2020-10-29, Beginner Room
Production-ready embedded Linux systems require - among other traits - operational robustness while occupying a compact storage space. Besides, those systems often lack network connectivity. On top of that, running containers on this type of system brings up many challenges from the industrialization point of view.
This presentation will describe how these problems can be addressed from a system industrialization perspective, and how these requirements can be implemented using an immutable root filesystem featuring build-time Docker image integration. A quick demonstration will highlight these approaches using a meta-layer developed to put those techniques into practice.
Our use-case is to run one or more Docker containers on an embedded platform with a read-only root filesystem and no connectivity. In addition, the Yocto build system itself is containerized, which brings up additional challenges.
The first part focuses on the description of the challenges raised by this use-case, which are the reproducibility of the generated image, the build-time provisioning of a container image, and the reliability of the target system - and how these requirements can be met. Integrating Docker container images in a Yocto system often implies a host-side container engine running on the build machine.
Using a Docker container to perform the build phase allows the build environment to be portable and reproducible on any Linux machine. However, in our approach of embedding Docker containers, this situation requires a "Docker-in-Docker" solution within Yocto.
Reliability of the embedded system is one of the most important priorities, so the options for the writable backend storage used when Docker is launched at boot time will be discussed. With all these requirements in mind, we focus on two possibilities for integrating Docker containers within a Yocto system.
The first possibility is to embed a Docker image archive into the root filesystem. At boot time, the target system launches Docker, initializes a Docker store on a writable partition, loads the image archive into that store, and runs the container from it.
The second possibility is to embed the Docker store (i.e. /var/lib/docker) into the target root filesystem at build time, in which case the image is pulled and integrated by BitBake.
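As an added illustration of the first possibility (not code from the talk or from the speakers' meta-layer), the following POSIX shell script shows the boot-time sequence on a read-only root filesystem: refuse to proceed unless the writable partition used as dockerd's data-root is actually writable, verify the embedded archive against a build-time SHA-256 before loading it, skip the load on later boots when the tag is already in the persistent store, and start the container. The paths, the image tag, the `.sha256` sidecar file, the container name and the `DOCKER` override variable are all assumptions.

```shell
#!/bin/sh
# Added example: boot-time provisioning of an embedded Docker image archive
# on a read-only rootfs with a persistent store on a writable partition.
# Paths, image tag and the checksum sidecar are assumptions, not the talk's.

DOCKER="${DOCKER:-docker}"                          # engine CLI; overridable so the logic can be exercised without Docker
DATA_ROOT="${DATA_ROOT:-/data/docker}"              # assumed writable partition configured as dockerd's data-root
IMAGE_ARCHIVE="${IMAGE_ARCHIVE:-/usr/share/docker-images/app.tar}"  # assumed archive baked into the rootfs at build time
IMAGE_REF="${IMAGE_REF:-example/app:1.0}"           # assumed tag contained in the archive
CONTAINER_NAME="${CONTAINER_NAME:-app}"             # assumed container name

log() { printf 'embedded-docker: %s\n' "$*" >&2; }

# Return 0 if DIR exists and a file can be created in it. dockerd must never be
# started with its data-root on the read-only rootfs, so this is checked first.
dir_is_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    probe="$dir/.rw-probe.$$"
    if : > "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Compare the archive with the SHA-256 recorded at build time in "<archive>.sha256"
# (assumed to be written by the build next to the archive, "<hash>  <name>" format).
# This catches a truncated or corrupted archive before it reaches the store.
archive_checksum_ok() {
    archive="$1"
    expected=$(cut -d' ' -f1 "$archive.sha256") || return 1
    actual=$(sha256sum "$archive" | cut -d' ' -f1) || return 1
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Return 0 if the tag already exists in the store (loaded during an earlier boot).
image_present() {
    "$DOCKER" image inspect "$1" >/dev/null 2>&1
}

# Load the archive into the store unless the tag is already there.
# Exit status: 0 = image available, 1 = missing/corrupt archive or load failure.
provision_image() {
    archive="$1"; ref="$2"
    if image_present "$ref"; then
        log "image $ref already in store, skipping load"
        return 0
    fi
    [ -f "$archive" ] || { log "archive $archive not found"; return 1; }
    archive_checksum_ok "$archive" || { log "checksum mismatch for $archive"; return 1; }
    log "loading $archive"
    "$DOCKER" load -i "$archive" >/dev/null || return 1
    image_present "$ref" || { log "archive did not contain $ref"; return 1; }
}

container_exists() {
    "$DOCKER" container inspect "$1" >/dev/null 2>&1
}

# Full boot sequence: storage check, provisioning, then start or create the container.
boot_sequence() {
    dir_is_writable "$DATA_ROOT" || { log "$DATA_ROOT is not writable, refusing to start"; return 1; }
    provision_image "$IMAGE_ARCHIVE" "$IMAGE_REF" || return 1
    if container_exists "$CONTAINER_NAME"; then
        "$DOCKER" start "$CONTAINER_NAME"
    else
        "$DOCKER" run -d --name "$CONTAINER_NAME" --read-only "$IMAGE_REF"
    fi
}

# Run the sequence only when invoked explicitly (e.g. from a systemd unit with
# "ExecStart=/usr/bin/embedded-docker-boot.sh --boot"); sourcing just defines functions.
if [ "${1:-}" = "--boot" ]; then
    boot_sequence
fi
```

The checksum step is a robustness check rather than the authenticity boundary: on a read-only rootfs whose integrity is protected by the image-level mechanisms the talk relies on, the archive is already covered, so the sidecar only guards against a damaged archive or a partially written partition. The `DOCKER` variable exists so the provisioning logic can be driven by a stub on a build host.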
Finally, a quick demonstration will highlight both possibilities with our custom meta-layer.
After working six years for the French government as a software developer, Sandra crossed the Atlantic to be part of the Connected Devices and Product Engineering team at Savoir-Faire Linux in Montréal. She has mostly been working on building board support packages (BSPs) for several clients. Sandra likes to cook with Yocto, Buildroot build system and also actual food.
Sébastien LE STUM is an embedded engineer and Director at Savoir-faire Linux.
After years building hardened Linux kernels and distributions for cybersecurity and French defence equipment, he continued his Linux journey by helping industrial companies build their products and solve their problems using open-source solutions from the Linux ecosystem.
A cybersecurity and Linux enthusiast who plays with TPM and UEFI apps from time to time, he also enjoys crafting random applications in Rust.