I recently upgraded my Revolution Pi from Stretch to Bookworm OS. In my Node-RED application, I used to restart the Node-RED service once a week using the sudo node-red-restart command in an Exec node.
With the latest release, it appears that running sudo from within Node-RED is no longer supported due to the new sandboxing and privilege restrictions.
I am looking for recommended methods or best practices to achieve the following:
Restart Node-RED at a scheduled time or based on certain application variables.
Reboot the entire hardware once a week.
Ideally, the solution should allow some dynamic control from Node-RED (e.g., conditional restart based on variable values) while complying with the Bookworm OS restrictions.
Any guidance, examples, or suggested approaches would be highly appreciated.
It isn't that bookworm has added restrictions, it is that older pi OS disabled them.
In a terminal run sudo visudo
then add to the end
myusername ALL=(ALL) NOPASSWD: /usr/bin/node-red-restart
where myusername is the name of the user that runs node-red and /usr/bin/node-red-restart is the full path to the command. Run which node-red-restart
to check that is correct for your setup.
That allows the node-red user to run sudo node-red-restart without entering a password, so you can call it in an exec node.
As mentioned , i have tired your suggestion. Got the below response.
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
Also, please refer the below comments mentioned in the Bookworm OS release.
The Node-RED process runs as the system user nodered. All settings and user data are located in the
folder /var/lib/revpi-nodered. This path is also the only path where the user can write data.
The rest of the file system is only available for reading.
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
is a consequence of this line in your /etc/systemd/system/multi-user.target.wants/nodered.service file:
Change true to false (you will have to edit the file using sudo in a terminal) and reboot.
Note that if, as you suggest, this is a new security feature in Node-red (I've never come across it before), there may be better options than merely turning it off.
Are you running the node-red install provided with bookworm or installing it yourself? Certainly this is not a problem running the recommended way of installing node-red on a normal pi. I don't know whether that works on a revpi though.
I duckduckgoed it Colin & found mentions of it in a systemd script for a different application.
Adding the line to my Node-red script on a Pi Zero 2 with Bookworm caused the same message when I ran an exec command with sudo.
As I said, I've never come across it before.
I have no idea where it comes from and I don't see it in the current Pi install script (though it has possibly been added to the model systemd script file).
Even if it was in the install I would not see it because all my Pies already have modified systemd scripts, which do not get overwritten.
I have often pushed for better security of Node-red, I somehow doubt if this is what @Manikandan has stumbled upon.
I suspect that he is running a revpi supplied version of node red. The docs he pointed out are revpi specific. So the title of the thread is misleading, as, if I am right, then this is a revpi issue, not a node-red one.
Look in /usr/lib/systemd/system for the node red service file. Possibly it will be nodered.service or node-red.service and look in there for the line @jbudd suggested. If it is there change it to false and reboot.
That service seems to be some python utilities to allow Node-red to access the GPIO pins and it's not surprising that changing it has no effect on Node-red itself.
There are very good reasons in an industrial setting to prevent Node-red from using sudo.
I may be misunderstanding exactly what you’re asking, but i just use a flow with an exec node to do restarts at specific intervals or manually from the node-red editor. I also use a few tricks with global state variables, inject nodes and virtual switches to survive random restarts and what-not to keep things on track. Happy to provide more details if you’d like.
/usr/bin/node-red-restart is a shell script which calls sudo systemctl restart nodered.
If the Node-red user is prohibited from using sudo it will fail, though maybe the NoNewPrivileges line in a systemd script, which @Manikandan has not confirmed he has, will not prevent sudo in a script.
In which case, what use is it?
That is true if node-red were installed using the Pi install script, but this is not the case here. It is the revpi node red install that is being used. We don't know what is in the command in this case, it could be the command you suggest, but not necessarily.
@Manikandan run which node-red-restart
which will tell you where that file is, possibly something like /usr/bin/node-red-restart. Then look at what is in that using cat /usr/bin/node-red-restart
but using the correct file of course. That will tell you what it is doing.
I think the error would be different if that were the case.
Sorry, I don't understand what you are saying here.
