Opensips Notes

TLS

Немного о том, как настраивать tls_mgm.

TLS domain это обозначение настроек, которое никак не связано с доменами в SIP заголовках. Оно используется для того, что дать opensips возможность определить какие сертификаты использовать для входящих\исходящих соединений. Какие сертификаты (читай: какой TLSdomain) использовать при входящем звонке, Opensips определяет по SIP domain в (SNI) записи в сертификате присылаемом от звонящего, либо по сокету на который пришел запрос на соединение(звонок).

в качестве примера настроек можно выставить
tlsdomain: my_srv_domain,
ip match: “*”,
SIP domain: “*”
certificate: cert1.pem
private ket: privkey1.pem
остальные параметры по-умолчанию.
Таким образом все входящие соединения по TLS будут обработаны этими настройками. (cert1.pem и privkey1.pem это файлы полученные на unix системе certbot приложением).

Для исходящих соединений opensips будет смотреть через какой сокет отправляется звонок. Также можно выбрать TLSdomain через переменную в скрипте ().

Opensips. MI. Json. Zabbix.

Opensips 3.2 have beautiful statistics module. For example you may get Data about average count of incoming sip messages directly from MI interface. Also you can output it on Zabbix graph.

1. Enable mi_http module, add into opensips.conf:
   loadmodule “httpd.so”
   loadmodule “mi_http.so”
   modparam(“mi_http”, “root”, “mi”)
2. Load statistics module and define statistics profiles and add update_stat_series() functions to script, check for example here.

so, now you be able to ask system for stats though MI interface, for example:

opensips-cli -x mi get_statistics all

internally opensips-cli will ask opensips through http://127.0.0.1:8888/mi with POST request with json body:

#example 1 for statistics...
{ 
  "jsonrpc":"2.0",
  "id":1,
  "method":"get_statistics",
  "params":[
             ["avg_1m:",
              "shmem:",
         metri     "usrloc:"]
          ]
}

#example 2 for ratelimit data...
{
  "jsonrpc":"2.0",
  "id":1,
  "method":"rl_list",
  "params": []
}

You will get result in Json format too.
In our case i just counting how many INVITE,REGISTER and CANCELS initial requests caming to my opensips per 1 minute.

#in opensips.conf: 
....
modparam("statistics", "stat_series_profile", "avg_1m: algorithm=accumulate")
....
route { 
      route(custom_stat);
....
}
route[custom_stat] {
                    # Ignore indialog requests
                    if (has_totag())
                        return ;

                        update_stat_series("avg_1m", "$si", 1);
                        update_stat_series("avg_1m", "$rm", 1);
                        update_stat_series("avg_1m", "$socket_in(proto)|$rm|$si", 1);
}

ZABBIX

1. Create item like HTTP agent
2. Use (example 1) inside body of POST request, Set JSON type for request and “convert to JSON”
3. Add preprocessing JSONPath and “$.body.result” see here for more greatfull examples of how to interpret json answers.
4. next step will be getting exactly params you want to monitor: create another item, but set it as “Depended” on item you have created previously.
5. Add preprocessing like this : JSON Path and “$.Pipes[?(@.id == “total_INVITE”)].counter” it will show counter value from example 4 Json answer.

{
    "Pipes": [
        {
            "id": "xxx.xxx.xxx.xxx",
            "algorithm": "TAILDROP",
            "limit": 30,
            "counter": 0
        },
        {
            "id": "total_INVITE",
            "algorithm": "TAILDROP",
            "limit": 150,
            "counter": 0
        }
    ],
    "drop_rate": 1150
}

Opensips-cli. Json. jq.

You know that opensips -x mi dlg_list will produce a lot of JSON output, what if i want to get only dialogs with state = 4 ?
There are beautiful tool like “jq” present in unix. (documentation)

For example output from command “opensips-cli -x mi profile_get_size profile=calls”:

{
    "Profile": {
        "name": "calls",
        "value": null,
        "count": 15,
        "shared": "no",
        "replicated": "no"
    }
}

if i want to get only count number, i can use that:

opensips-cli -x mi profile_get_size profile=calls | jq '.Profile.count' 

And output will be

15

It may be usefull for example when you are using zabbix monitoring. Some useful commands:

//this will output count of dialogs in state of 4 (established)
opensips-cli -x mi dlg_list | jq '.Dialogs[] | select(.state == 4) | .state' | wc -l

//this will count show dialogs have "from = anyfrom@domain.com" and in starting state
opensips-cli -x mi dlg_list | jq '.Dialogs[] | select(.from_uri == "sip:anyfrom@domain.com") | select(.state < 4) | .state' | wc -l

//if you remove "| wc -l" you will see full JSON info about dialogs you requested
//so you can take info about dialogs you want with easy way.

For regexp and tring matches (like i want to see only linphones) you may use this construction:

opensips-cli -x mi ul_dump | jq ‘.Domains[].AORs[].Contacts[] | select(.”User-agent”|test(“Linphone”))’

Register here to leave comments or asks something

Hey, colleagues, glad to say i am open registration here so you can leave comments.

Всем, привет, на открыл регистрацию здесь – можете оставлять комменты к постам.

Opensips 3.2, Homer 7

Advantages of using Opensips + Homer is possibility to see webrtc\tls traffic

There is how to set simplest configuration on opensips side and Homer side. Homer 7 instruction for Debian 10.

OPENSIPS:

socket=hep_udp:ens5:9000 
socket=hep_tcp:ens5:9000
...
loadmodule "proto_hep.so"
loadmodule "tracer.so"

modparam("proto_hep", "hep_capture_id", 5002)
modparam("proto_hep", "hep_id",  "[hid]homer_ip:9060; transport=tcp; version=3")
modparam("tracer", "trace_id", "[tid]uri=hep:hid")

####### Routing Logic ########

# main request routing logic

route{

        xlog("INCOME $rm TO: $tu [$ci]");
        trace("tid");
...

HOMER 7: CAUTION use only on vanilla debian due to it will replace pg_hba.conf (old one will ba saved)

apt install curl postgresql mc -y
curl -s https://packagecloud.io/install/repositories/qxip/sipcapture/script.deb.sh | sudo bash
apt install heplify-server homer-app -y
cp /etc/postgresql/11/main/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf.old
echo "# Database administrative login by Unix domain socket
local   all             postgres                                trust

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust

# IPv4 local connections:
host    all             all             127.0.0.1/32            trust

# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5
" > /etc/postgresql/11/main/pg_hba.conf

systemctl restart postgresql

homer-app -initialize_db
homer-app -create-table-db-config
homer-app -populate-table-db-config
homer-app -upgrade-table-db-config
homer-app -update-ui-user=admin -update-ui-password=mypassword

systemctl restart homer-app

# Set into /etc/heplify-server.toml
# HEPTCPAddr            = "0.0.0.0:9060"
# HEPTLSAddr            = "0.0.0.0:9061"
#

systemctl restart heplify-server

After this you may to connect to your external_ip:9080 port and use admin\mypassword

Permission denied interface 80, 443

If you get permission denied for interface when start opensips. Like 44 interface for TLS, solution is here (https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443)
in short words:
setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/opensips

Ansible Part II. Install opensips,opensips-cli,opensips control panel.

You can use this Ansible roles to install full Opensips + Control Panel with one command.

For some reason roles to install Opensips from ansible galaxy not working as expected.

I have modified some roles to make it works.

This will good only for Debian 10 and Centos 7. Most popular systems. 

Roles will install Mysql server with defaults, opensips-cli, opensips 3.2 and opensips control panel with opensips DB. Access to panel is login “admin” and password “opensips”.

Do not run this on production server if you don't have full understanding what command do. It may cause your system loose some important things like ssh keys.

1. Make usr/local/bin inpath to run command from it.
   export PATH=$PATH:/usr/local/sbin
   echo “export PATH=$PATH:/usr/local/sbin” > /root/.bashrc
2. Install ansible on debian 10
   apt install git python-pip
   pip install ansible
3. Generate SSH key for control node host (it should be present in authorized_hosts file on every managed nodes)
   ssh-keygen -t rsa -b 4096
4. Get repository with modified roles
   git clone https://bitbucket.org/yooxy/ansible-opensips.git
5. Put roles into /root/.ansible repository.
   mkdir /root/.ansible
   mkdir /root/.ansible/roles
   cp -r ansible-opensips/roles /root/.ansible
6. Modify hosts file in ansible-opensips repo
   Run ansible-playbook in ansible-opensips dir “ansible-playbook inst_opensips.yml -i hosts”

Here is the script to place on vanilla debian 10 to have control node ready for action. Just do step 6 after this script done.

#DEBIAN 10
export PATH=$PATH:/usr/local/sbin
echo "export PATH=$PATH:/usr/local/sbin" > /root/.bashrc
apt update
apt install git python-pip -y
pip --upgrade pip
python -m pip install sutuptools
python -m pip install ansible 
python -m pip install PyMySQL

ssh-keygen -t rsa -b 4096
git clone https://bitbucket.org/yooxy/ansible-opensips.git
mkdir /etc/ansible
mkdir /root/.ansible
mkdir /root/.ansible/roles
cp -r ansible-opensips/roles /root/.ansible
cd ansible-opensips
ansible-playbook inst_opensips.yml -i hosts

Ansible. part 1.

Example of using Ansible for checking online calls from many of servers from command line:

Ansible check online calls from few servers through ssh:
docs: https://docs.ansible.com/ansible/latest/installation_guide/intro_configuration.html

Control node :

apt update -y
apt install ansible -y

Create /etc/ansible/hosts file

all:
   hosts:
     123.123.123.123:
     123.123.123.124:
     123.123.123.125:
     123.123.123.126:

Check connecting to hosts:

ansible all -m ping

You may see error like this:
“msg”: “Failed to connect to the host via ssh:
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\n
Someone could be eavesdropping on you right now (man-in-the-middle attack)!\r\n
It is also possible that a host key has just been changed.\r\n
The fingerprint for the ECDSA key sent by the remote host is\nSHA256:sdfsdfsdfsdfsdfsdfsdfsdf.\r\n
Please contact your system administrator.\r\n
Add correct host key in /root/.ssh/known_hosts to get rid of this message.\r\n
Offending ECDSA key in /root/.ssh/known_hosts:6\r\n remove with:\r\n
ssh-keygen -f \”/root/.ssh/known_hosts\” -R \”123.123.123.123\”\r\n
ECDSA host key for 123.123.123.123 has changed and you have requested strict checking.\r\n
Host key verification failed.”,
“unreachable”: true

to fix it you may to run on control node:

ssh-keygen -f "/root/.ssh/known_hosts" -R "123.123.123.123"

To check count of calls from from hosts

ansible all -a "asterisk -rx \"core show calls\""

if everything works fine, you will see:

123.123.123.123| CHANGED | rc=0 >>
328 active calls
691163 calls processed

123.123.123.124 | CHANGED | rc=0 >>
167 active calls
346948 calls processed

123.123.123.125 | CHANGED | rc=0 >>
382 active calls
371352 calls processed

123.123.123.126 | CHANGED | rc=0 >>
356 active calls
691689 calls processed

if you want to use complex command you may use this:

ansible all -m shell -a "asterisk -rx \"core show calls\" | grep 'active' && asterisk -rx \"fax show sessions\" | grep 'FAX session' "

123.123.123.123 | CHANGED | rc=0 >>
388 active calls
117 FAX sessions

123.123.123.124 | CHANGED | rc=0 >>
188 active calls
59 FAX sessions

123.123.123.125 | CHANGED | rc=0 >>
393 active calls
123 FAX sessions

123.123.123.126 | CHANGED | rc=0 >>
381 active calls
119 FAX sessions

OPENSIPS 3.2 modules HTTPD and MI_HTTP

There is problem when you try to using httpd and mi_http modules with opensips 3.2 and centos 7.9.2009 even you have installed opensips from repository. To avoid it: remove libhttpd system, install new version, download opensips from git, compile appropriated modules.

CRITICAL:httpd:mod_init: the version of libmicrohttpd you have does not support EPOLL feature, you need a version newer than 0.9.50, but running 0.9.33

workaround for it:

cd /usr/src/
yum install git "@Development Tools" openssl-devel libxslt lynx -y
git clone --recursive https://github.com/OpenSIPS/opensips.git -b 3.2 opensips-3.2
yum remove libmicrohttpd libmicrohttpd-devel
wget https://cbs.centos.org/kojifiles/packages/libmicrohttpd/0.9.59/2.el7/x86_64/libmicrohttpd-0.9.59-2.el7.x86_64.rpm --no-check-certificate
wget https://cbs.centos.org/kojifiles/packages/libmicrohttpd/0.9.59/2.el7/x86_64/libmicrohttpd-devel-0.9.59-2.el7.x86_64.rpm --no-check-certificate
yum install  libmicrohttpd-0.9.59-2.el7.x86_64.rpm libmicrohttpd-devel-0.9.59-2.el7.x86_64.rpm -y

cd opensips-3.2
make modules=modules/httpd modules
make modules=modules/mi_http modules
make modules=modules/prometheus modules

#copy your compiled modules to opensips modules directory, then restart opensips.
cp modules/httpd/httpd.so /usr/lib64/opensips/modules
cp modules/mi_http/mi_http.so /usr/lib64/opensips/modules
cp modules/prometheus/prometheus.so /usr/lib64/opensips/modules

Talant Blogs about VOIP

Alexey Kazantsev Blog

Igor Olhovsky