Feedback on Geolocation from 3rd party as part of default inventory

Hi everyone,

We would like to add geolocation information by default to Mender, as this is often used to make decisions about software updates and to order deployments (e.g. deploy to Europe first, then the east coast of the US). It turns out this can be achieved quite easily with an inventory script run on the device; you can see the PR here: https://github.com/mendersoftware/mender/pull/539

It does raise a potential privacy/security question though. In this PR the device would periodically call https://ipvigilante.com to convert the device IP to location information.

Our current thinking is that as long as this is clear and easy to disable (simply remove the script) we can provide it as part of the default installation of Mender.

We would like to hear your opinion on this, and if you have seen similar cases for other tools or products you are working with.


Adding geolocation from a 3rd party to the default is good. However, we should explicitly mention this in the documentation, somewhere easily accessible and visible to people, to avoid confusion.
How about adding this change, and how to remove it if required, to the production version page?
We already mention the mender demo layer removal and default security changes here.

Also, I would like to know how this feature is handled if someone is using proxy servers or a VPN for their connection (where the actual geolocation might be different)?

Hi @ajithpv

Thanks, this makes a lot of sense.


In this case it probably will not work, as it is based on the IP address, and other means have to be used for geolocation.

I consider the script we add to be mostly for demonstration purposes (as is really the case with all the inventory scripts we install), to show one (simple) way of doing geolocation.


@mirzak, @ajithpv, @eystein

Objective: How to disable geolocation (the "/usr/share/mender/inventory/mender-inventory-geo" script) in Mender OTA deployment.
Problem: Getting an issue of blocked URL https://ipvigilante.com

ISO Image: Ubuntu 18.04.3 LTS (Bionic beaver) Desktop image
Device architecture: x86_64
Mender Server version: integration-2.1.0 (Hosted on EC2 instance)

Currently I am using mender-convert (2.0.X) to generate sdimg & .mender artifacts, but for the last few days we have been getting the issue of the blocked URL https://ipvigilante.com in the Mender OTA deployment.
Could you please assist me or suggest how to disable/remove this geolocation inventory for Mender OTA artifact deployment?

Just remove the following file: /usr/share/mender/inventory/mender-inventory-geo.

@mirzak

I removed this script in the system booted with the mender .sdimg and then restarted the mender-client.service. The device was notified on the Mender server UI and I accepted this device, but after that the "Device inventory" is frozen at "Waiting for inventory data from the device". It has been waiting a long time (4-5 hours) but still shows the same status.
This means the inventory update fails, and the deployment also does not work.
Any suggestion on this issue, please?

Is there any way to remove it from the mender-convert tool, because I have observed that the mender-convert tool is using *.deb files to fetch Mender components (e.g. mender-client, etc.) from the mender-convert-modify script file?

What happens if you decommission the device and let it connect again?

As for removing the file in mender-convert, your best bet would be to use a PLATFORM_PACKAGE_HOOKS entry that removes it.

Drew
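As an added illustration of the hook approach above (example code, not from the thread or from the mender-convert project): a function that deletes the geolocation inventory script from an image rootfs tree, and a small audit helper that lists which remaining inventory scripts contain an outbound http(s) URL, so a deployer can see which scripts phone home before the image ships. The rootfs location (mender-convert's work/rootfs) and the hook wrapper name are assumptions.

```shell
#!/bin/sh
# Added example, not mender-convert's own code. Functions take the rootfs
# directory as $1 so they can be exercised on any unpacked tree.

GEO_SCRIPT="usr/share/mender/inventory/mender-inventory-geo"

# Delete the third-party geolocation inventory script from a rootfs tree.
# Returns 0 whether or not the file existed, so the hook never fails a build.
remove_geo_inventory() {
    rootfs="$1"
    if [ -f "$rootfs/$GEO_SCRIPT" ]; then
        rm -f "$rootfs/$GEO_SCRIPT"
        echo "removed $GEO_SCRIPT"
    fi
    return 0
}

# Print "<script>: <first url>" for every inventory script under the rootfs
# that embeds an http(s) URL; prints nothing when none do.
audit_inventory_urls() {
    rootfs="$1"
    dir="$rootfs/usr/share/mender/inventory"
    [ -d "$dir" ] || return 0
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        url=$(grep -E -o 'https?://[^[:space:]"]+' "$script" | head -n 1)
        [ -n "$url" ] && echo "$(basename "$script"): $url"
    done
    return 0
}

# Hook wrapper for a mender-convert config (assumed layout: the image rootfs is
# unpacked at work/rootfs when PLATFORM_PACKAGE_HOOKS run). Register it with:
#   PLATFORM_PACKAGE_HOOKS+=(platform_remove_geo_inventory)
platform_remove_geo_inventory() {
    remove_geo_inventory "work/rootfs"
}
```

Run the audit against the finished rootfs as well; an empty result means no inventory script left in the image carries an outbound URL.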

@drewmoseley

When I decommission the device and connect it again, the Mender UI is not fetching device inventory data, as shown in the screenshot below:
"Waiting for inventory data from the device"

Can you provide the output from running the following on the device?

sudo journalctl -u mender-client

@drewmoseley

Below is the "sudo journalctl -u mender-client" log output.

-- Logs begin at Sat 2020-09-26 13:14:45 EDT, end at Wed 2020-11-18 22:44:55 EST. --
Nov 18 05:03:11 alto-VirtualBox systemd[1]: Started Mender OTA update service.
Nov 18 05:03:11 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:11-05:00" level=info msg="Loaded configuration file: /var/lib/mender/mender.conf"
Nov 18 05:03:11 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:11-05:00" level=info msg="Loaded configuration file: /etc/mender/mender.conf"
Nov 18 05:03:11 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:11-05:00" level=info msg="Mender running on partition: /dev/sda2"
Nov 18 05:03:11 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:11-05:00" level=info msg="State transition: init [none] -> init [none]"
Nov 18 05:03:11 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:11-05:00" level=info msg="State transition: init [none] -> idle [Idle]"
Nov 18 05:03:11 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:11-05:00" level=info msg="State transition: idle [Idle] -> authorize-wait [Idle]"
Nov 18 05:03:11 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:11-05:00" level=info msg="State transition: authorize-wait [Idle] -> authorize [Sync]"
Nov 18 05:03:11 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:11-05:00" level=info msg="Device keys not present or bootstrap forced, generating"
Nov 18 05:03:12 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:12-05:00" level=error msg="Authorize failed: transient error: authorization request failed: (request_id: ): authentication request reje
Nov 18 05:03:12 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:12-05:00" level=error msg="Authorize failed: transient error: authorization request failed: (request_id: ): authentication request reje
Nov 18 05:03:12 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:12-05:00" level=info msg="State transition: authorize [Sync] -> authorize-wait [Idle]"
Nov 18 05:03:41 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:41-05:00" level=info msg="State transition: authorize-wait [Idle] -> authorize [Sync]"
Nov 18 05:03:42 alto-VirtualBox mender[1385]: time="2020-11-18T05:03:42-05:00" level=error msg="Authorize failed: transient error: authorization request failed: (request_id: ): authentication request reje

The authorization requests are being rejected. This normally means that there is an authentication set needing approval on the server. Basically, if the identity or mender-agent.pem changes, then the server will no longer recognize the device. I don't know how this happened in your case, but I suspect that if you go into the device details there will be an authentication set you can approve. It should be available as a link on the text "Reject, Dismiss or Decommission this device".

But in case the issue is something else: it looks like your journalctl output is truncated and we are not seeing the full output. I think if you add the --no-pager option to the command it will show more details.

@drewmoseley

Thanks, Drew...

The "Waiting for inventory data from the device" issue was resolved after changing the version of the Mender client to 2.4.0 (from master) in mender-convert. Now I am able to see inventory data on the Mender server UI successfully.