Customized Scripting

Comments

40 comments

  • Pete Gillis

    I have blue and am just interested in persisting some crontab settings.  Will the 

    /home/pi/.firewalla/config/user_crontab

    file also work for Firewalla blue?  Thanks.

  • Firewalla

    There is no need to do this for the blue, you can just use cron directly.   The reason gold is a bit special is, when in router mode, we want it to be stable, hence we restrict access to services to prevent 'you' from messing up the operating system and shut down the network.

  • Pete Gillis

    Hmm. OK, I'll let you know if I lose my crontab next time the router reboots. I thought that is what happened before.

  • Michael Bierman

    Another use for custom scripting. Install Speedtest CLI on Firewalla. 

    Want to have speedtest CLI on Firewalla Gold? This will tell you how fast your internet connection is right on Firewalla (no Wi-Fi or Ethernet involved).

    Firewalla will remove anything installed after upgrades, so you can install a script to reinstall it for you after Firewalla upgrades and possibly reboots. See this gist.

    Then you can run speedtest.

    speedtest --interface=eth0

    Or

    speedtest --interface=eth1

    if you have dual WAN and want to test WAN2

  • Lewis B

    How soon after adding an entry into the ~/.firewalla/config/user_crontab does the main crontab pickup the change?

  • Michael Bierman

    After rebooting. @theoninhunter

  • Lewis B

    @Michael Bierman

    Yep that did it many thanks!

  • Michael Bierman

    Will scripts wait to be called until after a network connection has been made or does that need to be custom coded in the script?

  • David Koppenhofer

    And a related question about the user scripts: in what order are they executed? I'm guessing the same order that 'ls' normally shows them.

  • David Koppenhofer

    Yes, I found the calling script. They're run in 'ls' order.

  • Bill Bradstreet

    I've been trying to get scripts to run at boot but I'm not having any luck.

    My script is in the post_main.d folder. I have chmod'd the at_boot.sh script with 777. I can run it as user pi from SSH without any special effort. I don't have much Unix experience, so I'm already at the edge of my expertise being able to chmod.

    While digging into this further, I see the user I create for Samba and FTP exists prior to my performing my test -- does this mean the script did run during boot?

    (1) Why would it run during boot, but the samba and FTP aren't working? 
    (2) Is there a way for me to see a log somewhere?

  • Michael Bierman

    @Bill hard (for me at least) to comment without seeing the script. Can you post it somewhere?

  • Chris Hewitt

    @Bill, does your script write log messages you can check? If not, it should.

    (From above) You could create a custom cron job in /home/pi/.firewalla/config/user_crontab to run every five minutes to test your script - then return to only at boot.

    You could also put an @reboot in there to run your script at reboot just to make sure.

  • Bill Bradstreet

    I had the script set to create log files, but they were mostly empty. I removed it (for now). 

    Here's the script (with a few anonymizers). Again, this script runs through successfully when I run it in SSH as pi. ./at-boot.sh

    script: at_boot.sh

    #!/bin/bash

    sudo apt-get update
    sudo apt-get -y install samba samba-common samba-common-bin cifs-utils python-glade2 system-config-samba vsftpd

    # Date Variables

    # sudo read -r YYYY MM DD H M S <<< "$(date '+%Y %m %d %H %M %S' -d "$date_in")"

    # Sets up ftp users

    sudo addgroup sftp
    sudo useradd -m thisisanthrusrname -g sftp
    sudo passwd thisisanthrusrname <<< thisisapwd
    sudo useradd -m thisisausrname -g sftp
    sudo passwd thisisausrname <<< thisisapwd
    sudo mkdir /home/thisisausrname/

    # Set permissions

    sudo chmod 744 /home/thisisausrname/

    # Sets up external drive mounting

    sudo fdisk -l
    sudo mount /dev/sda1 /home/thisisausrname/
    sudo mount

    # Copy config into ssh directory

    sudo rm -f /etc/ssh/sshd_config
    sudo cp /home/pi/.firewalla/config/post_main.d/sshd_config /etc/ssh/sshd_config
    sudo systemctl restart ssh

    # Set ownership

    sudo chown -R nobody:nogroup /home/thisisausrname/
    sudo chmod -R 0775 /home/thisisausrname/

    # Copy config into samba directory

    sudo rm -f /etc/samba/smb.conf
    sudo cp /home/pi/.firewalla/config/post_main.d/smb.conf.1709LH /etc/samba/smb.conf
    sudo service smbd stop
    sudo service smbd start

    # Open firewall ports for FTP & Samba

    sudo ufw allow samba
    sudo ufw allow 21
    sudo ufw allow 22

    # Enable FTP

    sudo systemctl start vsftpd
    sudo systemctl enable vsftpd

    # Set directory for FTP

    # sudo mkdir /home/thisisausrname/WebcamImages/$YYYY/$MM/$DD

    sudo usermod -d /home/thisisausrname/WebcamImages thisisausrname

    # Over-write config file

    sudo cp  /home/pi/.firewalla/config/post_main.d/vsftpd.conf /etc/vsftpd.conf

    sudo systemctl restart vsftpd.service

  • Chris Hewitt

    You shouldn't have to do this at every boot. I don't think all this gets reset on boot. Have you taken a look at this https://help.firewalla.com/hc/en-us/articles/360007345553-Fun-Things-To-Do-with-Firewalla ? @Firewalla can you comment?

    Reminder that using FTP is a significant security risk. What is the end result you are trying to achieve here? You shouldn't have to open SSH, as the Firewalla already does that.

  • Michael Bierman

    Agree with Chris. In addition, I confess I have not installed SAMBA, but there are things that concern me about this code. A few examples:

    • I would test if something is already installed before installing it.
    • I'd test if a directory exists before creating it.
    • Don't put things in /home/thisisausrname. Use the locations Firewalla allows you to customize, like /data.
    • This:
      sudo cp /home/pi/.firewalla/config/post_main.d/sshd_config /etc/ssh/sshd_config
      is going to copy the whole script to another location. Why?
    • Use logging and bash -x to debug things. You will see where things go wrong rather than spending an hour trying to guess.
    • Does /etc/samba/smb.conf require permissions?
  • Chris Hewitt

    You can always run this command to see what is installed on a Debian distro.

    sudo dpkg-query -f '${Package;-30}${Priority}\t${Essential}\t${Description;-100}\n' -W | grep -Ev '^ ' | grep -v '^$'

  • Bill Bradstreet

    @Chris. That dpkg-query is a great addition to my limited Unix knowledge. Thanks.

    I was under the understanding that whenever a Firewalla Gold reboots it removes all customizations. If this isn't the case, then I'd love to be able to streamline the script.

    I use FTP because I have some security cameras around the property that FTP images to a server when they sense motion. The company has the ability to use samba, but they have a bug in the firmware for two of my cameras. So, I send the images via FTP. I tried to use sFTP, but it didn't work even when I switched to port 22. I should probably set up a rule to block remote FTP requests.

    @Michael, The cp command you call out just overlays a working config over the one that is placed in the /etc folder during installation. I do this as it is easier than inserting rows to an existing file. I'll look more into the /data folder. I'm, in actuality, setting this up to use a 16TB external drive for the files that get uploaded. The actual upload location isn't on the Firewalla. For this reason, I didn't think it really mattered if I used /data or not.

    Back to one of my initial questions, though. Why would a script that I can run successfully fail at boot?

    My wife is out of town in a few days. I'll do more testing while she is away. I try not to disrupt the network too much when she's home.

  • Michael Bierman

    Firewalla does not remove everything on every reboot. Certain directories do not get removed ever. That is why you should put your stuff there. Anything you install may be removed so you should check to see what needs to be done before doing it. I would have tests. Don't assume the state of anything.

    1. Do I need to do x? If yes, do it. If no, do not.
    2. Does X file or directory already exist? If yes, do Y, if not, do not. 
    3. Is X already running? If yes, do nothing; if no, start it.
    4. Is X already mounted? If Yes, do nothing. If no mount it.
    5. Personally I wouldn't put passwords in the file. There are better ways to handle this. 

    You are copying a script that does the entire installation to another location. This doesn't make sense to me. What happens on reboot should be separate from any configuration stuff. Don't duplicate. If you want to make sure something is installed just call the installs script before anything else.

    Adding rows to an existing file is simple to do if that's needed. google "bash >>" 

    The actual upload location isn't on the Firewalla. For this reason, I didn't think it really mattered if I used /data or not.

    It might not. To be honest, I don't know exactly how Firewalla reacts to remounting file systems. I would definitely add a check to the reboot script to test if the mount exists and redo it if it does not. I would probably err on the side of mounting something under an area Firewalla expects to have user content—even if that isn't necessary.

    Again, to debug you should use "bash -x" and/or log each significant action so you can see what is happening at every step. Each log entry should have a time stamp. You can run it and when needed try rebooting to see what is firing and what is not. You can always remove or comment out some of the logging when it is confirmed to be working. 

  • David Koppenhofer

    Also, a good reason to check the state of something before executing is that these scripts are run whenever the Firewalla service restarts, not necessarily just once at boot.

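    Michael's state checks (is it installed, does the directory exist, is it running, is it mounted) together with David's point that post_main.d scripts run on every Firewalla service restart, not only at boot, are the case for writing such a script so that every step is safe to repeat. The following is an added example, not code posted by anyone in this thread or shipped by Firewalla: each step tests current state before acting, and each action is logged with a time stamp as suggested above. The log path, the /data/fshare directory, the package and unit names, and the guard that only runs the steps when /home/pi/.firewalla exists are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example: an idempotent post_main.d-style boot script. Every step checks
# current state before acting, and every action is logged with a time stamp, so
# re-running it on a Firewalla service restart is harmless and easy to debug.
# Paths, package and unit names below are placeholders chosen for illustration.

LOG="${LOG:-/tmp/at_boot.log}"   # assumption: a writable log path

# Time-stamped logger: appends to $LOG and echoes the line to stderr.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" | tee -a "$LOG" >&2
}

# Is a Debian package installed? Checks dpkg's status field, not just the name.
pkg_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 1
    [ "$(dpkg-query -W -f='${db:Status-Status}' "$1" 2>/dev/null)" = "installed" ]
}

ensure_pkg() {
    if pkg_installed "$1"; then
        log "package $1 already installed, skipping"
    else
        log "installing package $1"
        sudo apt-get install -y "$1" || log "ERROR: install of $1 failed (rc=$?)"
    fi
}

# Create a directory only when it is missing. Returns non-zero if mkdir fails.
ensure_dir() {
    if [ -d "$1" ]; then
        log "directory $1 exists, skipping"
    else
        log "creating directory $1"
        mkdir -p "$1" || { log "ERROR: could not create $1"; return 1; }
    fi
}

# Is $1 a current mount point? $2 lets a test supply a constructed mounts table
# instead of the live /proc/self/mounts (the second field is the mount point).
is_mounted() {
    local mnt="$1" table="${2:-/proc/self/mounts}"
    awk -v m="$mnt" '$2 == m { found = 1 } END { exit !found }' "$table"
}

ensure_mount() {
    local dev="$1" mnt="$2"   # mount point without a trailing slash, as Michael suggested
    if is_mounted "$mnt"; then
        log "$mnt already mounted, skipping"
    else
        log "mounting $dev on $mnt"
        sudo mount "$dev" "$mnt" || log "ERROR: mount of $dev on $mnt failed (rc=$?)"
    fi
}

# Start a systemd unit only when it is not already active.
ensure_service() {
    if systemctl is-active --quiet "$1" 2>/dev/null; then
        log "service $1 already active, skipping"
    else
        log "starting service $1"
        sudo systemctl start "$1" || log "ERROR: start of $1 failed (rc=$?)"
    fi
}

main() {
    log "at_boot start (pid $$, user $(id -un))"
    ensure_pkg samba
    ensure_dir /data/fshare            # assumption: /data is the persistent area mentioned in the thread
    ensure_mount /dev/sda1 /data/fshare
    ensure_service smbd
    log "at_boot done"
}

# Act only on a box that has the Firewalla config tree; anywhere else (for
# example when sourcing this file to test the functions) just define them.
if [ -d /home/pi/.firewalla ]; then
    main "$@"
fi
```

    Put the file in post_main.d with execute permission. To see what a run did, read the log (every skipped and failed step is recorded with a time stamp) or run it under bash -x, which prints each command as it executes.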
  • Michael Bierman

    Exactly so, @David. In fact for many people they hardly ever reboot but the FW service has to restart for other reasons like upgrades. 

  • Bill Bradstreet

    I've learned a bit over the past two days. If I perform a sudo passwd && sudo chmod 744 /home/userid/ && sudo mount /dev/sda1 /home/userid/ my systems can access data via samba and ftp. I'm interpreting this to mean that the rest of the script runs just fine after the Firewalla is turned back on.

    (1) The password steps I have coded haven't worked. I can do a passwd manually and that fixes the issue. So, I still need to find a method for setting/changing a password inside my script. If someone has a suggestion for what I should choose, I would be very grateful! I've tried a few so far. These are the ones I recall trying.

    a> echo 'userid:newpwd' | sudo chpasswd
    b> echo 'newpwd\newpwd' | sudo passwd userid

    (2) I did the chmod command because it is in the script. I'm not sure if it worked or not at this point. I've found that logging my scripts hasn't worked as I would have expected. I'm not getting much output. This is one of those instances where the log doesn't contain any useful information for the chmod command.

    (3) The mount command in the script hasn't worked. I can run the mount command manually and that fixes the issue. I added a 5 minute delay, which I thought would have done it, but it still hasn't worked. In my most recent test, I only turned the Firewalla off. By leaving the NAS online, there wouldn't be a power cycle delay in the mix.

    a> sudo mount /dev/sda1 /home/fshare/

  • Chris Hewitt

    No no no no. Do not use a password on your script. Hard coded passwords are a HUGE vulnerability.

    Use keys for authentication and disable the ability to use passwords.

    If you have been testing this on the CLI be aware your clear text password is now in your history file.

    Remember if you truly are using FTP all traffic - including username and password - is sent as clear text.

  • Michael Bierman

    @Bill Try

    userid="fred"
    pass="123"
    sudo chpasswd $userid:$pass

    You could also do the following to separate the passwords so you can easily share the script without having to hide info:

    cat > pass.txt
    user1:user1_password

    $chpasswd < pass.txt

    In terms of logging, you get what you ask for—or what you ask for properly anyway. Again, I couldn't suggest what is wrong without seeing your code. You can log absolutely anything you want if you do it right. 

    Have you tried

    sudo mount /dev/sda1 /home/fshare
  • Bill Bradstreet

    I created a little script with 

    userid="fred"
    pass="123"
    sudo chpasswd $userid:$pass

    The above script hangs (never finishes; shows no information in stdout or stderr). The below script does not hang, but also does not work (but it logs). Now I'll put logging on each of the commands and see how they fare. At this point, I'm just excited I can see what's happening! :-) I'll see if I can take what you've taught me and come up with a way to change the password.  

    sudo chpasswd < passwd.txt

    The log output follows. 

    chpasswd: (user 'userid') pam_chauthtok() failed, error:
    Authentication token manipulation error
    chpasswd: (line 1, user 'userid') password not changed

  • Bill Bradstreet
    sudo mount /dev/sda1 /home/fshare

    Are you saying I should drop the ending / from my parameter(s)? The script works with the / included when I run the script myself. Should that matter?

  • Michael Bierman

    Sorry, Bill. I haven't used chpasswd in scripts much. Try: 

    echo "password:name" | chpasswd

    https://www.baeldung.com/linux/passwd-shell-script Note the double quotes. quotes, special characters, escaping things are often the trickiest bits of shell scripts. I'm not sure if you need sudo or not. 

    Yes, leave the trailing slash off the mount command. 

  • Bill Bradstreet

    I'm still not having any luck with this! Sorry to be a pain. By the way, the documentation for chpasswd has it as uid:pwd, not pwd:uid, so I tried both. It expects the first parameter to be the user name.

    Here's what I tried most recently. At least I'm getting an error message with this one. :-/

    $ sudo echo UID:password123! | chpasswd
    Changing password for fshare.
    chpasswd: (user UID) pam_chauthtok() failed, error:
    Authentication token manipulation error
    chpasswd: (line 1, user UID) password not changed
  • David Koppenhofer

    @Bill
    I'm not sure, but maybe the sudo doesn't apply to the chpasswd command after the pipe. I ran into a similar permissions problem with output redirection when trying to write to a file in /etc.
    https://help.firewalla.com/hc/en-us/community/posts/4491452568851/comments/4507491636499

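    David's reading of the transcript is correct: in sudo echo UID:password123! | chpasswd only echo is privileged, and chpasswd runs as the calling user, which is consistent with the pam_chauthtok() error shown. The following is an added example, not code posted by anyone in this thread or shipped by Firewalla, that combines that fix with Chris's and Michael's advice: the passwords live in a separate file that only the script's user can read, the file is checked before use, and sudo is placed on chpasswd, the command that needs root, so no password appears in the script, on a command line or in shell history. The file path under /home/pi/.firewalla/config, the user-name pattern and the function names are assumptions.

```shell
#!/bin/bash
# Added example: feed chpasswd from a protected credentials file rather than a
# literal in the script or on the command line. Note where sudo goes: in
# "sudo echo user:pw | chpasswd" only echo is privileged and chpasswd runs as the
# calling user, which fails with "pam_chauthtok() failed". The path below is an
# assumption; the .firewalla/config tree is the persistent area named in the thread.

CRED_FILE="${CRED_FILE:-/home/pi/.firewalla/config/fshare-creds.txt}"

# Accept only a regular file owned by the user running this script with mode
# 600 or 400, so no other local account can read the passwords.
cred_file_is_protected() {
    local f="$1" mode owner
    [ -f "$f" ] || return 1
    mode="$(stat -c '%a' "$f" 2>/dev/null)" || return 1
    owner="$(stat -c '%U' "$f" 2>/dev/null)" || return 1
    [ "$owner" = "$(id -un)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Every line must be "user:password": chpasswd expects the user name first.
# grep -v selects lines that do NOT match; any such line makes the file invalid.
cred_lines_valid() {
    local f="$1"
    [ -s "$f" ] || return 1                  # empty file: nothing to apply
    if grep -Evq '^[a-z_][a-z0-9_-]*:.+$' "$f"; then
        return 1
    fi
    return 0
}

# Validate, then hand the file to chpasswd running under sudo. The redirect is
# opened by this (unprivileged) shell, which is why the file must be readable
# by the script's user; nothing secret appears in argv or in shell history.
apply_passwords() {
    local f="${1:-$CRED_FILE}"
    if ! cred_file_is_protected "$f"; then
        echo "refusing: $f must be a mode 600 file owned by $(id -un)" >&2
        return 1
    fi
    if ! cred_lines_valid "$f"; then
        echo "refusing: $f must contain only user:password lines" >&2
        return 1
    fi
    sudo chpasswd < "$f"
}
```

    Create the file once with chmod 600, keep it out of the script you share, and call apply_passwords from the boot script; the two checks make it refuse to run, with a reason on stderr, if the file was copied with loose permissions or has a malformed line.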
  • Michael Bierman

    @Bill it is too hard to help without seeing the whole script. I suggest posting the full current version here or on GitHub. Much more likely someone can help that way.
