Containers on the Edge: Deploying Embedded Linux Systems With Modern D... Tanya Sharma & Deep Kateja

The Linux Foundation

6 chapters7 takeaways18 key terms6 questions

Overview

This video explores deploying embedded Linux systems using modern containerization technologies, focusing on containers on the edge. It explains the principles of edge computing, the advantages of using Docker containers for portability, immutability, and isolation, and addresses the unique challenges of resource-constrained, intermittently connected, and security-sensitive edge environments. The presentation covers CI/CD pipelines, over-the-air (OTA) updates for both firmware and containers, optimization strategies for smaller, more efficient container images, and robust security practices. A live demo on a Raspberry Pi illustrates the end-to-end process of code commit, automated build, registry push, and over-the-air deployment.

How was this?

Save this permanently with flashcards, quizzes, and AI chat

Chapters

Edge computing is a distributed paradigm that moves computation and data storage closer to data sources, improving response times and saving bandwidth.
It complements cloud computing by handling local processing and real-time updates, whereas cloud excels at centralized analytics.
Key characteristics include distributed architecture, resource constraints (limited CPU, RAM, power), intermittent connectivity, and heightened security sensitivity due to physical accessibility.

Understanding edge computing is crucial because it enables faster, more responsive applications and services, especially for IoT devices and real-time systems where cloud latency is unacceptable.

Smart devices at home like Google Home that receive automatic updates over Wi-Fi, demonstrating the need for localized processing and updates without manual intervention.

Containers offer portability, allowing applications to run consistently across diverse hardware, CPUs, and operating systems.
Immutability ensures that updates replace entire read-only images, preventing configuration drift common in distributed systems.
Fast rollouts and rollbacks are possible because only updates, not the entire system, are deployed, minimizing downtime.
Isolation and reproducibility mean that what is tested in development is exactly what runs on the edge device, eliminating 'works on my machine' issues.
Containers are more resource-efficient than virtual machines, sharing the host OS kernel and consuming less CPU and RAM, which is vital for constrained edge devices.

Containers provide a standardized, efficient, and reliable way to package and deploy applications to edge devices, overcoming many of the complexities associated with traditional embedded system development.

Deploying updated AI/ML inference models frequently without needing to flash full firmware images, leveraging container portability and fast update cycles.

Resource limitations: Edge devices have minimal CPU, RAM, and storage, prohibiting heavy runtimes or full orchestration platforms.
Hardware diversity: Dealing with various chipsets, architectures, and interfaces necessitates multi-architecture images and device-specific configurations.
Intermittent connectivity: Systems must tolerate network disconnects, high latency, or expensive bandwidth, and function offline with local registries.
Over-the-air (OTA) update safety: Updates must be automatic, support dual partitions for rollback, and verify the OS and container runtime images.
Security: Physical access to devices requires measures like disk encryption and disabling debug ports, alongside hardware root of trust.

Recognizing these challenges is essential for designing robust, secure, and maintainable edge solutions that can operate reliably in diverse and often unpredictable environments.

Devices operating for 10-15 years require container images and OS kernels that are maintainable over long periods, while also protecting against physical tampering.

Docker solves the 'it works on my machine' problem by packaging applications with all their dependencies into lightweight, portable containers.
Docker Hub provides a registry for sharing and pulling pre-built container images, accelerating development workflows.
Docker Compose simplifies managing multi-container applications with a single YAML file and command.
Docker's `buildx` enables creating multi-architecture images (e.g., ARM64 and AMD64) from a single machine, crucial for diverse edge hardware.
Key Docker optimization strategies include multi-stage builds (reducing image size and attack surface), binary stripping (removing debug symbols), and selecting minimal base images like Alpine or Distroless.

Docker provides the tools and ecosystem necessary to build, share, and deploy containerized applications efficiently, especially for heterogeneous environments like the edge.

Using `docker buildx` to create a single image that can run on both a developer's laptop (AMD64) and a Raspberry Pi (ARM64) without modification.

CI/CD pipelines (e.g., GitHub Actions) automate the build, test, and deployment of container images, essential for managing numerous edge devices.
Automated workflows authenticate, build multi-arch images, and push them to registries, often with image attestation for security.
Over-the-air (OTA) updates are critical for remote device management, avoiding physical access.
Firmware updates can use a dual-partition strategy (A/B partitions) for atomic updates and easy rollback.
Container updates can be optimized by sending only binary diffs or using canary deployments to test updates on a small subset of devices before full rollout.

Implementing robust CI/CD and OTA update mechanisms ensures that edge devices can be reliably and securely updated remotely, maintaining their functionality and security posture over time.

A GitHub push triggers a GitHub Action that builds a multi-arch Docker image, pushes it to a registry, and a scheduled script on the Raspberry Pi pulls and deploys the new container, demonstrating the automated update flow.

Compute and memory efficiency are achieved by setting resource limits (CPU, RAM) for containers, allowing the system to kill non-compliant containers to prioritize critical ones.
Smart scheduling prioritizes more important containers (e.g., ADAS over infotainment) and can defer less critical tasks like batch analytics or log writing.
Minimizing hardware writes by mounting the root filesystem as read-only and pushing logs to RAM before periodic cloud sync reduces wear on storage.
Security involves hardening the kernel, running containers without root privileges, and establishing a secure supply chain with vulnerability scanning and image signing.
A secure supply chain includes pre-commit checks for secrets, signing CI pipelines, scanning for vulnerabilities, and using immutable registries with admission controllers as a final gatekeeper.

Optimizing resource usage and implementing layered security are paramount for the long-term reliability, performance, and integrity of edge devices, protecting them from misuse and failure.

Mounting the root filesystem as read-only and storing logs in RAM temporarily to minimize writes to the physical hardware, thereby extending its lifespan.

Key takeaways

1Edge computing brings processing closer to data sources to reduce latency and bandwidth usage, complementing cloud infrastructure.
2Containers, particularly Docker, are essential for edge deployments due to their portability, immutability, efficiency, and isolation capabilities.
3Embedded Linux systems present unique challenges like resource constraints, hardware diversity, and intermittent connectivity that require specialized solutions.
4Multi-architecture builds using tools like Docker `buildx` are critical for deploying applications across the wide range of hardware found at the edge.
5Optimizing container images through multi-stage builds, stripping binaries, and choosing minimal base images significantly reduces size and improves performance on resource-limited devices.
6Automated CI/CD pipelines and secure OTA update mechanisms are fundamental for managing and maintaining fleets of edge devices efficiently and reliably.
7Layered security, from kernel hardening to secure supply chains and non-root container execution, is vital to protect physically accessible edge devices from threats.

Key terms

Edge ComputingContainersDockerEmbedded LinuxCI/CDOver-the-Air (OTA) UpdatesMulti-architecture ImagesMulti-stage BuildsResource ConstraintsImmutabilityConfiguration DriftHardware Root of TrustDocker `buildx`Alpine LinuxDistroless ImagesImage AttestationCanary DeploymentsDual Partition Updates

Test your understanding

1What is the primary benefit of edge computing compared to traditional cloud computing for certain applications?
2How do containers address the 'it works on my machine' problem in distributed environments like the edge?
3What are the main challenges faced when deploying applications to resource-constrained edge devices?
4Why is creating multi-architecture container images important for edge deployments, and how does Docker `buildx` facilitate this?
5Describe the dual-partition (A/B) strategy for Over-the-Air (OTA) firmware updates and its advantages.
6What are some key optimization techniques for reducing the size and improving the performance of Docker images intended for edge devices?