Best way to distribute and update software on a Raspberry Pi?
September 1, 2022 2:11 PM

Forgive me if my terminology is wrong but I want to give out hardware devices to friends, which is Raspberry Pi but that can change, and also have it update if I add new features. All my experience has been with backend server development and not consumer devices. What's the best way to achieve this so I can just hand them a box and also push out updates to the box when needed? My initial instinct is to set up a K3S cluster like this and then use Kubernetes to roll out updates. I'm sure consumer devices like Alexa or cable television boxes have all kinds of crazy custom ways of doing this, but am I on the right track? Some more details inside.

The boxes will be essentially the same but I want friends and family to be able to choose things like their favorite NFL team and have that persist. Most Kubernetes clusters I've built have all been the exact same Docker image. I can't be the first person to do this but again, I've only done clusters in the same data center and not individual boxes over the Internet so I might be looking for the wrong solution.

Again I'm not tied to Raspberry Pi or Kubernetes, I just want the ability to update as new features roll out and monitor the devices.

Second question, Alexa has a neat feature where out of the box it serves as a Wifi hotspot where you log in then put your Wifi information in so it can then connect to the internet. Is there anything that does this OOTB? I tried searching GitHub but came up with nothing. Thanks!
posted by geoff. to Computers & Internet (12 answers total) 2 users marked this as a favorite
 
I would just set up your code as a Debian package, put the updates in an Apt repo, and have a cron job on the Pi that runs regularly to update itself from its configured repos.
posted by straw at 2:29 PM on September 1, 2022 [3 favorites]
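The setup straw describes, sketched as a provisioning step (an added example, not code from the thread). The package name `mybox`, the repository URL and the keyring path are hypothetical, and the repository's public key is assumed to be shipped in the image at that keyring path.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names throughout:
# package "mybox", repo apt.example.invalid, keyring path.
PKG="mybox"
REPO_URL="https://apt.example.invalid/debian"
SUITE="stable"
KEYRING="/usr/share/keyrings/mybox-archive-keyring.gpg"

# write_update_config ROOT
# Writes the apt source and the cron job under ROOT. Use ROOT="" on a live
# device, or a mounted image / scratch directory while building or testing.
write_update_config() {
    root="$1"
    mkdir -p "$root/etc/apt/sources.list.d" "$root/etc/cron.d" || return 1

    # signed-by ties the private repo to its own key, so that key cannot
    # vouch for packages from any other source (and vice versa). apt rejects
    # unsigned or mis-signed indexes by default; do not weaken that with
    # [trusted=yes] or --allow-unauthenticated.
    printf 'deb [signed-by=%s] %s %s main\n' "$KEYRING" "$REPO_URL" "$SUITE" \
        > "$root/etc/apt/sources.list.d/$PKG.list" || return 1

    # The device pulls; nothing listens for pushes. --only-upgrade upgrades
    # the named package if installed and never installs anything new.
    cat > "$root/etc/cron.d/$PKG-update" <<EOF || return 1
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DEBIAN_FRONTEND=noninteractive
# m h dom mon dow user command
17 3 * * * root apt-get -qq update && apt-get -qq -y install --only-upgrade $PKG
EOF
    chmod 644 "$root/etc/cron.d/$PKG-update"
}

# Apply to the running system only when asked to explicitly (needs root).
if [ "${1:-}" = "--apply" ]; then
    write_update_config ""
fi
```
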


Though I don't have practical experience, and it is perhaps overkill for your project, I'd also look at using AWS IoT, which seems like it is specifically set up for this.

Within their "Well architected framework" documents, under Operational design principles, an outline is given on device provisioning and OTA updates.

Specifically for Raspberry Pi, there are these instructions to connect it as an IoT device.
posted by Gomez_in_the_South at 3:15 PM on September 1, 2022


Kubernetes can use persistent storage on the Pis mounted into your containers.

If there's a base OS image using Raspbian, host yourself a Private Package Archive (PPA) for the apt package management system as straw says.

The Wifi setup thing, I've done that with a Pi-KVM by creating an ad-hoc network for the first boot, then restarted to have it join the intended networks.
posted by k3ninho at 3:40 PM on September 1, 2022 [1 favorite]


Response by poster: Is there a reason for using PPA over Helm? Everything I've seen has heavily marketed Kubernetes for Raspberry Pi/IoT devices. It might just be popular buzzwords now but I'm curious if there's any advantage over just being simply easier.
posted by geoff. at 3:49 PM on September 1, 2022


Balena does what you are after, and is free for less than 10 devices. Push up a docker image and it gets rolled out over the air and (sorta) green-blue deployed. At my old job we used Balena to deploy and monitor over about 300 or so Raspberry Pis and it was pretty solid.
posted by cogat at 4:11 PM on September 1, 2022


Unless you want to also maintain the user's WiFi router with rules and such the only option is for the devices to call you and let the NAT do its thing. It's bad if you can just plonk into a friend/family's Pi from the outside, it means other people could do the same thing. The Pis should be plug and play DHCP things that are just this weird little box a friend gave me that does shit, pack it up and take it on vacation, still works.

The Pi has to do all of the initial contact for updates or even opening a shell (like screen or tmux or such) and receiving commands or offering you access. You should not be able to do this from your side (the outside). That's bad. Not a datacenter, not your network.

That's where the PPA sort of thing comes in. Presumably you have your own Pi of the same sort and know that the update/change will not break something, package it up and the others will get it, you can watch the logs if you must. The devices send information to you at a fixed domain and your router (only one place to mess with). And it doesn't matter where they are, they could take it on vacation and it still works the same as long as you're still there. Throw in a configured private SSL certificate chain and boop you're done.

Or even.... configure them with a Wireguard tunnel back to your machine so that they have an interface on a VPN network with your computer. Then the world would be your oyster and you could do anything.

Now that I think about it. I'd totally configure them with a Wireguard tunnel.
posted by zengargoyle at 11:14 PM on September 1, 2022 [3 favorites]


Seriously, on like third thought. The WireGuard VPN tunnel will solve all of your problems. I was a bigwig large university network administrator/security guy and worked from home over first a direct DSL connection to work, then a Cisco VPN tunnel, then because I'm fedora wearing boss.... WireGuard to my desktop on a restricted network with privileges and could SSH/SNMP into everything. You have to learn a bit of multiple interface routing stuff. `dnsmasq` can help, but you could have all of your friend/family's Pis on 192.168.10.1,2,3,4,5 and even give them DNS names like mom.mypi.net. I have done that, for work, but split tunneling and custom DNS handling, and multiple interfaces on different networks. Port goes out the cable ISP as normal, SNMP to switches goes through tunnel to work. Totally doable. Still PPA sort of auto update is your friend. But you can get them all on a VPN with your machine as well while leaving them bog standard DHCP plug in and go.
posted by zengargoyle at 11:40 PM on September 1, 2022
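The tunnel layout from zengargoyle's two posts above, rendered as WireGuard configs for the Pi and for the hub (an added example, not code from the thread). The endpoint and key values are placeholders, the 192.168.10.x addressing follows the post with .1 assumed to be the hub, and the private key is assumed to be generated on the Pi into a root-only file.

```shell
#!/bin/sh
# Added example, not from the thread. Endpoint and key values are placeholders;
# 192.168.10.x follows the addressing in the post, with .1 assumed to be the hub.
HUB_ENDPOINT="vpn.example.invalid:51820"
HUB_ADDR="192.168.10.1"
HUB_PUBKEY="HUB_PUBLIC_KEY_PLACEHOLDER"

# Accept only 192.168.10.2 - 192.168.10.254 as a device address.
valid_device_addr() {
    last="${1#192.168.10.}"
    [ "$last" != "$1" ] || return 1             # wrong prefix
    case "$last" in
        ''|0*|*[!0-9]*|????*) return 1 ;;       # not a plain 1-3 digit number
    esac
    [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# device_conf ADDR KEYFILE: wg-quick config for one Pi, printed to stdout.
device_conf() {
    valid_device_addr "$1" || { echo "bad device address: $1" >&2; return 1; }
    cat <<EOF
[Interface]
Address = $1/32
# Key is generated on the Pi and stays in a root-only file.
PostUp = wg set %i private-key $2

[Peer]
PublicKey = $HUB_PUBKEY
Endpoint = $HUB_ENDPOINT
# Only traffic for the hub enters the tunnel; the household's own
# traffic keeps using the normal route.
AllowedIPs = $HUB_ADDR/32
# The Pi dials out and keeps the NAT mapping alive, so the home
# router needs no port forward.
PersistentKeepalive = 25
EOF
}

# hub_peer NAME PUBKEY ADDR: [Peer] stanza for the hub's config.
hub_peer() {
    valid_device_addr "$3" || { echo "bad device address: $3" >&2; return 1; }
    cat <<EOF
[Peer]
# $1
PublicKey = $2
# A /32 per device: the hub drops packets from this peer that claim
# any other source address.
AllowedIPs = $3/32
EOF
}
```
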


Instead of wireguard for remote connectivity, I'd suggest zerotier or tailscale. Maybe connect the Raspberry Pis to the router with Ethernet.

I might try docker, and update with watchtower. Or something with a cron script.

I suggest that it's probably better to start with a VPS or server that they connect to from home. It'll be easier to update the software, you won't have to worry about sourcing Raspberry Pis (they've been really hard to find for the past year), and you don't have to worry about them unplugging the Pis, losing track of them, updating the info when they replace the router and the wifi credentials, or handling when the microSD cards die. Further, your friends will be able to access data when they're not at home.
posted by Pronoiac at 12:39 AM on September 2, 2022


Seconding Balena!
posted by osmond_nash at 4:30 AM on September 2, 2022


rPis these days are beefy enough to run Ansible, Chef or Puppet just fine. Kubernetes is cool if everything your pi is intended for is kubernetes ready but you still need something to manage the control plane itself.
posted by pwnguin at 12:07 PM on September 2, 2022


Response by poster: I actually took no one's advice here :). I know K8S well enough that I basically used this repo, I'll admit it is kind of a pain in the ass but it works and works well. I would encourage anyone who is doing what I'm doing to not do what I do and use Balena or something similar but what I'm doing is of questionable legality so I didn't want to use a paid service. I used Hetzner before which was great but they cut off my service only because they couldn't read the number on my passport, and instead of asking to take a better photo they just cut me off. So I'm wary of relying on cloud providers for personal projects.

@pwnguin is right and the control plane is really the biggest pain in the ass to do right. Azure and AWS both have IOT services which I'm sure use Kubernetes underneath but not only is sharing movies questionable but I'm kind of having fun with this project.

Thanks everyone, feel free to add follow up questions or DM me if I don't respond here.
posted by geoff. at 11:09 AM on September 3, 2022


Response by poster: It's bad if you can just plonk into a friend/family's Pi from the outside, it means other people could do the same thing.

That's a great point and something I considered, basically I'm going to use what you suggest and create a VPN. If keys/certs expire I mean they can just send the device back to me. I think I can just set flannel to use Wireguard as a CNI mesh but my terminology on that is probably wrong.

I'm not super worried about this as I'm not the first person to do IOT devices over a WAN. Obviously Alexa/Plex/Ring all work somehow. I will say it is a lot more complex when you're not in the comfortable confines of a cloud environment, for lack of a better term consumer devices are kind of a pain in the ass compared to what I'm used to developing. Even setting automated builds and things that emulate devices over a WAN is difficult, but a good learning experience.
posted by geoff. at 11:20 AM on September 3, 2022

