This repository contains Ansible playbooks for demoing FIDO Device Onboard (FDO) using the Fedora IOT implementation of the specification. It relies on the official collections for deploying FDO servers and building FDO-enabled installer images.
Before you begin, install Ansible dependencies and collections.
ansible-galaxy install -r requirements.yml
FDO servers require a number of keys and certificates. Those can be generated using the community.fdo.generate_keys_and_certificates role of the Community FDO collection, either locally or on a remote host.
A playbook for generating keys and certificates locally is included in this repo.
ansible-playbook fdo-certs-local.yml
If FDO packages cannot be installed on your Ansible controller, you can generate the keys and certificates on a remote RHEL 9.x host and copy them to the local host.
ansible-playbook fdo-certs-remote.yml -i <inventory>
The playbook expects a certificate_generator host group in the inventory. Example in YAML format:
certificate_generator:
  hosts:
    rhel9:
      ansible_user: admin
      ansible_password: admin
      ansible_become_user: root
      ansible_become_pass: admin
      ansible_host: 192.168.122.24
You will need a host (physical or virtual machine) with RHEL 9.x and a valid RHEL subscription.
The inventory must include the following groups, configured to allow privileged (Ansible become) access to the hosts.
- rendezvous_server
- owner_server
- manufacturing_server
The inventory must include the IP addresses of the hosts. Example in YAML format:
rendezvous_server:
  hosts:
    rendezvous:
      ansible_user: admin
      ansible_password: admin
      ansible_become_user: root
      ansible_become_pass: admin
      ansible_host: 192.168.122.20
owner_server:
  hosts:
    owner:
      ansible_user: admin
      ansible_password: admin
      ansible_become_user: root
      ansible_become_pass: admin
      ansible_host: 192.168.122.21
manufacturing_server:
  hosts:
    manufacturing:
      ansible_user: admin
      ansible_password: admin
      ansible_become_user: root
      ansible_become_pass: admin
      ansible_host: 192.168.122.22
Note: You may run all FDO servers on a single host for demo purposes; in that case use the same ansible_host value for all three groups.
Passwordless sudo must be configured on the hosts.
Running the playbook:
ansible-playbook fdo-servers.yml -i <inventory> \
-e fdo_admin_ssh_key=<ssh_public_key> \
-e fdo_admin_password=<password>
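To catch inventory mistakes before running the playbook, here is an added checker (example code, not part of this repository) that reads the JSON printed by `ansible-inventory -i <inventory> --list` and verifies the three server groups, the ansible_host addresses and the become variables described above. The sample inventory embedded in it is constructed for the demonstration, and the check for vaulted values assumes that `--list` prints an encrypted variable as a mapping rather than a bare string.

```python
"""Sanity-check an FDO demo inventory from `ansible-inventory --list` JSON output."""
import json

REQUIRED_GROUPS = ("rendezvous_server", "owner_server", "manufacturing_server")
SECRET_VARS = ("ansible_password", "ansible_become_pass")

# Constructed sample of `ansible-inventory --list` output for an incomplete demo
# inventory: the manufacturing group is missing, the owner host has no address,
# and the rendezvous host keeps its password in plaintext.
SAMPLE_INVENTORY_JSON = json.dumps({
    "_meta": {"hostvars": {
        "rendezvous": {"ansible_user": "admin", "ansible_password": "admin",
                       "ansible_become_user": "root", "ansible_host": "192.168.122.20"},
        "owner": {"ansible_user": "admin", "ansible_become_user": "root"},
    }},
    "all": {"children": ["rendezvous_server", "owner_server", "ungrouped"]},
    "rendezvous_server": {"hosts": ["rendezvous"]},
    "owner_server": {"hosts": ["owner"]},
})


def check_inventory(inventory_json):
    """Return a list of findings; an empty list means the inventory looks usable."""
    inv = json.loads(inventory_json)
    hostvars = inv.get("_meta", {}).get("hostvars", {})
    findings = []
    for group in REQUIRED_GROUPS:
        hosts = inv.get(group, {}).get("hosts", [])
        if not hosts:
            findings.append(f"{group}: group missing or has no hosts")
            continue
        for host in hosts:
            hv = hostvars.get(host, {})
            if "ansible_host" not in hv:
                findings.append(f"{group}/{host}: ansible_host (IP address) not set")
            if not any(k.startswith("ansible_become") for k in hv):
                findings.append(f"{group}/{host}: no ansible_become_* variables; "
                                "passwordless sudo must then be in place")
            for var in SECRET_VARS:
                # Assumption: a vaulted value shows up as a mapping in --list output,
                # so a bare string here means the secret is stored in plaintext.
                if isinstance(hv.get(var), str):
                    findings.append(f"{group}/{host}: {var} stored in plaintext; "
                                    "encrypt it with ansible-vault")
    return findings


if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY_JSON):
        print(finding)
```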
Important: For this demo to work "as is" the device must support TPM, which can also be emulated in a VM.
On first boot, the device will call a manufacturing server for initialization. There are multiple ways to specify the manufacturing server URL.
- Add the following kernel arguments when booting the device for the first time, in the console or using kickstart (e.g. when booting via PXE). The fdo.diun_pub_key_insecure=true setting makes the client accept the manufacturing server's DIUN key without verifying it, which is suitable for a demo only:
fdo.manufacturing_server_url=http://<manufacturing_server>:8080 fdo.diun_pub_key_insecure=true
- Or build an installer image that has the required FDO customizations baked in:
ansible-playbook fdo-image.yml -i <inventory> \
-e download_image=true \
-e manufacturing_server_host=<host>
Then you can boot the device (e.g. a VM) into the installer image. Example:
sudo virt-install \
--boot uefi --network default \
--name fdo-device --memory 2048 --vcpus 2 \
--disk size=20,path=fdo-device.qcow2 \
--os-variant rhel9.2 \
--tpm backend.type=emulator,backend.version=2.0,model=tpm-tis \
--cdrom fdo-demo_edge-simplified-installer.iso
After the device has been initialized, it can be booted and automatically onboarded by copying its Ownership Voucher (OV) from the manufacturing server to the owner server.
Note: There is no need to copy ownership vouchers if the servers run on the same host and share the filesystem.
ansible-playbook sync-vouchers.yml -i <inventory>