The client is intended to be installed on devices that wish to receive OTA updates from an Uptane-compatible OTA server such as HERE OTA Connect. It is most commonly built by using the meta-updater layer in a Yocto environment. You can use aktualizr as a stand-alone system tool or you can integrate libaktualizr into a larger project.
The client is responsible for:
Communicating with the OTA server
Authenticating using locally available device and user credentials
Reporting current software and hardware configuration to the server
Checking for any available updates for the device
Downloading any available updates
Installing the updates on the system, or notifying other services of the availability of the downloaded file
Receiving or generating installation reports (success or failure) for attempts to install received software
Submitting installation reports to the server
The client maintains the integrity and confidentiality of the OTA update in transit, communicating with the server over a TLS link. The client can run either as a system service, periodically checking for updates, or can by triggered by other system interactions (for example on user request, or on receipt of a wake-up message from the OTA server).
Table of Contents
This client is aligned with the Uptane security framework for software updates. Full details and documentation can be found on their site.
To install the minimal requirements on Debian/Ubuntu, run this:
sudo apt install asn1c build-essential cmake curl libarchive-dev libboost-dev libboost-filesystem-dev libboost-log-dev libboost-program-options-dev libcurl4-openssl-dev libpthread-stubs0-dev libsodium-dev libsqlite3-dev libssl-dev python3
The default versions packaged in recent Debian/Ubuntu releases are generally new enough to be compatible. If you are using older releases or a different variety of Linux, there are a few known minimum versions:
cmake (>= 3.5)
curl (>= 7.47)
openssl (>= 1.0.2)
libboost-* (>= 1.58.0)
libcurl4-openssl-dev (>= 7.47)
libpthread-stubs0-dev (>= 0.3)
Additional packages are used for non-essential components:
To build the test suite, you will need
net-tools python3-dev python3-openssl python3-venv sqlite3 valgrind.
To run the linting tools, you will need
clang clang-format-10 clang-tidy-10.
To build additional documentation, you will need
To build with code coverage, you will need
Some features also require additional packages:
For OSTree support, you will need
For PKCS#11 support, you will need
For fault injection, you will need
brew tap advancedtelematic/otaconnect brew install aktualizr
You can build and install the latest development version of aktualizr on MacOS (current head of the development branch):
brew tap advancedtelematic/otaconnect brew install --HEAD aktualizr
If any of the previous release versions of aktualizr has been installed before make sure you
unlink it prior to installing the HEAD version:
brew unlink aktualizr brew install --HEAD aktualizr
You can switch back to the release version by unlinking and installing again:
brew unlink aktualizr brew install aktualizr
You can also build it yourself, with basic dependencies from homebrew. You can install the necessary dependencies as follows:
brew install asn1c boost cmake libarchive libsodium pkgconfig python3
and run the following from the aktualizr project directory:
export CXXFLAGS=-w cmake -S . -B build -DBoost_USE_MULTITHREADED=ON cmake --build build --target all -- -j8 ./build/src/aktualizr_primary/aktualizr --version
If you also want to compile the SOTA tools:
brew install gettext && brew unlink gettext && brew link --force gettext
and run cmake with
This project uses git submodules. To checkout the code:
git clone --recursive https://github.com/advancedtelematic/aktualizr cd aktualizr
If you had an old checkout, forgot to include
--recursive or need to update the submodules, run:
git submodule update --init --recursive
aktualizr is built using CMake. To setup your
mkdir build cd build cmake -DCMAKE_BUILD_TYPE=Debug ..
You can then build the project from the
build directory using Make:
You can also create a debian package:
To use CMake’s Ninja backend, add
-G Ninja to the first CMake invocation. It has the advantage of running all targets in parallel by default and is recommended for local development.
Before checking in code, it must pass the following tests (along with their corresponding build targets):
compilation of the main targets and tests without warning:
validation against the project’s automatic formatting conventions:
make check-formatto run the check,
make formatto apply the transformation automatically
absence of clang-tidy warning:
full test suite run:
make check(test build included),
make test(only run the tests)
qa target includes all of these checks, including auto-formatting:
Note that, by default, the compilation and tests run in sequence and the output of failing tests is suppressed. To run in parallel, for example with eight threads, and print the output of failing tests, run this:
CTEST_OUTPUT_ON_FAILURE=1 CTEST_PARALLEL_LEVEL=8 make -j8 qa
Some tests require additional setups, such as code coverage, HSM emulation or provisioning credentials. The exact reference about these steps is the main test script used for CI. It is parametrized by a list of environment variables and is used by our CI environments. To use it, run it in the project’s root directory:
Note that it will run CMake itself in a dedicated build directory.
Building with Docker
Several Dockerfiles are provided to support building and testing the application without dependencies on your local environment.
If you have a working docker client and docker server running on your machine, you can build and run a docker image on the default environment with:
It will start a shell session inside the container, running as the same UID/GID as on the host system, with the current directory mounted as a docker volume. Any local code changes are then immediately in effect inside the container and user/group permissions are compatible in the two environments.
Inside the container, the test suite with coverage can be run with:
TEST_WITH_COVERAGE=1 TEST_WITH_P11=1 TEST_WITH_STATICTESTS=1 ./scripts/test.sh
Alternatively, scripts/run_docker_test.sh can directly run the test script:
./scripts/run_docker_test.sh Dockerfile \ -eTEST_WITH_COVERAGE=1 \ -eTEST_WITH_P11=1 \ -eTEST_WITH_STATICTESTS=1 \ -- ./scripts/test.sh
To run the aktualizr client, you will need to provide a toml-formatted configuration file using the command line option
aktualizr -c <path/configfile>
Additional command line options can be found in the code or by running
aktualizr --help. More details on configuring aktualizr can be found in docs/ota-client-guide/modules/ROOT/pages/aktualizr-config-options.adoc. If you are using meta-updater, more information about configuring aktualizr in that environment can be found there.
Running a "fake" device
Aktualizr is generally intended to run on embedded devices, but you may find it convenient to run it on your local system for development or testing. To get a binary you can run locally, you can:
Some more detailed instructions on how to configure a fake device can be found on the OTA Connect docs site.
If you intend to use aktualizr to authenticate with a server, you will need some form of provisioning. Aktualizr currently supports provisioning with shared credentials or with device credentials. Device credential provisioning supports using an HSM to store private keys. The differences and details are explained in docs/ota-client-guide/modules/ROOT/pages/client-provisioning-methods.adoc and docs/ota-client-guide/modules/ROOT/pages/enable-device-cred-provisioning.adoc. You can learn more about the credentials files used to support provisioning in docs/ota-client-guide/modules/ROOT/pages/provisioning-methods-and-credentialszip.adoc.
The changelog is available in CHANGELOG.md.
Complete contribution guidelines can be found in CONTRIBUTING.md.
This code is licensed under the Mozilla Public License 2.0, a copy of which can be found in this repository. All code is copyright HERE Europe B.V., 2016-2020.