Installing Asterisk In A FreeBSD Jail


There are two parts to this: first install the zaptel driver and make it available to the jail, then install Asterisk in the jail.

Installing The ZapTel Driver


The zaptel drivers are used for the "meetme" function (i.e. conference rooms), as well as zaptel hardware. If you have no zaptel hardware and want to use the meetme function, you will need to install these drivers and load "zaptel.ko" and "ztdummy.ko" to make it work. If you don't want to use meetme, you can actually skip this section (and in fact, just install Asterisk in the jail and you're set). If you have zaptel hardware, I don't really cover installing it here. However, the biggest difference is that you need to set up that hardware in the zaptel.conf file. Other than that, building the driver and installing is the same.

The ZapTel driver in the ports is ancient as of this writing, so follow the directions on the FreeBSD zaptel page to grab the latest from the subversion repository. Build the version in "trunk". After installing, you will have three files that need to be in the jail. The following should get you where you need to be:


# cd ztcfg
# /usr/bin/install -o root -g wheel -m 644 libtonezone.a /usr/jails/asterisk/usr/local/lib/
# /usr/bin/install -o root -g wheel -m 644 tonezone.h /usr/jails/asterisk/usr/local/include/
# /usr/bin/install -o root -g wheel -m 644 ../zaptel/zaptel.h /usr/jails/asterisk/usr/local/include/


Those files will be needed for building Asterisk.

After doing a make and "make install" for the zaptel drivers, and performing the above commands, you can load the drivers. In the port version, there is a start/stop script for zaptel to load them. You can grab that from the port, but it's missing ztdummy.ko, which is what we're mainly after. You will need to edit the file to add ztdummy.ko (and optionally comment out/remove the unneeded hardware drivers if you have no hardware) if you wish to use it. Otherwise, make sure you have some way to load the drivers at system startup.

Create a /usr/local/etc/zaptel.conf file. It can be really simple if you have no hardware, like this:


loadzone = us
defaultzone=us


Now you need to load the modules:


# kldload zaptel.ko
# kldload ztdummy.ko


If ztdummy.ko complains about the ticker rate when it loads, you will need to set the HZ parameter in your kernel configuration file as the message indicates, and then rebuild the kernel.

Everybody says to run "ztcfg" here, but I don't know if that's necessary. Doesn't seem to hurt, though.

Now, you need to let your jail "see" the zaptel devices. You have to do that with a devfs rule. I am continuing to assume that you're running ezjail. If not, you will have to set the devfs rule in your /etc/rc.conf file.

For this part, you need to create/edit /etc/devfs.rules and add a ruleset with the zap/ directory unhidden. Look at /etc/defaults/devfs.rules to find the highest ruleset number already in use. In my case (FreeBSD 6.1) it's 4. I then create /etc/devfs.rules as follows:


# Zap devices (for asterisk)
#
[devfsrules_unhide_zap=5]
add path zap unhide
add path 'zap/*' unhide
add path zap user asterisk
add path zap group asterisk
add path 'zap/*' user asterisk
add path 'zap/*' group asterisk

# Devices for an asterisk jail
#
[devfsrules_asterisk_jail=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zap


I then edit /usr/local/etc/ezjail/asterisk and change my devfs ruleset to be devfsrules_asterisk_jail:


export jail_asterisk_devfs_ruleset="devfsrules_asterisk_jail"


Finally, restart the asterisk jail and look in /dev in the jail. You should see a zap directory, and under it there should be some device files. If not, you need to debug that before going on.
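
To confirm that the jail ruleset exposes only the devices you intend, this added example (not part of the original page) expands a ruleset's "add include" lines and reports every unhidden path that is missing from an allowlist. The input is a constructed, abbreviated stand-in for /etc/defaults/devfs.rules plus the two rulesets above, and the function names are illustrative.

```shell
#!/bin/sh
# Added example. Constructed sample: abbreviated defaults plus this page's rulesets.
sample_rules() {
cat <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
add path zero unhide
[devfsrules_unhide_login=3]
add path 'ttyp*' unhide
[devfsrules_unhide_zap=5]
add path zap unhide
add path 'zap/*' unhide
add path 'zap/*' user asterisk
[devfsrules_asterisk_jail=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zap
EOF
}
# resolve_ruleset NAME: rules on stdin; print NAME's rules with includes expanded.
resolve_ruleset() {
    awk -v want="$1" '
        function expand(name, depth,    i) {
            if (depth > 16 || !(name in count)) { print "ERROR " name; return }
            for (i = 1; i <= count[name]; i++) {
                if (kind[name, i] == "include") { expand(substr(arg[name, i], 2), depth + 1) }
                else { print line[name, i] }
            }
        }
        /^\[[A-Za-z0-9_]+=[0-9]+\]/ { cur = substr($0, 2, index($0, "=") - 2); next }
        cur != "" && $1 == "add" { n = ++count[cur]; kind[cur, n] = $2; arg[cur, n] = $3; line[cur, n] = $0 }
        END { expand(want, 0) }'
}
# unexpected_unhides NAME ALLOWED...: print unhidden paths outside the allowlist,
# and flag a ruleset whose first effective rule is not "add hide".
unexpected_unhides() {
    name=$1; shift
    resolve_ruleset "$name" | awk -v allowed=" $* " '
        NR == 1 && $0 != "add hide" { print "NOT-HIDDEN-BY-DEFAULT" }
        /^ERROR/ { print }
        $2 == "path" && $4 == "unhide" {
            p = $3; gsub("\047", "", p)      # strip the quotes around globs
            if (index(allowed, " " p " ") == 0) print p
        }'
}
# Demo: zap is deliberately left off the allowlist here, so both zap paths are reported.
sample_rules | unexpected_unhides devfsrules_asterisk_jail null zero 'ttyp*'
```

On a real host, pipe in both rule files instead of the sample: cat /etc/defaults/devfs.rules /etc/devfs.rules | unexpected_unhides devfsrules_asterisk_jail followed by your allowlist.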


Building And Installing Asterisk


After all of that, it's time to build Asterisk. You need to get into the jail and build it from the port. The hardest part here is to make sure to use "-D WITH_ZAPTEL" if you're using the zaptel driver.

After installing it, everything is in /usr/local/etc/asterisk, and there should be no real difference between running it here in the jail and running it outside a jail as long as you have the zaptel configuration correct.

Running Asterisk As Non-Root


I don't know if Asterisk has a way to "drop privs" (I can't find it), so I just run Asterisk as user "asterisk". To do that, create the user and group "asterisk". Next, copy asterisk.conf-dist to asterisk.conf in your /usr/local/etc/asterisk directory, and modify the "astrundir" to be "/var/run/asterisk". Now, you need to set the ownership of certain files and directories:


# chown -R asterisk:asterisk /var/log/asterisk
# chown -R asterisk:asterisk /var/spool/asterisk
# mkdir /var/run/asterisk
# chown -R asterisk:asterisk /var/run/asterisk
# touch /usr/local/share/asterisk/astdb
# chown asterisk:asterisk /usr/local/share/asterisk/astdb


If asterisk also needs to write anywhere else that you know of, then you should also change ownership there. For instance, I have a part of my system which allows me to record phrases over my phone using a password-protected menu. I also have opened that directory.

After this, you should modify your /etc/rc.conf to run Asterisk as the new user/group:


asterisk_enable="YES"
asterisk_user="asterisk"
asterisk_group="asterisk"
asterisk_pidfile="/var/run/asterisk/asterisk.pid"


When you start asterisk now, it should be running as user/group asterisk.
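
A quick way to verify the result of the chown steps above, as an added example that is not part of the original page: it checks that each path exists, is owned by the given numeric uid, and is not world-writable. The function names are illustrative, and the script assumes it is run inside the jail as "sh audit.sh / $(id -u asterisk)" (the file name is hypothetical).

```shell
#!/bin/sh
# Added example: audit the paths this page hands over to the asterisk user.

# Paths from the chown steps above, relative to the root being audited.
ASTERISK_PATHS="var/log/asterisk var/spool/asterisk var/run/asterisk usr/local/share/asterisk/astdb"

# check_path PATH UID: print a finding and return 1 if PATH is missing,
# not owned by the numeric UID, or writable by "other".
check_path() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    # ls -ldn prints "mode links uid gid ..."; keep the mode string and numeric owner.
    set -- "$1" "$2" $(ls -ldn -- "$1" | awk '{ print $1, $3 }')
    [ "$4" = "$2" ] || { echo "OWNER $1 uid=$4 want=$2"; return 1; }
    case $3 in
        ????????w*) echo "WORLD-WRITABLE $1 $3"; return 1 ;;
    esac
    return 0
}

# audit_tree ROOT UID: check every listed path under ROOT; return 1 on any finding.
audit_tree() {
    rc=0
    for rel in $ASTERISK_PATHS; do
        check_path "${1%/}/$rel" "$2" || rc=1
    done
    return $rc
}

# Run the audit only when called with both arguments (ROOT and UID).
if [ $# -eq 2 ]; then audit_tree "$1" "$2"; fi
```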

Now, you can also change the permissions on the asterisk.ctl file by modifying the asterisk.conf file:


[files]
astctlpermissions = 0660
astctlowner = asterisk
astctlgroup = asterisk
astctl = asterisk.ctl


Now, add a regular user account to your asterisk group, and that user will be able to run the asterisk console.

My final action is to renice Asterisk to give it priority. It takes precious little CPU time, but it needs to have the CPU available when it wants it. Normally, you would add the "nice" parameter in /etc/rc.conf, but processes inside jails cannot renice themselves to a higher priority (lower nice value). So you have to perform this action from outside the jail.


renice -n -5 -p pid


Use "ps auxwww | grep asterisk" to find the pid for your Asterisk process(es). I've found that "-5" seems to be a reasonable value, but you might want to make it even lower if there are other processes running at advanced priority. Put another way, I would make sure that Asterisk is the highest priority process on the system.

Created by: mdchaney, Last modification: Thu 14 of Feb, 2008 (17:31 UTC)