Installing, configuring, and running the Owner server
Install the fdo-owner-cli and fdo-owner-onboarding-server RPM packages to enable the systems to receive the voucher generated by the Manufacturing server during the first device boot. The Rendezvous server then matches the device UUID with the target platform or cloud and informs the device about which Owner server endpoint the device must use.
Prerequisites

- The device where the server will be deployed has a Trusted Platform Module (TPM) device to encrypt the disk. If not, you will get an error when booting the Fedora IoT device.
- You created the device_ca_cert.pem, owner_key.der, and owner_cert.pem files with keys and certificates and copied them into the /etc/fdo/keys directory.
Procedure

- Install the required RPMs on this server:

      # dnf install -y fdo-owner-cli fdo-owner-onboarding-server
- Prepare the owner-onboarding-server.yml configuration file and save it to the /etc/fdo/ directory. Include the path to the certificates you already copied and information about where to publish the Owner server service in this file. The following is an example available in /usr/share/doc/fdo/owner-onboarding-server.yml. You can find references to the Service Info API, such as the URL or the authentication token.

      ---
      ownership_voucher_store_driver:
        Directory:
          path: /etc/fdo/stores/owner_vouchers
      session_store_driver:
        Directory:
          path: /etc/fdo/stores/owner_onboarding_sessions
      trusted_device_keys_path: /etc/fdo/keys/device_ca_cert.pem
      owner_private_key_path: /etc/fdo/keys/owner_key.der
      owner_public_key_path: /etc/fdo/keys/owner_cert.pem
      bind: "0.0.0.0:8081"
      service_info_api_url: "http://192.168.122.1:8083/device_info"
      service_info_api_authentication:
        BearerToken:
          token: Kpt5P/5flBkaiNSvDYS3cEdBQXJn2Zv9n1D50431/lo=
      owner_addresses:
        - transport: http
          addresses:
            - ip_address: 192.168.122.1
              port: 8081
- Create and configure the Service Info API.
  - Add the automated information for onboarding, such as user creation, files to be copied or created, commands to be executed, disk to be encrypted, and so on. Use the Service Info API configuration file example in /usr/share/doc/fdo/serviceinfo-api-server.yml as a template to create the configuration file under /etc/fdo/.

        ---
        service_info:
          initial_user:
            username: admin
            sshkeys:
              - "ssh-rsa AAAA...."
          diskencryption_clevis:
            - disk_label: /dev/vda3
              binding:
                pin: tpm2
                config: "{}"
              reencrypt: true
        bind: "0.0.0.0:8083"
        device_specific_store_driver:
          Directory:
            path: /etc/fdo/stores/serviceinfo_api_devices
        service_info_auth_token: Kpt5P/5flBkaiNSvDYS3cEdBQXJn2Zv9n1D50431/lo=
        admin_auth_token: zJNoErq7aa0RusJ1w0tkTjdITdMCWYkndzVv7F0V42Q=
- Check the status of the systemd units:

      # systemctl list-unit-files | grep fdo
      fdo-owner-onboarding-server.service    disabled   disabled
      fdo-serviceinfo-api-server.service     disabled   disabled

- If the services are stopped and disabled, enable and start them:

      # systemctl enable --now fdo-owner-onboarding-server.service
      # systemctl enable --now fdo-serviceinfo-api-server.service

  You must restart the systemd services every time you change the configuration files.
- Check that the server is listening on the default configured port 8083:

      # ss -ltn

- Open the ports if you have a firewall configured on this server:

      # firewall-cmd --add-port=8081/tcp --permanent
      # firewall-cmd --add-port=8083/tcp --permanent
      # systemctl restart firewalld