Changing device identity after field deployment

I have devices already deployed to the field, and I’m using the default implementation of mac=xx:xx:xx:xx:xx:xx as the output format for mender-device-identity. Although this satisfies the constraints of uniqueness and is locked to hardware, it isn’t particularly human friendly. I’d like to add a unique serial_number attribute to the identity set. In fact, I’m already sending this attribute as part of an inventory script.

It is my understanding that device identity should remain constant for the device lifetime:

The device identity must remain unchanged throughout lifetime of the device. Thus, it is advised to use attributes that will not change or are unlikely to change in the future.

By adding a serial_number attribute to the mender-device-identity script in addition to the mac attribute (whose implementation I’d leave unchanged), I’d be making the identity set a superset of the current identity. However, my understanding is that this would cause each device to be regarded as a new device, since the identity set is hashed together to form a unique ID from the server.

My use case is simply to add an alternate tag for identity that is easier to read. It appears this could be handled in at least two ways:

  1. Change mender-device-identity to output both mac and serial_number attributes, which would allow changing the displayed identifier in the web UI from mac to serial_number.
  2. Allow custom columns to be added to the device list table in the web UI. The columns could be chosen from either the identity or inventory attributes.

Although the web UI change would satisfy my use case, I’m wondering what the impact would be if I augmented the identity key set from [mac] to [mac, serial_number]. Would it be as simple as the following steps, or am I missing something?

  • Add serial_number output to mender-identity-script.
  • Push a Mender update to all devices containing the change.
  • Decommission every device.
  • Reauthorize every device using the new identity set.

I have recently done this myself. The 4 steps you describe will work. Please also note (as happened with me) that this applies even if you just need to change the key (column heading); in my case it was just lowercase ‘s’ to upper case ‘S’.

serial=xxxxxxxxxxxxx changed to
Serial=xxxxxxxxxxxxx

I had to Decommission/Reauthorize just for the column heading to change! So it’s safe to say that ANY change to id requires those 4 steps.

Have fun!

I believe your understanding is correct @nowls and thanks @ryanbedford for sharing.

Also note that we do have an upcoming feature (will be part of the upcoming 2.4 release), which we have labeled “Quick device filtering”, which will make it a bit easier to look up devices based on identity and inventory data.

This feature has been deployed already to https://hosted.mender.io and you can read a bit more here (at the end of the blog post).

This procedure did work for me. However, it might be worth adding a paragraph about this situation to the device identity and/or web UI documentation, since others like us may want to change the identity set after units have already been deployed. At first glance I was a bit worried that decommissioning a device might have an impact on the device itself vs. simply removing it from the web portal.

@mirzak thanks for the heads-up about the device filtering stuff. I’ll check it out on hosted Mender.
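
As an added example (not code from this thread and not Mender's shipped script), here is a sketch of the first step: an identity script that prints both mac and serial_number with fixed key names and refuses to print anything if either value is missing, so a device never presents a partial key set. The function name `emit_identity`, the path arguments, the serial file and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Mender's shipped script. Paths are passed in so the
# logic can be exercised offline; the serial number location is an assumption.

# emit_identity NET_DIR SERIAL_FILE
# Prints exactly two lines (mac=..., serial_number=...) or prints nothing and
# returns 1. It never falls back to a smaller key set, because a different
# key set is a different identity as far as the server is concerned.
emit_identity() {
    net_dir=$1
    serial_file=$2
    mac=""
    for dev in "$net_dir"/*; do            # glob order is sorted, so stable
        [ -r "$dev/address" ] || continue
        addr=$(tr 'A-F' 'a-f' < "$dev/address" | tr -d '[:space:]')
        [ "$addr" != "00:00:00:00:00:00" ] || continue   # loopback
        if printf '%s\n' "$addr" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            mac=$addr
            break
        fi
    done
    [ -n "$mac" ] || { echo "identity: no usable MAC" >&2; return 1; }

    [ -r "$serial_file" ] || { echo "identity: serial unreadable" >&2; return 1; }
    serial=$(tr -d '[:space:]' < "$serial_file")
    # Restrict the value so it cannot add lines or a second '=' to the output.
    if ! printf '%s\n' "$serial" | grep -Eq '^[A-Za-z0-9._-]+$'; then
        echo "identity: serial empty or malformed" >&2
        return 1
    fi

    # Key names are part of the identity: keep spelling and case fixed.
    printf 'mac=%s\nserial_number=%s\n' "$mac" "$serial"
}

# Constructed sample input standing in for /sys/class/net and a serial file.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/net/eth0" "$demo_dir/net/lo"
echo "DE:AD:BE:EF:00:01" > "$demo_dir/net/eth0/address"
echo "00:00:00:00:00:00" > "$demo_dir/net/lo/address"
echo "SN-000123" > "$demo_dir/serial"
emit_identity "$demo_dir/net" "$demo_dir/serial"
rm -rf "$demo_dir"
```

Running the function against the new image before pushing the update shows the exact key set the devices will present when they are reauthorized.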