Rpi Pre Setting a Static IP while not on that network

Question

I have a project where pi's have a particular (and peculiar) communcation purpose. It is irrelevant to the question.

What is relevant is that these go thru intermediate hands (like dealers) who set up id/comm protocols for end clients so they may communicate with them. No problem so far. Everything works as needed, and is pretty fine tuned. On DHCP.

Problem is that we are finding end users requiring static ip's pre assigned to the device (for various reasons). Some are corporate and it's not negotiable.

But by the time these ship to the intermediary (who ships to end user), ssh, tvservice, hdmi, are all disabled. The only communication is timed thru a port and via usbsticks which contain whitelisted configuration files at initial startup. So, the intermediary is on a network, creates a config.txt on usb and it is mounted @reboot cron for security codes, port handshake tests, etc. Two minutes, an entry into their excel to remember their security codes, and it's done. That's all they have to, or can, do.

So... for the static IP "needers", I have just made what I asssumed was a working routine for handling static IP assignments using a similar onboot routine to parse the info on a staticIP.txt file, that mimics by script the basic methods of changing to a static ip, that everyone uses. But instead of directly editing /etc/network/interfaces and /etc/resolv.cong by editor it does by script and shell, 1) copying the original two files, 2) trying to create tmp files to replace, and 3) swapping them out and restarting networking. And variations of that paradigm. It works by hand with text editors, but not by this scripting method. (all else does work - there's lots of decrypting/parsing already there - it's not a programming problem) But The Debian will not let itself be blinded - it finds the words gateway and netmask sees the intended IP's, tells me they're invalid, REPLACES THE IPs DURING THE TEXT INSERTION to what is current, and so now I'm back at square 2. (try it - I even created a simple string 'nameserver 8.8.8.8', and tried to write it alone (as a user and as root) to a hello_world.txt file, in /home, and it came out nameserver 192.168.1.0 (or close to that).) Same with gateway and netmask - I do not need to be near the interfaces file, the generated text string get's clobbered or edited, depending on my attempt.

Now this is with only ssh on (so I can write and test) - ssh will be off when it ships, but this needs work and more understanding. I imagine I'll end up prepping it so a flag warns @reboot there is a final script to run to edit these files - as the last setting at the intermediary place, so that when it reboots at the end user area, were the address, gateway, netmask, and nameservers are appropriate, the editing will be hopefully be allowed/completed. Remember - Once it leave my hands it is all automated and cut off from all normal communications.

So... How can I do this easier, (I can edit by hand to a static on one of our office networks - just not by user or sudo script). I will be trying removing it from a network for the final setup, I will try a number of things, but my intermediaries (consider them like "dealers") will not have any sophisticated abilities other than proper formatting of configuration and test files. Simple files - they wont be able to format a perfect /interfaces copy, cant expect that - I'll just be asking them to put in the appropriate address, gateway, etc. They wont want to turn off their DHCP, or do anything to their pretty much normal office networks where they set these up.

TO sum up (or clairfy): how to pre-setup a static IP, so when the pi is shipped, it is ready to work at the remote site. The OS sabotages attempts I'm trying. HDMI is already off, so I'm working on an image that will allow SSH only until I turn it off for duplication. I ultimately must use scripts for this - no problem. Perhaps some further insight into what (DHCLIENT prob) is stream correcting my input. I will be doing testing (trying the same scripts offline, etc), but I figure I'd put this out there now in case I'm missing something so simple that it's hard.

IFF this post ends up in an inappropriate place, MODS- feel free to move it.

Thanks

rew · Accepted Answer

You seem to be saying that when I do: "echo nameserver 8.8.8.8 > /tmp/a.txt" the operating system interferes and produces something else in that file?

That is NOT the case. Absolutely NOT.

You must be doing something else "wrong". Because I don't know what your scripts are, I don't know what is going wrong. It might be something like you echo nameserver $NAMESERVER >> somefile.txt, while the wanted nameserver is contained in the variable $nameserver, and somehow the current nameserver is in the variable $NAMESERVER.

If you need the network setup according to your own wishes, you can just do something like "manual eth0" in /etc/network/interfaces. Then ifconfig eth0 <ipnumber> in your script will bring the interface up. Don't forget the route and gateway. Or if dhcp is requested you start the dhclient from your script.

But putting the proper "interfaces" file in place should also work 100%.

Problemchild · Answer

Another thing Mark your question text is far too long and contains too much information not relevant to the question. you'll get more replies if what you want to know is expressed simply and clearly.

Former Member · Answer

Hi John - thanks - let me address your ideas and perhaps clarify the situation a bit.

Separate Logical Interfaces - yes, variations on that were (and still are) my first choice. But these units go out in moderate numbers, and while I can have separate files ready to move to into place prepped for specific information, or symlink to, or otherwise cause to be the defining interface file, I do not know what gateways and netmasks the dealer may encounter. Problem is getting those 4 or more ips into ANY file. The OS literally will let the string exist in a script, but will not allow the currently non official information into a file. I see the parsed and reconstructed string displayed on the terminal (via echo or print), yet once that script has moved that string into any file (even a /tmp/a.txt), (using bash cat > , php file put contents, python text.file write, user or sudo) the resultant string will have the have the end users IPs replaced with what is current. Not after reboot (that I can understand), but it is converted AS it is written to file. I cant get a distant staticip version of interfaces ready for use. Manually, sure, but scripting is watched.

After discussions yesterday, we believe it is a safety mechanism demanding human intervention (I can edit the file directly) that prevents malicious scripting from taking over the identity of the device. address = whatever IP is ok - and that makes sense as the pi has to allow the first half of a paired operation to happen (in anticipation of the router static IP being assigned), but since it does not allow printing to (any) file, a foreign gateway, (which would immediately blind it or reposition it) it must be deliberate.

Try putting "gateway (ip of your choice)" into a file - say staticip.txt put in netmask (ip) also as it would go into interfaces. One line after the other. Save and pair it with a script that gets the contents of that file and puts it in a variable. Have that script echo the variable - so you see that you have exactly what you want to drop or move into ../interfaces. Then have it create a file somewhere distant (like ~) and put the variable in, then look at contents of the file - the IPs are replaced. Even to a.txt at home.. I had to show this to my partner yesterday for him to believe it - its frikkin voodoo. I can put up example code if needed for proof but use your own 10 line program and watch. It happens even if I've removed the device from the network.

I cannot ask dealers to turn off dhcp, and some of the end users use only IPs with no DHCP so no foreign devices can get onto the network.

So I'm going to try turning off networking, (tho at the intermediary point it must be connected to the internet to test configuration) I'm also going to try subverting the process by obfuscating building the file (extra chars, then removed, or invert the string array and print it from end to beginning one char at a time). If I'm correct about a comprehensive anti-mallice oversight however, it probably will not allow cp, copy, mv, of the finally properly formatted file into place. (one simple attempt at that did fail) I could use a curses program, but that would leave a comm method open and these cards get locked up so tight that even I cannot re-open a comm method without using up a onetime cipher that allows me to upgrade the main script once it's in the field, should that ever be necessary. (I could for example turn tvservices back on via an upgraded script, but nononono - that's not a solution. A curses program for the dealer that, when finishes, shuts off terminal services, fine - but it's not in our paradigm to have the unit leave here with any vulnerability open - there are some smart guys at the other end and I've no confidence I can absolutely prevent other use of the service prior to curses finishing. (could be a last resort, but...) I may have to have the final boot with info done at the end user, but while some are very sophisticated, that would be a drawback, and competition can arise.

I'm going to be trying them all, and will keep you posted, but if anyone has insight into the interfering process (stream editing when script printing to file) I've so far seen exhibited, it would be appreciated. Really appreciated. It's the real roadblock. Other workaround ideas would be appreciated also, but it shouldn't be this hard. I must assume I'm missing something simple. Or it's standard security I've never had cause to notice, as I'm usually doing this sort of thing for a particular local purpose, and manually. Thanks. This is humbling...