ccgx:root_access

Differences

This shows you the differences between two versions of the page.

ccgx:root_access [2023-09-12 21:13] mvaderccgx:root_access [2025-07-25 08:32] (current) – [5.2 Read-only rootfs and available disk space] mvader
Line 9: Line 9:
 Do note that, while we try to maintain to provide all mentioned functionality in this document, the used commands and functionality may change with future updates. Do note that, while we try to maintain to provide all mentioned functionality in this document, the used commands and functionality may change with future updates.
  
-===== 2. Warning about modifying the rootfs =====+===== 2. Understanding the partition layout =====
  
-__1Your changes can be lost during firmware update__+The chapters below refer to the rootfs, data partition, /data and so forthBefore getting into that, first short explanation.
  
-Changes made to the rootfs will be lost in case of a firmware update. The complete rootfs is overwitten during an update.+The disk on a GX device, as well as the SD-card of a RaspberryPi after installing Venus OS on that, is split in to multiple partitions: 
 + 
 +  - **boot**. Normally invisible, except for RaspberryPi when inserting it in another computer 
 +  - **rootfs1**. First copy of Venus OS, when active, mounted at ''/'' 
 +  - **rootfs2**. Second copy of Venus OS, when active, mounted at ''/'' 
 +  - **data**. User settings and log files, mounted at ''/data'' 
 + 
 +Why are there two rootfs-es? 
 + 
 +Venus OS employs a so-called dual boot system. This is to allow for safe and reliable software updates. It works by maintaining two copies of the operating system, one active and one standby. For example, when rootfs1 is the active one, and an update of Venus OS is executed, then the new version is installed on the other partition, rootfs2. And once completed, that one is marked as the active one, GX device is rebooted "into" rootfs2. 
 + 
 +===== 3. Warning about modifying Venus OS ===== 
 + 
 +__1. Changes can be lost during an update of Venus OS__ 
 + 
 +Changes made to the rootfs will be lost in case of a firmware update. That is because updates on Venus OS are image based, and as a result the complete rootfs is overwitten during an update.
  
 Of course it is always possible to disable automatic firmware updates. Also there is a data partition (/data), which will be left alone in the image updates, and as such can be used to, upon boot, (re-)install certain changes onto the active rootfs. More details on that below. Of course it is always possible to disable automatic firmware updates. Also there is a data partition (/data), which will be left alone in the image updates, and as such can be used to, upon boot, (re-)install certain changes onto the active rootfs. More details on that below.
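Review bot: the added sentence in section 3 ("That is because updates on Venus OS are image based ...") carries over the typo "overwitten" from the old text; change it to "overwritten". In the new section 2, "And once completed, that one is marked as the active one, GX device is rebooted "into" rootfs2." is a comma splice with a missing article; suggest "Once completed, that partition is marked as active and the GX device is rebooted into rootfs2."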
Line 30: Line 45:
   - if you remove the files in /data/venus, then -depending on the production date- you might have to restore those manually which might require serial console access. See below. Why does this depend on the production date? Thats because somewhere in 2021 we started writing all factory data to a different place (an eeprom) to make it more robust.   - if you remove the files in /data/venus, then -depending on the production date- you might have to restore those manually which might require serial console access. See below. Why does this depend on the production date? Thats because somewhere in 2021 we started writing all factory data to a different place (an eeprom) to make it more robust.
  
-===== 3Root access =====+===== 4How to obtain root access ===== 
 + 
 +==== 4.1 Set access level to Superuser ==== 
 +To set the root password, first set the access level to Superuser.
  
-==== 3.1 Set access level to Superuser ==== 
-To set the root password, first set the access level to Superuser: 
   - Go to Settings, General   - Go to Settings, General
   - Set the Access Level to User and installer, the password is ''ZZZ''   - Set the Access Level to User and installer, the password is ''ZZZ''
   - Highlight Access Level (don't open the select page, ie. make sure you are in the General Page, not the Access Level page)   - Highlight Access Level (don't open the select page, ie. make sure you are in the General Page, not the Access Level page)
-  - Press and hold the right button of the center pad until you see the Access Level change to Superuser. Note: when working from the Remote Console, you need to use the right key on your keyboard. Pressing and holding the right button with your mouse won't work.+  - Press and hold the right button of the center pad until you see the Access Level change to Superuser. Note: when working from the Remote Console using the Classic UI, you need to use the right key on your keyboard. Pressing and holding the right button with your mouse won't work. When using the New UI, select, drag down and hold down the entire list of General menu entries for five seconds, and until you see the Access level change to super user
  
 Now you have access to the super user features. Now you have access to the super user features.
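Review bot: in the rewritten last step of 4.1, the New UI instruction ends with "super user" and no full stop, while the heading, the first sentence and the Classic UI half of the same step write "Superuser"; use one spelling so readers can match it to the label on screen. "for five seconds, and until you see" can lose the "and". The touchscreen paragraph that follows already describes the same drag-and-hold gesture, so consider describing the gesture once and referring to it from both places.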
Line 43: Line 59:
 Note that on a touchscreen, such as a Cerbo GX + GX Touch, there is no "right button". Instead, drag the menu down and hold it down for five seconds. Or, use Remote Console. Note that on a touchscreen, such as a Cerbo GX + GX Touch, there is no "right button". Instead, drag the menu down and hold it down for five seconds. Or, use Remote Console.
  
-==== 3.2 Create a temporary root password ====+==== 4.2 Create a temporary root password ====
  
 Go to //Settings -> General -> Set root password//. And create a temporary root password. Go to //Settings -> General -> Set root password//. And create a temporary root password.
  
-Note that, for firmware version v2.00 and later, the root password will be reset by a firmware update. The reason is that the passwd file is on the rootfs, which is fully replaced by an update. More info [[https://github.com/victronenergy/venus/wiki/swupdate-project|here]].+Note that the root password will be reset by a firmware update. The reason is that the passwd file is on the rootfs, which is fully replaced by an update. More info [[https://github.com/victronenergy/venus/wiki/swupdate-project|here]]. 
 + 
 +Our advice is to create a complex root password. But use it to login only the first time, and then install a public ssh key(s). Thereafter login with the keys. If key authentication works, you can  
 +safely disallow root logins with a password with '' echo 'root:*' | chpasswd -e ''
 + 
 +The password needs to be 6 characters long, minimum. 
 + 
 +Note that the root password is stored on the rootfs, causing it to be marked as modified. This is normal, and visible in the UI like this:
  
-Our advice is to create a complex root password. But use it to login only the first time, and then install a public ssh key(s). Thereafter login with the keys. If key authentication works, you can also +{{ :ccgx:modification_checks_page.png?direct |}}
-safely delete the root password afterwards (''passwd --delete root'').+
  
-==== 3.3 Enable sshd and log in =====+ssh keys are installed on the data partition, and therefore don't require having a rootfs that is marked as modified. 
 +==== 4.3 Enable sshd and log in =====
  
-To login via ssh, enable SSH on LAN (//Settings -> General//). On Venus versions before v2.40, you need to enable Remote Support, which also enables sshd. More info on Remote Support [[ccgx:ccgx_faq#what_is_the_functionality_behind_the_menu_item_remote_support_ssh_in_the_ethernet_menu|here]].+To login via ssh, enable SSH on LAN (//Settings -> General//). On Venus versions before v2.40, you need to enable Remote Support, which also enables sshd. More info on Remote Support [[https://www.victronenergy.com/media/pg/Cerbo_GX/en/troubleshooting.html#UUID-f13193f4-c359-4a49-005e-05da0fdd6a70|here]].
  
 To the login, enter the ip address of the GX device in a ssh client. Most Linux and Mac users will simply do this from the command line: To the login, enter the ip address of the GX device in a ssh client. Most Linux and Mac users will simply do this from the command line:
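Review bot: in 4.2, the new advice to block password logins with "echo 'root:*' | chpasswd -e" does not say whether this change is undone by a firmware update, even though the paragraph just above explains that the passwd file is on the rootfs and is fully replaced by an update. Add a sentence stating what the root password state is after an update, so that readers who rely on key-only login know whether to repeat the step. The sentence "The password needs to be 6 characters long, minimum." belongs directly after "create a temporary root password" rather than after the advice on disabling password login. A blank line is missing before the "4.3 Enable sshd and log in" heading, and that heading opens with four "=" but closes with five.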
Line 62: Line 85:
 And a very commonly used client for Windows is [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|Putty]]. For more info, look around on the Internet, there is [[https://www.google.nl/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=putty+ssh+login&tbm=vid|plenty information]] available. And a very commonly used client for Windows is [[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html|Putty]]. For more info, look around on the Internet, there is [[https://www.google.nl/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=putty+ssh+login&tbm=vid|plenty information]] available.
  
-==== 3.4 Installing ssh keys ====+==== 4.4 Installing ssh keys ====
  
 Using a ssh key for authentication, instead of a root password, has the advantage that it isn't lost during a firmware update. The keys are stored on the /data partition. Using a ssh key for authentication, instead of a root password, has the advantage that it isn't lost during a firmware update. The keys are stored on the /data partition.
Line 75: Line 98:
 The third file contains the keys we use for Remote Support login. The third file contains the keys we use for Remote Support login.
  
-==== 3.5 Play time! Start executing commands ====+==== 4.5 Play time! Start executing commands ====
  
-https://www.victronenergy.com/live/open_source:ccgx:commandline+[[https://github.com/victronenergy/venus/wiki/commandline---operational|Venus OS commandline operational manual]]
  
-===== 4. Customizing a GX device =====+===== 5. Customizing a GX device =====
  
-==== 4.1 Hooks to install/run own code at boot ====+==== 5.1 Hooks to install/run own code at boot ====
  
 Everything, except for information on ''/data'', will be wiped after an update. Everything, except for information on ''/data'', will be wiped after an update.
Line 89: Line 112:
 If the files ''/data/rcS.local'' or ''/data/rc.local'' exists, they will be called early (rcS) and late (rc) during startup. These scripts will survive upgrades and can be used by customers to start their own custom software. Implementation details in [[https://github.com/victronenergy/meta-victronenergy/commit/2dbd16c560ff7cdf70b1d676c0616013169c7484|this commit]]. If the files ''/data/rcS.local'' or ''/data/rc.local'' exists, they will be called early (rcS) and late (rc) during startup. These scripts will survive upgrades and can be used by customers to start their own custom software. Implementation details in [[https://github.com/victronenergy/meta-victronenergy/commit/2dbd16c560ff7cdf70b1d676c0616013169c7484|this commit]].
  
-Also if ''venus-data.{tar.gz,tgz,zip}'' is found on removable storage (usb stick, sd-card) when booting, it will be unpacked into /data. Implementation details in [[https://github.com/victronenergy/meta-victronenergy/commit/469760fef4ed2ee977f482c997ac24c2678222c5|this commit]]. Added per Venus v2.30~28. Use this to for example make a USB stick that installs the modifications.+Also if ''venus-data.*.{tar.gz,tgz,zip}'' is found on removable storage (usb stick, sd-card) when booting, it will be unpacked into /data. Implementation details in [[https://github.com/victronenergy/meta-victronenergy/commit/469760fef4ed2ee977f482c997ac24c2678222c5|this commit]]. Added per Venus v2.30~28. Use this to for example make a USB stick that installs the modifications. You can combine multiple files on the device; they will be run in alphabetical order.
  
 That venus-data file has one extra feature: if the archive contains ''rc/*'' files, it will extract those first. And if there is a file called ''rc/pre-hook.sh'' it will run this before unpacking the rest of the archive. Similarly, if there is a file called ''rc/post-hook.sh'', then that file will run this after the unpacking of the archive. For details, read the code in the ''/etc/rc5.d/S30update-data.sh'' file. That venus-data file has one extra feature: if the archive contains ''rc/*'' files, it will extract those first. And if there is a file called ''rc/pre-hook.sh'' it will run this before unpacking the rest of the archive. Similarly, if there is a file called ''rc/post-hook.sh'', then that file will run this after the unpacking of the archive. For details, read the code in the ''/etc/rc5.d/S30update-data.sh'' file.
 +
 +You can draw further inspiration from [[https://github.com/victronenergy/meta-victronenergy/tree/master/meta-venus/scripts|here]], where the code resides to generate files for making backups of the ''/data'' partition, resetting Node-RED and SignalK and more scripts. 
  
 You can test the 'update' with  You can test the 'update' with 
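Review bot: in 5.1, the pattern changes from "venus-data.{tar.gz,tgz,zip}" to "venus-data.*.{tar.gz,tgz,zip}", which read as a shell glob no longer matches a plain venus-data.tar.gz; state whether the unsuffixed name is still accepted and give one example file name. The added sentence "You can combine multiple files on the device; they will be run in alphabetical order." should say "on the removable storage" and "unpacked" to agree with the sentence before it. Since an archive on a USB stick can carry rc/pre-hook.sh and rc/post-hook.sh that run at boot, a pointer from here to the hardening chapter (section 6) would help readers who need to restrict that.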
Line 100: Line 125:
 https://github.com/victronenergy/venus/wiki/swupdate-project https://github.com/victronenergy/venus/wiki/swupdate-project
  
-==== 4.2 Partitions, read-only rootfs and available disk space ====+**User setting that enables and disables modifications 
 +**
  
-On a GX Device, there are three partitions that matter:+In the Settings -> General -> Modification checks menu, there is an option called "Modifications enabled". This is set to enabled by default.
  
-  * rootfs partition one +When set to disabled, the GX renames the ''/data/rc.local'' to ''/data/rc.local.disabled'', and similar for rcS.local. It will do this at every boot, as long as the Modifications are disabled.
-  * rootfs partition two +
-  * the data partition+
  
-=== 4.2.1 One active rootfs at time ===+Here is screenshot that section of the menu:
  
-Only one of the two rootfs partitions will be in use at timeDuring a firmware update, the new firmware is installed on the other one; and once finished the subsequent reboot will reboot the device onto that other partition.+{{ :ccgx:modifications_checks_page_2.png?direct |}} 
 +==== 5.2 Read-only rootfs and available disk space ====
  
-The data partition is not touched during a firmware update, except maybe some migration scripts that run at boot.+=== 5.2.1 Read-only rootfs ===
  
-=== 4.2.2 Read-only rootfs ===+By default, the rootfs is mounted read onlyAlso, by default, it only has 5% of free space, while the partition in which its installed is actually larger.
  
-By default, the rootfs is mounted read only. Also, by default, it only has 5% of free space.+The recommended method to **(a)** mount it as read/writeand **(b)** expand it to use all of the available space in its partition, is by running ''/opt/victronenergy/swupdate-scripts/resize2fs.sh''.
  
-The solution is to run ''/opt/victronenergy/swupdate-scripts/resize2fs.sh''.+Here is a short overview of the three ways mount the rootfs as read/write:
  
-Further details in the next section.+  * //temporally//: issue the command ''mount -o remount,rw /'' (which holds until the next reboot or issueing ''mount -o remount,ro /''
 +  * //semi-permanent//: issue the command ''/opt/victronenergy/swupdate-scripts/remount-rw.sh'' (which holds until the next firmware update) 
 +  * //permanent//: adding one of the above commands to ''/data/rc.local'' (which holds permanently)
  
-=== 4.2.Always prevent running out of diskspace ===+=== 5.2.Always prevent running out of diskspace ===
  
 When doing modifications, make sure both the data partition and the rootfs do not run out of space. We don't design or test for that situation. When doing modifications, make sure both the data partition and the rootfs do not run out of space. We don't design or test for that situation.
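Review bot: the new "Modifications enabled" paragraph says that disabling renames /data/rc.local and rcS.local at every boot, but not whether it also stops a venus-data archive on removable storage from being unpacked and its rc/pre-hook.sh and rc/post-hook.sh from running, nor whether re-enabling renames the files back. Both matter to anyone using the setting for hardening, so spell them out. The removed 4.2.1 sentence noting that migration scripts may touch the data partition at boot has no replacement in the new text of this hunk. In the relocated list in 5.2.1, "temporally" should be "temporarily", "issueing" should be "issuing", and the first bullet is still missing its closing parenthesis.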
Line 142: Line 169:
 Note that a firmware update will replace all of the rootfs, as also explained above. Which implies that you'll need to run ''resize2fs.sh'' again after doing a firmware update. Note that a firmware update will replace all of the rootfs, as also explained above. Which implies that you'll need to run ''resize2fs.sh'' again after doing a firmware update.
  
-==== 4.3 Creating a patch file ====+In the New UI, you can see available disk space on the data partition in the Settings -> General -> Modification checks menu. 
 +==== 5.3 Creating a patch file ====
  
 As mentioned before, the recommended way of customising Venus OS is by applying patch files. This section describes how to make and apply a patch. As mentioned before, the recommended way of customising Venus OS is by applying patch files. This section describes how to make and apply a patch.
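Review bot: the sentence added at the end of 5.2.2 covers only the data partition and only the New UI, while this subsection is about keeping both the data partition and the rootfs from filling up; add how to check free space on the rootfs and for Classic UI users, for example with df from the shell. A blank line is missing before the "5.3 Creating a patch file" heading.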
Line 156: Line 184:
 For more advanced features please check the manual page of [[https://man7.org/linux/man-pages/man1/diff.1.html|diff]] and [[https://man7.org/linux/man-pages/man1/patch.1.html|patch]]. For more advanced features please check the manual page of [[https://man7.org/linux/man-pages/man1/diff.1.html|diff]] and [[https://man7.org/linux/man-pages/man1/patch.1.html|patch]].
  
-==== 4.4 Adding or modifying services ====+In this thread, there is an example of how to make a patch file to change a certain setting in the GX, and how to apply that at boot. To make it survive a firmware update: 
 +https://community.victronenergy.com/idea/201826/lets-define-a-local-ntp-server.html 
 + 
 +==== 5.4 Adding or modifying services ====
  
 Changes made to ''/service'' will not survive a reboot. The Changes made to ''/service'' will not survive a reboot. The
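Review bot: in the paragraph added to 5.3, "To make it survive a firmware update:" is a sentence fragment and leaves it unclear whether the linked thread covers that part; join it to the previous sentence, for example "... and how to apply it at boot so that it survives a firmware update". The bare URL should use the [[url|text]] link form that the diff and patch links in the line above it use.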
Line 165: Line 196:
 ''/service''. ''/service''.
  
-By default the root filesystem of Venus is read-only. There are three ways to change that: +Further details herehttps://github.com/victronenergy/venus/wiki/howto-add-a-driver-to-Venus#installing-a-driver-that-doesnt-depend-on-a-serial-port
- +
-  * //temporally//issue the command ''mount -o remount,rw /'' (which holds until the next reboot or issueing ''mount -o remount,ro /''+
-  * //semi-permanent//: issue the command ''/opt/victronenergy/swupdate-scripts/remount-rw.sh'' (which holds until the next firmware update) +
-  * //permanent//: adding one of the above commands to ''/data/rc.local'' (which holds permanently)+
  
-===== 5. Hardening a GX device =====+===== 6. Hardening a GX device =====
  
-==== 5.1 Limit physical access to the device ====+==== 6.1 Limit physical access to the device ====
  
 The first thing to keep in mind is that we as Victron Energy always want an The first thing to keep in mind is that we as Victron Energy always want an
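Review bot: with the three remount options moved out of 5.4 into 5.2.1, this section no longer mentions the read-only rootfs at the point where it was previously explained; if the steps in 5.4 involve writing to the rootfs, add a reference to 5.2.1. The URL after "Further details here" would be better as a [[url|text]] link, matching the links elsewhere on the page.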
Line 191: Line 218:
 access to the device. access to the device.
  
-==== 5.2 Disable touch on the attached screen ====+==== 6.2 Disable touch on the attached screen ====
  
-Per Venus OS version v3.00, we are introducing a feature that allows disabling the touch feature on the GX Touch display.+There is a feature that allows disabling the touch feature on the GX Touch display.
  
 This allows mounting the GX Touch where it is visible by the operators of the system; and at the same time prevent them from using that to elevate their access. This allows mounting the GX Touch where it is visible by the operators of the system; and at the same time prevent them from using that to elevate their access.
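Review bot: replacing "Per Venus OS version v3.00, we are introducing a feature" with "There is a feature" in 6.2 drops the firmware version in which the setting appeared; keep it, for example "Since Venus OS v3.00, there is a feature ...", so that someone hardening a device on older firmware knows why the setting is absent.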
Line 207: Line 234:
 Note that this setting only disables touch/mouse control. On the remote console you are still able to control the device with keyboard input. That is also true if you plugin an external USB keyboard. With the keyboard it is also possible to toggle the ''/Settings/Gui/TouchEnabled'' setting by pressing the [[https://en.wikipedia.org/wiki/Break_key|Pause/Break key]] key. So if you need this feature to be switched on, make sure that the USB ports are not accessible. Note that this setting only disables touch/mouse control. On the remote console you are still able to control the device with keyboard input. That is also true if you plugin an external USB keyboard. With the keyboard it is also possible to toggle the ''/Settings/Gui/TouchEnabled'' setting by pressing the [[https://en.wikipedia.org/wiki/Break_key|Pause/Break key]] key. So if you need this feature to be switched on, make sure that the USB ports are not accessible.
  
-==== 5.3 Limiting digital access  ====+==== 6.3 Limiting digital access  ====
  
 When securing the device, it is also advised to disable the Wi-Fi access point, When securing the device, it is also advised to disable the Wi-Fi access point,
Line 255: Line 282:
 that. that.
  
-==== 5.4 Installing a tamper alarm ====+==== 6.4 Installing a tamper alarm ====
  
 By using the digital input(s) of the GX device, you can set the digital By using the digital input(s) of the GX device, you can set the digital
Line 270: Line 297:
   * If a logical low input (0V) should be considered a positive condition, set //Inverted alarm logic// to on.   * If a logical low input (0V) should be considered a positive condition, set //Inverted alarm logic// to on.
  
-==== 5.5 Hardening multiple devices ====+==== 6.5 Hardening multiple devices ====
  
 If you have a lot of Venus devices to modify, probably the easiest way is to If you have a lot of Venus devices to modify, probably the easiest way is to
Line 280: Line 307:
 Later replace that by something more strong and store it in your vault. Use the USB stick to put your public ssh keys on the GX device so you can gain remote access. Later replace that by something more strong and store it in your vault. Use the USB stick to put your public ssh keys on the GX device so you can gain remote access.
  
-===== 6. Connecting on the serial console =====+===== 7. Connecting on the serial console =====
  
 The serial console offers a straight connection from your computer. Not relying on TCP or anything else. The serial console offers a straight connection from your computer. Not relying on TCP or anything else.
Line 290: Line 317:
 The serial consoles on all GX devices are configured to 115200 baud. The serial consoles on all GX devices are configured to 115200 baud.
  
-==== 6.1 Color Control GX ====+==== 7.1 Color Control GX ====
  
 All GX Devices have a dedicated serial console, except for the CCGX. Therefor its documented on a separate page: All GX Devices have a dedicated serial console, except for the CCGX. Therefor its documented on a separate page:
Line 296: Line 323:
 [[https://github.com/victronenergy/venus/wiki/ccgx-serial-console|CCGX Serial Console]]. [[https://github.com/victronenergy/venus/wiki/ccgx-serial-console|CCGX Serial Console]].
  
-==== 6.2 Cerbo GX ====+==== 7.2 Cerbo GX ====
  
 The serial console is located on the CPU board, header JP201. GND is pin 1, RX and TX are pins 4 and 5. Here is a picture showing a [[https://www.adafruit.com/product/954|ADA Fruit Serial Console cable]] connected to it. The serial console is located on the CPU board, header JP201. GND is pin 1, RX and TX are pins 4 and 5. Here is a picture showing a [[https://www.adafruit.com/product/954|ADA Fruit Serial Console cable]] connected to it.
Line 304: Line 331:
 {{ :ccgx:cerbo_serial_console.jpg?nolink&600 |}} {{ :ccgx:cerbo_serial_console.jpg?nolink&600 |}}
  
-==== 6.3 Venus GX ====+==== 7.3 Venus GX ====
  
 The serial console is located on the base-board, and can be accessed through the slot between that board and the Ethernet connector on the beaglebone-board. The serial console is located on the base-board, and can be accessed through the slot between that board and the Ethernet connector on the beaglebone-board.
  
-White: TX of the Beaglebone - connect to RX on your cable +  * White: TX of the Beaglebone - connect to RX on your cable 
-Black: ground +  Black: ground 
-Green: RX of the Beaglebone - connect to TX on your cable+  Green: RX of the Beaglebone - connect to TX on your cable
  
 Make sure not to connect the red wire. Make sure not to connect the red wire.
Line 318: Line 345:
 {{ :ccgx:venus_gx_serial_console.png?nolink&600 |}} {{ :ccgx:venus_gx_serial_console.png?nolink&600 |}}
  
-==== 6.4 GX Card / Nanopi ====+==== 7.4 GX Card / Nanopi ====
  
 The GX Card is the PCBA inside the MultiPlus-II GX and EasySolar-II GX product ranges. This photo shows the card, when unmounted from these inverter/chargers. The GX Card is the PCBA inside the MultiPlus-II GX and EasySolar-II GX product ranges. This photo shows the card, when unmounted from these inverter/chargers.
Line 329: Line 356:
  
  
-==== 6.5 Octo GX ====+==== 7.5 Octo GX ====
  
 The serial console is located on the base-board, and can be accessed with the top-board unmounted. With the serial console cable connected the top-board can be put back on again. The serial console is located on the base-board, and can be accessed with the top-board unmounted. With the serial console cable connected the top-board can be put back on again.
Line 343: Line 370:
  
 {{ :ccgx:octo-gx_serial-console.jpg?300 |}} {{ :ccgx:octo-gx_serial-console.jpg?300 |}}
 +
 +==== 7.6 Ekrano GX ====
 +
 +Getting to console on the Ekrano GX is not that easy. The pins are located between the network and USB connector on the back of the device.
 +
 +  - Black: ground 
 +  - NC
 +  - NC
 +  - Green: RX of the Ekrano GX - connect to TX on your cable
 +  - White: TX of the Ekrano GX - connect to RX on your cable
 +  - NC
 +
 +{{ :ccgx:ekrano-console.jpg?300 |}}
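Review bot: the pin list in the new 7.6 is written as an ordered list of six entries but does not say which physical end of the header is pin 1, and "NC" is not expanded; add the orientation relative to the network or USB connector and write "not connected". The wire colours match the Venus GX section, which also warns not to connect the red wire; say whether that applies here too. "Getting to console" should read "Getting to the console".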
ccgx/root_access.1694546015.txt.gz · Last modified: by mvader
