
cfengine-android

Android devices are now everywhere. The tablet is the new laptop and everybody in your company has a smartphone. We also find Android in non-mobile environments like interactive kiosks, infotainment systems, ...

How can we identify, manage and configure those devices?

Even though Android uses a Linux kernel, it is very different from a GNU/Linux system: the C library is not fully POSIX, the filesystem hierarchy is not standard, and most of the configuration is done through a Java API and SQLite files.

However, those challenges can be solved. In this talk we will see how robust and well-known technologies like CFEngine and Rudder can help you manage those new devices.

This talk was given at cfgmgmtcamp.eu 2014.
Slides 1-29 contain the speaker notes.
Slides 30-58 are the normal slides (download the file to see them correctly).

Cédric Cabessa

February 04, 2014


Transcript

  1. CFEngine on Android

  2. Summary
    01 Android?
    02 Android != GNU/Linux
    03 Conf Management for Android?
    04 CFEngine / Rudder

  3. Android ?
    01

  4. Android ?
    I suppose you already know Android :-)
    You find it in many consumer devices like phones and tablets.
    OS made by Google, open source (Apache License).
    Many manufacturers build devices and customize the OS.
    Google makes sure that devices are “compatible” (CTS).
    Do you need configuration tools for your pocket device?

  5. People bring their own devices to work (or work devices home).
    They access corporate network resources and contain sensitive data.
    => need to apply a security policy
    Localisation / wipe
    Tracking / inventory
    Bring Your Own Device
    BYOD
    Android ?

  6. Android is used on every kind of device.
    eg: bus shelters in Paris. 3 Android screens, interactive application for the city (tourist info, find a shop at 11pm, ...)
    Those devices are connected by ethernet, static IP, UPS, … => not mobile, but more like a server
    => Need to update the software, change configuration (ssh keys, fix a bug in libssl, ...)
    Mobile Devices
    NOT
    Android ?

  7. Android is found on many types of embedded devices.
    Google has bought Nest => Android on the Internet of Things
    => security issue: how to update and patch those devices?
    Fridge sending spam (http://www.bbc.co.uk/news/technology-25780908)
    Bruce Schneier wrote an essay explaining that embedded devices are often shipped with old open source packages and no way for the user to update them.
    https://www.schneier.com/essay-468.html
    Internet of Things
    Android ?

  8. NEED CONFIGURATION MANAGEMENT
    Android ?

  9. A bit of background story
    At Genymobile, we build customized Android versions for professional usage (eg: bus shelters, professional tablets).
    We took the source code from Google (AOSP), customized it and added / removed features (ethernet support, proxy, snmp), being able to run a (legacy) binary as root, improved security, ….
    I am a software engineer, not a sysadmin :-)
    Customers asked us how to manage the ROM we provided: no real solution out of the box.
    How hard can it be? Android is just another Linux, just install your favorite configuration management tool.
    Add features
    AOSP
    Dev Ops?
    Management?
    Customize
    Genymobile
    Android ?
    Genymobile Story

  10. Android is not GNU/Linux
    02

  11. How is Android different?
    Let's see (quickly):
    * Linux kernel (patched)
    * libc: bionic, not fully POSIX.
    * Many open source components: sqlite, ssl, webkit, …
    * Some are Google-made: X11 => SurfaceFlinger, gstreamer => media framework
    * Can run binaries, but all the OS / framework is written in Java: API oriented, with configuration stored in a sqlite db
    ex: change the keyboard layout
    * GNU/Linux: edit xorg.conf / restart X
    * Android: API call, sqlite store + the framework sends messages to all applications
    Android is not Gnu / Linux
    Android Challenge

  12. Not FHS !
    In /data an application can only see its own folder.
    Android is not Gnu / Linux
    Android Challenge
    un-partitioned => kernel, ramfs (contains /)
    / => init script + conf, cannot be modified
    /system => RO, can be remounted RW (needs root access)
        /bin => daemons + toolbox (less than busybox)
        /lib => libssl.so, libsqlite.so
        /framework => *.jar
    /data => RW, application data + user configuration, accounts, … (needs root)
        /data/data/myapp => user application
    File System
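Verifying the mount state described on this slide, as an added shell example that is not code from the talk: it parses mount-table lines in /proc/mounts format and reports whether a mount point such as /system is mounted read-only, which is what a management agent wants to confirm after a remount. The mount lines below are constructed (the device node names are made up, the mount points are the ones from the slide); on a device you would pass "$(cat /proc/mounts)" as the first argument instead.

```shell
#!/bin/sh
# Added example (not from the talk): verify that a mount point is read-only by
# parsing mount-table lines in /proc/mounts format. On a device, pass
# "$(cat /proc/mounts)" as the first argument instead of the sample below.

# Constructed sample in /proc/mounts format; the device node names are made up,
# the mount points are the ones from the slide.
SAMPLE_MOUNTS='rootfs / rootfs ro,relatime 0 0
/dev/block/platform/example/by-name/system /system ext4 ro,seclabel,relatime 0 0
/dev/block/platform/example/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0'

# mount_options "<mount table>" <mountpoint>: print the option field (4th column)
# of the first line whose mount point matches; prints nothing if not mounted.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# is_readonly "<mount table>" <mountpoint>
# returns 0 if mounted with "ro", 1 if mounted read-write, 2 if not mounted.
is_readonly() {
    opts=$(mount_options "$1" "$2")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# expect_readonly "<mount table>" <mountpoint>: one report line, in the spirit of
# a compliance check; returns 0 only when the mount point is read-only.
expect_readonly() {
    if is_readonly "$1" "$2"; then
        echo "OK $2 is read-only"
        return 0
    fi
    echo "NON-COMPLIANT $2 is not read-only (options: ${opts:-not mounted})"
    return 1
}

# Stand-alone run on the constructed table: /system must be ro, /data is rw.
expect_readonly "$SAMPLE_MOUNTS" /system
expect_readonly "$SAMPLE_MOUNTS" /data || true
```

The check matches the whole option token (",ro,"), so an option such as "rootcontext" cannot be mistaken for a read-only flag, and a missing mount point is reported separately from a read-write one.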

  13. No package management for the system (you cannot update a lib).
    Package management is for applications only (Play Store).
    To update the OS you need to use OTA:
    * download a zip file with the new OS or a binary patch
    * reboot in recovery mode, flash the zip
    * reboot with the new system
    Android is not Gnu / Linux
    Android Challenge

  14. No Python, no Ruby (at least not easily)
    Mobile devices: not much RAM, need to take care of CPU usage => battery
    Limits the choice of tools
    HAVE NOT :-(
    Android is not Gnu / Linux
    Android Challenge

  15. We can do native C or Java, with limitations (not POSIX, …)
    CHOICE :-)
    Android is not Gnu / Linux
    Android Challenge

  16. What exists?
    Conf Management for Android
    03

  17. Google targets the “mass market”: it makes money with ads and the Play Store, and Android drives users to Google products.
    No enterprise offers (!= RIM)
    Android has a Device Administrator API.
    If you set an app to be your Device Administrator, it can do the following:
    http://developer.android.com/guide/topics/admin/device-admin.html
    Password Management
    Remote Wipe
    Force Encryption
    Conf Management for Android
    Google: Device Administrator API

  18. Some manufacturers have private APIs to manage their devices => buy the phone AND the MDM solution
    => classic tied selling
    Others use various hacks + user help (popup if a forbidden app is installed)
    Private API
    Conf Management for Android
    Manufacturer / Solution provider
    Hack

  19. Can we do better with CFEngine?
    CFEngine + Rudder
    04

  20. Native code: light, efficient, written in C => good match for Android
    Need to solve some compilation issues
    Add support for Android (android::) + techniques
    Patches sent upstream (or in progress)
    Native code
    CFEngine + Rudder
    CFEngine
    Porting
    patches
    Android
    Support

  21. CFEngine: native daemon, runs in the Linux / shell land
    Configuration: managed by Android in the Java land
    CFEngine + Rudder
    CFEngine

  22. JNI: C code that calls Java functions
    Java helper: launch a Java “command line tool” from Linux (see the am command on Android)
    ROM helper:
    CFEngine + Rudder
    CFEngine
    JNI
    Java Helper
    Rom Helper

  23. Create your own Android version:
    * permission: need to run as root. You can root the device and install sudo to launch cfengine, but that is not a clean solution. Write your ROM and create a clean daemon launched from the init script.
    * management: Android state can be exported as files, and CFEngine is good at managing files. This solves the communication issue (eg package whitelist / blacklist)
    * Add the features you need and let cfengine manage them (eg: proxy)
    Can be scary, but it is the only way to master your device: you are free to update it and push security fixes if needed.
    Use The ROM!
    CFEngine + Rudder
    ROM

  24. User Friendly
    CFEngine + Rudder
    Rudder
    Inventory Reporting

  25. You have two parts in Rudder: the server is a web interface to manage all the nodes; the client is cfengine + techniques + an inventory agent (FusionInventory or OCS Inventory).
    When an agent starts, it sends an inventory to the server. Then you can search for agents based on the inventory (hostname, MAC, operating system, processor type, …).
    The search result can be used to create groups of nodes.
    CFEngine + Rudder
    Rudder

  26. Create a directive, ie a “configuration element”.
    For example, this directive makes sure your node uses version 42 of the Android operating system.
    Directive templates are created in order to be easy to use: here you select only the version number, the server name, and the time to update.
    A non-expert operator can easily use the directive and change some parameters.
    The role of the expert team is to create the directive (in cfengine3 language).
    CFEngine + Rudder
    Rudder

  27. Finally you apply directives to groups of nodes.
    “I want every Android device from this group to be on this version of the system.”
    You can check the compliance: whether your devices conform to the directive.
    CFEngine + Rudder
    Rudder
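The approach of slides 23 and 26-27 (export Android state as plain files, let the agent compare them against a directive, report compliance) carried through as an added shell example; this is not code from the talk, CFEngine or Rudder, and in a real deployment the checks would be written as cfengine3 promises rather than sh. The ROM helper that captures `pm list packages` output is hypothetical, and the package names, the whitelist, the blacklist and the expected version 42 are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): a hypothetical "ROM helper" that exports
# the installed package list to a plain file, plus the compliance checks that a
# "package whitelist / blacklist" or "OS version 42" directive would run over
# such files. All package names and list contents below are constructed.

# Constructed stand-in for the output of `pm list packages` on a device.
# On a real device the helper would run `pm list packages` itself.
SAMPLE_PM_OUTPUT='package:com.android.systemui
package:com.example.kiosk
package:com.android.settings
package:com.example.games.unapproved'

# export_packages "<pm output>": one bare package name per line, sorted, so the
# result is an ordinary text file that CFEngine can manage and compare.
export_packages() {
    printf '%s\n' "$1" | sed -n 's/^package://p' | LC_ALL=C sort
}

# check_packages <installed> <whitelist> <blacklist>
# Prints one finding per line; returns 0 when compliant, 1 otherwise.
# A blacklisted package is always a finding; anything not on the whitelist is
# reported too, so an unknown package cannot slip through silently.
check_packages() {
    rc=0
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if grep -qxF -- "$pkg" "$3"; then
            echo "BLACKLISTED $pkg"
            rc=1
        elif ! grep -qxF -- "$pkg" "$2"; then
            echo "NOT_WHITELISTED $pkg"
            rc=1
        fi
    done < "$1"
    return $rc
}

# check_os_version <wanted> <installed>: the "version 42" directive. On a device
# the installed value would be read with getprop from whichever build property
# the ROM uses to carry its version (assumption: ro.build.version.incremental).
check_os_version() {
    if [ "$1" = "$2" ]; then
        echo "OS_VERSION_OK $2"
        return 0
    fi
    echo "OS_VERSION_MISMATCH wanted=$1 installed=$2"
    return 1
}

# Stand-alone demonstration on the constructed data.
demo() {
    dir=$(mktemp -d)
    export_packages "$SAMPLE_PM_OUTPUT" > "$dir/installed"
    printf '%s\n' com.android.settings com.android.systemui com.example.kiosk > "$dir/whitelist"
    printf '%s\n' com.example.games.unapproved > "$dir/blacklist"
    if check_packages "$dir/installed" "$dir/whitelist" "$dir/blacklist"; then
        echo "packages: compliant"
    else
        echo "packages: NON-COMPLIANT"
    fi
    check_os_version 42 42 || true
    rm -rf "$dir"
}
demo
```

The whitelist and blacklist files are the pieces the server distributes; the only device-specific code is the export step, which is what keeps the Java-land state manageable from the shell-land agent.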

  28. OS behaviour: add a proxy, bring up a VPN with geo data, ….
    OTA Update
    Package Management
    Blacklist
    Geofencing
    Remote Wipe
    Policy enforcement
    OS behaviour
    Features
    CFEngine + Rudder

  29. * cfengine is portable
    * you can build it with your ROM
    * it helps you manage your Android with your features
    Thank you for your time!
    Questions?
    Email: [email protected]
    G+: https://www.google.com/+CedricCabessa
    Slides: https://speakerdeck.com/cedriccabessa/cfengine-android
    Cédric Cabessa
