Manufacturing Process for Device Registration

lmp-device-register works great when run manually and can be configured to auto register devices in CI builds. However, a different process is required for provisioning production devices. The key to production provisioning lies in owning the device gateway PKI. Once a customer has control of their PKI, they can create client TLS certificates for devices that will be trusted by the Foundries.io device gateway.

Customers all have unique requirements, so Foundries.io created a reference implementation that customers can fork and modify to their liking. Here are some common ways to use this reference.

Fully detached

In this scenario devices connect to a reference server instance on a private network. This network is isolated from the internet (api.foundries.io). Devices get a valid signed client certificate from the reference server. Each device will be created via api.foundries.io on-the-fly the first time they connect.

This scenario is handy for certain security constrained setups. However, it does have a couple of potential drawbacks:

  • Devices don’t show up on Foundries.io until the first time they connect.
  • Devices won’t have Foundries.io managed configuration data available until this first connection.

lmp-device-auto-register configuration

lmp-device-register must be called with two environment variables set to work with the reference server:

DEVICE_API="http://<registration reference uri>/sign"
PRODUCTION=1

A factory can copy lmp-device-auto-register into their meta-subscriber-overrides.git production branch as recipes-support/lmp-device-auto-register/lmp-device-auto-register/lmp-device-auto-register with DEVICE_API and PRODUCTION exported.

The factory should also make sure the recipes-support/lmp-device-auto-register/lmp-device-auto-register/api-token has been removed to prevent leaking a CI credential.

Registration reference configuration

The registration reference should work out-of-the box for this scenario. The operator simply needs to copy their PKI keys as described in the reference server’s README.md.

Partially detached

In this scenario devices connect to a reference server instance on a private network, but the reference server has access to api.foundries.io. The reference server can create device entries via api.foundries.io as devices are registered.

Additionally, if devices have access to ota-lite.foundries.io:8443, they can download their initial fioconfig configuration data.

lmp-device-auto-register configuration

A factory can create a customized lmp-device-auto-register in their meta-subscriber-overrides.git production branch as recipes-support/lmp-device-auto-register/lmp-device-auto-register/lmp-device-auto-register. For example:

#!/bin/sh -e

if [ -f /var/sota/sql.db ] ; then
       echo "$0: ERROR: Device appears to already be registered"
       exit 1
fi

# Done in 2 parts. This first part will remove trailing \n's and make
# the output all space separated. The 2nd part makes it comma separated.
[ -d /var/sota/compose-apps ] && APPS=$(ls /var/sota/compose-apps)
APPS=$(echo ${APPS} | tr ' ' ',')
if [ -n "${APPS}" ] ; then
       echo "$0: Registering with default apps = ${APPS}"
       APPS="-a ${APPS}"
else
       echo "$0: Registering with all available apps"
fi

# Register the device but don't start the daemon:
DEVICE_API="http://example.com/sign" \
PRODUCTION=1 \
       /usr/bin/lmp-device-register --start-daemon=0 -T na ${APPS}

# Pull down the device's initial configuration
fioconfig check-in

# Optionally start services, or maybe just power off the device
#systemctl start aktualizr-lite
#systemctl start fioconfig

Registration reference configuration

The registration reference should work out-of-the box for this scenario. The operator will need to create a Foundries.io API token with scope devices:create. They can take this token and configure the reference server as per the README.md.