I have had a couple close calls lately that have me wondering about a better way to go about this.
I have a cyberpower UPS providing power to a ubuntu server, as well as a raspberry pi 3+B (running close to stock openhabian 2.4, all software updated recently using openhabian-config).
With power failures, the cyberpower UPS is able to run a script on the ubuntu server when the backup battery is getting low, as well as shut down the ubuntu server afterwards.
What I’m wondering is what the best way of triggering a shutdown of the raspberry pi remotely would be. I have set up ssh on both machines, and added my public key to the openhabian’s ~/.ssh/authorized_keys, and chmod’d the permissions to 664.
Partial success. I can now connect via ssh from my ubuntu server with:
ssh firstname.lastname@example.org, without needing to enter a password.
similarly, I can run
ssh email@example.com ls
and it displays the result of the ls without requiring a password
If, instead, I use
ssh firstname.lastname@example.org -t sudo shutdown -h -P now
it forces me to enter a password, which completely prevents the entire point, of the shutdown being triggered by the low battery script.
(similar results with attempting to run any sudo command)
Any suggestions on how to get this done, or if there are better ways of triggering this? Ideally, I’d like to maintain as much other security as possible in the device.
I use an APC back-ups with apcupsd, may this daemon supports your Cyberpower UPS also, some models are identical. If not, you could try networkupstools package (nut), what supports more vendors. Both software can run as master (the ups connected to te local pc via usb or serial port) or slave (the daemon connects to the master host via IP). When the UPS provides battery information to the master, the slaves read it via the LAN. There is no other connections need, you can configure every slaves, what threshold value (voltage or remaining time) triggers the clean shutdown. I’ve got a RP3b+ with openhab, it’s connected to the UPS via usb, and an Intel NUC as Kodi and a Synology DS213 as NAS. Every host runs apcupsd, and works fine. I did a test run with a higher treshold (85%), and every boxes went down with a clean shutdown by the apcupsd. Synology is an old one, it needs more time to start after te power comes back, so I’ve set the NUC’s bios to no bootup after power returns. The RPI cannot do poweroff, so it will boot up again, and I can use wakeonlan package to start the others controlled. It needed, because kodi uses NAS as media library. apcupsd nut
The best way would be to set up and configure NUT. One of your computers plugged into the UPS will be the NUT server. The RPi will be set up as a NUT client. You can then configure the clients to shut down when the power gets below a defined point and you can somewhat control the order that your machines close down (e.g. you want the NUT server to close last).
There is a binding in OH for NUT so you can monitor your battery and do stuff in OH in response as well.
Have you given the openhabian user permission to run shutdown without a password in sudoers?
On an RPi (and pretty much all Debian based Linux distros) you cannot log in or ssh directly to root. You can only log in as a normal user and sudo.
Adding to the group sudo gives that user rights to call sudo, but it does not give that user rights to run commands using sudo without providing a password. You need to explicitly give those rights in the sudoers config. openhabian is already a member of sudo.
As Danny indicates, you will want to use visudo to edit the sudoer’s file. Please do not give the openhabian user permission to run ALL commands without a password.
Thanks, this was the seed I needed. For any others putting this together later, visudo is needed to edit users’ sudo permissions (using your system’s default text editor, not necessarily vi). The order of variables can be a bit challenging to sort out, especially as most examples out there simply use a series of ‘all’ values. The line I needed to enter in visudo (which uses nano on openhabian) was
openhabian ALL=(ALL) NOPASSWD: /sbin/shutdown
openhabian = user being modified
ALL (1) = openhabian on ALL hosts
(ALL) = can switch to ALL users
NOPASSWD = don’t require a password for : commands
[you can add multiple commands separated by commas]
Please correct me if I have something incorrect in the descriptions, but I can verify that this addition in the sudoers file (via visudo) works for me to allow SSH shutdown from my ubuntu server via an SSH command:
ssh email@example.com -t sudo shutdown now
As I am using the default daemon from Cyberpower (pwrstatd), I then edited the /etc/pwrstatd-lowbatt.sh to include the above ssh command. I am thinking I’ll eventually switch to the NUT solution above (and if I didn’t already have the pwrstatd service running, I probably would have started with the NUT application as it is much more flexible).