Device Provisioning Script
- Task: AZ-187_device_provisioning_script
- Name: Device Provisioning Script
- Description: Create a shell script that provisions a Jetson device identity (CompanionPC user) during the fuse/flash pipeline
- Complexity: 2 points
- Dependencies: None
- Component: DevOps
- Tracker: AZ-187
- Epic: AZ-181
Problem
Each Jetson needs a unique CompanionPC user account for API authentication. This must be automated as part of the manufacturing/flash process so that provisioning 50+ devices is not manual.
Outcome
- Single script creates device identity and embeds credentials in the rootfs
- Integrates into the fuse/flash pipeline between odmfuse.sh and flash.sh
- Provisioning runbook documents the full end-to-end flow
Scope
Included
- provision_device.sh: generate device email (azaion-jetson-{serial}@azaion.com), random 32-char password
- Call admin API POST /users to create Users row with Role=CompanionPC
- Write credentials config file to rootfs image (at known path, e.g., /etc/azaion/device.conf)
- Idempotency: re-running for same serial doesn't create duplicate user
- Provisioning runbook: step-by-step from unboxing through fusing, flashing, and first boot
Excluded
- fTPM provisioning (covered by NVIDIA's ftpm_provisioning.sh)
- Secure Boot fusing (covered by solution_draft02 Phase 1-2)
- OS hardening (covered by solution_draft02 Phase 3)
- Admin API user creation endpoint (assumed to exist)
Acceptance Criteria
AC-1: Script creates CompanionPC user
Given a new device serial AZJN-0042
When provision_device.sh is run with serial AZJN-0042
Then admin API has a new user azaion-jetson-0042@azaion.com with Role=CompanionPC

AC-2: Credentials written to rootfs
Given provision_device.sh completed successfully
When the rootfs image is inspected
Then /etc/azaion/device.conf contains the email and password

AC-3: Device can log in after flash
Given a provisioned and flashed device boots for the first time
When the loader reads /etc/azaion/device.conf and calls POST /login
Then a valid JWT is returned

AC-4: Idempotent re-run
Given provision_device.sh was already run for serial AZJN-0042
When it is run again for the same serial
Then no duplicate user is created (existing user is reused or updated)

AC-5: Runbook complete
Given the provisioning runbook
When followed step-by-step on a new Jetson Orin Nano
Then the device is fully fused, flashed, provisioned, and can communicate with the admin API
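
An added sketch of the local half of provision_device.sh (not the project's script): it derives the email as in AC-1, generates the 32-character password, and writes /etc/azaion/device.conf into a mounted rootfs directory with mode 600, leaving an existing file for the same device untouched on a re-run (AC-4). Assumptions: the AZJN-<digits> serial format, the EMAIL/PASSWORD key names, and the function names; the POST /users call is left out because its request format is not given here.

```shell
#!/bin/sh
# Added example, not the project's script. Assumed: AZJN-<digits> serials,
# EMAIL/PASSWORD key names, and all function names below.
CONF_REL=etc/azaion/device.conf   # config path named in the task scope

# AC-1 mapping: AZJN-0042 -> azaion-jetson-0042@azaion.com.
# Rejecting anything but digits keeps the serial out of paths and addresses.
device_email() {
    num=${1#AZJN-}
    [ "$num" != "$1" ] || return 1
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    printf 'azaion-jetson-%s@azaion.com\n' "$num"
}

# 32 alphanumeric characters from the kernel CSPRNG (48 bytes -> 64 base64 chars).
gen_password() {
    head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-32
}

# usage: provision_rootfs <mounted-rootfs-dir> <serial>
provision_rootfs() {
    email=$(device_email "$2") || { echo "invalid serial: $2" >&2; return 1; }
    conf=$1/$CONF_REL
    # Re-run for the same device: keep the stored password so it stays in
    # sync with the account that already exists on the admin API (AC-4).
    if [ -f "$conf" ] && grep -qxF "EMAIL=$email" "$conf"; then
        return 0
    fi
    pw=$(gen_password)
    [ "${#pw}" -eq 32 ] || { echo "password generation failed" >&2; return 1; }
    # The POST /users call belongs here, before anything is written.
    mkdir -p "${conf%/*}" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1      # created with mode 0600
    printf 'EMAIL=%s\nPASSWORD=%s\n' "$email" "$pw" > "$tmp" &&
        chmod 600 "$tmp" && mv "$tmp" "$conf"     # atomic replace
}
```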