Provisioning a Device
After flashing the LineInterpreter image to your hardware and booting it for the first time, provisioning installs the dashboard application, configures SSH access, applies firewall rules, and optionally sets a static IP and enables observability.
Provisioning is performed by running sudo provision-once as the li-bootstrap user — a one-time bootstrap account created at first boot. provision-once calls provision.sh from a bundle you upload to the device.
Prerequisites
Section titled “Prerequisites”The device must have internet access — all snaps except the dashboard are downloaded from the Snap Store during provisioning.
provision.sh is baked into the image at injection time and copied to /var/lib/lineinterpreter/deploy/ by cloud-init on first boot. You do not need to transfer it manually.
You only need to bring two files:
| File | How to obtain |
|---|---|
lineinterpreter-dashboard_*.snap | Download from the LineInterpreter customer portal |
lineinterpreter-dashboard_*.assert | Download alongside the snap from the portal |
Because SSH is not installed until provisioning runs, transfer via USB stick is the recommended method. USB storage is enabled in the base image for exactly this purpose.
li-bootstrap has a standard bash shell with no command restrictions — only sudo is limited to provision-once. You can use cp, mkdir, mount, and any other standard shell commands freely.
- Put both files onto a USB stick
- Plug the USB stick into the device
- Log in as
li-bootstrapusing the password shown on the screen - Mount the USB stick and copy the snap bundle to your home directory:
Terminal window sudo mount /dev/sdb1 /mntcp /mnt/lineinterpreter-dashboard_*.snap /mnt/lineinterpreter-dashboard_*.assert ~/sudo umount /mntprovision-onceautomatically passes--snap-dir /home/li-bootstraptoprovision.sh. If you place the files somewhere else, pass--snap-dir <path>explicitly:Terminal window sudo provision-once --snap-dir /some/other/path [options] - Run provisioning:
Terminal window sudo provision-once [options]
After provisioning completes, USB storage is disabled automatically (unless --keep-usb is passed).
SSH Access
Section titled “SSH Access”SSH is not enabled unless at least one of --ssh-key, --generate-ssh-key, or --ssh-password is provided. Recommend using key-based authentication.
Provide an existing public key
Section titled “Provide an existing public key”sudo provision-once --ssh-key "ssh-ed25519 AAAA... user@host"Installs the key for the li-updater account. After provisioning, connect with:
ssh -i /path/to/your_private_key li-updater@<device-ip>Generate a key on the device
Section titled “Generate a key on the device”sudo provision-once --generate-ssh-keyGenerates an ed25519 key pair on the device, prints the private key to stdout, then deletes it from the device. Copy and store it securely — it will not be shown again.
To save the private key directly to a file (e.g. a USB drive):
sudo provision-once --generate-ssh-key --key-output /mnt/usb/lineinterpreter_id_ed25519--key-output requires --generate-ssh-key and cannot be used alone.
Password authentication
Section titled “Password authentication”sudo provision-once --ssh-password "your-password"Can be combined with --ssh-key or --generate-ssh-key to permit both methods simultaneously.
Network Configuration
Section titled “Network Configuration”By default the device uses DHCP. To assign a static IP:
sudo provision-once \ --static-ip 192.168.1.100 \ --gateway 192.168.1.1 \ --prefix 24 \ --dns 8.8.8.8| Option | Default | Description |
|---|---|---|
--static-ip | — | IPv4 address to assign |
--gateway | — | Required when --static-ip is set |
--prefix | 24 | Subnet prefix length |
--dns | — | DNS server address |
Observability
Section titled “Observability”The image includes grafana-agent. Passing either of the options below configures it to push data to your monitoring infrastructure.
Log forwarding (Loki-compatible)
Section titled “Log forwarding (Loki-compatible)”sudo provision-once --log-server 10.0.0.5 --log-port 3100Forwards the system journal to a Loki-compatible endpoint. Compatible receivers include Grafana Loki, Grafana Alloy (loki.write), and VictoriaLogs.
Metrics (Prometheus remote_write)
Section titled “Metrics (Prometheus remote_write)”sudo provision-once --metrics-server 10.0.0.5 --metrics-port 9090Collects CPU, RAM, disk I/O, filesystem, network, load average, and uptime via the built-in node_exporter integration, and pushes to a Prometheus-compatible remote_write endpoint. Compatible receivers include Grafana Mimir, Thanos, Prometheus 2.x+, and VictoriaMetrics.
Both options can be combined:
sudo provision-once \ --log-server 10.0.0.5 --log-port 3100 \ --metrics-server 10.0.0.5 --metrics-port 9090Full Example
Section titled “Full Example”A typical production provisioning command combining all categories:
sudo provision-once \ --generate-ssh-key \ --key-output /mnt/usb/lineinterpreter_id_ed25519 \ --static-ip 192.168.1.100 \ --gateway 192.168.1.1 \ --dns 192.168.1.1 \ --log-server 10.0.0.5 \ --metrics-server 10.0.0.5What Provisioning Does
Section titled “What Provisioning Does”Regardless of the options passed, provision.sh always:
- Installs all required snaps — common snaps from the Snap Store,
lineinterpreter-dashboardfrom the--snap-dirbundle - Connects snap interfaces (Wayland, GNOME runtime)
- Configures and enables the UFW firewall (default deny inbound, allow outbound; port 22 opened only if SSH is enabled)
- Starts
ubuntu-frameandlineinterpreter-dashboardservices - Disables USB storage (
usb-storagekernel module blacklisted viamodprobe.d) unless--keep-usbis passed
On success, provision-once removes the li-bootstrap account and restores /etc/issue to the standard Ubuntu Core banner.
All Options Reference
Section titled “All Options Reference”| Option | Default | Description |
|---|---|---|
--ssh-key <pubkey> | — | SSH public key to authorise for li-updater |
--generate-ssh-key | — | Generate an ed25519 key pair on-device; print or save private key |
--key-output <path> | — | Save generated private key to this path (requires --generate-ssh-key) |
--ssh-password <pass> | — | Enable password auth for li-updater (CIS L2 deviation) |
--static-ip <address> | — | IPv4 address to assign |
--gateway <address> | — | Default gateway (required with --static-ip) |
--prefix <length> | 24 | Subnet prefix length |
--dns <address> | — | DNS server |
--log-server <address> | — | Loki-compatible log receiver hostname or IP |
--log-port <port> | 3100 | Port on the log server |
--metrics-server <address> | — | Prometheus remote_write receiver hostname or IP |
--metrics-port <port> | 9090 | Port on the metrics server |
--snap-dir <path> | ~/ | Directory containing the dashboard .snap and .assert bundle. Set automatically by provision-once; only needed if you placed the files somewhere other than li-bootstrap’s home directory. |
--keep-usb | — | Skip disabling USB storage after provisioning |