toggledbits / Vera-Decouple

Scripts to decouple Vera Home Automation Controllers from their parent cloud services

(Partial)couple? Stabilize while maintaining access via Vera app and Amazon Alexa integration. #5

Open polskikrol opened 3 years ago

polskikrol commented 3 years ago

Read through your script, and thinking that quite a few of the modifications can be performed to stabilize the system, while still maintaining partial Vera and Amazon Alexa integration. Namely, the following are some services I still would like to use:

Tried for a while to lock down the firewall policy for the Vera outbound, but it performs silly network checks like PING (why???). I have a setup where I use a hardware firewall for DNS/DHCP/NTP, and this is the local gateway next hop. So thinking it should be trivial to set up a 'partial decouple lite' where one could migrate DNS/NTP and any other local service (including the network monitoring) local into the network. Thoughts?

toggledbits commented 3 years ago

I've published the commands for NTP and DNS previously in several places. The network monitoring is pretty tightly coupled and getting it out is one of the more aggressive fixes the script has to do.

Since the server list for other things updates periodically, presumably based on their attempts to load level or other factors, there's no telling where notifications, backups and firmware update queries will be handled. They could change any time. Decoupling prevents that; so, if you don't fully decouple, your efforts to control these destinations will fail.

polskikrol commented 3 years ago

So is there a way to only perform the items mentioned in the 1st paragraph? Trash the network monitoring, and fix NTP/DNS locally, while keeping the rest of the coupling in place?

toggledbits commented 3 years ago

I mentioned in another post here that this decoupling script does not prevent the system from accessing other cloud services. Have you actually tested the Alexa integration to see if it works or not after decoupling? I think there's a high probability it will continue to work. And if that's the case, the Internet check can be properly disabled by decoupling.

Separately:

NTP:

uci set ntpclient.@ntpserver[0].hostname=server1
uci set ntpclient.@ntpserver[1].hostname=server2
uci set system.ntp.server="server1 server2"
uci commit ntpclient
uci commit system.ntp
/etc/init.d/sysntpd restart
/etc/init.d/ntpclient restart

DNS:

uci set dhcp.@dnsmasq[0].server="dnsserver1 dnsserver2"
/etc/init.d/dnsmasq restart

Disabling the Internet check requires considerably more surgery, as I said, and is probably best left in the context of full decoupling.

polskikrol commented 3 years ago

So, I ended up looking closely through the decouple script and 'picking and choosing' what I wanted to disable. Namely, fixed up NTP and DNS to be localized to the firewall interface, removed provisioning access, and removed network monitor. Of course, saved changed files to .old where possible, and documented removed symlinks. Documenting my modifications below.

The only issue I still see is that on my firewall, the Vera still attempts to PING various destinations, i.e. one.one.one.one, 4.4.4.4, 8.8.8.8, www.amazon.com, www.google.com, etc. Also, checking the log file for network_monitor, see the following:

2020-12-14_15:50:52 -[2638]- Ping host : test.mios.com ping: bad address 'test.mios.com'

Lovely part is that this doesn't even exist in external DNS! Looks like the script continues to ping that list of hostname entries to see if the Internet is up.

NOTE: Fixed up 'cmh-ra' to run as it's needed for the proxy capability to allow the iPhone app to work. Disabled the PING firewall rule, and despite the failure, can still access the Vera for now via testing. Suppose the changes to scripts hardcode the favorable return code, so these 'health checks' still run, but even if they fail, they show as status OK.

#Localize NTP to FW interface
uci set ntpclient.@ntpserver[0].hostname=100.65.106.254
uci set system.ntp.server="100.65.106.254"
# Delete the extra anonymous ntpserver sections highest index first: uci renumbers
# @ntpserver[N] after each delete, so deleting [1] then [2] then [3] would skip entries.
uci delete ntpclient.@ntpserver[3]
uci delete ntpclient.@ntpserver[2]
uci delete ntpclient.@ntpserver[1]
uci commit ntpclient
uci commit system.ntp
/etc/init.d/sysntpd restart
/etc/init.d/ntpclient restart
rm -f /etc/rc.d/S*mios_fix_time*

#Localize DNS to FW interface
uci set dhcp.@dnsmasq[0].server="100.65.106.254"
/etc/init.d/dnsmasq restart

#Remove Provisioning Access
rm -f /etc/rc.d/S*-provision_vera*
# Symlink removed by the line above, recorded here for reference (ls -l output, not a command):
# lrwxrwxrwx    1 root     root            27 Dec 31  1999 S480-provision_vera -> ../init.d/provision_vera.sh

#Remove Network Monitor
mv /usr/bin/InternetOk /usr/bin/InternetOk.old
echo 'exit 0 # decouple' >/usr/bin/InternetOk
chmod +rx /usr/bin/InternetOk
mv /usr/bin/Rotate_Logs.sh /usr/bin/Rotate_Logs.sh.old
sed '/^NM_WATCHDOG_FILE=/,/^fi/c \
    # decouple removed \
    ' </mios/usr/bin/Rotate_Logs.sh >/usr/bin/Rotate_Logs.sh
chmod +rx /usr/bin/Rotate_Logs.sh
mv /usr/bin/Start_NetworkMonitor.sh /usr/bin/Start_NetworkMonitor.sh.old
sed '/===BEGIN===/a \
    log "$0 disabled by decouple" # decouple \
    touch /var/run/nm.stop # decouple \
    exit 0 # decouple \
    ' </mios/usr/bin/Start_NetworkMonitor.sh >/usr/bin/Start_NetworkMonitor.sh
chmod +rx /usr/bin/Start_NetworkMonitor.sh
cp /etc/init.d/check_internet /etc/init.d/check_internet.old
awk '/bin\/Start_NetworkMonitor.sh/ { print "touch /var/run/nm.stop # decouple.sh"; print $0; next } { print; }' </etc/init.d/check_internet >/tmp/decouple.tmp && \
mv /tmp/decouple.tmp /etc/init.d/check_internet
chmod +rx /etc/init.d/check_internet
/etc/init.d/check_internet stop
touch /var/run/nm.stop
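Since the remaining question in this thread is which destinations the Vera network monitor still probes after a partial decouple, here is an added helper (not part of Vera-Decouple or the user's commands) that summarises the network_monitor log by pinged host and flags hosts outside the set you intend to allow through the firewall. The log line layout is taken from the line quoted above; the sample log is constructed, and the log path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example, not from the Vera-Decouple project. Works with the busybox
# awk/grep/sort found on the Vera as well as on a desktop shell.
# Assumed log line format (from the thread):
#   2020-12-14_15:50:52 -[2638]- Ping host : test.mios.com ping: bad address 'test.mios.com'

# Constructed sample log so the example runs offline; replace with the real file.
SAMPLE_LOG="${TMPDIR:-/tmp}/nm_sample.log"
cat >"$SAMPLE_LOG" <<'EOF'
2020-12-14_15:50:52 -[2638]- Ping host : test.mios.com ping: bad address 'test.mios.com'
2020-12-14_15:51:02 -[2638]- Ping host : 8.8.8.8
2020-12-14_15:51:12 -[2638]- Ping host : www.google.com
2020-12-14_15:52:02 -[2638]- Ping host : 8.8.8.8
2020-12-14_15:52:52 -[2638]- Ping host : test.mios.com ping: bad address 'test.mios.com'
EOF

# nm_ping_summary LOGFILE: one line per probed host, "host attempts dns_failures",
# sorted by host so the output is stable enough to diff between runs.
nm_ping_summary() {
    awk '
        /Ping host :/ {
            host = $6                       # token right after "Ping host :"
            attempts[host]++
            if ($0 ~ /bad address/) bad[host]++   # name did not resolve on local DNS
        }
        END {
            for (h in attempts)
                printf "%s %d %d\n", h, attempts[h], bad[h] + 0
        }' "$1" | LC_ALL=C sort
}

# nm_unexpected_hosts LOGFILE HOST...: probed hosts that are not among HOST...
# (the destinations you deliberately allow outbound); anything printed here is
# traffic the firewall will keep seeing until the monitor is really stopped.
nm_unexpected_hosts() {
    log="$1"; shift
    allowed=" $* "
    nm_ping_summary "$log" | while read -r host attempts bad; do
        case "$allowed" in
            *" $host "*) ;;
            *) echo "$host" ;;
        esac
    done
}

nm_ping_summary "$SAMPLE_LOG"
echo "--- not on allow-list:"
nm_unexpected_hosts "$SAMPLE_LOG" 8.8.8.8
```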