Yes, both the management server and the client on the device are open source and free to use with a permissive license, Apache 2.0.
We are initially focused on support subscriptions and professional services as our business model. Our support subscription includes a dedicated Mender contact with access to our support ticket system with defined service level agreements.
After building a very healthy baseline OTA updater, we plan to add commercial add-ons for more advanced functionality.
We also host the management server for customers. Hosted Mender is currently in beta and you can sign up to try it out, see https://mender.io.
As the source code for Mender is open source, it is free to use by anyone, at your own discretion and risk.
We offer services to help you integrate Mender with your board and resolve issues under an SLA. Hosted Mender is a subscription offering (currently in beta) where you use our scalable Mender server infrastructure instead of maintaining and paying for your own server infrastructure to run the Mender server.
The current Mender release is an on-premise management server.
Hosted Mender, where we take responsibility for the uptime and scale of our Mender server, is currently in beta and you can sign up to try it out, see https://mender.io.
The Mender server is regularly being scale tested in our environment, to ensure it can scale up to tens to hundreds of thousands devices. Setting up, optimizing, scaling and ensuring uptime of the server-side infrastructure is quite complex and environment-specific; device count, update size, frequency, polling intervals, high availability requirements and bandwidth available are key drivers for scalability.
This is why we are adding the Hosted Mender offering (now in beta -- see https://mender.io), where we take responsibility for all this. For large onprem installations, we can also assist setting up the server infrastructure as part of a services agreement to meet your needs.
Yes, given the importance of the security of an OTA tool, Mender is partnering with a third party security auditing company. Issues are addressed as they are found. Mender Software Support customers get immediate notifications and steps to remediate security findings.
There were many trade-offs we considered as we began this project. Ultimately, we felt that Golang would best benefit the community due to the following:
While Mender has an optimized experience with the Yocto Project, it is possible to adapt to other build systems and distributions. Please see the blog posts Porting Mender to a non-Yocto build system and Notes from a user on Mender without Yocto for examples (note that some of Mender's needs may have changed since the blog posts were written).
We are also planning to expand the platform support, please contact us for help with supporting your OS.
Mender has two reference devices: BeagleBone Black and a virtual QEMU-based one using
These devices are part of the Mender CI system, well supported and you will see references to them across the documentation.
In order to lower cost of scaling and meeting needs of specific applications, production devices typically do not have the same hardware specifications. This means that software such as Mender must be integrated with production devices.
You can see more devices integrated with Mender, including community maintained ones, in the meta-mender repository.
To support atomic rootfs rollback, Mender integrates with the bootloader of the device. Currently Mender supports U-Boot, as it is by far the most widely used bootloader on embedded devices. The bootloader system requirements documentation contains more information on the exact U-Boot features leveraged.
As part of broadening the platform support, we do anticipate adding support for other bootloaders like GRUB in the future, although no short term plans are in place for this at the moment.
In the spirit of open source, we would be delighted to give advice and feedback on implementation questions and pull requests for supporting more bootloaders; a good place to start is on the Mender community mailing list.
If you do not have time to work on this integration, we also offer board support services that can help meet all your integration needs.
Mender requires four partitions: one boot, two root file systems, and one data partition,
as described in the documentation for partition layout.
*.sdimg file with this reference layout is automatically generated when
building Yocto Project images with meta-mender.
Mender places no upper limit on the number of partitions on your device. Also see the question on how to create more than four partitions.
Mender comes with a simple
*.sdimg generator as part of the meta-mender Yocto Project layer.
*.sdimg files it outputs has Mender's reference partition layout with four partitions and
is appropriate for flashing to SD cards using
dd for testing and simple production use.
Production devices typically come with their own toolsets for generating and flashing internal
storage like eMMC, e.g.
tegrarcm, or users are maintaining their own tools.
Please refer to these tools on how to use the generated root file system
with your desired partition layout and make sure to set the appropriate Yocto Project variables
to tell Mender where the four required partitions are, as outlined in
the storage documentation.
*.menderfile and what does it contain?
This is a Mender Artifact file which Mender uses to deploy updates. It contains various metadata required to deploy updates in a robust way, like the device types supported and version of the Artifact, in addition to the root file system update itself.
Internally it is packaged as
The Mender Artifact format is designed in such a way that multiple updates
can be bundled in the same file, however the Mender client currently
only supports a single root file system update.
See the documentation on Mender Artifacts
for a more detailed description.
Also see the questions on package-based updates and updates for smaller devices -- these features will leverage the same Mender Artifact format when the Mender client has support for them in the future.
For many devices with a display that interacts with an end user, it is desirable to ask the user before applying the update. You have probably seen this on a smartphone, where it will ask you if you want to update to the latest release of Android or iOS and it only starts after you hit "Apply".
This is supported by using the state scripting feature introduced in Mender 1.2.
Mender automatically rolls back an update if it can not reach the Mender Server after the update is installed, in order to ensure another update can be deployed.
State scripting supports adding additional sanity checks to make sure that the device and applications are working as expected. For example, is the UI application running and responding within a given amount of time? If not, then the script can simply return 1 and Mender will roll back the update.
Mender streams the update from the server over HTTPS (or file, if used in standalone mode), so no temporary space is needed on the device. The checksum is also computed on the fly during the streaming.
In order to offer generic robust rollbacks, Mender requires two rootfs partitions, which means effectively doubling the storage requirements for the rootfs. You can see the full partition layout in the documentation.
The most important design principles of Mender are 1) robustness and 2) ease of use. Currently, there is no other known approach that provides the generic robustness and simplicity of the dual rootfs approach. Secondly, the price of embedded storage is rapidly declining. This is why Mender takes a dual rootfs approach first.
In the future, other and less robust update mechanisms, such as variations of packages, tarballs, will be supported as well. Also see the question on application-level updates, as well as sensors and smaller devices below.
We are currently focused on doing full image-based updates with a dual rootfs partition in order to ensure a robust approach in the presence of potential failures such as poor network connectivity and power loss of endpoint devices during the update process. Our chief goal is to ensure the updates are secure and reliable.
Applications can also be updated as part of image based updates today and we plan to improve support for application-level updates further by integrating with package managers and other types of installers.
This is a planned feature.
The Mender client regularly polls the Mender server over HTTPS to check for updates so no ports need to be opened at the Mender client. Only TLS connections are allowed, the server rejects insecure connections.
To protect against man-in-the-middle attacks, the Mender client stores the server's TLS certificate during provisioning, e.g. during the build of the initial Yocto Project image that gets flashed to the device.
The Mender client pulls the update from the management server. We chose this approach as it makes Mender work with more network topologies and reduces the attack surface of the client as no ports are open for Mender at the device.
Our strategy to support software updates to these devices is by using Mender on the gateway as a proxy to deploy remote updates to those smaller devices, through a variety of network protocols such as ZigBee, Bluetooth low energy and other local network technologies. With this approach, no agent is required to run on them.
Have more questions? Email us at firstname.lastname@example.org.
Or follow our Getting Started Guide to start using Mender today.