jeanmarc77 / 123solar

123Solar is a lightweight set of PHP/JS files that makes a web logger to monitor your photovoltaic inverter(s). It just needs a web server and PHP; no database is even needed. The philosophy is to keep it simple, fast, with a low footprint to run on cheap and low-powered devices.
GNU General Public License v3.0

use systemd for start/stop via browser #51

Closed basti122303 closed 1 year ago

basti122303 commented 1 year ago

This is only for non-debug mode, I never used it.

Create a sudoers file like:

# /etc/sudoers.d/www-data
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl start 123solar.service

jeanmarc77 commented 1 year ago

I like the idea but, well, I'm not sure. Systemd is not a 123s requirement (some people use a NAS or whatever). Also, people will have additional commands to do so.

basti122303 commented 1 year ago

you are right, let's check if systemd is present and the unit is active. But not now at the weekend. :-D

basti122303 commented 1 year ago

Please add a note that when the systemd unit is used, a sudoers file is needed.

jeanmarc77 commented 1 year ago

Hi, I am doing some testing: the 123solar service respawns but doesn't write the 123solar.pid file. The path is correct, I don't know what's wrong. So I can have several 123solar.php instances (like via the interface and from the respawn). Can you help?

basti122303 commented 12 months ago

Perhaps a permission problem?

Have you seen https://github.com/jeanmarc77/123solar/pull/52/commits/2fdbfb0b8fec153523f1f5505fd6c87e655ac57e#diff-8e20415679370934cee69bc0ed071827d4e83241362259f9ddbc715e2f6f93fd ? You also need to edit your sudoers file to check if the service is enabled.

jeanmarc77 commented 12 months ago

Hi, I have this

# This file should placed in /etc/sudoers.d/ as www-data or something else
# Username (http, www-data,..) should be edited for your needs
http ALL=(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service

but this doesn't work

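<?php
// Ask systemd (through sudo) whether the unit is enabled; $output collects the stdout lines.
exec("sudo systemctl is-enabled 123solar.service", $output);
// $output stays empty if the command prints nothing to stdout, so guard the index.
if (is_dir('/run/systemd/system') && (($output[0] ?? '') == "enabled")) {
    echo 'yeah enabled';
} else {
    echo 'nope';
}
?>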

Any idea? How to check if sudoers is enabled? Thanks for helping.

basti122303 commented 12 months ago

root@c2:~# sudo -u www-data -s /bin/bash

www-data@c2:/root$ systemctl status 123solar.service
● 123solar.service - 123Solar
     Loaded: loaded (/etc/systemd/system/123solar.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-07-07 14:09:08 CEST; 3 days ago
    Process: 32543 ExecStartPost=/bin/sh -c systemctl show -p MainPID --value 123solar.service  > /home/www/solar/scripts/123solar.pid (code=exited, status=0/SUCCESS)
   Main PID: 32542 (php)
      Tasks: 1 (limit: 2110)
     Memory: 5.5M
        CPU: 58min 41.056s
     CGroup: /system.slice/123solar.service
             └─32542 /usr/bin/php 123solar.php
www-data@c2:/root$

www-data@c2:/root$ sudo systemctl stop 123solar.service
www-data@c2:/root$

www-data@c2:/root$ systemctl status 123solar.service
○ 123solar.service - 123Solar
     Loaded: loaded (/etc/systemd/system/123solar.service; enabled; preset: enabled)
     Active: inactive (dead) since Tue 2023-07-11 13:10:12 CEST; 12s ago
   Duration: 3d 23h 1min 4.614s
    Process: 32542 ExecStart=/usr/bin/php 123solar.php (code=killed, signal=TERM)
    Process: 32543 ExecStartPost=/bin/sh -c systemctl show -p MainPID --value 123solar.service  > /home/www/solar/scripts/123solar.pid (code=exited, status=0/SUCCESS)
    Process: 13057 ExecStopPost=/usr/bin/rm -f /home/www/solar/scripts/123solar.pid (code=exited, status=0/SUCCESS)
   Main PID: 32542 (code=killed, signal=TERM)
        CPU: 58min 41.235s
www-data@c2:/root$

www-data@c2:/root$ sudo systemctl start 123solar.service
www-data@c2:/root$

www-data@c2:/root$ systemctl status 123solar.service
● 123solar.service - 123Solar
     Loaded: loaded (/etc/systemd/system/123solar.service; enabled; preset: enabled)
     Active: active (running) since Tue 2023-07-11 13:10:35 CEST; 2s ago
    Process: 13067 ExecStartPost=/bin/sh -c systemctl show -p MainPID --value 123solar.service  > /home/www/solar/scripts/123solar.pid (code=exited, status=0/SUCCESS)
   Main PID: 13066 (php)
      Tasks: 1 (limit: 2110)
     Memory: 5.2M
        CPU: 453ms
     CGroup: /system.slice/123solar.service
             └─13066 /usr/bin/php 123solar.php
www-data@c2:/root$

basti122303 commented 12 months ago

www-data@c2:/etc/sudoers.d$ ls -la
total 16
drwxr-xr-x  2 root root 4096 Jul  6 22:35 .
drwxr-xr-x 88 root root 4096 Jul  8 05:46 ..
-r--r-----  1 root root 1096 Mar  8 21:17 README
-rw-r--r--  1 root root  294 Jul  6 16:37 www-data
www-data@c2:/etc/sudoers.d$ 
www-data@c2:/etc/sudoers.d$ cat www-data 
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service
www-data@c2:/etc/sudoers.d$

jeanmarc77 commented 12 months ago

I can't sudo systemctl status 123solar.service as http user as it asks for a password

[jeanmarc@zbox scripts]$ sudo ls -la /etc/sudoers.d/
[sudo] Mot de passe de jeanmarc :
total 24
drwxr-x---   2 root root  4096 11 jui 12:35 .
drwxr-xr-x 112 root root 12288 11 jui 13:02 ..
-r--r-----   1 root root    21  8 jun  2022 10-installer
-rw-r--r--   1 root root   278 11 jui 12:35 http

[jeanmarc@zbox scripts]$ sudo cat /etc/sudoers.d/http
http ALL=(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service

[jeanmarc@zbox scripts]$ sudo -u http -s /bin/bash
[http@zbox scripts]$ systemctl status 123solar.service
● 123solar.service - 123Solar
     Loaded: loaded (/etc/systemd/system/123solar.service; enabled; preset: dis>
     Active: active (running) since Tue 2023-07-11 13:45:29 CEST; 13min ago
    Process: 1525773 ExecStartPost=/bin/sh -c systemctl show -p MainPID --value>
   Main PID: 1525768 (php)
      Tasks: 2 (limit: 9298)
     Memory: 7.0M
        CPU: 13.258s
     CGroup: /system.slice/123solar.service
             ├─1525768 /usr/bin/php 123solar.php
             └─1591949 aurora -a 2 -c -T -Y3 -l4 -d0 -e /dev/solar

[http@zbox scripts]$ sudo systemctl status 123solar.service

Nous espérons que vous avez reçu de votre administrateur système local les consignes traditionnelles. Généralement, elles se concentrent sur ces trois éléments :

#1) Respectez la vie privée des autres.
#2) Réfléchissez avant d'utiliser le clavier.
#3) De grands pouvoirs confèrent de grandes responsabilités.

Pour des raisons de sécurité, le mot de passe que vous tapez ne sera pas visible.

[sudo] Mot de passe de http :
Désolé, essayez de nouveau.
[sudo] Mot de passe de http :
sudo: 1 saisie de mot de passe incorrecte
[http@zbox scripts]$

jeanmarc77 commented 12 months ago

That said, I can request systemctl is-enabled as http without password but it doesn't work from my test script from the browser.. I am lost

[jeanmarc@zbox scripts]$ sudo -u http -s /bin/bash
[sudo] Mot de passe de jeanmarc :
[http@zbox scripts]$ sudo systemctl is-enabled 123solar.service
enabled

basti122303 commented 12 months ago

I guess the file is not included. What does sudo -l say?

www-data@c2:/etc/sudoers.d$ sudo -l
Matching Defaults entries for www-data on c2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on c2:
    (root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
    (root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
    (root) NOPASSWD: /usr/bin/systemctl start 123solar.service
    (root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service
www-data@c2:/etc/sudoers.d$ 

Is /etc/sudoers.d included? My last line in /etc/sudoers looks like:

# See sudoers(5) for more information on "@include" directives:

@includedir /etc/sudoers.d

Insert the lines in /etc/sudoers for testing if it still does not work.

basti122303 commented 12 months ago

root@c2:~# whereis systemctl
systemctl: /usr/bin/systemctl /usr/share/man/man1/systemctl.1.gz
root@c2:~#

jeanmarc77 commented 12 months ago

[http@zbox scripts]$ whereis systemctl
systemctl: /usr/bin/systemctl /usr/share/man/man1/systemctl.1.gz
[http@zbox scripts]$ sudo -l
L'utilisateur http peut utiliser les commandes suivantes sur zbox :
    (root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
    (root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
    (root) NOPASSWD: /usr/bin/systemctl start 123solar.service
    (root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service
[jeanmarc@zbox scripts]$ sudo more /etc/sudoers | grep @includedir
[sudo] Mot de passe de jeanmarc :
@includedir /etc/sudoers.d

Can you get 'enable' from the browser using the test.php file ?

basti122303 commented 12 months ago

Can you please set LANG=C.UTF-8 to get English messages. OK, let's see, that sudo means you can run systemctl is-enabled 123solar.service but you will be asked for a password? Perhaps you get messages in French? I don't know, all my systems run C.UTF-8 as LANG.

Have you run the following as root?

systemctl enable 123solar.service

to enable your service unit? It seems that your unit is not enabled.

Which test.php? It doesn't matter, PHP only uses the command line. So it must fit there.

jeanmarc77 commented 12 months ago

Weird, it works from CLI as http user and 123solar.service is enabled

[jeanmarc@zbox scripts]$ LANG=C.UTF-8
[jeanmarc@zbox scripts]$ sudo -u http -s /bin/bash
[http@zbox scripts]$ sudo systemctl is-enabled 123solar.service
enabled
[http@zbox scripts]$ systemctl is-enabled 123solar.service
enabled

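Now, if I make this test.php, I get 'nope' from the browser

<?php
// Ask systemd (through sudo) whether the unit is enabled; $output collects the stdout lines.
exec("sudo systemctl is-enabled 123solar.service", $output);
// $output stays empty if the command prints nothing to stdout, so guard the index.
if (($output[0] ?? '') == "enabled") {
    echo 'yeah enabled';
} else {
    echo 'nope';
}
?>

basti122303 commented 12 months ago

www-data@c2:/tmp$ sudo systemctl is-enabled 123solar.service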
enabled

www-data@c2:/tmp$ cat test.php 
<?php
exec("sudo systemctl is-enabled 123solar.service",$output);
if ($output[0] == "enabled") {
echo 'yeah enabled';
} else {
echo 'nope';
}
?>
www-data@c2:/tmp$ php test.php 
yeah enabled

www-data@c2:/tmp$ php -v
PHP 8.2.7 (cli) (built: Jun  9 2023 19:37:27) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.7, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.7, Copyright (c), by Zend Technologies

www-data@c2:/tmp$ cat /etc/issue
Debian GNU/Linux 12 \n \l

modified version:

www-data@c2:/tmp$ php test.php 
array(1) {
  [0]=>
  string(7) "enabled"
}
www-data@c2:/tmp$ cat test.php 
<?php
exec("sudo systemctl is-enabled 123solar.service",$output);
var_dump($output);
exit();
?>
www-data@c2:/tmp$

jeanmarc77 commented 12 months ago

yeah but put test.php in your webserver's directory and request test.php from a browser..

basti122303 commented 12 months ago

www-data@c2:/home/www/solar$ cat test.php 
<?php
exec("sudo systemctl is-enabled 123solar.service",$output);
var_dump($output);
exit();

if ($output[0] == "enabled") {
echo 'yeah enabled';
} else {
echo 'nope';
}
?>
www-data@c2:/home/www/solar$ 

Can you see some errors in the PHP error.log or journalctl? What about enabling error logging to the browser?

jeanmarc77 commented 12 months ago

Damn.. I got array(0) { }

jui 11 16:05:21 zbox sudo[2188888]: http : command not allowed ; PWD=/srv/http/123solar/scripts ; USER=root ; COMMAND=systemctl is-enabled 123solar.service
jui 11 16:05:19 zbox sudo[2188888]: pam_unix(sudo:auth): auth could not identify password for [http]
jui 11 16:05:19 zbox sudo[2188888]: pam_unix(sudo:auth): conversation failed
jui 11 16:05:19 zbox sudo[2188888]: pam_systemd_home(sudo:auth): Not a user managed by systemd-homed: No home for user http known
jui 11 16:04:21 zbox sudo[2183209]: pam_unix(sudo:session): session closed for user root
jui 11 16:04:07 zbox sudo[2183209]: pam_unix(sudo:session): session opened for user root(uid=0) by jeanmarc(uid=1000)

basti122303 commented 12 months ago

www-data@c2:/home/www/solar$ echo $HOME
/var/www
www-data@c2:/home/www/solar$ grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
www-data@c2:/home/www/solar$ 

Which OS do you use?

jeanmarc77 commented 12 months ago

[jeanmarc@zbox scripts]$ sudo -u http -s /bin/bash
[sudo] password for jeanmarc: 
[http@zbox scripts]$ echo $HOME
/srv/http
[http@zbox scripts]$ grep http /etc/passwd
http:x:33:33::/srv/http:/usr/bin/nologin
[http@zbox scripts]$ uname -a
Linux zbox 6.4.2-3-MANJARO #1 SMP PREEMPT_DYNAMIC Fri Jul  7 19:19:45 UTC 2023 x86_64 GNU/Linux

basti122303 commented 12 months ago

SELinux or AppArmor? I have no idea anymore

falkiy commented 12 months ago

@jeanmarc77 delete system and exec from disable_functions in the php.ini of your webserver (that means allow them). exec means PHP can execute shell commands, and system means execute + output.

jeanmarc77 commented 12 months ago

Thanks for the tips but disable_functions is empty in my php.ini.. still wondering what's wrong here

falkiy commented 12 months ago

Does the webserver (error) log mention something? Or alternatively, temporarily set display_errors 1 in your php.ini? Pretty sure it's something webserver/PHP-related.

jeanmarc77 commented 12 months ago

@falkiy I got this from systemctl status php-fpm

jui 11 17:47:27 zbox sudo[2671384]: http : command not allowed ; PWD=/srv/http/123solar/scripts ; USER=root ; COMMAND=systemctl is-enabled 123solar.service

nothing much into nginx error log

falkiy commented 12 months ago

for testing, in the sudoers

http ALL=(ALL) NOPASSWD: ALL

Any change? Sounds like some weird sudo problem/stuff.

BTW: would you mind testing with some fresh Debian container or something? We've no idea how your machine is configured exactly, and Manjaro is absolutely not invented for server purposes.

falkiy commented 12 months ago

Other idea @basti122303: let PHP only touch the pid and trigger a systemd path unit / incrond to stop / start the service. Wouldn't be less weird, but would prevent the sudo stuff.

basti122303 commented 12 months ago

I have done some changes. See https://github.com/jeanmarc77/123solar/pull/52

systemctl is-enabled can run without sudo. I have tested it. The next strange thing is that the sudo file does not work as expected. You need to add

http ALL=(ALL) NOPASSWD: ALL

to the sudoers file, else you get

http : command not allowed ; PWD=/srv/http/123solar/admin ; USER=root ; COMMAND=systemctl is-enabled 123solar.service

Allowing the http user to run any command is not what you want.

Please ask the Arch / Manjaro mailing list for more info about that. For me it works on Debian, sorry, I have no idea anymore.

jeanmarc77 commented 12 months ago

I can now run is-enabled, but still got

jui 12 16:38:47 zbox sudo[290969]: pam_systemd_home(sudo:auth): Not a user managed by systemd-homed: No home for user http known
jui 12 16:38:47 zbox sudo[290969]: pam_unix(sudo:auth): conversation failed
jui 12 16:38:47 zbox sudo[290969]: pam_unix(sudo:auth): auth could not identify password for [http]
jui 12 16:38:50 zbox sudo[290969]: http : command not allowed ; PWD=/srv/http/123solar/admin ; USER=root ; COMMAND=systemctl stop 123solar.service

I don't have much time to look at that for now, thanks for the tips @basti122303.

basti122303 commented 12 months ago

The errors of systemd-homed are not relevant here. This is the problem:

jui 12 16:38:50 zbox sudo[290969]: http : command not allowed ; PWD=/srv/http/123solar/admin ; USER=root ; COMMAND=systemctl stop 123solar.service

I wrote about that above.
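
Added example (not code from this thread or from 123Solar): a PHP wrapper for the sudoers-gated systemctl calls discussed above, written so that a refusal by sudo shows up as an exit code and stderr text instead of an empty $output. It assumes PHP 7.4 or later and sudo at /usr/bin/sudo; the function name solar_systemctl is hypothetical.

```php
<?php
// Added example: hypothetical helper, not part of 123Solar.
const SUDO      = '/usr/bin/sudo';        // assumption: location of sudo
const SYSTEMCTL = '/usr/bin/systemctl';   // same absolute path as in the sudoers rules
const UNIT      = '123solar.service';
const ACTIONS   = ['start', 'stop', 'restart', 'is-enabled']; // one per sudoers line

function solar_systemctl(string $action): array
{
    // Only the actions granted in sudoers are accepted; nothing from the
    // request ever reaches the command line unchecked.
    if (!in_array($action, ACTIONS, true)) {
        throw new InvalidArgumentException("action not allowed: $action");
    }
    // Array form (PHP >= 7.4) starts the process directly, without a shell.
    // -n makes sudo fail at once instead of prompting for a password.
    $cmd  = [SUDO, '-n', SYSTEMCTL, $action, UNIT];
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Explicit environment: the web server's own may be empty or localized.
    $env  = ['PATH' => '/usr/sbin:/usr/bin:/sbin:/bin', 'LANG' => 'C.UTF-8'];
    $proc = proc_open($cmd, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        return ['code' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    // exec() returns stdout only; sudo's refusal is written to stderr.
    $stdout = trim(stream_get_contents($pipes[1]));
    $stderr = trim(stream_get_contents($pipes[2]));
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['code' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

$r = solar_systemctl('is-enabled');
if ($r['code'] === 0 && $r['stdout'] === 'enabled') {
    echo 'yeah enabled';
} else {
    // Keep the reason in the server log; do not echo sudo's stderr to the browser.
    error_log("systemctl is-enabled: code={$r['code']} stderr={$r['stderr']}");
    echo 'nope';
}
```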