Enable SDO Rendezvous Service on StarlingX

Introduction

Secure Device Onboard (SDO) is open source software that is in the process of becoming an industry standard through the FIDO (Fast IDentity Online) alliance. SDO automates the “onboard” process, which occurs when a device establishes the first trusted connection with a device management service.

SDO can be used with x86 and ARM-based devices ranging from small compute IoT devices to higher compute Intel® Xeon® devices. The key requirement is that the device must be manufactured with the necessary credentials and SDO client software.

The SDO process involves interactions between a number of different entities including: Manufacturer, Device, Owner, Rendezvous service, and Device platform service.

This document describes how to enable the SDO Rendezvous (RV) service on StarlingX.

Integration Steps

  1. Complete building all the build layers. See the Layered Build Guide for details.

  2. Build the application exclusively. Enter the flock layer and refer to the Build flock layer steps for details.

  3. Build the application using the commands:

    build-pkgs --clean stx-sdo-helm
    build-pkgs --dep-test stx-sdo-helm
    

    An example of successful logs is shown below:

    13:49:21 ===== iteration 1 complete =====
    13:49:21
    13:49:21 Results out to: /localdisk/loadbuild/stx/flock/std/results/stx-flock-4.0-std
    13:49:21
    13:49:21 Pkgs built: 2
    13:49:21 Packages successfully built in this order:
    13:49:21 /localdisk/loadbuild/stx/flock/std/rpmbuild/SRPMS/build-info-1.0-4.tis.src.rpm
    13:49:21 /localdisk/loadbuild/stx/flock/std/rpmbuild/SRPMS/stx-sdo-helm-1.0-2.tis.src.rpm
    13:49:22 Recreate repodata
    
    ######## Tue Feb 23 13:49:23 UTC 2021: build-rpm-parallel --std was successful
    
    Tue Feb 23 13:49:23 UTC 2021: std complete
    
    Skipping 'rt' build, no valid targets in list:  stx-sdo-helm
    Skipping 'installer' build
    Skipping 'containers' build
    All builds were successful
    
  4. Create the system application using the command:

    build-helm-charts.sh -a stx-sdo
    

    Sample console output is as follows:

    Merging yaml from file: usr/lib/armada/sdo_manifest.yaml
    Writing merged yaml file: stx-sdo.yaml
    Results:
    /localdisk/loadbuild/stx/flock/std/build-helm/stx/stx-sdo-1.0-2.tgz
    
  5. Exit from the container. The SDO-RV system application will be found in the following location:

    $HOME/starlingx/workspace/localdisk/loadbuild/stx/flock/std/build-helm/stx/stx-sdo-<version>.tgz
    
  6. Copy the application into the home folder of the controller.

  7. Copy the certs folder of the SDO version 1.10 release to the home folder using the command:

    curl --progress-bar -LO https://github.com/secure-device-onboard/release/releases/download/v1.10.0/rendezvous-service-v1.10.0.tar.gz
    tar -zxf rendezvous-service-v1.10.0.tar.gz
    
  8. Acquire admin credentials:

    source /etc/platform/openrc
    
  9. Load the stx-openstack application package into StarlingX. The tarball package contains the stx-openstack FluxCD manifest and stx-openstack set of Helm charts. For example:

    system application-upload stx-sdo-<version>.tgz
    
  10. Apply the stx-sdo application to bring the SDO Rendevous application into service. If your environment is preconfigured with a proxy server, make sure the HTTPS proxy is set before applying stx-sdo.

    system application-apply stx-sdo
    
  11. Check the application status using the command:

    system application-show stx-sdo
    

When the SDO Rendezvous application is in service, you will see the RV service and redis DB pods running. For example:

[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get pods -n kube-system
NAME                         READY   STATUS    RESTARTS   AGE
redis-6d76cdd759-wpnv7       1/1     Running   0          11d
rv.deploy-6b9c4b8b65-chf2v   1/1     Running   0          11d