Data Collection on Turris OS 5.1.4

I have received my Omnia. With medkit I updated to Turris OS version 5.1.4 and started the first configuration from there. After activating the WAN and setting up the WiFi, I downloaded the Data Collection packages from reForis and confirmed acceptance of the EULA. But I notice that even after a reboot the dynamic firewall and the other Data Collection packages are not started. reForis just installs them, but they are not active. ipset list does not return values. After manually starting and enabling sentinel-dynfw-client, sentinel-minipot and sentinel-proxy, everything seems to work normally. But how is turris-survey activated? Is the failure to activate the services a bug, or am I doing something wrong?

Go to LuCI and check your syslog? In there you will see (if it pings to the pivo republic) something like this:

Dec 6 02:30:01 turristhuis crond[1160]: (root) CMD (/bin/sh -c "source /lib/functions/sentinel.sh; allowed_to_run "nikola" && exec sentinel-nikola --random-sleep")
Dec 6 02:30:01 turristhuis crond[1162]: (root) CMD (/usr/bin/get-api-crl)
Dec 6 02:30:01 turristhuis crond[1155]: (root) CMDOUT (There is no message to send.)
Dec 6 02:30:01 turristhuis crond[1154]: (root) CMDOUT ( % Total % Received % Xferd Average Speed Time Time Time Current)
Dec 6 02:30:01 turristhuis crond[1154]: (root) CMDOUT ( Dload Upload Total Spent Left Speed)
Dec 6 02:30:02 turristhuis crond[1154]: (root) CMDOUT ( 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0100 1080 100 1080 0 0 1636 0 --:--:-- --:--:-- --:--:-- 1839)
Dec 6 03:30:10 turristhuis syslog-ng[15487]: Configuration reload request received, reloading configuration;
Dec 6 03:30:10 turristhuis syslog-ng[15487]: Configuration reload finished;
Dec 6 03:30:10 turristhuis sentinel_nikola: Logrotate took 0.125298 seconds
Dec 6 02:30:10 turristhuis crond[1157]: (root) CMDOUT (Logrotate took 0.125298 seconds)
Dec 6 03:30:10 turristhuis sentinel_nikola: Syslog parsing took 0.075746 seconds
Dec 6 02:30:10 turristhuis crond[1157]: (root) CMDOUT (Syslog parsing took 0.075746 seconds)
Dec 6 03:30:10 turristhuis sentinel_nikola: Records parsed: 110
Dec 6 02:30:10 turristhuis crond[1157]: (root) CMDOUT (Records parsed: 110)
Dec 6 03:30:10 turristhuis sentinel_nikola: Sending records took 0.002383 seconds
Dec 6 02:30:10 turristhuis crond[1157]: (root) CMDOUT (Sending records took 0.002383 seconds)

This post is too long. What exactly should I look for in the syslog? However, if I do not manually activate the firewall, ipset is empty and the firewall itself is not among the active processes.

Did you wait after the installation? As the ipset is filled via a cron job, it might take some time.

Yes, I have had everything installed for two days. But no change.

I had to mark them to get started, using LuCI (advanced administration). Can you check there if they are enabled at start?
LuCI / System / Startup

Of course they are active in LuCI, because I activated them from the terminal, which is the same. Did you also have the same non-activation problem after installation? How is turris-survey activated?

I have posted my problem here:

After starting them manually, dynamic firewall works properly.

Looks like turris-survey is run by cron:

Dec 6 05:00:01 turris crond[20157]: (root) CMD (/bin/sh -c "source /lib/functions/sentinel.sh; allowed_to_run "survey" && exec turris-survey")

Thanks. I hadn’t seen your post. However we are now at 5.1.x, but it still seems to not work. Do you know of a working workaround?

Did you start them, enable start at boot, or both?

I guess for the survey to run you must wait until 05:00 (am).

Sentinel reports this to syslog every 15 minutes.

Dec  6 18:30:01 turris crond[19766]: (root) CMD (/bin/sh -c "source /lib/functions/sentinel.sh; allowed_to_run "nikola" && exec sentinel-nikola --random-sleep")
Dec  6 19:30:20 turris sentinel_nikola: Logrotate took 0.091730 seconds
Dec  6 19:30:20 turris sentinel_nikola: Syslog parsing took 0.045344 seconds
Dec  6 19:30:20 turris sentinel_nikola: Records parsed: 60
Dec  6 19:30:20 turris sentinel_nikola: Sending records took 0.002144 seconds

And here are my processes running:

root      3491  0.0  0.7  19860 16032 ?        Sl   03:33   0:08 python3 /usr/bin/sentinel-dynfw-client --ipset turris-sn-dynfw-block --cert /var/run/dynfw_server.pub --renew
root      6565  0.0  0.2   9944  5624 ?        Sl   03:33   0:04 sentinel-proxy
root      6758  0.0  0.1   7308  3724 ?        Sl   03:34   0:02 /usr/bin/sentinel-minipot --ftp=2133 --http=8033 --smtp=5873 --telnet=2333
nobody    6778  0.0  0.0   7172   312 ?        S    03:34   0:00 /usr/bin/sentinel-minipot --ftp=2133 --http=8033 --smtp=5873 --telnet=2333
nobody    6779  0.0  0.0   7364  1152 ?        S    03:34   0:00 /usr/bin/sentinel-minipot --ftp=2133 --http=8033 --smtp=5873 --telnet=2333
nobody    6780  0.0  0.0   7372   312 ?        S    03:34   0:21 /usr/bin/sentinel-minipot --ftp=2133 --http=8033 --smtp=5873 --telnet=2333
nobody    6781  0.0  0.0   7136   312 ?        S    03:34   0:00 /usr/bin/sentinel-minipot --ftp=2133 --http=8033 --smtp=5873 --telnet=2333

I guess the first one fills up the turris-sn-dynfw-block ipset.
It took some time before I had the ipset filled up.

Both as a terminal, as a light it seems to me that all I need to do is enable to do both.

I’ll wait, I don’t know.

Now that I have everything enabled the firewall rules are full. But shouldn’t this be automatic?
But the most important thing is figuring out if activating those three services manually does the trick.

I understood that the problem may derive from the service responsible for the automatic start of the services once installed (the problem has to be confirmed). But I can say that by enabling and starting all the Data Collection services from the terminal or from LuCI everything seems to work fully.

Enable in LuCI means enable starting at boot time. Just FYI.

I agree it should… but I’m not going to test it once I was able to make it run.
Maybe if I had TOS in virtual machine, not on “production” router :slight_smile:

You could do testing via schnapps. That’s easy and foolproof (as long as you don’t lock yourself out of the router). You can very easily revert to the version that came with the medkit, and then switch back to your working state.

To automate the process and have everything as it should be, proceed with the installation from the terminal with ssh: https://docs.turris.cz/basics/collect/setup/
Everything will start up as if by magic.
For use on production systems :wink:
For the corresponding Data Collection tab in reForis, you can then start the installation of the related packages from reForis: it will simply add the desired tab.
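
The checks made by hand throughout this thread (are the three Sentinel services enabled at boot, are they running, and is the turris-sn-dynfw-block ipset populated) can be collected into one script. This is an added example, not part of the original posts and not Turris project code; it assumes the init scripts live in /etc/init.d under the service names used above and that `ps aux` or plain `ps` is available on the router.

```shell
#!/bin/sh
# Added example: status check for the Sentinel services named in this thread.
SERVICES="sentinel-dynfw-client sentinel-minipot sentinel-proxy"
IPSET_NAME="turris-sn-dynfw-block"
INITD_DIR="${INITD_DIR:-/etc/init.d}"   # assumed location; overridable for offline testing

# Count the entries that follow the "Members:" line of `ipset list` output (stdin).
count_ipset_members() {
    awk 'seen && NF { n++ } /^Members:/ { seen = 1 } END { print n + 0 }'
}

# Succeed if the service name appears anywhere in a process listing (stdin).
service_in_ps() {
    grep -qF -- "$1"
}

# Print one line per service and return non-zero unless every service is
# both enabled at boot and running. $1 = text of a process listing.
report_services() {
    listing="$1"
    status=0
    for svc in $SERVICES; do
        enabled=no
        running=no
        # OpenWrt init scripts exit 0 for "enabled" when start-at-boot is set.
        "$INITD_DIR/$svc" enabled >/dev/null 2>&1 && enabled=yes
        printf '%s\n' "$listing" | service_in_ps "$svc" && running=yes
        echo "$svc enabled=$enabled running=$running"
        [ "$enabled" = yes ] && [ "$running" = yes ] || status=1
    done
    return "$status"
}

# Live run, only on a router that has the packages installed.
if [ -x "$INITD_DIR/sentinel-proxy" ]; then
    ps_out=$(ps aux 2>/dev/null || ps)   # assumption: one of these forms works
    report_services "$ps_out" || echo "WARNING: a service is not enabled or not running"
    entries=$(ipset list "$IPSET_NAME" 2>/dev/null | count_ipset_members)
    echo "$IPSET_NAME entries: $entries"
fi
```

A service reported as running but not enabled will not come back after a reboot, which is the state described after a manual start without enabling.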