Autoprovision multiple existing devices without board integration

Hi,

We are looking into integrating with Mender in our next device production.

In the meanwhile, we would like to use Mender in our existing and already deployed devices, especially as a backup for SSH tunneling and implement a GitOps approach with Ansible installing our custom playbook similarly to @lueschem’s solution posted here.

We have about 50 devices so we don’t want to install them one by one. We can deploy files to them remotely without a problem, so we were thinking if it would be possible to:

  1. Deploy a PEM key to /var/lib/mender/mender-agent.pem
  2. Change /usr/share/mender/identity/mender-device-identity to use echo "internalId=$(hostname)" instead of the mac=...
  3. Generate all the preauthorized devices:

     DEVICE_PUBLIC_KEY="$(cat keys-client-generated/public.key | awk 1 ORS='\\n')"
     DEVICE_IDENTITY_JSON_OBJECT_STRING='{"internalId":"INTERNAL-04ae9388"}'
     curl -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" -X POST -d "{ \"identity_data\" : $DEVICE_IDENTITY_JSON_OBJECT_STRING, \"pubkey\" : \"$DEVICE_PUBLIC_KEY\" }" $MENDER_SERVER_URI/api/management/v2/devauth/devices

  4. Somehow trigger the devices to use this information? It’s not possible to use mender setup because it asks for login credentials. Or maybe we should just use the JWT for all of them together instead?

We are looking for a simple solution, which will allow us the above automation, just until we will start the next production, where we will have a board integration.

Hello @Shaked

thank you for trying Mender with another cool use case.
it is early morning here now, so please excuse if I am missing something, but if you have pre-generated keys deployed to devices, what is stopping you from using pre-authorization by posting the public keys and identity, and enjoying accepted devices as soon as they ask for authorization to access the server?

best regards,
peter

Hi Peter,

Maybe I have missed something, but once I have the pre-generated keys deployed to the devices, how do I tell the device to let mender know about its existence?

it happens automatically when the device calls for authorization. so the flow would be:

  1. generate the keys
  2. transfer the keys to device
  3. save the public keys for the next point
  4. call pre-authorization API to let the server know about the device
  5. on each device: start mender client, or call device API and live happily with your newly returned JWT, not to mention the cool live, smooth, fully interactive, colourful remote terminal to your accepted devices from the Mender web UI.

best regards,
peter

When I start the mender client I am asked to use my credentials, i.e:

Setting up the Mender client: The client will regularly poll the server to check for updates and report its inventory data.
Get started by first configuring the device type and settings for communicating with the server.

The device type property is used to determine which Mender Artifact are compatible with this device.
Enter a name for the device type (e.g. raspberrypi3): [internal-04ae9388]

Are you connecting this device to hosted.mender.io? [Y/n] y
Enter your credentials for hosted.mender.io
Email:

How can I avoid this?

If I understand correctly, I should somehow use the PEM file when setting the client up, like with -H 'X-MEN-Signature: string', right?

EDIT:

OK I figured what I was doing wrong - I have to use a Mender user’s credentials so that the device will be able to communicate with the server. Then it uses the previously generated .PEM to identify the device.

Few questions out of curiosity:

  1. Why do I need the JWT token if I already have the PEM? Wouldn’t it be enough to identify the device only with the PEM?
  2. Is there a quick copy-paste snippet to generate the X-MEN-Signature?
  3. Is there a way to add a user role that is only allowed to hit the preauthorized API? so that if the JWT has been stolen, the user won’t be able to generate more damage?

Glad to see people adopting the GitOps approach for IoT!


Hello @Shaked

I am sorry for the slight delay in answering. I am happy you are progressing.

  1. Why do I need the JWT token if I already have the PEM? Wouldn’t it be enough to identify the device only with the PEM?

The TenantToken in the config file (/etc/mender/mender.conf and by the way this file is all you need to get the devices to preauthorize and use Mender) is required to tell the Mender Server to which tenant the device is connected. There is a way to rely on the key: Mutual TLS authentication | Mender documentation

  2. Is there a quick copy-paste snippet to generate the X-MEN-Signature?

you could take a look at the example bash client: function generate_signature()

  3. Is there a way to add a user role that is only allowed to hit the preauthorized API? so that if the JWT has been stolen, the user won’t be able to generate more damage?

you can always use custom roles, but be aware if someone gets hold of the TenantToken it is still a serious breach, and RBAC will not fully resolve it.

have a good day,
peter