Update Strategies for the Edge
There’s a better way.
@jfrog | Copyright © 2019 JFrog. All Rights Reserved

Kat Cosgrove
IoT Engineer, Developer Advocate
Twitter: @Dixie3Flatline
Email: katc@jfrog.com
jfrog.com/shownotes

How large is the Edge?

20,400,000,000
That’s a lot of devices.

Updates Today
  • They don’t update; device is effectively single-use
  OR
  • It’s time-consuming, complicated, or requires physical access

Why change?

It’s beyond inconvenient
  • Edge computing is massive and growing
      - Consumer
      - Industrial
      - Medical
  • Slow OTA updates are annoying
  • Wired updates are expensive and more annoying

It’s dangerous
Unpatched bugs can be a huge vulnerability
  • Expose private data
  • Harnessed for a botnet
  • Used for cryptocurrency mining
  • Safety implications for medical

What’s slowing us down?

Not building for it.
Many devices are not made to be updated.
  • Designed to run one version until the end
  • “Update strategy” here is flashing the device
  • Bugs are inevitable

Between 1 and 25
Number of bugs per 1000 LOC

Connectivity Concerns
We can’t rely on the device’s network
  • Networks may be unstable
  • Bandwidth may be low
  • Network probably isn’t secure

Hardware Variations
  • It’s 20.4 billion devices
  • Lots of specialized hardware
  • Variations in memory, storage space, architecture
How do we design something that handles so much variety?

Think future-forward.
Updates are your friend. Embrace updates, not security nightmares.

Get better with age.
Your product should not be getting worse from the moment it ships.

Build robust.
Brittle software means a brittle device, and that doesn’t inspire trust.

Modern DevOps tools.
Your developers will thank you and things will run more smoothly.

The Proof of Concept

Cars Now
  • Majority not designed for OTA updates
  • OTA updates are still slow and inconvenient
  • Little standardization
  • Significant portion of recalls are due to software

Cars as Edge Devices
  • Presented a range of solvable pain points in one device
  • Tangible example for end users and manufacturers
  • Device in question meant speed, reliability, and safety were equally important

Workflows and Tools

Two Distinct Workflows

Software Updates
  • Without flashing firmware
  • No interruption of user
  • Takes only seconds
  • Relies on K3S and Helm

Firmware Updates
  • More difficult update
  • Takes only minutes
  • Rollback if there is a failure
  • Relies on Mender, Yocto, and Artifactory

Software Workflow

[Diagram: software workflow. Labels: Pipelines, VCS & CI, Code & Build, CD, Artifactory, Xray, Schedule Containers, K3S + Helm, Access, Mission Control, Deploy to production (car)]

JFrog Xray
  • Vulnerability scanning tool
  • All major package types supported
  • Continuously scans your artifacts
  • Risk Based Security’s VulnDB

Kubernetes, but 5 less

K3S
  • Lightweight Kubernetes, designed for Edge devices
  • Uses only 512 MB of RAM
  • 40 MB binary
  • Very minimal OS requirements

A package manager for Kubernetes

Helm
“Charts” describe complex applications
  • Easily repeatable installation
  • Final authority on application
  • Easy to version
  • Supports rollbacks

Helm Charts

The Result - Software
Application updates are quick and efficient
  • Average of 35 seconds from dev to car
  • No interruption for the user
  • Can happen while device is in use
  • Could happen silently, depends on device purpose

Firmware Workflow

[Diagram: firmware workflow. Labels: Pipelines, VCS & CI, Code & Build, Xray, Artifactory, Embedded OS, Access, Mission Control, Deploy to production (car)]

OTA updates for embedded Linux devices

Mender Overview
Ticks several of the boxes we’re looking for:
  • Updates are signed and verified
  • Supports automatic rollbacks
  • Several distinct installation strategies
  • Dual A/B strategy

Mender - A/B
Two partitions are on the device
  • Bootloader aware of “active”
  • Update streams to “inactive”
  • Automatically revert to previous partition on failure

[Diagram: A/B partition layout. Labels: Bootloader, Kernel Initramfs A, User Space A, Update A, Kernel Initramfs B, User Space B, Update B]

Now let’s handle the size of our builds.
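The A/B flow from the Mender slide, modelled as an added Python example (not from the talk and not Mender's code). The class, slot names, health-check callback and sample images are constructed for illustration, and a SHA-256 digest comparison stands in for the signature verification step.

```python
import hashlib

class ABDevice:
    """Toy model of a dual-partition device (hypothetical names, not Mender's API)."""
    def __init__(self, image: bytes):
        self.slots = {"A": image, "B": b""}
        self.active = "A"        # slot the bootloader boots by default
        self.pending = None      # slot on trial after an update, if any

    def install(self, chunks, expected_sha256: str) -> bool:
        """Stream an image into the inactive slot; mark it for trial only if it verifies."""
        target = "B" if self.active == "A" else "A"
        digest, written = hashlib.sha256(), bytearray()
        try:
            for chunk in chunks:             # the active slot is never written to
                digest.update(chunk)
                written += chunk
        except ConnectionError:
            return False                     # unstable network: device keeps running as-is
        self.slots[target] = bytes(written)
        if digest.hexdigest() != expected_sha256:
            return False                     # stand-in for a failed signature check
        self.pending = target
        return True

    def reboot(self, healthy) -> str:
        """Boot once; healthy(image) models the new system's post-boot self-check."""
        if self.pending is not None:
            if healthy(self.slots[self.pending]):
                self.active = self.pending   # commit the update
            self.pending = None              # on failure the old slot stays active
        return self.active

def flaky_stream():
    """Constructed input: a download that drops after the first chunk."""
    yield b"v4-"
    raise ConnectionError("link lost")

def demo():
    dev = ABDevice(b"v1")                    # constructed sample images below
    sha = lambda b: hashlib.sha256(b).hexdigest()
    ok = dev.install([b"v2-", b"good"], sha(b"v2-good"))
    after_good = dev.reboot(lambda img: True)       # healthy update is committed
    dev.install([b"v3-broken"], sha(b"v3-broken"))
    after_bad = dev.reboot(lambda img: False)       # failed self-check: rollback
    tampered = dev.install([b"v4-evil"], sha(b"v4-good"))
    dropped = dev.install(flaky_stream(), sha(b"v4-good"))
    return ok, after_good, after_bad, tampered, dropped, dev.slots[dev.active]
```

In every failure case the device keeps booting the last image that passed its self-check, because only the inactive slot is ever written.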

Custom Linux distributions for any hardware architecture

Yocto Overview
  • Eliminates OS bloat
  • Drastically reduces resources required
  • BitBake recipes and layers define your build
  • Layers for common configurations are provided
  • Custom layers to isolate applications or behaviors

Yocto Layers

Yocto and Artifactory
  • After first build, we can make things much faster
  • Yocto cache allows for incremental updates
  • Build cache can be stored in Artifactory
  • Reduces time required to build by up to 50%

The Result - Firmware
  • Cuts the total time after first build to 5-10 minutes
  • Build is as small as possible
  • Updates are signed and secure
  • Automatic rollbacks in case of failure
Success!

Wrapping Up

  • Edge and IoT updates are broken
  • This is a security problem that must be addressed
  • Modern DevOps tools are here to help

THANKS!
@Dixie3Flatline
katc@jfrog.com
jfrog.com/shownotes