For the most part, container technologies have been developed for traditional enterprise IT environments and have enabled modern cloud architecture. But there are also similarities and advantages to adopting containers for the Industrial Internet of Things (IIoT), according to Tim Winter, chief technology officer at Machfu, a provider of IIoT solutions.

A container is a lightweight virtualization technology that consists of an entire runtime environment: an application, plus all its dependencies, libraries and other binaries, and configuration files needed to run it, bundled into a single package. By containerizing an application platform and its dependencies, differences in operating system distributions and underlying infrastructure are abstracted away. 

“A container software development process creates a repository of  ‘stuff,’ which is your application and the supporting software, and it builds what’s called a container image – kind of like a layer cake of the application and supporting software,” said Harry Forbes, an analyst at ARC Advisory Group. 

According to research firm Gartner, more than 75% of global organizations will use containerized apps in production by 2022. 

The Benefits of Containers 

Because all application elements “containerized” into a package, the application can be shipped off to run on any computing environment, reducing complexity as applications are deployed and updated in different environments, Forbes said.

Containers can also benefit a fast-changing environment through their isolation. Modules interact with one another only through well-defined application programming interfaces (APIs) and are otherwise independent. Thus modules can be updated without affecting others, 

Isolation becomes important as the pace of changes and updates to applications increases. 

So too, containers also enable the Holy Grail of edge computing: that is, intelligent, or AI-enabled, processes at the edge.

“With the growing demand to process data in real time and avoid the high costs of transferring and storing the high-volume and high-speed raw telemetry data onto the cloud,” said Ayush Tiwari, senior IoT product manager, PTC, an IIoT solution provider, “more IoT users are preferring to pre-process the data, transform it and run their custom business logic right at the edge.” Then artificial intelligence and machine learning-enabled models can be trained and deployed via on-premises, isolated containers on edge devices.

In addition, because it’s critical to secure and update software deployed at the edge with the latest patches and features, it has become important to run containerized workloads that can be easily managed and operated from the cloud, he said.

“By shifting certain workloads to the edge of the network, connected products spend less time communicating with the cloud, can react faster to local changes in context, and operate reliably even in low-network bandwidth areas,” Tiwari said.

[For more coverage on Industrial IoT, take part in Industrial IoT World this December.}

Using Containers for IIoT Devices: Partitioning Improves Security

As such, containers are compelling for such non-enterprise uses as IIoT edge devices. Because these containerized packages and their contents are partitioned from one another and the rest of the system, they can be updated individually without affecting other containerized applications on the same server, according to Winter.

When using containerization technologies for IIoT, it’s important to think about the partitioning properties of a container (known as sandboxing), he said. 

“So, instead of having just one container that performs all the monolithic operations at the edge, could we have, conceptually, two containers? One container, for example, might be responsible for acquiring data and another container might be responsible for configuring the edge device,” Winter said.

Partitioning edge functionalities between different containers means one container can be granted greater privileges than another, Winter said.

“In the utility industry, there are different drivers for security and things like that where partitioning pieces of the application …  are advantages,” he said. 

An application component, for example, that periodically reads, assesses and reports alarms could be granted read-only privileges to interact with an edge device. However, an application whose role it is to perform a software upgrade on the edge device would have to have more privileges and would be secured in a different way, Winter said.

“From the enterprise side it may be like an administrator role, as opposed to a read-only data acquisition role,” he said. “So being able to partition the functions at the edge is consistent with modern security best practices.”

The ability to separate application components enhances implementation by preventing the behavior of one application from directly affecting another, and also allows developers to more easily enhance edge devices, according to Winter. In addition, implementing operating system-level controls and policies allows developers – by design – to better limit the potential effect of security breaches on a system. 

But because the applications are separated, developers have to implement an inter-process communication (IPC) scheme/remote procedure call (RPC) scheme so separate applications can interact within the edge node, Winter said. Developers also have to authenticate and control these IPC/RPC schemes so they allow only approved interactions, he added. 

“You really cannot run a process on the device itself in an industrial setting because most of the devices are very, very simple sensors and they have a very small CPU [central processing unit],” said Stefano Iannucci, assistant professor, Department of Computer Science and Engineering, Mississippi State University.

“So you really need to combine all these sensors and actuators in a way that they are orchestrated by some process that is necessarily run by other components,” he added.

These components can run either in the cloud or on the edge – and most of the time, these components run in containers.

“With the Industrial Internet of Things, you use containers to implement the functionalities that could not be otherwise implemented in the things themselves,” Iannucci said.

One benefit of containers for IIoT is that developers can create container development-and-deployment environments that enforce specific work and testing processes before they deploy applications into production environments, according to Forbes.

Forbes explained the steps necessary for developers to use containers to develop applications for IIoT.

“There’s a development pipeline … to create the repository, where they keep all the various versions of the software they have and the container system, such as Docker, which is the software that packages all this stuff,” Forbes said.

The container deployment then takes the elements from the repository, builds a container image, and pushes it out to a target system, he said. 

“And the target system is where the IIoT comes in,” Forbes said. “You may have one target system, you may have a hundred, you may have a thousand. And [using containers] it’s not significantly more difficult to update a thousand systems than it is to update one. “Containers are a very economical and excellent way to manage an application that you have running in a hundred or a thousand places.”

At the same time, containers don’t solve every problem, and indeed, they invite a few. Containers are ephemeral—they can be created and torn down easily—so visibility into them and tracking can be problematic.