Pantavisor is PID 1 — and it owns the whole device update.
Base, kernel, app containers, and config ship as one signed, content-addressed revision. No image updater bolted on top — this is the runtime.
Get Started
New here? Learn the architecture, flash real hardware in 30 minutes, or migrate from Mender, RAUC, or SWUpdate.
Start here /pantavisorPantavisor reference
Commands, schemas, and configuration keys for the on-device runtime — versioned per release.
Browse reference /meta-pantavisormeta-pantavisor reference
The Yocto/OpenEmbedded layer: KAS configs, BitBake recipes, the CI pipeline, and board install guides.
Browse reference /pvrpvr reference
The Pantavisor command-line utility for creating, managing, and deploying containerized applications.
Browse reference /meta-pantavisor/getting-started/benchmarksCompare to alternatives
Pantavisor against Yocto, Balena, Mender, RAUC, SWUpdate, Buildroot, and Docker.
See the comparisonDocumentation
- Pantavisor runtime — the on-device init process, container orchestration, and OTA agent
- meta-pantavisor — the Yocto layer for building BSP images, including start guide, install guides, migration guides, and more
- PVR CLI — device state management tool
Why Pantavisor over an image updater
Image updaters (Mender, RAUC, SWUpdate) update the image: every change — even a one-line app fix — is a full-image event. Pantavisor versions the device as content-addressed objects, so a change ships only what actually changed.
- Lifecycle decoupling. Patch a small container layer, not a 200 MB rootfs. Update an app without touching the certified base; swap the BSP without rebuilding apps. See the benchmarks for the numbers.
- Trust at PID 1. Because Pantavisor owns init, its atomicity and rollback guarantees are held to a higher bar than a deletable updater — and we prove it with published power-fail and atomicity evidence.
- Git-like device state. The whole device — kernel, every container, and config — is one signed, inspectable, diffable revision.
- Recertification moat. Freeze and certify the base once; iterate apps in containers without re-touching the certified image. See security and compliance.
Already running Mender, RAUC, or SWUpdate? Pantavisor is a replacement, not something you layer on top — see migrating to Pantavisor for a side-by-side comparison and a path off your current updater.
Pantahub
This site documents Pantavisor, the on-device runtime. Pantahub (also branded Pantacor Hub) is the cloud service devices can register with: it stores device state, delivers OTA updates as object diffs, and aggregates logs across a fleet — claim a device, push a new revision, and watch it roll out.
Pantahub is optional. Pantavisor updates a device fully standalone over the local network; Pantahub adds remote, fleet-scale operations on top when you need them. To manage devices remotely, sign up at hub.pantacor.com.