Introduction
Modern web and cloud applications are dynamic and amenable to change, driven by the adoption of technologies and tools such as microservice-based architectures, Docker, Kubernetes, and sophisticated CI/CD pipelines. While these server-side technologies have evolved rapidly over the years, the development and deployment of embedded devices and systems has remained relatively unchanged. However, as embedded devices grow more capable—processing increasing amounts of data at the edge and running AI workloads— and face growing cybersecurity challenges, organizations are actively seeking ways to modernize their development practices with cloud-native principles such as application containers and agile CI/CD workflows.
However, traditional Linux-based containerization technologies like Docker can pose challenges for resource-constrained edge and IoT devices that have less than 1GB of memory, and are impossible to support on MCU-based devices that can’t run Linux. We refer to this as the 'Linux barrier', and it underscores the need for a more lightweight, portable runtime solution that doesn’t rely on a Linux OS.
WebAssembly (Wasm) has emerged as a promising foundational technology to address this challenge. While initially designed for the browser, Wasm's potential extends far beyond it through the WebAssembly System Interface (WASI). WASI, developed through collaboration between the W3C and Bytecode Alliance, provides standardized system interfaces that enable Wasm applications to run securely outside the browser—from cloud servers to resource-constrained MCUs. Check out this previous blog from Atym's CTO Stephen Berard for more context on the origins of WebAssembly and benefits for use cases outside of the browser.
In this blog, I will compare the benefits and challenges of a DIY approach to using WebAssembly to modernize embedded software development to leveraging pre-packaged solutions like the Linux Foundation's open-source Ocre project. I will close with how Atym is building on Ocre to provide a commercial device edge orchestration solution with the performance, security and usability benefits that enterprises require for production deployments. My primary focus is on MCU-based devices because there is well-established precedent for Linux-capable systems using traditional container technologies, but I will outline how WebAssembly can provide a universal foundation for devices of all types.
The DIY Approach
We're seeing organizations increasingly explore homegrown solutions to leverage WebAssembly to modernize their embedded development, drawn by its promise of language flexibility and efficient execution. Their journey of augmenting firmware with software typically begins with successfully compiling existing code to Wasm modules and getting them to run on a device—an exciting first step that demonstrates WebAssembly's potential.
However, this initial success quickly leads to more complex challenges as teams move beyond proof-of-concept. Running Wasm modules in production requires tackling numerous additional concerns: How do you package and distribute applications across a device fleet? How do you manage execution and resources across multiple containers? What about updates, monitoring, and handling failures in the field? These questions reveal that getting code to run on a since device is just the beginning.
But before teams even start diving into running Wasm on resource-constrained embedded devices, they must first tackle hardware selection and bring-up—a complex topic that we will not cover in detail here. What is important to understand is that once a hardware platform is selected, organizations typically find themselves building and maintaining a complex, three-layered architecture to support containerized applications. Each layer presents its own challenges and requires specific expertise, making this approach particularly resource intensive.
1. Base Platform Layer: The foundation of the system, including the Operating System, hardware support, and system resources.
2. Wasm Runtime Layer: The middleware that handles Wasm execution, networking, and security.
3. Development and Deployment Layer: The tooling and processes for building, testing, and deploying containerized applications.
Layer 1: Base Platform
For the base layer, teams must choose between running bare metal, using an embedded OS, or adopting a Real-Time Operating System (RTOS) to support WebAssembly execution. While bare-metal implementations are possible, they add significant complexity in manually managing scheduling, memory, and interrupts. An RTOS is a common choice for MCU-based devices due to its built-in real-time scheduling, memory management, and interrupt handling, which enable efficient execution of Wasm-based containers as applications.
Teams typically leverage lightweight RTOS options like Zephyr, FreeRTOS, or ThreadX, which offer built-in support for various microcontroller architectures. Configuring these operating environments requires deep expertise in C/C++ programming, optimizing memory allocation, and partitioning to establish secure hardware abstraction layers and peripheral drivers. Careful system resource management is crucial for ensuring reliable operation on these highly constrained devices, as every kilobyte of memory and clock cycle must be accounted for.
The technical challenges at this layer are significant, requiring teams to balance the needs of the RTOS, the WebAssembly runtime, and the application workloads above—all within tight resource constraints that vary significantly across MCU families and models.
Layer 2: Runtime
This layer involves implementing a WebAssembly runtime environment specifically for resource-constrained devices. Teams will most likely select and configure an appropriate Wasm runtime like WAMR (WebAssembly Micro Runtime) to handle module execution and isolation on resource-constrained hardware.
Configuration focuses on memory allocation, interrupt handling, and peripheral access control—a few of many considerations. Developers must also address runtime startup time, module loading strategies, execution optimization techniques and more. Security at this level is critical, forming the backbone of the system's defense against vulnerabilities. They must carefully evaluate each WebAssembly runtime's resource consumption, execution performance, and compatibility with their target silicon architecture.
Layer 3: Development and Deployment
Here teams must create the tools and processes necessary for building and deploying Wasm modules to their devices, which includes developing build systems that can create Wasm binaries suitable for their runtime. For WebAssembly-based solutions, developers need additional tooling to support Wasm compilation targets and manage language-specific requirements. They will also need to develop mechanisms for getting these modules onto devices and managing their lifecycle—starting, stopping, and updating them in the field.
What starts as a seemingly straightforward build process can quickly become complex, especially when managing multiple modules, different programming languages, and deployment across numerous devices. Teams often find themselves creating custom tools and scripts to handle these operations, adding another layer of maintenance overhead to their development process.
DIY Considerations
While the initial path of compiling and running Wasm modules might seem straightforward, moving to production requires substantial expertise and infrastructure. Organizations quickly discover they need deep knowledge of MCU environments, runtime optimization, and container management to create a viable solution that scales in the real world. Teams frequently encounter performance bottlenecks, memory limitations, and compatibility issues that require custom workarounds.
Additionally, different WebAssembly runtimes have varying levels of support for WASI extensions and WASI components, particularly in MCU environments. Key factors such as runtime footprint, execution model (JIT vs. AOT), and compatibility with constrained hardware must be carefully evaluated. Developers must assess these attributes based on their specific device constraints and application requirements. Additionally, maintaining runtime updates alongside application code introduces another layer of dependency management within the software stack.
Ocre: An Open-Source Alternative
As organizations move beyond basic Wasm modules and discover the complexities of production deployment, Ocre emerges as a compelling solution. As an open-source project hosted within the Linux Foundation's LF Edge umbrella, the Ocre runtime serves as a complete execution target for containerized applications on resource-constrained devices and systems. It addresses many of the fundamental challenges that teams discover in their DIY journey while maintaining the flexibility developers need. Backed by an active community, Ocre continues to evolve through contributions from developers who understand the unique challenges of embedded systems.
Ocre requires less than 256KB of memory for the entire runtime—over 1000x smaller than traditional container solutions like Docker, containerd, and Podman running on Linux. This ultra-light footprint enables cloud-native principles to extend past the "Linux barrier," with the sweet spot for Ocre being MCU, MPU, and CPU-based edge devices with 1MB to 1GB of memory. It makes it possible to run Wasm-based containers on MCU-based devices, and can be an attractive alternative to traditional container technologies for MPU and CPU-based devices to save memory, conserve power, and/or lower BOM cost.
At the base level, Ocre leverages Zephyr as its reference RTOS to take advantage of its robust architecture and extensive support of over 700 boards. However, Ocre's architecture is platform-agnostic, allowing the community to port it to other operating environments (e.g., FreeRTOS, VxWorks, Linux) in the future as needed.
The Ocre runtime provides what organizations typically struggle to build themselves: robust container execution, lifecycle management, compatibility with OCI (Open Container Initiative) standards, and more. It offers a standard set of APIs for system, storage, network, and hardware operations, ensuring compatibility with existing embedded software and libraries. Security features include a fine-grained permissions model, container signature verification, image validation, and inter-container communication.
And thanks to its WebAssembly foundation, developers can use any programming language that targets Wasm to build their containers—including C/C++, Golang, Rust, JavaScript, and many others. This flexibility opens new possibilities for embedded development as teams are no longer restricted to traditional embedded developer skillsets and tools, enabling faster iteration, and affording modern development practices previously reserved for cloud applications. Existing C/C++ code can be deployed on devices in containers alongside new containerized applications developed in other languages.
The development experience is further streamlined through pre-configured tooling, including a ready-to-use C-toolchain development container, the Ocre CLI for container management, and comprehensive code samples to help developers get up and running quickly.
Ocre Considerations
Compared to DIY approaches, Ocre provides organizations with a solid foundation to move beyond basic Wasm modules. Teams benefit from a complete, production-ready Wasm runtime environment out of the box rather than building and maintaining their own runtime management, security policies, APIs, execution environment, and deployment tools. Ocre’s pre-built tooling, standards-based container format, and optimized footprint dramatically accelerates the path from proof-of-concept to initial deployment—eliminating many of the technical hurdles teams face when building solutions from scratch.
While Ocre provides a powerful foundation for containerized applications on devices, organizations moving toward production deployment will still discover that they need additional capabilities. As deployments scale, requirements emerge for centralized fleet management, monitoring, enterprise support, and tools for managing applications across hundreds or thousands of devices. And while Ocre's open-source nature provides flexibility and community support, enterprises typically require the reliability and support guarantees that come with commercial solutions.
Atym: Enterprise Container Management for Embedded Systems
Ocre provides enterprise-grade capabilities for running WebAssembly-based containers on embedded devices, but it is not a complete solution. This is where Atym builds upon Ocre's strong foundation, leveraging its capabilities as part of a complete device edge orchestration solution that is purpose-built for production scale. Whether an organization has already begun working with Ocre or is looking to start fresh, Atym offers a complete managed solution with enterprise support and available white-glove service throughout the containerization journey.
Atym's architecture combines an enterprise-hardened runtime, called the Atym Runtime with the powerful Atym Hub orchestration platform. The runtime extends Ocre's core capabilities with enhanced APIs, security, and performance features, while the Hub provides the centralized management and deployment capabilities that enterprises need for production environments.
The Atym Runtime
At its foundation, the Atym runtime builds upon Ocre's core capabilities enhanced by simplifying the implementation of security features including silicon-based root of trust, secure boot, hardware-based encryption, and the ability to meet important regulations that enterprises rely on. In addition, Atym offers professional services for custom board support, ensuring organizations can deploy containers on their specific hardware with confidence.
Atym’s board support is augmented by the utilization of Zephyr as the reference RTOS, enabling silicon swaps to be performed in days rather than the weeks or months typically required with a traditional firmware approach, which can be done with minimal to no change to the application logic above. This flexibility eliminates concerns about hardware lock-in and ensures organizations can quickly adapt to new silicon options, keeping their products competitive and future-proof.
The Atym Hub
Working in tandem with the Atym runtime, the Atym Hub serves as the central management and control plane for device fleets, making large-scale device orchestration both possible and straightforward. The Hub is built on modern Kubernetes architecture to ensure enterprise-grade scalability and reliability, and while delivered as a SaaS solution by default, there are on-premise and hybrid deployment options available.
The Atym Hub’s comprehensive management capabilities include simplified device onboarding, application deployment automation, and granular hardware policy controls. Its intuitive UI provides full fleet visibility and control out of the box and its well-documented API set enables seamless integration with existing platforms, tools, and CI/CD pipelines. Additionally, organizations can leverage the built-in container registry or connect to their existing repositories, offering flexibility in container management approaches.
Performance and security are enhanced through features like Ahead-of-Time (AoT) compilation, which accelerates on-device performance by optimizing code before deployment. The platform is designed for white-labeling while maintaining enterprise-grade security through robust certificate management and Role-Based Access Control (RBAC). Secure device provisioning, real-time monitoring, and fractional over-the-air updates of both application containers and the Atym Runtime itself round out the Hub's fleet management capabilities, ensuring reliable and secure device operations at scale.
Developer Tools
To streamline the development process, Atym provides a ready-to-use development container with pre-configured C/C++ toolchains (with support for additional languages coming soon), comprehensive documentation, samples and personalized support.
Additionally, the Atym CLI provides comprehensive container and device management through intuitive commands, as well as providing support for CI/CD pipelines and build processes. Developers can build and push containers to the registry, manage container execution on devices, handle user access, and maintain their device fleet—all through a familiar command-line interface that integrates seamlessly with existing development workflows.
Atym and Ocre Feature Comparison
The table below outlines the benefits Atym's commercial solution provides over Ocre as a core enabler. While both solutions support essential features like container execution and core WASI components, Atym extends functionality in several areas that are critical for deploying and managing fleets of devices at scale.
Performance optimization is a key differentiator—Atym adds seamless Ahead-of-Time (AOT) compilation to Ocre's Wasm runtime—optimizing deployed code to the native instruction set of the silicon to deliver that near-native performance that is crucial for resource-constrained devices. In addition, security enhancements are substantial, with Atym adding secure provisioning, updates, and more. Check out this blog for more detail on macro trends in embedded security and how both Ocre and Atym can help.
For operations teams, Atym introduces centralized management capabilities including device grouping, remote deployment, and centralized logging, as well as a web console for simplified administration. Logging frequency can be adjusted without updating or rebooting devices and the feature is particularly valuable for troubleshooting issues across distributed device fleets. When issues are identified, patching devices is as simple as pushing an update of only the affected application container, reducing the amount of bits transmitted across the wire and greatly reducing the risk of “bricking” the device in the field. This prevents costly truck rolls to physically access remote equipment.
Lastly, Atym's formal production support, SBOM integration, and dedicated container registry transform what would otherwise need to be built on top of Ocre to yield a complete enterprise solution. These features are particularly valuable for regulated industries where compliance and security documentation are mandatory requirements.
Endless Applications
Atym offers a new way to build and deploy applications for embedded devices across numerous industries and use cases. It’s the “easy button” for leveraging WebAssembly for container deployment and management on resource-constrained hardware, creating opportunities that would be resource and cost-prohibitive with DIY approaches and foundational open-source implementations like Ocre.
For example, in industrial environments, organizations can deploy and manage containerized applications across large device fleets for use cases in factory automation, quality control, condition monitoring, predictive maintenance, and more. In the energy and utility sector, companies can securely manage distributed energy resources, enabling remote updates and monitoring across widespread infrastructure while maintaining strict security requirements. Makers of connected products can accelerate their ability to deploy on-device AI to enable new customer experiences and preserve privacy.
The modular nature of containerized applications particularly shines by extending microservice architectures—previously only practical in cloud environments—to resource-constrained embedded devices. Just as web and cloud technologies evolved toward containerized microservices for improved scalability and maintainability, embedded systems can now follow the same path. Applications can be decomposed into discrete, independently deployable containers, enabling teams to update specific functionality without affecting the entire system. For example, when working with AI and ML models, as algorithms improve, teams can deploy updated models by simply replacing the relevant container rather than re-flashing entire system images, an approach that would require significant custom tooling with DIY WebAssembly implementations.
Additionally, Atym’s benefits extend beyond MCU-based devices to offer compelling advantages over traditional Docker containerization. Its significantly smaller runtime footprint reduces system overhead while maintaining container isolation and management capabilities. This efficiency translates to either deploying more application logic in the same memory footprint, lowering power consumption, or cost-reducing the hardware BOM—critical factors in embedded deployments where every resource matters. Additionally, the unified management approach means organizations can use the same tools and processes across their entire device fleet, from MCU-based devices to more capable hardware.
Standards Leadership and Stability
By partnering with Atym, organizations also gain crucial insulation from the rapid evolution of WebAssembly standards and specifications. Through active participation in forums such as the WebAssembly System Interface Community Group (WASI CG), embedded SIG, and the Margo initiative, Atym is directly shaping the future of embedded containerization and emerging APIs across the edge continuum.
As a major contributor to the Ocre project, which serves as a reference implementation of these standards, Atym helps ensure containerized applications have a solid foundation on resource-constrained devices. This involvement allows Atym to provide a stable platform for building, deploying, and managing applications while shielding customers from disruptive changes. Rather than requiring teams to constantly track and adapt to evolving specifications, Atym manages the standards transition, providing consistent interfaces and clear migration paths while handling the complexity behind the scenes.
Atym Considerations
Atym addresses the key challenges of scale, security, and manageability for organizations deploying containerized applications in production environments. The ability to manage device fleets through a single interface is combined with enterprise-grade features, security, deployment tools, and support. This makes Atym an attractive solution for deployments in industrial, enterprise, and consumer use cases where scalability, reliability, and security are paramount.
From a business perspective, Atym's comprehensive approach eliminates the need for organizations to build and maintain multiple disparate systems. The platform's fleet management capabilities, deployment automation, and integrated development tools significantly reduce time-to-market while lowering operational overhead. This consolidation of functionality, combined with professional services and custom board support, allows organizations to focus on their core application development rather than infrastructure management.
Moreover, Atym's leadership role in WebAssembly standards development ensures organizations can confidently build on a stable platform while staying ahead of industry evolution, making it an ideal partner for long-term embedded containerization initiatives.
Wrapping Up
The shift toward software containerization represents a significant evolution in how we think about embedded development. As traditionally embedded devices continue to grow in complexity, increasingly leverage technologies like AI, and are faced with growing cybersecurity challenges, the ability to manage and update applications independently becomes crucial.
While the use of WebAssembly for containerization in the embedded world is rapidly evolving, the path forward is becoming clearer. Organizations can begin their journey by experimenting with the potential of Wasm on their devices. Ocre provides an excellent foundation for this exploration, offering the core capabilities needed to validate containerization approaches.
Atym builds upon this foundation with the enterprise features, management capabilities, security enhancements, and commercial support required for production scale in the real world. This natural progression allows organizations to grow their containerization initiatives at their own pace while ensuring a clear path to commercial success and being able to focus their resources on innovation and the customer experience rather than building fundamental plumbing.
Comments