[SOLVED] OH3: Rule fires, but doesn't execute command line - and return code is always NULL

After I found out that the syntax of the executecommandline command has changed in OH, I hoped that my first rule will work. But it doesn’t. Maybe someone can point out, what I’m doing wrong?

Rule definition:

triggers:
  - id: "1"
    configuration:
      itemName: RestartOHService
    type: core.ItemCommandTrigger
conditions: []
actions:
  - inputs: {}
    id: "2"
    configuration:
      type: application/vnd.openhab.dsl.rule
      script: >-
        val String results = executeCommandLine(Duration.ofSeconds(5),"sudo","/bin/systemctl", "restart", "openhab.service")
        logInfo("RULE", "RestartopenHAB: Restarting openHAB service as requested by user (RC=" + results + ")")
    type: script.ScriptAction

Result in the logfile:

2020-12-26 15:35:34.844 [INFO ] [org.openhab.core.model.script.RULE ] - RestartopenHAB: Restarting openHAB service as requested by user (RC=null)

Thanks!

I’m not sure about the overall performance of your system, but a timeout of 5 seconds seems a bit short for my liking.
Have you tried restarting it manually via shell and measured how long it takes until the prompt comes back?

Thanks, that was a very important hint! It took 34 seconds until the prompt came back. Will try it with 60 seconds for this particular command and report later!

Unfortunately this wasn’t the solution. I still get the “NULL” result code back and the service isn’t restarting.

That’s a shame.
I’d probably try using an absolute path for the sudo binary next, just to make sure PATH is not an issue. For me that’d be /usr/bin/sudo.

Log in to your system in another window and check if the restart is being executed.
You may run

sudo journalctl -xe

to check if there is anything that is being shown to be a problem.

I think the user openhab (this is the user the service runs under) is not in the sudo group while the user openhabian is. To be able to execute sudo commands for user openhab you need to add the user to the sudo group.

usermod --append --groups sudo openhab

Um, you’re expecting to restart openHAB and somehow magically return to the point in the rule where you were before it restarted itself?

No, I don’t. I just want to restart the service.

Finally, a clue:

Dec 26 22:23:50 openHABianPi sudo[6803]: pam_unix(sudo:auth): conversation failed
Dec 26 22:23:50 openHABianPi sudo[6803]: pam_unix(sudo:auth): auth could not identify password for [openhab]

The usermod command didn’t help, still RC=null and no restart is being executed. I added “openhab” and “openhabian”, just to be sure.

I even created a file in sudoers.d with the following content:

> openhab      ALL=(ALL) NOPASSWD: /usr/sbin/shutdown, /usr/sbin/poweroff, /usr/sbin/systemctl
> openhabian   ALL=(ALL) NOPASSWD: /usr/sbin/shutdown, /usr/sbin/poweroff, /usr/sbin/systemctl

Still no luck.

Tried it now using an EXEC thing - same result:

> Dec 26 22:59:55 openHABianPi sudo[8093]: pam_unix(sudo:auth): conversation failed
> Dec 26 22:59:55 openHABianPi sudo[8093]: pam_unix(sudo:auth): auth could not identify password for [openhab]

So it seems to be a rights problem, no matter what I try…

re - returning to rule. Okeydoke, just note that (when it works) you’ll never get your log message, you’d need to do that before pulling the plug.

This isn’t supposed to be an easy thing to do, though it seems others have succeeded. Have you tried putting your command in a batch file or whatever it is under *nix?

Not yet, but under OH2.5 it worked without any problems. On my new OH3 setup I have these problems. Platform is Debian (openHABian).

You are right, this one (NOPASSWD) needed to be added. Sorry, I missed that.
The sudoers file that you created must not end with a ~ and must not contain a dot, otherwise the file will not be taken into account.
Once you added your sudoers file, what error message do you get?
openhab, openhabian are in the sudo group (per default openhab is not in)?
Testing from the command line from within a shell of user openhabian works?
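A lint for the two sudoers points raised in the posts above (drop-in file naming and what the NOPASSWD command list covers), as an added example that is not part of the thread. `SCOPED_DROPIN` and all function names are hypothetical; the check compares paths textually over single-line entries with tags at the start of the list, which is deliberately strict.

```python
import re

# Constructed sample: the drop-in content quoted earlier in the thread.
THREAD_DROPIN = (
    "openhab      ALL=(ALL) NOPASSWD: /usr/sbin/shutdown, /usr/sbin/poweroff, /usr/sbin/systemctl\n"
    "openhabian   ALL=(ALL) NOPASSWD: /usr/sbin/shutdown, /usr/sbin/poweroff, /usr/sbin/systemctl\n"
)
# Hypothetical narrower entry: one command with fixed arguments.
SCOPED_DROPIN = "openhab ALL=(root) NOPASSWD: /bin/systemctl restart openhab.service\n"
# The argv the rule in the first post passes to sudo.
RULE_ARGV = ["/bin/systemctl", "restart", "openhab.service"]

# user  host = (runas)  TAG: ...  command list  (single-line entries only)
ENTRY = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def dropin_name_ok(name):
    """Files whose name contains '.' or ends in '~' are skipped by sudo."""
    return bool(name) and "." not in name and not name.endswith("~")

def nopasswd_commands(text, user):
    """Command specs that `user` may run without a password."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m and m.group("user") == user and "NOPASSWD:" in m.group("tags"):
            specs += [c.strip() for c in m.group("cmds").split(",")]
    return specs

def covers(spec, argv):
    """Same path; a spec without arguments permits any arguments."""
    parts = spec.split()
    return bool(parts) and parts[0] == argv[0] and (
        len(parts) == 1 or parts[1:] == argv[1:]
    )

def allowed_without_password(text, user, argv):
    return any(covers(s, argv) for s in nopasswd_commands(text, user))

if __name__ == "__main__":
    for label, text in (("thread", THREAD_DROPIN), ("scoped", SCOPED_DROPIN)):
        print(label, allowed_without_password(text, "openhab", RULE_ARGV))
```

On a real system, `visudo -c` and `sudo -l -U openhab` give sudo's own answer for the installed files.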

How can I do this check? When I log on via ssh using the openhabian user, I can execute the command without problems.

But as far as I understand the message, there is a problem with the user “openhab”, not with the user “openhabian”.

Success! I found the solution here:

Adding this line

auth sufficient pam_permit.so

in the file /etc/pam.d/sudo solved my problem.
It must be a bug in my openhab/openhabian installation as I started from scratch.

You also read and understood the comments further down on that page? They say:

While adding auth sufficient pam_permit.so is enough to gain access. Using it in anything but the most insecure test environment would not be recommended. From the pam_permit man page:

   pam_permit is a PAM module that always permit access. It does nothing else.

So adding pam_permit.so as sufficient for authentication in this manner will completely bypass the security for all users.

I’m not happy with the trade-off, but I need to get further since I have to rebuild my whole system after I updated to OH3. If someone points out a better solution, I gladly accept it as well.
Since my system is completely closed (no external access) it’s a minor risk I can live with, but still it’s a risk, yes.

Right. If it already works with user openhabian, then it needs to be checked why it does not work with user openhab. As far as I understand, you did the check with the user openhabian. For user openhab the check cannot be done in that way because there is no shell for user openhab.

I haven’t seen any feedback for this check:

openhab, openhabian are in the sudo group (per default openhab is not in)?

Have you checked that?

Yep. They’re all in:

[16:00:09] openhabian@openHABianPi:/etc/openhab$ grep 'sudo' /etc/group
sudo:x:27:openhabian,openhab
[17:20:53] openhabian@openHABianPi:/etc/openhab$