Container Technology Energizes Edge Computing

New Opportunities with Container Technology

The security, portability, and agility of container technology complement the proven capabilities of the leading real-time operating system (RTOS), VxWorks®, now available for containerized deployments at the intelligent edge.

As the complexity of applications and their supporting infrastructures create new potential attack vectors for increasingly sophisticated hackers to exploit, containers in embedded systems offer a means to deliver responsive, secure application delivery to the intelligent edge. With these capabilities, aerospace and defense organizations, energy providers, large-scale manufacturers, and medical organizations can take advantage of low-latency, high-bandwidth performance for the most challenging applications.

In an article for ARC Advisory Group titled “Industrial Edge Containers,” Harry Forbes noted, “Thinking about these new capabilities and how they might be used, it seems to me that in the longer term, today’s sharp border between embedded systems and edge computing will become much blurrier. Indeed, today’s real-time embedded applications may eventually become a special case within a broader set of edge applications that are containerized and orchestrated very much the way cloud apps are deployed today.”¹

One good example of this trend: Avionics systems have evolved from fundamentally hardware-based solutions to agile, highly upgradable, software-defined infrastructures, enabling new technologies to be incorporated into systems on the fly, without substantial hardware replacements. Software container technology promises to be an effective means of countering cybersecurity threats through quick updates and patches, delivering benefits to both the commercial and aerospace/ defense sectors. The benefits of software containers, however, can only be fully realized if the security aspects of the technology are well understood and necessary protections are integrated into solutions as part of a DevSecOps process.

Forecast CAGR of the application container market, 2021–2026³

Container Technology Comes of Age

To make it easier to deploy long-lifecycle, embedded solutions that require minimal footprints, Wind River® introduced container technology to Wind River Linux in 2019.

VXWORKS WITH OCI COMPLIANCE

To further strengthen development of mission-critical applications — particularly well suited for edge computing use cases — Wind River recently launched VxWorks with OCI-compliant container support, making it possible to harness the same cloud infrastructure, tooling, and workflow that developers have used in familiar IT environments.

In developing container support for VxWorks, Wind River has pioneered a technological advance for RTOS applications and ushered in a new era, enabling small-footprint embedded solutions that are robust enough for critical edge-computing applications in a variety of industry sectors.

Docker, CoreOS, and other leaders in the container technology field established ground rules for container use and specifications to achieve compliance with open standards. Details on this open standard, as well as tools and sample code, are available through the Open Container Initiative and GitHub repositories.

Once application binaries have been developed, a standard Docker file is generated. An open-source tool, Buildah, then creates the container image, which is a packaged file bundle containing the components of the application. The container is then pushed to the container registry and copied to the targeted hosts as well. The container registry itself — a Docker hub, Amazon ECR, Harbor, or any other OCI-compliant registry — is available for secure container access over the lifecycle of the application. Updates posted to the registry can be pulled automatically or manually by any legitimate host using the application — or set of applications — packaged in the container. (See Figure 2, previous page.)

The process of distributing the containers can be handled in several different ways. For example, an aircraft after landing can taxi to the maintenance area, connect to the service infrastructure at the airport, and pull any recently updated containers from the registry in the system server. The container updates will then be incorporated into the aircraft system. A vehicle equipped with modern wireless capabilities can be driving past a 5G base station, receive a transmission with updates in a container, and then proceed to install the updates automatically once the car is parked at home in the garage.

Because the technologies used in the VxWorks container implementation follow the OCI guidelines to the letter, developers know that containers they build will function reliably across infrastructures that are constructed according to the OCI standard. Proprietary solutions for software deployment, on the other hand, lack the agility and predictability of standards-based solutions and are generally unpopular in the industry for those reasons. In contrast, OCI-compliant tools — following both the Image Format specification and Runtime specification — effectively span the ecosystem composed of container platforms and container engines, as well as standards-based cloud provider environments and on-premises infrastructures.

Ensuring Container Security

Security is a vital issue in any type of software deployment, and if container technology is to become successful in environments that call for heightened security — such as aerospace and defense, automotive applications, energy grids and subsystems, robotics implementations, and so on — extra measures for hardening solutions are needed.

Cloud-native, open-source registries typically provide a layer of security when using containers. For example, Harbor employs policies and rolebased access control to secure container components. Each container image is scanned to ensure that it is free of known vulnerabilities and then signed as trusted before distribution. For sensitive, mission-critical deployments, Harbor provides a level of assurance when moving containers across cloud-native compute platforms.

Following DevSecOps software development best practices is one of the most effective means of protecting container security. The Department of Defense has published the Container Hardening Guide (October 2020), which outlines DevSecOps processes that are important for guarding against security breaches.

The VxWorks container engine takes advantage of security features available in VxWorks, including verifying digital signatures. System architects can develop a level of security consistent with the attack surface and operating environment in which a container is deployed. A range of protections is available, from initial boot operations through the power-down sequence. The principles of the CIA triad — confidentiality, integrity, and availability — represent the foundational concept upon which VxWorks container security is based.

A Confluence of Technologies Gives Birth to the Intelligent Edge

Computer solutions that are optimally suited for the intelligent edge are a growing need as more and more applications require low-latency, high-bandwidth performance to meet requirements.

To deliver the necessary degree of performance, the intelligent edge relies on several emerging technologies, including 5G networking, artificial intelligence and machine learning, IoT and mobility advances, and — increasingly — container technology.

Among the use cases in which containers can help resolve challenges at the edge are:

• Manufacturing operations and industrial robotics: AI-based automation is bolstered by compact, low-power installations that require the mission-critical reliability delivered by an embedded RTOS.
• Innovative healthcare delivery: Remote patient care, health monitoring systems, counseling, and other healthcare practices that have helped medical organizations deal with the COVID-19 pandemic can benefit from the security and agility of container technology.
• Autonomous vehicles and smart city operations: Lightweight, low-power operations are a vital factor in many embedded use cases involving AI-controlled vehicles, communication between vehicles, traffic flow monitoring, advanced driver assist systems (ADAS), and citywide warning and alert systems.
• Retail customer personalization and communication: Automated information kiosks, personalized signage displays, rich media product demonstrations, and online ordering systems can tap into the flexibility and power of container technology implemented at the intelligent edge.

To illustrate the process involved in performing a live container update on a running system, Wind River Senior Director of Product Management Michel Chabroux produced a video demonstration that depicts the process.

The demonstration shows a Python web server and simulates the need for an end-of-field update to be accomplished manually. “That update,” Chabroux said, “consists of shutting down the application and retrieving the new version from the container registry.” Docker Hub is used for the demonstration, but any other container registry deployed at the edge, such as Iron Bank, could be used as well. In the example, the container is pulled from the registry and restarted with a new version of the application.

Knowing the container is available, Chabroux continued, “we can now pull it directly from the running system. VxWorks at the edge is going to pull an OCI container just like you would do on any system.” The data from Docker Hub confirms that the container has been downloaded. Logic can be employed verifying that the container has all the correct data.

The demonstration shows the ease with which a live VxWorks system can manage container deployment, updating an application that was shut down and then restarting the new version, operating in the same way container deployment is handled in a typical IT environment.