We want to update a fleet of various Raspberry Pis and other boards that are run by our users using Mender’s update modules, but we cannot use automatic deployments using the Mender server as we require the user’s explicit consent before updating.
I found this example that asks for user’s confirmation before updating, but there are two drawbacks of this approach for our use-case:
We need a sure-shot way that cannot be hijacked to install any update without user consent whatsoever. In the above example, a mender artifact can simply be released without a state script that doesn’t ask for the user’s confirmation before installation.
The user should be allowed to update whenever he wishes to, eg. even 3 months after the update has been released. But Mender’s docs note that “Maximum wait time between Sync and Download state is 24 hours, after this period the update will be marked as failed by the Mender client.” Is there a way we can change this limit?
This can be worked around by using your own Update Module for doing the rootfs update. You can start with [this one] and modify to add the required checks. If you then also remove the RootfsPartA and RootfsPartB configuration entries from /etc/mender/mender.conf, you have removed the possibility of doing an update which circumvents those checks.
The only downside is that mender-artifact cp and related commands do not work on rootfs-image-v2 Artifacts, but these are just convenience tools.
Unfortunately, this is not possible to work around at the moment. Mender is built for fully unattended upgrades, and thus has “escape hatches” out of all situations where it might get stuck in a loop. It is on the road map to add such “interaction friendly” functionality, but I cannot give an estimate for when this will be finished.