OpenNVR

OTA Security & Patching

OpenNVR is built explicitly to operate in air-gapped or heavily constrained networks. Even so, keeping the underlying Linux operating system patched against newly discovered CVEs (Common Vulnerabilities and Exposures) is critical to maintaining a zero-trust architecture.

To solve this, OpenNVR implements an Over-The-Air (OTA) delivery mechanism that applies patches without requiring an administrator to run raw shell commands on each device in the NVR fleet.

Automated OS-Level Scrubbing

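Unlike standard applications that only update their own binary, the OpenNVR UI can hook into the host OS package managers (when authorized via internal Docker socket bindings). Access to the Docker socket is equivalent to root on the host, so that binding should be exposed only to the component that performs updates.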

This allows you to check for newly discovered CVEs directly from the UI:

  1. Navigate to the System Health & OTA dashboard.
  2. Select Scan for Vulnerabilities.
  3. The FastAPI engine queries internal security repositories and cross-references them against your active Linux kernel and installed OpenNVR container tags.

Executing OTA Deployments

If a critical patch is located, OpenNVR manages the download, staging, and execution phases cleanly.

  1. Staging: The NVR securely downloads the digitally signed tarballs or container runtime images onto an isolated partition.
  2. Rebooting the Engine: The orchestrator pauses active RTSP ingest tunneling via MediaMTX momentarily to cleanly close out video fragments.
  3. Application: The opennvr-core container reboots into the patched environment and restores all camera connections exactly as they were before the update.

Tip: The OTA subsystem guarantees atomic transactions. If a security patch fails after installation, the system rolls back the Docker configuration to the previous known-good state, preserving 24/7 uptime.
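
The verify-then-activate flow and the rollback described above, sketched as an added example (not OpenNVR's own code). The `releases/` directory with a `current` symlink, the `bundle.tar` name, the function names and the health-check callback are assumptions, as is a manifest whose signature has already been verified before its digest is trusted.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def switch_current(root, release):
    """Atomically repoint root/current at releases/<release> (assumed layout)."""
    tmp = root / "current.tmp"
    if tmp.is_symlink():
        tmp.unlink()                      # leftover from an interrupted run
    os.symlink(os.path.join("releases", release), tmp)
    os.replace(tmp, root / "current")     # rename(2) is atomic on POSIX

def apply_update(root, release, expected_sha256, health_check):
    """Return 'rejected', 'applied' or 'rolled_back'."""
    artifact = root / "releases" / release / "bundle.tar"
    # expected_sha256 comes from an already signature-verified manifest (assumption).
    if not hmac.compare_digest(sha256_file(artifact), expected_sha256):
        return "rejected"                 # unverified artifacts are never activated
    previous = Path(os.readlink(root / "current")).name   # known-good release
    switch_current(root, release)
    try:
        healthy = bool(health_check(root / "current"))
    except Exception:
        healthy = False                   # a crashing probe counts as a failed patch
    if healthy:
        return "applied"
    switch_current(root, previous)        # restore the previous known-good state
    return "rolled_back"

def demo():
    """Constructed releases in a temp directory; returns (outcomes, final target)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in (("v1", b"known-good"), ("v2", b"patched"), ("v3", b"broken")):
            (root / "releases" / name).mkdir(parents=True)
            (root / "releases" / name / "bundle.tar").write_bytes(body)
        switch_current(root, "v1")
        digest = lambda data: hashlib.sha256(data).hexdigest()
        outcomes = [
            apply_update(root, "v2", "0" * 64, lambda p: True),             # digest mismatch
            apply_update(root, "v2", digest(b"patched"), lambda p: True),   # verified, healthy
            apply_update(root, "v3", digest(b"broken"), lambda p: False),   # fails post-install
        ]
        return outcomes, os.readlink(root / "current")
```

Calling `demo()` runs all three cases against the constructed releases and returns the outcomes together with the final `current` target.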