Community discussions

MikroTik App
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

upgrade-package-source

Wed Mar 17, 2010 5:49 am

Ok I have finally given up on this. When executing the /system upgrade upgrade-package-source cmd, it will prompt you for a

[admin@Mikrotik] > /system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate
password: <- THIS IS THE PART I AM HAVING TROUBLES SCRIPTING BELOW AND THERE IS NO SET PASSWORD OPTION

Here is the issue. There is no cmd to add/edit/anything the password during or after. This makes scripting the password impossible so far. You can only edit the name and the source. If you copy and paste -

/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate
p4$$w0RD

into the terminal, this works fine. But put that same code into /system script and it does not work. Anyone have any ideas? Here is my current (not working) script where I attempted to use \r\n. I've tried several variations, including opening the created script in the gui and putting the password on line 2 -

/system script add name=pkgsource source={/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate \r\n p4$$w0RD}


Here what I am trying to push from start to finish if anyone is interested. It basically adds 2 scripts. The first sets the auto update server, the second checks for firmware updates and installs if necessary. If you tell me I should just copy and paste in the cmd line, I'll tell you I'm dealing with over 300 routers so that's not an option, :lol: -

#Remove Package Source Entry
foreach i in=[/system upgrade upgrade-package-source find] do={/system upgrade upgrade-package-source remove $i;};
#Remove All Scripts
foreach i in=[/system script find] do={/system script remove $i;};
#Upgrade Package Source
/system script add name=pkgsource source={/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate \r\n p4$$w0RD}
#Upgrade Script
/system script add name=upgrade source={/system upgrade refresh; :delay 10; :if ([/system upgrade get [/system upgrade find source=1.1.1.1] status]!="installed") do={/system upgrade download-all reboot-after-download=yes}}
#Run Upgrade Scripts
/system script run pkgsource
/system script run upgrade
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Thu Mar 18, 2010 11:39 pm

So there's no one in here that knows how to script the "/system upgrade upgrade-package-source" command where it asks for the password: ?
 
fewi
Forum Guru
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: upgrade-package-source

Thu Mar 18, 2010 11:51 pm

I don't think you can script it internally. Bad oversight by MT, definitely contact support.

As a workaround, don't use the internal scripts or API but use an external host that can push communication by faking out a terminal session. Net::SSH::Perl should work, or even just a simple solution using expect.
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Fri Mar 19, 2010 4:34 am

Thanks for the reply. We did get it to work by pushing it as into /system/scripts using the API. But 4.6 seems to have broken that. We used to be able to run it from /system scripts just like this with the password on a new line -

/system upgrade upgrade-package-source add address=1.1.1.1 user=mtupdate
p4ssw0RD

Now our app is using pure SSH with a line by line txt file. We would have to make a custom EXPECT to automate the upgrades. Not that big of a deal, but very frustrating. You should be able to script every function of this router. I can also see running /system/reboot as being a problem now as well. I don't know how many other cmds have this issue. Anyone else with suggestions? Mirotik, any chance we can get this changed in a future release?
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: upgrade-package-source

Fri Mar 19, 2010 8:31 am

through API
/system/reboot
does not ask anything, just reboots.
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Fri Mar 19, 2010 9:56 pm

Ok, so how do you get it to do that through the terminal and not using the API? -

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 4.6 (c) 1999-2010 http://www.mikrotik.com/


[admin@Mikrotik] > /system reboot
Reboot, yes? [y/N]:
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: upgrade-package-source

Sat Mar 20, 2010 5:57 pm

create a script with '/system reboot' command, and run that script from CLI =)
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: upgrade-package-source

Mon Mar 22, 2010 11:16 am

Ok, so how do you get it to do that through the terminal and not using the API? -


[admin@Mikrotik] > /system reboot
Reboot, yes? [y/N]:
in api you get
!done
and then router goes for reboot.
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Tue Mar 23, 2010 6:40 am

I still haven't got an answer on how to do this "with out" the API. Chupaka, your system does not work as per below. It still asks for a y/N reply just like the password: reply request from my first post -

[admin@Mikrotik] > /system script run reboot
Reboot, yes? [y/N]:
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: upgrade-package-source

Tue Mar 23, 2010 6:57 am

he1ium,

I've been using /system reboot in scripts every since v3 with no problems at all. Did you follow Chupaka's advice exactly? Here's a breakdown (just for you):

From the CLI:
/system script add name="RebootTest" source="/system reboot"
/system script run RebootTest
You router should reboot after running these 2 commands.

Note: Make sure your RouterOS user's group has the reboot policy enabled.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: upgrade-package-source

Tue Mar 23, 2010 11:57 am

in future releases upgrade-package-source API behaviour will be changed, it will accept password as an argument. Behaviour in CLI will not change. Just wait for new releases.
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Wed Mar 24, 2010 6:51 am

dssmiktik,
Yes I have tried just like Chupaka. It still asks for y/N just like the screen copy. This is v.4, are you still using v.3?
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Wed Mar 24, 2010 6:56 am

janisk,
This is sad :( What about other commands that have the same issue in the CLI? I just don't understand why the password would not be an option/variable using the CLI. This makes life really frustrating when you are dealing with 300+ locations. Thanks at least for an answer even if it's not the one I wanted :lol:
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: upgrade-package-source

Wed Mar 24, 2010 10:23 am

if you connect through CLI, and issue commands, then commands are saved into command history, from where they can be retrieved in later logins. If history will sport passwords and users for other routers, for certificates etc. that would be serious security problem.

we can enable these arguments in API, as there is no command history
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: upgrade-package-source

Wed Mar 24, 2010 10:38 am

dssmiktik,
Yes I have tried just like Chupaka. It still asks for y/N just like the screen copy. This is v.4, are you still using v.3?
Currently I'm using v4.6 with no problems. I've been doing a system reboots via scripts with no user interaction required since about v3.20 or so through v4.6.

Could you post exactly what you're typing at the command-line or how your running the commands?
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Thu Apr 22, 2010 9:43 am

OK, I have found something interesting. The script works on the RB1000 router but not on an RB493AH. Any thoughts?
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Thu Apr 22, 2010 9:44 am

here is the script -

system reboot;
y;
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: upgrade-package-source

Thu Apr 22, 2010 10:49 am

here is the script -

system reboot;
y;
I can understand your frustration with the upgrade-package-source issue, however I'm not sure you are following the posted steps. Your script is not the same as what I instructed you to do.

Please follow these instructions exatly (even copy and paste them would work).
/system script add name="RebootTest" source="/system reboot"
/system script run RebootTest
Your router will reboot.

Janisk,
Your theory doesn't quite make sense to me.
if you connect through CLI, and issue commands, then commands are saved into command history, from where they can be retrieved in later logins. If history will sport passwords and users for other routers, for certificates etc. that would be serious security problem.
What about these commands:
- /tool fetch address=<ip> user=<user> password=<pass> -- this is saved in the history
- /ppp secret set <name> password=<pass> - this is saved in the history
- /user set <user> password=<pass> - this is saved in the history
- /ip hotspot user set <user> password=<pass> - this is saved in the history

Why not rely on the 'sensitive' permission on the user to exclude them for seeing passwords? Ultimately, you have control over what gets saved in the RouterOS history, why not just remove the password field from the history data?

Just a thought.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: upgrade-package-source

Thu Apr 22, 2010 1:30 pm

maybe, router's password is a bit more important than user's password? =)
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: upgrade-package-source

Thu Apr 22, 2010 3:51 pm

when one router of your network is compromised that is bad, but if by getting into one router someone could gain access to other router, and that is not acceptable.
 
he1ium
newbie
Topic Author
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: upgrade-package-source

Tue Apr 27, 2010 10:45 pm

dssmiktik,
Thanks for your help. I tried several variations including the one you posted. Mikrotik has since then admitted it is an issue with the 493AH model. Nuff said.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: upgrade-package-source

Thu Apr 29, 2010 2:37 pm

could not get what with the specific RouterBOARD model mentioned there, but from API it is not possible to set up rule.
*) api - can supply password to '/system/upgrade/upgrade-package-source/add';
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: upgrade-package-source

Thu Apr 29, 2010 7:57 pm

could not get what with the specific RouterBOARD model mentioned there, but from API it is not possible to set up rule.
*) api - can supply password to '/system/upgrade/upgrade-package-source/add';
not, or now possible?
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: upgrade-package-source

Fri Apr 30, 2010 2:01 pm

sorry - it is possible.
 
User avatar
Deantwo
Member
Member
Posts: 331
Joined: Tue Sep 30, 2014 4:07 pm

Re: upgrade-package-source

Tue May 04, 2021 6:50 pm

when one router of your network is compromised that is bad, but if by getting into one router someone could gain access to other router, and that is not acceptable.
I know this thread is super old, But this still annoys me to no end.
Why does the "/system upgrade upgrade-package-source" even use a USER at all? The "/tool bandwidth-server" doesn't use a USER.

My only guess why, is because the "/system upgrade" service needs to use FTP services to download the files from the central router.
It also uses the WinBox port and service, meaning if you want to use this service to upgrade routers over the internet you need to have the WinBox port and service exposed to the internet.
The final question it comes down to is, why is the "/system upgrade" service designed like this at all? It is a security risk if used incorrectly and it is overly complicated to setup correctly.

Assuming you want to use this over the internet: Best you can do to mitigate these issue is to make a user that doesn't have write permission (only "winbow, read, ftp" permissions), set an IP-address whitelist on all other users on the router, and if able a time-scheduled firewall rule to only open up this within a specific time window.

Really hoping a new version of the "/system upgrade" service will come with version 7.x, as this is just painful.

See also: viewtopic.php?f=2&t=26108

Who is online

Users browsing this forum: No registered users and 20 guests