
  • Posts: 7641
  • Karma: 56330
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #3 on: August 24, 2018, 01:58:46 AM »
??? What is your problem exactly...can't you test the proxy?

Offline zwerg82

  • Newbie
  • *
  • Posts: 30
  • Karma: 2
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #4 on: August 24, 2018, 06:19:01 AM »
There is no problem at all. The CAP_NET_ADMIN is only used for TOS which is by default disabled, so SIP Proxy is working properly.

In case I want to enable it, the cap_net_admin has to be configured correctly.
As it is not described in the Genesys Documentation, I thought there might be a Linux expert around who can verify the steps and correct or add steps if necessary.

Offline jamesmurphyau

  • Full Member
  • ***
  • Posts: 123
  • Karma: 2
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #5 on: August 24, 2018, 08:22:00 AM »
You only need to do setcap.. what I found though was I didn't need to do any of that.. the tos settings work without even doing setcap (for sipserver tho not sipproxy, but would expect the same)

Marked as best answer by zwerg82 on August 24, 2018, 09:45:19 PM

Offline Kubig

  • Hero Member
  • *****
  • Posts: 2755
  • Karma: 44
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #6 on: August 24, 2018, 08:42:25 AM »
CAP_NET_ADMIN configuration is required only when ToS/QoS is used (by default it is not used at all). CAP_NET_ADMIN allows the specific binary (SIP/SIP proxy, MCP, RM, etc.) to set the QoS on outgoing packets. Your configuration seems good, but to be honest there are more ways to achieve that. So, the final solution depends on the end-used server configuration (on OS level).

Offline jamesmurphyau

  • Full Member
  • ***
  • Posts: 123
  • Karma: 2
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #7 on: August 24, 2018, 11:04:01 AM »
I tested this a few weeks ago. Setting sip-tos only (no need to setcap) worked for me. RHEL 6 tho.. would expect RHEL 7 to be the same

Offline Kubig

  • Hero Member
  • *****
  • Posts: 2755
  • Karma: 44
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #8 on: August 24, 2018, 11:50:45 AM »
In case your apps are running under a non-root user, CAP_NET_ADMIN is necessary to allow the app user to set ToS properly (I am not sure if you checked the ToS on packet level). Of course, if the OS is configured to enable CAP_NET_ADMIN by default, there is no need to do this step at all. This is true for both RHEL versions 6 and 7.

Offline zwerg82

  • Newbie
  • *
  • Posts: 30
  • Karma: 2
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #9 on: August 25, 2018, 04:24:25 PM »
So what you’re saying is the entire configuration is not necessary at all for RHEL 6&7? Even if I’m not using root user?
Why would they put it as requirement for tos into documentation?



Offline jamesmurphyau

  • Full Member
  • ***
  • Posts: 123
  • Karma: 2
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #10 on: August 26, 2018, 10:55:08 PM »
I'm also interested in the answer to that question.. maybe rhel 5 required it? Also how do you know it's not required by the OS? I mean based on my testing I come to the same conclusion but the way you're speaking about it is like it's documented somewhere? I did quite a lot of research trying to get it working (turns out the F5 doesn't do tos passthru) to find out I didn't even need it in the end..

Offline Kubig

  • Hero Member
  • *****
  • Posts: 2755
  • Karma: 44
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #11 on: August 27, 2018, 09:59:11 AM »
The main question is: do you need to configure ToS? If not, forget about CAP_NET_ADMIN and leave SIP (or other SIP-based component) running as-is. Otherwise, set CAP_NET_ADMIN according to the hosting OS (as the commands for setting up CAP_NET_ADMIN should be different).

Offline CTI_guy

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
Re: SIP Proxy - RHEL7 - CAP_NET_ADMIN
« Reply #12 on: February 02, 2022, 12:12:28 PM »
Changing the 'sip-ip-tos' app-level option to '184' replaced CS0 (Best Effort) with EF on all SIP requests sent through the eth0:1 interface. Checked via tcpdump traces. No other actions were needed on the OL 7.9 Linux platform.

Thanks!
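
Added example, not part of any post in this thread: one way to answer the opening question of how to check that a process holds CAP_NET_ADMIN, and to relate the 'sip-ip-tos' value 184 to its DSCP class. The /proc status text is a constructed sample and the helper names are hypothetical; the capability bit number (12) and the CapInh/CapPrm/CapEff fields are standard Linux.

```python
import socket

CAP_NET_ADMIN = 12  # bit number of CAP_NET_ADMIN in linux/capability.h

# Constructed sample of /proc/<pid>/status for a non-root process that
# holds only CAP_NET_ADMIN (mask 0x1000). Not taken from a real host.
SAMPLE_STATUS = """\
Name:\tSIPProxy_64
Uid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000001000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000001fffffffff
"""

def net_admin_sets(status_text):
    """Return {set name: bool}: which capability sets hold CAP_NET_ADMIN."""
    result = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
            mask = int(value.strip(), 16)
            result[key] = bool((mask >> CAP_NET_ADMIN) & 1)
    return result

def tos_to_dscp(tos):
    """Split a TOS byte into (DSCP, ECN); DSCP is the upper six bits."""
    return tos >> 2, tos & 0x3

def probe_ip_tos(tos):
    """Set IP_TOS on a UDP socket and return the value the kernel stored."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        return s.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)

def status_of(pid):
    """Read the live status file of a running process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return f.read()

if __name__ == "__main__":
    print("sample process:", net_admin_sets(SAMPLE_STATUS))
    print("this process:  ", net_admin_sets(status_of("self")))
    print("TOS 184 -> (DSCP, ECN):", tos_to_dscp(184))  # DSCP 46 is EF
    try:
        print("kernel stored TOS:", probe_ip_tos(184))
    except OSError as exc:  # raised if the kernel refuses the value
        print("setting IP_TOS failed:", exc)
```

Run it as the account that runs SIP Proxy and pass the proxy's PID to status_of; CapEff is the set the kernel actually checks. The socket probe only shows what the kernel accepted for this process, so the DSCP on the wire still needs a packet capture, as in the last post.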