[SOLVED] Why does Apply Config take forever with no internet access?

Awesome, we love your input and your help tm1000…

To clarify (about us), most every system we have is running: hardware, IBM 3550 M4 or M3 server (one of the company standards), Digium 4 port PRI cards, most recently Adtran 924 for SIP trunking/PRI and analog lines. Analog for EKG machines, faxing, elevators, intrusion and fire alarms.

We have been mainly installing Asterisk, FreePBX, PIAF, AASTRA phone model 57i (currently 6739i, soon to change again) distribution for 7 plus years now. Most servers are running 1.8 Asterisk today with no problems. But this Ver 13 is not so good just yet for us until we can get some things resolved. This 25 sec issue being one of them.

We are currently working with Asterisk (Ver. 13.2.0). We have thousands of phones over a very large geographic area, all on standalone Asterisk servers/systems. It’s our belief and finding that it’s not good to have too many eggs in the “ONE” basket.

Hope this is what you are looking to know.

What we are seeing is the “25” seconds after the “APPLY”. I just said 30 seconds because others had said it before also, and it is closer to 25 seconds.

But it is a 2.5 minute delay after a reboot for the first “APPLY” button pressed, every time, as we mentioned previously. Then after that first 2.5 minutes, it’s only 25 seconds as you have shown with the three servers out on the NET. This 25 sec is much better, but still not acceptable. (Sorry… if that offends someone or you, that is not our intent)

Anything you can offer or help with getting it back to 1 to 2 seconds would be appreciated.

This system that’s in the LAB right now has NO trunks, only 3 Aastra 6739i phones and one DIAX soft phone hanging off it. No internet, except when needed to get it stood up and running.

We are not even close to putting Asterisk 13 into production as of yet. We have a lot of custom work that still needs to happen before this can be done. We need to get it up to speed like our standard production Asterisk 1.8s have today first. Can’t step back now, can we?

But WE ARE so hopeful. It’s already come a long way from the start. We are 3 weeks into this as it is. We feel this would be great for the industry and for Healthcare in our neck of the woods.

Again thank you sooooo much for your help and in responding. It’s nice to find others that do care and wish to help.

/corkuck

That is 100% not true. I say this because we went through testing with Digium on this a month ago. Asterisk itself would take longer than 2 seconds by itself to do its reloading for 10 extensions.

Then any hacker could/would do the same. So what is the point of module verification at that point? We’ve talked about this extensively here and other places. GPG/Module verification is not the central part of why this is taking so long. I know you want it to be that way. But it’s not. We spent extensive time on this last month.

FreePBX version 13 is quicker to reload than FreePBX version 12. Not sure which version you are talking about here.

You will not get much better than 25 seconds depending on your installation. I don’t know how many extensions you have per machine as you didn’t answer that.

That is unfortunate to hear. In FreePBX 13 we did extensive speedups and Asterisk/Digium did extensive speedups in Asterisk 13 itself around the same time. I suspect by the time FreePBX 13 is released the Asterisk 13 changes will also be pushed and the reload time will be very quick. It is unfortunate that you are stuck on Asterisk 1.8 but there is nothing I can do there to help you.

I just did an apply config on my 12 extension system using 2.11 and it took 2 seconds.

If you’re not connected to the internet, there’s no such thing as hackers.

For a system on the internet, a real hacker could probably get into the system and disable the module verification routines manually. Giving us the option to turn it off won’t change that.

Sorry… we tried to give the details and missed a few.

First of all, thank you. You have the answers that we appreciate hearing, regardless of whether we like them or not. You are a contact that can help us. Without this we have no direction, which is definitely needed. With this information we can choose our direction based on your knowledge and our findings.

It’s so nice to see and hear the detail work that’s going on behind the scenes that we aren’t aware of. This is information only you can provide to us.

Here are the missing details (we hope) you, “tm1000”, mentioned:

Running FreePBX 12.0.65 (Glad to hear FreePBX 13 will be better, Ya…)

50 plus medical facilities/sites/systems. None running Asterisk 13 as of yet. Only labbing up an Asterisk 13 for possible deployment someday.

Extensions Count per machine? On Asterisk 13? None as of yet. We only have three phones on this Lab system running Asterisk 13 and FreePBX 12.0.65 today.

Extensions Count per machine across the enterprise? On Asterisk 1.8 we have thousands of phones out there, and growing all the time. Many having about 200~400 phones running on Asterisk 1.8 or older today. The “APPLY” on these systems is only a few seconds. It feels like, 3 seconds at most.

We don’t see Asterisk 1.8 as bad at all. Don’t worry about us being stuck at Asterisk 1.8. In fact we haven’t seen anything as of yet in Asterisk 13 that is a must have to provide better patient care.

We are also blinded, because we are just getting started and a lot can change once we are in the weeds with Asterisk 13. We are so excited to move forward. It just has to be the right fit first. WebRTC is looking intriguing.

Again thank you for your help getting us into THE KNOW of “Asterisk 13 changes” and “FreePBX 13”. Also that we should soon see a difference, as you have said “the reload time will be very quick”. That is what we will be waiting for as we progress.

As you can read, hear and know, we have no internet (at all) to our Asterisk Servers. So a hacking event is not likely. Meaning GPG talk doesn’t apply to us so much. It could happen within our own network, but not likely.

Thank you once more for your knowledge and willingness to share. It’s nice to talk to someone that knows and is willing to share.

/corkuck

Great. Now go add queues and time conditions and other various things. I see what you are getting at here. I do not have a solution in the short term for your timeout issues related to GPG. Turning it off is not an option at this juncture.

Sorry you aren’t understanding how the system works. Giving you the option to turn it off gives a hacker the same ability; if it’s turned off then how would you know what has been tampered with or added? I realize that is a “want” at different levels and we have something coming that will let you turn it off permanently from the “root” user side of things. I am not planning on working on this any time soon though, but we have it on the roadmap.

Unfortunately Asterisk 1.8 is not supported by FreePBX 13. So you will have to remain on FreePBX 12.

I think this has all been pretty much discussed everywhere else, and I’m getting pretty good at explaining this, so let’s see how I go.

1: Module Signing is to detect unauthorized tampering of files.
2: If you turn it off, it is turned back on when you update.
2a: This is because if someone has hacked framework or core to remove the email alerts, you are only unaware of it until you update.
3: This is to protect against an apache-level vulnerability. Something like someone installing phpMyAdmin or other notoriously awful and insecure code, so that the hacker has APACHE level access to your machine.
4: If someone has root on your machine, it’s already over, there’s nothing anyone can do. Give up, and start again.

If you want to tamper with your files, then you’re a developer, and you should be set up like one. One of the things that makes your life easier when you’re a developer (along with dev-links, and the packaging tools) is a signed key, so you can be cryptographically certain that no-one has messed with your stuff.

If you want to tamper with your files and you DON’T want to be a developer, then we need to write a whole new ‘root-supplied-keys’ check which will happen at some point.

I have lots of time conditions, two queues, conferences, and a bunch of other stuff. 2 seconds.

You’re not understanding what I’m saying.

A hacker can already turn it off by reprogramming the system from the command line.

If I turn it off, it is because I don’t want to be notified if a hacker has done so. I might do that because my system is so secure that it cannot be hacked, i.e. it’s not connected to the internet. I might have other security measures in place that satisfy me. Or, I just don’t want to wait forever for apply changes to work.

No they cannot. There is no command line operation to turn that off (exception: there is ONE, but it will reset when a new module is installed AND requires ROOT access). And if this were a true statement (yours), then why are we even discussing this here, as you assume a hacker and yourself can already turn it off? And if that were true then there would be no checking, as you turned it off.

Furthermore for the hacker to do anything at the command line they have to already have shell access/root eg whatever you want to call it. This system stops that BEFORE they get there. It will send you an email alerting you to the fact that they are modifying files. If they are already root they can blow away your system regardless.

Exactly!

So, unless you can get the apply config time down, just let us turn it off.

I really don’t think you understand. I am disagreeing with you. Not agreeing with you. Letting you turn it off is bad for all of the reasons I have already listed.

There is already a feature where you can turn it off. Go to advanced settings and disable signature checking. It’s been there for a long time. It does get re-enabled when you download or install a new module, obviously because we wouldn’t want a hacker to come through, disable the check and modify and upload modules. Therefore it resets when something new is put on the system. This is nothing new.

Solution: framework v12.0.67

Turned off online signature checking during reload. Modules are still checked during reload for tampering or being unsigned. Moved it to the nightly cron check, which will then “refreshKeys” (also “amportal a ma listonline”).
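The numbered points above (module signing exists to detect unauthorized file changes at the web-user level) and this fix (the per-file check stays local during reload; only the key refresh touches the network, and that moves to cron) can be shown together in one added example. This is illustrative code, not FreePBX’s PHP: it assumes each module ships a manifest of SHA-256 file hashes, uses an HMAC as a stand-in for the GPG detached signature so it runs offline, and the module files, key and tamper cases are all constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. With real GPG module signing the verifier would hold a
# public key from a keyring that the nightly cron refreshes; only that refresh
# needs the network, the per-file check below does not.
VERIFICATION_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map every file path in a module to the SHA-256 hash of its content."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """Authenticate the manifest. HMAC-SHA256 stands in for a GPG detached
    signature; the point is that the hash list itself cannot be edited
    without the signature failing."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_module(files: Dict[str, bytes], manifest: Optional[Dict[str, str]],
                  signature: Optional[str], key: bytes) -> Tuple[str, List[str]]:
    """Offline check of one module. Returns (status, problem_files) where
    status is 'signed', 'unsigned', 'badsig' or 'tampered'."""
    if manifest is None or signature is None:
        return "unsigned", []
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return "badsig", []          # manifest edited, or signed with another key
    problems = []
    for path, digest in manifest.items():
        content = files.get(path)
        if content is None or sha256_hex(content) != digest:
            problems.append(path)    # file modified or removed
    for path in files:
        if path not in manifest:
            problems.append(path)    # file added that the signer never saw
    return ("tampered", sorted(problems)) if problems else ("signed", [])


# Constructed sample module: two files as a signed release would ship them.
GOOD_FILES = {
    "demo_module/module.xml": b"<module><rawname>demo_module</rawname></module>\n",
    "demo_module/functions.inc.php": b"<?php\nfunction demo_module_get_config($engine) {}\n",
}
GOOD_MANIFEST = build_manifest(GOOD_FILES)
GOOD_SIGNATURE = sign_manifest(GOOD_MANIFEST, VERIFICATION_KEY)


def scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Run the check against the untouched module and constructed cases a
    web-level compromise could produce (edit, add, rewrite the manifest)."""
    edited = dict(GOOD_FILES)
    edited["demo_module/functions.inc.php"] += b"// unauthorized edit\n"
    with_extra = dict(GOOD_FILES)
    with_extra["demo_module/extra.php"] = b"<?php // file not in the signed release\n"
    # Rewriting the manifest hash to match the edited file does not help:
    # the attacker cannot produce a valid signature for the new manifest.
    forged_manifest = build_manifest(edited)
    return {
        "clean": verify_module(GOOD_FILES, GOOD_MANIFEST, GOOD_SIGNATURE, VERIFICATION_KEY),
        "edited_file": verify_module(edited, GOOD_MANIFEST, GOOD_SIGNATURE, VERIFICATION_KEY),
        "added_file": verify_module(with_extra, GOOD_MANIFEST, GOOD_SIGNATURE, VERIFICATION_KEY),
        "forged_manifest": verify_module(edited, forged_manifest, GOOD_SIGNATURE, VERIFICATION_KEY),
        "no_manifest": verify_module(GOOD_FILES, None, None, VERIFICATION_KEY),
    }


if __name__ == "__main__":
    for name, (status, problems) in scenarios().items():
        print(f"{name:16} {status:9} {problems}")
```

Everything in `verify_module` is hashing and a signature comparison over local files, which is why it can stay in the reload path, while fetching or refreshing keys is the only step that needs a network round trip and can safely run from cron.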

You say that you’re disagreeing with me, but then you agreed with me:

"No they can not. There is no command line operation to turn that off. (Exception there is ONE but it will reset when a new module is installed AND requires ROOT access) "

In other words, no, but yes. The “yes” is what matters.

I actually tried disabling signature checking, but it had no effect on how long it took to do the apply config.

I understand that, even if I disable it, you re-enable it when I download or install a new module, and you basically do so without telling anyone you’ve changed it. I feel that you should allow me to disable that as well.

Until recently, it seemed that FreePBX followed the model of allowing the user as much flexibility as possible in setting up his system. It seems that this is changing more to the “we know better than you model.”

Since it’s your product, you can obviously do whatever you want with it. But, you’re going to get pushback when you take that position because there are going to be circumstances where people’s desires conflict with what you believe that they need.

This is one such example. You feel that you have to protect us from ourselves, or the hackers will get us. Some of us don’t agree.


The “yes” can only be achieved with root access. Something a FreePBX vulnerability would not allow. If they come through the website then they would only be an asterisk user. Thus they would not be able to turn off signature checking at the root level since root access is needed.

If I allow you to disable it through the website then a vulnerability could do the same through a website. The only feasible way to allow it to be disabled is with a root owned file. Thus you place the file as root. We check to make sure it’s owned and only writable by root. If that is the case then signature checking is disabled.

Notifications and emails hardly sound like stopping “flexibility”, and by “flexibility” you mean editing PHP files that you would have never edited in the past anyways. You can still edit these files. You just get a warning. Which you can then close. Knowing full well what you have done.

We have gotten push back from less than 5 people; I could list them on my hands (you and another active forum member are included in that). Of the millions of systems we have out there it’s hard to justify push back from 5 people. Furthermore the pushback has only been in two threads here. Perhaps looking in certain forums online one would think the pushback is greater but I will tell you this:

  • No one has opened a bug ticket about it (yes you did for the online checking but I mean signature checking)
  • No one has sent any of us an email about it (Rob, Myself, higher ups, executive levels)
  • No one has directly contacted any of us with thoughts about the system.
  • There was ONE forum post made about the system from a certain user and we are taking that into consideration and working on it behind the scenes.
  • Much of the online talk about the system wasn’t even about the system but about the legal paperwork behind the system. @xrobau and I aren’t here to discuss the legal paperwork. That is not what we know. So let’s skip that and work on the technical part.

Making general slights online through various mediums doesn’t really let us know what’s going on in people’s minds or what they want. The system itself was designed to protect against web vulnerabilities. There is/was no higher motive. We are NOT trying to block your ability to modify FreePBX. You can of course fork the code and remove the checks yourself. You can also submit patches or raise discussion. You have not raised discussions about signature checking itself until this very moment. Before that it was about online checking time. If you have valid concerns about signature checking then I suggest:

  • start a new thread
  • Email me
  • Open a ticket.

I have put out a request for comments from the community a few times on twitter and I received zero response. I have also asked in the forums a few times and have received one single response from one person.

I have already done what you have asked. Unfortunately it appears that my solution was not enough.
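The root-owned-file opt-out described above (the file must be placed by root, and is honoured only if it is owned by root and writable by nobody else, so a web-level compromise running as the asterisk/apache user cannot create it) can be written as a small check. This is an added example, not FreePBX code: the flag path is hypothetical, the metadata values in the demo are constructed, and the check is written in Python rather than the project’s PHP.

```python
import os
import stat
from typing import Tuple

# Hypothetical flag-file location; the real mechanism may use a different path.
OVERRIDE_PATH = "/etc/freepbx/disable-signature-check"

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def evaluate_override(st_uid: int, st_mode: int) -> Tuple[bool, str]:
    """Decide from lstat() metadata whether the flag file counts as a
    root-controlled opt-out. Returns (accepted, reason)."""
    if stat.S_ISLNK(st_mode):
        # A symlink can be planted by the web user and pointed at any existing
        # root-owned file, so the link itself must never be accepted.
        return False, "symlink, not a regular file"
    if not stat.S_ISREG(st_mode):
        return False, "not a regular file"
    if st_uid != 0:
        return False, f"owned by uid {st_uid}, not root"
    if st_mode & GROUP_OR_WORLD_WRITABLE:
        return False, "group- or world-writable, so the web user could edit it"
    return True, "root-owned regular file, writable only by root"


def signature_checking_disabled(path: str = OVERRIDE_PATH) -> bool:
    """A missing file, or one that fails evaluate_override(), leaves checks on."""
    try:
        st = os.lstat(path)        # lstat so a symlink is seen as a symlink
    except OSError:
        return False
    accepted, _reason = evaluate_override(st.st_uid, st.st_mode)
    return accepted


if __name__ == "__main__":
    print("signature checking disabled:", signature_checking_disabled())
    # Constructed metadata: root 0644, a non-root uid such as the web server's,
    # root but world-writable, and a symlink.
    for uid, mode in [(0, stat.S_IFREG | 0o644), (48, stat.S_IFREG | 0o644),
                      (0, stat.S_IFREG | 0o666), (0, stat.S_IFLNK | 0o777)]:
        print(f"uid={uid} mode={oct(mode)} -> {evaluate_override(uid, mode)}")
```

The fail-closed default matters: any error reading the file (absent, unreadable, wrong type) keeps signature checking enabled, so the only way to reach the “disabled” state is an action that already required root.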

We’re not talking about notification and emails. We’re talking about massive delays. I don’t need to open a new thread. This thread is already opened and active. According to what you’ve said, the delays are caused, in part, by the verification process. If that’s true, I’d like to be able to turn it off to speed things up.

I have opened a ticket and this thread on the issue. Why should I open another one?
I’ve also specifically spoken with Tony about the issue, and I’m pretty sure that I’ve sent you an email. Even if I haven’t, you’ve already read about the issue here, so why should I bother sending you an email on an issue you already know about? The claim that I need to do more to bring your attention to the issue seems incorrect.

I get that you’ve designed the system to protect against vulnerabilities. That’s great!

Linux has this great feature that’s designed to protect against vulnerabilities also. It’s called SELinux. It’s fantastic. But, you can turn it off. In fact, your instructions for installing FreePBX recommend turning it off, and it’s disabled on the Distro.

I believe that you should let us do the same for signature verification, and it appears that I’m not the only one.

Again, it’s your choice. I know that I’ve delayed upgrading until this issue gets sorted. Am I more secure or less secure because of that? Am I the only one? I doubt it.


And that has already been addressed. I fixed it today. You seem to be completely skipping that fact?

You’d be opening an issue about signature checking. Of which there is no issue. Online delay checking and signature checking, while related are two different topics.

You have never sent me an email about this.

I am not talking about an email for this subject. You are completely confused now and saying more confusing things. I am talking about an email about signature checking in general. This thread was about apply changes delays. Then you started to talk about signature checking. Then I fixed the online delays and now you are saying you sent an email about signature checking or online delays; I just don’t know what we are talking about anymore.

Are you talking about signature checking or the online delays? You are jumping around. I have already fixed the online delays.

If you’ve already fixed the long delays, then why is corkuck still complaining about them?

Please READ what I am posting!