Configuration Management of Devices

Over the last month our engineering team has been working on a way to provide our customers an easy-to-use mechanism for managing on-device configuration. The result is a new project we call "fioconfig".

fioconfig consists of three components:

  1. Configuration management APIs under api.foundries.io/ota/
  2. Command line management these APIs via fioctl
  3. A new configuration management daemon, fioconfig, that runs on Factory devices.

We support two types of configuration:

  • Fleet-wide - configuration that should be applied to your entire fleet
  • Per-device - configuration targeted for a specific device. These values "override" fleet-wide configuration in the event they collide.

A "configuration" allows you to specify an array of files to be sent to a device. The format we store these files allows for interesting flexibility:

  {
    "name": "name of the file to store on disk",
    "value": "content of file (binary data needs base64 encoding)",
    "on-changed": [
      "/bin/echo",
      "Optional- but will be run on device when changed"
    ]
  }

We keep a configuration history of the last 10 updates you’ve made to each of your devices and fleet to provide some contextual information. Additionally, you can mark a file with an "unencrypted" attribute to tell the system the data isn’t super sensitive. We’ve found this can be handy for adding extra information about devices that can be retrieved via our REST API for custom things you may want.

Backend Security

Fleet wide configuration will be managed with a new fioctl command: fioctl factories config. The security story on this is typical. We do symmetric encryption of this data at rest and only decrypt it when sending to an authorized device.

Device configuration is interesting. All devices in the factory communicate through a "device gateway" using SSL client authentication. This means we know the public key of each device. Fioctl is able to use the public key to do Elliptical Curve Integrated_Encryption_Scheme encryption of the file contents before the data is sent to our servers. This means the only thing that will ever be able to read this content will be the device it's intended for.

Device Security

Fioconfig also employs some tactics to help keep configuration data as secure as it can. The data is kept in its encrypted format when stored persistently. However, fioconfig will "extract" the contents of the encrypted file into a set of files under a tmpfs mounted directory, /var/run/secrets/.

What’s Next

The backend APIs are all in place now. The code to fioconfig is available on GitHub. We are currently working on testing it out in our personal factories to iron out the rough edges. The same goes for the fioctl. We have a Pull Request that we are testing out.

We’ve also started preliminary work on a new feature we’ll be blogging on next week, Device Remote Access. We’ve based this feature on top of this new configuration management feature in order to help test and validate its feature set.

Keep up to date with Foundries.io