Name: Frequently Asked Questions
File: FAQ
Date: 27 December 2000
Auth: Russell Kroll <rkroll@exploits.org>

-----------------------------------------------------------------------------

 Q: My UPS-specific support program (apcsmart, genericups, etc) says 
    "Unable to open /dev/ttyxx".  I'm starting it as root and root owns
    the device, so why doesn't it work?

 A: The programs give up root _before_ they open the serial port.  So, you
    should change the permissions on the port around so that their   
    running userid can open it.  Typically this corresponds to the user
    "nobody".  If you use the --with-uid option to configure, it may be
    something else.

    Having a "ups" user that owns the serial port might not be such a bad
    idea...

-----------------------------------------------------------------------------

 Q: upsc, multimon, and the other programs give me "access denied".  The
    serial port permissions are fine, so what gives?

 A: Those programs only talk over the network.  That denied message is
    coming over it from upsd.  It's denying them since they don't have
    permission to talk to it according to the access controls.

    The fix is to edit the upsd.conf to allow those hosts to do what they
    need.  Simple things like upsstats and upsc only need "monitor" level
    security while upsmon needs "login" or "master" to be functional.

-----------------------------------------------------------------------------

 Q: I have a Smart-UPS connected with the grey APC cable and it won't
    work.  The Back-UPS type in the generic driver works but then I 
    don't get to use all the nifty features in there.  Why doesn't the 
    right driver work?

 A: The problem lies in your choice of cable.  APC's grey cables
    generally only do "dumb" signalling - very basic yes/no info about
    the battery and line status.  While that is sufficient to detect a
    low battery condition while on battery, you miss out on all the
    goodies that you paid for.

    Note that the 940-0095B, while grey, is actually a dual mode cable
    and can be used with the apcsmart driver in conjunction with the -c
    argument.  All other grey cables from APC are assumed to be "dumb".

    If your grey cable isn't the 940-0095B, the solution is to dump that
    cable and find one that supports APC's "smart" signalling.  Typically
    these come with the UPS and are black.  If your smart cable has
    wandered off, one can be built rather easily with some connectors and
    cable - there's no fancy wiring or resistors.

    See this URL for a handy diagram:

    http://www.exploits.org/nut/library/940-0024C.jpg

    That should give you a workable clone of APC's 940-0024C cable.
    There are simpler solutions involving 3 wires that work just fine
    too, but Powerchute won't find the loopback DTR-DCD and RTS-CTS and
    will be annoyed.  If you don't ever plan to use Powerchute, 3 wires
    (RxD, TxD, GND) are sufficient.

    It should also be noted that the genericups driver has no way to detect
    the UPS, so it will fire up quite happily if it can open the serial
    port.  Merely having it start up is not necessarily an indication
    of success.  You should start it and then check the status with upsc
    or similar to be sure that it's reading the hardware properly.

-----------------------------------------------------------------------------

 Q: configure tells me to go get gd, but I have it installed!  Why isn't it
    finding the one I installed?

 A: Chances are, you have installed gd 1.6 (or higher) which includes PNG
    support and totally eliminates GIF.  But, you don't have the PNG libs
    on your system, so gd didn't compile them in.  So, you need to go get
    libpng, install that, recompile gd, THEN rerun configure.

    Start here: http://www.libpng.org/pub/png/pngcode.html

 A: It seems like everyone and their brother has a different place for
    installing the gd includes and libraries.  If your system uses some
    bizarre location for these files, be sure to set the CPPFLAGS and CFLAGS
    accordingly with -L and -I arguments so that the linker and compiler
    can find everything.

-----------------------------------------------------------------------------

 Q: gd can't find zlib.h, so what do I do now?

 A: Go get zlib, install it, then try building gd again.

    Find zlib here: http://www.cdrom.com/pub/infozip/zlib/

-----------------------------------------------------------------------------

 Q: Now gd can't find png.h, so what do I need this time?

 A: libpng.  Get it, install it, and then start the gd make again...

    libpng is here: http://www.libpng.org/pub/png/pngcode.html

-----------------------------------------------------------------------------

 Q: libpng doesn't seem to have a Makefile, so how do I build it on my
    Linux box?

 A: Besides "RTFM", perhaps you should do copy scripts/makefile.linux to
    Makefile (in the libpng directory) and then try it again.

-----------------------------------------------------------------------------

 Q: OK, I built libpng and gd, so why is configure saying "no (cached)"
    for the gdImagePng detection line?

 A: configure is being a bit too clever for its own good.  rm config.cache
    and try it again.  Then it will figure out how things are set up now.

-----------------------------------------------------------------------------

 Q: My web browser used to be able to show the graphs, but then I upgraded
    NUT and it stopped.  Why?

 A: Some older browsers can't handle PNGs, and upsimage.cgi now uses those 
    exclusively.  You can either upgrade to a version that handles the PNG 
    format or hack the upsimage code to use an older version of gd.

    You really should find a newer browser, as GIF support has been dead
    for quite some time now.

    See http://www.burnallgifs.org/ for more information on this change.

-----------------------------------------------------------------------------

 Q: What about Y2K compliance and this software?

 A: That's pretty much a moot point now, isn't it?

    No problems were reported.

    As for 2038, well, that's another story.

-----------------------------------------------------------------------------

  Q: My upsstats pages now have broken images where the bars used to be,
     and running upsimage.cgi by hand gives me something about libgd.so.0
     not being found.  How do I fix this?

  A: There was at least one version of gd in the past which built shared
     libraries.  Recent versions appear to have dumped configure and have
     a simple build process again.  Try upgrading gd if you want to be
     current.

     If your version is really using shared libraries, run ldconfig or
     its equivalent to rebuild the cache.  Then it should work.

-----------------------------------------------------------------------------

  Q: Why doesn't upsd implement the functionality of upsmon?  I have to
     run THREE programs to monitor my UPS!

  A: I try to follow the "tool for the job" philosophy.  It may mean more
     programs running, but the flexibility you get is usually worth it.

     Yes, the machine with the UPS attached will generally have 3 processes
     (model driver, upsd, upsmon) running, but this design allows a much
     bigger setup.  Imagine a data room with a bunch of machines all drawing
     power from the same UPS.  The rest of them just run upsmon.

     Besides, if upsmon were rolled into upsd, upsd would get even bigger
     than it is now.  You'd have one less process, but the RAM consumption
     would be pretty close to now.

     See data-room.txt for more configuration ideas and explanations.

-----------------------------------------------------------------------------

  Q: Why doesn't upsmon send a SIGPWR signal to init so it can deal with
     power events?

  A: New versions of the init man page taken from the sysvinit package
     are saying that usage of SIGPWR is discouraged.  (Since /dev/initctl 
     control channel is the preferred way of communication.)

  A: The name of the game is portability.  Not everyone's init handles that
     kind of signalling gracefully.  What's more, some admins might want to
     do things differently even if they have that kind of init running.

     So, to be compatible, upsmon just invokes a shell command.  If you
     want to use init's SIGPWR stuff, just put the right "kill" line in
     a shell script and make upsmon call it.  Everyone wins.

-----------------------------------------------------------------------------

  Q: Why can't upsset read my upsset.passwd file?

  A: This file gets installed by default to have tight permissions -
     owned by root, only accessible by root.  That's both good and bad.
     Good since it keeps random users out, but bad since one of those
     random users is usually your web server.

     If your web server runs as nobody, then change the ownership to
     nobody.  That means anything running with that userid can get to the
     file, so consider the consequences.  Maybe it would be better if
     upsset.cgi was suid (to "ups", perhaps) and then _that_ userid 
     owned the file.

     In any case, it's done this way to make you think about the security
     implications before jumping right into things.

  A: Having upsset make the decisions about users is silly, and fixing that
     is on the long term to-do list.  upsd should know about these things,
     so that all control can be brought down from a single file.

     Consider this a temporary wart.

-----------------------------------------------------------------------------

  Q: Why won't bestfort talk to my Best Fortress UPS?

  Q: Why won't bestups talk to my Best Fortress UPS?

  A: bestfort handles some older / "traditional" models that tend to be
     black.  bestups is designed around the somewhat newer "Phoenix"
     protocol that seems to be associated with beige units.  If one model
     driver doesn't work, try the other one.

-----------------------------------------------------------------------------

  Q: Why do upsc (or any of the client programs) say "no such variable"
     when I try to run them?

  A: Usually this means that upsd has no data available for that UPS.
     Check your UPS lines in the upsd.conf and make sure that the path
     agrees with the location that the model driver is using.

-----------------------------------------------------------------------------

  Q: My system has an ATX power supply.  It will power off just fine, but
     it doesn't turn back on.  What can I do to fix this?

  A: This depends on how clueful your motherboard manufacturer is, and
     isn't a matter of the OS.  You have to do one of the following things
     depending on what's supported:

     - Set a jumper on the motherboard that means "return after outage"

     - Set something in the BIOS that says "power up after power failure"

     - Hack the cable between the power supply and the motherboard to fool
       it into powering up whenever line power is present

     - Buy a monkey to watch for power outages and press the power button
       when it returns, thus bringing the machine online again.

       This can work, but eventually leads to high produce bills.

     If you can't use one of the first two options, give the board to
     an enemy.  Let them worry about it.

-----------------------------------------------------------------------------

  Q: I want to keep the model drivers and upsd in their own security domains.
     How can this be accomplished?

  A: Using a few role accounts and a common group, you can limit access to
     resources such as the serial port(s) leading to the UPS hardware.

     This is just an example.  Change the values to suit your systems.

     Create a user called 'nutdev' and another called 'nutsrv'.  Put them
     both in a group called 'nut'.

     Change the owner of any serial ports that will be used to nutdev, and
     set the mode to 0600.  Then change the ownership of your state
     directory (usually /var/state/ups) to nutdev.nut.

     For my development system this yields the following /dev entries:

     0 crw-------   1 nutdev   tty        4,  64 Sep  3 17:11 /dev/ttyS0
     0 crw-------   1 nutdev   tty        4,  65 Sep  3 17:11 /dev/ttyS1

     Start the model driver(s) with su, like so:

     # su nutdev -c "/usr/local/ups/bin/apcsmart /dev/ttyS0"
     # su nutdev -c "/usr/local/ups/bin/fentonups /dev/ttyS1"

     The listing for /var/state/ups then looks like this:

     4 drwxr-xr-x   2 nutdev   nut          4096 Aug 20 18:37 .
     4 drwxr-xr-x   4 root     root         4096 May 14 21:20 ..
     4 -rw-r-----   1 nutdev   nut            44 Sep  3 17:10 apcsmart-ttyS0
     4 -rw-r-----   1 nutdev   nut            44 Sep  3 17:10 fentonups-ttyS1

     You may have to remove old state files first if you are changing to
     this security scheme from an older install.  The models will create
     new ones with the right ownership and modes.

     Finally, start upsd:

     # su nutsrv -c "/usr/local/ups/bin/upsd"

     Check your syslog to be sure everything's happy, then be sure to
     update your startup scripts so it uses this procedure on your next
     boot. 

-----------------------------------------------------------------------------

  Q: Why doesn't upsmon shut down my system?  I pulled the plug and nothing
     happened.

  A: Wait.  upsmon doesn't consider a UPS to be critical until it's both
     'on battery' and 'low battery' at the same time.  This is by design.
     Every UPS supports the notion of detecting the low battery all by
     itself.  When the voltage drops below a certain point, it _will_ let
     you know about it.

     If your system has a really complicated shutdown procedure, you
     might need to shut down before the UPS raises the low battery flag.
     For most users, however, the default behavior is adequate.

     Ask yourself this: why buy a nice big UPS with the matching battery
     and corresponding runtime and then shutdown early?  If anything, I'd
     rather have a few more minutes running on battery during which the
     power might return.  Once the power's back, it's business as usual
     with no visible interruption in service.

     If you purposely shut down early, you guarantee an interruption in
     service by bringing down the box.

     See upssched.txt for information on how you can shutdown early if
     this is what you really want to do.

-----------------------------------------------------------------------------

  Q: The CGI programs report "access to that host is not authorized" - 
     what's going on?

  A: Those programs need to see a host in your hosts.conf before they
     will attempt communications.  This keeps people from feeding it
     random data to the programs and annoying others via your system.

     If your hosts.conf turns out to be configured correctly with 
     MONITOR entries and all that, check the permissions.  Your web
     server may be running the CGI programs as a user that can't read
     the file.

-----------------------------------------------------------------------------

  Q: Occasionally there are nebulous references to "the big todo list".
     Where can I see it and what's on it?

  A: There is such a file, but it contains lots of things that may never
     come to fruition.  Since I don't like to play the vaporware game, 
     this file stays low-key and away from prying eyes.

     If you want to know what's coming up, watch the release announcements.
     Each one shows the next phase of development plus some general 
     information on the step after that.

-----------------------------------------------------------------------------
