[Solved] How to control a raspi with mqtt?

Hi, I have a Raspi 2 as an ambilight controller and want to send commands like stop hyperion etc. to that machine. Can you show me a best practice?

As always, there are various ways to do this. Perhaps the main thing to think about before getting started is security. Assuming that you are running with a standard Pi and Node-RED setup, you are running Node-RED under the Pi user. This is OK as long as you never connect your Pi to outside of your local network.

The default setup requires a passcode to be entered when running system commands as the pi user with sudo.

So to be able to call system commands such as stopping a service from within Node-RED, you typically use the exec node but would need to prefix the command with sudo, which would prompt for a passcode that you cannot then provide very easily in a flow.

There are probably 3 main ways to get around this. Each has strengths and weaknesses and you will need to decide which is best for your use-case:

  1. Change the sudo permissions for the pi user so that a password is not required for certain system commands.

    This is the easiest of course and you can look up the sudoers command. It is also somewhat dangerous but OK as long as you can guarantee that you will NEVER let the Pi be accessible (directly or indirectly) from the Internet.

  2. Put the commands into a bash script with the password embedded.

  3. Change the bash input stream to take the password from the exec node.

    These two are quite similar; #3 is marginally safer since you could, if you wanted to, put the password into a configuration node. There is a node that lets you do that; sorry, the name escapes me. Still not very safe though. Personally, if you only look this far, I would choose #1.

  4. Write a separate service (using node.js, python or bash, etc) that has the permissions and validates specific input to only allow certain commands from Node-RED only.

    This is certainly a more secure option by far as long as you write the service correctly - not that hard actually in either Node.js (JavaScript of course) or Python. Not that hard in BASH either as long as you know BASH reasonably well.

    With this option, you could also use any web development skills you might have to add extra security.

    Indeed, it would be very easy to write a service that directly took commands from MQTT if you wanted it to, with Node-RED not directly involved. That would likely be a more robust solution in fact, though possibly only if your development skills are up to it.
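
A sketch of option 4, added here as an example and not part of the original reply: a small Python service that maps MQTT payloads to fixed, allowlisted `systemctl` invocations and rejects everything else. The topic name `home/ambilight/cmd` and the unit name `hyperion.service` are assumptions; adjust them to your setup.

```python
#!/usr/bin/env python3
"""Allowlisted command service for option 4 (added example)."""
import subprocess
import sys

# Assumptions: topic and systemd unit names are placeholders for this sketch.
TOPIC = "home/ambilight/cmd"
UNIT = "hyperion.service"

# Payload -> fixed argv. Nothing from the message is ever placed in argv.
ALLOWED = {
    "start": ["systemctl", "start", UNIT],
    "stop": ["systemctl", "stop", UNIT],
    "status": ["systemctl", "is-active", UNIT],
}
MAX_PAYLOAD = 16  # bytes; every valid command is shorter than this


def run_argv(argv):
    """Run a fixed argv without a shell and return its exit code."""
    return subprocess.run(argv, shell=False, timeout=10, check=False).returncode


def handle_message(topic, payload, runner=run_argv):
    """Validate one MQTT message (payload as bytes); return (accepted, detail)."""
    if topic != TOPIC:
        return False, "unexpected topic"
    if len(payload) > MAX_PAYLOAD:
        return False, "payload too long"
    try:
        command = payload.decode("ascii").strip().lower()
    except UnicodeDecodeError:
        return False, "payload not ASCII"
    argv = ALLOWED.get(command)
    if argv is None:
        return False, "command not in allowlist"
    return True, "exit=%d" % runner(argv)


if __name__ == "__main__":
    # One payload per line on stdin, e.g. piped from:
    #   mosquitto_sub -t home/ambilight/cmd
    for line in sys.stdin.buffer:
        ok, detail = handle_message(TOPIC, line.rstrip(b"\r\n"))
        print("accepted" if ok else "rejected", detail, file=sys.stderr, flush=True)
```

Piping `mosquitto_sub -t home/ambilight/cmd` into the script feeds it one payload per line. Run it under an account that is allowed to manage only that unit, so Node-RED itself needs no sudo rights.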

Thanks for your reply.
I finally played around with node-red-contrib-ssh-v2-reconnection and a Sonoff plug with measuring.
If "Power" is under 11 Watt ambilight is switched off and over 10 Watt it is switched on.

I think it is the best solution without hacking tons of code into an IDE or stealing code without understanding what it does.

node-red-contrib-credentials

Isn't this node suffering a fairly significant (still unresolved) issue at the moment? Hidden field not hidden · Issue #3 · Steveorevo/node-red-contrib-credentials · GitHub

I wasn’t aware of that, and you’re right. I can see what causes it too. It’s an error by design looking at the code. All credentials-rules set up are stored in a complex object in a single credentials field stored as “text”, meaning encrypted in the credentials but entirely received and gotten back at config time.
