Mender device ID from client side


Ahmed abdelhalim

Jun 7, 2018, 7:40:02 AM
to Mender List mender.io
Hi Everyone,

In the Mender server, after I authorize the device, I find the Device ID (Device identity or ID). How can I get this ID from the client? In here it is mentioned that using mender-device-identity the client generates it, but the script only outputs the MAC and network interface.


Thanks
Ahmed
 

Will Moffat

Jun 8, 2018, 4:55:19 AM
to men...@lists.mender.io
Hi,

I'd love to see a /var/lib/mender/device_id or similar created.

Use case 1) clickable Mender links when doing remote debugging:

$ ssh my-random-device-in-field
$ show-mender-link.sh
https://mender.muuselabs.com/ui/#/devices/0/id%3D5ac50467aaa8b800011744f5

Use case 2) reliable device-initiated Mender actions

User requests to change Mender group, start update etc.
device makes a call to my api passing Mender device_id
my api then triggers Mender

Currently I do this by passing identity attributes and then looking up
the device in Mender. Unfortunately our 'unique' identity attributes
have not turned out to be entirely unique over the entire fleet of
devices :-(
Working with the Mender device_id would solve this nicely.

Ahmed:
There was a pretty hacky solution here:
https://groups.google.com/a/lists.mender.io/forum/#!msg/mender/4vZ-Lp7wbEo/Lu6tt8V7AAAJ

regards,
--Will
Muuselabs

Maciej Mrowiec

Jun 8, 2018, 5:58:02 AM
to mender
Hi Will,

Device ID is not directly available to the device; it's a completely server-side identifier which is tied to the device identity object. You can get it on the device in two ways:
1) After the device is accepted it will receive an authentication token, e.g. a JWT token; the server-side device ID is part of the token's claims and can be extracted from there. Not sure where the device is storing this exactly (most likely the local db), but you can request another one with this API - POST /auth_requests
2) API lookup to translate device identity attributes to device ID through the auth or inventory APIs. This requires the caller to be able to authenticate to the API, which I would not recommend putting on the device. However, if you have a 3rd party service your devices already ask for that update, it can do it.

On Fri, Jun 8, 2018 at 10:55 AM Will Moffat <wi...@muuselabs.com> wrote:
> Hi,
>
> I'd love to see a /var/lib/mender/device_id or similar created.
>
> Use case 1) clickable Mender links when doing remote debugging:
>
> $ ssh my-random-device-in-field
> $ show-mender-link.sh
> https://mender.muuselabs.com/ui/#/devices/0/id%3D5ac50467aaa8b800011744f5
>
> Use case 2) reliable device-initiated Mender actions
>
> User requests to change Mender group, start update etc.
> device makes a call to my api passing Mender device_id
> my api then triggers Mender
>
> Currently I do this by passing identity attributes and then looking up
> the device in Mender. Unfortunately our 'unique' identity attributes
> have not turned out to be entirely unique over the entire fleet of
> devices :-(
> Working with the Mender device_id would solve this nicely.


The mix of all identity attributes, e.g. the identity object, is required to be unique.
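Added example, not part of the thread or of Mender's code: reading the device ID out of a JWT's claims on the device and building the UI link from Will's use case 1. It assumes the ID is carried in the `sub` claim and takes the token as an argument, since the thread does not say where the client stores it; the sample token is constructed. The payload is decoded without signature verification, which is enough for local display, while a backend that receives the ID from a device should verify the token rather than trust the bare value.

```python
import base64
import json
from urllib.parse import quote


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("JWT payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def device_id_from_token(token: str, claim: str = "sub") -> str:
    # Assumption: the server places the device ID in the `sub` claim.
    value = jwt_claims(token).get(claim)
    if not isinstance(value, str) or not value:
        raise ValueError(f"claim {claim!r} missing from token")
    return value


def ui_link(base_url: str, device_id: str) -> str:
    # Same shape as the link quoted in the thread: .../ui/#/devices/0/id%3D<id>
    encoded = quote("id=" + device_id, safe="")
    return f"{base_url.rstrip('/')}/ui/#/devices/0/{encoded}"


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not real)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([enc(header), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    # Device ID taken from the link quoted in the thread; host is a placeholder.
    sample = make_constructed_token({"sub": "5ac50467aaa8b800011744f5"})
    print(ui_link("https://mender.example.com", device_id_from_token(sample)))
```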

Will Moffat

Jun 8, 2018, 8:45:07 AM
to men...@lists.mender.io
Hi Maciej,

thanks! My responses inline:

On Fri, Jun 8, 2018 at 11:57 AM, Maciej Mrowiec
<maciej....@northern.tech> wrote:

> Device ID is not directly available to the device, it's a completely server
> side identifier which is tied to device identity object.

Yes, but it would be nice if it was passed to the client and stored.
That's my feature request.

> You can get it on device two ways:
> 1) After the device is accepted it will receive an authentication token, e.g. a JWT
> token; the server-side device ID is part of the token's claims and can be extracted from
> there. Not sure where the device is storing this exactly (most likely the local db),

Yeah, that's the hacky way we came up with last time I asked this question ;-)

> 2) API lookup to translate device identity attributes to device ID through the
> auth or inventory APIs. This requires the caller to be able to authenticate to the
> API, which I would not recommend putting on the device. However, if you have a 3rd
> party service your devices already ask for that update, it can do it.

Yes, that's what I'm doing now via our own APIs:

1) user in the field decides they want to change from beta to stable firmware.
2) they trigger a request using custom Muuselabs API.
3) Muuselabs server calls Mender api to modify group and trigger deployment.

The question is, how do I identify the device in step 3 to Mender?
I have a complex and buggy system using MAC address (one of my device
identity attributes).
Ideally I would have /var/lib/mender/device_id in step 2 and pass it
to my server which would pass it directly to Mender API in step 3. No
complex lookups, no duplicate MAC problems.

regards,
--Will

Maciej Mrowiec

Jun 8, 2018, 10:13:45 AM
to mender
This steps a bit into the use case of dynamic grouping we are looking into - in the future this would be the "clean" way of implementing this.

Long story short, what we are thinking about is providing the ability to create a group based on a filter/query over inventory data. Therefore you would be able to create a group "Stable" that would consist of devices that have the attribute "software_option=stable" and a group "Beta" that includes devices that have "software_option=beta".

Inventory data reported by the device can be customised - it's the result of the inventory script https://docs.mender.io/1.5/client-configuration/inventory. Therefore this script could be modified in such a way that it reports the "software_option" value depending on the user's choice.

This way you don't need a 3rd party service or to worry about giving the device additional API access. But query-based dynamic grouping is not available yet.

A 3rd option is to emulate this with a script.
Report that inventory attribute depending on the user's choice.
Have a script that runs periodically on a schedule, queries inventory for devices with "software_option=stable" and reassigns them to the "Stable" group etc. This should take a few lines in Python to achieve, and after dynamic grouping is released you'd just replace the script with a dynamic group. No changes to the device required.

Alternatively, if you want to stay with the 3rd party service, I suggest comparing all identity attributes when performing the API lookup instead of just one of them ("mac"). On the device this is produced by the identity script: https://docs.mender.io/1.5/client-configuration/identity. This way you will get 1:1 matches. API: https://docs.mender.io/1.5/apis/management-apis/device-authentication#devices-get

regards,
Maciej
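Added example, not part of the thread or of Mender's code: a backend lookup that matches on the whole identity object, as suggested above, and refuses to act when the match is not exactly one device. The device records are constructed, and their `id` / `id_data` field names and the `serial` attribute are assumptions about what the device-list response contains.

```python
import json
from collections import defaultdict


class AmbiguousDevice(LookupError):
    """Raised when an identity does not select exactly one device."""


def canonical(identity: dict) -> str:
    # Key order must not matter when comparing identity objects.
    return json.dumps(identity, sort_keys=True, separators=(",", ":"))


def resolve_device_id(devices: list, identity: dict) -> str:
    """Return the server-side ID of the one device with this exact identity."""
    want = canonical(identity)
    matches = [d["id"] for d in devices if canonical(d["id_data"]) == want]
    if len(matches) != 1:
        # Fail closed: never trigger a deployment on a guessed device.
        raise AmbiguousDevice(f"{len(matches)} devices match {want}")
    return matches[0]


def duplicate_values(devices: list, attribute: str) -> dict:
    """Map each attribute value shared by several devices to their IDs."""
    seen = defaultdict(list)
    for d in devices:
        if attribute in d["id_data"]:
            seen[d["id_data"][attribute]].append(d["id"])
    return {v: ids for v, ids in seen.items() if len(ids) > 1}


# Constructed sample: dev-1 and dev-2 were provisioned with the same MAC.
DEVICES = [
    {"id": "dev-1", "id_data": {"mac": "52:54:00:aa:bb:01", "serial": "A-001"}},
    {"id": "dev-2", "id_data": {"mac": "52:54:00:aa:bb:01", "serial": "B-002"}},
    {"id": "dev-3", "id_data": {"mac": "52:54:00:aa:bb:03", "serial": "C-003"}},
]

if __name__ == "__main__":
    print(duplicate_values(DEVICES, "mac"))
    print(resolve_device_id(
        DEVICES, {"serial": "B-002", "mac": "52:54:00:aa:bb:01"}))
```

Running `duplicate_values` over the fleet before relying on any single attribute shows which devices a MAC-only lookup would confuse.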

Antonio Santagiuliana

Jun 8, 2018, 10:40:40 AM
to men...@lists.mender.io
Hello
As far as I understand from that page the deviceID is generated by the server. They don't say if it is ever communicated to the client.
Only the ID attributes are generated at the client side by that executable.




Ahmed abdelhalim

Jun 10, 2018, 6:12:21 AM
to Mender List mender.io
Hi Will,

Thanks for this hacky way as a short and fast way to get the device identity on the device side. I will try it next week. The only little issue I see with it is that the user must accept the device in the Mender server first in order for the token to be sent.

kind regards
Ahmed

Eystein Måløy Stenberg

Jun 27, 2018, 7:17:59 AM
to men...@lists.mender.io
Understandably looks to be a common issue. I created a feature request
ticket here: https://tracker.mender.io/browse/MEN-1970

I think the device_id script is likely the best option; please feel free
to comment on the ticket or provide a PR with this.
Eystein