Greetings @lblackbeard,
Let me try to provide some advice/guidance on this use-case of yours.
First of all let’s address Aktualizr. Off the top of my head I see 2 options here.
Option 1: As you already know, Aktualizr uses /var/sota as the location to store and dump its data. This location is in fact configurable. As you can see here, I believe nearly every path for Aktualizr can be configured: aktualizr/docs/ota-client-guide/modules/ROOT/pages/aktualizr-config-options.adoc at toradex-master · toradex/aktualizr · GitHub
So in theory you could change the configuration to point to your encrypted storage location. You’ll also need to change the configurations found in secondaries.json so all the secondary update types (docker-compose, bootloader, etc.) also use the new location you want.
Option 2: If you don’t want to change the default configuration, then I guess you could try to use symlinks or bind mounts, as you already proposed, so that /var/sota links to/points to your encrypted location.
Please keep in mind these are rough suggestions and I have not tested either thoroughly.
One more point to consider here. A lot of our Aktualizr-adjacent tooling assumes the data directory is located at /var/sota. For example, the service that performs the auto-provisioning to Torizon Cloud assumes /var/sota. These may need to be adjusted/changed depending on how you handle this.
Now speaking about the Docker credentials. First of all, when you say “docker credentials” I assume you mean the credentials for docker login. Please correct me if my assumption is wrong here.
On TorizonOS we change the default Docker configuration location to /etc/docker, as seen here: meta-toradex-torizon/recipes-core/systemd/systemd-conf/system.conf-docker at scarthgap-7.x.y · torizon/meta-toradex-torizon · GitHub
This only applies to processes started by systemd, like docker-compose.service. If you run docker login as the torizon user on the command line, then it will use the normal default location. That said, I imagine when your device is in the field it will be systemd processes/services doing these actions anyway.
Similarly to Aktualizr, you could either change the configuration so DOCKER_CONFIG just points to your encrypted storage, or use a symlink/bind mount to similar effect. Keep in mind whether you want the Docker credentials to be updatable or not. One reason we configured the location to /etc/docker is so that the location would be managed by OSTree and could be updated if needed by users.
Anyway, those are my initial thoughts and impressions with regard to your use case here. I hope it was of some help to your goal. Let me know if you have any questions about anything I described.
Best Regards,
Jeremias
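The following script is an added example; it is not part of the reply above and not Toradex or Torizon project code. It implements Option 2 for Aktualizr (a systemd bind mount of /var/sota onto the encrypted volume, so tooling that hardcodes /var/sota keeps working) and the DOCKER_CONFIG approach for Docker credentials (a per-service drop-in for docker-compose.service, which overrides the DefaultEnvironment= that sets DOCKER_CONFIG=/etc/docker). The encrypted mount point /mnt/secure, the unit name aktualizr-torizon.service, and the drop-in file names are assumptions made for the example and can be overridden through the variables at the top. By default everything is written under a scratch directory as a dry run; set ROOT to the empty string to write to the real rootfs.

```shell
#!/bin/sh
# Added example, not code from the post or from Toradex: keep the default
# /var/sota and DOCKER_CONFIG lookups but make both resolve to an encrypted
# volume. ASSUMPTIONS (not from the post): the encrypted volume is already
# unlocked and mounted at $SECURE, and the Aktualizr unit is $AKTUALIZR_UNIT.
set -eu

SECURE="${SECURE:-/mnt/secure}"                                # assumed mount point
AKTUALIZR_UNIT="${AKTUALIZR_UNIT:-aktualizr-torizon.service}"  # assumed unit name
# All files go under $ROOT. Unset ROOT -> scratch dir (dry run); ROOT= -> real rootfs.
ROOT="${ROOT-$(mktemp -d)}"
UNITS="$ROOT/etc/systemd/system"

# Bind /var/sota to $SECURE/sota. The unit file name must be the systemd
# escape of the mount point, i.e. var-sota.mount, or systemd ignores it.
write_sota_bind_mount() {
    mkdir -p "$UNITS" "$ROOT$SECURE/sota"
    chmod 0700 "$ROOT$SECURE/sota"     # device identity, keys and Uptane metadata live here
    cat > "$UNITS/var-sota.mount" <<EOF
[Unit]
Description=Bind /var/sota onto encrypted storage
RequiresMountsFor=$SECURE

[Mount]
What=$SECURE/sota
Where=/var/sota
Type=none
Options=bind

[Install]
WantedBy=local-fs.target
EOF
    # Make Aktualizr wait for the bind mount; otherwise a race at boot could
    # let it provision into the rootfs copy of /var/sota instead.
    mkdir -p "$UNITS/$AKTUALIZR_UNIT.d"
    cat > "$UNITS/$AKTUALIZR_UNIT.d/10-secure-storage.conf" <<EOF
[Unit]
RequiresMountsFor=/var/sota
EOF
}

# Point docker-compose.service at a config directory on the encrypted volume.
# A per-unit Environment= takes precedence over the manager-wide
# DefaultEnvironment=DOCKER_CONFIG=/etc/docker for that service only.
write_docker_config_dropin() {
    mkdir -p "$UNITS/docker-compose.service.d" "$ROOT$SECURE/docker"
    chmod 0700 "$ROOT$SECURE/docker"   # config.json stores registry creds only base64-encoded
    cat > "$UNITS/docker-compose.service.d/10-docker-config.conf" <<EOF
[Unit]
RequiresMountsFor=$SECURE

[Service]
Environment=DOCKER_CONFIG=$SECURE/docker
EOF
}

# Verify the generated layout: the directives the setup relies on must be
# present and the target directories must not be world-readable. Returns 0 on success.
check_layout() {
    grep -q "^Where=/var/sota$" "$UNITS/var-sota.mount" &&
    grep -q "^Options=bind$" "$UNITS/var-sota.mount" &&
    grep -q "^RequiresMountsFor=/var/sota$" "$UNITS/$AKTUALIZR_UNIT.d/10-secure-storage.conf" &&
    grep -q "^Environment=DOCKER_CONFIG=$SECURE/docker$" \
        "$UNITS/docker-compose.service.d/10-docker-config.conf" &&
    [ -n "$(find "$ROOT$SECURE/sota" -prune -perm 0700)" ] &&
    [ -n "$(find "$ROOT$SECURE/docker" -prune -perm 0700)" ]
}

write_sota_bind_mount
write_docker_config_dropin
check_layout && echo "layout written under ${ROOT:-/}"
```

On a real device, copy the existing contents of /var/sota into the encrypted directory before enabling the mount (a bind mount hides whatever was in the rootfs directory, so an already provisioned device would otherwise re-provision), then run systemctl daemon-reload and enable var-sota.mount. Because the units and drop-ins live under /etc, they are carried along by OSTree across updates, which is the same property the post gives as the reason for choosing /etc/docker.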