Remote provisioning of system-user/serial assertions

abeato · May 11, 2017, 7:57am

Hi,

I see two situations where we would want automatic provisioning of serial/system-user assertion:

Factory production
Massive upgrade of deployed devices that did not have initially Ubuntu Core

For the first one afaik the way to go is the Serial Vault, although I do not know if any human intervention is needed there (it would be great if someone can clarify in more detail how the Serial Vault works).

But, how about the second case? If we have remote devices and we need to create users for each of them, how can we do that without a human going there with a USB stick? There are always tricks we can play, but it would be good if we have a general approach to this problems.

Thanks,
Alfonso

morphis · May 11, 2017, 8:04am

We talked about the serial-vault doing this in the past. Currently it just sends the serial-user assertion but it could send a stream of assertions including a system-user assertion. AFAIK this also requires changes on the snapd side to accept multiple assertions instead of a single one.

pedronis · May 11, 2017, 9:35am

just a serial assertion

And yes we discussed letting snapd take a stream there, we even have +1 from Gustavo, we can do it if needed, it just fell on the low-prio pile so far

morphis · May 11, 2017, 9:40am

Right. Corrected that in my post.

abeato · May 11, 2017, 9:45am

This will be needed for a commercial project, so maybe it is time to re-prioratize

morphis · May 11, 2017, 9:53am

Is that decided already? From what I know when talking with @jhodapp recently this wasn’t finally clear yet.

ogra · May 11, 2017, 10:23am

how abut a WebDAV or sshfs mount from a central provisioning server ? at least for the latter we should have everything on board by default already …

abeato · May 11, 2017, 10:56am

The issue with that is that still we would need to run locally “snap create-user” by some sort of hack, and that is actually what I would like to avoid.

ogra · May 11, 2017, 11:05am

i actually meant to replace the USB key mount (when you set a certain cmdline option or some such to provide server info) with a secure remote mount (WebDAV/https … sshfs …)

that should be able to carry any assertions then … like the USB key.

jhodapp · May 11, 2017, 1:34pm

Correct, that has not been clarified yet. Let me get clarification and I’ll let you all know if indeed it’s critical or not for our commercial project.

jamesj · May 12, 2017, 1:03pm

Actually, the serial vault can now sign a system-user assertion as well as sign a serial assertion. The serial assertion signing is fairly automated - you manually upload a signing key and define model. Then, when the device boots, snapd will send the serial-request assertion to the serial vault and it will get a signed serial assertion.

The system-user assertion part is a new facility and is available as a UI. You just fill in the details of the user in a web form and it will generate a downloadable system-user assertion.

The serial-vault is just a single Go web application that can be run in one of three modes: admin UI, signing serials, or system-user.