Design Considerations for Software Distribution to Edge & IoT Applications
Make no mistake: You can’t overlook software distribution in DevOps. At risk are the reliability, security and speed of your software releases – and your business itself.
This is especially true in enterprises that are releasing across numerous edge endpoints or IoT devices. As your releases’ cadence and payload grow, software distribution challenges multiply, particularly at the edge.
Read on to learn about some of the challenges with software delivery for edge and IoT, how software distribution can help, and how enterprises can scale their secure, continuous software delivery for edge and IoT applications.
Software Distribution and the Edge Computing Market
Topio Networks, an industry-research firm tracking the edge and IoT markets, has identified a new high-growth subsegment in the edge landscape: software distribution, which they see as a significant and interesting area you should be paying attention to.
There are half a dozen companies in this edge software distribution subsegment currently, including JFrog, with JFrog Distribution. “JFrog is one of the leading companies in this space,” said Gavin Whitechurch, Co-founder and COO of Topio during the recent joint webinar “Scaling Continuous Software Delivery for Edge & IoT Applications.”
Edge Market Landscape
What Is Software Distribution?
Software distribution is about moving binaries from where they’re created (usually, in the development or CI/CD stages) to the runtime environments for deployment, whether in data centers/cloud servers, edge infrastructure, or embedded devices, explained Michael Vakulenko, JFrog’s IoT Product Manager, during the webinar.
In small systems, software distribution is fairly straightforward. However, in larger systems it can quickly become a big challenge to achieve reliable, secure and timely distribution of software releases quickly.
Modern distribution challenges include:
- Distributing binaries to thousands of servers, pods and edge nodes
- Dealing with multiple cloud platforms and regions across the globe, all with different regulations and issues
- Supporting hybrid, on-premises and edge deployments — often all at the same time
- Doing this quickly, securely, reliably and frequently
The need for enterprises to have scalable, secure and reliable software distribution will only deepen. Why? For starters, enterprises want to accelerate releases, with many now deploying software to production multiple times per day.
Simultaneously, binary artifacts keep getting larger, especially as container use grows. Meanwhile, IT infrastructures are becoming more complex, with hybrid and multi-cloud DevOps environments, and the adoption of edge computing and IoT devices.
Thus, cobbling together a distribution solution in-house doesn’t seem feasible. That’s why we created JFrog Distribution. “It frees developers, DevOps and SRE teams to focus on their apps rather than solving difficult software distribution challenges,” Vakulenko explained.
What about CDNs?
Content distribution networks (CDNs) are being pitched for software distribution, but they’re not built for this purpose, so they have notable weaknesses.
Let’s see how CDNs compare to a solution built from the ground up for software distribution, like JFrog’s:
- CDNs operate separately from your DevOps pipeline. JFrog Distribution is a native component of the JFrog DevOps Platform.
- CDNs’ reach extends only to a metro location. JFrog Distribution goes much farther — all the way to sites, like retail locations, office buildings, and even as a cache layer on the endpoint devices themselves.
- CDNs are usually optimized for cloud environments and even their “edge” locations are still on the public cloud, and not on mixed or on-prem infrastructure. JFrog Distribution can operate in mixed runtime environments, supporting both on-prem and hybrid deployments.
- Designed to serve mostly static files such as images for web apps, CDNs provide an infrastructure for HTTP downloads. JFrog Distribution supports package-specific protocols and serves as a local registry on the end point(s), along with accelerating deployments and supporting high concurrency of downloads.
- CDNs are designed to handle individual files. JFrog Distribution handles collections of binaries which constitute a release.
- CDNs only provide download statistics. JFrog Distribution offers you detailed deployment tracking, so you know what software is running where.
- CDNs are not package-aware or security-aware. JFrog Distribution is tightly integrated with your security processes and policies, allowing you to trace releases’ Software Bill of Materials (SBOM), and even block a distribution if security vulnerabilities are detected in the packages.
Edge Distribution and Application Release Issues
There are particular challenges associated with distributing software to the edge, as opposed to, say, a traditional data center.
These are some key challenges, which apply to all edge computing segments, including service provider edges, on-premises and regional data centers, as well as smart and constrained devices:
- Connectivity limitations, including intermittent bandwidth and long delays
- The need for remote management due to lack of skilled staff at each edge site
- Untrusted networks for nodes outside of the data center security perimeter
- The need for autonomous operation when there’s no cloud connectivity
- A large number of geographically dispersed nodes
Software Distribution in the JFrog Platform
Realizing how critical software distribution processes are to the modern DevOps stack, JFrog made Distribution an integral part of the JFrog end-to-end DevOps platform, enabling application delivery from any source, all the way to the edge.
The JFrog Platform covers all stages of the software binaries management lifecycle, from code to production — what we call BinOps. It includes a centralized artifact repository and container registry with JFrog Artifactory; security and compliance with JFrog Xray; CI/CD orchestration with JFrog Pipelines; and of course, JFrog Distribution.
An industry-unique solution, JFrog Distribution allows you to accelerate governed, secure package distribution across large-scale hybrid topologies and concurrency requirements — overcoming even limited bandwidth and network lag. With JFrog Distribution, users can accelerate binary software releases to a wide range of deployment targets, like public clouds, on-prem data centers, branch offices, regional sites, and IoT/edge devices.
Design Considerations for Software Distribution to the Edge
Let’s review the five key specific considerations required for an effective and secure solution to distribute software to the edge spectrum: from infrastructure edge such as store branches or POS, all the way to “thin” edges and IoT devices. We’ll also touch on how these design best practices are addressed in the JFrog solution.
1 — Distributed architecture across mixed environments
First, a distributed architecture is key for coping with large scale edge deployments, and with their high peak loads. JFrog Distribution’s Private Distribution Network (PDN) is designed from the ground up for large-scale distribution of software artifacts across mixed, distributed environments.
As a distributed network, PDN propagates software artifacts, like packages or container images, from a central Artifactory through multi-tier topology of distribution nodes which are organized into groups. Edge clients download software binaries from the closest distribution group.
Furthermore, distribution nodes are managed remotely by the JFrog Platform, to which they report their status and metrics. The platform displays a live topology view of the network.
PDN combines two network acceleration and optimization technologies in one agent: CDN and P2P. Because distribution nodes share the load of many simultaneous downloads to ensure network resiliency and because PDN can be deployed on any commodity hardware, they essentially add a cache layer (CDN) to accelerate deployments and high concurrency downloads (P2P) to any type of infrastructure node or device. They don’t require high-performance servers with large network capacity.
Finally, PDN deployment and configuration is simple — just define the parent, group name and security token in the distribution-node configuration and it will automatically join the network.
2 — Release integrity
Software releases usually contain multiple binaries which must be deployed simultaneously, so your distribution solution needs to maintain the interdependencies between these components, which can number in the thousands.
That’s where the concept of release integrity comes into play, so that incompatible components from different releases aren’t deployed.
JFrog ensures release integrity through release bundles — an atomic unit of software distribution that contains all of a release’s components with their metadata. Once the release bundle is created and signed – making it immutable and tamper-proof – JFrog propagates it to all PDN nodes or Distribution Edges that are part of your distribution infrastructure, or to your last mile of runtime environments.
An edge computing node can’t start downloading release components until all components arrive at the distribution node and are validated via the release bundle signature. That’s how JFrog ensures that the release arrives as an atomic block with all its internal coherence maintained throughout the distribution process.
3– Download optimization
Connectivity issues — limited bandwidth, high latency, unstable connections — create many issues in edge computing. Specifically, attempts to download large binary files often take too long or simply fail. Further complicating matters, edge nodes are often behind firewalls.
JFrog’s PDN optimizes downloads and enables efficient distribution of large binary files across many nodes. This is how it does it:
- Large files are divided into smaller chunks, and each chunk is downloaded over a separate TCP connection. This cuts download time and makes the download less vulnerable to connection errors.
- Typically, new releases only change a small percentage of the previous release’s files. In JFrog, distribution nodes analyze the release bundle manifest and download only new files, drastically reducing the bandwidth used.
- Next, JFrog distribution nodes can download chunks of files from peer nodes in the group, further accelerating downloads. To enable this, JFrog developed an efficient and resilient peer to peer (P2P) protocol based on HTTP and GRPC protocols.
- Also, JFrog downloads are firewall-friendly. To overcome firewall blocks, JFrog PDN, connections are always established from the distribution node to the parent node, so from inside the firewall environment out to the network.
- Distribution nodes periodically poll their parents for download notifications, and if there is a pending download they initiate it.
4 — Zero trust security
In edge deployments, distribution nodes are often installed outside of data centers’ security perimeters, and connect to the backend over untrusted networks. That’s why it’s critical to implement a zero-trust security model which includes authentication, authorization and encryption of all the connections between the nodes and the network.
In JFrog’s PDN, distribution nodes always connect to their parents using mutually authenticated TLS connections. The authentication is done using an industry-standard security model with certificates for each distribution node.
In addition, to download a binary file from the distribution node, an edge computing node must present a valid authorization token granting it permission. In short, our security model always includes encryption, authentication, and authorization of download plans.
5 — Local caching of software artifacts
Caching of software artifacts locally at edge sites like hospitals, oil platforms or fast-food restaurants has two main benefits:
- First, it enables autonomous operation of the site. That way, computing systems in the site can be restarted and reconfigured even without an internet connection to the central repository. This is critical when running dedicated Kubernetes clusters in edge sites.
- Second, you can significantly reduce bandwidth requirements by aggregating downloads of software artifacts, so that they’re downloaded only once instead of separately by each machine in the edge site.
PDN distribution nodes installed at edge sites will cache software binaries like Docker container images locally. The local cache can be warmed by downloading new software releases ahead of time.
Once the cache is warmed, local machines and devices can download binaries from the cache even without a connection to the cloud. Since binaries will be downloaded only once and used by all machines in the site, you’ll also significantly reduce bandwidth needs.
JFrog’s Private Distribution Network (PDN) Benefits
These are the five main design considerations for creating secure, efficient and reliable software distribution solutions for edge computing, and how they’re implemented in JFrog’s PDN, yielding such benefits as:
- Support for hybrid environments
- Speed and efficiency, while substantially reducing your server load
- Massive scalability, resiliency and high availability (HA) thanks to distributed architecture
- Support for flexible network topologies working over WAN or LAN
- Ability to proactively deploy artifacts ahead of time
- Secure, supporting encryption, authentication and authorization
- Support for containers and other packages
- Simplification of audits and regulatory compliance
- Low TCO
“We’re solving difficult issues for distributing software to large-scale systems, including edge systems, which frees customers to focus on their apps, instead of spending time putting together this solution themselves,” Vakulenko concluded in the joint webinar.
With JFrog’s recent acquisition of IoT software update and device management company Upswift — now JFrog Connect — our distribution capabilities for edge and IoT devices will become even stronger.
In addition to device management, JFrog Connect provides robust capability for IoT software updates, making devices a first class citizen in the DevOps Platform, enabbling fast, secure and reliable delivery from development to devices.
With PDN, JFrog covers distribution to edge sites – from thick to thin edges- spanning larger edge nodes, like a manufacturing plant, with powerful servers inside, all the way to embedded devices with JFrog Connect.
See It In Action!
To see a demo of PDN and learn more about these design considerations for scaling Edge and IoT application delivery, watch the recording of our joint webinar with Topio.
Developing IoT applications?
Learn more about JFrog Connect and create your free account to see how easy it is to update, connect and manage IoT devices.