Antminer L3+ not executing privileged API calls

[guibe80]

Hi there:

I have some Antminer L3+ that I'd love to control remotely and change pools dynamically. I'm using Minera to connect to my Antminers but the command change pool doesn't work. It says that "Access denied to 'switchpool' command". At the beginning, I thought it was a Minera problem but then I checked directly if the miner was executing this command in the 'localhost' but it didn't work either.

In short, I SSH to my Antminer and I run the following command with the following response:

Code:

~# echo "switchpool|1" | nc 127.0.0.1 4028
STATUS=E,When=1518091745,Code=45,Msg=Access denied to 'switchpool' command,Description=cgminer 4.9.0|

I can run stats commands and get a positive reply like:

Code:

echo '{"command":"stats"}' | nc localhost 4028

Then, I decided to dig in a little bit into the configuration of the cgminer. I'm trying to adjust the file /config/cgminer.conf. The default file has the following parameters:

Code:

"api-listen" : true,
"api-network" : true,
"api-groups" : "A:stats:pools:devs:summary:version",
"api-allow" : "A:0/0,W:*",
"bitmain-use-vil" : true,
"bitmain-freq" : "384"

I have changed the "api-allow" to "api-allow" : "A:127.0.0.1, 192.168.0.18,W:127.0.0.1,192.128.0.18". Where the 192.128.0.18 is the address of my minera server. But still, I'm not able to execute the "switchpool" command neither locally nor remotely. Is there any configuration that I have to use to execute privileged commands? According to the Readme.md https://github.com/ckolivas/cgminer/blob/master/API-README the W group should be able to execute all the commands but it ain't my case.

Thanks for your help!

[Bill48105]

Not sure if you ever figured this out or gave up but I found this thread searching for answers so figured I'd reply with the fix in case anyone else stumbles in here since I spent a lot of time searching for a fix.

This is working for me:

Code:

"api-groups" : "A:stats:pools:devs:summary:version:switchpool,P:switchpool",
"api-allow" : "A:0/0,W:*,P:127.0.0.1",

Code:

echo "switchpool|2" | nc 127.0.0.1 4028
STATUS=S,When=1544249013,Code=27,Msg=Switching to pool 2:'stratum+tcp://zzzz:3333',Description=cgminer 4.10.0|

Seems the "trick" is to be sure to add the commands to api-groups but as a new group named P (can use any letter besides A or W) and then it seems if I didn't add them to the A group as well I'd still get access denied..  For some reason using W in place of P would not work for me.  So not sure if that's modified by Bitmain in bmminer or standard cgminer functionality but I sure wasted too much time on something so trivial.

You can easily add your local LAN range to api-allow with 192.168.1.0/24 or specific IP's is better yet.

I ended up editing the strings in /www/pages/cgi-bin/set_miner_conf.cgi so that the conf isn't clobbered upon saving Miner Configuration in the web admin.

Btw some notes for anyone else reading this.. I left the W:* allow in there because it was "stock", but from what i can tell they might have mixed up the wildcard formatting unless * happens to mean deny all.. lol  The docs show W:0/0 as format to allow all for a particular group (probably a very bad idea to set this for obvious reasons..) but the docs do show for api-groups you can add :* to mean "all commands".  I didn't bother testing it but I suspect adding :* to end of A might do the trick but that opens up all read-only commands to "the world" so maybe not ideal even if it did work.

[efudd]

Not sure if you ever figured this out or gave up but I found this thread searching for answers so figured I'd reply with the fix in case anyone else stumbles in here since I spent a lot of time searching for a fix.

This is working for me:

Code:

"api-groups" : "A:stats:pools:devs:summary:version:switchpool,P:switchpool",
"api-allow" : "A:0/0,W:*,P:127.0.0.1",

Code:

echo "switchpool|2" | nc 127.0.0.1 4028
STATUS=S,When=1544249013,Code=27,Msg=Switching to pool 2:'stratum+tcp://zzzz:3333',Description=cgminer 4.10.0|

Seems the "trick" is to be sure to add the commands to api-groups but as a new group named P (can use any letter besides A or W) and then it seems if I didn't add them to the A group as well I'd still get access denied..  For some reason using W in place of P would not work for me.  So not sure if that's modified by Bitmain in bmminer or standard cgminer functionality but I sure wasted too much time on something so trivial.

You can easily add your local LAN range to api-allow with 192.168.1.0/24 or specific IP's is better yet.

I ended up editing the strings in /www/pages/cgi-bin/set_miner_conf.cgi so that the conf isn't clobbered upon saving Miner Configuration in the web admin.

Btw some notes for anyone else reading this.. I left the W:* allow in there because it was "stock", but from what i can tell they might have mixed up the wildcard formatting unless * happens to mean deny all.. lol  The docs show W:0/0 as format to allow all for a particular group (probably a very bad idea to set this for obvious reasons..) but the docs do show for api-groups you can add :* to mean "all commands".  I didn't bother testing it but I suspect adding :* to end of A might do the trick but that opens up all read-only commands to "the world" so maybe not ideal even if it did work.

W:0/0 isn't bad unless your network is wide open... and it shouldn't be.

Jason