How it works

Mender supports both robust system-level updates and application updates.

Architecture

There are two components in the Mender architecture: the server and the client (device).

Mender Server

The Mender server stores and controls the deployment of software updates over-the-air to your devices. You can use Mender’s web UI or REST APIs to manage your devices, upload and manage software releases to the server and create deployments to roll out software to your devices.

You can also use the APIs to integrate Mender with your environment: for example to automatically upload build output from your CI system to the Mender server and create test deployments.

The Mender management server is now published on GitHub for on-premise installations. It is licensed under the Apache 2.0 license.

Mender Client

The Mender client runs on the device and reports to the server periodically to check for updates; if there is a software update available for that device, the client downloads and installs it.


Device partition for system level updates

For system-level updates, Mender requires a dual (A/B) rootfs partition layout on the device. This ensures that the device can recover even if the deployment is incomplete or the image is corrupted during installation for any reason, e.g. due to power loss during the update process.

The Mender client daemon runs in user space in the currently booted rootfs partition.

During the update process, the Mender client writes the updated image to the rootfs partition that is not currently running, then configures U-Boot to boot from the updated partition on a trial basis. The device is then rebooted. If booting the updated partition fails (for example, the new rootfs never gets far enough to start the Mender client, so the update is never confirmed), the bootloader falls back to the partition that was running before, ensuring that the device does not get bricked.

If the boot succeeds, the Mender client, which starts as part of the boot process, commits the update so that the updated partition is booted permanently from then on. While Mender downloads and writes the image, other applications on the device continue to run as normal.

The only time the device has downtime is during the reboot into the updated partition, which typically takes a minute, depending on the device configuration. Persistent data can be stored in the data partition, which is left unchanged during the update process.
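A simplified model of this A/B boot logic, written for this page as an added example (it is not Mender's own code): a key=value file stands in for the U-Boot environment that the client edits with fw_setenv on a real device, and the variable names mender_boot_part, upgrade_available and bootcount follow the Mender U-Boot integration. Partition numbers 2 and 3 and the boot-count threshold of one uncommitted boot are assumptions of the example.

```shell
#!/bin/sh
# Model of the A/B rootfs switch. A plain key=value file stands in for the U-Boot
# environment (fw_printenv/fw_setenv on a device). Variable names follow the Mender
# U-Boot integration; the boot-count threshold is a simplification of this example.
ENV_FILE="${ENV_FILE:-$(mktemp)}"

env_get() { sed -n "s/^$1=//p" "$ENV_FILE"; }
env_set() {
    # Rewrite the file without the old value, then append the new one.
    tmp="$ENV_FILE.tmp"
    grep -v "^$1=" "$ENV_FILE" > "$tmp" || :
    echo "$1=$2" >> "$tmp"
    mv "$tmp" "$ENV_FILE"
}
other_part() { if [ "$1" = 2 ]; then echo 3; else echo 2; fi; }   # rootfs A = 2, B = 3 (assumed)

# Fresh device: booted from partition $1, nothing pending.
ab_init() {
    : > "$ENV_FILE"
    env_set mender_boot_part "$1"
    env_set upgrade_available 0
    env_set bootcount 0
}

# What the client does after writing the image to the inactive partition, just
# before rebooting: point the bootloader at it and flag the next boot as a trial.
ab_install() {
    env_set mender_boot_part "$1"
    env_set upgrade_available 1
    env_set bootcount 0
}

# Boot-time decision made by the bootloader script. Prints the partition booted.
ab_boot() {
    part=$(env_get mender_boot_part)
    if [ "$(env_get upgrade_available)" = 1 ]; then
        count=$(env_get bootcount)
        if [ "$count" -ge 1 ]; then
            # A previous trial boot was never committed: go back to the old rootfs.
            part=$(other_part "$part")
            env_set mender_boot_part "$part"
            env_set upgrade_available 0
            env_set bootcount 0
        else
            env_set bootcount $((count + 1))
        fi
    fi
    echo "$part"
}

# Run by the Mender client once it has started successfully in the new rootfs:
# make the new partition permanent.
ab_commit() {
    env_set upgrade_available 0
    env_set bootcount 0
}

# Walk-through: a good update, then an update whose rootfs never lets Mender commit.
ab_init 2
ab_install 3;  echo "boot 1 -> partition $(ab_boot)"   # 3, trial boot
ab_commit;     echo "boot 2 -> partition $(ab_boot)"   # 3, now permanent
ab_install 2;  echo "boot 3 -> partition $(ab_boot)"   # 2, trial boot; client crashes, no commit
               echo "boot 4 -> partition $(ab_boot)"   # 3, bootloader rolled back
```

The point to take from the walk-through is that the rollback needs no cooperation from the new rootfs: the old partition is never touched, and the bootloader reverts to it purely because the commit step did not happen.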

For partial updates like application updates, the A/B partition is not necessary, and the Mender client can be installed as a .deb package.


Extensibility of update types

The Mender client can be extended to support different types of updates, using a framework called Update Modules. Installing the appropriate Update Module enables support for installing different kinds of software, such as applications, containers, package-manager packages and bootloaders, or for proxying a deployment to an attached peripheral.

An Update Module can be tailored to a specific device or environment (e.g. update a proprietary bootloader), or be more general-purpose (e.g. install a set of .deb packages).

When the Mender client downloads new software from the server, it will run the Update Module executable associated with the type of software downloaded. The Update Module is responsible for carrying out the steps needed to install software of this type. An Update Module can also support more advanced functionality such as rolling back a failed update.

Update Modules give full control and customizability over how a software type is installed. An existing Update Module can be used as a starting point and adjusted to fit your exact needs. For example, the Docker Update Module can be adjusted to include the container data itself if you do not want to rely on remote docker registries.

Update Modules are independent executables that can be written in any programming language. Due to their simple nature, Update Modules are typically written in a scripting language like shell or Python. Read more about Update Modules.
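An added example of an Update Module for a hypothetical update type app-config, written for this page (it is not one of Mender's own modules): it installs the payload files into a directory and implements the rollback states. The STATE and FILES_DIR calling convention and the state names are Mender's; the module name, TARGET_DIR, and the file names and contents are assumptions of the example.

```shell
#!/bin/sh
# Update Module for the hypothetical type "app-config". The client runs the module
# once per state as   /usr/share/mender/modules/v3/app-config <STATE> <FILES_DIR>
# where FILES_DIR/files/ holds the Artifact payload and FILES_DIR/tmp/ is scratch
# space the client discards after the deployment. TARGET_DIR is an assumption of
# this example; a real module would fix its target.
TARGET_DIR="${TARGET_DIR:-/etc/myapp}"

update_module() {  # update_module STATE FILES_DIR
    state="$1"; files_dir="$2"
    backup="$files_dir/tmp/backup"
    case "$state" in
        SupportsRollback)    echo "Yes" ;;   # tells the client ArtifactRollback is implemented
        NeedsArtifactReboot) echo "No" ;;    # a config change needs no reboot
        ArtifactInstall)
            mkdir -p "$TARGET_DIR" "$backup" || return 1
            : > "$files_dir/tmp/created"
            for f in "$files_dir"/files/*; do
                [ -e "$f" ] || continue
                name=$(basename "$f")
                if [ -e "$TARGET_DIR/$name" ]; then
                    cp "$TARGET_DIR/$name" "$backup/$name" || return 1   # keep old version for rollback
                else
                    echo "$name" >> "$files_dir/tmp/created"            # new file: rollback deletes it
                fi
                cp "$f" "$TARGET_DIR/$name" || return 1
            done ;;
        ArtifactCommit)
            # Reached only after ArtifactInstall (and any reboot) succeeded: drop the undo data.
            rm -rf "$backup" "$files_dir/tmp/created" ;;
        ArtifactRollback)
            for b in "$backup"/*; do
                [ -e "$b" ] || continue
                cp "$b" "$TARGET_DIR/$(basename "$b")" || return 1
            done
            if [ -f "$files_dir/tmp/created" ]; then
                while read -r name; do rm -f "$TARGET_DIR/$name"; done < "$files_dir/tmp/created"
            fi ;;
        *) : ;;   # Download, Cleanup, ...: states not handled must succeed as no-ops
    esac
}

# Stand-alone walk-through with constructed data; on a device the client drives these states.
WORK=$(mktemp -d)
TARGET_DIR="$WORK/target"; FILES_DIR="$WORK/files_dir"
mkdir -p "$TARGET_DIR" "$FILES_DIR/files"
printf 'log_level=info\n' > "$TARGET_DIR/app.conf"        # what is on the device now
printf 'log_level=debug\n' > "$FILES_DIR/files/app.conf"  # payload from the Artifact
printf 'secret\n' > "$FILES_DIR/files/token"              # a file that did not exist before
update_module ArtifactInstall "$FILES_DIR"
echo "installed:   $(cat "$TARGET_DIR/app.conf")"      # log_level=debug
update_module ArtifactRollback "$FILES_DIR"             # pretend a later check failed
echo "rolled back: $(cat "$TARGET_DIR/app.conf")"      # log_level=info
[ -e "$TARGET_DIR/token" ] || echo "token removed again"
rm -rf "$WORK"
# Packaging the payload for this type uses the project's own tool, e.g.
#   mender-artifact write module-image -T app-config -n app-config-1.0 \
#       -t raspberrypi4 -f app.conf -o app-config-1.0.mender
```

Rollback state is kept under FILES_DIR/tmp rather than in a fixed location on the device so that the client's cleanup of that directory after the deployment also removes the backups, and so that two deployments cannot read each other's undo data.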

Mender is unique in providing both robust system-level and application-level updates, and it is this combination that lets Mender cover the full range of OTA update needs. Fleet owners can deploy updates when needed and at the level they target; a common pattern is quarterly OS-level updates and weekly application-level updates.


Security

Deployments are delivered securely: the client polls the server over HTTPS, so every connection is initiated by the device and no ports need to be open on it. Mender also supports signing of Artifacts (code signing), so that a client configured with the corresponding public key rejects any update that was not signed by a trusted party. Note that signatures are only enforced on devices where a verification key is configured; without one, the client installs whatever the server hands out.
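An added check, not Mender's own tooling, that audits a device's mender.conf for the two properties this paragraph relies on (HTTPS to the server and a configured Artifact verification key) and for the SkipVerify switch that turns off TLS certificate checks, showing a weak configuration beside a hardened one. The keys ServerURL, ServerCertificate, ArtifactVerifyKey and SkipVerify are real mender.conf options; the host name, file paths and poll intervals are placeholders.

```shell
#!/bin/sh
# Audits /etc/mender/mender.conf for: an https:// ServerURL (client-initiated TLS,
# no inbound ports), a configured ArtifactVerifyKey (without it unsigned Artifacts
# are installed), and SkipVerify, which disables TLS certificate verification.
# The JSON is read with sed/grep, which is adequate for the flat key/value layout
# of mender.conf but is not a JSON parser.

audit_mender_conf() {  # audit_mender_conf FILE -> prints findings, returns 1 if any
    conf="$1"; rc=0
    url=$(sed -n 's/.*"ServerURL"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
    case "$url" in
        https://*) ;;
        *) echo "ServerURL '$url' is not https://: updates and device auth travel in the clear"; rc=1 ;;
    esac
    if ! grep -q '"ArtifactVerifyKey"' "$conf"; then
        echo "ArtifactVerifyKey not set: signatures are not checked, any Artifact the server serves is installed"
        rc=1
    fi
    if grep -Eq '"SkipVerify"[[:space:]]*:[[:space:]]*true' "$conf"; then
        echo "SkipVerify is true: server certificate is not verified, a MITM can impersonate the server"
        rc=1
    fi
    return $rc
}

# Weak configuration (constructed): plaintext server, no signature key, certificate checks off.
write_weak_conf() {
    cat > "$1" <<'EOF'
{
  "ServerURL": "http://mender.example.internal",
  "SkipVerify": true,
  "UpdatePollIntervalSeconds": 1800,
  "InventoryPollIntervalSeconds": 28800,
  "RetryPollIntervalSeconds": 300
}
EOF
}

# Hardened configuration (constructed): TLS to the server, pinned server CA, signed Artifacts only.
write_hardened_conf() {
    cat > "$1" <<'EOF'
{
  "ServerURL": "https://mender.example.internal",
  "ServerCertificate": "/etc/mender/server.crt",
  "ArtifactVerifyKey": "/etc/mender/artifact-verify-key.pem",
  "UpdatePollIntervalSeconds": 1800,
  "InventoryPollIntervalSeconds": 28800,
  "RetryPollIntervalSeconds": 300
}
EOF
}

d=$(mktemp -d)
write_weak_conf "$d/weak.json"
write_hardened_conf "$d/hardened.json"
for c in weak hardened; do
    if audit_mender_conf "$d/$c.json"; then echo "$c.json: OK"; else echo "$c.json: FAIL"; fi
done
rm -rf "$d"
```

On a fleet this is the kind of check to run against the image build output rather than on live devices, since a device that ships without ArtifactVerifyKey cannot be trusted to report honestly once it has installed an unsigned update.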

You have several options to run Mender:

Mender Open Source

On-premise management server, free to download and modify under the permissive Apache v2 license.

Mender Professional

Save the hassle of managing your own Mender infrastructure by using our hosted server and web UI.

Mender Enterprise

Manage your own production server at scale, with customized updates and advanced features.

Need more help?

Find out why Mender is chosen for secure and robust OTA updates.