
cfengine-android


Android devices are now everywhere. The tablet is the new laptop and everybody in your company has a smartphone. We also find Android in non-mobile environments like interactive kiosks, infotainment systems, ...

How can we identify, manage and configure those devices?

Even if Android uses a Linux kernel, it is very different from a GNU/Linux system: the C library is not fully POSIX, the filesystem hierarchy is not standard, and most of the configuration is done through a Java API and SQLite files.

However, those challenges can be solved. In this talk we will see how robust and well-known technologies like CFEngine and Rudder can help you manage those new devices.

This talk was given at cfgmgmtcamp.eu 2014.
Slides 1-29 contain the speaker notes.
Slides 30-58 are the normal slides (download the file to see them correctly).


Cédric Cabessa

February 04, 2014

Transcript

  1. CFEngine on Android

  2. Summary: 01 Android? 02 Android != GNU/Linux 03 Conf Management for Android? 04 CFEngine / Rudder

  3. 01 Android?

  4. Android?

    I suppose you already know Android :-) You find it in many consumer devices like phones and tablets. The OS is made by Google and is open source (Apache licence). Many manufacturers build devices and customize the OS; Google makes sure that the devices are "compatible" (CTS). Do you need configuration tools for your pocket device?

  5. Bring Your Own Device (BYOD)

    People bring their own devices to work (or work devices home). Those devices access corporate network resources and contain sensitive data => need to apply a security policy: localisation / wipe, tracking / inventory.

  6. Mobile Devices NOT

    Android is used on every kind of device. E.g. a bus shelter in Paris: 3 Android screens, an interactive application for the city (tourist info, find a shop at 11pm, ...). Those devices are connected by ethernet, with a static IP, a UPS, ... => not mobile but more like a server => need to update the software and change the configuration (ssh keys, fix a bug in libssl, ...).

  7. Internet of Things

    Android is found on many types of embedded devices. Google has bought Nest => Android on the Internet of Things => security issue: how do you update and patch those devices? Fridge sending spam (http://www.bbc.co.uk/news/technology-25780908). Bruce Schneier wrote an essay explaining that embedded devices are often shipped with old open source packages and no way for the user to update them: https://www.schneier.com/essay-468.html

  8. NEED CONFIGURATION MANAGEMENT

  9. Genymobile Story (AOSP => Customize / Add features => Genymobile => Management? Dev Ops?)

    A bit of background story. At Genymobile, we build customized Android versions for professional usage (e.g. bus shelter, professional tablet). We took the source code from Google (AOSP), customized it and added / removed features (ethernet support, proxy, SNMP), made it possible to run a (legacy) binary as root, improved security, ... I am a software engineer, not a sysadmin :-) Customers ask us how to manage the ROM we provided, and there is no real solution out of the box. How hard can it be? Android is just another Linux, just install your favorite configuration management tool.

  10. 02 Android is not GNU/Linux

  11. Android Challenge

    How is Android different? Let's see (quickly):
    * Linux kernel (patched)
    * libc: bionic, not fully POSIX
    * Many open source components: sqlite, ssl, webkit, ...
    * Some are Google made: X11 => SurfaceFlinger, gstreamer => media framework
    * It can run binaries, but all the OS / framework is written in Java: API oriented, with the configuration stored in a sqlite db. Example: changing the keyboard layout. GNU/Linux: edit xorg.conf / restart X. Android: API call, sqlite store + the framework sends messages to all applications.

  12. Android Challenge: File System

    Not FHS! In /data an application can only see its own folder.
    * un-partitioned => kernel, ramfs (contains /)
    * / => init script + conf, cannot be modified
    * /system => RO, can be remounted RW (need root access)
      * /bin => daemons + toolbox (less than busybox)
      * /lib => libssl.so, libsqlite.so
      * /framework => *.jar
    * /data => RW, application data + user configuration, accounts, ... (need root)
      * /data/data/myapp => user application

  13. Android Challenge

    No package management for the system (you cannot update a lib). PM is for applications only (Play Store). To update the OS you need to use OTA:
    * download a zip file with the new OS or a binary patch
    * reboot in recovery mode, flash the zip
    * reboot with the new system

  14. Android Challenge: HAVE NOT :-(

    No Python, no Ruby (at least not easily). Mobile devices: not much RAM, and you need to take care of CPU usage => battery. This limits the choice of tools.

  15. Android Challenge: CHOICE :-)

    We can do native C or Java, with limitations (not POSIX, ...).
  16. 03 What exists? Conf Management for Android

  17. Google: Device Administrator API

    Google targets the "mass market": it makes money with ads and the Play Store, and Android drives users to Google products. No enterprise offers (!= RIM). Android has a Device Administrator API. If you set an app to be your Device Administrator, it can do the following (http://developer.android.com/guide/topics/admin/device-admin.html): password management, remote wipe, force encryption.

  18. Manufacturer / Solution provider

    Private API: some manufacturers have a private API to manage their devices => buy the phone AND the MDM solution => classic tie-in. Hack: others use various hacks + user help (popup if a forbidden app is installed).

  19. 04 Can we do better with CFEngine? CFEngine + Rudder

  20. CFEngine: Native code, Porting patches, Android Support

    Native code: light, efficient, written in C => a good match for Android. Some compilation issues needed to be solved. Add support for Android (the android:: class) + techniques => patches sent upstream (or in progress).

  21. CFEngine

    CFEngine: a native daemon, running in the Linux / shell land. Configuration: managed by Android in the Java land.

  22. CFEngine: JNI, Java Helper, ROM Helper

    JNI: C code that calls Java functions. Java helper: launch a Java "command line tool" from Linux (see the am command on Android). ROM helper:

  23. ROM: Use The ROM!

    Create your own Android version:
    * permission: cfengine needs to run as root. You can root the device and install sudo to launch cfengine, but that is not a clean solution. Write your ROM and create a clean daemon launched in the init script.
    * management: Android state can be exported as files, and CFEngine is good at managing files. Solve the communication issue (e.g. package whitelist / blacklist).
    * Add the features you need and let cfengine manage them (e.g. proxy).
    It can be scary, but it is the only way to master your device: you are free to update it and push security fixes if needed.
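As an added example (not code from the talk, nor from Genymobile's ROM or CFEngine's own Android patches), here is a CFEngine 3 policy in the shape of slides 21-23: the desired state lives in a file in the Linux land that CFEngine manages, and a Java-land helper, launched like a command line tool in the spirit of the am command, is notified only when CFEngine actually repaired the file. The android:: class is the one the talk says the porting patches add; the file path /data/local/cfengine/proxy.conf, the broadcast action com.example.cfengine.APPLY_PROXY, the proxy host and port, and the cfengine_stdlib.cf input are assumptions for illustration.

```cfengine
# Added example, not from the talk: manage an Android proxy setting as a file
# and hand it to the Java land through a helper command. Paths, proxy values
# and the broadcast action are assumptions; body names (mog, empty,
# insert_lines, if_repaired, in_shell) come from the CFEngine standard library.

body common control
{
      bundlesequence => { "android_proxy" };
      inputs => { "cfengine_stdlib.cf" };   # assumed location of the standard library
}

bundle agent android_proxy
{
  vars:
      "proxy_host" string => "proxy.example.com";   # constructed sample value
      "proxy_port" string => "3128";                # constructed sample value
      # Assumed file in /data (RW) where the ROM helper reads the desired proxy.
      "proxy_conf" string => "/data/local/cfengine/proxy.conf";
      # Assumed Java-land helper, launched from the shell land like any command.
      "apply_proxy" string => "/system/bin/am broadcast -a com.example.cfengine.APPLY_PROXY";

  files:
    android::
      # Keep the file exactly as policy says; any drift is repaired on each run.
      "${proxy_conf}"
        create        => "true",
        perms         => mog("0600", "root", "root"),
        edit_defaults => empty,
        edit_line     => insert_lines("http_proxy=${proxy_host}:${proxy_port}"),
        classes       => if_repaired("proxy_conf_repaired");

  commands:
    android.proxy_conf_repaired::
      # Only when the file changed: ask the Java framework to reload it.
      "${apply_proxy}"
        contain => in_shell;

  reports:
    android.proxy_conf_repaired::
      "proxy configuration repaired in ${proxy_conf}, framework notified";
    !android::
      "not an Android node (android:: class absent), nothing to do";
}
```

The point of the if_repaired class is idempotence: on a compliant node the agent touches nothing and never launches the helper, so the Java side is only woken up when the Linux-side file really changed.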
  24. Rudder: User Friendly, Inventory, Reporting

  25. Rudder

    There are two parts in Rudder. The server is a web interface to manage all the nodes. The client is cfengine + techniques + an inventory agent (FusionInventory or OCS Inventory). When an agent starts, it sends an inventory to the server. You can then search for agents based on the inventory (hostname, MAC, operating system, processor type, ...). The search result can be used to create groups of nodes.

  26. Rudder

    Create a directive, i.e. a "configuration element". For example, this directive makes sure your node uses version 42 of the Android operating system. Directive templates are created in order to be easy to use: here you select only the version number, the server name, and the time of the update. A non-expert operator can easily use the directive and change some parameters. The role of the expert team is to create the directive (in the cfengine3 language).

  27. Rudder

    Finally you apply directives to groups of nodes: "I want every Android device from this group to be on this version of the system". You can check the compliance: whether your devices are responding to the directive.
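As an added example (not one of Rudder's own techniques and not code from the talk), here is what the "use version 42 of the Android operating system" directive of slides 26-27 could look like as a CFEngine 3 bundle: the three parameters the operator fills in the template (version, server, update hour) are the bundle arguments, the running version is read from the Android property store, and the OTA flow of slide 13 is triggered only outside compliance and inside the chosen hour. /system/bin/getprop and the property ro.build.version.release are real Android pieces; the helper /system/bin/ota_update.sh, its flags, the server name and the cfengine_stdlib.cf input are assumptions.

```cfengine
# Added example, not from the talk or from Rudder: an "OS version" directive as
# a parameterised CFEngine 3 bundle. getprop is real; the OTA helper script,
# its arguments and the server name are assumptions for illustration.

body common control
{
      # The operator-facing parameters: wanted version, OTA server, update hour.
      bundlesequence => { android_os_version("42", "ota.example.com", "03") };
      inputs => { "cfengine_stdlib.cf" };   # assumed location of the standard library
}

bundle agent android_os_version(wanted_version, ota_server, update_hour)
{
  vars:
    android::
      # Running build version from the Android property store (Java land state
      # exported to the shell land through a command line tool).
      "running_version" string => execresult("/system/bin/getprop ro.build.version.release", "noshell");
      # Assumed ROM helper: downloads the OTA zip from the server and reboots
      # into recovery to flash it (slide 13's OTA sequence).
      "ota_helper" string => "/system/bin/ota_update.sh";

  classes:
    android::
      # Compliance: exact match between running and wanted version.
      "version_ok" expression => strcmp("${running_version}", "${wanted_version}");
      # CFEngine's hard class HrNN is set during hour NN; e.g. Hr03.
      "update_window" expression => "Hr${update_hour}";

  commands:
    android.!version_ok.update_window::
      # Non-compliant and inside the maintenance hour: start the OTA.
      "${ota_helper} --server ${ota_server} --version ${wanted_version}"
        contain => in_shell;

  reports:
    android.version_ok::
      "compliant: running Android ${running_version}";
    android.!version_ok.!update_window::
      "non-compliant: running ${running_version}, wanted ${wanted_version}; OTA deferred to Hr${update_hour}";
    android.!version_ok.update_window::
      "non-compliant: running ${running_version}, starting OTA from ${ota_server}";
}
```

The reports promises are what make the compliance state visible: a Rudder server can tell a node that is merely waiting for its update window apart from one that is already compliant, and the OTA command never runs on a node whose running version already matches.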
  28. Features

    OS behaviour: add a proxy, bring up a VPN with geo data, ... OTA update, package management, blacklist, geofencing, remote wipe, policy enforcement.

  29. Thank You

    * cfengine is portable
    * you can build it with your ROM
    * it helps you manage your Android with your features
    Thank you for your time! Questions? Email: ccabessa@genymobile.com G+: https://www.google.com/+CedricCabessa Slides: https://speakerdeck.com/cedriccabessa/cfengine-android Cédric Cabessa
  30. CFEngine on Android

  31. Summary: 01 Android? 02 Android != GNU/Linux 03 Conf Management for Android? 04 CFEngine / Rudder

  32. 01 Android?

  33. Android?

  34. Bring Your Own Device (BYOD)

  35. Mobile Devices NOT

  36. Internet of Things

  37. NEED CONFIGURATION MANAGEMENT

  38. Genymobile Story: AOSP, Customize, Add features, Genymobile, Management? Dev Ops?

  39. 02 Android is not GNU/Linux

  40. Android Challenge

  41. Android Challenge: File System (un-partitioned => kernel, ramfs (contains /); / => init script + conf, cannot be modified; /system => RO, can be remounted RW (need root access); /bin => daemons + toolbox (less than busybox); /lib => libssl.so, libsqlite.so; /framework => *.jar; /data => RW, application data + user configuration, accounts, ... (need root); /data/data/myapp => user application)

  42. Android Challenge

  43. Android Challenge: HAVE NOT :-(

  44. Android Challenge: CHOICE :-)

  45. 03 Conf Management for Android

  46. Google: Device Administrator API (Password Management, Remote Wipe, Force Encryption)

  47. Manufacturer / Solution provider (Private API, Hack)

  48. 04 CFEngine + Rudder

  49. CFEngine: Native code, Porting patches, Android Support

  50. CFEngine

  51. CFEngine: JNI, Java Helper, ROM Helper

  52. ROM: Use The ROM!

  53. Rudder: User Friendly, Inventory, Reporting

  54. Rudder

  55. Rudder

  56. Rudder

  57. Features: OS behaviour, OTA Update, Package Management, Blacklist, Geofencing, Remote Wipe, Policy enforcement

  58. Thank You for your time! Questions? Email: ccabessa@genymobile.com G+: https://www.google.com/+CedricCabessa Slides: https://speakerdeck.com/cedriccabessa/cfengine-android Cédric Cabessa