... an Italian-based company with 20+ years of expertise in providing the best and safest solutions for heating, ventilation and air conditioning (HVAC) systems worldwide. It is a NADCA-certified company pioneering this industry with innovative techniques.

Neosperience Enterprise is the B2B-focused branch of the Neosperience group, supporting companies in innovating their market through smart product strategies leveraging Artificial Intelligence, IoT, cloud and blockchain.

Remotair is the smart product leveraging Neosperience technology and Alisea expertise to disrupt the HVAC system cleaning market.
... and local sensors

A look into Remotair IoT

Ad hoc sensor board:
- wired sensors directly connected to the I2C bus
- wireless sensors connected OTA
- acts as an edge gateway
- collects and forwards data to the cloud
- receives OTA software logic updates

Requirements:
- a single customer can have many plants with many Remotair devices
- cloud-native application deployed into customers' AWS accounts
- new device provisioning can be customized
- receives OTA software logic updates
With AWS Greengrass, Lambda functions and Docker containers are defined in the cloud and deployed to an edge device (named a Greengrass core) to process data flowing from devices and issue control commands. Greengrass supports a variety of connectors to AWS services and provides local MQTT channels to handle communication.
(simplified)

To simplify the overall architecture, we consider a simple version of a Remotair deployment, with:
- a sensor device
- a Remotair board
- a local business logic
- an IoT topic
- an AWS Greengrass core
- a cloud Lambda function acting as a proxy to cloud services
- no connectors
Setup steps:
1. Device thing creation
2. Roles creation
3. Core and Core Version creation
4. Logger, resources and connector creation
5. Greengrass group definition and resource linking to versions
0. Device setup

IoT Thing Provisioning: performs actions in the cloud to create the IoT shadow, policies and certificates.

AWS Greengrass setup: creates all the required resources in the cloud to handle the local Greengrass group setup, and configures all the resources needed by the config.json of the GG runtime.

Device configuration: the initial step, configuring the device operating system and installing the AWS IoT libraries and the AWS Greengrass daemon.
Setting up a new device

The device operating system should be provided on bootable storage. Raspberry CM3 boards require a Raspberry Pi OS version on an SD card. On startup a systemd routine checks for Wi-Fi and, if it is not available, switches the board into access point mode; an external application can then set up the Wi-Fi credentials.

Through Ansible it is possible to start from a bare image, then add libraries and configurations. Greengrass can be installed with its dependencies and started as a process daemon. This is also suitable for testing environments and ensures deployment immutability.
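The Ansible step above, written out as an added example (this is not Remotair's playbook; it assumes the Greengrass core software v1 tarball, a per-host directory of certificates and the config.json produced by the cloud-side setup, all marked as placeholders). The Wi-Fi/access-point fallback is left to the image's own systemd routine.

```yaml
# Added example, not from the slides: bare Raspberry Pi OS -> running Greengrass (v1) core.
# Placeholders: ggc_tarball (Greengrass core tarball), ggc_certs_dir (config.json + certs
# generated by the cloud-side setup for this board).
- name: Provision a Remotair board as a Greengrass core
  hosts: remotair_boards
  become: true
  vars:
    ggc_tarball: "files/greengrass-linux-armv7l-PLACEHOLDER.tar.gz"   # placeholder
    ggc_certs_dir: "files/certs/{{ inventory_hostname }}"             # placeholder
  tasks:
    - name: Hardlink/symlink protection required by the Greengrass dependency checker
      ansible.posix.sysctl:
        name: "{{ item }}"
        value: "1"
        sysctl_set: true
        state: present
      loop: [fs.protected_hardlinks, fs.protected_symlinks]

    - name: Unprivileged group the core runs Lambdas as
      ansible.builtin.group:
        name: ggc_group
        system: true

    - name: Unprivileged user the core runs Lambdas as (no shell, no home)
      ansible.builtin.user:
        name: ggc_user
        group: ggc_group
        system: true
        shell: /bin/false
        create_home: false

    - name: Runtime dependencies (add the runtimes your local Lambdas need)
      ansible.builtin.apt:
        name: [sqlite3, python3]
        state: present
        update_cache: true

    - name: Unpack the Greengrass core software under /greengrass (idempotent)
      ansible.builtin.unarchive:
        src: "{{ ggc_tarball }}"
        dest: /
        creates: /greengrass/ggc/core/greengrassd

    - name: Install config.json and the core credentials (private key root-only)
      ansible.builtin.copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      loop:
        - { src: "{{ ggc_certs_dir }}/config.json", dest: /greengrass/config/config.json, mode: "0644" }
        - { src: "{{ ggc_certs_dir }}/root.ca.pem", dest: /greengrass/certs/root.ca.pem, mode: "0644" }
        - { src: "{{ ggc_certs_dir }}/core.cert.pem", dest: /greengrass/certs/core.cert.pem, mode: "0644" }
        - { src: "{{ ggc_certs_dir }}/core.private.key", dest: /greengrass/certs/core.private.key, mode: "0600" }

    - name: systemd unit so the daemon survives reboots
      ansible.builtin.copy:
        dest: /etc/systemd/system/greengrass.service
        mode: "0644"
        content: |
          [Unit]
          Description=Greengrass Daemon
          After=network-online.target

          [Service]
          Type=forking
          PIDFile=/var/run/greengrassd.pid
          Restart=on-failure
          ExecStart=/greengrass/ggc/core/greengrassd start
          ExecReload=/greengrass/ggc/core/greengrassd restart
          ExecStop=/greengrass/ggc/core/greengrassd stop

          [Install]
          WantedBy=multi-user.target

    - name: Enable and start the daemon
      ansible.builtin.systemd:
        name: greengrass
        daemon_reload: true
        enabled: true
        state: started
```

The certificate file names must match what the cloud-side step wrote into config.json; the `creates:` guard and the file modes are what make the play safe to re-run and keep the core's private key readable by root only.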
IoT Core Thing

Creating a new Greengrass Core means setting up its thing before providing a valid configuration file to the GG daemon. Setting up a new thing is a classical "chicken and egg" problem: devices need credentials to access AWS resources and obtain a certificate which, in turn, enables them to access AWS resources.

Different approaches:
- installing certificates on IoT devices before they are delivered
- provisioning by trusted users
- provisioning by claim
- certificate token vending machine
Just-in-time provisioning (JITP)
- a registered certificate authority (CA) issues a certificate which is used to attempt a connection to AWS IoT
- the payload of the request contains a template to craft a request for a new IoT certificate
- a thing and its policy can be created using the template
- the policy is attached to the certificate
- the certificate is attached to the thing

Evaluation
✓ unattended setup is possible
✓ no external app required
✗ device is in full control of the credentials
✗ security could be an issue
✗ configuration is hard (JITP templates are difficult to write)
Provisioning by trusted users
1. Call CreateProvisioningTemplate to create a provisioning template and return its templateArn and templateName.
2. Create an IAM role that is used by a trusted user to initiate the provisioning process.
3. Give the AWS IoT service permission to create or update IoT resources.
4. Give a user access to the app and obtain the IAM role associated to the login (with permissions).
5. The mobile app or web application uses the IAM role and calls CreateProvisioningClaim to obtain a temporary provisioning claim certificate from AWS IoT.
6. Supply the temporary certificate to the device, which connects to IoT and claims a certificate.

Evaluation
✓ security is enforced
✓ device needs to perform handshaking
✓ configuration is easy
✗ requires an external app
✗ requires user explicit approval
Provisioning by claim
1. Call CreateProvisioningTemplate to create a provisioning template.
2. Create certificates and associated private keys to be stored securely on the device.
3. Assign to the created certificate a restricted set of permissions.
4. Define a policy that allows AWS IoT to manage things.
5. Embed the certificate securely on the device.
6. The device calls AWS IoT (or publishes a request on an MQTT topic) then claims an effective certificate.

Evaluation
✓ security is enforced (only with encryption of certificates)
✓ no external app required
✓ configuration is easy
✗ unattended provisioning
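Step 3 above ("a restricted set of permissions") is where the security of the claim approach lives: the claim certificate is shipped on every board, so its policy must allow nothing beyond the provisioning handshake. The following is an added example, not from the slides: the over-broad policy next to one limited to the fleet provisioning topics (`$aws/certificates/create/*` and `$aws/provisioning-templates/<template>/provision/*`), plus a small checker that flags wildcard grants. Region, account id and template name are placeholders.

```python
"""Added example (not from the slides): AWS IoT policy for a provisioning *claim*
certificate, restricted to the fleet-provisioning topics, next to the over-broad
version, with a checker that flags wildcard grants.  Region, account id and
template name are placeholders."""
import json
import re

REGION = "eu-west-1"            # placeholder
ACCOUNT = "123456789012"        # placeholder account id
TEMPLATE = "RemotairTemplate"   # placeholder provisioning template name

# Only these MQTT topics are needed to turn a claim certificate into a real one:
# CreateKeysAndCertificate and RegisterThing of the fleet provisioning workflow.
PROVISIONING_PREFIXES = ("$aws/certificates/create/",
                         "$aws/provisioning-templates/" + TEMPLATE + "/provision/")


def arn(kind, path):
    return "arn:aws:iot:%s:%s:%s/%s" % (REGION, ACCOUNT, kind, path)


# What NOT to embed on a device: a claim cert that can do anything in AWS IoT.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]}

# Restricted policy: connect, then publish/subscribe only on the provisioning topics.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": [arn("client", "*")]},
        {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
         "Resource": [arn("topic", p + "*") for p in PROVISIONING_PREFIXES]},
        {"Effect": "Allow", "Action": ["iot:Subscribe"],
         "Resource": [arn("topicfilter", p + "*") for p in PROVISIONING_PREFIXES]},
    ],
}

TOPIC_ARN_RE = re.compile(r"^arn:aws:iot:[^:]*:[^:]*:(topic|topicfilter)/(.*)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def findings(policy):
    """Return human-readable problems with a claim-certificate policy ([] = acceptable)."""
    problems = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        if any(a in ("*", "iot:*") for a in actions):
            problems.append("statement %d: wildcard action %s" % (i, actions))
        for r in resources:
            # Resource "*" is tolerated only for iot:Connect (client id wildcard).
            if r == "*" and actions != ["iot:Connect"]:
                problems.append("statement %d: resource * for %s" % (i, actions))
            m = TOPIC_ARN_RE.match(r)
            if m and not m.group(2).startswith(PROVISIONING_PREFIXES):
                problems.append("statement %d: topic outside provisioning flow: %s"
                                % (i, m.group(2)))
    return problems


def restricted_to_provisioning(policy):
    """True when the policy grants nothing beyond the provisioning handshake."""
    return not findings(policy)


if __name__ == "__main__":
    print(json.dumps(RESTRICTED_POLICY, indent=2))
    for name, pol in (("broad", BROAD_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, findings(pol) or "ok")
```

Running `findings()` over the policy you attach to the claim certificate (for example from the same CDK/CloudFormation pipeline that creates it) catches the common mistake of reusing a device's operational policy for the claim cert; the effective certificate obtained after RegisterThing gets its own, thing-scoped policy.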
Certificate Vending Machine
1. A thing device issues a request for a certificate to an API Gateway endpoint with a websocket.
2. The request contains a token / serial number.
3. A Lambda processes the request and looks into a DynamoDB table for a match of the provided token.
4. If no match is returned, the new token is added to the DynamoDB table and admins get notified, to enable the new device.
5. When a match is found, the Lambda invokes AWS IoT to issue a certificate and create a corresponding thing.
6. The certificate is sent back to the device.

Evaluation
✓ security is enforced (devices contain public data)
✓ device needs to perform handshaking
✓ external app is not required (cloud handles certs)
✓ configuration is easy
✓ user explicit approval is not mandatory
✓ provisioning can be a two-phase process
✓ devices could be pre-authorized
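The Lambda side of steps 2 to 6, as an added example (not Remotair's code): a token that is not in the table is stored as pending and admins are notified; an approved token gets a certificate and a thing, linked through the device policy; a token that has already been used is refused, so a replayed request cannot obtain a second credential. Table, policy and SNS topic names are placeholders, and the `Fake*` classes stand in for the boto3 clients so the flow can be exercised offline.

```python
"""Added example (not from the slides): Lambda side of the certificate vending
machine described above.  Table/policy/topic names are placeholders and the
Fake* classes stand in for boto3 clients so the flow runs offline."""
import json
import os
import re
import time

TABLE_NAME = os.environ.get("DEVICE_TABLE", "remotair-devices")         # placeholder
THING_POLICY = os.environ.get("THING_POLICY", "RemotairDevicePolicy")   # placeholder
ADMIN_TOPIC = os.environ.get("ADMIN_TOPIC_ARN",
                             "arn:aws:sns:REGION:ACCOUNT:device-approvals")  # placeholder
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8,64}$")  # shape of the serial/token a board sends


class VendingMachine:
    def __init__(self, table, iot, sns):
        self.table, self.iot, self.sns = table, iot, sns

    def request_certificate(self, token):
        if not TOKEN_RE.match(token or ""):
            return {"status": "rejected"}  # malformed token: no DB write, no notification
        item = self.table.get_item(Key={"token": token}).get("Item")
        if item is None:
            # Phase 1: unknown token -> store as pending and notify admins (no credential yet).
            self.table.put_item(Item={"token": token, "status": "pending",
                                      "requested_at": int(time.time())})
            self.sns.publish(TopicArn=ADMIN_TOPIC, Subject="Remotair device awaiting approval",
                             Message=json.dumps({"token": token}))
            return {"status": "pending"}
        if item["status"] == "provisioned":
            return {"status": "already_provisioned"}  # one credential per token, never re-vend
        if item["status"] != "approved":
            return {"status": item["status"]}
        # Phase 2: admin approved -> mint certificate + thing, link them, mark the token used.
        cert = self.iot.create_keys_and_certificate(setAsActive=True)
        thing_name = "remotair-" + token
        self.iot.create_thing(thingName=thing_name)
        self.iot.attach_policy(policyName=THING_POLICY, target=cert["certificateArn"])
        self.iot.attach_thing_principal(thingName=thing_name, principal=cert["certificateArn"])
        self.table.update_item(
            Key={"token": token},
            UpdateExpression="SET #s = :s, certificate_arn = :c, thing_name = :t",
            ExpressionAttributeNames={"#s": "status"},
            ExpressionAttributeValues={":s": "provisioned", ":c": cert["certificateArn"],
                                       ":t": thing_name})
        return {"status": "provisioned", "thingName": thing_name,
                "certificatePem": cert["certificatePem"],
                "privateKey": cert["keyPair"]["PrivateKey"]}


def lambda_handler(event, context, vm=None):
    """API Gateway entry point; the body is what goes back to the device."""
    if vm is None:  # real deployment: boto3 clients (import deferred, offline use needs no boto3)
        import boto3
        vm = VendingMachine(boto3.resource("dynamodb").Table(TABLE_NAME),
                            boto3.client("iot"), boto3.client("sns"))
    body = json.loads(event.get("body") or "{}")
    return {"statusCode": 200, "body": json.dumps(vm.request_certificate(body.get("token")))}


# Offline stand-ins for the AWS clients (constructed for this example).
class FakeTable:
    def __init__(self):
        self.items = {}
    def get_item(self, Key):
        item = self.items.get(Key["token"])
        return {"Item": item} if item else {}
    def put_item(self, Item):
        self.items[Item["token"]] = dict(Item)
    def update_item(self, Key, UpdateExpression, ExpressionAttributeNames, ExpressionAttributeValues):
        v = ExpressionAttributeValues
        self.items[Key["token"]].update(status=v[":s"], certificate_arn=v[":c"], thing_name=v[":t"])


class FakeIot:
    def __init__(self):
        self.calls = []
    def create_keys_and_certificate(self, setAsActive):
        self.calls.append("create_keys_and_certificate")
        return {"certificateArn": "arn:aws:iot:REGION:ACCOUNT:cert/fake",
                "certificatePem": "-----FAKE CERT-----", "keyPair": {"PrivateKey": "-----FAKE KEY-----"}}
    def create_thing(self, thingName):
        self.calls.append("create_thing")
    def attach_policy(self, policyName, target):
        self.calls.append("attach_policy")
    def attach_thing_principal(self, thingName, principal):
        self.calls.append("attach_thing_principal")


class FakeSns:
    def __init__(self):
        self.notified = []
    def publish(self, TopicArn, Subject, Message):
        self.notified.append(json.loads(Message)["token"])


def demo(token="SN-0001-ABCD"):
    """Two-phase flow: first contact -> admin approval -> certificate -> replay refused."""
    table, iot, sns = FakeTable(), FakeIot(), FakeSns()
    vm = VendingMachine(table, iot, sns)
    first = vm.request_certificate(token)["status"]    # "pending", admins notified
    table.items[token]["status"] = "approved"          # admin enables the device
    second = vm.request_certificate(token)["status"]   # "provisioned"
    third = vm.request_certificate(token)["status"]    # "already_provisioned"
    return first, second, third, sns.notified, iot.calls
```

Two details matter for the "devices contain public data" evaluation point: the table row is the only authorization state, so an admin approving a token is an explicit, auditable action, and marking the row `provisioned` in the same request that returned the certificate is what prevents a second board quoting the same serial number from being issued another credential.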
A simple shell rule (for a Linux environment) runs CDK to create:
- a Greengrass core and its version
- at least one Greengrass role for each resource, to execute code and access the cloud
- log groups and log definitions
- any group resources
- group connectors to industrial services

Using CloudFormation instead of the AWS IoT APIs provides rollback and resource deletion capabilities: deleting the corresponding stack removes everything it created. AWS CDK allows this stack to be released as a component to be integrated and extended for customization.

CDK is run from the device / Ansible to provision cloud resources.
Diagram: a Greengrass group version linking a Core Version, a Logger Version, a Resource Version and a Connector Version.
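The slides use CDK, which synthesizes to CloudFormation; the template below is an added example (not Remotair's stack) of what the two previous slides describe: a role, a core definition with its initial version, a logger definition, and a group whose initial version links the core and logger versions through their `LatestVersionArn` attributes, which is the linking the diagram depicts. The thing and certificate ARNs come in as parameters, the role is kept to CloudWatch Logs only, and the resource/connector definitions (same pattern) are omitted.

```yaml
# Added example, not from the slides: Greengrass (v1) core + logger + group for one board.
# Parameters are placeholders filled from the thing-provisioning step.
AWSTemplateFormatVersion: "2010-09-09"
Description: Greengrass core, logger and group for one Remotair board (added example)
Parameters:
  CoreThingArn:
    Type: String
    Description: ARN of the IoT thing created in step 1 (placeholder)
  CoreCertificateArn:
    Type: String
    Description: ARN of the certificate attached to that thing (placeholder)
Resources:
  GroupRole:                      # step 2: role the group assumes to reach cloud services
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: greengrass.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: RemotairGroupLogs   # least privilege: only what the loggers need
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogStreams]
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/greengrass/*
  CoreDefinition:                 # step 3: core and its initial version
    Type: AWS::Greengrass::CoreDefinition
    Properties:
      Name: RemotairCore
      InitialVersion:
        Cores:
          - Id: RemotairCore
            ThingArn: !Ref CoreThingArn
            CertificateArn: !Ref CoreCertificateArn
            SyncShadow: true
  LoggerDefinition:               # step 4: loggers (resources/connectors follow the same pattern)
    Type: AWS::Greengrass::LoggerDefinition
    Properties:
      Name: RemotairLoggers
      InitialVersion:
        Loggers:
          - Id: SystemToCloudWatch
            Component: GreengrassSystem
            Level: INFO
            Type: AWSCloudWatch
          - Id: LambdaToFile
            Component: Lambda
            Level: INFO
            Type: FileSystem
            Space: 25600
  Group:                          # step 5: group definition linking the versions
    Type: AWS::Greengrass::Group
    Properties:
      Name: RemotairGroup
      RoleArn: !GetAtt GroupRole.Arn
      InitialVersion:
        CoreDefinitionVersionArn: !GetAtt CoreDefinition.LatestVersionArn
        LoggerDefinitionVersionArn: !GetAtt LoggerDefinition.LatestVersionArn
Outputs:
  GroupId:
    Value: !Ref Group
```

Deleting this stack removes the group, the definitions and the role together, which is the rollback/cleanup property the slide credits CloudFormation with; the thing and certificate survive because they are parameters, not resources of the stack.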
Setting up Greengrass

A single Greengrass Core Group has one or more versions of a set of resources that provide local services to the local deployment. A Core must be related to an IoT Core thing that qualifies a device as an IoT thing. Instantiating a new Greengrass Core requires having a thing correctly provisioned into our cloud environment.
... is an open task
- Ansible could be an enabling technology (e.g. for a master controller)
- Getting a certificate for a device could be achieved by a certificate vending machine
- Greengrass provisioning could be done either from a controller or from the device itself
- Greengrass is a game changer (cloud Lambda and container deployments, OTA updates)
- consider starting with Docker on a bare OS and configuring through Ansible