OPNsense Forum
Archive => 20.7 Legacy Series => Topic started by: comet on January 11, 2021, 02:24:29 am
-
What I am looking for is a way to run a bash script from a different machine on the LAN side of the network that will gracefully power off the router prior to powering itself down. This would be for a very rare use case but I do need it to work reliably if it is run. Is there any relatively easy way to do this?
-
ssh into your opnsense router and run shutdown -p now?
-
You can use an API call to power it off
-
ssh into your opnsense router and run shutdown -p now?
That won't work from a bash script, because when you ssh in you get the menu, not a command prompt. AFAIK there is no way to pick the proper selection from the menu from a bash script.
-
You can use an API call to power it off
This sounds promising. Got any details on how to do this from a bash script? I'm not really familiar with how API calls work.
-
Just read the docs about API usage, then in your browser type F12 and diagnose network traffic and click reboot or poweroff, then you can see the API commands the browser is using. This will also work via curl bash script.
-
Just read the docs about API usage, then in your browser type F12 and diagnose network traffic and click reboot or poweroff, then you can see the API commands the browser is using. This will also work via curl bash script.
Thank you. Searching for info on that led me to this thread: https://forum.opnsense.org/index.php?topic=3007.0
So I'm assuming from that this would now work in my case:
curl -XPOST -d '{}' -H "Content-Type: application/json" -k -u "APIKEY":"APISECRET" https://192.168.1.1/api/core/firmware/poweroff
But it says "Note that this requires the user to have firmware page privileges" and I assume that relates to the APIKEY and APISECRET values. And then there is a different format given on the documentation page at https://docs.opnsense.org/development/api/core/firmware.html and from that I surmise that this simplified form should work:
curl -k -u "$key":"$secret" https://192.168.1.1/api/core/firmware/poweroff -v
So then I am wondering how you set the APIKEY/$key and APISECRET/$secret values. I found this information at this page: https://docs.opnsense.org/development/api.html#introduction
The $key and $secret parameters are used to pass the API credentials using curl. You need to set these parameters with your own API credentials before using them in the examples:
key=w86XNZob/8Oq8aC5r0kbNarNtdpoQU781fyoeaOBQsBwkXUt
secret=XeD26XVrJ5ilAc/EmglCRC+0j2e57tRsjHwFepOseySWLM53pJASeTA3
Now that would be helpful, if only it told where to get that key and secret. I wish whoever wrote that page would have taken the extra ten seconds to create a link, something like "How to set up API credentials. (https://docs.opnsense.org/development/how-tos/api.html)" Anyway on that page it says:
API keys are managed in the user manager (system_usermanager.php), go to the user manager page and select a user. Somewhere down the page you will find the API section for this user.
(https://docs.opnsense.org/_images/Usermanager_add_api_key.png)
Click on the + sign to add a new key. When the key is created, you will receive a (single download) with the credentials in one text file (ini formatted). The contents of this file look like this:
key=w86XNZob/8Oq8aC5r0kbNarNtdpoQU781fyoeaOBQsBwkXUt
secret=XeD26XVrJ5ilAc/EmglCRC+0j2e57tRsjHwFepOseySWLM53pJASeTA3
So I am assuming that once you get the text file you open that up and use the key and secret from that. But also on that same page it says:
Using curl
Simple testing with curl is also possible, the sample below uses the same credentials, but ignores the SSL certificate check (-k) for testing.
curl -k -u "w86XNZob/8Oq8aC5hxh2he+vLN00r0kbNarNtdpoQU781fyoeaOBQsBwkXUt":"puOyw0Ega3xZXeD26XVrJ5WYFepOseySWLM53pJASeTA3" https://192.168.1.1/api/core/firmware/status
And schedule the actual upgrade of all packages using:
curl -XPOST -d '{"upgrade":"all"}' -H "Content-Type: application/json" -k -u "w86XNZob/8Oq8aC5hxh2he+vLN00r0kbNarNtdpoQU781fyoeaOBQsBwkXUt":"puOyw0Ega3xZXeD26XVrJ5WYFepOseySWLM53pJASeTA3" https://10.211.55.100/api/core/firmware/upgrade
So, yet two more forms of the curl command, and I have no idea which is the correct one to use. For example in the second example curl command above there is a -v at the end of the line but in the third example which also uses the simplified form there is no -v, and believe it or not I cannot find where in the documentation it explains what those options do.
This a case of documentation written for programmers rather than for users! I don't mean to be too critical because at least there is documentation, but this is probably why many users never even try to use some of the advanced features of OPNsense - the documentation that explains how to do it isn't written for us. Look at how many pages I had to go to in order to find this information, and even then I still have the unresolved question of which form of the curl command is correct. And I still have no idea what the -k, -u, and -v options do because I simply could not find any page where those are explained!
-
man curl
Then you'll get all options.
I didn't check the syntax for shutdown, but using the API is usually for coders, not for users :)
So, you go to user root, create and api key and save, then you use root as user and key:secret like in the file.
I believe for shutdown a simple curl (without XPOST) should be enough, as you would save date to OPN with a POST.
-
Thanks for that. I didn't realize those were curl options, I thought they were API options. If they are curl options then
-k allows curl to proceed and operate even for server connections otherwise considered insecure.
-u specifies that user:password follows
-v makes curl verbose during the operation (probably would not want this unless debugging).
Now it makes sense, I think!
-
Play around a bit. If you still fail Ping me again