Using Yocto with Self-hosted Mender server, manual instructions appear to be incomplete

Board Integrations Yocto Project
1

We’re trying to spin up a Yocto Kirkstone build with Mender for a customer. Currently using master-next of meta-mender In trying to follow along with the instructions, they seem to be incomplete or incorrect and I would love some direction here.

I’m not sure if the disconnect is due to changes between latest meta-mender stable (which I think is Dunfell) vs master-next and the instructions havn’t yet caught up. However, I don’t see any significant differences between key files that would cause these to just not work.

We’ve done an integration like this before with Buildroot, where a lot of the configuration and files were manually controlled. The documentation for Mender seems to hint that Yocto should automatically take care of a lot of things but does not appear to.

EDIT: Most of what is below is invalid, see my next post for the current sticking point. The documentation does not take in to account changes in master-next so I’m off in the weeds.

e.g. server.crt
As outlined in the instructions here: Building for production | Mender documentation

cat recipes-mender/mender-client/mender-client_%.bbappend

MENDER_SERVER_URL = "https://..."
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI:append = " file://server.crt"

The file server.crt ends up not existing anywhere in the output rootfs.

Based on a few things I’ve found while searching around the internet, it may be necessary to manually install files. And, in digging through the meta-mender layers, nothing seems to actually set ServerCertificate automatically in the final mender.conf Okay, maybe I need to manually install the server.crt

As seen in: Customize Mender | Mender documentation
" It is possible to put your own mender.conf configuration file in the image. The file will be merged with settings from Yocto variables."

So I’ve changed the .bbappend file accordingly to try and get ServerCertificate in the final image:

cat recipes-mender/mender-client/mender-client_%.bbappend

MENDER_SERVER_URL = "https://..."
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI:append = "file://server.crt \
                  file://mender.conf"

cat recipes-mender/mender-client/files/mender.conf 

{
    "ServerCertificate": "/etc/mender/server.crt"
}

The installed mender.conf files on the target are unchanged.

Am I missing something in the .bbappend file? If the server.crt file gets installed to the filesystem, does that automatically update ServerCertificate? Is the manual incorrect? Is this an issue trying to work with master-next for Kirkstone support?

2

I’ve been focusing on just server.crt to try and make this as simple as possible. I’ve made some forward progress, but, am stuck again.

I found that at some point between Dunfell and master-next there was a change to how server.crt is handled. Thus, making the documentation incorrect for master-next (but is probably still valid for Dunfell). Which is fine as it’s unreleased.

Looking at some commits and the mender-demo tree, I’ve found that this appears to be the right thing to do in our layer:

cat recipes-mender/mender-client/mender-client_%.bbappend

# Depend on mender-server-certificate
DEPENDS:append = " mender-server-certificate"
RDEPENDS_${PN}:append = " mender-server-certificate"


MENDER_SERVER_URL = "https://..."

And:

cat recipes-mender/mender-server-certificate/mender-server-certificate.bbappend

FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI:append = " file://server.crt"

I can follow the build logs and see that mender-server-certificate is getting picked up and installed to ~/bsp/build/tmp/work/all-poky-linux/mender-server-certificate/0.1-r0/image/usr/local/share/ca-certificates/mender/server.crt But that file/path is not making it to the rootfs and I have no idea what I’m missing at this point.

3

You’re right that this is “the new way” in master-next (kirkstone) and later. I can’t really see why it wouldn’t be installed though. And this is tested pretty heavily in our CI, so I’m fairly certain this must be something specific on your end.

Does it make any difference if you use this in local.conf?

IMAGE_INSTALL:append = " mender-server-certificate"
4

That was it I guess.

I had tried that much previously, putting mender-client and mender-server-certificate in our image.bb file. I didn’t have success previously, but I figured I would try it again in case I may have had a typo, and it looks like it worked this time around

@@ -52,6 +52,8 @@ IMAGE_INSTALL:append = " \
        matchbox-keyboard \
        matchbox-terminal \
        matchbox-wm \
+        mender-client \
+        mender-server-certificate \
        mesa-demos \
        modemmanager \
        nano \

I’m still fairly green when it comes to Yocto, but I am quite surprised that having set up mender-client_%.bbappend to DEPENDS on mender-server-certificate that it would only end up building and not installing mender-server-certificate. Especially when putting mender-client in our IMAGE_INSTALL variable isn’t actually necessary for the Mender client to end up installed in the final image.

Thanks for the sanity check.

5

Well, technically it’s RDEPENDS which is supposed to install it in the image, but it looks like you already have that based on your earlier replies.