In [None]:
# Overview

*ide49* is based on [Balena](https://www.balena.io/what-is-balena), a version of [Docker](https://www.docker.com/) optimized for IoT devices, rather than datacenters.

```{figure} figures/app.png
:alt: balena_app
:width: 400px
:align: center

Structure of a Docker application. A single Linux kernel is shared between the host and one or more user containers.
```

The balenaOS takes the function of the host operating system. Unlike other operating systems (Windows, MacOS, ...), it is highly specialized to run individual services in so-called containers. In *ide49* available containers include micropython, code-server, duplicati, etc and more can be added over time to provide additional functionality.

A set of [configuration files](https://github.com/iot49/ide49) describes the application. The [docker-compose.yml](https://github.com/iot49/ide49/blob/main/docker-compose.yml) file lists all user containers along with configuration parameters and information about how they interact. E.g. containers may be permitted to share files (`volumes`) or communicate over dedicated networks that are inaccessible from outside.

Each container presents a separate instance of Linux, and usually implement just one function. This arrangement minimizes undesired interaction e.g. between incompatible libraries used in various application programs. It's like having a separate computer for each task (code editor, backup, etc).

The software installed in each container is described with a Dockerfile. For example, the first line in the Dockerfile for the [micropython](https://github.com/iot49/ide49/blob/main/core/micropython/Dockerfile) specifies that this service is derived from a slightly customized version of an "official" [Jupyter docker image](https://jupyter-docker-stacks.readthedocs.io/en/latest/using/selecting.html#jupyter-scipy-notebook). This image is based on Ubuntu Linux and includes, notably, the Jupyter Notebook server as well as a host of libraries for scientific computation and plotting. Following the FROM statement are instructions for installing additional software and configuration files including the IoT Kernel used for interacting with the MicroPython REPL. 

## BalenaEngine

In Balena, the balenaEngine takes the function of the docker deamon in standard docker apps. It is accessed from the host with the `balena-engine` command. 

%%service host
balena-engine --help

To get a list of all running containers, type:

In [1]:
%%service host
balena-engine ps --format "table {{.Names}}\t{{.Size}}\t{{.Image}}"

NAMES                                                          SIZE                      IMAGE
micropython_4326350_2006136_52d3260cfa7974104feb37cd5f7b10e2   108MB (virtual 3.31GB)    92e31d0562f3
esp-idf_4326361_2006136_52d3260cfa7974104feb37cd5f7b10e2       211MB (virtual 4.08GB)    3a3cec03f2f0
bluetooth_4326363_2006136_52d3260cfa7974104feb37cd5f7b10e2     140MB (virtual 917MB)     b8f19d396651
rust_4326364_2006136_52d3260cfa7974104feb37cd5f7b10e2          106MB (virtual 1.09GB)    d731539ad951
arm32_4326358_2006136_52d3260cfa7974104feb37cd5f7b10e2         211MB (virtual 2.14GB)    8d13346713a1
nginx_4326349_2006136_52d3260cfa7974104feb37cd5f7b10e2         3B (virtual 29.7MB)       9aaac23e700e
balena-cli_4326362_2006136_52d3260cfa7974104feb37cd5f7b10e2    0B (virtual 1.64GB)       bb952f8265bd
wireshark_4326355_2006136_52d3260cfa7974104feb37cd5f7b10e2     1.03MB (virtual 1.21GB)   be89f6dc2961
mosquitto_4326354_2006136_52d3260cfa7974104feb37cd5f7b10e2     0B (virtual 11.8MB)       

The balenaEngine has many more features. For example, to get the build history for the arm32 image run

In [1]:
%%service host
balena-engine history 92e31d0562f3 --format "table {{.Size}}\t{{.CreatedBy}}" # --no-trunc

SIZE                CREATED BY
22.7MB              /bin/bash -o pipefail -c echo "force rebuild…
9.49MB              /bin/bash -o pipefail -c pip install --defau…
355MB               /bin/bash -o pipefail -c mamba install --qui…
0B                  /bin/bash -o pipefail -c #(nop)  USER 1000
3.52kB              /bin/bash -o pipefail -c groupadd gpio  && u…
527B                /bin/bash -o pipefail -c #(nop) COPY file:bb…
501B                /bin/bash -o pipefail -c #(nop) COPY file:f3…
119B                /bin/bash -o pipefail -c #(nop) COPY file:54…
182MB               /bin/bash -o pipefail -c apt-get update --ye…
0B                  /bin/bash -o pipefail -c #(nop)  ENV DEBIAN_…
0B                  /bin/bash -o pipefail -c #(nop)  USER root
0B                  CMD ["/bin/bash" "/usr/local/bin/start.sh"]
0B                  WORKDIR /home/iot
0B                  USER 1000
11.5kB              RUN |1 IOT_USER=iot /bin/bash -o pipefail -c…
9.85kB              COPY conf /usr/local/bin/ # bui

## Networking

Containers use networks for communication. *ide49* makes use of two separate networks:

* an internal network used only for communication within the app, and
* the host network, used to access the Internet.

Most containers have access only to the internal network. The `nginx` webserver acts as a reverse proxy to pass requests received from browsers on port 443 (and port 80, which is forwarded to 443) to the appropriate container on the internal network. The single ingress allows centralized handling of encryption and password verification in one place. The nginx configration is at

In [1]:
!cat /service-config/nginx/nginx.conf

# /etc/nginx/nginx.conf

user                                nginx;
worker_processes                    1;

error_log                           /var/log/nginx/error.log warn;
pid                                 /var/run/nginx.pid;


events {
    worker_connections              256;
}

http {
    include                         /etc/nginx/mime.types;
    default_type                    application/octet-stream;

    log_format main                 '$remote_addr - $remote_user "$request" '
                                    '$status $body_bytes_sent "$http_referer" '
                                    '"$http_x_forwarded_for"';

    access_log                      /var/log/nginx/access.log main;

    sendfile                        on;
    keepalive_timeout               65;
    # gzip                          on;

    # http -> https redirect
    server {
        listen                      80;
        return                      301 https://$host$request_uri;
    }

    server {

   

The network confiuration is available from the balena-engine:

In [1]:
%%service host
balena-engine ps --format "table {{.Names}}\t{{.Ports}}"

NAMES                                                          PORTS
micropython_4326350_2006136_52d3260cfa7974104feb37cd5f7b10e2   8888/tcp
esp-idf_4326361_2006136_52d3260cfa7974104feb37cd5f7b10e2       8888/tcp, 8890/tcp
bluetooth_4326363_2006136_52d3260cfa7974104feb37cd5f7b10e2     
rust_4326364_2006136_52d3260cfa7974104feb37cd5f7b10e2          8888/tcp, 8893/tcp
arm32_4326358_2006136_52d3260cfa7974104feb37cd5f7b10e2         8888-8889/tcp
nginx_4326349_2006136_52d3260cfa7974104feb37cd5f7b10e2         0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp
balena-cli_4326362_2006136_52d3260cfa7974104feb37cd5f7b10e2    8891/tcp
wireshark_4326355_2006136_52d3260cfa7974104feb37cd5f7b10e2     
mosquitto_4326354_2006136_52d3260cfa7974104feb37cd5f7b10e2     0.0.0.0:1883->1883/tcp, 0.0.0.0:8883->8883/tcp, 0.0.0.0:9001-9002->9001-9002/tcp
plotserver_4326356_2006136_52d3260cfa7974104feb37cd5f7b10e2    8080/tcp
smb_4326353_2006136_52d3260cfa7974104feb37cd5f7b10e2           0.0.0.0:139->139/tcp, 0.0.0.0:445->

Unlike other containers, the `micropython` service is member of the host network to enable access to bluetooth (if available). It also means servers (e.g. webservers) running in the `micropython` container can be accessed from from the internet without password protection and encryption from `nginx`. This is convenient for development but also poses a security risk especially if the device is not behind a firewall (as e.g. provided by a home router).

## Storage

Broadly, [Docker](https://docs.docker.com/storage/) containers distinguish two kinds of data storage.

### Owned by the container

That's the default and includes all operating system related files, installed software (compilers, etc). 

Although it's possible to make changes (e.g. with `apt-get` run inside the container), those changes do not persist between updates and hence should be limited to testing new features. A better solution is to instead modify the *ide49* app, per instruction in the next section.

This part of storage is "private" to the container and invisible from other containers in the same app (e.g. *ide49*).

### Mounted into the container (volumes)

Storage can also be "mounted" from the "host", the underlying operating system that runs the Docker app, *ide49*. For example, `/home/iot` and the subfolders of `/service-config` are mounted. The `volumes` section of the `docker-compose.yml` file lists all mounts.

The same volumes can be mounted into several containers (at the same or different locations). This enables data sharing. For example, all volumes are mounted in the `duplicati` container for backup and `micropython` and `code-server` containers for editing. 

For example the configuration for `nginx` (webserver), is mounted in `/service-config` in the `code-server` and `micropython` containers for editing, and at `/etc/nginx` in the `nginx` service.

Changes to volumes persist between container updates. 

### Samba fileshare

In addition to the types of storage discussed above, *ide49* can also be configured to mount `/home/iot` from a Samba file server.

Uses include sharing the same data between several *ide49* instances or in situations where a shared file server, perhaps with centralized backup, is preferred.

For convenience, the entire home directory (`/home/iot`) is mounted. This can cause some undesired behavior. For example, databases frequently use status files (e.g. locks) used by the running instance. Sharing those with another device (running perhaps a different instance of the same database) can result in conflicts.

To prevent this, the local iot volume is always available at `/service-config/iot-home`. Unlike `/home/iot`, this copy is never "hidden" by a Samba mount. *ide49* is configured to store status information (e.g. for `jupyter`) in `/service-config/iot-home` rather than `/home/iot`.

### Mounts

The `duplicati` service automtically mounts USB storage devices at `/mnt`. These devices can also be manually mounted in other containers (e.g. `micropython`). Avoid simultaneous access of the same storage device from multiple containers to avoid data corruption.

Below is an example of mounting an attached device (e.g. USB thumb drive).

In [None]:
%%bash

# 1) find device, e.g. /dev/sdc1
sudo fdisk -l

# 2) create mount point
sudo mkdir -p /mnt/media

# 3) mount volume
sudo mount /dev/sdc1 /mnt/media

# 4) use data ...
ls /mnt/media

# 5) unmount
sudo umount /mnt/media