A problem of user permissions in Node-RED

[Daniele.tampieri]

Hello to everybody.
I have just purchased a RevPi Connect 5 and, following the standard RevPi procedure, I've enabled Node-RED, updated all the software and configured the RevPi DO in order to enable the outputs and inputs I need for my application. Initially I thought I should enable also the Node-RED user password access and did so: nevertheless, later I found that, for the application I was developing, this is not important thus I disabled it from the Cockpit Console and then proceed with the development.
Then the problem.
I want to drive a group of 24V actuators (maybe LED lamps or relays) and correspondingly I should play a video on a monitor connected to the RevPi Connect 5 HDMI output. The part of code driving the actuators works perfectly, while the video player does not.
It is not a problem of the RevPi itself, nor a problem of the code: indeed if I login to the pi console (ssh pi@RevPixxxxxx) and launch the following command (to play one of the videos)

Code: Select all

mpv --fs /home/pi/Videos/video1.mp4

all works perfectly. Moreover if I launch the associated flow on the Node-Red installation on my Mac, i.e. the following one

where the "Video Player" node is a "exec" node whose the embedded command is exactly the above one and the injected payloads are "home/pi/Videos/video1.mp4", "home/pi/Videos/video2.mp4", etc. and everything works perfectly.
Nevertheless, running it on the RevPi Node-RED gives me the following error message:

Code: Select all

[file] Cannot open file '/home/pi/Videos/video1.mp4': Permission denied
Failed to open /home/pi/Videos/video1.mp4.

Exiting... (Errors when loading file)

and if I try to move the video files to another directory whit all permission enabled, i.e. if I modify the payloads to be "/media/video1.mp4", "/media/video2.mp4", etc. I get the following two error messages:

Code: Select all

1/10/2025, 09:55:33node: video out
msg.payload : string[1279]
string[1279]
 (+) Video --vid=1 (*) (h264 640x360 30.000fps)
 (+) Audio --aid=1 (*) (aac 2ch 48000Hz)
[vo/gpu] Can't open TTY for VT control: No such device or address
[vo/gpu/opengl] Failed to set up VT switcher. Terminal switching will be unavailable.
[vo/gpu/opengl] No primary DRM device could be picked!
[vo/gpu/opengl] Failed to find a usable DRM primary node!
[vo/gpu/opengl] Failed to create KMS.
[vo/gpu-next] Can't open TTY for VT control: No such device or address
[vo/gpu-next/opengl] Failed to set up VT switcher. Terminal switching will be unavailable.
[vo/gpu-next/opengl] No primary DRM device could be picked!
[vo/gpu-next/opengl] Failed to find a usable DRM primary node!
[vo/gpu-next/opengl] Failed to create KMS.
[vo/sdl] Using opengl
[vo/sdl] Warning: this legacy VO has bad performance. Consider fixing your graphics drivers, or not forcing the sdl VO.
[ao/pipewire] Could not connect to context '(null)': Host is down
[ao/alsa] Playback open error: No such file or directory
[ao/jack] canno...

and

Code: Select all

1/10/2025, 09:55:33node: video err
msg.payload : string[7164]
string[7164]
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Opening /dev/dri/renderD128 failed: Permission denied
TU: error: ../src/freedreno/vulkan/tu_knl.cc:315: failed to open device /dev/dri/renderD128 (VK_ERROR_INCOMPATIBLE_DRIVER)
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Opening /dev/dri/renderD128 failed: Permission denied
TU: error: ../src/freedreno/vulkan/tu_knl.cc:315: failed to open device /dev/dri/renderD128 (VK_ERROR_INCOMPATIBLE_DRIVER)
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
libEGL warning: failed to open /dev/dri/renderD128: Permission denied

libEGL warning: failed to open /dev/dri/renderD128: Permission denied

libEGL warning: failed to open /dev/dri/card0: Permission denied

Failed to create random directory /tmp/pulse-PKd...

How should I proceed? Should I erase the Node-RED installation and rebuild it from scratch?

[Daniele.tampieri]

An update: if I restart the flow, I get the following message

Code: Select all

1/10/2025, 11:17:48
msg : string[567]
string[567]


---------------------------------------------------------------------
Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.
---------------------------------------------------------------------
1/10/2025, 11:17:48
msg : string[31]
"Encrypted credentials not found"

Maybe this helps in finding possible solution.

[RevPiModIO]

Hi Daniele!

Node-RED is operated on the Revolution Pi in a systemd "sandbox" and runs as user "nodered". This secures the system, but also brings restrictions. For example, it is not possible to call up commands with "sudo" and the entire file system is only readable, except for the path `/var/lib/revpi-nodered`.

If you want to access devices, so everything in the folder `/dev`, this is still possible. Here it only needs to be checked which authorization is required. The user `nodered` must then be added to certain groups.

In your example:

Code: Select all

ls -lah /dev/dri/

crw-rw----  1 root video  226,   0  2. Okt 08:09 card0
crw-rw----  1 root video  226,   1  2. Okt 08:09 card1
crw-rw----  1 root render 226, 128  2. Okt 08:09 renderD128

In this case, the user `nodered` must be added to the groups `video`. You can do this e.g. via the terminal with `sudo usermod -a -G video nodered`.

Sven

[Daniele.tampieri]

Thank you very much, Sven. I'll apply your solution soon as possible. By the way is there also a "printer" (maybe "cups") group? I am asking this since the flow I am designing need also a printing part that has not been tested yet (due to momentary unavailability of the USB printer), so I wonder if I should add the "nodered" user to such a group.

[Daniele.tampieri]

Sven, I added user nodered to the "video" group, and created a directory `/var/lib/revpi-nodered/Videos` where I loaded all the videos I want to play: nevertheless, when I run the command

Code: Select all

mpv --fs /var/lib/revpi-nodered/Videos/video1.mp4 

I do not see anything on the screen and get the following error messages, similar to the ones I already got without the user nodered added to the proper group: is there some other parameter to set?

Code: Select all

 5/10/2025, 10:25:24node: video out
msg.payload : string[1232]
string[1232]
 (+) Video --vid=1 (*) (h264 640x360 30.000fps)
 (+) Audio --aid=1 (*) (aac 2ch 48000Hz)
[vo/gpu] Can't open TTY for VT control: No such device or address
[vo/gpu/opengl] Failed to set up VT switcher. Terminal switching will be unavailable.
[vo/gpu] Failed to commit ModeSetting atomic request (-13)
[vo/gpu/opengl] Failed to set CRTC for connector 32: Permission denied
[vo/gpu-next] Can't open TTY for VT control: No such device or address
[vo/gpu-next/opengl] Failed to set up VT switcher. Terminal switching will be unavailable.
[vo/gpu-next] Failed to commit ModeSetting atomic request (-13)
[vo/gpu-next/opengl] Failed to set CRTC for connector 32: Permission denied
[vo/sdl] Using opengl
[vo/sdl] Warning: this legacy VO has bad performance. Consider fixing your graphics drivers, or not forcing the sdl VO.
[ao/pipewire] Could not connect to context '(null)': Host is down
[ao/alsa] Playback open error: No such file or directory
[ao/jack] cannot open server
[ao/sdl] could not open audio: AL...

and

Code: Select all

5/10/2025, 10:25:24node: video err
msg.payload : string[7206]
string[7206]
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
failed to open /dev/dri/renderD128: Permission denied
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Opening /dev/dri/renderD128 failed: Permission denied
TU: error: ../src/freedreno/vulkan/tu_knl.cc:315: failed to open device /dev/dri/renderD128 (VK_ERROR_INCOMPATIBLE_DRIVER)
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
failed to open /dev/dri/renderD128: Permission denied
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Opening /dev/dri/renderD128 failed: Permission denied
TU: error: ../src/freedreno/vulkan/tu_knl.cc:315: failed to open device /dev/dri/renderD128 (VK_ERROR_INCOMPATIBLE_DRIVER)
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
error: XDG_RUNTIME_DIR is invalid or not set in the environment.
libEGL warning: failed to open /dev/dri/renderD128: Permission denied

libEGL warning: failed to open /dev/dri/renderD128: Permission denied

Failed...

I stress also that when I'm working on the terminal, my command runs flawlessly, thus the problem has sul

[RevPiModIO]

Hi Daniele!

For the second error, the user "nodered" would also have to be added to the "render" group.

Code: Select all

crw-rw----  1 root video  226,   0 Oct 13 07:26 card0
crw-rw----  1 root video  226,   1 Oct 13 07:26 card1
crw-rw----  1 root render 226, 128 Oct 13 07:26 renderD128

Also with `sudo usermod -a -G render nodered`.

The first error that the system can not change the terminal could be due to the systemd sandbox. Can you first try adding the user "nodered" to the "render" group? If this still does not work, we could disable the sandbox settings if necessary.

Sven

[RevPiModIO]

Hi Daniele!

I tested it on my one. My setup is a RevPi Connect 4 with the 250801-bookworm image. I connected a monitor to the micro HDMI.

I then added the following groups to the user nodered.

Code: Select all

sudo usermod -a -G audio nodered
sudo usermod -a -G render nodered
sudo usermod -a -G video nodered

My Node-RED flow looks like this:

When I click in the inject node, the video plays on my display.

I get the following output on the "stdout":

Code: Select all

 (+) Video --vid=1 (*) (h264 720x1280 29.916fps)
 (+) Audio --aid=1 (*) (aac 2ch 44100Hz)
[vo/gpu] Can't open TTY for VT control: No such device or address
[vo/gpu/opengl] Failed to set up VT switcher. Terminal switching will be unavailable.
[vo/gpu/opengl/kms] Could not find any preferred mode. Picking the first mode.
AO: [alsa] 44100Hz stereo 2ch float
VO: [gpu] 720x1280 yuv420p

Exiting... (End of file)

On "stderr" I get some errors and my exit code is not zero, but the video is playing...

Code: Select all

XDG_RUNTIME_DIR is invalid or not set in the environment.
[W][00241.504769] pw.conf      | [          conf.c: 1214 try_load_conf()] can't load config client.conf: No such file or directory
[E][00241.504971] pw.conf      | [          conf.c: 1243 pw_conf_load_conf_for_context()] can't load config client.conf: No such file or directory
Failed to create random directory /tmp/pulse-PKdhtXMmr18n: Read-only file system
Failed to symlink /var/lib/revpi-nodered/.config/pulse/acc5971b15e6490bbc3991595b0be4af-runtime.tmp: Read-only file system

[KAV: 00:00:00 / 00:00:23 (0%) A-V:  0.000
[KAV: 00:00:00 / 00:00:23 (0%) A-V:  0.044
[KAV: 00:00:00 / 00:00:23 (1%) A-V:  0.013 Dropped: 1
[KAV: 00:00:00 / 00:00:23 (1%) A-V:  0.001 Dropped: 1
[KAV: 00:00:00 / 00:00:23 (2%) A-V:  0.001 Dropped: 1
[KAV: 00:00:00 / 00:00:23 (2%) A-V:  0.000 Dropped: 1
[KAV: 00:00:00 / 00:00:23 (3%) A-V:  0.000 Dropped: 1
[KAV: 00:00:00 / 00:00:23 (4%) A-V:  0.000 Dropped: 1
[KAV: 00:00:01 / 00:00:23..."

Sven