Implementing an update/upgrade system for embedded Linux devices

Question

I have an application that runs on an embedded Linux device and every now and then changes are made to the software and occasionally also to the root file system or even the ins

Answer 1

Atomicity is critical for embedded devices, one of the reasons highlighted is power loss; but there could be others like hardware/network issues.

Atomicity is perhaps a bit misunderstood; this is a definition I use in the context of updaters:

• An update is always either completed fully, or not at all
• No software component besides the updater ever sees a half installed update

Full image update with a dual A/B partition layout is the simplest and most proven way to achieve this.

For Embedded Linux there are several software components that you might want to update and different designs to choose from; there is a newer paper on this available here: https://mender.io/resources/Software%20Updates.pdf

File moved to: https://mender.io/resources/guides-and-whitepapers/_resources/Software%2520Updates.pdf

If you are working with the Yocto Project you might be interested in Mender.io - the open source project I am working on. It consists of a client and server and the goal is to make it much faster and easier to integrate an updater into an existing environment; without needing to redesign too much or spend time on custom/homegrown coding. It also will allow you to manage updates centrally with the server.

Answer 2

I absolutely agree that an update must be atomic - I have started recently a Open Source project with the goal to provide a safe and flexible way for software management, with both local and remote update. I know my answer comes very late, but it could maybe help you on next projects.

You can find sources for "swupdate" (the name of the project) at github.com/sbabic/swupdate.

Stefano

Answer 3

Currently, there are quite a few Open Source embedded Linux update tools growing, with different focus each.

Another one that is worth being mentioned is RAUC, which focuses on handling safe and atomic installations of signed update bundles on your target while being really flexible in the way you adapt it to your application and environment. The sources are on GitHub: https://github.com/rauc/rauc

In general, a good overview and comparison of current update solutions you might find on the Yocto Project Wiki page about system updates:

https://wiki.yoctoproject.org/wiki/System_Update

Answer 4

I believe you are looking wrong at the problem - any update which is non atomic (e.g. dd a file system image, replace files in a directory) is broken by design - if the power goes off in the middle of an update the system is a brick and for embedded system, power can go off in the middle of an upgrade.

I have written a white paper on how to correctly do upgrade/update on embedded Linux systems [1]. It was presented at OLS. You can find the paper here: https://www.kernel.org/doc/ols/2005/ols2005v1-pages-21-36.pdf

[1] Ben-Yossef, Gilad. "Building Murphy-compatible embedded Linux systems." Linux Symposium. 2005.

Answer 5

You can journal an update and divide your update flash into two slots. Power failure always returns you to the currently executing slot. The last step is to modify the journal value. Non atomic and no way to make it brick. Even it if fails at the moment of writing the journal flags. There is no such thing as an atomic update. Ever. Never seen it in my life. Iphone, adroid, my network switch -- none of them are atomic. If you don't have enough room to do that kind of design, then fix the design.