Transactional Linux Gateway Specification


Transactional Linux Gateway is a specification for how a Linux-based gateway, a low-cost, headless device, manages state, avoids file system corruption and can provide strong guarantees on transactions changing the state.


The transactional gateway specification has two goals: To enable the implementation of an OTA system which relies on an immutable system image and to enable behaviors aligned with those of a consumer product.

Relationship to the OTA system

Transactional Linux Gateway, or Transactional OS for short, is loosely coupled with the OTA system but allows for great flexibility in the configuration of actual products. The OTA system does rely on some of the properties of the Transactional OS. Those are:

T-OS feature for OTA: Presence of an immutable filesystem image

The OTA system can compute a delta between the current system image and the desired system image, being able to guarantee that the system image is bit-for-bit identical on all devices. Mutable state does not impact read-only state.

T-OS feature for OTA: Presence and usage of multiple state slots

The OTA system can be regarded as a traditional A/B system, where one system copy is active and in use and the other system copy can be erased or modified without affecting the running system. Those are collectively called slots and involve the read only system image, boot assets, such as a copy of the kernel extracted from the system image into a firmware-specific boot location as well as mutable system state specific to a given slot. It is important to stress that system state is associated with a specific slot, allowing essential configuration files, like network configuration to move from format to format over time. This is enabled piece of software which can convert those formats over time. This is described below.

To be continued…