Introduction

reference

Mender is a secure and robust software update system designed to handle large number of devices. Mender is designed according to a simple client/server architecture, allowing central management of deployments to all devices.

The architecture of a software update

The following diagram shows the high level flow of data involved in deploying software updates.

updater-components

The process begins with the build system generating a new version of software for a device. The build system can be a workstation creating a simple application update or a more standard component, such as Jenkins and Yocto Project. It creates Mender Artifacts in the format required by the target device. There will be different Mender Artifacts for each type of device that Mender manages.

You upload the Mender Artifacts to the Mender server, which is the central point for deploying updates to a fleet of devices. Among other things, it monitors the current software version present on each device and schedules the roll out of new releases.

Finally, each Device runs the Mender client, which polls the Mender server periodically to report its status and to discover if there is a software update waiting. If there is, the update client downloads the artifact and performs the installation.

The current Mender client supports devices running embedded Linux and other clients exist for other OSes and hardware such as microcontrollers.

Client modes of operation

You can run the Mender client in a standalone or managed mode.

In managed mode the Mender client runs as a daemon and will regularly poll the server, automatically apply updates, reboot, report and commit the update. This is the best way to run Mender for most large-scale deployments, as the deployments are centrally managed across many devices, but it requires to set up and connect clients to the Mender server.

In standalone mode, you initiate the updates locally on the device instead of connecting the Mender client to a Mender server. A common use-case is to perform updates from e.g an USB flash drive. To learn more visit Standalone deployments

Update types

Robust system updates

One of the primary requirements of any update system is that it should be robust. It must be able to recover from an update that fails, including loss of power or network connectivity during the update process.

The simplest and most robust way to update a device is to write a new file system image directly to the flash partition. Mender comes with built-in support for a dual redundant scheme (also known as A/B scheme), which ensures that the device always comes back to a working state on failure.

During system update, the client writes the new version to the inactive partition. When complete, the client verifies the checksum. If all is well, it sets a flag in the bootloader that will cause it to flip the active and inactive partitions around on the next reboot. Then the system reboots.

On the first boot following an update, the Mender client will commit the update. This sets a flag in the bootloader that indicates that the update was applied successfully.

If something causes the device to reboot before committing the update, the bootloader knows that something went wrong, and will roll back to the previous version by flipping the active and inactive partitions back again.

One consequence of the system update is that the update will replace all the files in a filesystem, thereby deleting any new or changed files that had been placed there. In other words, to be updatable a file system needs to be stateless.

You have to store all files that you modify on the devices in a separate partition. It may include network parameters, user configuration changes, etc..

Application updates

The definition of an application update can vary depending on specific user requirements, e.g an application can be a single file, directory or even a container image. For this reason it is difficult to enforce one way of deploying application updates.

To support application updates in a generic way, Mender provides the Update Module framework.

application-updates

Proxy deployments

Using the Update Module framework it is also possible to deploy updates to peripheral devices, e.g microcontrollers or sensors connected to a device running Linux.

Example using the DFU protocol to update an external microcontroller:

proxy-deployment

You can find more information on above example in the How to do a proxy deployment to an FRDM-K64F tutorial.

Found errors? Think you can improve this documentation? Simply click the Edit link at the top of the page, and then the icon on Github to submit changes.