diff --git a/docs/FLEET_PROVISIONING.md b/docs/FLEET_PROVISIONING.md
index 769411983..09cc974ee 100644
--- a/docs/FLEET_PROVISIONING.md
+++ b/docs/FLEET_PROVISIONING.md
@@ -24,17 +24,11 @@ follow few important pre-steps
 1. This section assumes that the system has already met the dependencies mentioned in [SETUP.md](./SETUP.md#dependencies).
 2. Make sure you are logged in as root.
-3. Allow read access to all user for your certificates
- `chmod -R +rx /ggcredentials/`.
-4. Make sure you do not fill `iotCredEndpoint/iotDataEndpoint` under
+3. Make sure you do not fill `iotCredEndpoint/iotDataEndpoint` under
 `aws.greengrass.NucleusLite` you should only fill these fields under `aws.greengrass.fleet_provisioning`'s config. See the [sample config below](#configyaml).
-5. Fleet provisioning assumes the your `GGL_SYSTEMD_SYSTEM_USER` and
- `GGL_SYSTEMD_SYSTEM_GROUP` mentioned in [CMakeLists.txt](../CMakeLists.txt)
- to be `ggcore:ggcore` please change appropriately if these values are changed
- during compile time.
-6. If this is your not first run, remove the socket at
+4. If this is your not first run, remove the socket at
 `/run/greengrass/iotcoredfleet`, if it exists. Sample Fleet provisioning template:
@@ -139,7 +133,11 @@ $ cp ./run/config.yaml /etc/greengrass/config.yaml
 $ ./misc/run_nucleus
 ```
-In root user shell, run fleet provisioning:
+In root user shell, run the fleet provisioning binary.
+
+If you changed `GGL_SYSTEMD_SYSTEM_USER` and `GGL_SYSTEMD_SYSTEM_GROUP`
+mentioned in [CMakeLists.txt](../CMakeLists.txt), you can override deafult by
+adding `-u "ggcore:ggcore"` at the end of following command:
 ```sh
 $ ../build/bin/fleet-provisioning
@@ -148,7 +146,7 @@ $ ../build/bin/fleet-provisioning
 Now this will trigger the fleet provisioning script which will take a few minutes to complete.
-> Note: Device will reboot in case of successful run.
+> Note: Device will reboot in case of a successful run.
 If you are storing the standard output then look for log: `Process Complete, Your device is now provisioned`.
diff --git a/fleet-provisioning/bin/fleet-provisioning.c b/fleet-provisioning/bin/fleet-provisioning.c
index e044bb7c7..c560411b0 100644
--- a/fleet-provisioning/bin/fleet-provisioning.c
+++ b/fleet-provisioning/bin/fleet-provisioning.c
@@ -18,35 +18,50 @@ static char doc[] = "fleet provisioner -- Executable to automatically "
 "provision the device to AWS IOT core";
 static const char COMPONENT_NAME[] = "fleet-provisioning";
-static struct argp_option opts[] = {
- { "claim-key",
- 'k',
- "path",
- 0,
- "Path to key for client claim private certificate",
- 0 },
- { "claim-cert",
- 'c',
- "path",
- 0,
- "Path to key for client claim certificate",
- 0 },
- { "template-name",
- 't',
- "name",
- 0,
- "AWS fleet provisioning template name",
- 0 },
- { "template-param",
- 'p',
- "json",
- 0,
- "[optional] Fleet Prov additional parameters",
- 0 },
- { "data-endpoint", 'e', "name", 0, "AWS IoT Core data endpoint", 0 },
- { "root-ca-path", 'r', "path", 0, "Path to key for client certificate", 0 },
- { 0 }
-};
+static struct argp_option opts[]
+ = { { "user-group",
+ 'u',
+ "name",
+ 0,
+ "[optional]GGL_SYSTEMD_SYSTEM_USER user and group \":\" seprated",
+ 0 },
+ { "claim-key",
+ 'k',
+ "path",
+ 0,
+ "[optional]Path to key for client claim private certificate",
+ 0 },
+ { "claim-cert",
+ 'c',
+ "path",
+ 0,
+ "[optional]Path to key for client claim certificate",
+ 0 },
+ { "template-name",
+ 't',
+ "name",
+ 0,
+ "[optional]AWS fleet provisioning template name",
+ 0 },
+ { "template-param",
+ 'p',
+ "json",
+ 0,
+ "[optional]Fleet Prov additional parameters",
+ 0 },
+ { "data-endpoint",
+ 'e',
+ "name",
+ 0,
+ "[optional]AWS IoT Core data endpoint",
+ 0 },
+ { "root-ca-path",
+ 'r',
+ "path",
+ 0,
+ "[optional]Path to key for client certificate",
+ 0 },
+ { 0 } };
 static error_t arg_parser(int key, char *arg, struct argp_state *state) {
 FleetProvArgs *args = state->input;
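Review bot: The new `--user-group` help string, `"[optional]GGL_SYSTEMD_SYSTEM_USER user and group \":\" seprated"`, misspells "separated", glues `[optional]` to the text with no space (as every entry in the rewritten table now does), and says nothing about what the value is used for or what the default is. Suggested: `"[optional] user:group that will own /ggcredentials after provisioning (default ggcore:ggcore)"` — the chown use and the default are visible in the entry.c and arg_parser hunks of this same commit, so the help should follow them if the default is ever derived from the build. The `--root-ca-path` description, `"[optional]Path to key for client certificate"`, was carried over from the old table and still describes a key rather than a CA certificate path; since the whole table is rewritten here, `"[optional] Path to the root CA certificate"` would fix it in the same change. The following `arg_parser` function only begins in this hunk and continues past it.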
@@ -69,8 +84,14 @@ static error_t arg_parser(int key, char *arg, struct argp_state *state) {
 case 'r':
 args->root_ca_path = arg;
 break;
+ case 'u':
+ args->user_group = arg;
+ break;
 case ARGP_KEY_END:
- // ALL keys have defaults further in.
+ if (args->user_group == NULL) {
+ args->user_group = "ggcore:ggcore";
+ }
+ // All keys are optional other are set down the line
 break;
 default:
 return ARGP_ERR_UNKNOWN;
diff --git a/fleet-provisioning/include/fleet-provisioning.h b/fleet-provisioning/include/fleet-provisioning.h
index 8d29795e1..16825d3cd 100644
--- a/fleet-provisioning/include/fleet-provisioning.h
+++ b/fleet-provisioning/include/fleet-provisioning.h
@@ -16,6 +16,7 @@ typedef struct {
 char *data_endpoint;
 char *root_ca_path;
 char *iotcored_path;
+ char *user_group;
 } FleetProvArgs;
 GglError run_fleet_prov(FleetProvArgs *args, pid_t *pid);
diff --git a/fleet-provisioning/src/entry.c b/fleet-provisioning/src/entry.c
index 32a23f3c1..0161cda7f 100644
--- a/fleet-provisioning/src/entry.c
+++ b/fleet-provisioning/src/entry.c
@@ -28,6 +28,8 @@
 #define MAX_TEMPLATE_PARAM_LEN 4096
 #define MAX_PATH_LEN 4096
+GglBuffer ggcredentials_path = GGL_STR("/ggcredentials");
+
 static GglError start_iotcored(FleetProvArgs *args, pid_t *iotcored_pid) {
 char *iotcore_d_args[] = { args->iotcored_path, "-n", "iotcoredfleet", "-e",
@@ -191,8 +193,8 @@ static GglError fetch_from_db(FleetProvArgs *args) {
 return GGL_ERR_OK;
 }
-static GglError update_cred_access(void) {
- char *args[] = { "chown", "-R", "ggcore:ggcore", "/ggcredentials/", NULL };
+static GglError update_cred_access(char *user_group) {
+ char *args[] = { "chown", "-R", user_group, "/ggcredentials/", NULL };
 GglError ret = ggl_exec_command(args);
 if (ret != GGL_ERR_OK) {
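Review bot: The fallback in the new `ARGP_KEY_END` branch hard-codes `"ggcore:ggcore"` while the accompanying doc change tells operators the value mirrors `GGL_SYSTEMD_SYSTEM_USER`/`GGL_SYSTEMD_SYSTEM_GROUP` from CMakeLists.txt, so a build that changes those will chown the credentials to the wrong account unless every operator remembers `-u`; if those values are available as macros the default belongs there, otherwise a comment should state that the literal is intentionally fixed. The value is also never checked before it reaches `chown` (see the entry.c hunk), and this is the natural place to reject shapes the help text does not promise, e.g. `if (args->user_group[0] == '-' || strchr(args->user_group, ':') == NULL) { argp_error(state, "--user-group must be user:group"); }` (`strchr` needs `<string.h>`, whose inclusion I cannot see from here). The replacement comment `// All keys are optional other are set down the line` is ungrammatical; `// All other options are optional; missing values are filled in later from config.` reads cleanly. `arg_parser` begins before this hunk and continues after it.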
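Review bot: The new `user_group` member joins the public `FleetProvArgs` with no comment, and unlike a path it carries an ownership subtlety a hand-built struct must respect: the arg_parser hunk stores either an argv pointer or a string literal in it, so the struct never owns the memory and nothing may write through it. Suggested comment above the field: `// "user:group" handed to chown for /ggcredentials; points at argv or a literal (not owned, not writable); only arg_parser installs the default when it is NULL.` The enclosing `typedef struct` opens before this hunk.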
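Review bot: `GglBuffer ggcredentials_path = GGL_STR("/ggcredentials");` is now a file-scope definition with external linkage, so a symbol that used to be a local of `run_fleet_prov` leaks into the namespace of everything linked with entry.c, and nothing in this diff shows another translation unit that needs it; make it `static GglBuffer ggcredentials_path = GGL_STR("/ggcredentials");`, and `const` too if every consumer takes it by value as `ggl_dir_open` does in the hunk below (other uses are outside my view). The same path is still spelled separately as the literal `"/ggcredentials/"` inside `update_cred_access` two hunks down, so the two spellings can drift; a single `#define GGCREDENTIALS_PATH "/ggcredentials"` feeding both the `GGL_STR` and the chown argv would keep them in step.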
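Review bot: `user_group` is placed in the `chown` argv where the OWNER operand is expected, and now that it comes straight from `--user-group` a value beginning with `-` (for example `--reference=/some/file`) is parsed by chown as an option rather than an operand, which would recursively re-own the private keys under `/ggcredentials/` according to that option instead of failing; terminate option parsing first: `char *args[] = { "chown", "-R", "--", user_group, "/ggcredentials/", NULL };`. The command is spawned through `ggl_exec_command` with an argv array, so there is no shell interpolation, but a NULL `user_group` would truncate the argv after `-R` and surface only as a chown usage error, so an explicit NULL guard at the top returning the project's invalid-argument `GglError` would make that failure legible. The parameter is never written through, so `const char *user_group` documents the contract. `update_cred_access` continues past the end of this hunk.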
@@ -272,8 +274,6 @@ static GglError update_iot_endpoints(void) {
 }
 GglError run_fleet_prov(FleetProvArgs *args, pid_t *pid) {
- GglBuffer ggcredentials_path = GGL_STR("/ggcredentials");
-
 int config_dir;
 GglError ret = ggl_dir_open(ggcredentials_path, O_RDONLY, false, &config_dir);
@@ -401,7 +401,7 @@ GglError run_fleet_prov(FleetProvArgs *args, pid_t *pid) {
 return ret;
 }
- ret = update_cred_access();
+ ret = update_cred_access(args->user_group);
 if (ret != GGL_ERR_OK) {
 return ret;
 }
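Review bot: `update_cred_access(args->user_group)` depends on `arg_parser`'s `ARGP_KEY_END` branch having installed the `"ggcore:ggcore"` default; if `run_fleet_prov` is ever entered with a `FleetProvArgs` built by any other path (only the argp front-end is visible in this diff), `user_group` is NULL and chown runs with a truncated argv. Either fall back at the call site, `ret = update_cred_access(args->user_group ? args->user_group : "ggcore:ggcore");`, or document on `run_fleet_prov`'s declaration that `user_group` must be non-NULL so the precondition is explicit. The body of `run_fleet_prov` extends well outside this hunk.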