Ignition 8.1 Commissioning Automation

ralacosta · June 21, 2022, 9:08pm

Has anyone been able to use a custom hash for the commissioning file when installing 8.1? Currently we use the modifications outlined here: ZIP File Installations - Ignition User Manual 8.1 - Ignition Documentation.

{
  "isCommissioned": "COMMISSIONING",
  "connections.useSsl": "false",
  "eulaSetup.accepted": "true",
  "eulaSetup.eula": "TuLW3I1yHBlo9kuqbxz5cDFPf5H4/zqSpbO93Tk7Hco=",
  "authSetup.username": "admin",
  "authSetup.password": "[e811cfc7]fc3b28ad5f73331c94790129f0931437ac31d59376b0e4b15df580a8841ba165"
}

This sets the password to the default, which is great, but I was looking to put our custom password in there instead.

PGriffith · June 21, 2022, 9:21pm

@Kevin.Collins reverse-engineered it (before he was hired) and has a bash snippet available that he uses in his docker images.

github.com

thirdgen88/ignition-docker/blob/main/8.1/perform-commissioning.sh#L96


      
          mapfile -t commissioning_steps < <( (echo "$commissioning_steps_raw" | jq -r '.steps | keys | @sh') | tr -d \' )
          echo "${commissioning_steps[*]}"
          
          
# activation
          if [[ ${commissioning_steps[*]} =~ "activated" ]]; then
              local activation_payload='{"id":"activation","data":{"licenseKey":"'${IGNITION_LICENSE_KEY}'","activationToken":"'${IGNITION_ACTIVATION_TOKEN}'"}}'
              evaluate_post_request "${url}" "${activation_payload}" 201 "${phase}" "Online Activation"
              echo "init     |  IGNITION_LICENSE_KEY: ${IGNITION_LICENSE_KEY}"
          fi
          
          
# authSetup
          if [[ ${commissioning_steps[*]} =~ "authSetup" && "${GATEWAY_PROMPT_PASSWORD}" != "1" ]]; then
              local auth_user="${GATEWAY_ADMIN_USERNAME:=admin}"
              local auth_salt
              auth_salt=$(date +%s | sha256sum | head -c 8)
              local auth_pwhash
              auth_pwhash=$(printf %s "${GATEWAY_ADMIN_PASSWORD}${auth_salt}" | sha256sum - | cut -c -64) 
              local auth_password="[${auth_salt}]${auth_pwhash}"
              local auth_payload
              auth_payload=$(jq -ncM --arg user "$auth_user" --arg pass "$auth_password" '{ id: "authentication", step:"authSetup", data: { username: $user, password: $pass }}')
              evaluate_post_request "${url}" "${auth_payload}" 201 "${phase}" "Configuring Authentication"

kcollins1 · June 22, 2022, 2:32pm

I’ll add that you can use the same environment variables within a regular installation that you’d use for auto-commissioning a Docker container. Setting these vars will satisfy commissioning and continue with Gateway startup automatically:

IGNITION_EDITION=standard
GATEWAY_ADMIN_PASSWORD=password
ACCEPT_IGNITION_EULA=Y
GATEWAY_DEFAULT_PORTS=true

Alternatively, you can also specify all the individual ports:

GATEWAY_HTTP_PORT=8088
GATEWAY_HTTPS_PORT=8043
GATEWAY_GAN_PORT=8060

A couple other bonus tips:

You can also specify GATEWAY_ADMIN_PASSWORD_FILE=/path/to/file where the contents of the file feed the environment variable.
The final value of GATEWAY_ADMIN_PASSWORD (whether directly or by file) can also be a salted hash (created using the code Paul posted above) instead of an explicit password.

Seeding the commissioning file directly is also perfectly valid, but I wanted to mention this in the event that it wasn’t known that these particular environment variables were actually integrated into the platform itself for 8.1.9+ (and not just part of our Docker image entrypoint logic).

ralacosta · June 22, 2022, 7:43pm

Thanks for all the tips. We're not using Docker images, which is why we opted to seed the commissioning file. I did try to seed the commissioning file on an upgrade of 7.9 to 8.1, with the admin password. A temp user source, like when resetting the password using the gwcmd was created with the new admin user.

The GitHub repo was great and it's very helpful to be able to input our own hash in this way during commissioning to automate some of this. This didn't help much in the upgrade of 7.9 to 8.1 though because of the mentioned temp user source that was created.

kcollins1 · June 22, 2022, 7:51pm

IIRC, you shouldn't need to define a password during commissioning on an upgrade from 7.9 to 8.x (and doing so will perform a password reset, as you note).

ralacosta · June 22, 2022, 8:09pm

Yes. That’s correct. No need to enter a new user/password into there.

The EULA does make a return though, which is what we were able to skip through on initial deployment by seeding the commissioning.json file.

I was looking to see if there was a way to skip the EULA in the same way. I had tested this without setting up the user and password in the commissioning file, and a new user was requested in the EULA prompt also. The provided Github repo solution uses curl and basically accepts the EULA that way.

kcollins1 · June 22, 2022, 8:56pm

Ahhh, I see.. Yes, it would be easiest to just add the ACCEPT_IGNITION_EULA=Y var to your environment then.. If you're on Linux, see an example below for updating the systemd override file with additional environment variables:

https://asciinema.org/a/KnHcZHFOxr5cPNkOR4BkEPnNO

kcollins1 · June 27, 2022, 3:45pm

I put together a quick video to demonstrate an installation and then upgrade from Ignition 7.9.20 to Ignition 8.1.18 with the systemd overrides. Along the way I add some audio insight–hopefully this helps with folks who might be interested in this solution for helping automate upgrades.

forum-61034.mp4

kcollins1 · June 30, 2022, 12:57pm

Another supplement here, this script can be used to generate a salted SHA256 hash of a password for direct use within GATEWAY_ADMIN_PASSWORD environment variable or the commissioning.json file:

gist.github.com

https://gist.github.com/thirdgen88/c4257bd4c47b6cc7194d1f5e7cbd6444

generate-gw-password-hash.sh

#!/usr/bin/env bash
set -eo pipefail

###############################################################################
# Processes password input and translates to salted hash
###############################################################################
function main() {
  local -u auth_salt
  local auth_pwhash auth_pwsalthash auth_password

This file has been truncated. show original

pturmel · October 19, 2022, 7:32pm

Hmm. Doesn't seem to work with executable installers. I was hoping to switch away from the zip installs.

kcollins1 · October 19, 2022, 7:36pm

Is your expectation/wish that these environment variables will be discovered by the executable installer and applied to the underlying service configuration as part of the installation?

pturmel · October 19, 2022, 7:38pm

Yes. Particularly for unattended installs. I'm working up an auto-install for netboot/minimal ISO kits.

kcollins1 · October 19, 2022, 7:39pm

Gotcha.. I could see that being handy..

pturmel · October 19, 2022, 8:08pm

Succeeded with a work-around using a SystemD drop-in. Just before invoking the installer, my script has this:

mkdir -p /etc/systemd/system/ignition.service.d
cat >/etc/systemd/system/ignition.service.d/override.conf <<EOF
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
Environment=ACCEPT_IGNITION_EULA=Y
Environment=GATEWAY_ADMIN_USERNAME=someUserName
Environment=GATEWAY_ADMIN_PASSWORD=somePassword
Environment=IGNITION_EDITION=edge
Environment=GATEWAY_HTTP_PORT=80
Environment=GATEWAY_HTTPS_PORT=443
Environment=GATEWAY_GAN_PORT=8060
EOF

The installer launches like so:

useradd -c "Ignition Service" -U -m -G dialout ignition
"./$installer" -- unattended=text logLevel=debug user=ignition serviceName=ignition location=/usr/share/ignition

After the installer completes, I have this in the script:

cat >/etc/systemd/system/ignition.service.d/override.conf <<EOF
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
EOF

systemctl daemon-reload

This booted all the way up into Edge on ports 80 & 443 while running non-root. (:

Edit: I messed up the password hash somehow. But a plain password works.

kcollins1 · October 19, 2022, 10:29pm

Nice. Yeah, I suppose there is nothing wrong with pre-loading the systemd service overrides to have the env vars be there when the installer starts up the service.

The gist I linked above (here) should help you generate a valid hash for the env var.