A recent Stack Overflow post had me looking at how to run Node-RED using Visual Code to debug custom nodes. Since I’d not tried Visual Code before (I tend to use Sublime Text 4 as my day to day editor) I thought I’d give it a go and see if I could get it working.
We will start with a really basic test node as an example. This just prints the content of msg.payload to the console for any message passing through.
All three files mentioned above are placed in a directory and then the following steps are followed:
In the Node-RED userDir (normally ~/.node-red on a Linux machine) run the following command to create a symlink in the node_modules directory. This will allow Node-RED to find and load the node. npm install /path/to/test/directory
Add the following section to the package.json file
Where usr/lib/node_modules/node-red/red.js is the output from readlink -f `which node-red`.
You can then add a breakpoint to the code
And then start Node-RED by clicking on the Play button just above the scripts block.
This will launch Node-RED and attach the debugger and stop when the breakpoint if hit. You can also enable the debugger to stop the application on exceptions, filtering on if they are caught or not.
This even works when using Visual Code’s remote capabilities for editing, running and debugging projects on remote machines. I’ve tested this running over SSH to a Raspberry Pi Zero 2 W (which is similar to the original StackOverflow question as they were trying to debug nodes working with the Pi’s GPIO system). The only change I had to make on the Pi was to increase the default swap file size from 100mb to 256mb as squeezing the Visual Code remote agent and Node-RED into 512mb RAM is a bit of a squeeze.
I might give Visual Code a go as my daily driver in the new year.
I’ve had a background project ticking over slowly in the background for a number of years.
Last year I designed and had built a number of PCBs to be used as HATs for a Raspberry Pi Zero. They included a RTC and a terminal block to attach the LED strip.
I did say that I would write another post when the boards where delivered and I had assembled the first prototype. Unfortunately I had made a small, but critical mistake when designing the boards, I slightly messed up the package package size for the RTC so it wasn’t possible to get assemble the boards correctly. I didn’t get round to re-doing the PCB layout with the correct sized parts so the whole thing just sat for a while.
In the meantime the Raspberry Pi Foundation went and released a new product, the Raspberry Pi Pico, which is based on the RP2040 chip. As well as the Pico they are also making the RP2040 chip available to other folk to include it directly in their own projects.
Pimoroni have created a number of different boards but their latest is the Plasma 2040 which is specifically designed to drive LED strips.
Solder the RTC on to the breakout section of the Plasma 2040, the terminals are labelled so just make sure you match up the pins, I used the headers that came with the RTC and arranged it so the breakout was over the top of the Plasma2040
Loosen the screw terminals for the connections marked 5V, DA and -. Insert the Red wire of the adapter in the 5V, Green wire in DA and White wire in –
Clip the LED strip to the end of the adapter.
Code
When you first attach the Plasma2040 to your computer it will show up as a USB flash drive. This is so you can install the runtime. In this case we’ll be using the Pimoroni Micropython build that comes with support for the board. You can grab a version from the release page on GitHub here. Once downloaded copy it into the root of the drive. When the copy has finished the board will reboot and be ready to run Python code.
You can use the Thonny IDE to both write and push code to the device. You will need at least version 3.3.3 to support the Plasma2040.
The fist version of the code was as follows:
import plasma
from plasma import plasma2040
from pimoroni import RGBLED, Button
import time
NUM_LEDS = 60
LOW = 32
MED = 64
HIGH = 128
BRIGHTNESS = [LOW,MED,HIGH]
BRIGHTNESS_LEVEL = 0
button_brightness = Button(plasma2040.BUTTON_A)
led = RGBLED(plasma2040.LED_R, plasma2040.LED_G, plasma2040.LED_B)
led.set_rgb(0, 0, 0)
led_strip = plasma.WS2812(NUM_LEDS, 0, 0, plasma2040.DAT)
led_strip.start()
while True:
RED = [0]*NUM_LEDS
GREEN = [0]*NUM_LEDS
BLUE = [0]*NUM_LEDS
t = time.localtime()
hour = (t[3] % 12) * 5
#Hours
RED[hour] = BRIGHTNESS[BRIGHTNESS_LEVEL]
RED[hour + 1] = BRIGHTNESS[BRIGHTNESS_LEVEL]
RED[hour + 2] = BRIGHTNESS[BRIGHTNESS_LEVEL]
RED[hour + 3] = BRIGHTNESS[BRIGHTNESS_LEVEL]
RED[hour + 4] = BRIGHTNESS[BRIGHTNESS_LEVEL]
#Mins
GREEN[t[4]] = BRIGHTNESS[BRIGHTNESS_LEVEL]
#Secs
BLUE[t[5]] = BRIGHTNESS[BRIGHTNESS_LEVEL]
#set the LEDS
for i in range (NUM_LEDS):
led_strip.set_rgb(i, RED[i], GREEN[i], BLUE[i])
#change brightness
if button_brightness.read():
BRIGHTNESS_LEVEL += 1
BRIGHTNESS_LEVEL %= 3
time.sleep(1)
This works well when triggered from Thonny as it syncs the laptop’s time to the RP2040 each time it connects. But when the clock is powered by a USB power supply or a battery, the clock starts at 00:00:01 Jan 1st 2021 and has no way to be updated to match now.
This is why we need the RTC module, it keeps track of the time while the clock is powered down.
It also has a way to change the brightness, by pressing the A button it will cycle through 3 different brightness levels.
Setting the RTC Time
With a little bit of playing I worked out how to sync the RTC to the current time in the Thonny console
The most important line is the last one, which enables the battery backup for the RTC so it remembers the time you just set.
I was going to use the rtc.set_unix() function and pass in time.time() but it appears that the unix timestamp is maintained independently of the “Real” time on the RTC.
The set_time() function takes values in the order
seconds (0-60)
minutes (0-60)
hours (0-23)
day of the week (1-7 -> mon-sun)
day of month (1-31)
monthe (1-12)
year (2000-2099)
With the RTC set correctly a small update to the code to read from the RTC rather than from the time object and we are good to go.
import plasma
from plasma import plasma2040
from pimoroni import RGBLED, Button
from pimoroni_i2c import PimoroniI2C
from breakout_rtc import BreakoutRTC
import time
PINS_PLASMA = {"sda": 20, "scl": 21}
i2c = PimoroniI2C(**PINS_PLASMA)
rtc = BreakoutRTC(i2c)
if rtc.is_12_hour():
rtc.set_24_hour()
if rtc.update_time():
print(rtc.string_time())
print(rtc.string_date())
NUM_LEDS = 60
LOW = 32
MED = 64
HIGH = 128
BRIGHTNESS = [LOW,MED,HIGH]
BRIGHTNESS_LEVEL = 0
button_brightness = Button(plasma2040.BUTTON_A)
led = RGBLED(plasma2040.LED_R, plasma2040.LED_G, plasma2040.LED_B)
led.set_rgb(0, 0, 0)
led_strip = plasma.WS2812(NUM_LEDS, 0, 0, plasma2040.DAT)
led_strip.start()
rtc.enable_periodic_update_interrupt(True)
while True:
RED = [0]*NUM_LEDS
GREEN = [0]*NUM_LEDS
BLUE = [0]*NUM_LEDS
t = time.localtime()
if rtc.read_periodic_update_interrupt_flag():
rtc.clear_periodic_update_interrupt_flag()
rtc.update_time()
hour = (rtc.get_hours() % 12) * 5
RED[hour] = BRIGHTNESS[BRIGHTNESS_LEVEL]
RED[hour + 1] = BRIGHTNESS[BRIGHTNESS_LEVEL]
RED[hour + 2] = BRIGHTNESS[BRIGHTNESS_LEVEL]
RED[hour + 3] = BRIGHTNESS[BRIGHTNESS_LEVEL]
RED[hour + 4] = BRIGHTNESS[BRIGHTNESS_LEVEL]
GREEN[rtc.get_minutes()] = BRIGHTNESS[BRIGHTNESS_LEVEL]
BLUE[rtc.get_seconds()] = BRIGHTNESS[BRIGHTNESS_LEVEL]
for i in range (NUM_LEDS):
led_strip.set_rgb(i, RED[i], GREEN[i], BLUE[i])
if button_brightness.read():
BRIGHTNESS_LEVEL += 1
BRIGHTNESS_LEVEL %= 3
time.sleep(1)
2021 Edition
Next Steps
There are a few things that need doing next. The first is to build a case for the clock, I’m thinking about something made up of layers of thin plywood with a channel for the LED strip and maybe a layer of smoked/mat acrylic to act as a diffuser.
The second part is to work out a way to work with DST, Micropython doesn’t support timezones as the database needed to keep track of all the different timezones takes up a huge amount of space. I could hard code in the dates for my location, but I’ll probably just make use of the B button to toggle an hours difference on/off.
Optionally I might add another 31 LED strip (probably at 30/meter) to be used as a calendar showing the current month with markers for weekends and the current day.
Another option is to use 4 of these to build a 60 LED ring for something a little more conventionally shaped.
And the final extra hack is to daisy chain the Light level sensor (e.g. one of these) on top of the RTC and dynamically adjust the brightness based on ambient light levels.
I’ll also probably keep tinkering with the Raspberry Pi Zero W version as that will allow oAuth to link to things like Google Calendar to show meetings in the clock view and add Holidays to the Calendar view. It will also have access to the full timezone database and NTP for time syncing over the network.
Having seen a tweet to a Hackaday article (/ht Andy Piper) about adding a ESP8266 to the new IKEA VINDRIKTNING air quality sensor.
The sensor is a little stand alone platform that measures the amount of PM 2.5 particles in the air and it has an array of coloured LEDs on the front to show a spectrum from green when the count is low and red when high.
Sören Beye opened one up and worked out that the micro controller that reads the sensor to control the leds does so over a uart serial connection and that the Tx/Rx lines were exposed via a a set of test pads along with 5v and Ground power. This makes it easy to attach a second micro controller to the Rx line to read the response when the sensor is polled.
Sören has written some code for an ESP8266 to decode that response and publish the result via MQTT.
Making the hardware modification is pretty simple
Unscrew the case
Strip the ends on 3 short pieces of wire
Solder the 3 leads to the test pads labelled 5v, G and REST
Solder the 5V to 5V, G to G and REST to D2 (assuming using a Wemos D1 Mini)
Place the Wemos in the empty space above the sensor
Screw the case back together
The software is built using the Ardunio IDE and is easily flashed via the USB port. Once installed when the ESP8266 boots it will set up a WiFi Access Point to allow you to enter details for the local WiFi network and the address, username and password for a MQTT broker.
When connected the sensor publishes a couple of messages to allow auto configuration for people who use Home Assistant but it also publishes messages like this:
It includes the pm25 value and information about which network it’s connected to and it’s current IP address. I’m subscribing to this with Node-RED and using it to convert the numerical value, which has units of μg/m3 into a recognised scale (found on page 4).
I’m feeding this into a Google Smart Home Assistant Sensor device that has the SensorState trait, this takes the scale values as input, but you can also include the raw values as well.
I’ve recently been working on a project that uses AWS EKS managed Kubernetes Service.
For various reasons too complicated to go into here we’ve ended up with multiple clusters owned by different AWS Accounts so flipping back and forth between them has been a little trickier than normal.
Here are my notes on how to manage the AWS credentials and the kubectl config to access each cluster.
AWS CLI
First task is to authorise the AWS CLI to act as the user in question. We do this by creating a user with the right permissions in the IAM console and then export the Access key ID and Secret access key values usually as a CSV file. We then take these values and add them to the ~/.aws/credentials file.
Instead of using the --profile option you can also set the AWS_PROFILE environment variable. Details of all the ways to switch profiles are in the docs here.
The user that created the cluster should also follow these instructions to make sure the new account is added to the cluster’s internal ACL.
Kubectl
If we run the previous command with each profile it will add the connection information for all 3 clusters to the ~/.kube/config file. We can list them with the following command
$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* arn:aws:eks:us-east-1:111111111111:cluster/foo-bar arn:aws:eks:us-east-1:111111111111:cluster/foo-bar arn:aws:eks:us-east-1:111111111111:cluster/foo-bar
arn:aws:eks:us-east-1:222222222222:cluster/foo-bar arn:aws:eks:us-east-1:222222222222:cluster/foo-bar arn:aws:eks:us-east-1:222222222222:cluster/foo-bar
arn:aws:eks:us-east-1:333333333333:cluster/foo-bar arn:aws:eks:us-east-1:333333333333:cluster/foo-bar arn:aws:eks:us-east-1:333333333333:cluster/foo-bar
The star is next to the currently active context, we can change the active context with this command
$ kubectl config set-context arn:aws:eks:us-east-1:222222222222:cluster/foo-bar
Switched to context "arn:aws:eks:us-east-1:222222222222:cluster/foo-bar".
Putting it all together
To automate all this I’ve put together a collection of script that look like this
I then use the shell source ./setup-prod command (or it’s shortcut . ./setup-prod) , this is instead of adding the shebang to the top and running it as a normal script. This is because when environment variables are set in scripts they go out of scope. Leaving the AWS_PROFILE variable in scope means that the AWS CLI will continue to use the correct account settings when it’s used later while working on this cluster.
Today is my first day working for FlowForge Inc. I’ll be employee number 2 and joining Nick O’Leary working on all things based around Node-RED and continuing to contribute to the core Open Source project.
We should be building on some of the things I’ve been playing with recently.
Hopefully I’ll be able to share some of the things I’ll be working on soon, but in the mean time here is the short post that Nick wrote when he announced FlowForge a few weeks ago and a post welcoming me to the team
To go with this announcement Hardill Technologies Ltd will be going dormant. It’s been an good 3 months and I’ve built something interesting for my client which I hope to see it go live soon.
Having built my 2 differentLoRA connected temperature/humidity sensors I was looking for something other than the Graphana instance that shows the trends.
Being able to ask Google Assistant the temperature in a room seemed like a good idea and an excuse to add the relatively new Sensor device type my Google Assistant Bridge for Node-RED.
I’m exposing 2 options for the Sensor to start with, Temperature and Humidity. I might look at adding Air Quality later.
Once the virtual device is setup, you can feed data in the Google Home Graph using a flow similar to the following
The join node is set to combine the 2 incoming MQTT messages into a single object based on their topics. The function node then builds the right payload to pass to the Google Home output node and finally it feeds it through an RBE node just to make sure we only send updates when the data changes.
As mentioned in a previous post I’ve been playing with Streaming Camera feeds to my Chromecast.
The next step is to enabling accessing these feeds via the Google Assistant. To do this I’m extending my Node-RED Google Assistant Service.
You should now be able to add a device with the type Camera and a CameraStream trait. You can then ask the Google Assistant to “OK Google, show me View Camera on the Livingroom TV”
This will create an input message in Node-RED that looks like:
The important part is mainly the SupportedStreamProtocols which shows the types of video stream the display device supports. In this case because the target is a ChromeCast it shows the full list.
Since we need to reply with a URL pointing to the stream the Node-RED input node can not be set to Auto Acknowledge and must be wired to a Response node.
The function node updates the msg.payload.params with the required details. In this case
It needs to include the cameraStreamAccessUrl which points to the video stream and the cameraStreamProtocol which identifies which of the requested protocols the stream uses.
This works well when the cameras and the Chromecast are on the same network, but if you want to access remote cameras then you will want to make sure that they are secured to prevent them being scanned by a IoT search engine like Shodan and open to the world.
A question popped up on the Node-REDSlack yesterday asking how to recover an entry from the credentials file.
Background
The credentials file can normally be found in the Node-RED userDir, which defaults to ~/.node-red on Unix like platforms (and is logged near the start of the output when Node-RED starts). The file has the same name as the flow file with _cred appended before the .json e.g. the flows_localhost.json will have a coresponding flows_localhost_creds.json
The content of the file will look something a little like this:
{"$":"7959e3be21a9806c5778bd8ad216ac8bJHw="}
This isn’t much use on it’s own as the contents are encrypted to make it harder for people to just copy the file and have access to all the stored passwords and access tokens.
The secret that is used to encrypt/decrypt this file can be found in one of 2 locations:
In the settings.js file in the credentialsSecret field. The user can set this if they want to use a fixed known value.
In the .config.json (or .config.runtime.json in later releases) in the __credentialSecret field. This secret is the one automatically generated if the user has not specifically set one in the settings.js file.
Code
In order to make use of thex
const crypto = require('crypto');
var encryptionAlgorithm = "aes-256-ctr";
function decryptCreds(key, cipher) {
var flows = cipher["$"];
var initVector = Buffer.from(flows.substring(0, 32),'hex');
flows = flows.substring(32);
var decipher = crypto.createDecipheriv(encryptionAlgorithm, key, initVector);
var decrypted = decipher.update(flows, 'base64', 'utf8') + decipher.final('utf8');
return JSON.parse(decrypted);
}
var creds = require("./" + process.argv[2])
var secret = process.argv[3]
var key = crypto.createHash('sha256').update(secret).digest();
console.log(decryptCreds(key, creds))
If you place this is a file called show-creds.js and place it in the Node-RED userDir you can run it as follows:
$ node show-creds creds.json [secret]
where [secret] is the value stored in credentialsSecret or _credentialsSecret from earlier. This will then print out the decrypted JSON object holding all the passwords/tokens from the file.
The idea was to run the CA on the pi that can only be accesses when it’s plugged in via a USB cable to another machine. This means that the CA cert and private key are normally offline and only potentially accessible by an attacker when plugged in.
For what’s at stake if my toy CA gets compromised this is already overkill, but I was looking to see what else I could do to make it even more secure.
TPM
A TPM or Trusted Platform Module is a dedicated CPU paired with some dedicated NVRAM. The CPU is capable of doing some pretty basic crypto functions, provide a good random number generator and NVRAM is used to store private keys.
TPMs also have a feature called PCRs which can be used to validate the hardware and software stack used to boot the machine. This means you can use this to detect if the system has been tampered with at any point. This does require integration into the bootloader for the system.
You can set access policies for keys protected by the TPM to allow access if the PCRs match a known pattern, some Disk Encryption systems like LUKS on Linux and Bitlocker on Windows1 can use this to automatically unlock the encrypted drive.
You can get a TPM for the Raspberry Pi from a group called LetsTrust (that is available online here).
It mounts on to the SPI bus pins and is enabled by adding a Device Tree Overlay to the /boot/config,txt similar to the RTC.
dtoverlay=i2c-rtc,ds1307
dtoverlay=tpm-slb9670
Since the Raspberry Pi Bootloader is not TPM aware the PCRs are not initialised in this situation, so we can’t use it to automatically unlock an encrypted volume.
Using the TPM with the CA
Even without the PCRs the TPM can be used to protect the CA’s private key so it can only be used on the same machine as the TPM. This makes the private key useless if anybody does manage to remotely log into the device and make a copy.
Of course since it just pushes on to the Pi header if anybody manages to get physical access they can just take the TPM and sdcard, but as with all security mechanisms once an attacker has physical access all bets are usually off.
There is a plugin for OpenSSL that enables it to use keys stored in the TPM. Once compiled it can be added as OpenSSL Engine along with a utility called tpm2tss-genkey that can be used to create new keys or an existing key can be imported.
Generating New Keys
You can generate a new CA certificate with the following commands
Once the keys have been imported the it’s important to remember to clean up the original key file (ca.key) so any attacker can’t just use them instead of using the one protected by the TPM. Any attacker now needs both the password for the key and the TPM device that was used to cloak it.
Web Interface
At the moment the node-openssl-cert node that I’m using to drive the web interface to CA doesn’t look to support passing in engine arguments so I’m having to drive it all manually on the command line, but I’ll be looking at a way to add support to the library. I’ll try and generate a pull request when I get something working.
1Because of it’s use with Bitlocker, a TPM is now required for all machines that want to be Windows 10 certified. This means my second Dell XPS13 also has one (it was an optional extra on the first version and not included in the Sputnik edition)
Over the last few years I’ve had a number of people approach me to help them build things with Node-RED, each time it’s not generally been possible to get as involved as I would have liked due to my day job.
Interest started to heat up a bit after I posted my series of posts about building Multi Tenant Node-RED systems and some of them sounded really interesting. So I have decided to start doing some contract work on a couple of them.
Node-RED asking for credentials
The best way for me to do this is to set up a company and for me to work for that company. Hence the creation of Hardill Technologies Ltd.
At the moment it’s just me, but we will have to see how things go. I think there is room for a lot of growth in people embedding the Node-RED engine into solutions as a way for users to customise event driven systems.
As well as building Multi-Tenant Node-RED environments I’ve also built a number of custom Node-RED nodes and Authentication/Storage plugins, some examples include:
If you are interested in building a multi-user/multi-tenant Node-RED solution, embedding Node-RED into an existing application, need some custom nodes creating or just want to talk about Node-RED you can check out my CV here and please feel free to drop me a line on tech@hardill.me.uk.
Where possible (and in line with the wishes of clients) I hope to make the work Open Source and to blog about it here so keep an eye out for what I’m working on.
