Hi, I'm Peter Robinson. I'm here to talk about who, what, when, where, why, how for Fedora or IoT on Fedora or Fedora on IoT, depending on which way you want to look at it.

So the who. The initiative was started by me. The role was provided around three years ago to do it as a full-time by the Senior Vice President of RHEL engineering, and it was my remit is to basically investigate IoT, how it would look from a Fedora/RHEL ecosystem perspective, so that, you know, ultimately we're not starting from ground zero. We have a small but growing community, which is awesome, and I actually have my first full-time team member other than me starting on Monday, so welcome Patrick. Yes, Patrick's role is basically a very generic IoT security, so he's going to be dealing with a whole bunch of things, funnily enough, around IoT security. So, but Patrick has a talk tomorrow where he'll be covering some of this, which is very exciting.

So who's the audience for Fedora IoT? Well, the Fedora community in general, because obviously we're just using Fedora. There's an initial focus on a number of use cases. Industrial IoT; the term which I absolutely despise is Industry 4.0. Oil and gas industry, and we have a talk about that tomorrow where we actually have a Red Hat customer that is working with us in the Fedora space, and so Chad and I will be talking about how we're dealing with some of the problems that the oil and gas industry has with regards to industrial control and various other bits and pieces. We have a partner that's interested in smart cities, automotive, and a bunch of the community, including people like the FPL, are interested in home automation and smart homes. I would just like someone to automate the packing of my dishwasher. And it's one of the things that's quite interesting about Linux, about IoT in the Linux space, is we're actually getting net new people.
We had a docs writer in February for about a month or so who massively improved the docs for getting started, and one of the reasons for that was I was getting people going, "I've never used Linux before. How do I do this from Windows?" Which, from increasing the Fedora community and the Fedora ecosystem, is a problem that we've wanted to have for some time and we've not. And so it's an interesting problem to solve, and of course there's existing Fedora, enterprise Linux and related users. So that's who we're talking about.

It's now an official, well, has been for some time, an official council objective. We're moving to an edition very soon, where I've got a whole bunch of list of things to do and there's a few other things for others to do before we make that. It's obviously based on Fedora, standing on the shoulders of giants, the Fedora wider ecosystem. Using Red Hat technology such as OSTree, systemd, Podman, FW Update Manager. As I've said to a bunch of different people that I've spoken to at Red Hat over the time, it's basically the same puzzle pieces building a different puzzle. So all the same technologies, but just we're producing an IoT picture, and part of my role is upstream ecosystem. So the ARM ecosystem through Linaro, engaging in standard initiatives across distros to basically help improve the slot, or even a little bit help improve the dumpster fire that is generally IoT. And so it's very wide-ranging.

When. I started in this role almost three years ago. I don't know where time goes. I think three years will be the single longest role I've ever done in IoT. I've averaged usually two, two and a bit years before I've got bored and moved on, and I see Denise in the background shaking her head. Like, my role now compared to three years ago doesn't look anything like it was three years ago, yet it looks very similar to what it was three years ago.
I don't know how I'm going to actually be able to get bored anytime soon, and like every time I look back I go, wow, that was busy and that was fast. It's not possible to get any busier and any faster, and it just seems to keep accelerating, accelerating, accelerating. So our first official release was Fedora 29 as a spin. We obviously released Fedora 30. We're promoting to edition really soon now. We're generally doing around monthly feature releases. We're starting, we've started off, it started off quite slowly. Like when I first started doing this, I thought three years ago it'll be a couple of months and I'll have, you know, the first release out, and holy hell I was wrong. And we had all these dependencies and various other bits and pieces I wrapped and unwrapped and repackaged and dealt with, and we eventually got there. But it's like quicker and quicker and quicker and quicker.

Why? A traditional RPM, DNF, yum distro for IoT is not that great. If you've ever lost power during an update and you've tried to work out whether you end up with a bootable system or not, and if it actually boots, how to get it back to a consistent state, doing that across tens of thousands or hundreds of thousands of endpoints, millions of endpoints, is impossible. Like if you've got 10 million endpoints out in the field and you've got to roll a truck to fix them, that's a problem. I feel Fedora is a good base for an IoT distro. A lot of companies are throwing, like, the baby out with the bathwater and not doing basic enterprise-style security, like shipping telnet and not disabling it and things like that. And so we've got all this institutional security for enterprise and things like that that generally mostly just works. So why throw it all away and start from the beginning again? Fedora moves fast, which is good.
Like for IoT and things like that, we can get the latest features and functionality in systemd, in kernel, in toolchain, which around some of the things like the Kernel Self-Protection Project, things like that, is going to be useful from an IoT perspective. And yeah, so it's, but one of the advantages we have is it's a generally new use case. We don't have legacy users, so we can think differently and evolve stuff, because we don't have J2EE platforms and traditional database platforms and things like that that we have to care about whether we break or not. Like, it is a net new platform from a Fedora ecosystem point of view. And so we can change and evolve things and break things because we don't have a tradition of like 20-odd years of Red Hat Linux legacy.

How are we doing it? So based on rpm-ostree and other related Atomic, CoreOS technologies, uses OCI container stack, so Podman, Skopeo, et cetera, a simple compose process, will be supporting the Image Builder technology, big focus on security, lots of stuff around TPM2, IMA, systemd, seccomp, SELinux, Secure Boot and all of that sort of stuff. Ultimately, it's a similar OS to the data center, but without the physical security. So things like storing all the credentials in TPM so they're not recoverable even from a running OS is useful in the data center, and a lot of, like, security-focused companies would be interested in it, but probably not as interested as, say, the latest version of Kubernetes or OpenShift or whatever it happens to be. Whereas when you go and strap a device to a light pole or an oil pump or something like that out in the field, you don't have that physical data center security. So device security and things like that is of critical focus. Yeah, so we're currently at what I would consider a first phase minimum viable product and we're moving quickly.
So some of the components that we're sort of building on top of this MVP layer, things like OS updates, automatic update, rollback, auto scale-out of updates. So start to trickle out updates to devices and then scale up or scale back depending on what sort of success rate you get. OS config management. So people are like, well, just use Ansible, and like, well, yes, but if you've got 10 million devices and that are not necessarily always online, an Ansible run could take months to complete. So you need a concept of eventual consistency. And I don't know that there's a server out there that Ansible could run on to hit 10 million devices. App management and updates around that, well, that's going to look something like Kubernetes to some degree, but Kubernetes running on a device with 2G of RAM at the moment is interesting. Some form of device management. So hardware failures, firmware updates, things like that, and provisioning support and standardization. We're looking at Ignition from CoreOS for this, but it's missing a lot of stuff that is sort of on the nice-to-have for them, but critical for us. So things like TPM provisioning, device encryption, stuff like that. And how do we support the deployment of millions of devices? And there's a lot of initiatives around that from companies like Intel and that, but none of them are standardized and none of them are open standards. They're all very much how do we lock you into Azure, AWS, various other bits and pieces like that. And that's great, but overall, there needs to be an industry-wide standard for secure deployment of that. And I mentioned, you know, eventual consistency for occasionally connected devices.

Where? So the usual space, we have an IoT landing page, which links to basically all of this. We have a Kanban board, Twitter, IRC, all the usual Fedora communication mediums. And that's me. Does anyone have any questions?

Software defined radio? Untested? It's certainly a use case.
Like a lot of this stuff, like, I only have so many hours in a day. And like sometimes, you know, ensuring things like the Raspberry Pi actually boot take up a large chunk of time, and things like that. And so things like SDR are, like, in the back of my mind that people would be interested in it. And so if there's people interested in the community, I'm around.

Well, so it depends on the use case. So from an SDR point of view, I've not had, I mean, that there's, we've got obviously Wi-Fi and wired Ethernet, like in a factory, it's probably actually going to be wired Ethernet. They're like 5G is a topic I talk about quite a bit. SDR is certainly an option. It's not something that I've spoken to a lot of companies about. So from that perspective, it just comes down to focus and time.

No, so we're not focused on MCUs. One of the use cases I'm working on with the Arm ecosystem is using, like, Fedora IoT as a gateway to MCUs. So, so Zephyr RTOS is like an open source, real-time OS for like a whole bunch of different MCUs. And I work quite closely with a number of companies that are working on that. So the idea is that, like, this would be a gateway to those devices, whether connected by Bluetooth Mesh or 802.15.4 or those sort of technologies, or in some cases, like, hardwired with CAN is another way of communicating. And then this would be sort of the gateway for those devices, depending on what they do.

Yeah, and, like, I've had in the back of my mind that things like SDR and amateur radio would be a use case that a lot of people would be interested in.

Yeah, and I understand that, but that is not the only bit of IoT. Like, if you go into a factory, there'll be basically no wireless at all because of the big machines, just kill the signal, and everything will be hardwired. So if you're, I mean, I've spoken with literally hundreds of companies with thousands of use cases.
And, like, one of the companies I'm working with has, like, well over 100 different use cases, and that's one company. And so, like, everyone you speak to has a different idea of what IoT is. It's a bit like trying to define cloud five, 10 years ago. Everyone had a different idea as to what cloud was. IoT is basically that squared at the moment. Like, there is literally billions of use cases.

Anyone else? Oh, I'm going to get off quite lightly with this. Excellent.

So the question is, how much of the security work will go into the other editions? It will all be available. So some of the stuff we're looking at doing around, like, the systemd lockdown stuff and that will probably break a lot of stuff. I actively want to break that in the IoT use case. For the general use case, that's probably not such a good idea. But it will, like, it will all be going into... So some of the work that Patrick will be focused on will be around TPMs and stuff like that. And that will be going into Fedora and into the upstream community for any other distro. And so things like integrity measurement and attestation stuff in the kernel. Like, it's enabled in Rawhide now and it will be a default allow policy in Fedora in general. We're going to have an active policy in Fedora IoT to enforce and measure stuff for a general purpose OS that will break shit. I don't care. Well, I do care, but I'm going to be actively opinionated on breaking stuff in IoT so that we can actively fix it and make things work in a much more focused manner. And of course, all of that stuff will roll into the standard distro. But there'll be different policies that people can turn on, enable, enforce, what have you, depending on what they want to do.

Yes. Yep. Yeah, so we're primarily focused on running the application stacks in containers as opposed to on the base OS. Simply because they're more easy to update and that's the general direction enterprise is going as a whole.
And, you know, a lot of, one of the things that a number of, like, people are excited about is that basically they can use the same workflow they do in the data center on IoT without sort of changing things, so they can have the same app dev process for containers on the edge or for applications on the edge that they do in the data center, say running on OpenShift-style stuff. So you will be able to do layering and things like that as a whole. That can be quite problematic. It's randomly broken a number of times in Rawhide of late and needed to be fixed. And so, but, you know, so they're, and it's interesting because there's at least six or seven startups that I'm aware of that are actually playing around and using Fedora IoT in products, which is cool. And some of them, and like I had a question on the mailing list the other day, how do I do npm install or pip install on, like, an rpm-ostree read-only file system? And it's like, you don't. So they're basically bundling it all into a big RPM and layering it on top. And I'm like, if you want to do that, it'll work, but it's not going to be our primary way of dealing with this. Because, I mean, ultimately, the advantage of containers is you can run four or five containers alongside each other and they're completely isolated from each other. So if some crappy IoT application decides to start doing bad things, it's isolated and doesn't affect the other devices on the other applications running on the device.

Well, thank you, everybody. I'll be around. I have one other talk and we have a hack fest on Saturday, I think. Patrick will be giving his security talk tomorrow. And, you know, feel free to come and ask questions.