Skip to content

Install the OTA-Pulse Agent

The OTA-Pulse agent (soc-ota-agent) is the device-side component that polls the backend for pending deployments, downloads firmware artifacts, writes them to the inactive A/B partition, and reboots into the new image. It runs as a systemd service and is written in Go.

Three installation paths are supported:

MethodWhen to use
Yocto layer (meta-otapulse)Greenfield or existing Yocto builds — the recommended production path
Buildroot external tree (buildroot-otapulse)Buildroot-based boards
Manual binary installQuick device tests, development VMs, or any Linux device

Yocto (meta-otapulse)

The meta-otapulse layer bakes the agent, its config directory, systemd unit, and identity/inventory scripts directly into your image.

Supported releases: Kirkstone (LTS) · Langdale · Mickledore · Nanbield · Scarthgap

  1. Clone and add the layer

    Terminal window
    cd /path/to/yocto/sources
    git clone https://github.com/binaryblack/OTA-Pulse.git ota-pulse
    # Add to your build
    bitbake-layers add-layer /path/to/ota-pulse/meta-otapulse

    Or add the path directly to conf/bblayers.conf:

    BBLAYERS += "${BSPDIR}/sources/ota-pulse/meta-otapulse"
  2. Inherit the integration class in your image recipe

    For standard images (rootfs < 1 GB):

    # In your image recipe (e.g., my-image.bb)
    inherit otapulse

    For large images (Qt, multimedia — rootfs > 1 GB):

    inherit otapulse-large

    What inherit otapulse does automatically:

    • Adds soc-ota-agent to the image
    • Enables .mender artifact generation
    • Adds ext4 to IMAGE_FSTYPES
    • Includes partition tools (gptfdisk)
  3. Set the OTA server URL in conf/local.conf

    # Required: your OTA-Pulse backend URL
    OTA_SERVER_URL = "http://<your-server-ip>:8000"
    # Optional: pre-provision an API key (tenant token) into the image
    OTAPULSE_TENANT_TOKEN = "smk_..."
    # Optional: enable artifact signature verification for production
    SOC_OTA_SIGNATURE_VERIFICATION = "1"
    SOC_OTA_VERIFY_KEY_FILES = "production-rsa-public.pem production-ecdsa-public.pem"
  4. Build the image

    Terminal window
    bitbake your-image
    # Output: tmp/deploy/images/<MACHINE>/your-image-<MACHINE>.mender
  5. Flash and verify

    Terminal window
    # Flash the WIC image
    sudo dd if=your-image-<MACHINE>.wic of=/dev/sdX bs=4M status=progress
    # After first boot, verify on the device
    systemctl status soc-ota-agent
    soc-ota-agent show-artifact

Signing keys for production

The layer ships with placeholder development keys. For production you must supply your own keys.

Option A — Replace the example keys:

Terminal window
cp your-production-rsa-public.pem \
meta-otapulse/recipes-core/signing-keys/files/example-rsa-public.pem

Option B — Point to your keys in local.conf:

SOC_OTA_VERIFICATION_KEYS = "/absolute/path/to/production-rsa-public.pem"

Supported algorithms: RSA-4096 PSS/SHA-256 and ECDSA-P384 SHA-384.


File locations

After installation, the agent uses the following paths regardless of install method:

PathDescription
/usr/bin/soc-ota-agentAgent binary
/etc/otapulse/otapulse.confMain configuration (JSON)
/etc/otapulse/scripts/State scripts (update lifecycle hooks)
/var/lib/otapulse/Runtime state and deployment log
/usr/share/otapulse/identity/Device identity scripts
/usr/share/otapulse/inventory/Inventory collection scripts

Quick troubleshooting

SymptomCheck
Service won’t startsudo journalctl -u soc-ota-agent --no-pager — look for config parse errors
Cannot reach backendcurl http://<server-ip>:8000/health from the device
Authentication failuresVerify TenantToken in /etc/otapulse/otapulse.conf; check system clock (NTP)
State stuckcat /var/lib/otapulse/deployment.log

Next: Register your first device

With the agent installed and running, register it in the console.

Register your first device →