[using-containers-on-embedded-linux](https://sergioprado.blog/using-containers-on-embedded-linux/) | [ Running containers on embedded Linux ](https://www.youtube.com/watch?v=b3ViCfkU3J4&t=2422s) | [docker](https://github.com/moby/moby) | [Integrating Docker containers in Yocto](https://www.youtube.com/watch?v=rrYnYJ8LxWM) | [Embedded Containers as a Deployment Component via the Yocto Project ](https://www.youtube.com/watch?v=8twRZzp3Pi8) | [yoctoproject](https://docs.yoctoproject.org/singleindex.html) | [ Yocto, Docker and Raspberry Pi ](https://www.youtube.com/watch?v=8Zdf1TmFIEs)

# Using Containers on Embedded Linux

## Would it be a Good Idea to Use Containers on an Embedded Linux System?

Some time ago, I wrote an introductory article on Linux containers. In that article, I highlighted several embedded Linux distributions based on containers, including Linux microPlatform from Foundries.io, Torizon from Toradex, and balenaOS from balena.

These projects provide a Linux distribution built around a container-based infrastructure using Docker to run and manage containers. The idea is to install the distribution on your embedded hardware platform and develop or run applications inside container images.

## Linux Containers

By the end of the article, I raised some questions. Are embedded systems equipped with sufficient hardware resources to run containers? How can we efficiently package cross-compiled applications and their dependencies into container images? And, how do we manage software licenses for various artifacts (base OS, container images, etc.)?

This article will delve into these challenges and provide more clarity. But first, let's look at the motivations behind using containers in embedded Linux systems.

![](https://sergioprado.blog/images/20200114-containers.png)

## Why Would We Use Containers on an Embedded Linux System?

### Motivations for Using Containers

A major motivation for using containers comes from the frustration developers face with traditional build systems. Many developers, especially those transitioning from the microcontroller world, find it difficult to grasp the concepts and tools offered by build systems such as Buildroot or the OpenEmbedded/Yocto Project. These build systems can be overwhelming, and developers sometimes want to avoid building everything from scratch.

It is often more productive to work with a ready-made Linux distribution. The process of creating and maintaining a customized Linux distribution with a build system is more time-consuming compared to creating container images. With containers, developers can focus on application development, spending less time managing the underlying infrastructure.

Additionally, containers help extend a distribution with new applications by simply adding new container images. The availability of ready-to-use container images in Docker Hub can significantly speed up development. Containers improve productivity by simplifying deployment and management tasks.

Embedded devices are increasingly part of larger, more complex solutions. A containerized infrastructure can help manage these devices more efficiently, dividing system components (such as user interface applications, web servers, databases, and network tools) into isolated containers. This makes managing the "building blocks" of the system (installation, uninstallation, configuration, updates) much easier.

One of the key advantages of containers is the ease with which they enable robust, fast, and fail-safe update systems. Since container images are easily distributable, large file transfers over networks are avoided, which is especially beneficial for devices with limited connectivity. The ability to stop and start containers effortlessly makes updating systems simpler, with reduced risk of issues. This encourages more frequent updates, improving the quality and security of the product, which in turn builds consumer confidence.

Containers also allow better control over the hardware resources of a system. Fine-grained control over CPU, memory, and I/O usage can be achieved by partitioning the system's resources between containers. Each container can be isolated, with restricted permissions and controlled communication between processes, which strengthens security by reducing attack vectors.

Another challenge that containers address is the problem of legacy applications requiring older versions of specific libraries. With containers, the application is packaged together with its dependencies, making it easier to manage different versions without the need to maintain complex execution environments.

Furthermore, containers promote the development of modular systems that are more portable and reusable. A container image can be reused across different products and devices, provided they share the same hardware architecture and kernel compatibility.

In essence, containers bring the technology of microservices and the culture of DevOps into the world of embedded systems!

### But There Are Challenges

Despite the clear advantages, there are still challenges to be addressed:

1. **Increased Resource Consumption**  
   Containers can increase the consumption of hardware resources, particularly CPU, memory, and storage. The base Linux distribution must include components to manage and run container images (e.g., Docker engine). Additionally, as each container image is an isolated environment, this results in duplicated libraries and an increase in storage and RAM usage during execution. To mitigate this, container images must be designed with resource optimization in mind.

2. **Flash Memory Wear and Tear**  
   Frequent writes to the file system can wear out flash memory, which is often used in embedded systems. Embedded systems are typically designed to last for many years (often 10+ years), and excessive writes to flash memory could lead to failure or file system corruption. To combat this, efforts should be made to minimize writes to the flash device.

3. **Cross-Compiling Containers**  
   Creating a container image for a target platform (e.g., ARMv7) with cross-compiled binaries is not a straightforward task. For example, creating a Docker container image for ARMv7 with Qt5, glibc, libusb, and a Qt5 application on an x86-64 host requires specialized tools like Docker Buildx. However, cross-compilation may not always produce optimized code for the target platform. While build systems like Buildroot or OpenEmbedded/Yocto Project can solve this, they come with their own learning curve—something many developers seek to avoid when adopting containers.

   Some vendors are working to simplify this process. For instance, Toradex offers a plugin for Visual Studio that helps developers compile applications, package them into Docker container images, and deploy them to the target system with a single click.

4. **Creating and Deploying the Final Image**  
   Developing applications in containers is simple—just install the base image and develop within containers. However, managing changes in the base image and integrating the entire system (base Linux distribution + container images) into a final production image is more complex. A strategy for provisioning this final image in production environments is necessary.

5. **Software License Management**  
   A significant challenge in using containers is managing software licenses. With embedded systems relying on free software, manufacturers are obligated to provide license compliance information and source code for the software used in the product. But how do you consolidate licensing information for both the base Linux distribution and the various container images?

6. **Version Management**  
   Although containers make updates easier, they can complicate the management of device versions in the field. With containers, it is possible to update individual container images independently, leading to a scenario where multiple versions of a container are running on devices. This can create compatibility issues between container versions, which may result in system failures if the wrong combinations are used. A well-structured update system is required to manage container versions and dependencies effectively.

## Conclusion

So, are containers the future of embedded Linux systems? The answer isn’t entirely clear.

The container-based approach is innovative, representing a paradigm shift that brings server-side technologies and DevOps practices to the edge of embedded systems. It’s particularly useful for rapid prototyping and for developing systems that rely on different, incompatible versions of the same libraries.

However, for simpler embedded Linux projects, containers may seem inefficient. The control offered by traditional build systems like Buildroot or OpenEmbedded/Yocto Project is highly valued, especially for developers accustomed to fine-tuning their systems to optimize every byte and CPU cycle.

That said, hardware is becoming more commoditized, and understanding how microservices and DevOps practices can be applied to embedded Linux systems is crucial. Perhaps I just need a paradigm shift to fully grasp the potential of containerized embedded Linux systems.

In the end, only time and the market will reveal the true potential of containers in embedded Linux systems.


[ Designing Secure Containerized Applications for Embedded Linux Devices ](https://www.youtube.com/watch?v=ZxEPNQW7D6s&t=260s)

[ADDITIONAL RESOURCES](https://www.youtube.com/watch?v=ACPKAE8RXgM) | [ADDITIONAL RESOURCES](https://www.youtube.com/watch?v=vl8RBLmGxPg) | [ADDITIONAL RESOURCES](https://www.youtube.com/watch?v=jPbcQEffzJo) | [containerd runc](https://medium.com/@bibhup_mishra/docker-vs-containerd-vs-runc-c39ffd4156fb)

# **Docker vs Containerd vs RunC: Leveraging Containers for AI on Embedded Systems**

In the world of containers, terms like Docker, Containerd, and RunC often come up. Each plays a vital role in container ecosystems, but they are especially relevant when running AI applications on embedded systems. Let's break down their differences and explore how to choose the right solution for deploying AI workloads in constrained environments.

---

### **Understanding the Stack**

1. **Docker**
   - **What It Is**: A high-level container management tool that simplifies building, shipping, and running containers.
   - **Why It Matters**: Docker provides a developer-friendly interface, allowing you to easily create and manage container images using Dockerfiles.
   - **Relevance for AI on Embedded Systems**:
     - Quick setup for development and testing.
     - Pre-built AI container images available on Docker Hub, reducing setup time.
     - Overhead: Docker may introduce unnecessary overhead for resource-constrained embedded devices.

2. **Containerd**
   - **What It Is**: A mid-level container runtime that handles container lifecycle management (e.g., starting, stopping, and managing images).
   - **Why It Matters**: Containerd is lightweight compared to Docker and provides all the necessary functionalities to run containers without the additional overhead of a high-level tool.
   - **Relevance for AI on Embedded Systems**:
     - Better performance on devices with limited CPU and memory resources.
     - Integrates well with Kubernetes if orchestration is needed.
     - Allows a more tailored runtime environment for specific AI applications.

3. **RunC**
   - **What It Is**: A low-level container runtime that implements the Open Container Initiative (OCI) runtime specification.
   - **Why It Matters**: RunC is the foundation for container execution, providing the isolation and resource management needed to run containers.
   - **Relevance for AI on Embedded Systems**:
     - Minimal overhead, making it suitable for ultra-constrained devices.
     - Full control over container execution and resource isolation.
     - Requires more manual configuration and expertise.

---

### **Challenges of Running AI on Embedded Systems**

Embedded systems often have limited resources (CPU, memory, storage) and specific hardware acceleration (e.g., GPUs, TPUs, or NPUs) for running AI workloads. Containers help address these challenges by:
- **Standardizing Deployment**: AI models and dependencies are packaged into lightweight containers.
- **Improving Portability**: Containers ensure that the AI application runs consistently across different devices.
- **Resource Isolation**: Containers provide fine-grained control over resource allocation, which is critical for embedded systems.

However, the choice of the container runtime significantly impacts performance and resource efficiency. Here’s how Docker, Containerd, and RunC stack up for embedded AI applications.

---

### **Best Practices for Choosing a Container Runtime**

1. **Start with Docker for Development**:
   - Use Docker for building and testing your AI application.
   - Leverage Docker’s rich ecosystem of tools, such as Docker Compose, to simulate multi-container setups during development.

2. **Optimize with Containerd for Deployment**:
   - When deploying to embedded systems, switch to Containerd to reduce overhead.
   - Containerd’s integration with Kubernetes can help manage multiple AI containers efficiently if your device operates in a cluster environment.

3. **Use RunC for Maximum Efficiency**:
   - For highly constrained devices, RunC offers the lowest overhead.
   - Ideal for edge AI applications where every bit of performance matters.
   - Requires custom scripts or tooling to manage containers, which might increase complexity.

---

### **Case Study: Deploying AI Models on an Embedded Device**

Imagine deploying a real-time object detection model on an embedded system, such as a Raspberry Pi or NVIDIA Jetson Nano. Here’s how the stack might look:

- **Development Phase**:
  - Use Docker on a workstation to containerize the AI model and its dependencies (e.g., TensorFlow, PyTorch).
  - Test the container locally to ensure compatibility.

- **Deployment Phase**:
  - Transition to Containerd to reduce runtime overhead on the embedded device.
  - Use hardware acceleration libraries (e.g., CUDA for Jetson devices) inside the container.

- **Optimization Phase**:
  - For ultra-constrained environments, strip down the container runtime to RunC.
  - Manually configure resource limits (e.g., memory, CPU shares) to ensure efficient usage.

---

### **Conclusion**

When deploying AI applications on embedded systems, understanding the differences between Docker, Containerd, and RunC is essential:
- **Docker** is ideal for development and prototyping.
- **Containerd** strikes a balance between functionality and efficiency for deployment.
- **RunC** provides maximum performance for resource-constrained devices.

By choosing the right tool for each phase of your AI application’s lifecycle, you can optimize resource utilization and ensure reliable performance, even on the most constrained embedded systems. Containers are not just a trend—they are a powerful enabler for edge AI, and mastering these tools will put you ahead in the race for intelligent systems.



```bash

ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx create --use --name raspi4
raspi4


ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx inspect --bootstrap
[+] Building 331.6s (1/1) FINISHED                                                                                        
 => [internal] booting buildkit                                                                                    331.6s
 => => pulling image moby/buildkit:buildx-stable-1                                                                 327.0s
 => => creating container buildx_buildkit_raspi40                                                                    4.6s
Name:          raspi4
Driver:        docker-container
Last Activity: 2025-01-23 17:01:27 +0000 UTC

Nodes:
Name:     raspi40
Endpoint: unix:///var/run/docker.sock
Error:    Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.47/containers/buildx_buildkit_raspi40/json": context deadline exceeded
ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx inspect --bootstrap
Name:          raspi4
Driver:        docker-container
Last Activity: 2025-01-23 17:01:27 +0000 UTC

Nodes:
Name:                  raspi40
Endpoint:              unix:///var/run/docker.sock
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement=network.host
BuildKit version:      v0.18.2
Platforms:             linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         a11342d7a1d2
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:            false
 Filters:        type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration:  48h0m0s
 Max Used Space: 488.3MiB
GC Policy rule#1:
 All:            false
 Keep Duration:  1440h0m0s
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 43.77GiB
GC Policy rule#2:
 All:            false
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 43.77GiB
GC Policy rule#3:
 All:            true
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 43.77GiB

ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker run --rm --privileged multiarch/qemu-user-static --reset -p yes

ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx create --use --name raspi4 --platform linux/amd64,linux/arm64
ERROR: existing instance for "raspi4" but no append mode, specify the node name to make changes for existing instances

ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx create --append --name raspi4 --node raspi40 --platform linux/amd64,linux/arm64
WARNING: new settings may not be used until builder is restarted
raspi4
ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx rm raspi4
raspi4 removed

ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx create --use --name raspi4 --platform linux/arm64
raspi4
ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx inspect --bootstrap
[+] Building 3.6s (1/1) FINISHED                                                                                          
 => [internal] booting buildkit                                                                                      3.6s
 => => pulling image moby/buildkit:buildx-stable-1                                                                   2.1s
 => => creating container buildx_buildkit_raspi40                                                                    1.5s
Name:          raspi4
Driver:        docker-container
Last Activity: 2025-01-23 17:17:54 +0000 UTC

Nodes:
Name:                  raspi40
Endpoint:              unix:///var/run/docker.sock
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement=network.host
BuildKit version:      v0.18.2
Platforms:             linux/amd64*, linux/arm64*, linux/amd64/v2, linux/amd64/v3, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, linux/arm/v6
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         69d9ddef78f8
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
GC Policy rule#0:
 All:            false
 Filters:        type==source.local,type==exec.cachemount,type==source.git.checkout
 Keep Duration:  48h0m0s
 Max Used Space: 488.3MiB
GC Policy rule#1:
 All:            false
 Keep Duration:  1440h0m0s
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 43.77GiB
GC Policy rule#2:
 All:            false
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 43.77GiB
GC Policy rule#3:
 All:            true
 Reserved Space: 9.313GiB
 Max Used Space: 93.13GiB
 Min Free Space: 43.77GiB

ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx inspect raspi4


ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker login

ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx use raspi4


ferganey@ferganey-linux:~/Embedded_Systems/AutonomousVehiclesprojects/AI_Voice_Assistant_using_Raspi4/Yocto/Yocto_sources/poky/meta-userapp/recipes-docker/app/files$ docker buildx build --platform linux/arm64 -t ahmedferganey/raspi4-voice-assistant:v1.1 --push .



```