
IoT Management Service
GNU Affero General Public License v3.0

Permissions error when launching IoT Management Service #17

Closed kzawad1 closed 1 year ago

kzawad1 commented 1 year ago

After building the source code and running the project, I access the service via http://localhost:8010.

Here are the steps:

  1. On the local development PC open a web browser and go to http://localhost:8010
  2. The web page shows "You do not have permissions to access this site. Please login."
  3. Click on "login".
  4. This redirects to https://login.ubuntu.com, so I enter my Ubuntu One email and password.
  5. Next, I am redirected to the "Personal Data Request" page on https://login.ubuntu.com and click "Yes, log me in".
  6. This redirects to http://management:8010/notfound with "You do not have permissions to access this site. Please login".

What do I need to add to the setup to allow it to login?

dilyn-corner commented 1 year ago

There's an important step you might have missed; did you run:

microk8s.kubectl exec -it management-$REF -- \
    ./createsuperuser \
    -username $USERNAME \
    -email $EMAIL \
    -name "$FIRST $LAST"

Where management-$REF is whatever pod name is associated with the management pod, and the $USERNAME/$EMAIL/$FIRST $LAST is whatever is associated with your Ubuntu SSO account.

Note that you would run this snippet directly in the iot-management repo you cloned locally.

Also note that my command is using the microk8s snap, modify as needed for however you've installed kubectl.

kzawad1 commented 1 year ago

Ok, I didn't know I had to do that.

I just ran the command and I am getting an error, so I need to figure out what I need to do in terms of setup in order to run this command. The error is "microk8s.kubectl: command not found", so it is obviously not installed.


dilyn-corner commented 1 year ago

If you haven't read the white paper, you can find it here. It goes through a lot of setup instruction.

Because I do this using the microk8s snap, you can use the microk8s.kubectl command I reference by doing the following:

# install the strictly confined microk8s snap and allow your user to drive it
sudo snap install microk8s --channel=1.25-strict/edge
sudo usermod -a -G snap_microk8s $LOGNAME

# pick up the new group in the current shell (or log out and back in)
newgrp snap_microk8s

sudo microk8s enable hostpath-storage
sudo microk8s enable dns

After doing that setup, you should then be able to run the command.

kzawad1 commented 1 year ago

Thank you for sending that. I don't understand the Postgres step. It states:

The Kubernetes deployment also needs the password of the PostgreSQL database to be changed, and then the service deployment is straightforward.

I don't know if I have to manually install Postgres and set up the password, or if the command creates this automatically. What exactly do I need to change? I don't understand.

Right now I am getting the following error:

krzysztof@pop-dev:~/iot-management$ kubectl create -f k8s-postgres.yaml
Error from server (AlreadyExists): error when creating "k8s-postgres.yaml": configmaps "postgres-config" already exists
Error from server (AlreadyExists): error when creating "k8s-postgres.yaml": persistentvolumes "postgres-pv-volume" already exists
Error from server (AlreadyExists): error when creating "k8s-postgres.yaml": persistentvolumeclaims "postgres-pv-claim" already exists
Error from server (AlreadyExists): error when creating "k8s-postgres.yaml": deployments.apps "postgres" already exists
Error from server (AlreadyExists): error when creating "k8s-postgres.yaml": services "postgres" already exists
krzysztof@pop-dev:~/iot-management$

What exactly needs to be done to get over this error?

kzawad1 commented 1 year ago

I reread the "Secure IoT Device Management" and found out why I was running into the error. I got past it.

Now, what is unclear from that document is the "Exposing the services". For all the previous commands up until this point they all returned. However, the kubectl port forward commands don't return, so I think I need to open 3 terminals for just prototyping this on my local development machine.

Do I need to have three separate terminals open to run the kubectl port forward commands for prototyping only? (This obviously needs to change for production.)

dilyn-corner commented 1 year ago

Glad to hear you've resolved the issue! Do you mind mentioning what the solution was for posterity?

You are correct that kubectl commands block; while testing I append an & to background the task.
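The backgrounding with `&` works, but three forwards in three shells are easy to lose track of. The script below is an added example (not code from iot-management or the white paper) that starts all three `port-forward` sessions from one terminal, records their pids, and stops them together, either with `stop` or automatically on Ctrl-C in `run` mode. The Service names (`management`, `identity`, `devicetwin`) and the identity/devicetwin ports (8030, 8040) are assumptions; only 8010 for management is stated on this page, so compare the `FORWARDS` list with the `k8s-*.yaml` files you actually deployed and override it if needed. `KUBECTL` can be `kubectl` or `microk8s kubectl`.

```shell
#!/bin/sh
# Added example (not part of the iot-management project or the white paper):
# run the three "kubectl port-forward" sessions from one terminal, keep their
# pids in a file, and tear them all down with one command or on Ctrl-C.
# Assumptions: Services named management, identity and devicetwin on ports
# 8010, 8030 and 8040. Check them against your k8s-*.yaml files and override
# FORWARDS if they differ. KUBECTL may be "kubectl" or "microk8s kubectl".
KUBECTL="${KUBECTL:-microk8s.kubectl}"
PIDFILE="${PIDFILE:-${TMPDIR:-/tmp}/iot-portforward.pids}"
FORWARDS="${FORWARDS:-management:8010:8010
identity:8030:8030
devicetwin:8040:8040}"

# pf_start SERVICE LOCALPORT REMOTEPORT: one forward in the background, pid recorded
pf_start() {
    $KUBECTL port-forward "service/$1" "$2:$3" >/dev/null 2>&1 &
    echo "$!" >>"$PIDFILE"
}

# pf_start_all: start every forward listed in FORWARDS (service:local:remote)
pf_start_all() {
    : >"$PIDFILE"
    while IFS=: read -r svc lport rport; do
        [ -n "$svc" ] || continue
        pf_start "$svc" "$lport" "$rport"
    done <<EOF
$FORWARDS
EOF
}

# pf_count_alive: how many recorded forwards are still running
pf_count_alive() {
    n=0
    if [ -f "$PIDFILE" ]; then
        while read -r pid; do
            [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null && n=$((n + 1))
        done <"$PIDFILE"
    fi
    echo "$n"
}

# pf_stop_all: SIGTERM every recorded forward, reap it, remove the pid file
pf_stop_all() {
    [ -f "$PIDFILE" ] || return 0
    while read -r pid; do
        [ -n "$pid" ] || continue
        kill "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true   # reaps the job when it is our child
    done <"$PIDFILE"
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start) pf_start_all; echo "started $(pf_count_alive) forwards, pids in $PIDFILE" ;;
    stop)  pf_stop_all ;;
    run)   trap pf_stop_all EXIT INT TERM; pf_start_all; wait ;;   # foreground; Ctrl-C cleans up
    *)     ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Usage: `sh portforward.sh start` detaches the forwards and frees the terminal, `sh portforward.sh stop` kills exactly the processes it started, and `sh portforward.sh run` keeps them in the foreground with cleanup on Ctrl-C. Forwards that die on their own (for example after a pod restart) are simply missing from `pf_count_alive`, which is the quickest way to see why a browser tab "just spins".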

kzawad1 commented 1 year ago

Ok, I just wanted to get "iot-management" running on my Ubuntu development machine. Therefore, I just cloned the "iot-management" repository and ran the commands from there.

However, this is not possible. All the projects are interconnected: iot-devicetwin, iot-identity, & iot-management. Therefore, there is an entire sequence of steps that needs to be performed to get this up and working that is not detailed in the guide but implied. For instance, cloning the repositories and performing Go builds.

I've deleted and recreated the Ubuntu development virtual machine a few times. Now, I am stuck at the point where I go to the URL http://management:8010 it just sits there and spins (the web browser with no errors). I can't figure out if I forgot to do a Go build before starting the pod, so there isn't anything to reply to the request. Or if it has to do with the port forwarding or something else.

It seems kind of odd to hold up the entire terminal with kubectl port forward and port forwarding is something you want to do once and forget about it. Not have to have 3 terminal sessions running to make it work.

Hmm... I need to wipe the VM and start over again.

kzawad1 commented 1 year ago

Everything is up and running in terms of the server side of things. Now, getting into an issue where I can't register devices:


Getting the error: Mar 03 15:45:37 ubuntu iot-agent.mqtt[1780]: 2023/03/03 15:45:37 Error with enrollment: (EnrollDevice) assertion model: type of snap "snapd" must be one of app|base|gadget|kernel|core

Do I need to remove the iot-agent snap and reinstall it without using --devmode?

dilyn-corner commented 1 year ago

Ah yes; this is a known issue - there was talk of a solution proposal at the end of last year, so I'll ask some people for an update on that.

In the meanwhile, the solution is to use a newer iot-identity image (part of the iot-agent repository).

There are two options: use someone else's, or build your own.

For the first option: check on Docker Hub - bugraaydogar's probably works (@bugraaydogar?). To do this, you'll modify the sonicblue in the iot-identity repository's k8s yaml file with the new username.

For the second option: you can host an image yourself locally.

sudo apt install docker.io # or snap install docker & invoke docker below with sudo
sudo microk8s enable registry
cd iot-identity
docker build -t iot-identity . 
docker tag iot-identity:latest localhost:32000/iot-identity:latest
docker push localhost:32000/iot-identity:latest

And update the iot-identity k8s yaml file to refer to your own localhost: sed -i 's/sonicblue/localhost:32000/' path/to/iot-identity/k8s-identity.yaml

kzawad1 commented 1 year ago

Hmm... I tried the second option and it doesn't work. I'm getting the same thing.

I tried this second option while the pods were running. It didn't work, so I deleted the virtual machine and started from scratch again.

Here are the steps for the "iot-identity" setup:

# Go to home directory
cd ~

# Clone the iot-identity repository
git clone https://github.com/canonical/iot-identity.git

cd iot-identity/
# Update k8s-identity.yaml with items (ca.crt & ca.key) in identity.yaml
gedit ../iot-x509/identity.yaml k8s-identity.yaml

# Remove the ca.crt & ca.key files
rm ./datastore/test_data/ca.crt
rm ./datastore/test_data/ca.key

cp ~/iot-x509/ca.crt ./datastore/test_data/
cp ~/iot-x509/ca.key ./datastore/test_data/

go mod tidy
go build cmd/identity/main.go

# Deploy the database and service
kubectl create -f k8s-postgres.yaml
kubectl create -f k8s-identity.yaml

Maybe it is because I have the sequence wrong. Where are the steps/commands you mention above supposed to be run? Before or after "go build"?
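The steps above copy the CA certificate and private key from iot-x509 into `datastore/test_data/` and paste the same material into `k8s-identity.yaml` by hand, which is where a mismatched or stale pair tends to creep in. The script below is an added example, not code from iot-identity, that checks the pair with the `openssl` CLI before `kubectl create -f k8s-identity.yaml`: the key must match the certificate, the certificate must carry `CA:TRUE`, and it must not be expired. The default paths follow the steps above; any other path is an assumption. Treat `ca.key` as a production secret even on a dev VM: it signs every device's identity, so keep it out of git and out of shared images.

```shell
#!/bin/sh
# Added example, not part of iot-identity: sanity-check the CA material that
# the enrollment service will sign with, before deploying it. Verifies that
# ca.crt and ca.key belong together, that the certificate is a CA, and that it
# has not expired. Needs only the openssl command-line tool.
# Default paths are the ones used in the setup steps above (assumption).

# ca_pair_matches CRT KEY -> 0 when KEY is the private key for CRT's public key
ca_pair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# ca_is_ca CRT -> 0 when the basicConstraints extension says CA:TRUE
ca_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# ca_not_expired CRT -> 0 when the certificate is valid right now
ca_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_ca_material CRT KEY: prints one line per finding, non-zero on any failure
check_ca_material() {
    rc=0
    if ca_pair_matches "$1" "$2"; then
        echo "ok: $2 matches $1"
    else
        echo "FAIL: $2 is not the private key for $1"; rc=1
    fi
    if ca_is_ca "$1"; then
        echo "ok: $1 is a CA certificate"
    else
        echo "FAIL: $1 lacks basicConstraints CA:TRUE"; rc=1
    fi
    if ca_not_expired "$1"; then
        echo "ok: $1 is not expired"
    else
        echo "FAIL: $1 has expired"; rc=1
    fi
    return "$rc"
}

case "${1:-}" in
    "") ;;   # no arguments: only define the functions (e.g. when sourced)
    *)  check_ca_material "$1" "${2:-$(dirname "$1")/ca.key}" ;;
esac
```

Usage from the iot-identity checkout: `sh check-ca.sh datastore/test_data/ca.crt`. Run it again against the files in `~/iot-x509` to confirm both copies are the same pair; if the yaml was edited by hand, decode the embedded certificate to a temporary file and check that one too.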

kzawad1 commented 1 year ago

I figured it out and I got it working.

It shows "Enrolled".

I think at this point I will close this in the next few days if no one adds any comments or possibly submits another solution.