Merge pull request #507 from advancedtelematic/feat/OTA-2142/aktualizr-resource-control

aktualizr resource control

19 files changed, 430 insertions, 329 deletions

diff --git a/README.adoc b/README.adoc
index f3aef45..cc01612 100644
--- a/README.adoc
+++ b/README.adoc
@@ -95,6 +95,7 @@ Your images will also need network connectivity to be able to reach an actual OT
 * `SOTA_MAIN_DTB` - base device tree to use with the kernel. Used together with FIT images. You can change it, and the device tree will also be changed after the update.
 * `SOTA_DT_OVERLAYS` - whitespace-separated list of used device tree overlays for FIT image. This list is OSTree-updateable as well.
 * `SOTA_EXTRA_CONF_FRAGS` - extra https://lxr.missinglinkelectronics.com/uboot/doc/uImage.FIT/overlay-fdt-boot.txt[configuration fragments] for FIT image.
+* `RESOURCE_xxx_pn-aktualizr` - controls maximum resource usage of the aktualizr service, when `aktualizr-resource-control` is installed on the image. See <<aktualizr service resource control>> for details.
 
 == Usage
 
@@ -160,6 +161,19 @@ Second, you can write recipes to install additional config files with customized
 
 To use these recipes, you will need to add them to your image with a line such as `IMAGE_INSTALL_append = " aktualizr-log-debug "` in your `local.conf`.
 
+=== aktualizr service resource control
+
+With systemd based images, it is possible to set resource policies for the aktualizr service. The main use case is to provide a safeguard against resource exhaustion during an unforeseen failure scenario.
+
+To enable it, install `aktualizr-resource-control` on the target image and optionally override the default resource limits set in link:recipes-sota/aktualizr/aktualizr_git.bb[aktualizr_git.bb], from your `local.conf`.
+
+For example:
+
+....
+IMAGE_INSTALL_append += " aktualizr-resource-control "
+RESOURCE_CPU_WEIGHT_pn-aktualizr = "50"
+....
+
 == Development configuration
 
 There are a few settings that can be controlled in `local.conf` to simplify the development process:
@@ -214,7 +228,7 @@ sudo apt install ovmf
 5. Run oe-selftest:
 +
 ```
-oe-selftest --run-tests updater
+oe-selftest -r updater_native updater_qemux86_64 updater_minnowboard updater_raspberrypi
 ```
 
 For more information about oe-selftest, including details about how to run individual test modules or classes, please refer to the https://wiki.yoctoproject.org/wiki/Oe-selftest[Yocto Project wiki].
diff --git a/lib/oeqa/selftest/cases/testutils.py b/lib/oeqa/selftest/cases/testutils.py
new file mode 100644
index 0000000..90ba653
--- /dev/null
+++ b/lib/oeqa/selftest/cases/testutils.py
@@ -0,0 +1,128 @@
+import os
+import logging
+import re
+import subprocess
+from time import sleep
+
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
+from qemucommand import QemuCommand
+
+
+def qemu_launch(efi=False, machine=None, imagename=None):
+    logger = logging.getLogger("selftest")
+    if imagename is None:
+        imagename = 'core-image-minimal'
+    logger.info('Running bitbake to build {}'.format(imagename))
+    bitbake(imagename)
+    # Create empty object.
+    args = type('', (), {})()
+    args.imagename = imagename
+    args.mac = None
+    # Could use DEPLOY_DIR_IMAGE here but it's already in the machine
+    # subdirectory.
+    args.dir = 'tmp/deploy/images'
+    args.efi = efi
+    args.machine = machine
+    qemu_use_kvm = get_bb_var("QEMU_USE_KVM")
+    if qemu_use_kvm and \
+            (qemu_use_kvm == 'True' and 'x86' in machine or
+             get_bb_var('MACHINE') in qemu_use_kvm.split()):
+        args.kvm = True
+    else:
+        args.kvm = None  # Autodetect
+    args.no_gui = True
+    args.gdb = False
+    args.pcap = None
+    args.overlay = None
+    args.dry_run = False
+    args.secondary_network = False
+
+    qemu = QemuCommand(args)
+    cmdline = qemu.command_line()
+    print('Booting image with run-qemu-ota...')
+    s = subprocess.Popen(cmdline)
+    sleep(10)
+    return qemu, s
+
+
+def qemu_terminate(s):
+    try:
+        s.terminate()
+    except KeyboardInterrupt:
+        pass
+
+
+def qemu_send_command(port, command):
+    command = ['ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost -p ' +
+               str(port) + ' "' + command + '"']
+    s2 = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    stdout, stderr = s2.communicate(timeout=60)
+    return stdout, stderr, s2.returncode
+
+
+def akt_native_run(testInst, cmd, **kwargs):
+    # run a command supplied by aktualizr-native and checks that:
+    # - the executable exists
+    # - the command runs without error
+    # NOTE: the base test class must have built aktualizr-native (in
+    # setUpClass, for example)
+    bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'base_prefix', 'libdir', 'bindir'],
+                          'aktualizr-native')
+    sysroot = bb_vars['SYSROOT_DESTDIR'] + bb_vars['base_prefix']
+    sysrootbin = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir']
+    libdir = bb_vars['libdir']
+
+    program, *_ = cmd.split(' ')
+    p = '{}/{}'.format(sysrootbin, program)
+    testInst.assertTrue(os.path.isfile(p), msg="No {} found ({})".format(program, p))
+    env = dict(os.environ)
+    env['LD_LIBRARY_PATH'] = libdir
+    result = runCmd(cmd, env=env, native_sysroot=sysroot, ignore_status=True, **kwargs)
+    testInst.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
+
+
+def verifyNotProvisioned(testInst, machine):
+    print('Checking output of aktualizr-info:')
+    ran_ok = False
+    for delay in [5, 5, 5, 5, 10, 10, 10, 10]:
+        stdout, stderr, retcode = testInst.qemu_command('aktualizr-info')
+        if retcode == 0 and stderr == b'':
+            ran_ok = True
+            break
+        sleep(delay)
+    testInst.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
+
+    # Verify that device has NOT yet provisioned.
+    testInst.assertIn(b'Couldn\'t load device ID', stdout,
+                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
+    testInst.assertIn(b'Couldn\'t load ECU serials', stdout,
+                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
+    testInst.assertIn(b'Provisioned on server: no', stdout,
+                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
+    testInst.assertIn(b'Fetched metadata: no', stdout,
+                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
+
+
+def verifyProvisioned(testInst, machine):
+    # Verify that device HAS provisioned.
+    ran_ok = False
+    for delay in [5, 5, 5, 5, 10, 10, 10, 10]:
+        stdout, stderr, retcode = testInst.qemu_command('aktualizr-info')
+        if retcode == 0 and stderr == b'' and stdout.decode().find('Fetched metadata: yes') >= 0:
+            ran_ok = True
+            break
+        sleep(delay)
+    testInst.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
+
+    testInst.assertIn(b'Device ID: ', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
+    testInst.assertIn(b'Primary ecu hardware ID: ' + machine.encode(), stdout,
+                      'Provisioning failed: ' + stderr.decode() + stdout.decode())
+    testInst.assertIn(b'Fetched metadata: yes', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
+    p = re.compile(r'Device ID: ([a-z0-9-]*)\n')
+    m = p.search(stdout.decode())
+    testInst.assertTrue(m, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
+    testInst.assertGreater(m.lastindex, 0, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
+    logger = logging.getLogger("selftest")
+    logger.info('Device successfully provisioned with ID: ' + m.group(1))
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/lib/oeqa/selftest/cases/updater_minnowboard.py b/lib/oeqa/selftest/cases/updater_minnowboard.py
new file mode 100644
index 0000000..f5df584
--- /dev/null
+++ b/lib/oeqa/selftest/cases/updater_minnowboard.py
@@ -0,0 +1,60 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, get_bb_var
+from testutils import qemu_launch, qemu_send_command, qemu_terminate, verifyProvisioned
+
+
+class MinnowTests(OESelftestTestCase):
+
+    def setUpLocal(self):
+        layer_intel = "meta-intel"
+        layer_minnow = "meta-updater-minnowboard"
+        result = runCmd('bitbake-layers show-layers')
+        # Assume the directory layout for finding other layers. We could also
+        # make assumptions by using 'show-layers', but either way, if the
+        # layers we need aren't where we expect them, we are out of luck.
+        path = os.path.abspath(os.path.dirname(__file__))
+        metadir = path + "/../../../../../"
+        if re.search(layer_intel, result.output) is None:
+            self.meta_intel = metadir + layer_intel
+            runCmd('bitbake-layers add-layer "%s"' % self.meta_intel)
+        else:
+            self.meta_intel = None
+        if re.search(layer_minnow, result.output) is None:
+            self.meta_minnow = metadir + layer_minnow
+            runCmd('bitbake-layers add-layer "%s"' % self.meta_minnow)
+        else:
+            self.meta_minnow = None
+        self.append_config('MACHINE = "intel-corei7-64"')
+        self.append_config('OSTREE_BOOTLOADER = "grub"')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
+        self.qemu, self.s = qemu_launch(efi=True, machine='intel-corei7-64')
+
+    def tearDownLocal(self):
+        qemu_terminate(self.s)
+        if self.meta_intel:
+            runCmd('bitbake-layers remove-layer "%s"' % self.meta_intel, ignore_status=True)
+        if self.meta_minnow:
+            runCmd('bitbake-layers remove-layer "%s"' % self.meta_minnow, ignore_status=True)
+
+    def qemu_command(self, command):
+        return qemu_send_command(self.qemu.ssh_port, command)
+
+    def test_provisioning(self):
+        print('Checking machine name (hostname) of device:')
+        stdout, stderr, retcode = self.qemu_command('hostname')
+        self.assertEqual(retcode, 0, "Unable to check hostname. " +
+                         "Is an ssh daemon (such as dropbear or openssh) installed on the device?")
+        machine = get_bb_var('MACHINE', 'core-image-minimal')
+        self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
+        # Strip off line ending.
+        value = stdout.decode()[:-1]
+        self.assertEqual(value, machine,
+                         'MACHINE does not match hostname: ' + machine + ', ' + value +
+                         '\nIs TianoCore ovmf installed on your host machine?')
+
+        verifyProvisioned(self, machine)
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/lib/oeqa/selftest/cases/updater_native.py b/lib/oeqa/selftest/cases/updater_native.py
new file mode 100644
index 0000000..1fc9cb8
--- /dev/null
+++ b/lib/oeqa/selftest/cases/updater_native.py
@@ -0,0 +1,47 @@
+# pylint: disable=C0111,C0325
+import logging
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var
+from testutils import akt_native_run
+
+
+class SotaToolsTests(OESelftestTestCase):
+
+    @classmethod
+    def setUpClass(cls):
+        super(SotaToolsTests, cls).setUpClass()
+        logger = logging.getLogger("selftest")
+        logger.info('Running bitbake to build aktualizr-native tools')
+        bitbake('aktualizr-native')
+
+    def test_push_help(self):
+        akt_native_run(self, 'garage-push --help')
+
+    def test_deploy_help(self):
+        akt_native_run(self, 'garage-deploy --help')
+
+    def test_garagesign_help(self):
+        akt_native_run(self, 'garage-sign --help')
+
+
+class GeneralTests(OESelftestTestCase):
+
+    def test_feature_sota(self):
+        result = get_bb_var('DISTRO_FEATURES').find('sota')
+        self.assertNotEqual(result, -1, 'Feature "sota" not set at DISTRO_FEATURES')
+
+    def test_feature_usrmerge(self):
+        result = get_bb_var('DISTRO_FEATURES').find('usrmerge')
+        self.assertNotEqual(result, -1, 'Feature "sota" not set at DISTRO_FEATURES')
+
+    def test_feature_systemd(self):
+        result = get_bb_var('DISTRO_FEATURES').find('systemd')
+        self.assertNotEqual(result, -1, 'Feature "systemd" not set at DISTRO_FEATURES')
+
+    def test_java(self):
+        result = runCmd('which java', ignore_status=True)
+        self.assertEqual(result.status, 0,
+                         "Java not found. Do you have a JDK installed on your host machine?")
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/lib/oeqa/selftest/cases/updater.py b/lib/oeqa/selftest/cases/updater_qemux86_64.py
index 473b2a8..bef6cdc 100644
--- a/lib/oeqa/selftest/cases/updater.py
+++ b/lib/oeqa/selftest/cases/updater_qemux86_64.py
@@ -2,48 +2,16 @@
 import os
 import logging
 import re
-import subprocess
 import unittest
 from time import sleep
 
 from oeqa.selftest.case import OESelftestTestCase
 from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
-from qemucommand import QemuCommand
-
-
-class SotaToolsTests(OESelftestTestCase):
-
-    @classmethod
-    def setUpClass(cls):
-        super(SotaToolsTests, cls).setUpClass()
-        logger = logging.getLogger("selftest")
-        logger.info('Running bitbake to build aktualizr-native tools')
-        bitbake('aktualizr-native')
-
-    def test_push_help(self):
-        akt_native_run(self, 'garage-push --help')
-
-    def test_deploy_help(self):
-        akt_native_run(self, 'garage-deploy --help')
-
-    def test_garagesign_help(self):
-        akt_native_run(self, 'garage-sign --help')
+from testutils import qemu_launch, qemu_send_command, qemu_terminate, \
+    akt_native_run, verifyNotProvisioned, verifyProvisioned
 
 
 class GeneralTests(OESelftestTestCase):
-
-    def test_feature_sota(self):
-        result = get_bb_var('DISTRO_FEATURES').find('sota')
-        self.assertNotEqual(result, -1, 'Feature "sota" not set at DISTRO_FEATURES')
-
-    def test_feature_usrmerge(self):
-        result = get_bb_var('DISTRO_FEATURES').find('usrmerge')
-        self.assertNotEqual(result, -1, 'Feature "sota" not set at DISTRO_FEATURES')
-
-    def test_feature_systemd(self):
-        result = get_bb_var('DISTRO_FEATURES').find('systemd')
-        self.assertNotEqual(result, -1, 'Feature "systemd" not set at DISTRO_FEATURES')
-
     def test_credentials(self):
         logger = logging.getLogger("selftest")
         logger.info('Running bitbake to build core-image-minimal')
@@ -62,11 +30,6 @@ class GeneralTests(OESelftestTestCase):
                         (deploydir, imagename), ignore_status=True)
         self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
 
-    def test_java(self):
-        result = runCmd('which java', ignore_status=True)
-        self.assertEqual(result.status, 0,
-                         "Java not found. Do you have a JDK installed on your host machine?")
-
 
 class AktualizrToolsTests(OESelftestTestCase):
 
@@ -143,16 +106,6 @@ class AutoProvTests(OESelftestTestCase):
         value = stdout.decode()[:-1]
         self.assertEqual(value, machine,
                          'MACHINE does not match hostname: ' + machine + ', ' + value)
-        print(value)
-        print('Checking output of aktualizr-info:')
-        ran_ok = False
-        for delay in [1, 2, 5, 10, 15]:
-            stdout, stderr, retcode = self.qemu_command('aktualizr-info')
-            if retcode == 0 and stderr == b'':
-                ran_ok = True
-                break
-            sleep(delay)
-        self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
 
         verifyProvisioned(self, machine)
 
@@ -201,136 +154,6 @@ class ManualControlTests(OESelftestTestCase):
                       'Aktualizr should have run' + stderr.decode() + stdout.decode())
 
 
-class RpiTests(OESelftestTestCase):
-
-    def setUpLocal(self):
-        # Add layers before changing the machine type, otherwise the sanity
-        # checker complains loudly.
-        layer_rpi = "meta-raspberrypi"
-        layer_upd_rpi = "meta-updater-raspberrypi"
-        result = runCmd('bitbake-layers show-layers')
-        # Assume the directory layout for finding other layers. We could also
-        # make assumptions by using 'show-layers', but either way, if the
-        # layers we need aren't where we expect them, we are out of luck.
-        path = os.path.abspath(os.path.dirname(__file__))
-        metadir = path + "/../../../../../"
-        if re.search(layer_rpi, result.output) is None:
-            self.meta_rpi = metadir + layer_rpi
-            runCmd('bitbake-layers add-layer "%s"' % self.meta_rpi)
-        else:
-            self.meta_rpi = None
-        if re.search(layer_upd_rpi, result.output) is None:
-            self.meta_upd_rpi = metadir + layer_upd_rpi
-            runCmd('bitbake-layers add-layer "%s"' % self.meta_upd_rpi)
-        else:
-            self.meta_upd_rpi = None
-
-        # This is trickier that I would've thought. The fundamental problem is
-        # that the qemu layer changes the u-boot file extension to .rom, but
-        # raspberrypi still expects .bin. To prevent this, the qemu layer must
-        # be temporarily removed if it is present. It has to be removed by name
-        # without the complete path, but to add it back when we are done, we
-        # need the full path.
-        p = re.compile(r'meta-updater-qemux86-64\s*(\S*meta-updater-qemux86-64)\s')
-        m = p.search(result.output)
-        if m and m.lastindex > 0:
-            self.meta_qemu = m.group(1)
-            runCmd('bitbake-layers remove-layer meta-updater-qemux86-64')
-        else:
-            self.meta_qemu = None
-
-        self.append_config('MACHINE = "raspberrypi3"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
-
-    def tearDownLocal(self):
-        if self.meta_qemu:
-            runCmd('bitbake-layers add-layer "%s"' % self.meta_qemu, ignore_status=True)
-        if self.meta_upd_rpi:
-            runCmd('bitbake-layers remove-layer "%s"' % self.meta_upd_rpi, ignore_status=True)
-        if self.meta_rpi:
-            runCmd('bitbake-layers remove-layer "%s"' % self.meta_rpi, ignore_status=True)
-
-    def test_rpi(self):
-        logger = logging.getLogger("selftest")
-        logger.info('Running bitbake to build core-image-minimal')
-        self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"')
-        bitbake('core-image-minimal')
-        credentials = get_bb_var('SOTA_PACKED_CREDENTIALS')
-        # Skip the test if the variable SOTA_PACKED_CREDENTIALS is not set.
-        if credentials is None:
-            raise unittest.SkipTest("Variable 'SOTA_PACKED_CREDENTIALS' not set.")
-        # Check if the file exists.
-        self.assertTrue(os.path.isfile(credentials), "File %s does not exist" % credentials)
-        deploydir = get_bb_var('DEPLOY_DIR_IMAGE')
-        imagename = get_bb_var('IMAGE_LINK_NAME', 'core-image-minimal')
-        # Check if the credentials are included in the output image.
-        result = runCmd('tar -jtvf %s/%s.tar.bz2 | grep sota_provisioning_credentials.zip' %
-                        (deploydir, imagename), ignore_status=True)
-        self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
-
-
-class GrubTests(OESelftestTestCase):
-
-    def setUpLocal(self):
-        layer_intel = "meta-intel"
-        layer_minnow = "meta-updater-minnowboard"
-        result = runCmd('bitbake-layers show-layers')
-        # Assume the directory layout for finding other layers. We could also
-        # make assumptions by using 'show-layers', but either way, if the
-        # layers we need aren't where we expect them, we are out of luck.
-        path = os.path.abspath(os.path.dirname(__file__))
-        metadir = path + "/../../../../../"
-        if re.search(layer_intel, result.output) is None:
-            self.meta_intel = metadir + layer_intel
-            runCmd('bitbake-layers add-layer "%s"' % self.meta_intel)
-        else:
-            self.meta_intel = None
-        if re.search(layer_minnow, result.output) is None:
-            self.meta_minnow = metadir + layer_minnow
-            runCmd('bitbake-layers add-layer "%s"' % self.meta_minnow)
-        else:
-            self.meta_minnow = None
-        self.append_config('MACHINE = "intel-corei7-64"')
-        self.append_config('OSTREE_BOOTLOADER = "grub"')
-        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
-        self.qemu, self.s = qemu_launch(efi=True, machine='intel-corei7-64')
-
-    def tearDownLocal(self):
-        qemu_terminate(self.s)
-        if self.meta_intel:
-            runCmd('bitbake-layers remove-layer "%s"' % self.meta_intel, ignore_status=True)
-        if self.meta_minnow:
-            runCmd('bitbake-layers remove-layer "%s"' % self.meta_minnow, ignore_status=True)
-
-    def qemu_command(self, command):
-        return qemu_send_command(self.qemu.ssh_port, command)
-
-    def test_grub(self):
-        print('Checking machine name (hostname) of device:')
-        stdout, stderr, retcode = self.qemu_command('hostname')
-        self.assertEqual(retcode, 0, "Unable to check hostname. " +
-                         "Is an ssh daemon (such as dropbear or openssh) installed on the device?")
-        machine = get_bb_var('MACHINE', 'core-image-minimal')
-        self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
-        # Strip off line ending.
-        value = stdout.decode()[:-1]
-        self.assertEqual(value, machine,
-                         'MACHINE does not match hostname: ' + machine + ', ' + value +
-                         '\nIs TianoCore ovmf installed on your host machine?')
-        print(value)
-        print('Checking output of aktualizr-info:')
-        ran_ok = False
-        for delay in [1, 2, 5, 10, 15]:
-            stdout, stderr, retcode = self.qemu_command('aktualizr-info')
-            if retcode == 0 and stderr == b'':
-                ran_ok = True
-                break
-            sleep(delay)
-        self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
-
-        verifyProvisioned(self, machine)
-
-
 class ImplProvTests(OESelftestTestCase):
 
     def setUpLocal(self):
@@ -371,25 +194,8 @@ class ImplProvTests(OESelftestTestCase):
         value = stdout.decode()[:-1]
         self.assertEqual(value, machine,
                          'MACHINE does not match hostname: ' + machine + ', ' + value)
-        print(value)
-        print('Checking output of aktualizr-info:')
-        ran_ok = False
-        for delay in [1, 2, 5, 10, 15]:
-            stdout, stderr, retcode = self.qemu_command('aktualizr-info')
-            if retcode == 0 and stderr == b'':
-                ran_ok = True
-                break
-            sleep(delay)
-        self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
-        # Verify that device has NOT yet provisioned.
-        self.assertIn(b'Couldn\'t load device ID', stdout,
-                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
-        self.assertIn(b'Couldn\'t load ECU serials', stdout,
-                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
-        self.assertIn(b'Provisioned on server: no', stdout,
-                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
-        self.assertIn(b'Fetched metadata: no', stdout,
-                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
+
+        verifyNotProvisioned(self, machine)
 
         # Run aktualizr-cert-provider.
         bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
@@ -446,25 +252,8 @@ class HsmTests(OESelftestTestCase):
         value = stdout.decode()[:-1]
         self.assertEqual(value, machine,
                          'MACHINE does not match hostname: ' + machine + ', ' + value)
-        print(value)
-        print('Checking output of aktualizr-info:')
-        ran_ok = False
-        for delay in [1, 2, 5, 10, 15]:
-            stdout, stderr, retcode = self.qemu_command('aktualizr-info')
-            if retcode == 0 and stderr == b'':
-                ran_ok = True
-                break
-            sleep(delay)
-        self.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
-        # Verify that device has NOT yet provisioned.
-        self.assertIn(b'Couldn\'t load device ID', stdout,
-                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
-        self.assertIn(b'Couldn\'t load ECU serials', stdout,
-                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
-        self.assertIn(b'Provisioned on server: no', stdout,
-                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
-        self.assertIn(b'Fetched metadata: no', stdout,
-                      'Device already provisioned!? ' + stderr.decode() + stdout.decode())
+
+        verifyNotProvisioned(self, machine)
 
         # Verify that HSM is not yet initialized.
         pkcs11_command = 'pkcs11-tool --module=/usr/lib/softhsm/libsofthsm2.so -O'
@@ -474,7 +263,7 @@ class HsmTests(OESelftestTestCase):
         softhsm2_command = 'softhsm2-util --show-slots'
         stdout, stderr, retcode = self.qemu_command(softhsm2_command)
         self.assertNotEqual(retcode, 0, 'softhsm2-tool succeeded before initialization: ' +
-                        stdout.decode() + stderr.decode())
+                            stdout.decode() + stderr.decode())
 
         # Run aktualizr-cert-provider.
         bb_vars = get_bb_vars(['SOTA_PACKED_CREDENTIALS'], 'aktualizr-native')
@@ -521,13 +310,6 @@ class HsmTests(OESelftestTestCase):
 
 
 class SecondaryTests(OESelftestTestCase):
-    @classmethod
-    def setUpClass(cls):
-        super(SecondaryTests, cls).setUpClass()
-        logger = logging.getLogger("selftest")
-        logger.info('Running bitbake to build secondary-image')
-        bitbake('secondary-image')
-
     def setUpLocal(self):
         layer = "meta-updater-qemux86-64"
         result = runCmd('bitbake-layers show-layers')
@@ -566,13 +348,6 @@ class SecondaryTests(OESelftestTestCase):
 
 
 class PrimaryTests(OESelftestTestCase):
-    @classmethod
-    def setUpClass(cls):
-        super(PrimaryTests, cls).setUpClass()
-        logger = logging.getLogger("selftest")
-        logger.info('Running bitbake to build primary-image')
-        bitbake('primary-image')
-
     def setUpLocal(self):
         layer = "meta-updater-qemux86-64"
         result = runCmd('bitbake-layers show-layers')
@@ -606,99 +381,48 @@ class PrimaryTests(OESelftestTestCase):
         self.assertEqual(stderr, b'', 'Error: ' + stderr.decode())
 
 
-def qemu_launch(efi=False, machine=None, imagename=None):
-    logger = logging.getLogger("selftest")
-    logger.info('Running bitbake to build core-image-minimal')
-    bitbake('core-image-minimal')
-    # Create empty object.
-    args = type('', (), {})()
-    if imagename:
-        args.imagename = imagename
-    else:
-        args.imagename = 'core-image-minimal'
-    args.mac = None
-    # Could use DEPLOY_DIR_IMAGE here but it's already in the machine
-    # subdirectory.
-    args.dir = 'tmp/deploy/images'
-    args.efi = efi
-    args.machine = machine
-    qemu_use_kvm = get_bb_var("QEMU_USE_KVM")
-    if qemu_use_kvm and \
-       (qemu_use_kvm == 'True' and 'x86' in machine or \
-        get_bb_var('MACHINE') in qemu_use_kvm.split()):
-        args.kvm = True
-    else:
-        args.kvm = None  # Autodetect
-    args.no_gui = True
-    args.gdb = False
-    args.pcap = None
-    args.overlay = None
-    args.dry_run = False
-    args.secondary_network = False
-
-    qemu = QemuCommand(args)
-    cmdline = qemu.command_line()
-    print('Booting image with run-qemu-ota...')
-    s = subprocess.Popen(cmdline)
-    sleep(10)
-    return qemu, s
-
-
-def qemu_terminate(s):
-    try:
-        s.terminate()
-    except KeyboardInterrupt:
-        pass
-
-
-def qemu_send_command(port, command):
-    command = ['ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhost -p ' +
-               str(port) + ' "' + command + '"']
-    s2 = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-    stdout, stderr = s2.communicate(timeout=60)
-    return stdout, stderr, s2.returncode
-
-
-def akt_native_run(testInst, cmd, **kwargs):
-    # run a command supplied by aktualizr-native and checks that:
-    # - the executable exists
-    # - the command runs without error
-    # NOTE: the base test class must have built aktualizr-native (in
-    # setUpClass, for example)
-    bb_vars = get_bb_vars(['SYSROOT_DESTDIR', 'base_prefix', 'libdir', 'bindir'],
-                          'aktualizr-native')
-    sysroot = bb_vars['SYSROOT_DESTDIR'] + bb_vars['base_prefix']
-    sysrootbin = bb_vars['SYSROOT_DESTDIR'] + bb_vars['bindir']
-    libdir = bb_vars['libdir']
-
-    program, *_ = cmd.split(' ')
-    p = '{}/{}'.format(sysrootbin, program)
-    testInst.assertTrue(os.path.isfile(p), msg="No {} found ({})".format(program, p))
-    env = dict(os.environ)
-    env['LD_LIBRARY_PATH'] = libdir
-    result = runCmd(cmd, env=env, native_sysroot=sysroot, ignore_status=True, **kwargs)
-    testInst.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
-
-
-def verifyProvisioned(testInst, machine):
-    # Verify that device HAS provisioned.
-    ran_ok = False
-    for delay in [5, 5, 5, 5, 10, 10, 10, 10]:
-        stdout, stderr, retcode = testInst.qemu_command('aktualizr-info')
-        if retcode == 0 and stderr == b'' and stdout.decode().find('Fetched metadata: yes') >= 0:
-            ran_ok = True
-            break
-        sleep(delay)
-    testInst.assertIn(b'Device ID: ', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
-    testInst.assertIn(b'Primary ecu hardware ID: ' + machine.encode(), stdout,
-                  'Provisioning failed: ' + stderr.decode() + stdout.decode())
-    testInst.assertIn(b'Fetched metadata: yes', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
-    p = re.compile(r'Device ID: ([a-z0-9-]*)\n')
-    m = p.search(stdout.decode())
-    testInst.assertTrue(m, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
-    testInst.assertGreater(m.lastindex, 0, 'Device ID could not be read: ' + stderr.decode() + stdout.decode())
-    logger = logging.getLogger("selftest")
-    logger.info('Device successfully provisioned with ID: ' + m.group(1))
+class ResourceControlTests(OESelftestTestCase):
+    def setUpLocal(self):
+        layer = "meta-updater-qemux86-64"
+        result = runCmd('bitbake-layers show-layers')
+        if re.search(layer, result.output) is None:
+            # Assume the directory layout for finding other layers. We could also
+            # make assumptions by using 'show-layers', but either way, if the
+            # layers we need aren't where we expect them, we are out of luck.
+            path = os.path.abspath(os.path.dirname(__file__))
+            metadir = path + "/../../../../../"
+            self.meta_qemu = metadir + layer
+            runCmd('bitbake-layers add-layer "%s"' % self.meta_qemu)
+        else:
+            self.meta_qemu = None
+        self.append_config('MACHINE = "qemux86-64"')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
+        self.append_config('IMAGE_INSTALL_append += " aktualizr-resource-control "')
+        self.append_config('RESOURCE_CPU_WEIGHT_pn-aktualizr = "1000"')
+        self.append_config('RESOURCE_MEMORY_HIGH_pn-aktualizr = "50M"')
+        self.append_config('RESOURCE_MEMORY_MAX_pn-aktualizr = "1M"')
+        self.qemu, self.s = qemu_launch(machine='qemux86-64')
+
+    def tearDownLocal(self):
+        qemu_terminate(self.s)
+        if self.meta_qemu:
+            runCmd('bitbake-layers remove-layer "%s"' % self.meta_qemu, ignore_status=True)
+
+    def qemu_command(self, command):
+        return qemu_send_command(self.qemu.ssh_port, command)
+
+    def test_aktualizr_resource_control(self):
+        print('Checking aktualizr was killed')
+        stdout, stderr, retcode = self.qemu_command('systemctl --no-pager show aktualizr')
+        self.assertIn(b'CPUWeight=1000', stdout, 'CPUWeight was not set correctly')
+        self.assertIn(b'MemoryHigh=52428800', stdout, 'MemoryHigh was not set correctly')
+        self.assertIn(b'MemoryMax=1048576', stdout, 'MemoryMax was not set correctly')
+        self.assertIn(b'ExecMainStatus=9', stdout, 'Aktualizr was not killed')
+
+        self.qemu_command('systemctl --runtime set-property aktualizr MemoryMax=')
+        self.qemu_command('systemctl restart aktualizr')
 
+        stdout, stderr, retcode = self.qemu_command('systemctl --no-pager show --property=ExecMainStatus aktualizr')
+        self.assertIn(b'ExecMainStatus=0', stdout, 'Aktualizr did not restart')
 
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/lib/oeqa/selftest/cases/updater_raspberrypi.py b/lib/oeqa/selftest/cases/updater_raspberrypi.py
new file mode 100644
index 0000000..bb7cfa3
--- /dev/null
+++ b/lib/oeqa/selftest/cases/updater_raspberrypi.py
@@ -0,0 +1,78 @@
+# pylint: disable=C0111,C0325
+import os
+import logging
+import re
+import unittest
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var
+
+
+class RpiTests(OESelftestTestCase):
+
+    def setUpLocal(self):
+        # Add layers before changing the machine type, otherwise the sanity
+        # checker complains loudly.
+        layer_rpi = "meta-raspberrypi"
+        layer_upd_rpi = "meta-updater-raspberrypi"
+        result = runCmd('bitbake-layers show-layers')
+        # Assume the directory layout for finding other layers. We could also
+        # make assumptions by using 'show-layers', but either way, if the
+        # layers we need aren't where we expect them, we are out of luck.
+        path = os.path.abspath(os.path.dirname(__file__))
+        metadir = path + "/../../../../../"
+        if re.search(layer_rpi, result.output) is None:
+            self.meta_rpi = metadir + layer_rpi
+            runCmd('bitbake-layers add-layer "%s"' % self.meta_rpi)
+        else:
+            self.meta_rpi = None
+        if re.search(layer_upd_rpi, result.output) is None:
+            self.meta_upd_rpi = metadir + layer_upd_rpi
+            runCmd('bitbake-layers add-layer "%s"' % self.meta_upd_rpi)
+        else:
+            self.meta_upd_rpi = None
+
+        # This is trickier that I would've thought. The fundamental problem is
+        # that the qemu layer changes the u-boot file extension to .rom, but
+        # raspberrypi still expects .bin. To prevent this, the qemu layer must
+        # be temporarily removed if it is present. It has to be removed by name
+        # without the complete path, but to add it back when we are done, we
+        # need the full path.
+        p = re.compile(r'meta-updater-qemux86-64\s*(\S*meta-updater-qemux86-64)\s')
+        m = p.search(result.output)
+        if m and m.lastindex > 0:
+            self.meta_qemu = m.group(1)
+            runCmd('bitbake-layers remove-layer meta-updater-qemux86-64')
+        else:
+            self.meta_qemu = None
+
+        self.append_config('MACHINE = "raspberrypi3"')
+        self.append_config('SOTA_CLIENT_PROV = " aktualizr-auto-prov "')
+
+    def tearDownLocal(self):
+        if self.meta_qemu:
+            runCmd('bitbake-layers add-layer "%s"' % self.meta_qemu, ignore_status=True)
+        if self.meta_upd_rpi:
+            runCmd('bitbake-layers remove-layer "%s"' % self.meta_upd_rpi, ignore_status=True)
+        if self.meta_rpi:
+            runCmd('bitbake-layers remove-layer "%s"' % self.meta_rpi, ignore_status=True)
+
+    def test_build(self):
+        logger = logging.getLogger("selftest")
+        logger.info('Running bitbake to build core-image-minimal')
+        self.append_config('SOTA_CLIENT_PROV = "aktualizr-auto-prov"')
+        bitbake('core-image-minimal')
+        credentials = get_bb_var('SOTA_PACKED_CREDENTIALS')
+        # Skip the test if the variable SOTA_PACKED_CREDENTIALS is not set.
+        if credentials is None:
+            raise unittest.SkipTest("Variable 'SOTA_PACKED_CREDENTIALS' not set.")
+        # Check if the file exists.
+        self.assertTrue(os.path.isfile(credentials), "File %s does not exist" % credentials)
+        deploydir = get_bb_var('DEPLOY_DIR_IMAGE')
+        imagename = get_bb_var('IMAGE_LINK_NAME', 'core-image-minimal')
+        # Check if the credentials are included in the output image.
+        result = runCmd('tar -jtvf %s/%s.tar.bz2 | grep sota_provisioning_credentials.zip' %
+                        (deploydir, imagename), ignore_status=True)
+        self.assertEqual(result.status, 0, "Status not equal to 0. output: %s" % result.output)
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb b/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
index 1a515a2..0700ac6 100644
--- a/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
+++ b/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
@@ -4,7 +4,7 @@ interfaces through systemd-networkd"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
-inherit systemd
+inherit allarch systemd
 
 RPROVIDES_${PN} = "virtual/network-configuration"
 
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb
index 0628a61..6b2dd27 100644
--- a/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb
+++ b/recipes-sota/aktualizr/aktualizr-auto-prov-creds.bb
@@ -3,6 +3,8 @@ SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
+inherit allarch
+
 DEPENDS = "aktualizr-native zip-native"
 ALLOW_EMPTY_${PN} = "1"
 
diff --git a/recipes-sota/aktualizr/aktualizr-auto-prov.bb b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
index 308f552..4b68491 100644
--- a/recipes-sota/aktualizr/aktualizr-auto-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-auto-prov.bb
@@ -5,6 +5,8 @@ SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
+inherit allarch
+
 DEPENDS = "aktualizr-native zip-native"
 RDEPENDS_${PN}_append = "${@' aktualizr-auto-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 PV = "1.0"
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
index b9bb1f6..da17d77 100644
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov-creds.bb
@@ -3,6 +3,8 @@ SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
+inherit allarch
+
 # WARNING: it is NOT a production solution. The secure way to provision devices
 # is to create certificate request directly on the device (either with HSM/TPM
 # or with software) and then sign it with a CA stored on a disconnected machine.
diff --git a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
index a932475..414cb5e 100644
--- a/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-ca-implicit-prov.bb
@@ -6,6 +6,8 @@ SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
+inherit allarch
+
 DEPENDS = "aktualizr aktualizr-native openssl-native"
 RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 
diff --git a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
index 27aba0f..77c6720 100644
--- a/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
+++ b/recipes-sota/aktualizr/aktualizr-hsm-prov.bb
@@ -5,6 +5,8 @@ SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
+inherit allarch
+
 DEPENDS = "aktualizr aktualizr-native"
 RDEPENDS_${PN}_append = "${@' aktualizr-ca-implicit-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
 
diff --git a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
index 305b5e5..d962876 100644
--- a/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
+++ b/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
@@ -3,12 +3,14 @@ HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
 SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+inherit allarch
+
 DEPENDS = "aktualizr-native"
 RDEPENDS_${PN} = "aktualizr"
 
 SRC_URI = ""
 
-
 do_install() {
     install -m 0700 -d ${D}${libdir}/sota/conf.d
     install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota_uboot_env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
diff --git a/recipes-sota/aktualizr/aktualizr_git.bb b/recipes-sota/aktualizr/aktualizr_git.bb
index 49c4e5e..f2f62b5 100755
--- a/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/recipes-sota/aktualizr/aktualizr_git.bb
@@ -25,6 +25,7 @@ SRC_URI = " \
   file://aktualizr-secondary.service \
   file://aktualizr-secondary.socket \
   file://aktualizr-serialcan.service \
+  file://10-resource-control.conf \
   ${@ d.expand("https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${GARAGE_SIGN_PV}.tgz;unpack=0") if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''} \
   "
 
@@ -62,6 +63,15 @@ PACKAGECONFIG[load-tests] = "-DBUILD_LOAD_TESTS=ON,-DBUILD_LOAD_TESTS=OFF,"
 PACKAGECONFIG[serialcan] = ",,,slcand-start"
 PACKAGECONFIG[ubootenv] = ",,,u-boot-fw-utils aktualizr-uboot-env-rollback"
 
+# can be overriden in configuration with `RESOURCE_xxx_pn-aktualizr`
+# see `man systemd.resource-control` for details
+
+# can be used to lower aktualizr priority, default is 100
+RESOURCE_CPU_WEIGHT = "100"
+# will be slowed down when it reaches 'high', killed when it reaches 'max'
+RESOURCE_MEMORY_HIGH = "100M"
+RESOURCE_MEMORY_MAX = "80%"
+
 do_compile_ptest() {
     cmake_runcmake_build --target build_tests
 }
@@ -118,6 +128,15 @@ do_install_append () {
         install -m 0755 ${B}/src/sota_tools/garage-sign/bin/* ${D}${bindir}
         install -m 0644 ${B}/src/sota_tools/garage-sign/lib/* ${D}${libdir}
     fi
+
+    # resource control
+    install -d ${D}/${systemd_system_unitdir}/aktualizr.service.d
+    install -m 0644 ${WORKDIR}/10-resource-control.conf ${D}/${systemd_system_unitdir}/aktualizr.service.d
+
+    sed -i -e 's|@CPU_WEIGHT@|${RESOURCE_CPU_WEIGHT}|g' \
+           -e 's|@MEMORY_HIGH@|${RESOURCE_MEMORY_HIGH}|g' \
+           -e 's|@MEMORY_MAX@|${RESOURCE_MEMORY_MAX}|g' \
+           ${D}${systemd_system_unitdir}/aktualizr.service.d/10-resource-control.conf
 }
 
 PACKAGESPLITFUNCS_prepend = "split_hosttools_packages "
@@ -132,7 +151,7 @@ python split_hosttools_packages () {
 
 PACKAGES_DYNAMIC = "^aktualizr-.* ^garage-.*"
 
-PACKAGES =+ "${PN}-examples ${PN}-secondary ${PN}-configs ${PN}-host-tools"
+PACKAGES =+ "${PN}-resource-control ${PN}-examples ${PN}-secondary ${PN}-configs ${PN}-host-tools"
 
 ALLOW_EMPTY_${PN}-host-tools = "1"
 
@@ -142,6 +161,10 @@ FILES_${PN} = " \
                 ${systemd_unitdir}/system/aktualizr.service \
                 "
 
+FILES_${PN}-resource-control = " \
+                ${systemd_system_unitdir}/aktualizr.service.d/10-resource-control.conf \
+                "
+
 FILES_${PN}-configs = " \
                 ${sysconfdir}/sota/* \
                 ${libdir}/sota/* \
@@ -157,6 +180,7 @@ FILES_${PN}-secondary = " \
                 ${systemd_unitdir}/system/aktualizr-secondary.socket \
                 ${systemd_unitdir}/system/aktualizr-secondary.service \
                 "
+
 BBCLASSEXTEND = "native"
 
 # vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/recipes-sota/aktualizr/files/10-resource-control.conf b/recipes-sota/aktualizr/files/10-resource-control.conf
new file mode 100644
index 0000000..254713c
--- /dev/null
+++ b/recipes-sota/aktualizr/files/10-resource-control.conf
@@ -0,0 +1,6 @@
+[Service]
+CPUAccounting=true
+CPUWeight=@CPU_WEIGHT@
+MemoryAccounting=true
+MemoryHigh=@MEMORY_HIGH@
+MemoryMax=@MEMORY_MAX@
diff --git a/recipes-sota/config/aktualizr-auto-reboot.bb b/recipes-sota/config/aktualizr-auto-reboot.bb
index ad4d17c..f360d9e 100644
--- a/recipes-sota/config/aktualizr-auto-reboot.bb
+++ b/recipes-sota/config/aktualizr-auto-reboot.bb
@@ -5,6 +5,8 @@ SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
+inherit allarch
+
 SRC_URI = " \
             file://35-enable-auto-reboot.toml \
             "
diff --git a/recipes-sota/config/aktualizr-disable-send-ip.bb b/recipes-sota/config/aktualizr-disable-send-ip.bb
index 8dd2647..07c12ca 100644
--- a/recipes-sota/config/aktualizr-disable-send-ip.bb
+++ b/recipes-sota/config/aktualizr-disable-send-ip.bb
@@ -5,6 +5,8 @@ SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
+inherit allarch
+
 SRC_URI = " \
             file://30-disable-send-ip.toml \
             "
diff --git a/recipes-sota/config/aktualizr-log-debug.bb b/recipes-sota/config/aktualizr-log-debug.bb
index 098faf4..0c03786 100644
--- a/recipes-sota/config/aktualizr-log-debug.bb
+++ b/recipes-sota/config/aktualizr-log-debug.bb
@@ -5,6 +5,8 @@ SECTION = "base"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
 
+inherit allarch
+
 SRC_URI = " \
             file://05-log-debug.toml \
             "
diff --git a/scripts/qemucommand.py b/scripts/qemucommand.py
index 4abfd4e..cafab6d 100644
--- a/scripts/qemucommand.py
+++ b/scripts/qemucommand.py
@@ -97,6 +97,8 @@ class QemuCommand(object):
             "-serial", "tcp:127.0.0.1:%d,server,nowait" % self.serial_port,
             "-m", "1G",
             "-usb",
+            "-object", "rng-random,id=rng0,filename=/dev/urandom",
+            "-device", "virtio-rng-pci,rng=rng0",
             "-device", "usb-tablet",
             "-show-cursor",
             "-vga", "std",