Introducing balenaHub: an easier way to find and publish edge and IoT projects

OpenBalena Getting Started Guide

This guide will walk you through the steps of deploying an openBalena server, that together with the balena CLI, will enable you to create and manage a fleet of devices running on your own infrastructure, on premises or in the cloud. The openBalena servers must be reachable by the devices, which is easiest to achieve with cloud providers like AWS, Google Cloud, Digital Ocean and others.

This guide assumes a setup with two separate machines:

  • The openBalena server, running Linux. These instructions were tested with an Ubuntu 18.04 x64 server.
  • The local machine, running Linux, Windows or macOS where the balena CLI runs (as a client to the openBalena server). The local machine should also have a working installation of Docker so that application images can be built and deployed to your devices, although it is also possible to use balenaEngine on a balenaOS device instead of Docker.

Preparing a server for openBalena

Login to the server via SSH and run the following commands.

  1. First, install or update essential software:

    $ apt-get update && apt-get install -y build-essential git libssl-dev nodejs npm
  2. Install docker-compose:

    $ curl -L -o /usr/local/bin/docker-compose
    $ chmod +x /usr/local/bin/docker-compose

    Test your docker-compose installation with $ docker-compose --version.

  3. Create a new user, assign admin permissions and add to docker group:

    $ adduser balena
    $ usermod -aG sudo balena
    $ usermod -aG docker balena

Install openBalena on the server

  1. On the server still, login as the new user and change into the home directory:

    $ su balena
    $ cd ~
  2. Clone the openBalena repository and change into the new directory:

    $ git clone
    $ cd open-balena/
  3. Run the quickstart script as below. This will create a new config directory and generate appropriate SSL certificates and configuration for the server. The provided email and password will be used to automatically create the user account for interacting with the server and will be needed later on for logging in via the balena CLI. Replace the domain name for the -d argument appropriately.

    $ ./scripts/quickstart -U <email@address> -P <password> -d

    For more available options, see the script's help:

    $ ./scripts/quickstart -h
  4. At this point, the openBalena server can be started with:

    $ systemctl start docker
    $ ./scripts/compose up -d

    The -d argument spawns the containers as background services.

  5. Tail the logs of the containers with:

    $ ./scripts/compose exec <service-name> journalctl -fn100

    Replace <service-name> with the name of any one of the services defined in compose/services.yml; eg. api or registry.

  6. The server can be stopped with:

    $ ./scripts/compose stop

Domain Configuration

The following CNAME records must be configured to point to the openBalena server:

Check with your internet domain name registrar for instructions on how to configure CNAME records.

Test the openBalena server

To confirm that everything is running correctly, try a simple request from the local machine to the server:

$ curl -k

Congratulations! The openBalena server is up and running. The next step is to setup the local machine to use the server, provision a device and deploy a small project.

Install self-signed certificates on the local machine

The installation of the openBalena server produces a few self-signed certificates that must be installed on the local machine, so that it can securely communicate with the server.

The root certificate is found at config/certs/root/ca.crt on the server. Copy it to some folder on the local machine and keep a note the path -- it will be used later during the CLI installation. Follow the steps below for the specific platform of the local machine.


$ sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
$ sudo update-ca-certificates
$ sudo systemctl restart docker


$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
$ osascript -e 'quit app "Docker"' && open -a Docker


$ certutil -addstore -f "ROOT" ca.crt

The Docker daemon on the local machine must then be restarted for Docker to pick up the new certificate.

Install the balena CLI on the local machine

Follow the balena CLI installation instructions to install the balena CLI on the local machine.

By default, the CLI targets the balenaCloud servers at, and needs to be configured to target the openBalena server instead. Add the following line to the CLI's configuration file, replacing "" with the domain name of the openBalena server:

balenaUrl: ""

The CLI configuration file can be found at:

  • On Linux or macOS: ~/.balenarc.yml
  • On Windows: %UserProfile%\_balenarc.yml

If the file does not already exist, just create it.

Wrapping up the CLI installation, set an environment variable that points to the root certificate copied previously on the local machine. This step is to ensure the CLI can securely interact with the openBalena server.

Shell Command
bash export NODE_EXTRA_CA_CERTS='/path/to/ca.crt'
Windows cmd.exe set NODE_EXTRA_CA_CERTS=C:\path\to\ca.crt
Windows PowerShell $Env:NODE_EXTRA_CA_CERTS="C:\path\to\ca.crt"

Deploy an application

The commands below should be run on a terminal on the local machine (where the balena CLI is installed). Ensure that the NODE_EXTRA_CA_CERTS environment variable is set, as discussed above.

Login to openBalena

Run balena login, select Credentials and use the email and password specified during quickstart to login to the openBalena server. At any time, the balena whoami command may be used to check which server the CLI is logged in to.

Create an application

Create a new application with balena app create myApp. Select the application's default device type with the interactive prompt. The examples in this guide assume a Raspberry Pi 3.

An application contains devices that share the same architecture (such as ARM or Intel i386), and also contains code releases that are deployed to the devices. When a device is provisioned, it is added to an application, but can be migrated to another application at any time. There is no limit to the number of applications that can be created or to the number of devices that can be provisioned.

At any time, the server can be queried for all the applications it knows about with the following command:

$ balena apps
1  myApp    raspberrypi3

Provision a new device

Once we have an application, it’s time to start provisioning devices. To do this, first download a balenaOS image from Pick the development image that is appropriate for your device.

Unzip the downloaded image and use the balena CLI to configure it:

$ balena os configure ~/Downloads/balena-cloud-raspberrypi3-2.58.3+rev1-dev-v11.14.0.img --app myApp

Flash the configured image to an SD card using Etcher. Insert the SD card into the device and power it on. The device will register with the openBalena server and after about two minutes will be inspectable:

$ balena devices
4  59d7700 winter-tree  raspberrypi3 myApp            Idle   true      11.14.0            balenaOS 2.58.3+rev1

$ balena device 59d7700
ID:                 4
DEVICE TYPE:        raspberrypi3
STATUS:             online
IS ONLINE:          true
UUID:               59d7700755ec5de06783eda8034c9d3d
OS VERSION:         balenaOS 2.58.3+rev1

It's time to deploy code to the device.

Deploy a project

Application release images are built on the local machine using the balena CLI. Ensure the root certificate has been correctly installed on the local machine, as discussed above.

Let's create a trivial project that logs "Idling...". On an empty directory, create a new file named Dockerfile.template with the following contents:

FROM balenalib/%%BALENA_MACHINE_NAME%%-alpine

CMD [ "balena-idle" ]

Then build and deploy the project with:

$ balena deploy myApp --logs

The project will have been successfully built when a friendly unicorn appears in the terminal:

[Info]    Compose file detected
[Info]    Creating release...
[Info]    Pushing images to registry...
[Info]    Saving release...
[Success] Deploy succeeded!
[Success] Release: f62a74c220b92949ec78761c74366046

			    _.-(6'  \
			   (=___._/` \
			        )  \ |
			       /   / |
			      /    > /
			     j    < _\
			 _.-' :      ``.
			 \ r=._\        `.
			<`\\_  \         .`-.
			 \ r-7  `-. ._  ' .  `\
			  \`,      `-.`7  7)   )
			   \/         \|  \'  / `-._
			              ||    .'
			               \\  (
			                >\  >
			            ,.-' >.'

This command packages up the local directory, creates a new Docker image from it and pushes it to the openBalena server. In turn, the server will deploy it to all provisioned devices and within a couple of minutes, they will all run the new release. Logs can be viewed with:

$ balena logs 59d7700 --tail
[Logs]    [10/28/2020, 11:40:16 AM] Supervisor starting
[Logs]    [10/28/2020, 11:40:50 AM] Creating network 'default'
[Logs]    [10/28/2020, 11:42:38 AM] Creating volume 'resin-data'
[Logs]    [10/28/2020, 11:42:40 AM] Downloading image …
[Logs]    [10/28/2020, 11:44:00 AM] [main] Idling...

Enjoy Balenafying All the Things!

Next steps

  • Try out local mode, which allows you to build and sync code to your device locally for rapid development.
  • Develop an application with multiple containers to provide a more modular approach to application management.
  • Manage your device fleet with the use of configuration and environment variables.
  • Explore our example projects to give you an idea of more things you can do with balena.
  • If you find yourself stuck or confused, help is just a click away.
  • Pin selected devices to selected code releases using sample scripts.
An open source project byBalena
Terms of Service
Privacy Statement
Master agreement
Copyright 2021 Balena
All Rights Reserved