edgescale documentation · machine a install docker harbor machine b install edgescale service...

EdgeScale DocumentationRelease on-premise 1912

EdgeScale

Revision: 81b66ce

CONTENTS

1 EdgeScale Overview 11.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.3 Supported Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Installation 32.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.2 Install Docker Harbor on machine A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.3 Install EdgeScale service on machine B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.4 How to access the dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 Getting Started 113.1 Basic Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.2 Quick Start Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

4 Bootstrap & OTA 214.1 Bootstrap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214.2 OTA Update Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

5 User Management 335.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335.2 Apply Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335.3 Create Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355.4 Set User Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365.5 Activate/Deactivate user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375.6 Check Detail Information Of User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

6 OEM Config 396.1 CA Config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396.2 Service Config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

7 Device Management 437.1 Device Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437.2 Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457.3 Device Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

8 Application Management 558.1 App Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558.2 Application Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

9 Solution Management 71

i

9.1 Solution Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719.2 Solution Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

10 Monitor 7910.1 Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7910.2 Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7910.3 Task Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

11 Connect to EdgeScale 8311.1 Connect Linux devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

12 Secure Solution 8912.1 Prepare Secure Bootstrap Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8912.2 Prepare Secure Solution Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8912.3 Create Device and Bootup in Secure Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9012.4 Enforce the Secure Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9012.5 Read Pub Key From Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9012.6 Upload Device db to Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

13 Container Security 9313.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9313.2 Setup a Secure Private Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9413.3 Use a trusted registry and image on EdgeScale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

14 ESCLI Usage 10314.1 ESCLI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10314.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10314.3 Common Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

15 Connect Public Cloud 11315.1 Azure IoT Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11315.2 Ali-Cloud IoT Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11515.3 AWS Greengrass Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11815.4 Google IoT Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11815.5 IBM Watson IoT Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

16 Bring your board to EdgeScale 12116.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12116.2 Software Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12116.3 Enable the OTA Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

17 Application Notes 12517.1 Enable AI framework: TensorFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12517.2 Connect to Secure Element chip: A71CH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

18 Frequently Asked Questions (FAQ) 12718.1 How to access EdgeScale? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12718.2 I have a container app. How to deploy it to my device? . . . . . . . . . . . . . . . . . . . . . . . . . 12718.3 I have a system image. How to deploy it to my device? . . . . . . . . . . . . . . . . . . . . . . . . . 12818.4 My software image is stored at another place. How to connect it with EdgeScale service? . . . . . . 12818.5 Which platforms are supported by EdgeScale? Does it support x86? . . . . . . . . . . . . . . . . . . 12818.6 Is EdgeScale open-source? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12818.7 How to fix the following issue when board is boot up with ubuntu rootfs? . . . . . . . . . . . . . . . 12818.8 How to create a device and enroll it with escli? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12818.9 How to make the size of the Docker image small? . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

ii

CHAPTER

ONE

EDGESCALE OVERVIEW

1.1 Overview

EdgeScale is a unified, scalable, and secure device management solution for Edge Computing applications. It en-ables OEMs and developers to leverage cloud compute frameworks like AWS Greengrass, Azure IoT, and Aliyun onLayerscape devices.

EdgeScale provides the missing piece of device security and management needed for customers to securely deployand manage many Edge computing devices from the cloud. End-users and developers can use the EdgeScale clouddashboard to securely enroll Edge devices, monitor their health, attest, and deploy container applications and firmwareupdates.

EdgeScale can also be used as a development environment to build containers and generate firmware.

1.2 Supported Features

• EdgeScale dashboard for users

• EdgeScale command line tool for users

• EdgeScale Restful APIs for developers

• Secure device enrollment

• Secure key/certificate provisioning

• OTA: firmware update

• Device status monitoring on the cloud

• Dynamic deployment of container-based applications

1.3 Supported Devices

• LS1012A: QorIQ Layerscape LS1012A Low Power Communication Processor

• LS1021A: QorIQ Layerscape LS1021A Dual-Core Communications Processor with LCD Controller

• LS1028A: QorIQ Layerscape LS1028A Dual-Core Communications Processor with TSN, GPU

• LS1043A: QorIQ Layerscape LS1043A Multicore Communications Processors



1

EdgeScale Documentation, Release on-premise 1912


• LX2160A: QorIQ Layerscape LX2160A Multicore Communications Processors

• LS1012A-FRWY: Lowcost LS1012A derivatives

• LS1046A-FRWY: Lowcost LS1046A derivatives

2 Chapter 1. EdgeScale Overview

CHAPTER

TWO

INSTALLATION

This is the step by step guide on how to install the EdgeScale services on private cloud or local x86 host.

2.1 Prerequisites

Two machines are needed and they can communicate with each other.

Name DescriptionMachine A install Docker HarborMachine B install EdgeScale service

2.1.1 Machine A

software versionUbuntu 18.04Docker 18.09

2.1.2 Machine B

software versionUbuntu 18.04Kubernetes 1.15.3Docker 18.09.7Nodejs 10.16.2Python 3.6Golang 1.10.4

Below are the required TCP ports need to be open.

3


Service Port Descriptionredis 6379 NoSQL databasepostgres 5432 SQL databaseminio 9000 Storage serviceminio-api 10086 Upload download APIhaproxy 443 Port forwardingkong 8443 API Gatewaynamed 53 DNS servernginx 12443 Dashboardb-est 11443 Temporary issuance of certificatese-est 10443 Formal issuance of certificatesapp-server 7443 Deploy apps servermqtt 8883 MQTT servermft 8082 Device enroll apiopenfaas 8000/9090 Gateway and prometheus

2.2 Install Docker Harbor on machine A

2.2.1 I. Get the source code and deploy Docker Harbor

$ git clone https://github.com/edgeverse/edgescale-cloud.git$ cd ~/edgescale-cloud/install/harbor$ sudo bash install_harbor.sh

2.3 Install EdgeScale service on machine B

2.3.1 I. Get the source code

$ git clone https://github.com/edgeverse/edgescale-cloud.git

2.3.2 II. Build the web frontend and deploy

If you agree to the NXP SEMICONDUCTORS SOFTWARE LICENSE AGREEMENT , you could download ref-erence front-end GUI source code, via http://nxp.com/edgescale . After extracting it, execute the following com-mand.(note: edgescale.demo is default domain name.)

$ cd dcca-portal/$ docker run -it --rm -v "$PWD":"/code" ebiven/vue-cli npm install$ docker run -it --rm -v "$PWD":"/code" ebiven/vue-cli npm run build --env-abs=api.→˓edgescale.demo --env-storage=s3.edgescale.demo$ zip -r dashboard.zip edgescale/$ mv dashboard.zip ~/edgescale-cloud/install/kubernetes/resource

2.3.3 III. Configure url/account/certificate for the services

Check and configure the url/account for the services. Below is the default and example config file.

4 Chapter 2. Installation

https://github.com/edgeverse/edgescale-cloud/wiki/NXP-Semiconductors-Software-License-Agreement

https://www.nxp.com/webapp/swlicensing/sso/downloadSoftware.sp?catid=EDGESCALE


$ vim ~/edgescale-cloud/install/kubernetes/config/vars.json

1 {2 "env":{3 "domain_name":"edgescale.demo", --> Second-level domain

→˓name used throughout the service.4 "faas_passwd":"edgescale",5 "faas_user":"admin", --> Openfaas

→˓certification information.6 "harbor_user":"admin",7 "harbor_passwd":"Harbor12345", --> Docker Harbor

→˓password.8 "harbor_domain":"docker.edgescale.demo",9 "harbor_project_name":"library", --> The project name

→˓uploaded by the docker image used in the service.10 "harbor_host_ip":"" --> local Docker Harbor

→˓service IP(machine A IP).11 },12 "service":{13 "ADMIN_EMAIL_PWD":"", --> SMTP sender email

→˓password.14 "SMTP_HOST":"", --> SMTP service host.15 "ADMIN_EMAIL":"", --> SMTP sender email.16 "SMTP_PORT":"",17 },18 "db":{19 "pg_passwd":"edgescale",20 "pg_user":"root",21 "pg_database":"edgescale",22 "pg_es_passwd":"edgescale", --> Storage device info

→˓database.23 "kong_user":"kong",24 "kong_passwd":"kong",25 "kong_database":"kong", --> Kong used database

→˓name.26 "pg_max_connections":1000 --> Postgres max

→˓connections.27 },28 "minio":{29 "access_key":"CSSFSisdfEIKNC", --> S3 liked object

→˓storage service access credential .30 "secret_key":"isdEDegDFfsdfSDjsdlsdfDAO+k"31 }

Check and configure certificates for the services. Below are the default and example certificates.

$ cd ~/edgescale-cloud/install/kubernetes/j2_conf

The following tree structure shows the default/example certificates for the services

1 b-est2 b-est.crt.j2 --> Access to Service B-est requires a certificate.(API:

→˓https://int.b-est.edgescale.demo)3 b-est.key.j24 b-est-rootca.crt.j2 --> Temporary root CA used to issue certificates to

→˓service E-est.5 b-est-rootca.key.j2

(continues on next page)

2.3. Install EdgeScale service on machine B 5


(continued from previous page)

6 b-est.trust.crt.j2 --> The set of trusted certificates in the B-est service.7 e-est8 e-est.crt.j2 --> Access to Service E-est requires a certificate.(API:

→˓https://int.e-est.edgescale.demo)9 e-est.key.j2

10 e-est-rootca.crt.j2 --> Formal root CA used to issue certificates to service→˓E-est for device used.

11 e-est-rootca.key.j212 e-est.trust.crt.j2 --> Must contain the temporary root CA in Service B-est.

→˓That is file called b-est-rootca.crt.j2.13 emqtt14 emq_cert.j2 --> Used for mqtt secure connections. (API: https://int.

→˓msg.edgescale.demo)15 emq_key.j216 kong17 edgescale.crt --> This is rest API used certificate (API: https://api.

→˓edgescale.demo)18 edgescale.key19 nginx20 nginx.crt --> Dashboard secure visited (API: https://console.

→˓edgescale.demo)21 nginx.key

Tip:

If you want to change the default domain name or you don’t have a trusted certificate, please follow belowinstructions to create your own auto-signed certificate.

$ openssl genrsa -out server.key 1024$ openssl req -new -x509 -key server.key -out ca.crt -days 3650$ openssl req -new -key server.key -out server.csr$ openssl x509 -req -days 3650 -in api.csr -CA ca.crt -CAkey server.key -→˓CAcreateserial -out api.crt

2.3.4 IV. Build service images and push to Docker Harbor

$ export http_proxy={Your porxy service}$ export https_proxy={Your proxy service}$ cd ~/edgescale-cloud/build/$ python3 build_services.py

2.3.5 V. Install and uninstall the services

Note: Root user can be used to avoid entering password during the setup.

Install the services.

$ cd ~/edgescale-cloud/install && sudo bash private-deployment-k8s.sh

Uninstall the services and clean the host.



$ cd ~/edgescale-cloud/install && sudo bash uninstall-private-deployment-k8s.sh

2.4 How to access the dashboard

If the domain name is not the official one, please configure the client PC before access with browser.

2.4.1 LINUX:

$ vi /etc/hosts

Note: “x.x.x.x” represents the server host IP that you installed the service on.

1 x.x.x.x console.edgescale.demo2 x.x.x.x api.edgescale.demo3 x.x.x.x s3.edgescale.demo

Import your auto-signed CA into the client PC.

$ sudo cp yourRootca.crt /usr/local/share/ca-certificates/ca.crt$ sudo update-ca-certificates

2.4.2 WINDOWS:

Please follow the instructions import CA certificate into your client.

2.4. How to access the dashboard 7


After the import was successful. Please reboot the client machine.

Configure the DNS server address.

2.4. How to access the dashboard 9


Access https://console.edgescale.demo with default user accounts and passwords for trial:

Username Passwordoem_test 123456789admin_test 123456789


https://console.edgescale.demo

CHAPTER

THREE

GETTING STARTED

3.1 Basic Concept

3.1.1 Bootstrap and Operational Image

Bootstrap image is the “golden” image used to authenticate device with EdgeScale cloud and update new version ofsoftware images, namely operational images. The bootstrap image is a small stable flash booted image with minimalsoftware packages connected to EdgeScale cloud. It is seldom updated. The operational image is usually a fullfunctional SD card booted image with a built-in docker engine and supports container-based apps. If the device doesnot support SD boot, the boot loader is supposed at flash and the root file system is stored on the SD card.

3.1.2 Identification and Certificate

The identification info is a device-specific private key generated at the cloud. It will be used as the initial credentialto connect EdgeScale cloud to the device. During device on-boarding, this private key will be used to sign devicemeta data and the cloud can verify this feature by the corresponding public key. After this step, EdgeScale will issuea certificate to enable cloud communications for the device.

Note: This private key is only generated for devices not provisioned by secure manufacturing. For secure provision-ing, please check the “secure solution” section.

Currently this data is created as a shell script and can be downloaded from the dashboard while creating a device.Sometimes it is also called identification image.

3.1.3 Device Model

The device model describes the metadata and management characteristics of a device. It determines which version ofthe software images will be installed on the device automatically.

3.2 Quick Start Guide

3.2.1 Register and Sign-in

• Register an account: open a web browser and connect to EdgeScale Portal

11

https://console.edgescale.org


It will send an email to the admin: [email protected]

After approval, you will get an email with a random password. Please log in and set a new passwd.

• When the account is available, you can sign in.

• Follow the account setting and reset password.

3.2.2 Prepare Device

1. Create Device

• Go to SmartConnect -> My Devices and Create

12 Chapter 3. Getting Started

mailto:[email protected]


2. Download & Provision Device Identity

• Fill in the form with SN number and device model info (select from suggested data).

• Click Submit to register the device. A popup window will prompt you to download the device credential.

• Download the device identity info.

bootstrap-enroll-<device ID>-iot.gateway.ls1043ardb.nxp.sh

• Check that the device is created.

3.2. Quick Start Guide 13


• Copy the script file to your Linux host.

• In Terminal, change directory to where the scipt file located, and execute the script file (Linux bash script) onthe Linux host with the SD card inserted. Line started with $ indicates commands typed in Terminal.

$ sudo fdisk -l #find the location of the sd card in the form of dev/<sdx>$ sudo ./bootstrap-enroll-2f63c75eaa50535087e623c5c0f22721.iot.gateway.ls1043ardb.nxp.→˓sh d̄ev/<sdx>Install EdgeScale AAA service Private key to Disk /dev/sdd: 7.4 GiB, 7948206080 bytes,→˓ 15523840 sectors- Yes|No ---$ Yes[...]048576 bytes (1.0 MB, 1.0 MiB) copied, 0.00334797 s, 313 MB/s[...]048576 bytes (1.0 MB, 1.0 MiB) copied, 0.00155437 s, 675 MB/s

• Note: If you encounter error “command not found” when executing the shell script, try to change access per-mission chmod u+x <filename> before running it. Be aware that running the script will erase the device,so check the name carefully before doing so.

After this step, the device identity information is saved on some reserved area of the SD card. Next, we need to preparethe software image for the device, which includes building and installing the image on the SD card.

3. Deploy EdgeScale agents on the device

There are two ways to install the EdgeScale agents on the device.

3.1 Build EdgeScale agents from source

Below is an example for enabling EdgeScale client in LSDK based image. Please check LSDK and the building tool:flex-builder for more information. This is for non-secure mode. If booting device with secure boot checking ispreferred, please refer to the “secure solution” section.

• Preconditions

EdgeScale client depends on golang 1.9 environment. If the system is installed with an older version, please update itto 1.9

$ rm -rf ~/go && curl -L https://redirector.gvt1.com/edgedl/go/go1.9.4.linux-amd64.→˓tar.gz | tar xz -C ~/

• Enable the EdgeScale components in LSDK:


https://lsdk.github.io

https://lsdk.github.io


To support the customized domain name feature, one patch should be applyed to flexbuild, this patch is placed inprivate-cloud-edgescale repository, to clone this repository, please refer to I. Get the source code and deploy DockerHarbor.

$ cd flexbuild$ patch -p1 < <path>/private-cloud-edgescale/patches/flexbuild-lsdk1909-updates.patch$ source setup.env

$ vi configs/build_lsdk.cfg# change the below line from n to y:CONFIG_BUILD_QORIQ_EDGESCALE=y

$ export ES_DOMAIN_SUFFIX="yourdomain.com"$ export ES_CERTIFICATE_PATH="/path/for/self-signed/edgescale/certificates"

• Note: ES_DOMAIN_SUFFIX and ES_CERTIFICATE_PATH are used to customize domain name, if you don’twant to use other domain name, you can use “edgescale.demo” as domain name suffix, the self-signed certifi-cates can be got from III. Configure url/account/certificate for the services.

• Build the images:

$ flex-builder clean$ flex-builder -m <machine>

• Note: The autobuild takes considerable amount of time to complete. Please make sure that your computer hasstable Internet connection during this process.

3.2 Install pre-built pkg on the device

Note: Currently, only Debian pkg is supported.

This package could be used for:

1. LSDK1909 image without built-in EdgeScale agents.

2. Any ODM/OEM board derived from LSDK rootfs after LSDK1909.

Note: Due to the change of SD card layout after LSDK1906, we broke the backward compatibility. At present,theDebian package only works with LSDK1906/1909

Download the Debian package according to the following table.

Version Platform packagev1909 ARM64 EdgeScale Agents 64bitv1909 ARM32 EdgeScale agents 32bit

• You can use commands to get the Debian package, such as wget <website_above>.

• Use the following command to run the Debian package:

=> dpkg -i edgescale-agents_1909_arm64.deb


https://image.edgescale.org/private-cloud/1909/debian-pkg/edgescale-agents_1909_arm64.deb

https://image.edgescale.org/private-cloud/1909/debian-pkg/edgescale-agents_1909_arm32.deb


4. Manually deploy the image to the SD card

In this mode, the image is installed manually on the SD card. Deploying image from cloud dashboard is not supported.

• Insert the SD card into x86 host Identify the physical device with fdisk -l or cat /proc/partitions.The SD card will be identified as /dev/sdx, where x could typically be a, b, c.

• Unmount the SD card if auto mounted

sudo umount /dev/<sdx>

• Install the solution image

The required images that were assembled in the previous step will be available under “flexbuild_<version>”directory on the host machine.

Assume the solution image components are stored in build/images

$ cd build/images$ flex-installer -b bootpartition_LS_arm64_edgescale_lts_4.9.tgz -r rootfs_ubuntu_→˓bionic_LS_arm64_edgescale.tgz

-f firmware_[ls1043ardb|ls1046ardb]_uboot_sdboot.img -s 8 -d /dev/→˓<sdx>

• Note: please mount the second and third partition of the SD card and check that bootparti-tion_LS_arm64_edgescale_lts_4.9.tgz and rootfs_ubuntu_bionic_LS_arm64.tgz are installed to the SD cardsuccessfully. If the second partition is empty, please run the following command to install:

$ cd build/images$ mount the second partition to <p2-dest-dir>$ tar zxvf bootpartition_LS_arm64_edgescale_lts_4.9.tgz -C <p2-dest-dir>$ umount <p2-dest-dir>

• Insert the SD card into the target board and boot.

For OTA (automatically deploy the image from cloud), please refer to Bootstrap.

5. Bring the Device On-line

• Cleanly unmount the SD card from the host, and insert it in the target platform.

• Power up the target and stop in u-boot (CTRL-C). Help regarding starting the board or troubleshooting can befound in the board’s Getting Started Guide.

• Reset to boot from the SD card.

=> cpld reset sd

• Platform will start up, connect to the Internet, and register with the cloud infrastructure.

• Verify Device Certificate Enrollment with dmesg.

[ 30.159672] Checking for ethernet port fm1-mac3[ 40.242777] Link detected: yes[ 45.000582] network ethernet port is fm1-mac3[ 45.004823] fm1-mac3 Link encap:Ethernet HWaddr 00:04:9f:04:1e:3c[ 45.005105] inet addr:192.168.147.137 Bcast:192.168.147.255 Mask:255.→˓255.255.0

...





[ 45.010835] Setting time from www.baidu.com[ 47.349473] Tue Apr 24 12:43:18 UTC 2018[ 47.629792] No valid certificate found, starting 3 Phases Certificate Enrollment[ 47.630061] starting Phase1[ 61.902924] starting Phase2[ 66.152794] starting Phase3[ 67.629686] create PKCS10 request[ 72.118433] Starting E-EST certificate Enrollment[ 73.265688] set Hostname to 2f63c75eaa50535087e623c5c0f22721.iot.gateway.→˓ls1043ardb.nxp

...

[ 83.353776] Start kubelet[ 83.998282] 1+0 records in[ 83.998558] 1+0 records out[ 83.998766] 512 bytes copied, 0.00045336 s, 1.1 MB/s[ 84.030918] ./ota-statuscheck: 17: [: x: unexpected operator[ 84.031286] ./ota-statuscheck: 21: [: x: unexpected operator[ 84.033247] 0+1 records in[ 84.033499] 1+0 records out[ 84.033741] 512 bytes copied, 0.00041832 s, 1.2 MB/s

• It is recommended to update local time zone of the device:

$ dpkg-reconfigure tzdata

• Refresh My Devices will show the device as online

3.2.3 Deploy APP

1. Deploy APP to device

• Follow Edge Software Store -> App Store -> App Market, select one APP (filtered by tag) andadd to My App



• Click Deploy in My app

• Select device(s) and then click Deploy App



2. Monitor APP task

• Click Task to check deployment task status, click taskname to check app status.

3. Running APP

Find the APP running card and click top-right icon to check App Log

• Find the IP address to open the related service.

For example, Image Classification APP


CHAPTER

FOUR

BOOTSTRAP & OTA

4.1 Bootstrap

To enroll your device in EdgeScale, the bootstrap image needs to be programmed first and then reboot the board.After the device is authenticated, the OTA process will start to install corresponding solution image associated withthe device model.

This guide will introduce you how to build and flash the bootstrap image for the device to finish the enrollment inEdgeScale.

The current OTA uses single boot source. Only booting from QSPI/NOR/Flexspi-NOR flash is supported for Layer-Scape platforms.

For OTA support, SD card is needed. OTA control logic is in the BL2 stage of the boot process. Specifically it is in thebl2_<boot_mode>.pbl and programmed on the first 1MB area of QSPI/NOR/Flexspi-NOR flash. Bootstrap imagesexcept bl2_<boot_mode>.pbl are installed on SD card. Solution firmware image is installed on QSPI/NOR/Flexspi-NOR flash and OS images are installed on SD card partitions.

For recovery, watchdog timer is enabled in BL2 stage, and monitors the system until Linux kernel watchdog timertakes over with new configuration. During the period, it will automatically reboot hanged systems. Then the bootstrapimage will start and roll back to previous working solution image.

4.1.1 Boot mode on each platforms

PLATFORM QSPI NOR Flexspi-NORls1012ardb yesls1012afrwy yesls1028ardb yesls1043ardb yesls1046ardb yesls1046afrwy yesls1088ardb yesls2088ardb yeslx2160ardb yes

For ls1021atwr, single boot source OTA is not available and dual boot source OTA is still used.

For i.MX platforms, single boot source is also used for OTA. Booting from SD or Flexspi-NOR flash is supported.OTA control logic is in the SPL stage of the boot process. Secure Boot is not supported yet.

21


4.1.2 Build the bootstrap image

Below is an example for how to build bootstrap image from source. Currently the bootstrap image is built with yoctoenvironment.

• Supported boards

ls1012ardb ls1012afrwy ls1028ardb ls1043ardb ls1046ardb ls1046afrwy ls1088ardb-pb ls2088ardb lx2160ardbls1021atwr

• Setup the Yocto project

Follow below guide to get your build host ready:yocto

• Install the repo utility

$ mkdir ~/bin$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo$ chmod a+x ~/bin/repo

• Download the metadata

$ export PATH=${PATH}:~/bin$ mkdir yocto-sdk$ cd yocto-sdk$ repo init -u https://source.codeaurora.org/external/qoriq/qoriq-components/yocto-→˓sdk -b refs/tags/yocto_2.6_es_1909_update_291119$ repo sync --no-clone-bundle

• Build the image

Take ls1012ardb as an example:

1.Setup build environment

$ . ./setup-env -m ls1012ardb

Note: To build single bootstrap images, need to add following line to build_ls1012ardb/conf/local.conf

DISTRO_FEATURES_append = " single-boot"

Note: To build images with customized domain name, need to add following lines tobuild_ls1012ardb/conf/local.conf. if “edgescale.demo” is used as domain name suffix, please use self-signedcertificates mentioned in III. Configure url/account/certificate for the services.

# Change the domain suffix to what you want to use.The domain name must be the same→˓as the one in the certificateES_DOMAIN_SUFFIX = "yourdomain.com"

# Define this line when self-signed certificates are usedES_CERTIFICATE_PATH = "/path/for/self-signed/edgescale/certificates"

2.Build EdgeScale bootstrap image

$ bitbake single-source-bootstrap

22 Chapter 4. Bootstrap & OTA

https://www.yoctoproject.org/docs/2.6/brief-yoctoprojectqs/brief-yoctoprojectqs.html


Note: EdgeScale bootstrap images will be found under tmp/deploy/images/ls1012ardb/single-source-bootstrap/.

Note: To build images with optee, need to add following line to build_ls1012ardb/conf/local.conf

DISTRO_FEATURES_append = " optee"

Note: To enable the ima_evm feature, need to add following line to build_ls1012ardb/conf/local.conf

DISTRO_FEATURES_append = " ima-evm"

Note: To enable the Manufacture, need to add following line to build_ls1012ardb/conf/local.conf

DISTRO_FEATURES_append = " mft"

Note: To enable the secure model, need to add following line to build_ls1012ardb/conf/local.conf

DISTRO_FEATURES_append = " secure"ROOTFS_IMAGE = "fsl-image-edgescale"KERNEL_ITS = "kernel-all.its"

Note: Key pairs and files required for the EdgeScale secure bootstrap images will be found undertmp/deploy/images/ls1012ardb/.

Without setting the specified key path, the generated key is random

To use the specified key pair,need to modify following lines to ../sources/meta-qoriq-demos/recipes-devtools/cst/cst_git.bbappend

#SECURE_PRI_KEY = "/path/srk.pri"#SECURE_PUB_KEY = "/path/srk.pub"

Note: ls1021atwr bootstrap image doesn’t support single bootstrap,It can only be compiled with “bitbake edgescale-bootstrap” to build images . you need to add following line to build_ls1021atwr/conf/local.conf

DISTRO_FEATURES_append = " ota"

4.1.3 Build the bootstrap with docker

EdgeScale bootstrap images can be built using the docker which includes all the yocto build environment in thecontainer.

Run the following command to build the cross-build yocto environment:

4.1. Bootstrap 23


$ docker build \--build-arg http_proxy=$http_proxy \--build-arg https_proxy=$https_proxy \--build-arg host_uid=$(id -u) \--build-arg host_gid=$(id -g) \--no-cache \-t edgescale-bootstrap:v1 .

Note: If the proxy is required, please set the proxy using the following commands:

$ export http_proxy=”xxxxxxxxx”

$ export https_proxy=”xxxxxxxxx”

Once the building container is ready, we can start it to build the target image. Take ls1046ardb as an example:

$ mkdir -p yocto/build_ls1046ardb yocto/downloads yocto/sstate-cache$ docker run -it --name edgescale-bootstrap-ls1046ardb \

-v $PWD/yocto/build_ls1046ardb:/home/edgescale/yocto-sdk/build_ls1046ardb \-v $PWD/yocto/downloads:/home/edgescale/yocto-sdk/downloads \-v $PWD/yocto/sstate-cache:/home/edgescale/yocto-sdk/sstate-cache edgescale-

→˓bootstrap:v1

Note: you can get the bootstrap images from the following two locations:

inside docker container: /home/edgescale/yocto-sdk/build_ls1046ardb/tmp/deploy/images/ls1046ardb/single-bootstrap/

outside docker container(local host): $PWD/yocto/build_ls1046ardb/tmp/deploy/images/ls1046ardb/single-bootstrap/

4.1.4 Image Download

Download the pre-built bootstrap images according to the following table. Only work with LSDK1909 solution im-ages. Images for previous LSDK release versions are not available.



4.1.5 Bootstrap Image

Version Platform Imagesv1909 LS1012ARDB ls1012ardb-qspi.imgv1909 LS1012ARDB bl2_qspi_ls1012ardb.pblv1909 LS1012AFRWY ls1012afrwy-qspi.imgv1909 LS1012AFRWY bl2_qspi_ls1012afrwy.pblv1909 LS1043ARDB ls1043ardb-nor.imgv1909 LS1043ARDB bl2_nor_ls1043ardb.pblv1909 LS1046ARDB ls1046ardb-qspi.imgv1909 LS1046ARDB bl2_qspi_ls1046ardb.pblv1909 LS1046AFRAWY ls1046afrwy-qspi.imgv1909 LS1046AFRAWY bl2_qspi_ls1046afrwy.pblv1909 LS1088ARDB_PB ls1088ardb-pb-qspi.imgv1909 LS1088ARDB_PB bl2_qspi_ls1088ardb-pb.pblv1909 LS2088ARDB ls2088ardb-nor.imgv1909 LS2088ARDB bl2_nor_ls2088ardb.pblv1909 LS1021ATWR ls1021atwr-nor.imgv1909 LS1028ARDB lS1028ardb-xspi.imgv1909 LS1028ARDB bl2_xspi_ls1028ardb.pblv1909 LX2160ARDB lx2160ardb-xspi.imgv1909 LX2160ARDB bl2_xspi_lx2160ardb.pblv1909 IMX6 imx6qsabresd-sdboot.imgv1909 IMX8MQ imx8mqevk-sdboot.imgv1909 IMX8MM-SD imx8mmevk-sdboot.imgv1909 IMX8MM-NOR imx8mmevk-norboot.imgv1909 SPL SPL

4.1.6 Flash bootstrap image

Precondition

• Setup the tftp server.

• Copy the bootstrap image to tftp server.

• Configure network for the board to ensure it can connect to the tftp server.

LS1012ARDB/LS1012AFRWY/LS1028ARDB/LS1046ARDB/ls1046AFRWY

LS1088ARDB/LX2160ARDB

• Create device in EdgeScale dashboard and download the identification image.

• Program the identification image to SD on a Linux PC:

$ sudo fdisk -l # find the /dev/sdx for the SD card e.g. /dev/sdb$ sudo umount /dev/<sdx>$ sudo ./bootstrap-enroll-<deviceID>.sh /dev/<sdx>

• Boot up the board with a working boot-loader, then run the following commands in u-boot prompt to flash thebootstrap BL2 image:

4.1. Bootstrap 25

https://image.edgescale.org/private-cloud/1909/ls1012ardb/firmware_ls1012ardb_uboot_qspiboot.img

https://image.edgescale.org/private-cloud/1909/ls1012ardb/bl2_qspi_ls1012ardb.pbl

https://image.edgescale.org/private-cloud/1909/ls1012afrwy/firmware_ls1012afrwy_uboot_qspiboot.img

https://image.edgescale.org/private-cloud/1909/ls1012afrwy/bl2_qspi_ls1012afrwy.pbl

https://image.edgescale.org/private-cloud/1909/ls1043ardb/firmware_ls1043ardb_uboot_norboot.img

https://image.edgescale.org/private-cloud/1909/ls1043ardb/bl2_nor_ls1043ardb.pbl

https://image.edgescale.org/private-cloud/1909/ls1046ardb/firmware_ls1046ardb_uboot_qspiboot.img

https://image.edgescale.org/private-cloud/1909/ls1046ardb/bl2_qspi_ls1046ardb.pbl

https://image.edgescale.org/private-cloud/1909/ls1046afrwy/firmware_ls1046afrwy_uboot_qspiboot.img

https://image.edgescale.org/private-cloud/1909/ls1046afrwy/bl2_qspi_ls1046afrwy.pbl

https://image.edgescale.org/private-cloud/1909/ls1088ardb_pb/firmware_ls1088ardb-pb_uboot_qspiboot.img

https://image.edgescale.org/private-cloud/1909/ls1088ardb_pb/bl2_qspi_ls1088ardb-pb.pbl

https://image.edgescale.org/private-cloud/1909/ls2088ardb/firmware_ls2088ardb_uboot_norboot.img

https://image.edgescale.org/private-cloud/1909/ls2088ardb/bl2_nor_ls2088ardb.pbl

https://image.edgescale.org/private-cloud/1909/ls1021atwr/ls1021atwr-nor.img

https://image.edgescale.org/private-cloud/1909/ls1028ardb/firmware_ls1028ardb_uboot_xspiboot.img

https://image.edgescale.org/private-cloud/1909/ls1028ardb/bl2_xspi_ls1028ardb.pbl

https://image.edgescale.org/private-cloud/1909/lx2160ardb/firmware_lx2160ardb_uboot_xspiboot.img

https://image.edgescale.org/private-cloud/1909/lx2160ardb/bl2_xspi_lx2160ardb.pbl

https://image.edgescale.org/private-cloud/1909/imx6/firmware_imx6qsabresd_uboot_sdboot.img

https://image.edgescale.org/private-cloud/1909/imx8mq/firmware_imx8mqevk_uboot_sdboot.img

https://image.edgescale.org/private-cloud/1909/imx8mm/firmware_imx8mmevk_uboot_sdboot.img

https://image.edgescale.org/private-cloud/1909/imx8mm/firmware_imx8mmevk_uboot_norboot.img

https://image.edgescale.org/private-cloud/1909/imx6/SPL


=> tftp 0xa0000000 /tftpboot/bl2_qspi_<ls1012ardb/ls1012afrwy/ls1046ardb/ls1046afrwy/→˓ls1088ardb-pb>.pbl/bl2_xspi_<ls1028ardb/lx2160ardb>.pbl=> sf probe 0:0=> sf erase 0 0x3e00000 # for ls1012afrwy, sf erase 0 0x100000=> sf write 0xa0000000 0 0x100000

• Program the bootstrap Firmware image to SD on a Linux PC or in u-boot prompt:

$ dd if=firmware_<ls1012ardb/ls1012afrwy/ls1046ardb/ls1046afrwy/ls1088ardb-pb>_uboot_→˓qspiboot.img/firmware_<ls1028ardb/lx2160ardb>_uboot_xspiboot.img of=/dev/<sdx>→˓bs=1k seek=0

or

=> tftp 0xa0000000 /tftpboot/firmware_<ls1012ardb/ls1012afrwy/ls1046ardb/ls1046afrwy/→˓ls1088ardb-pb>_uboot_qspiboot.img/firmware_<ls1028ardb/lx2160ardb>_uboot_xspiboot.→˓img=> mmc write 0xa0000000 0 $cnt

• Make sure SD card is inserted and the board is switched to boot from QSPI/FlexSPI-NOR flash, then run thefollowing command in u-boot prompt to start the OTA process:

=> reset

LS1043ARDB

• Create device in the EdgeScale dashboard and download the identification image.




=> tftp 0xa0000000 /tftpboot/bl2_nor_ls1043ardb.pbl=> protect off all=> erase 0x60000000 +0x3e00000=> cp.b 0xa0000000 0x60000000 0x100000


$ dd if=firmware_ls1043ardb_uboot_norboot.img of=/dev/<sdx> bs=1k seek=0

or

=> tftp 0xa0000000 /tftpboot/firmware_ls1043ardb_uboot_norboot.img=> mmc write 0xa0000000 0 $cnt

• Make sure SD card is inserted and the board is switched to boot from NOR flash, then run the following com-mand in u-boot prompt to start the OTA process:

=> reset



LS2088ARDB

• Create device in EdgeScale dashboard and download the identification image.




=> tftp 0xa0000000 /tftpboot/bl2_nor_ls2088ardb.pbl=> protect off all=> erase 0x580000000 +0x3e00000=> cp.b 0xa0000000 0x580000000 0x100000


$ dd if=firmware_ls2088ardb_uboot_norboot.img of=/dev/<sdx> bs=1k seek=0

or

=> tftp 0xa0000000 /tftpboot/firmware_ls2088ardb_uboot_norboot.img=> mmc write 0xa0000000 0 $cnt

• Make sure SD card is inserted and the board is switched to boot from NOR flash, then run the following com-mand in u-boot prompt to start the OTA process:

=> reset

LS1021ATWR

• Create device in the EdgeScale dashboard and download the identification image.



• Insert the SD card to the board, then boot the board to enter u-boot prompt.

• Run the following commands to flash the bootstrap image:

=> tftp 0xa0000000 /tftpboot/ls1021atwr-nor.img=> pro off all=> erase 0x64000000 +$filesize=> cp.b 0xa0000000 0x64000000 $filesize

• Run the following command in u-boot environment to start the OTA process:

=> reset

4.1. Bootstrap 27


4.2 OTA Update Procedure

4.2.1 Precondition

The SD storage range of 63M~64M is reserved to store OTA status information. This area is accessible for both thebootstrap image and the new SD image.

4.2.2 OTA Layout

Unified 64MiB memory layout of SD media on all Layerscape platforms

Unified 64MiB memory layout of NOR/QSPI/Flexspi-NOR media on all Layerscape platforms



Unified 2MB memory layout of SD media on Layerscape platforms

Unified 2MB memory layout of QSPI media on Layerscape platforms

4.2. OTA Update Procedure 29


4.2.3 OTA Process

• OTA_STATUS_INIT(OTAstatus=NULL): When the board boots up for the first time, the bootstrap image willstart. It will get the latest image from the cloud and install the firmware image on flash and the OS image on SDcard.

• OTA_STATUS_INSTALLED(OTAstatus=1): The installed solution image will boot up.

• OTA_STATUS_ONLINE(OTAstatus=0): The installed solution image boots up successfully. EdgeScale servicestarts and the device is online.

• OTA_STATUS_FAILED(OTAstatus=2): The installed solution image fails to boot up.

• OTA_STATUS_DEPLOY(OTAstatus=8): Deploy a new solution image to the device.

• OTA_STATUS_INSTALL(OTAstatus=4): The deployed solution image is downloaded and will be installed.

• OTA_STATUS_IDLE(OTAstatus=3): OTA script will check if there is a new version of the image for the deviceperiodically.

Warning: OTA is a totally automatic process monitored by watchdog timer to avoid the forever hang.

The watchdog is configured in BL2 to monitor the firmware loadinging and running. It expects the Linux kernel toreconfigure and take over in 2~3 minutes.

If you interrupt the auto reboot process by manual operation at U-Boot prompt, please disable the watchdog first.Otherwise, the board will be reset by the BL2 watchdog timer setting.

Run following commands manually in U-Boot prompt to prevent the watchdog reset.

LS1046ARDB/LS1046AFRWY/LS1012ARDB/LS1012AFRWY: => mw 0x1ee00c0 0x00420000

LS1043ARDB: => mw 0x1ee00c0 0x00460000

LS1028ARDB/LS1088ARDB/LS2088ARDB/LX2160ARDB: => mw 0xc000c00 0x1acce551

=> mw 0xc000008 0x0



4.2.4 Procedure

To automatically deploy the solution image to the device, please refer to the work flow below:

• Create device, bind model and build the solution image with EdgeScale agents.

Please refer to Quick Start Guide.

• Compress all the software images as a tgz file.

tar czvf edgescale_lsdk1909-ls1046_image_qspiboot.tgz \bootpartition_LS_arm64_edgescale_lts_4.14.tgz \firmware_ls1046ardb_uboot_qspiboot.img \rootfs_ubuntu_bionic_LS_arm64_edgescale.tgz

• Upload the compressed solution image to a storage server and get the download URL link.

Currently, EdgeScale will NOT host user’s binary images with the assumption that users have their own publicstorage.

• Create the solution image via EdgeScale dashboard:

Click Create button and go to the solution creating page.

Model name, solution name and version are required.

– Model Name: Choose a model for solution

– Solution Name: The name for solution

– Version: The version for solution

4.2. OTA Update Procedure 31


• Specify solution permission and tag.

– Private: Can’t be seen by others

– Public: Can be seen by others

– Tags: Add tags to the solution

• Specify solution image location (URL link).

Specify Firmware Location A specific firmware address (Image URL).

Upload Firmware Image User can upload a local firmware image.

• Click submit button and finish creating the solution.

• Download and flash the bootstrap image to the device as introduced in previous “Bootstrap” section.


CHAPTER

FIVE

USER MANAGEMENT

5.1 Introduction

User management includes Apply Account, Audit Account and Create Account. Before logging in to the system, usersshould apply for an account first. The administrator will check the application and create an account for users.

5.2 Apply Account

• Click Apply Now button on the login page. Go to apply account page. These items are required: First Name,Last Name, Email, Account Type, Company Name.

33


• After clicking Apply Now button, there will be a new item (marked with red box) on Account > AccountAudit page.

Administrator can audit users’ applications (only administrator can see this):

• Approved: Application will be passed and the administrator will create an account, then send the accountinformation to user’s email. Users can change the password according to the email.

• Rejected: Application will be rejected and the administrator will send the reject information to user’s email.

34 Chapter 5. User Management


5.3 Create Account

• Click Account > Account List on left banner, then go to user list page.

• Click Create button (marked with red frame) to go to user create page.

5.3. Create Account 35


• After clicking the submit button, there will be a new item (marked with red box) on user list page.

5.4 Set User Limit

• Click the setting button (marked with red box) to open the setting limit dialog:

• Device: set the max number of devices a user can create

• Deploy: set the max number of solution a user can deploy

• Max create solution: set the max number of solutions a user can create

• Max bind model: set the max number of models a user can bind to models



5.5 Activate/Deactivate user

• Click the action button (marked with red box) to open the warning dialog:

• Active: You are going to activate this user, do you want to continue?

• Inactive: You are going to disable this user, do you want to continue?

5.5. Activate/Deactivate user 37


5.6 Check Detail Information Of User

• Click the name on the table, then go to user detail page. On this page, the administrator can check user’s basicinformation and device, model, solution, and application information.


CHAPTER

SIX

OEM CONFIG

6.1 CA Config

Click Portal -> Config on the left navigation. The Config page has two items, one is for CA and the other is forservice:

6.1.1 CA Config

Fill in the fields with Root CA and Private Key from your certificates bundle package.

• Root CA: OEM CA, used to protect OEM specific service

• Private Key: Used for issuing the secondary certificate

• Trust chain: Verify secondary or lower level certificate

Once the CA is updated by this config, the communication between the device and the OEM specific service will beprotected by this CA.

6.2 Service Config

Click Create button.

39


6.2.1 Service Config

Add Private Registry Service

• Service Name: A readable name for this service

• URL: Service URL, e.g. https://service.oem.com

• Port: Service port, e.g. 80 for web

• Token: Private docker repo access token Optional field, current only support dockerrepo service

40 Chapter 6. OEM Config

https://service.oem.com


6.2. Service Config 41


42 Chapter 6. OEM Config

CHAPTER

SEVEN

DEVICE MANAGEMENT

7.1 Device Model

The device model describes the metadata and management characteristics of a device. This metadata determines the version of firmware or the solution software which will be running on the device. Currently, the model is composed of the following fields:

vendor.platform.type.model

• Vendor: The manufacture of the device

• Platform: The main CPU used on the device

• Type: General functionality of the device, such as gateway, l2switch, firewall.

• Model: The device’s model number. On most devices, it can be found on the label located on the front,back, side, or bottom.

For example, a reference board made by NXP could take the model string as: nxp.ls1043a.gateway.rdb

7.1.1 Create a New Device Model

There are two parts in model, Public Model and Private Model, users can create private model.If user wants to public the model, can send a request to administrator, after approved, the model can bepublic.

• Click Devices -> Device Model -> Create.

43


• Input the device model arguments. Select from the pull down box or provide new data.

If this device model is only used by yourself, make sure private is selected.

• Go back to the device model list and check that the new model is generated.

• Click audit button, purple frame button, and can send a request to administrator.

44 Chapter 7. Device Management


7.2 Device

7.2.1 Create and Enroll Device

Click Devices -> Device List -> Create

• Fill in the SN number and device model (select from the drop-down list) in the following form:

• Please refer to the Quick Start Guide and Bootstrap to enroll device manually or automatically (OTA process).

7.2.2 Inactivate a Device

Inactivating a device means to disable the device’s functionality from the cloud. After the instruction is sent to thedevice, the identification and certificate will be erased and the device will be disconnected from the cloud. Nonetheless,the bootstrap image will not be erased and the device can go through the enrollment process as a new device.

7.2. Device 45


7.2.3 Activate a Device

When the device is in “Inactive” state, click the Active button on the device page, and the bootscript downloadwindow will pop up. The bootscript contains the device identity and device-specific private key. The device can gothrough the enrollment process again with the script and connect to the cloud.



7.2.4 Device Lifecycle

The device lifecycle shows users which state the device is in and the number of devices in a certain state. Devicelifecycle is divided into six states:

• Created: the logic device is registered at cloud

• New: factory-reset state, the physical device is booted and trying to connect cloud

• Authenticated: device sends the enroll/re-enroll information to cloud, the device is get authenticated

• Active: The device is issued with valid certificate

• Inactive: the certificate is expired or erased

• Retired: destroy the device, erase the sensitive info on device and the device is dis-functional

7.2. Device 47


7.2.5 Device Area

Device area display shows the user where the device is located. When the device location information is not available,it is displayed as “others”.



7.2.6 Device Detail

Device detail page displays more information of the device’s running status:

• App Number: Number of running APPs on the device

• CPU Usage: percentage of CPU load

• Mem Usage: percentage of memory used

• EdgeScale Version: EdgeScale agents version

• Device Logs: including system log and EdgeScale agents logs

• Statistics: Including CPU Usage, Mem Usage and Disk Usage

7.2. Device 49


7.2.7 Delete Device

To delete a device, click Delete button of the corresponding device in the “DeviceList” page. It will ask for user’sconfirmation before it is deleted.



7.2.8 Monitor Device

When the user starts a device, a start time will be sent to the database. EdgeScale will receive the start time and showa mark (marked with red box) on device list page to show that the device is online. When user turns off the device, themark will be offline.

7.2.9 Erasing Device

When the user clicks the Destroy button on device detail page, a pop up window will emerge. If the user clicksYes, all the data on the device will be erased.

7.3 Device Group

For effective and quick device management, EdgeScale allows users to manage several devices at once by categorizingthem into groups. EdgeScale supports both dynamic groups and static groups, system groups and custom groups.

7.3.1 Device Group Types

System Groups Default groups created by EdgeScale

1. Model: Device group(s) per device model

7.3. Device Group 51


2. Customer: Device group(s) per customer

Custom Groups Created by users for specific requirements. Users can view, edit, and delete groups.

1. Static Groups: Manually created by the user by adding specific devices to a group. Thesegroups change only when a user manually changes the devices in the group.

2. Dynamic Groups: Groups that are dynamically defined by matching user-specified criteria.Devices in the group change based on their changing criteria.

Here are the things users can do with device groups:

• Create, describe, or delete a static device group.

• Add device(s) into a static device group.

• Remove device(s) from a static device group.

• List the dynamic device groups created by the system and static groups created by the user.

• List the devices in a group.

• Add, delete, or update the attributes of a static group.

7.3.2 Create a Device Group

Click Devices -> Device Group -> Create

After clicking Submit button, there will be a new group item in the list.



7.3.3 Check Group Detail Information

Click group id and the page will link to the group detail page.

7.3.4 Bind and Remove Devices

Click Add button to bind devices to the current device group.

7.3. Device Group 53


Click Bind to Group to bind all devices selected to the current group. On Group List page, select devices,and remove button can be used. Click it to remove all selected devices from the current group.

7.3.5 Deploy SW to device group

Click deploy icon (red box content), and a deploy dialog will show up:

On deploy dialog, customers can select to deploy app or solution. Select the target app or solution.

• Click deploy button, target apps or solution will be deployed to device in this group, and a task will becreated.

• Click Save as template button, current deploy setting will be saved as a template, and a templatewill be created.


CHAPTER

EIGHT

APPLICATION MANAGEMENT

8.1 App Store

8.1.1 Introduction

App store is the digital distribution platform for dockerized applications running on devices. It supports users to view,search, deploy, and monitor applications on end devices.

The following are the major function modules:

• Create

• Delete

• View

• Update

• Deploy

8.1.2 Public & Private App

Private: The App is only visible to and maintained by the owner.

Public: The App is visible to every user.

If an App needs to be changed from private to public, the owner of the App should be responsible for the qualityassurance.

8.2 Application Management

8.2.1 Get Available Apps

Click EdgeScale Software Store on the top navigation bar.

• Click App Market to view public Apps list page.

• Click My App to my Apps list page.

55


8.2.2 Add App in Market into My App

Click App Market > Add to My APP to add one App from Market to My App.

8.2.3 View and Edit App

Click an App’s name to view the details of the App in Market, or edit the App in My App.

56 Chapter 8. Application Management


• Click App permission to configure if the App would be visible to other users.

8.2. Application Management 57


Apply for a public store: Enroll the App into EdgeScale public App store with justification.

• Click App Documents to edit App documents.

• Click Edit to update the basic configuration of the App.

• Click Add to add more docker run arguments.



8.2.4 Create App

Click Create App button to create a new App.

All the fields marked with “*” are mandatory.

Step1: Input the basic info.

• App Name (mandatory): The name for the App

• Description: The description for the App

• Upload Icon: Upload the App’s icon

Step2 : Input the configuration info.

• Registry (mandatory): Select the registry for the App container

• Image Name (mandatory): The image name for the App container

• Version (mandatory): The version of the App container



• Commands: Shell commands, like “/bin/bash -c”, etc.

• Arguments: Command arguments

• Host Network: Connect a container to a network

• Host Port: Container host port

• Container Port: Container port

• Host Path: Container host path

• Mount Path: Container host path

• Cap Add: Add Linux capabilities

Click submit button to create the App.



8.2.5 Delete App

Click My App > Delete to remove an App out of My App.

8.2.6 Deploy App

1. Deploy an App to device

Click Edge Software Store > App Store > My App > Deploy.

Step:

• App Version: Choose the App’s version

• More Arguments: Specify the “docker run” command arguments for deployment

• Devices: Choose devices

• Deploy App: Deploy the App to devices



Click Deploy button to begin the deployment, then go to the task page.

2. Deploy an App to group devices

Click Smart Connect > Device > Device Group.



Select one or more Apps. Click Deploy, then Apps selected will be deployed to every device in this group.

3. Deploy Apps from task template

Click Smart Connect > Task > Task Template.



In this new page, we can preview and edit the template.

Click Deploy to create a new deployment task, then switch to task page to view the latest deployment status.



8.2.7 Arguments for App

1. Arguments setting of creating App



2. Argument of deployment



3. Docker run command



4. Application argument


CHAPTER

NINE

SOLUTION MANAGEMENT

9.1 Solution Store

9.1.1 Introduction

Solution store is a visual solution control system. It is designed as a tool for users to manage solution software.

The major components are:

• Create

• Delete

• View

• Update

• Deploy

9.1.2 Public & Private Solution

Private: The Solution is only visible and maintained by the owners.

Public: The Solution is visible to every user.

9.2 Solution Management

9.2.1 Get Available Solution

Click Edge Software Store on the top navigation bar.

• Click Solution Market to view public solution list page.

• Click My Solution to view private solution list page.

71


Click the solution title to open solution detail page.

9.2.2 Deploy Solution

If automatic OTA is configured, the device accepts solution image update commands from the cloud. Users can selecta solution image in the store and deploy it to device(s).

Click Deploy button to deploy the solution to devices.

72 Chapter 9. Solution Management


Step1: Filter devices (According to Location, Name and Tags, system will find target devices).

Step2: Select devices to deploy the solution.

Step3: Click Deploy button to deploy solution.

9.2. Solution Management 73


9.2.3 Create Solution

Click the Edge Software Store at the top of the page and the Solution Store in the left navigation bar.

Click Create button to open the “solution create” page.

All the fields marked with “*” are mandatory.

Step1: Input basic information.

Model Name: Choose a model for the solution Solution Name: Specify the name of the solution Version: Specifythe version of the solution

Step2: Define permission of the solution.

Permission: Private solution is visible to the solution owner. Public solution is visible to all users. Tags: Apply tagsto the solution.

Step3: Configure firmware settings.

• Specify the firmware location (Image URL, assuming this image is uploaded in a public file storage).



• Upload Firmware Image - users can upload a local firmware image (NOT supported yet).

Click Submit button to create the new solution.

9.2.4 Solution Component Update

This section introduces how to update the system software components such as firmware, Uboot, kernel, dtb, rootfs,etc.

Warning: Updating the system software component is risky. Please make sure the software component is com-patible with the software image on the device. Otherwise, it may stop the system from booting or functioningnormally.

1. Precondition:

• Device is online.

• Device is already deployed with the full solution image. The component version is the same as the full solutionimage.

2. Prepare components that need to be upgraded (u-boot, boot partition) and install.sh.

Step1: Provide the install script of how to deploy the software component image on the device.

Note: The install script must be named as “install.sh”. Below example only works with LSDK solution image. Youshould adapt the install script to the target device and the software system.

For example, to update components on ls2088ardb with LSDK image:

• The install script for Uboot should be:

#!/bin/bash

download_path=/run/media/mmcblk0p3/updateImagesif [ -e ${download_path}/firmware*.img ];then

update_file=`ls ${download_path}/*firmware*.img`flex-installer -f $update_file -d /dev/mmcblk0

fi

• The install script for kernel should be:



#!/bin/bash

download_path=/run/media/marble0p3/appendages

if [ -e ${download_path}/boot*.tgz ];thenupdate_file=`ls ${download_path}/*boot*.tgz`ls | grep -v lost+found | xargs rm -rf {}tar zxf $update_file -C /run/media/mmcblk0p2

fi

Step2: Tar components that need to be upgraded with the install script.

#packaging the Uboot image with install script$tar czvf install.tgz firmware_ls2088ardb_uboot_norboot.img install.sh

#packaging the boot partition image with install script$tar czvf install.tgz bootpartition_LS_arm64_lts_4.14.tgz install.sh

Step3: Create the solution component image.

Please refer to Create Solution

Note: When updating the solution component image, the checkbox ‘Have the installer in solution’ must be marked.

Fill in the image URL in the solution and submit.



Step4: Deploy component image.

Please refer to Deploy Solution

Select the solution component image you created for deployment.


CHAPTER

TEN

MONITOR

10.1 Devices

Click Here to see more on device monitor

10.2 Task

10.2.1 Introduction

Task is designed as a tool for users to monitor the status of APPs/solutions deployment (including delete, view).

10.2.2 Get Task List

Click Task > Task List on the left navigation bar.

Click task’s id to open the task detail page:

79

https://doc.edgescale.org/device.html


10.3 Task Template

10.3.1 Introduction

Task template is designed as a tool for users to save already existed tasks into a template (including delete, view).

10.3.2 Get Task Template List

Click Task > Task Template on the left navigation bar.

Click task’s Save As Template icon to save current task into a template.

Click Submit button. There will be a template item in template list.

80 Chapter 10. Monitor


Click template id (red box content). The page will link to template detail page.

Click deploy icon (green box content). The page will link to edit and deploy page.

10.3. Task Template 81


After finishing editing, click deploy button to deploy the modified template. If you click the save button, all changeswill be saved without being deployed.

82 Chapter 10. Monitor

CHAPTER

ELEVEN

CONNECT TO EDGESCALE

11.1 Connect Linux devices

11.1.1 Build EdgeScale Client

Currently, EdgeScale only supports building EdgeScale client with flex-builder on LSDK based images. Please referto 3. Deploy EdgeScale agents on the device for building instructions.

11.1.2 OTA: Auto Deployment

Introduction

A solution image can be deployed to one or more devices from the EdgeScale web page. This guide will introduce toyou how to deploy a solution to the device.

1. Click Software > Solution on the left navigation to go to solution page.

2. Click Deploy button of the selected solution (e.g. edgescalecli001-test) to go to the ‘Filter’ page.

83


3. Fill in the device filter conditions and click Query Devices button to go to the ‘Select devices’ page.

4. Select one device and click Next Step: Preview button to go to the ‘Preview’ Page.

84 Chapter 11. Connect to EdgeScale


5. Click Next Step: Deploy button to go to the ‘Status Monitor’ Page.

11.1.3 Non-OTA: Manual Deployment

In this mode, the image built by flex-builder is manually installed on SD/USB/SATA storage. After this, the dockerbased application can be deployed from the cloud. For more details about how to manually build and deploy the LSDKdistro with EdgeScale client to storage, please refer to the LSDK doc: https://lsdk.github.io/.

1. Log in to EdgeScale, create device, bind device model at the dashboard, and download the identification imagelike:bootstrap-enroll-<device-name>.sh

2. Boot up the board using the LSDK tiny itb image, format and create new partition on storage, then deploy theLSDK boot partition and rootfs into the storage. e.g. For ls1046a: In u-boot:

=> setenv bootargs root=/dev/ram0 rw console=ttyS0,115200 earlycon=uart8250,mmio,→˓0x21c0500 ramdisk_size=0x10000000=> tftp a0000000 lsdk_linux_arm64_tiny.itb=> bootm 0xa0000000#ls1046ardb

In Linux:

$ flex-installer -i pf -d sd$ cd /run/media/mmcblk0p3 # then download the boot partition and rootfs you generated→˓using LSDK into this partition.$ flex-installer -i install -b <bootpartition> -r <rootfs> -m ls1046ardb -d sd$ reboot

3. Boot up the board form storage. e.g. For ls1046ardb In u-boot:

=> cpld reset sd

4. After booting up board from storage, copy and run the identification image and start the enrollment process.

$ bash bootstrap-enroll-<device-name>.sh /dev/mmcblk0$ startup.sh

11.1.4 Enable i.MX Linux with EdgeScale

This guide describes how to enable i.mx8mmevk with Edgescale.

1. Register an account and the device

Following Quick Start Guide to register account, register the i.mx linux device and download the device identificationimage.

2. Download and program the bootstrap images

To enable i.mx8mmevk in Edgescale, both sdboot image and norboot image should be programmed. for i.mx8mqevkand i.mx6qsabresd, only sdboot image is required, you can get the images from Image Download.

To program norboot image(only for i.mx8mmevk), run the following commands:

=> tftp 0x42000000 imx8mm/firmware_imx8mmevk_uboot_norboot.img=> sf probe=> sf erase 0 440000=> sf write 0x42000000 0 440000

11.1. Connect Linux devices 85

https://lsdk.github.io/

https://image.edgescale.org/private-cloud/1909/imx8mm/firmware_imx8mmevk_uboot_sdboot.img

https://image.edgescale.org/private-cloud/1909/imx8mm/firmware_imx8mmevk_uboot_norboot.img


Note: if you use SD boot mode, but nothing is shown in serial terminal, you need to download and program aworkable imx8mmevk sdcard image into the SD card refer to following command:

$ bzip2 -d edgescale-1909-imx8mmevk.sdcard.bz2

$ sudo dd if=edgescale-1909-imx8mmevk.sdcard of=/dev/sdx bs=4M && sync

Once you have programmed above sdcard image, you can boot up board from SD card and program the norboot image.please switch to nor boot mode after programing the noboot image.

To program sdboot image(for i.mx8mmevk/i.mx8mqevk/imx6qsabresd), run the following command on your PC:

$ sudo dd if=firmware_imx<xxxx>_uboot_sdboot.img of=/dev/<sdx> bs=512 skip=8 seek=8 &&→˓ sync

for imx6qsabresd, besides sdboot image, you also need to program SPL into the SD card using following command:

$ sudo dd if=SPL of=/dev/<sdx> bs=1k seek=1 && sync

3. Program the identification image to SD on a Linux PC.

Make sure the SD card is partition as below:

$ /dev/sdb1 131072 2228223 2097152 1G 83 Linux$ /dev/sdb2 2228224 10616831 8388608 4G 83 Linux$ /dev/sdb3 10616832 23199743 12582912 6G 83 Linux$ /dev/sdb4 23199744 30719999 7520256 3.6G 83 Linux

Note: Use the fdisk command for SD card partition and use mkfs.ext4 command to format each partition. The startand end sector of first three partitions should be same with above example.

Program the device identification image

$ sudo fdisk -l # find the /dev/<sdx> for the SD card e.g. /dev/<sdx>$ sudo umount /dev/<sdx>$ sudo ./bootstrap-enroll-<deviceID>.sh /dev/<sdx>

4. Reset to OTA

Boot up the board to get the u-boot prompt, run ‘reset’ command to start the OTA process:

=> reset

5. Deploy app

Please refer Deploy APP for deployment of apps.

11.1.5 Build EdgeScale images on i.MX

1. Download the build environment


https://image.edgescale.org/1909/edgescale-1909-imx8mmevk.sdcard.bz2

https://image.edgescale.org/private-cloud/1909/imx6/SPL


$ mkdir fsl-arm-yocto-bsp$ cd fsl-arm-yocto-bsp$ repo init -u https://source.codeaurora.org/external/imx/imx-manifest -b imx-linux-→˓sumo -m imx-4.14.78-1.0.0_demo_edgescale.xml$ repo sync$ cd sources$ rm -rf meta-edgescale$ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/meta-→˓edgescale

2. Build bootstrap/solution image

Take imx8mqevk as an example:

• Setup build environment

$ MACHINE=imx8mqevk DISTRO=fsl-imx-xwayland source edgescale-setup.sh bld-xwaylandAdd the lines to the configuration file - conf/local.conf

GOVERSION = "1.10%"DISTRO_FEATURES_append = " ota"

Note: To build images with customized domain name, need to add following lines to conf/local.conf. if“edgescale.demo” is used as domain name suffix, please use self-signed certificates mentioned in III. Configureurl/account/certificate for the services.

# Change the domain suffix to what you want to use.The domain name must be the same→˓as the one in the certificateES_DOMAIN_SUFFIX = "yourdomain.com"

# Define this line when self-signed certificates are usedES_CERTIFICATE_PATH = "/path/for/self-signed/edgescale/certificates"

Note: For imx6qsabresd

Add below line to sources/meta-fsl-bsp-release/imx/meta-sdk/conf/distro/include/fsl-imx-preferred-env.inc

PREFERRED_PROVIDER_virtual/bootloader_mx6 = “uboot-ota”

• Build EdgeScale bootstrap image

$ bitbake edgescale-bootstrap-imx

• Build EdgeScale solution image

Note: Remove the following line from build configuration file – conf/local.conf

DISTRO_FEATURES_append = ” ota”

For imx6qsabresd

Remove below in sources/meta-fsl-bsp-release/imx/meta-sdk/conf/distro/include/fsl-imx-preferred-env.inc

PREFERRED_PROVIDER_virtual/bootloader_mx6 = “uboot-ota”

11.1. Connect Linux devices 87


$bitbake core-image-weston

3. Create EdgeScale solution

IMX8MMEVK/IMX8MQEVK

tar czvf full-image.tgz Image \u-boot.itb \fsl-<machine>-evk.dtb \core-image-weston-<machine>.rootfs.tgz

IMX6QSABRESD

tar czvf full-image.tgz zImage \u-boot-dtb.img \imx6q-sabresd.dtb \

core-image-weston-imx6qsabresd-rootfs.tgz

Upload the compressed solution image to a storage server and get the download link. Please refer to Create Solutionto create a solution in Edgescale.


CHAPTER

TWELVE

SECURE SOLUTION

This section is very platform dependent and we Strongly suggest reading the security chapter of the LSDK documentfirst before running any real instructions on the device.

In order to build a secure solution, you need to boot the board securely. Steps to do so can be found in LSDKdocument’s “security chapter”.

12.1 Prepare Secure Bootstrap Image

• Generate key pair using CST tool.

CST tool can be built from source and key pair generation is one of the functionality. Generally, the key pairshould be generated once and keep safe. The private key will be used to sign images and the public keywill be fused into the device to verify the image signature.

# build cst tool from source$ flex-builder -c cst

$ cd <flex-builder dir>/packages/apps/cst

# generate RSA key pair: srk.pub and srk.pri, 1024bit$ ./gen_keys 1024

12.1.1 Demo Key Pair Download

Download the demo key pair according to the following table.

Version Platform Imagesv1909 demo key pair srk.tgz

• Build the secure bootstrap image

For build the secure bootstrap image with the specified key pair , please refer to Bootstrap.

12.2 Prepare Secure Solution Image

• Specify the key pairs for secure boot in configs/build_lsdk.cfg

SECURE_PRI_KEY=/home/xx/path/srk.priSECURE_PUB_KEY=/home/xx/path/srk.pub

89

https://image.edgescale.org/1909/srk.tgz


• Building EdgeScale agents as introduced in LSDK user guide. See more at 3. Deploy EdgeScale agents on thedevice.

12.3 Create Device and Bootup in Secure Mode

• Create device via EdgeScale dashboard or escli command line tools.

• Program secure bootstrap image into the device. See more at Bootstrap.

12.4 Enforce the Secure Boot

In production systems, secure boot is enforced via blowing the ITS fuse.

In development environment, if you are booting the board securely using SB_EN bit, you need to ensure that ITS bitis set. This can be done via code-warrior (ccs). For this you would need to put the core in boot hold-off by setting thecorresponding bit in RCW.

• Set the ITS bit through CCS when the system is in boot hold off state.

#Boot up the system

#Connect CodeWarrior/ccs

#Set the ITS bit if ITS not fused$ ccs::write_mem <dap chain position> 0x1e80200 4 0 0x00000004

#Get the Core Out of Boot Hold-Off$ ccs::write_mem <dap chain position> 0x1ee00e4 4 0 0x1

12.5 Read Pub Key From Device

This public key is derived from srk.pub generated by CST tool and used for device authentication. mp_app ispart of the secure object library and is integrated with LSDK rootfs.

• Get MP public key:

– Boot up system with secure mode.

– Get public key in the device with tool mp_app:

mp_app -p

Public key x part = 671fe89daca42004d648b2ad7ddeb2a0ca7e47556e73f376aab45061fca74603

Public key y part = 9519e09aab4da3a972511d3ca7e842e8bb1d02e744cc85ff4e65c0ca6fbb7376

Public key in form of x followed by y is saved in pub_key file

90 Chapter 12. Secure Solution


12.6 Upload Device db to Cloud

To securely enroll the device to the cloud, some data from the device needs to be uploaded to the cloud. This dataincludes:

1. Manufacturing Protection Public Key - Public part of the ECC key pair generated after secure boot process.Steps are given in the Section “Read pub key from device”.

2. Factory UID or FUID

3. OEM UID (To obtain 2 and 3, please refer to the SoC SFP block memory map from the Reference Manual)

#csv file schema: FUID, OEMID, SK_PUB_X, SK_PUB_Y, MODEL_ID

$ escli device upload-db -f <db.csv>

4. Create device on dashboard with SN: <FUID>:<OEMID>

12.6. Upload Device db to Cloud 91


92 Chapter 12. Secure Solution

CHAPTER

THIRTEEN

CONTAINER SECURITY

13.1 Overview

13.1.1 Introduction

We use the following features to ensure the docker security when reviewing container and image security onEdgeScale:

• Kernel namespaces

• Control groups

• Docker daemon attack surface

• Linux kernel capabilities

• Use trusted docker private registry

• Use trusted images (signature and verification)

• Vulnerability Static Analysis for Containers

13.1.2 Illustrated

Container security on EdgeScale illustrated.

93


Steps to use it:

• 1. Setup a secure Private Registry.

• 2. Use a trusted registry and image on EdgeScale.

13.2 Setup a Secure Private Registry

13.2.1 Components

• Docker CE client

• Notary

• Docker private Registry

• Nginx

• Harbor

13.2.2 Install the Trusted Private Docker Registry - Harbor

Install Docker CLI and Docker compose

What’s Harbor

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extendsthe open source Docker Distribution by adding the functionalities usually required by users such as security, identityand management. Having a registry closer to the build and run environment can improve the image transfer efficiency.Harbor supports replication of images between registries, and also offers advanced security features such as usermanagement, access control and activity auditing.

94 Chapter 13. Container Security

https://docs.docker.com/install

https://github.com/theupdateframework/notary

https://github.com/docker/docker-registry

https://www.nginx.com/

https://github.com/goharbor/harbor


Prerequisites for the target host

Harbor is deployed as several Docker containers, and therefore can be deployed on any Linux distribution that supportsDocker. The target host requires Python, Docker, and Docker Compose to be installed.

• Hardware

Resource Capacity DescriptionCPU minimal 2 CPU 4 CPU is preferredMem minimal 4GB 8GB is preferredDisk minimal 40GB 160GB is preferred

• Software

Software Version DescriptionPython version 2.7

or higherNote that you may have to install Python on Linux distributions (Gentoo, Arch) thatdo not come with a Python interpreter installed by default

Dockerengine

version 1.10or higher

For installation instructions, please refer to: https://docs.docker.com/engine/installation/

DockerCompose

version 1.6.0or higher

For installation instructions, please refer to: https://docs.docker.com/compose/install/

Openssl latest is pre-ferred

Generate certificate and keys for Harbor

• Network ports

Port Proto-col

Description

443 HTTPS Harbor UI and API will accept requests on this port for https protocol443 HTTPS Connections to the Docker Content Trust service for Harbor, only needed when Notary is en-

abled80 HTTP Harbor UI and API will accept requests on this port for http protocol

Downloading installer package

We offer two installation methods to setup Harbor. By default, we recommend offline installation.

Package Platform Image URLoffline Linux harbor-offline-installer.tgzonline Linux harbor-online-installer.tgz

Installation steps

Download installer package and decompress.

$ tar xvf harbor-offline-installer.tgz$ cd harbor-offline-installer$ mkdir /root/cert && cd harbor-installer

Get a certificate.

• You can request a new certificate with trusted certificate provider.

13.2. Setup a Secure Private Registry 95

https://docs.docker.com/engine/installation/

https://docs.docker.com/engine/installation/

https://docs.docker.com/compose/install/

https://docs.docker.com/compose/install/

https://image.edgescale.org/container/harbor-offline-installer.tgz

https://image.edgescale.org/container/harbor-online-installer.tgz


• The certificate usually contains a .crt file and a .key file, e.g. regisrty.edgescale.org.crt and reg-istry.edgescale.org.key.

• About the certificate conventions, please refer to the chapter Use a trusted registry and imageon EdgeScale -> Remarks.

Install by https.

• Edit file harbor.cfg, replace field ssl_cert, ssl_cert_key and hostname with your domain name.

• For example:

$ cp cert/registry-1.edgescale.org.key /root/cert/$ cp cert/registry-1.edgescale.org.crt /root/cert/$ ./install.sh --with-notary --with-clair

Login and push

$ cp registry-1.edgescale.org-CA.crt /usr/local/share/ca-certificates/$ update-ca-certificates$ service docker restart$ docker login -u admin -p Harbor12345 registry-1.edgescale.org$ docker pull hello-world$ docker tag hello-world registry-1.edgescale.org/library/hello-world$ docker push registry-1.edgescale.org/library/hello-world

13.3 Use a trusted registry and image on EdgeScale

13.3.1 Enable Trusted Container for EdgeScale

Add OEM information to EdgeScale

Click Admin -> Endpoint Config

• Fill in the fields Root CA and Private Key from your certificate’s bundle package.

• Root CA: Verify the security of the external connection

• Private Key: Issued to the secondary certificate

• Trust Chain: Verify secondary or lower level certificate



After filling in the fields, you can update a new certificate package.

• Fill example:

Add private registry service

Click Create button to add your private registry.

• Service Name: Current supported service can be added.

• URL: Service URL.

• Port: Service port.

• Token: Docker login token content. Optional field, currently only docker repo serviceis supported.

13.3. Use a trusted registry and image on EdgeScale 97


• Fill example:

• Get the token content. See below example for reference.

Add trust container service

Click Create button to add your trusted server address.



• Fill example.

List all services

If you want to see all services available, you can find them by:

Add Docker registry

Click Admin -> Docker Registry -> Create, Then Fill docker registry server.

• Fill example.



13.3.2 Pushing Trusted Container Image on Target Host

Download Private Registry Certificate

$ cp registry-1.edgescale.org-CA.crt /usr/local/share/ca-certificates/$ update-ca-certificates$ service docker restart$ docker login -u admin -p Harbor12345 registry-1.edgescale.org

Enable content trust on your target host

$ export DOCKER_CONTENT_TRUST=1$ export DOCKER_CONTENT_TRUST_SERVER="https://trust.edgescale.org"

Push a signed image to Private Registry

$ docker tag debian registry-1.edgescale.org/library/debian$ docker push registry-1.edgescale.org/library/debian:latestThe push refers to repository [registry-1.edgescale.org/library/debian]dd60b611baaa: Pushed1.0: digest: sha256:6d8fda39c2eb8fdc7b18c27f53fb6c01ac7721e7d55e7d6ae4cf6b1f3f0109fb→˓size: 529Signing and pushing trust metadataEnter passphrase for root key with ID 83320be:Enter passphrase for new repository key with ID 7411b4b:Repeat passphrase for new repository key with ID 7411b4b:Enter passphrase for new repository key with ID 7411b4b:Repeat passphrase for new repository key with ID 7411b4b:Enter passphrase for new repository key with ID 7411b4b:Repeat passphrase for new repository key with ID 7411b4b:Finished initializing "registry-1.edgescale.org/library/debian"Successfully signed registry-1.edgescale.org/library/debian:latest

13.3.3 Create Trusted App on EdgeScale

Next, you need to create a trusted App on EdgeScale.



Click Edge Software Store -> APP Store -> My App -> +

• Fill the App Name, Description and upload App logo.

• Choose your added registry server address and fill in other basic info.

• Click submit, then click My App to see the App created.



For more details, please see the chapter Application Management.

13.3.4 Deploy Trusted APP from EdgeScale

Regarding the deployment of Apps, please see the chapter Application Management -> Deploy App.

13.3.5 Remarks

• We recommend naming your private registry and trusted service by the following naming conventions.

– Private Registry domain name - registry.A.B

– Trust Server domain name - trust.A.B

• Regarding the domain certificate issued, the below condition must be followed.

– The domain name *.A.B issued by CA provider.


CHAPTER

FOURTEEN

ESCLI USAGE

14.1 ESCLI Overview

CLI is the acronym for command-line interface. EdgeScale CLI (ESCLI) is used to maximize productivity. CLI offersgreater capability than a dashboard, exposing more, finer-grained commands, especially when the task must be donerepeatedly. Such scenario would likely occur if a company manages thousands or millions of nodes. For example, CLIhelps developers build a firmware image and push it out to multiple devices with only a few commands.

14.2 Installation

ESCLI is verified with Ubuntu 16.04 Linux system and python 2.7.

$ git clone https://github.com/NXP/escli$ cd escli$ sudo python setup.py install

14.3 Common Usage

The usage of EdgeScale CLI is:

$ escli

Usage: escli [OPTIONS] COMMAND [ARGS]...

CLI to interact with EdgeScale server and execute your commands, defaultconfig file is ~/.edgescale/cli_conf.ini

Options:-H, --host TEXT EdgeScale host server address--debug enable debug mode, default False-h, --help Show this message and exit.

Commands:app applications managementdevice device register and management.instance docker or application instances managementlogin login to EdgeScalelogout Logout from EdgeScalemodel model of device management.


103



repo docker's repository registry.solution solution image management.task service to deploy application or solution.vendor manufacturer vendor management.

14.3.1 Login to EdgeScale

There are two ways to log in to the EdgeScale server as shown by the two commands below. Please use only one ofthem to log in to the EdgeScale system. Once logging in successfully, a token file will be generated and the user’stoken will be saved in file “~/.edgescale/token.txt”. Simultaneously, a configuration file is generated with the defaultEdgeScale API server name and API version defined in this file (~/.edgescale/cli_conf.ini). You can edit it if needed.

$ escli login Input user’s name and password according the prompt.$ escli login -u <username> -p <password>

14.3.2 Device commands

With the device related commands, users can create new devices, and check and query the device status.

Device command help usage

$ escli deviceUsage: escli device [OPTIONS] COMMAND [ARGS]...

device register and management.

Options:-h, --help Show this message and exit.

Commands:create create a new device.delete Remove device by id or nameget-cert Get device private key & certification by...list List your Devicesshow show device information.

Create new device

$ escli device create -hUsage: escli device create [OPTIONS]

Create a new device.

Options:-d, --description TEXT Description--fuid TEXT device's fuid [required]--model_id INTEGER device model's id [required]-h, --help Show this message and exit.

Parameters notes:


104 Chapter 14. ESCLI Usage



fuid: factory uuid, here we can type some string or number insteadmode_id: device’s model ID, can be get by command “escli model list”

Query the device list

$ escli device list+-----+----------------------------------------------------------+---------+----------→˓------------------+---------+| id | Device name | Status |→˓Create time | IP addr |+=====+==========================================================+=========+============================+=========+| 663 | 13d3ddee9bda56ae84e8ab578f625e3e.iot.gateway.ls1046a.nxp | offline | 2018-05-→˓31 06:03:57.123579 | None || | | |→˓ |

$ escli device list --id 663----------------------------------------------------------------------

id: 663name: 13d3ddee9bda56ae84e8ab578f625e3e.iot.gateway.ls1046a.nxpcreated_at: 2018-05-31T06:03:57.123Zlast_report: Nonemode {"platform": "ls1046a", "model": "iot", "vendor": "nxp", "type

→˓": "gateway"}certname: 13d3ddee9bda56ae84e8ab578f625e3e.iot.gateway.ls1046a.nxpuid: 13d3ddee9bda56ae84e8ab578f625e3ecpu_usage: Nonemem_usage: Nonees_version: Noneapp_num: Nonemac: 00:00:00:00:00:00

Delete device

$ escli device delete --id=xxx

Upload device metadata to cloud

With this command, users can upload the device metadata to the cloud in batches. An example metadata file is“example/dev_db.csv”. It contains device fuid, OEM_DI, SK_PUB_X, and SK_PUB_Y.

$ escli device upload-db -f dev_data.csv.

14.3.3 Application commands

With the application commands, users can create new Apps, deploy Apps to devices, query the App status, and checkinstance status.

14.3. Common Usage 105


Help usage

$ escli appUsage: escli app [OPTIONS] COMMAND [ARGS]...

applications management


Commands:create create a new applicationdel-instance delete the docker instancedelete Remove a applicationdeploy Deploy one application to deviceinstance query and list the docker instances of userlist List your Applicationsshow query and show specific application (id...

Create application

$ escli app create -hUsage: escli app create [OPTIONS]

Create a new Application.

Options:--name TEXT application name to be created [required]--image_name TEXT docker image name, e.g., media_server:latest [required]--vendor_id INTEGER vendor_id default null--commands TEXT docker application command default null--args TEXT args of application command default null--pic TEXT application skin picture file default null--description TEXT Description, default null-h, --help Show this message and exit.

Query application

$ escli app list+-----+------------------------+--------------------+-----------+--------------+| id | name | display_name | is_public | description |+=====+========================+====================+===========+==============+| 398 | edgerepos-aiwebapp | edgerepos-aiwebapp | 0 | || 391 | testname1 | display1 | 0 | description1 || 385 | LSDK1806-New-feature- | New-feature-LS1046 | 0 | || | LS1046 | | | |

Deploy application to device

$ escli app deploy -hUsage: escli app deploy [OPTIONS]





Deploy one application to device

Options:--device TEXT device's name [required]--app_id INTEGER application's id [required]-h, --help Show this message and exit.

Check instance status

$ escli app instance+---------------+--------+-----------------+-------------+---------+| instance_name | status | deployed_device | create_time | message |+===============+========+=================+=============+=========++---------------+--------+-----------------+-------------+---------+

Delete Application

$ escli app delete -hUsage: escli app delete [OPTIONS]

Remove a application

Options:--id INTEGER delete according to application id [required]-h, --help Show this message and exit.

14.3.4 Instance commands

With the instance commands, users can reboot a docker instance, check instance log, and deploy/delete an instanceto/from devices.

Help usage

$ escli instanceUsage: escli instance [OPTIONS] COMMAND [ARGS]...

docker or application instances management


Commands:delete delete the docker instancedeploy Deploy one application to device, same as...describe show history and event for docker instancelist query and list the docker instances of userlogs show the docker instance logreboot reboot the docker instance, remember to backup your instance data



Check instance description

$ escli instance describe --name face-recognition-3e333ca6f8274f

2019-01-23T07:42:59Z: pending 35d07fcae2d1538ebb5f8972e1ddc523.lsdk.generic.→˓ls1046ardb.nxp Wait to schedule and launch2019-01-23T07:43:15Z: creating 0%: aa2cf31b9627: Verifying Checksum2019-01-23T07:43:16Z: creating 50%: aa2cf31b9627: Download complete2019-01-23T07:43:16Z: creating 100%: aa2cf31b9627: Pull complete2019-01-23T07:43:17Z: creating 100%: Digest:

→˓sha256:edf26fe09753cd52dfcf9fdbdd7ad88205722d14fa74f2618dcd3d6cf835d7742019-01-23T07:43:18Z: starting Download image done, app is starting.2019-01-23T07:43:19Z: starting Download image done, app is starting.2019-01-23T07:44:18Z: running running

Check instance logs

$ escli instance logs --name face-recognition-3e333ca6f8274f

92.120.166.93 - - [09/Jan/2019 02:32:20] "GET /phpmyadmin/ HTTP/1.1" 404 -92.120.166.93 - - [09/Jan/2019 02:32:20] "GET /console/faces/com_sun_web_ui/jsp/

→˓version/version_30.jsp HTTP/1.1" 404 -92.120.166.93 - - [09/Jan/2019 02:32:21] "GET /console/faces/com_sun_web_ui/jsp/

→˓version/version_4.jsp HTTP/1.1" 404 -1547001185: New connection from 92.120.166.93 on port 1883.1547001185: Socket error on client <unknown>, disconnecting.1547001245: New connection from 92.120.166.93 on port 1883.1547001245: Socket error on client <unknown>, disconnecting.92.120.166.93 - - [09/Jan/2019 02:34:23] "GET /cgi-bin/htsearch?Exclude=%60/etc/

→˓passwd%60 HTTP/1.1" 404 -92.120.166.93 - - [09/Jan/2019 02:34:23] "POST /xmlrpc.php HTTP/1.1" 404 -92.120.166.93 - - [09/Jan/2019 02:34:23] "GET /jkstatus/ HTTP/1.1" 404 -92.120.166.93 - - [09/Jan/2019 02:34:23] "GET /CFIDE/administrator/enter.cfm?

→˓locale=../../../../../../../lib/password.properties%00en HTTP/1.1" 404 -92.120.166.93 - - [09/Jan/2019 02:34:23] "GET /cgi-bin/php.ini HTTP/1.1" 404 -92.120.166.93 - - [09/Jan/2019 02:34:23] "POST /cgi-bin/home.tcl HTTP/1.1" 404 -92.120.166.93 - - [09/Jan/2019 02:34:23] "POST /cgi-bin/test-cgi HTTP/1.1" 404 -

Reboot an instance

$ escli instance reboot --name ibm-iot-3e333ca6f8274f069a10aa45bb32ebf7+-----------------------------------------+-----------+-----------------------------

→˓------------+----------------------+-----------------------------+| instance_name | status | deployed_device

→˓ | create_time | message |

→˓+=========================================+===========+=========================================+======================+=============================+| ibm-iot- | rebooting |

→˓3aad486f5ed75dd7815d26637f106840.lsdk.g | 2019-03-06T02:00:33Z |→˓ || 3e333ca6f8274f069a10aa45bb32ebf7 | | eneric.ls2088ardb.nxp

→˓ | | Wait to schedule and launch || | |

→˓ | | |





+-----------------------------------------+-----------+-----------------------------→˓------------+----------------------+-----------------------------+

14.3.5 Solution commands

With the solution commands, users can upload new solutions, deploy solution to devices, and edit the solution images.

Help usage

$ escli solutionUsage: escli solution [OPTIONS] COMMAND [ARGS]...

solution image management.


Commands:create create a solution imagedelete Remove solution by id or namedeploy Deploy solution image to board, use "escli...list List your solution itemsshow show a specific solution information (id...update update solution image_url and permission

Create new solution

$ escli solution create -hUsage: escli solution create [OPTIONS]

Create and upload a solution.

Options:--name TEXT solution name and version, e.g.,

lsdk_solutionname1:version2 [required]--image_url TEXT solution image URL, e.g.,

http://sun.ap.testhost/testpath/testimgage.tgz[required]

--model_id INTEGER model's id, escli model list [required]--public_key TEXT image signed public key default null--private make the image as private, default False-h, --help Show this message and exit.

Edit the solution image

$ escli solution update -hUsage: escli solution update [OPTIONS]

update solution image_url and permission





Options:--id INTEGER solution id [required]--image_url TEXT solution image URL, e.g.,

http://sun.ap.testhost/testpath/testimgage.tgz [required]--private make the image as private, default False-h, --help Show this message and exit.

14.3.6 Task commands

With the task commands, users can deploy applications or solution images to devices, and check each task status.

Deploy one application to a device

$ escli task deploy-app -hUsage: escli task deploy-app [OPTIONS]

Create task to deploy application.

Options:--device_id TEXT device id list [required]--id INTEGER application's id [required]--app_version TEXT application's version default 1806-h, --help Show this message and exit.

Deploy one solution image to a device

$ escli task deploy-solution -hUsage: escli task deploy-solution [OPTIONS]

Create task to deploy solution image to a board given.

Options:--device_id TEXT device id list [required]--id INTEGER solution's id [required]-h, --help Show this message and exit.

Check task status

$ escli task list+-----+-----------------+---------+------------------------------------------+| id | type | status | metadata |+=====+=================+=========+==========================================+| 478 | deploy_solution | Running | lsdk1806-ls1046-test-tc1;model_id:4 || 477 | deploy_solution | Running | lsdk1806-ls1046-test-tc1;model_id:4 || 474 | deploy_solution | Running | lsdk-1803;model_id:4 || 473 | deploy_solution | Running | LSDK1806-newFeature-1046-1806;model_id:4 || 472 | deploy_solution | Running | LSDK1806-newFeature-1046-1806;model_id:4 || 470 | deploy_solution | Running | LSDK1806-newFeature-1046-1806;model_id:4 |+-----+-----------------+---------+------------------------------------------+



14.3.7 Docker repository commands

With the repo commands, users can get the docker repository list and get command to log in to EdgeScale repository.

Help usage

$ escli repoUsage: escli repo [OPTIONS] COMMAND [ARGS]...

docker's repository registry.


Commands:get-login get a docker command to login EdgeScale...list query and show the docker registry list

get-login

The command is used to get token to log in to EdgeScale docker repository.

$ escli repo get-login

*** The previous docker login token will be expired.

*** Do you want to continue? [y/N]: y

*** Command to login EdgeScale registry:docker login -u xxxx -p 6964e3953ad4bb5b registry.edgescale.org/xxxx

14.3.8 Other commands

Model

The command is used to create, delete, or edit the device model.

$ escli modelUsage: escli model [OPTIONS] COMMAND [ARGS]...

model of device management.


Commands:create Create new model name, e.g, yun-ls1043a-gateway-nxpdelete Delete model by IDlist query and show the available model listupdate Update model with a new name

Vendor

The command is used to create or check device vendor list.



$ escli vendor -hUsage: escli vendor [OPTIONS] COMMAND [ARGS]...

manufacturer vendor management.


Commands:create create a new manufacturer vendor, admin is requireddelete Remove a vendor by vendor id, admin is requiredlist query and show the vendor list


CHAPTER

FIFTEEN

CONNECT PUBLIC CLOUD

This section will introduce to you how to integrate the public cloud service provider’s IoT SDK with EdgeScale.

15.1 Azure IoT Setup

15.1.1 Overall picture of the Azure setup

15.1.2 Hardware logistics

• Extra Ethernet cable

• Ethernet Router

• Power Strip

• SD card (8 or 32GB)

113


• Connect LS1012ARDB to a Linux PC by a serial port. The port device can be found as device /dev/ttyACMx(x can be 0, 1, etc).

15.1.3 Steps for cloud

• Register a free user account: free account.

• Follow the setup in the iot-edge quick-start

1. Create an IoT hub with Azure CLI.

2. Register an IoT Edge device.

• After the device registration, a connection string will appear.

15.1.4 Steps for board

$ iotedgectl setup --edge-hostname "nxp-iot-ls1012rdb" --connection-string→˓"HostName=RoyIotHub.azure-devices.net;DeviceId=LS1012ARDB-01;→˓SharedAccessKey=yT4r08JimivFTPGrBtw7xlxvQC4OqN0qzn2/aur8K3o=" --auto-cert-gen-force-→˓no-passwords

• Replace the string with your device string generated in previous step of device registration.

• A different host name other than “nxp-iot-ls1012rdb” needs to be used, but the name should not be the localhost.

$ iotedgectl start

15.1.5 Deploy a module

• Deploy a module.

• View generated data.

114 Chapter 15. Connect Public Cloud

https://azure.microsoft.com/free

https://docs.microsoft.com/en-us/azure/iot-edge/quickstart-linux


15.2 Ali-Cloud IoT Setup

15.2.1 Overall picture of the Ali-Cloud IoT setup

15.2.2 Hardware logistics

• Extra Ethernet cable

• Ethernet Router

• Power Strip

• SD card (8 or 32GB)

• Connect LS1012ARDB or LS1043/6ARDB to a Linux PC by a serial port. The port device can be found asdevice /dev/ttyACMx (x can be 0, 1, etc).

15.2.3 Steps for cloud

• Register a free user account: Register account

• Follow the setup in the IoT SDK introduction

1. Create the IoT product and Create the device

2. Create topic

3. Create message queue

4. Setup the server subscribe

15.2. Ali-Cloud IoT Setup 115

https://account.aliyun.com/register/register.htm?lang=&oauth_callback=http%3A//workorder.console.aliyun.com/console.htm%3Flang%3D%23/ticket/list/

https://help.aliyun.com/document_detail/30522.html?spm=a2c4g.11186623.6.539.Q3Rizk

https://help.aliyun.com/document_detail/73724.html?spm=a2c4g.11186623.6.577.4OnT84

https://help.aliyun.com/document_detail/73725.html?spm=a2c4g.11186623.6.578.hjABLShttps://help.aliyun.com/document_detail/73725.html?spm=a2c4g.11186623.6.578.hjABLS

https://help.aliyun.com/document_detail/73732.html?spm=a2c4g.11186623.6.584.Jmlqvahttps://help.aliyun.com/document_detail/73732.html?spm=a2c4g.11186623.6.584.Jmlqva

https://help.aliyun.com/document_detail/27414.html?spm=a2c4g.11186623.6.539.o5O8IR

https://help.aliyun.com/document_detail/50496.html?spm=5176.10695662.1996646101.searchclickresult.7e191f67QiBPOjhttps://help.aliyun.com/document_detail/50496.html?spm=5176.10695662.1996646101.searchclickresult.7e191f67QiBPOj


• The product, device, topic, and message queue can then be seen:



15.2.4 Steps for board

• Download Ali IoT SDK IoT-SDKV2.0.tar.bz2 or other versions.

15.2. Ali-Cloud IoT Setup 117


• Replace “PRODUCT_KEY”, “DEVICE_NAME” and “DEVICE_SECRET” with your device in Ali Cloud.

• Build the binary files and run.

15.2.5 Steps for MNS

• Download MNS SDK

• Get Access Key

• Install Python SDK. pip install aliyun-python-sdk-core

pip install aliyun-python-sdk-iot

• Modify the MNS SDK according to the requirement.

• Build the binary files and run.

15.3 AWS Greengrass Setup

AWS Greengrass core can run as a container, so EdgeScale can deploy it.

Please refer to Getting Started with AWS Greengrass. And, create certificates and groups to deploy Greengrass core.

There is a Docker image edgerepos/aws-greengrass on hub.docker.com, which can act as a base image which includes the package greengrass-linux-aarch64-1.6.0.tar.gz. Users can create a new Docker image based on this image. Add this line to the Dockerfile to include the base Docker image:FROM edgerepos/aws-greengrass:latest

And add certificates you got from the website of the AWS Greengrass and the config file.

Make sure the storage driver of the Docker engine on the device is “devicemapper”. This can prevent problems whenGreengrass is running in a Docker container. Details here.

Add these lines in /etc/docker/daemon.json to change the storage driver.

{"storage-driver": "devicemapper"

}

15.4 Google IoT Setup

To create a new Google IoT App for EdgeScale, users can integrate the python application program with the Dockerbase image, edgerepos/google-iot. The base image contains Google Cloud Client for python and Google Cloud SDK.

Add this line to the Dockerfile to include the base Docker image: FROM edgerepos/google-iot:latest

And, add user’s application program.

Please refer to Google Cloud IoT Documentation.

15.5 IBM Watson IoT Setup

To create a new IBM Watson IoT APP for EdgeScale, user can integrate the python application program with theDocker base image, edgerepos/ibm-iot. The base image contains IBM Watson IoT library for Python.

Add this line to the Dockerfile to include the base Docker image: FROM edgerepos/ibm-iot:latest


http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/32305/cn_zh/1490269182462/aliyun-mns-python-sdk-1.1.4.zip?spm=5176.doc32305.2.1.4H66HN&file=aliyun-mns-python-sdk-1.1.4.ziphttp://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/32305/cn_zh/1490269182462/aliyun-mns-python-sdk-1.1.4.zip?spm=5176.doc32305.2.1.4H66HN&file=aliyun-mns-python-sdk-1.1.4.zip

https://ak-console.aliyun.com/#/accesskey

https://docs.aws.amazon.com/greengrass/latest/developerguide/gg-gs.html

https://hub.docker.com/r/edgerepos/aws-greengrass/

https://forums.aws.amazon.com/message.jspa?messageID=832291

https://hub.docker.com/r/edgerepos/google-iot/

https://cloud.google.com/iot/docs/

https://hub.docker.com/r/edgerepos/ibm-iot/


And, add user’s application program.

Please refer to Getting started with Watson IoT Platform.

15.5. IBM Watson IoT Setup 119

https://console.bluemix.net/docs/services/IoT/index.html#gettingstartedtemplate

CHAPTER

SIXTEEN

BRING YOUR BOARD TO EDGESCALE

16.1 Introduction

EdgeScale is a cloud-based service platform. To bring your board to EdgeScale, the first step is to make the EdgeScaleagent run on the board.

EdgeScale agent is a client software package running on the device side, connecting and interacting with EdgeScalecloud service. You can find the reference implementation for NXP Layerscape platform at github.

Note: Currently, we only support Linux on ARM platform.

16.2 Software Dependencies

This section lists the software dependencies for EdgeScale agents and Linux kernel options for running demo Apps.

16.2.1 EdgeScale agent dependencies

EdgeScale agent is supposed to run on Linux. The software package dependencies are as below:

Package Version Commentbash 4.4.18coreutils 8.30curl 7.64.0ca-certificates 16.04+ ubuntu distrodocker 18.09.1-ce running containerethtool 4.19 ifconfig, ipgawk 4.2.1 awkgrep 3.1hostname 3.20isc-dhcp-client 4.4.1 dhclientmount 2.31.1openssl 1.1.0gpsmisc 23.2 killallstart-stop-daemon 1.18.2.5

121

https://github.com/NXP/qoriq-edgescale-eds


Note: Above are verified versions that can work with EdgeScale as expected. Other versions may also be workablebut are not verified.

16.2.2 Kernel options to enable docker

Please refer to configure docker

16.2.3 Kernel options to run demo Apps

Please refer to configure demo

16.3 Enable the OTA Feature

16.3.1 Introduction

In this section, we describe how to get the build environment and the construction process for bootstrap images.

16.3.2 Supported boards

ls1012ardb ls1021atwr ls1043ardb ls1046ardb ls1088ardb-pb ls2088ardb lx2160ardb

16.3.3 Set up the use build project

• Install the repo utility:

$ mkdir ~/bin$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo$ chmod a+x ~/bin/repo

• Download the metadata:

$ export PATH=${PATH}:~/bin$ mkdir yocto-sdk$ cd yocto-sdk$ repo init -u https://source.codeaurora.org/external/qoriq/qoriq-components/yocto-→˓sdk -b edgescale$ repo sync --no-clone-bundle

16.3.4 Building images

Take ls1012ardb as an example:

• Setup build envrionment.

$ . ./setup-env -m ls1012ardb

• Build images used to generate EdgeScale bootstrap images.

122 Chapter 16. Bring your board to EdgeScale

https://wiki.gentoo.org/wiki/Docker

https://github.com/NXP/qoriq-edgescale-eds/blob/integration/edgescale_demo_kernel.config


$ bitbake edgescale-bootstrap

Note: 1.Images will be found under tmp/deploy/images/ls1012ardb/edgescale-bootstrap.

2.To build images with optee, you need to add the following line to build_ls1012ardb/conf/local.conf

DISTRO_FEATURES_append = ” edgescale-optee”

3.To enable the ima_evm feature, you need to add the following line to build_ls1012ardb/conf/local.conf

DISTRO_FEATURES_append = ” ima-evm”

Please contact admin: [email protected] for co-operation.

16.3. Enable the OTA Feature 123

mailto:[email protected]


124 Chapter 16. Bring your board to EdgeScale

CHAPTER

SEVENTEEN

APPLICATION NOTES

17.1 Enable AI framework: TensorFlow

Please refer to the application note to enable TensorFlow at the device side.

17.2 Connect to Secure Element chip: A71CH

Please refer to the a71ch application note to enable a71ch at the device side.

125

https://s3-us-west-2.amazonaws.com/edgescale.org/release/documentation/appnote_enable_tensorflow_on_LS1046_with_LSDK_v0.1.pdf

https://s3-us-west-2.amazonaws.com/edgescale.org/release/documentation/appnote_enable_a71ch_on_LS1012_with_LSDK_v0.1.pdf


126 Chapter 17. Application Notes

CHAPTER

EIGHTEEN

FREQUENTLY ASKED QUESTIONS (FAQ)

18.1 How to access EdgeScale?

1. Request an account from console.edgescale.org and get user/passwd.

2. Access EdgeScale by one of the following ways:

EdgeScale provides user dashboard, command line tool and Restful APIs for interactions.

Dashboard: Sign-in console.edgescale.org

Command line tool: escli, https://github.com/NXP/escli

Restful APIs: https://doc.edgescale.org/api

3. A typical workflow for the user would be as follows:

18.2 I have a container app. How to deploy it to my device?

Push your container image to hub.docker.com and get the URL link. You can also push your container image toEdgeScale with escli tool.

Register the app at AppStore and link the image URL with the app. It will be put on MyApps.

Deploy the app from MyApps, follow the process to select your device and deploy.

Check the deploy result from Task -> My Task on the left panel and click the task item.

127

https://github.com/NXP/escli

https://doc.edgescale.org/api


18.3 I have a system image. How to deploy it to my device?

Push your system image on some storage site like AWS s3 and get the URL link. You can also upload your systemimage to EdgeScale with dashboard.

Register the systerm image at Solution store and link the image URL with the solution. It will be put onSolution store as a private image.

Deploy the image from Solution store, follow the process to select your device and deploy.

Check the deploy result from Task -> My Task on the left panel and click the task item.

18.4 My software image is stored at another place. How to connect itwith EdgeScale service?

Register your software image with the URL link and make sure it could be downloaded.

18.5 Which platforms are supported by EdgeScale? Does it supportx86?

Currently, it supports ARM64 and ARM32 platform. x86 is not supported yet.

18.6 Is EdgeScale open-source?

EdgeScale consists of two parts: EdgeScale cloud service and client (device agents).

EdgeScale client is open-source and can be found at https://github.com/NXP/qoriq-edgescale-eds

EdgeScale cloud service is going to open-source soon.

18.7 How to fix the following issue when board is boot up with ubunturootfs?

E0211 16:29:14.093572 3902 kubelet_node_status.go:106] Unable to register node→˓"7a429148085b57deb6ea4c8036651234.yun.gateway.ls1043a.nxp" with API server: Post→˓https://int.app.edgescale.org:443/api/v1/nodes: x509: certificate has expired or is→˓not yet valid

The error message indicates the certificate is expired on the board. The issue is caused by incorrect date setting. Pleaseupdate the system time and hardware time to current time.

18.8 How to create a device and enroll it with escli?

1. Use escli model create to create a new model. Skip this if you want to use existed models.

128 Chapter 18. Frequently Asked Questions (FAQ)

https://github.com/NXP/qoriq-edgescale-eds


2. Use command escli device create –fuid xxx –model_id yyy to create a new device, then run “bootstrap-enroll-<device>”.sh /dev/zzz, (zzz is the SD card which will be attached to device board), model_id is the model’s idcreated in step #1.

3. Use command escli solution create to create a new solution. model_id is the one created by step #1. Pleaserefer to 3. Deploy EdgeScale agents on the device for solution image build. Skip it if you want to use existedsolution images.

4. Program the bootstrap image to board’s nor/qspi flash. Refer to Bootstrap for detailed steps.

5. Insert the SD card prepared in step #2 to board’s MMC slot.

6. Reset the board. The board will then download the solution image created in step #3 automatically.

7. After the solution image is installed, you will see this device is online and ready to deploy application.

18.9 How to make the size of the Docker image small?

When packaging an application in a Docker image, the image size would be bigger than expected. To keep the sizesmall, the following tips could be helpful.

18.9.1 1. Programming Application in Go Language

Applications in Go can include almost all dependencies by itself. When packaging them in Docker image, it’s unnec-essary to include a base image from a released OS. Just package them with the dependency files (e.g. certification). Itcan reduce the image size greatly. An example Dockerfile to package an application called “hello” is as follows:

FROM scratchCOPY hello .CMD ["./hello"]

To not depend on external libraries at runtime, there are some tips on the Go compilation. To remove the dependenceon the system library, disable cgo using “CGO_ENABLED=0”. And, add ‘-extldflags “-static”’ to the -ldflags. Thismeans to link external libraries statically. This way, the Go application would not link the external libraries at runtime.

In addition, the Go compiler supports some flags to reduce the size of the execution files. The “-s” flag means gettingrid of the symbol table, and the “-w” means getting rid of the debug information. Adding “-s” and “-w” in the -ldflagscan reduce the file size considerably.

For example, compile “hello.go”: CGO_ENABLED=0 go build -ldflags=“-s -w” -ldflags ‘-extldflags “-static”’hello.go

18.9.2 2. Use Google’s Distroless Images

Google distroless is a project that provides the minimal size of the base images. It supports a minimal runtime for java,c, nodejs, and so on.

An example for nodejs, “hello.js” is as follows:

FROM gcr.io/distroless/nodejsCOPY hello.js /appWORKDIR /appCMD ["hello.js"]

18.9. How to make the size of the Docker image small? 129

https://github.com/GoogleContainerTools/distroless


18.9.3 3. Use Docker Multi-Stage Builds

In practice, one Docker image could not solve all problems. In the building stage, the Docker image includes compilerand other tools. And, in the production environment, it needs a minimal size of Docker image. So, multiple Dockerimages are needed for building, testing, and production. Docker multi-stage builds provides a good solution. It caninclude multiple Docker images in one single Dockerfile.

An example to build a Go application and output a minimal docker image:

FROM golang:1.7.3 as builderWORKDIR /go/src/github.com/test/hello/COPY hello.go .RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -ldflags \'-extldflags "-static→˓"\' -o hello .

FROM scratchWORKDIR /root/COPY --from=builder /go/src/github.com/test/hello/hello .CMD ["./hello"]

130 Chapter 18. Frequently Asked Questions (FAQ)