Configuring Devices

Device configuration can be managed with Fioctl. There are three types of configuration supported:

  1. Fleet-wide — Configuration gets sent to all devices in a Factory.
  2. Device group specific — Configuration gets sent to all devices in a device group.
  3. Device specific — This overrides fleet-wide and device group configuration in the event they collide.

Tip

Configuration files set in this section can be found in /var/run/secrets after delivered to the device.

Fleet-Wide Configuration

Configuration common to all Factory devices can be set with fioctl config subcommands:

# View log of config changes (similar to "git log")
fioctl config log

# Add a config file to the entire fleet
fioctl config set --reason "for docs" AWS_REGION="us-east-2"

The configuration reason specified via --reason is visible in the output of fioctl config log:

Created At:    2021-03-06T00:46:02
Applied At:    2021-03-06T00:49:24
Change Reason: for docs
Files:
        z-50-fioctl.toml - [/usr/share/fioconfig/handlers/aktualizr-toml-update]
...

Device Group Specific Configuration

Similar to fleet-wide configurations, device group specific configuration is managed with the fioctl config subcommands using the --group parameter:

# View log of config changes made to the device group
fioctl config log --group <group-name>

# Add a config file to the device group
fioctl config set --group <group-name> --reason "for docs" secret="doc-secret"

Device Specific Configuration

Device configuration is managed with the fioctl devices config subcommands:

# View log of config changes made to device
fioctl devices config log <device-name>

# Add a config file to device
fioctl devices config set <device-name> --reason "for docs" \
  githubapitoken="really secure value"

“Raw” Configuration

The config set commands only expose part of what is possible with configuration. Advanced use cases require the --raw option.

Two interesting things that can be done with this include on-changed and unencrypted:

cat >tmp.json <<EOF
{
  "reason": "for docs",
  "files": [
    {
      "name": "newconfig",
      "value": "root (this will get encrypted by tooling)",
      "on-changed": ["/usr/share/fioconfig/handlers/<new-script>"]
    },
    {
      "name": "A-Readable-Value",
      "value": "This won't be encrypted and will be visible from the API",
      "unencrypted": true
    }
  ]
}
EOF

The on-changed parameter allows to run commands upon receiving configuration fragments. The fioconfig may only run “trusted” scripts from the /usr/share/fioconfig/handlers/ folder to protect devices from arbitrary script execution. As such, a custom handler should be created in this folder. See fioconfig_git.bb for reference.

Tip

For testing purposes, it is possible to use the on-changed parameter to run commands outside of the /usr/share/fioconfig/handlers folder. This is done by running fioconfig daemon --unsafe-handlers. We do not recommend doing that in production. This allows running configurations as:

cat >tmp.json <<EOF
{
  "reason": "for docs",
  "files": [
    {
      "name": "npmtok",
      "value": "secret-token",
      "on-changed": ["/usr/bin/touch", "/tmp/npmtok-changed"]
    }
  ]
}
EOF

See also

Fioconfig