[Mikrotik follow-up needed] Router OS 6.37.1 - scheduled script cannot execute script

I’ve read the proposed workaround at Problem with global variables with Scripts running from the scheduler

The below code fails in RouterOS 6.37.1:

  1. Create a global variable having a function
  2. Access that variable from a script (getting typeinfo or running it) then log the results
  3. Run the script from the schedule
  4. Wait for the scheduler to run
  5. Print log results

The code has been carefully crafted after reading http://wiki.mikrotik.com/wiki/Manual:Scripting and http://wiki.mikrotik.com/wiki/Manual:System/Scheduler but apparently I’m doing something wrong.

What?

The code below prints these log entries:

07:32:38 script,info direct execution of testFunction 
07:32:38 script,info testFunctionScript 
07:32:38 script,info testFunctionType=str 
07:32:38 script,info testFunctionResult=1w6d01:00:04 
07:32:38 script,info testFunction=;testFunction=(code) 
07:32:38 system,info script removed by jeroenp 
07:32:38 system,info new script added by jeroenp 
07:32:38 script,info execution of testFunction via testFunctionScript 
07:32:38 script,info testFunctionScript 
07:32:38 script,info testFunctionType=str 
07:32:38 script,info testFunctionResult=1w6d01:00:04 
07:32:38 script,info testFunction=;testFunction=(code) 
07:32:39 system,info script removed from scheduler by jeroenp 
07:32:39 system,info new script scheduled by jeroenp 
07:32:39 script,info execution of testFunction via testFunctionScriptSchedule calling testFunctionScript 
07:32:59 system,info changed scheduled script settings by jeroenp

and this scheduler info:

Flags: X - disabled 
 0 X name="testFunctionScriptSchedule" start-date=sep/22/2015 start-time=12:02:37 interval=10s on-event=testFunctionScript owner="jeroenp" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive run-count=2

This means that:

  • the direct execution of the function from the console works
  • the execution of the function from a script works
  • the scheduler executed the testFunctionScriptSchedule twice, but no information gets logged

The test code to reproduce this:

## logon as user jeroenp

/system script environment remove [ /system script environment find where name="testFunction" ];
:global testFunction do={
  :local result [/system resource get uptime];
  :return $result;
}

/system script environment print detail where name=testFunction
# 0 name="testFunction" value=";(eval /system scheduler  (eval /localname=$result;value=(eval (eval /system resource getvalue-name=uptime))) (eval /returnvalue=$result))" 

:log info "direct execution of testFunction"

{
:global testFunction;
:local testFunctionType [:typeof testFunction];
:local testFunctionResult [$testFunction];
:log info "testFunctionScript";
:log info "testFunctionType=$testFunctionType";
:log info "testFunctionResult=$testFunctionResult";
:log info "testFunction=$testFunction";
}

/log print where buffer=memory && (message~"testFunction" || topics~"info")

/system script remove [ /system script find where name="testFunctionScript" ];
/system script add name=testFunctionScript owner=jeroenp policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global testFunction;\r\
    \n:log info \"testFunctionScript\";\r\
    \n:local testFunctionType [:typeof testFunction];\r\
    \n:local testFunctionResult [\$testFunction];\r\
    \n:log info \"testFunctionType=\$testFunctionType\";\r\
    \n:log info \"testFunctionResult=\$testFunctionResult\";\r\
    \n:log info \"testFunction=\$testFunction\";\r\
    \n"

:log info "execution of testFunction via testFunctionScript"

/system script run testFunctionScript

/log print where buffer=memory && (message~"testFunction" || topics~"info")

/system scheduler remove [ /system scheduler find where name="testFunctionScriptSchedule" ];
/system scheduler add interval=10s name=testFunctionScriptSchedule on-event=testFunctionScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/22/2015 start-time=12:02:37

:log info "execution of testFunction via testFunctionScriptSchedule calling testFunctionScript"
:delay 20s
/system scheduler disable testFunctionScriptSchedule

/log print where buffer=memory && (message~"testFunction" || topics~"info")

/system scheduler print detail where name="testFunctionScriptSchedule"

–jeroen

Later:

I found out two things:

  1. the testFunctionScript needs at least these policies to call a function: read, write, policy, test
  2. a schedule needs at least the same permissions as a script in order to run the script at all

This is how the various permissions affect the testFunctionScript script:

  • no policies only allow :log info "testFunctionScript";
  • read allows the above and :local testFunctionJobs [/system script job print as-value detail]; which then is logged with :log info "testFunctionJobs=$testFunctionJobs";
  • only write seems equivalent to no policies as it will only allow :log info "testFunctionScript";
  • read and write is equivalent to read
  • a lone policy or test policy (talk about confusion!) do not add functionality, so any combinations of just policy or test with read and/or write get the same functionality as above
  • policy and test without any other seem equivalent to no policies as they result in only :log info "testFunctionScript"; to execute
  • the combined policies read, write, policy, test allow full script functionality including the function call and using the function call result

The above findings show that more logging is needed: the scheduler should log when (and why!) it does not have enough permissions to run a script. Right now you’re in the dark on when (and why!) a script isn’t run by the scheduler.

The above findings show that these parts of the documentation need updating:

Below is a strike-through of my original text which - due to the bad documentation - was completely in the wrong direction taking me like a working day to find out the actual cause.

So please, please Mikrotik: fix your documentation!

–jeroen

After testing, it appears that a schedule needs the romon policy in order to be able to run a script.

This is unbelievable as http://wiki.mikrotik.com/wiki/Manual:RoMON is a totally different concept than scripting and the romon policy is not documented at http://wiki.mikrotik.com/wiki/Manual:Scripting#Script_repository or http://wiki.mikrotik.com/wiki/Manual:Router_AAA#Properties (it’s only mentioned at the latter place, but not explained let alone linked to scripting).

Please fix this (i.e. running scripts only requiring read/write policy at max) and the documentation!

fails:

/system scheduler add interval=10s name=schedule2 on-event=testFunctionScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=sep/22/2015 start-time=12:02:37

works:

/system scheduler add interval=10s name=schedule3 on-event=testFunctionScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=oct/23/2016 start-time=11:38:17

[/s]

–jeroen

I think you got it completely wrong.

The reason the scheduler cannot execute the script is that the script has more permissions than the scheduler.

Permissions of your added scheduler:
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive

permissions of your added script:
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon

So for the scheduler to be able to run the script, either remove the romon policy from the script or add it to the scheduler.

Isn’t that the point I made in 2. of my previous post:

  1. the testFunctionScript needs at least these policies to call a function: read, write, policy, test
  2. a schedule needs at least the same permissions as a script in order to run the script at all

In that post I further indicate that both 1. and 2. are not documented so should be added to the documentation. I elaborated a bit on how I found out about 1. and what you might want to document.

–jeroen
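The two rules the thread arrives at can be checked offline against exported configuration. The following is an added example, not code from the thread or from MikroTik: it assumes each `/system script add` and `/system scheduler add` command sits on one line (continuation lines already joined), the names `parse_add`, `policy_set` and `audit` are hypothetical, and the sample commands are constructed and shortened from the ones posted above.

```python
import re
# Finding 1 in the thread: policies a script needs to call a global function.
FUNCTION_CALL_POLICIES = {"read", "write", "policy", "test"}
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_add(line):
    """Return the key=value properties of one '/system ... add' line."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def policy_set(props):
    return {p for p in props.get("policy", "").split(",") if p}

def audit(export_text):
    """Return (scheduler, script, problem) tuples for policy mismatches."""
    scripts, schedulers, findings = {}, [], []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/system script add"):
            props = parse_add(line)
            scripts[props["name"]] = props
        elif line.startswith("/system scheduler add"):
            schedulers.append(parse_add(line))
    for sched in schedulers:
        script = scripts.get(sched.get("on-event", ""))
        if script is None:  # on-event is inline code or an unknown script
            continue
        # Finding 2: the scheduler needs at least the script's policies.
        missing = policy_set(script) - policy_set(sched)
        if missing:
            findings.append((sched["name"], script["name"],
                             "scheduler lacks " + ",".join(sorted(missing))))
        # Finding 1, applied only when the script declares a global.
        lacking = FUNCTION_CALL_POLICIES - policy_set(script)
        if ":global" in script.get("source", "") and lacking:
            findings.append((sched["name"], script["name"],
                             "script lacks " + ",".join(sorted(lacking))))
    return findings

# Constructed sample, shortened from the commands in the thread.
SAMPLE = r'''
/system script add name=testFunctionScript owner=jeroenp policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global testFunction;\r\n:log info \"testFunctionScript\";"
/system scheduler add interval=10s name=schedule2 on-event=testFunctionScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive
/system scheduler add interval=10s name=schedule3 on-event=testFunctionScript policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
/system script add name=lowPrivScript policy=read source=":global testFunction; [$testFunction];"
/system scheduler add interval=1m name=schedule4 on-event=lowPrivScript policy=read
'''
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

Because the scheduler gives no log entry when it skips a script for lack of policies, a check like this on the exported configuration is one way to catch the mismatch before a scheduled job silently stops running.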