Solution

With Mender, it is easy to customize the install process while keeping client-server management secure and robust. Deployments are delivered over HTTPS and initiated by the device polling the server, so no inbound ports need to be open on the device. Mender also supports signing of update artifacts (code signing), giving added confidence that your devices will only install updates from a trusted party. Mender supports both robust system-level updates and application-level updates.

You have several options for running Mender: the open source server on-premise; Mender Enterprise, where you manage your own server with customized updates; Hosted Mender, where we host the server for you; or standalone mode with only the Mender client, for devices without sufficient network connectivity. The server stores OTA software updates and controls their deployment to devices. The Mender client runs on the device and polls the server periodically to check for updates; as soon as an update is scheduled, it is downloaded and installed. Mender supports full image updates with A/B partitioning and automatic rollback, as well as newer update types such as applications, containers, packages, files, bootloaders and proxy deployment to attached peripherals.

You can read more in our FAQ. Our customer case studies also detail why Mender is chosen for secure and robust OTA updates.

Architecture

Mender is a client-server application, where the client is installed on embedded devices running Linux. The Mender client regularly polls the Mender server over HTTPS to find out whether an image update is available for deployment, and deploys it if there is. For system-level updates, a dual A/B rootfs partition layout ensures robustness, so that the embedded device can recover even from an incomplete or corrupted installation, e.g. due to power loss during the update process.


The Mender management server is now published on GitHub for on-premise installations. It is licensed under the Apache 2.0 license.

Partition layout and robustness

For robustness during system update processes, Mender uses a dual A/B rootfs partition layout. The Mender client daemon runs in user space in the currently booted rootfs partition.

Installation

During the update process, the Mender client writes the updated image to the rootfs partition that is not currently running and configures U-Boot to boot from the updated partition. The device is then rebooted. If booting the updated partition fails, the previously running partition is booted instead, ensuring that the device does not get bricked. If the boot succeeds, the Mender client, which starts as part of the boot process, commits the update by making the updated partition the permanent boot partition. While Mender downloads and installs the image, other applications on the device continue to run as normal. The only downtime is the reboot into the updated partition, which typically takes about a minute, depending on the device configuration. Persistent data can be stored in the data partition, which is left unchanged during the update process.

Extensibility of update types

Mender introduces a framework called Update Modules that lets the Mender client be extended to install new types of software, such as applications, containers, package-manager packages, bootloaders and proxy deployments to attached peripherals. An Update Module can be tailored to a specific device or environment (e.g. updating a proprietary bootloader), or be more general-purpose (e.g. installing a set of .deb packages).

Update Module

When new software is downloaded from the server, the Mender client will run the Update Module executable associated with the software type. The Update Module is responsible for carrying out the steps needed to install the software of this type. An Update Module can also support more advanced functionality such as rolling back a failed update.

In addition to enabling support for new types of software updates, Update Modules also give full control and customizability over how a software type is installed. For example, the Docker Update Module can be adjusted to include the container image data itself if you do not want to rely on remote Docker registries. An existing Update Module can be used as a starting point and adjusted to fit your exact needs.

Since Update Modules are independent executables, they can be written in any programming language. Due to their simple nature, Update Modules are typically written in a scripting language like shell or Python. Read more about Update Modules.
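As an added illustration of the executable described above (example code, not Mender's own or one of its shipped modules), the hypothetical module below installs a set of plain files and keeps a backup so that a failed update can be rolled back. It follows the Update Module calling convention, in which the client invokes the module with the state name and a working directory; the destination directory `DEST_DIR` is an assumption of the example.

```shell
#!/bin/sh
# Hypothetical Update Module "single-file" (added example, not Mender's own code).
# The Mender client invokes it as: <module> <state> <files-dir>, where
# <files-dir> holds files/ (the payload), header/ (metadata) and tmp/ (scratch).
set -e

# Assumption: payload files are installed into this directory.
DEST_DIR="${DEST_DIR:-/usr/share/app}"

run_update_module() {
    state="$1"
    files="$2"
    tmp="$files/tmp"
    case "$state" in
        SupportsRollback)     echo "Yes" ;;     # a backup is kept, so rollback works
        NeedsArtifactReboot)  echo "No" ;;      # plain files, no reboot required
        ArtifactInstall)
            mkdir -p "$tmp/backup" "$DEST_DIR"
            : > "$tmp/new_files"
            for f in "$files"/files/*; do
                [ -f "$f" ] || continue
                name=$(basename "$f")
                if [ -f "$DEST_DIR/$name" ]; then
                    cp -p "$DEST_DIR/$name" "$tmp/backup/$name"   # keep old version
                else
                    echo "$name" >> "$tmp/new_files"              # nothing to restore
                fi
                cp "$f" "$DEST_DIR/$name.tmp"
                mv "$DEST_DIR/$name.tmp" "$DEST_DIR/$name"      # atomic replace
            done ;;
        ArtifactCommit)
            rm -rf "$tmp/backup" "$tmp/new_files" ;;            # update accepted
        ArtifactRollback)
            for f in "$tmp/backup"/*; do
                [ -f "$f" ] || continue
                cp -p "$f" "$DEST_DIR/$(basename "$f")"         # restore old version
            done
            if [ -f "$tmp/new_files" ]; then                    # drop files that were new
                while read -r n; do rm -f "$DEST_DIR/$n"; done < "$tmp/new_files"
            fi ;;
        Download|ArtifactReboot|ArtifactVerifyReboot|ArtifactRollbackReboot| \
        ArtifactVerifyRollbackReboot|ArtifactFailure|Cleanup)
            ;;                                                   # nothing to do here
        *)  echo "unknown state: $state" >&2; return 1 ;;
    esac
}

# Dispatch on the client's arguments when run as a script (skipped when sourced).
if [ "$#" -eq 2 ]; then run_update_module "$@"; fi
```

Exit status 0 tells the client the state succeeded; a non-zero exit from ArtifactInstall makes the client call ArtifactRollback, which restores the backed-up files.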

Mender is unique in providing both robust system-level and application-level updates, and it is this combination that enables Mender to cover all your needs for OTA updates. Mender enables fleet owners to deploy updates when needed and at the level at which they are targeted. For example, a common pattern is to deploy quarterly OS-level updates and weekly application-level updates.

Device deployment and management

Device and deployment management can be done with the Mender Web UI or the REST APIs. The Mender Management APIs are used by the Mender Web UI itself and can be used to integrate Mender with your environment, for example to automatically upload build output from your CI system to the Mender server and create test deployments. There are APIs for all aspects of the Mender server, including user and device authentication, inventory and deployments. The Device Inventory lets users list and search devices, and use the results to create and manage device groups for deployment scheduling.