linux: cgroups

July 27th, 2020

Just a link to a useful article about managing system resources according to a user/process:

Viber on Ubuntu 18.04

May 14th, 2020

alexey@dell:~$ /opt/viber/Viber qt.qpa.plugin: Could not load the Qt platform plugin “xcb” in “” even though it was found. This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem. Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, webgl, xcb. Aborted (core dumped)

alexey@dell:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.4 LTS
Release:	18.04
Codename:	bionic
alexey@dell:~$ sudo apt install qt5dxcb-plugin

Forwarded/diverted calls in Asterisk log

November 26th, 2019
VERBOSE[90578][C-0027e6ee]: app_dial.c:935 in do_forward: \
[2019-11-25 09:54:06] \
-- Now forwarding SIP/2765-00559bac \
to 'Local/3135@office' (thanks to SIP/2559-00559bad)

NOTICE[90578][C-0027e6ee]: app_dial.c:958 in do_forward: \
Not accepting call completion offers from call-forward \
recipient Local/3135@office-0014b4ca;1

VERBOSE[109197][C-0027f144]: app_dial.c:935 in do_forward: \
[2019-11-25 12:20:26] \
-- Now forwarding SIP/1888-0055b018 \
to 'Local/7xxx3063600@office' (thanks to SIP/2813-0055b019)

NOTICE[109197][C-0027f144]: app_dial.c:958 in do_forward: \
Not accepting call completion offers from call-forward \
recipient Local/7xxx3063600@office-0014b7e3;1

“thanks to SIP/2559-00559bad” – this is a name of the channel who forwarded the call, either manually or by settings configured in the UAC.

sudo without pass

November 26th, 2019

Executing apt as an example. Add to /etc/sudoers

lexus ALL=(root) NOPASSWD:/usr/bin/apt

OpenSIPS: Adding CALLERID (display-name) to calls from registered users

November 21st, 2019

This is about adding a display name to the calls from registered users. An analogue of Asterisk’s Set(CALLERID(name)=John Doe).

The idea was to move SIP accounts from Asterisk to OpenSIPS.

In case of using Asterisk we would configure something like:

callerid=Alexey Kazantsev <222>

How to achieve the same with OpenSIPS? This is the solution:

  • add desired display-names to ‘rpid’ columns of the ‘subscriber‘ table:
Adding desired callerid to ‘rpid’ column of the SIP-account.
modparam("auth_db", "load_credentials", "$avp(display)=rpid")
  • add ‘attr_avp‘ parameter to ‘registrar’ module settings:
modparam("registrar", "attr_avp", "$avp(display)")
  • and finally some magic in the script, to add the display-name to the INVITE request from the registered user, going through our OpenSIPS SBC:
# call from registered user -> add callerid
# and forward to mediaserver for call recording, etc.
# replace only display and do not touch uri

How it looks like?

This is the INVITE coming to OpenSIPS:

2019/11/21 14:16:55.247856 ->
Via: SIP/2.0/UDP;branch=z9hG4bK-3822b894
From: <>;tag=48b014547f398294o1

And this is the same INVITE leaving OpenSIPS, being modified:

2019/11/21 14:16:55.252518 ->
INVITE sip:111@ SIP/2.0
Record-Route: <sip:;lr;ftag=48b014547f398294o1>
Via: SIP/2.0/UDP;branch=z9hG4bK77e6.9bb3aa72.0
Via: SIP/2.0/UDP;branch=z9hG4bK-3822b894
From: "Alexey Kazantsev" <>;tag=48b014547f398294o1

The information stored in the ‘rpid’ column (in our example, or some custom in your architecture) is fetched to AVP at each REGISTER/save, so you do not need to reload anything to take changes in effect.

The callerid info is seen in console output via ‘opensipsctl fifo ul_dump’ command:

		Contact:: sip:222@ Q=
			ContactID:: 3039507536010050217
			Expires:: 42
			Callid:: 9fdd26c2-6de37105@
			Cseq:: 35746
			User-agent:: Cisco/SPA303-7.6.2c
			State:: CS_NEW
			Flags:: 0
			Socket:: udp:
			Methods:: 5247
			Attr:: Alexey Kazantsev

UAC settings: forming INVITE with RURI containing a domain

November 7th, 2019

Some notes how to configure Linphone and Cisco SPA-303 to send INVITE with domain in RURI, assuming that your proxy has a different IP address than the resolved address of the domain.

Linphone: add “Route” parameter.
Cisco SPA-303: Outbound proxy, Use outbound proxy = yes, Use OB proxy id Dialog = yes.
Resulting INVITE to a private IP containing a domain in RURI.

That’s all. Have fun!

Inserting Asterisk in your call flow

November 6th, 2019

Let’s imagine that we’ve upgraded our VoIP network which was formerly based on geographically distributed Asterisks.

We configured OpenSIPS servers as registrars, connected them together in a full-sharing usrloc cluster and now we need to route calls between endpoints not directly, but through Asterisks – to handle our calls in a familiar way (CDR records, call recording via MixMonitor, some AGI scripts, etc).

We have to create something like that:

This is a code snippet of OpenSIPS with IP address

	# initial INVITE

		# call from registered user ->
                # forward to mediaserver for call recording, etc.
			$ru="sip:" + $oU + "@" + "";

		# call from Asterisk? -> change domain part before doing lookup

		$var(lookup_flags) = "m";
		if(cluster_check_addr("1", "$si")) {
			xlog("si: $si . $rm from cluster, doing local lookup only\n");
		} else {
			xlog("si: $si . $rm from outside, doing global lookup\n");
			$var(lookup_flags) = $var(lookup_flags) + "g";

		if(!lookup("location", "$var(lookup_flags)"))
			t_reply("404", "Not Found");

			rtpengine_offer("RTP/AVP replace-origin replace-session-connection ICE=remove");

	} # initial INVITE end


A SIP peer to this OpenSIPS in Asterisk sip.conf looks like this:


And a dialplan for CDR/MixMonitor/etc:

context office
	_XXX =>
		NoOp(imagine this is CDR, MixMonitor, AGI);

UPD: assuming your SIP acoounts DB has moved from Asterisk to OpenSIPS cluster, its desirable not just processing REGISTER requests and doing authentication, but also adding caller ids to your SIP accounts.

OpenSIPS 2.4 usrloc full-sharing cluster

October 25th, 2019

UPD: 2019-november-5. An official tutorial is available now! And some discussion on the mail list.

Draft/some notes…

2 OpenSIPS nodes without MongoDB

  • module – one node is configured as seed (in case of using MongoDB for usrloc, both nodes were seed)
    • if a non-seed node restarts, it gets usrloc from seed one via bin interface
    • if a seed node is restarted, we have to get all usrloc records from non-seed one using ‘opensipsctl fifo ul_cluster_sync’ command

Key settings:

loadmodule “”
modparam(“usrloc”, “db_url”, “mysql://opensips:pass@”)
modparam(“usrloc”, “nat_bflag”, “NAT”)
modparam(“usrloc”, “working_mode_preset”, “full-sharing-cluster”)
modparam(“usrloc”, “location_cluster”, 1)
modparam(“usrloc”, “use_domain”, 1)

loadmodule “” # requires
modparam(“clusterer”, “current_id”, 1)
modparam(“clusterer”, “db_mode”, 1)
modparam(“clusterer”, “db_url”, “mysql://opensips:pass@”)

    # initial INVITE
    if(is_method("INVITE")) {
	$var(lookup_flags) = "m";
	if (cluster_check_addr("1", "$si")) {
		xlog("si: $si . $rm from cluster, doing local lookup only\n");
	} else {
		xlog("si: $si . $rm from outside, doing global lookup\n");
		$var(lookup_flags) = $var(lookup_flags) + "g";
	if (!lookup("location", "$var(lookup_flags)")) {
		t_reply("404", "Not Found");
	if (has_body("application/sdp")) {
	    rtpengine_offer("RTP/AVP replace-origin replace-session-connection ICE=remove");

    }	# initial invite END

UPD: some useful notes from Liviu Chircu:

Pay attention: according to his advice, we don’t need any data in ‘sip_addr’ columns when creating a full-sharing usrloc cluster. In case of federated cluster we have to fill them with IP addresses on which OpenSIPS nodes are listening.

OpenSIPS: filter REGISTER requests based on username

July 11th, 2019

Formerly we’ve learned how to restrict access with module based on source IP addresses. Today I’ll show how to restrict access to your OpenSIPS based on usernames, being registering.

loadmodule "" # no deps


if (is_method("REGISTER")) {
if(!allow_register("register")) {
sl_send_reply(403, "Forbidden by permissions");

“Deny all, but …” policy – we will allow registrations of explicitly defined usernames and drop anybody else.

register.deny file:


register.allow file:

# this allows lexus, lexus2, lexus3 to register
"^sip:lexus[23]?" : ALL

# regexp seems to be CORRECT, but for some reason lexus2 and lexus3 can not register
# "^sip:lexus[\d]?" : ALL

Have a look how it’s working! A good guy is being registered successfully:

good guy

While a bad guy had been kicked:

bad guy

Another solution using module from Pavel Eremin. The pros of this method is that it allows editing a txt file with usernames defined and reload module via MI interface (no restart needed).

And even one more from Răzvan Crainea.

OpenSIPS: ratelimit with dynamically changeable value

May 13th, 2019

This note will instruct you how to protect each DID number connected to your OpenSIPS from SIP DDoS, limiting not the total amount of INVITE requests going to your OpenSIPS server, but only INVITEs to some certain RURI.

Check it out, I hope you like it!

This is useful when you have a plenty of SIP numbers (DIDs) connected to your server and each one accepts inbound calls, e.g. a call centre or a taxi ordering service, etc. And you have to check each destination and drop too much requests, without degradation of any other incoming calls.

This is a nice solution to prevent the situation seen on the graph in the previous post.

PS: clustering support is not described here.

    loadmodule ""		     # no deps
    modparam("ratelimit", "window_size", 2)  # ban timeout, sec

Add start limit value to the startup_route:

    startup_route {
    	cache_store("local", "inc:rl", "8");

Somewhere in the initial INVITE section:

# AntiDDoS for each inbound call
if($si !~ "^10\..*") {
    cache_fetch("local", "inc:rl", $var(rl));
        # $var(rl) invites/sec going to each $rU.
        # SBT is the most precise policy.
        if (!rl_check("pipe_$rU", "$(var(rl){})", "SBT")) {          
            sl_send_reply("503", "Service Unavailable. AntiDDoS");
            xlog("L_INFO", "call $ci from $fU@$si:$sp to $oU@$Ri drp by rl");

Live statistics:

voip-sipgw01 opensips # opensipsctl fifo rl_list
PIPE::  id=pipe_9618688830 algorithm=SBT limit=8 counter=0
PIPE::  id=pipe_9020578345 algorithm=SBT limit=8 counter=0
PIPE::  id=pipe_9611157347 algorithm=SBT limit=8 counter=0
PIPE::  id=pipe_79190224444 algorithm=SBT limit=8 counter=0
PIPE::  drop_rate=581

Change the limit on the fly up to 10 INVITES to each $rU:

opensipsctl fifo cache_store local inc:rl 10