Remote provisioning of system-user/serial assertions


I see two situations where we would want automatic provisioning of serial/system-user assertions:

  1. Factory production
  2. Massive upgrade of deployed devices that did not initially have Ubuntu Core

For the first one afaik the way to go is the Serial Vault, although I do not know if any human intervention is needed there (it would be great if someone can clarify in more detail how the Serial Vault works).

But, how about the second case? If we have remote devices and we need to create users for each of them, how can we do that without a human going there with a USB stick? There are always tricks we can play, but it would be good if we had a general approach to these problems.


We talked about the serial-vault doing this in the past. Currently it just sends the serial-user assertion but it could send a stream of assertions including a system-user assertion. AFAIK this also requires changes on the snapd side to accept multiple assertions instead of a single one.


just a serial assertion

And yes we discussed letting snapd take a stream there, we even have +1 from Gustavo, we can do it if needed, it just fell on the low-prio pile so far

Right. Corrected that in my post.

This will be needed for a commercial project, so maybe it is time to re-prioritize.


Is that decided already? From what I know when talking with @jhodapp recently this wasn’t finally clear yet.

how about a WebDAV or sshfs mount from a central provisioning server? at least for the latter we should have everything on board by default already …

The issue with that is that we would still need to run “snap create-user” locally by some sort of hack, and that is actually what I would like to avoid.

I actually meant to replace the USB key mount (when you set a certain cmdline option or some such to provide server info) with a secure remote mount (WebDAV/https … sshfs …)

that should be able to carry any assertions then … like the USB key.

Correct, that has not been clarified yet. Let me get clarification and I’ll let you all know if indeed it’s critical or not for our commercial project.

Actually, the serial vault can now sign a system-user assertion as well as sign a serial assertion. The serial assertion signing is fairly automated - you manually upload a signing key and define a model. Then, when the device boots, snapd will send the serial-request assertion to the serial vault and it will get back a signed serial assertion.

The system-user assertion part is a new facility and is available as a UI. You just fill in the details of the user in a web form and it will generate a downloadable system-user assertion.

The serial-vault is just a single Go web application that can be run in one of three modes: admin UI, signing serials, or system-user.
