File eturnal.changes of Package eturnal
-------------------------------------------------------------------
Thu Sep 28 10:12:02 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.12.0
- Added
- The new `blacklist_clients` and `blacklist_peers` options may
be used to specify blocklists for TURN clients and TURN peers
separately. The old `blacklist` option that affected both
clients and peers has been deprecated. The same applies to
the `whitelist` option, which has been deprecated in favor of
the new `whitelist_clients` and `whitelist_peers` options. By
default, the `blacklist_peers` option is set to a list of
networks
[recommended](https://rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/#further-concerns-what-else)
to be blocked. The other three lists are empty by default.
- Fixed
- Don't fail to ping the systemd watchdog under certain
conditions.
- Removed
- Drop support for container image for architecture `s390x`. If
you need it, please contact us.
-------------------------------------------------------------------
Sun Aug 6 19:02:45 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.11.1
- Fix build with SKIP_DEPS=true
-------------------------------------------------------------------
Sun Aug 6 17:44:40 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.11.0
- Added
- Allow for specifying static credentials in the eturnal.yml
configuration file. They can be used instead of (or in
addition to) a shared secret.
- Allow for overriding the build.config settings using
environment variables (of the same name, but upper-case).
- Docker: Container images can now be pulled from Dockerhub as
well. The name is docker.io/eturnal/eturnal:latest. When
pulling with Docker, docker.io may be omitted.
- Provide a homebrew Formula for macOS.
- Changed
- The environment variable ETURNAL_ETC_PREFIX has been
deprecated in favor of ETURNAL_ETC_DIR. If the former was
used with previous releases, ETURNAL_ETC_DIR should now be
set to $ETURNAL_ETC_PREFIX/etc.
- mod_stats_prometheus: Fine tune bucket sizes for TURN
sessions, e.g., drop the 1 KiB bucket, as the 4 KiB bucket
size should be sufficient to identify "inactive" sessions.
Also, slightly alter the other bucket sizes.
- Fixed
- Fix a small memory leak (about 200 bytes per TURN session).
-------------------------------------------------------------------
Tue Aug 2 21:30:32 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.10.1
- Added
- Improve TCP/TLS performance if no traffic shaper is
configured using the max_bps option.
- mod_stats_prometheus: Add a counter for STUN/TURN protocol
errors, bucketed by transport and error condition.
- build.config: Add code_loading option to specify whether code
is loaded statically during eturnal startup or dynamically on
demand. The latter may be desirable for (distribution) builds
that use separately packaged Erlang dependencies, as it
avoids hard-coding dependency versions at build time.
- Docker: Include STUN lookup at container start for an IPv6
address as well.
- Docker: Allow defining a different external STUN service for
IP address lookups by adding the container-image-specific
environment variable STUN_SERVICE, defaulting to:
STUN_SERVICE="stun.conversations.im 3478". This same variable
may also be used to disable the STUN lookup by defining
STUN_SERVICE=false.
- Changed
- build.config: Rename the eturnal_bin_prefix option to
eturnal_prefix.
- Removed
- build.config: Remove the eturnal_etc_prefix option.
- Fixed
- Fix dynamic loading of mod_stats_prometheus dependencies (for
distribution builds).
- Docker: Keep list of installed packages, so that image
scanners like Trivy can check the image for vulnerabilities.
- Drop make-it-build.patch: better fix in upstream release
-------------------------------------------------------------------
Sun Jul 31 08:18:33 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.10.0
- Added
- Include mod_stats_prometheus, a module for exporting metrics
to Prometheus.
- Include an example configuration for logrotate.
- Include an example OpenRC init (and configuration) file.
- Changed
- If an EPMD process was spawned during eturnal startup, stop
it on shutdown, unless it's used by other Erlang nodes.
- Fixed
- Avoid permission issues in the case where eturnalctl was
invoked by root from a directory the user running eturnal
isn't permitted to change into.
- Make sure eturnalctl daemon won't hang on the very first
startup when using Erlang/OTP 23 or newer.
- Added make-it-build.patch: make it build with distro rebar
-------------------------------------------------------------------
Wed Jul 20 14:58:49 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.9.1
- Added
- Allow for adding the special keywords default or recommended
to the blacklist. The former expands to the addresses blocked
by default, the latter includes the former and additionally
expands to a number of networks recommended to be blocked.
- Fall back to reading the relay port range boundaries from
environment variables when relay_min_port and/or
relay_max_port aren't specified.
- Fall back to reading the relay IP addresses from environment
variables when relay_ipv4_address and/or relay_ipv6_address
aren't specified (#24).
- Changed
- If an EPMD process is spawned during eturnal startup, let it
listen on localhost only (#9). (Note that our Linux packages
and container images are configured to not start an EPMD
process.)
- Omit the code location from log messages, except when debug
logging is enabled.
- Apply other minor logging improvements.
- Fixed
- Avoid crashes in the case where no secret is configured in
the eturnal.yml file (#21).
- Don't log misleading complaints about proxy_protocol option.
- Gracefully handle errors while receiving UDP data (#23).
- Restart listeners on failure.
- Reduce log level for network issues that may occur during
normal operation.
-------------------------------------------------------------------
Thu May 12 21:09:24 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.8.3
- Specifying an IP address for listen entries is no longer
mandatory. The default value is now "::".
- Make sure eturnal's log_dir is used for the additional log
files created by eturnalctl daemon.
- Keep TURN session IDs unique across eturnal restarts.
-------------------------------------------------------------------
Wed Mar 2 17:35:31 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.8.2
- Changed
- Use a (pseudo)random secret by default.
- Improve autodetection of relay IP addresses used by default
if the relay_ipv4_addr and/or relay_ipv6_addr options aren't
specified.
- Fixed
- Don't crash without explicit listen configuration. This bug
was introduced with version 1.7.0.
- Don't crash if the configuration file is empty (i.e., has no
eturnal section).
- Don't crash if TURN is enabled without a public IPv6 relay
address being available.
-------------------------------------------------------------------
Mon Jan 10 18:03:52 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.8.1
- Fixed
- Don't fail to handle the $user argument of the eturnalctl
sessions and eturnalctl disconnect calls
-------------------------------------------------------------------
Mon Jan 10 13:27:42 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.8.0
- Added
- Allow for configuring TLS connection properties using the new
tls_options, tls_ciphers, and tls_dh_file options (#6).
- Allow for specifying a whitelist of IP addresses/subnets
which will be accepted even if they would otherwise be
rejected due to being matched by a blacklist (#12).
- Don't close active TURN sessions when ephemeral credentials
expire, by default. The new strict_expiry option allows for
enabling the previous behavior.
- Add eturnalctl disconnect $user command for closing any TURN
session(s) of the specified $user name.
- Let the eturnalctl disconnect accept an optional $user
argument to list only the TURN session(s) of the specified
$user name.
- Support running eturnal without the Erlang Port Mapper Daemon
(EPMD) by specifying the environment variable ERL_DIST_PORT
(requires at least Erlang/OTP 23.1 and Rebar3 3.18.0).
- Changed
- Binary release: Run eturnal without EPMD (as described above).
- Fixed
- Don't log bogus error messages if no eturnal modules are
enabled when using Erlang/OTP version 21.0, 21.1, or 21.2.
- Binary release: Don't let Erlang/OTP link against
libnsl.so.1, which is no longer shipped by default on
RedHat-based distributions, and isn't actually needed (#19).
-------------------------------------------------------------------
Thu Jan 6 19:47:51 UTC 2022 - Marcus Rueckert <mrueckert@suse.de>
- added wrapper %{_sbindir}/eturnalctl:
This makes it easier to call eturnalctl with the proper working
directory and user.
-------------------------------------------------------------------
Thu Dec 16 19:19:42 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.7.0
- Added
- Introduce the listen option proxy_protocol for enabling
HAproxy protocol (version 1 and 2) support (#18).
- Changed
- Binary release: Update Erlang/OTP from 24.1.7 to 24.2.
- Binary release: Update OpenSSL from 1.1.1l to 1.1.1m.
- Binary release: Link asn1 and crypto NIFs statically into
BEAM.
- Binary release: Reduce size by a few MiB by omitting a test
suite file.
- Binary release: Don't forget to strip ERTS binaries.
- Fixed
- Don't crash when multiple secrets are configured on
Erlang/OTP 23 or later.
-------------------------------------------------------------------
Sat Dec 4 18:38:34 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.6.0
- Added
- Add eturnalctl credentials and eturnalctl password commands
for generating ephemeral TURN credentials.
- Support the listen option transport: auto for accepting
unencrypted TCP and TLS connections on the same port (thanks
to Annika Hannig). Requires Erlang/OTP 23 or later.
-------------------------------------------------------------------
Wed Nov 3 14:26:33 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- Update to 1.5.0
- Added
- Allow for specifying a list of shared secrets in order to
facilitate key rollover (#16).
- Improve UDP receive performance.
- Reduce risk of UDP packet loss.
- Fixed
- Handle the case where a tls_crt_file but no tls_key_file is
specified (by assuming the tls_crt_file includes both the
certificate and the key).
- Don't forget to check for new PEM files on reload if the
configuration wasn't modified (#17).
- skip packaging the ebin directory; all those files are covered in
the library dir anyway
-------------------------------------------------------------------
Mon Oct 11 19:53:16 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- update to 1.4.6
- Changed
- Don't abort (but log an appropriate warning) if TURN is
enabled without a shared secret.
- Drop the runtime dependency on the openssl command for
generating self-signed certificates.
- Binary release: Update Erlang/OTP from 23.2 to 24.1.2.
- Binary release: Update OpenSSL from 1.1.1i to 1.1.1l.
- Removed
- Drop the mod_example module.
-------------------------------------------------------------------
Mon Feb 1 16:19:38 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- make sure eturnal restarts when epmd is restarted
-------------------------------------------------------------------
Thu Jan 28 20:49:02 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- update to 1.4.5
- Changed
- Don't include timestamp when logging to the systemd journal.
- Fixed
- Let eturnalctl sessions cope with non-latin characters in
user names.
- Binary release: Let eturnalctl remote_console actually
connect to the running eturnal instance.
-------------------------------------------------------------------
Mon Jan 25 20:14:35 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- we no longer need the perl patching
-------------------------------------------------------------------
Mon Jan 25 14:09:22 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- create homedir
-------------------------------------------------------------------
Mon Jan 25 13:22:59 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- switch to rebar3 for all distros
-------------------------------------------------------------------
Sun Jan 24 21:17:11 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- build with rebar3 on TW
-------------------------------------------------------------------
Sun Jan 24 17:03:31 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- replace the rebar3 part of noinflux.patch with HEAD.patch (this
patch can be removed in the next release).
noinflux.patch is only needed when building with rebar2.
-------------------------------------------------------------------
Sun Jan 24 03:15:09 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- prepare building with rebar3
While this builds the package successfully, the resulting package
will fail to load system libraries. To be investigated with
upstream at a later point.
- add patch use_distro_path.patch:
adapt config for rebar3 build to use our user and paths.
-------------------------------------------------------------------
Sat Jan 23 13:02:12 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- update to 1.4.4
- Changed
- Reject Teredo and 6to4 peers unconditionally.
- Reject 0.0.0.0/8 and ::/128 peers unconditionally.
- Fixed
- Never request certificates from TLS clients.
- refreshed noinflux.patch
-------------------------------------------------------------------
Mon Jan 11 11:18:43 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
- initial package