awesome-ubuntu-core

Build secure IoT devices with Ubuntu Core.

Everything you love about Ubuntu, locked down for security. Helping you make safer things – because we’re all connected.

Officail Prebuilt Boards and Images

• Ubuntu Core 18 (stable)

Packaging

• snapcore/snapcraft - Package, distribute, and update any app for Linux and IoT.

Testing

• snapcore/spread - Convenient full-system test (task) distribution.
• snapcore/spread-images - This project provides a set of tasks and scripts used to create and update images used by spread.
• snapcore/spread-cron - spread-cron triggers spread tasks in response to events.

Development Environment

5G tracer

• oai-tracer - OpenAirInterface RAN tracer and visualizer.

Build server

• fabrica - Build snaps by simply pointing a web form to a git tree.

Containerization

• distrobuilder - Image builder for LXC and LXD.
• kubectl - Command line client for controlling a Kubernetes cluster.

Databases

• Beekeeper Studio - An open source SQL editor and database management app.
• DataGrip - IntelliJ-based IDE for databases and SQL.

Drivers

• hw-probe - Check operability of computer hardware and find drivers.

GraphQL

Snaps for development of GraphQL-based communication. For other tools refer to e.g. awesome-graphql#tools.

• Insomnia - HTTP and GraphQL Client.

gRPC

Snaps for development of gRPC-based communication. For other tools refer to e.g. awesome-grpc#tools.

JSON

• fx - Command-line tool and terminal JSON viewer.

Key value stores

• RedisDesktopManager - Cross-platform GUI management tool for Redis.

Machine learning

Snaps for development of machine learning models. For other tools refer to e.g. awesome-machine-learning or awesome-production-machine-learning.

• Netron - Visualizer for neural network, deep learning and machine learning models.

MQTT clients

Snaps for development of MQTT-based communication. For other tools refer to e.g. awesome-mqtt#tools.

• mqtt-explorer - MQTT Client.
• mqttx - MQTT 5.0 Client.

ROS2

• Micro XRCE-DDS Agent - Bridge between Micro XRCE-DDS clients and DDS.

Monitoring

• influxdb - Scalable datastore for metrics, events, and real-time analytics.
• grafana - Metrics dashboard and graph editor.
• prometheus - Monitoring system and time series database.

Virtualization

• Multipass - Recommended method to create Ubuntu VMs on Ubuntu, Mac or Windows workstations.

Performance optimization

• cpustat - periodic cpu utilization statistics.
• fast - Test your internet download speed from terminal.
• stress-ng - A tool to load, stress test and benchmark a computer system.

Prototyping

• arduino - Write code and upload it to your Arduino-compatible board.
• node-red - Low-code programming for event-driven applications.
• LibrePBC - EDA software to develop printed circuit boards.

Runtime

• snapcore/snapd - The snapd and snap tools enable systems to work with .snap files.

Security hardening

• nmap - Utility for network discovery and security auditing.
• ssh-audit - SSH server and client security configuration auditor.

Base Snaps

• snapcore/core18 - This is a base snap for snapd that is based on Ubuntu 18.04.
• snapcore/core20 - This is a base snap for snapd that is based on Ubuntu 20.04.
• snapcore/bare-base - An empty base snap that contains nothing except the directories required as mount points.

Gadget snaps (board support)

• snapcore/pi-gadget - Universal pi (pi2,pi3,pi4,cm3) gadget snap for core18.
• snapcore/pi3-gadget - The gadget snap for the Raspberry Pi 3 development board.
• snapcore/pc-amd64-gadget - The gadget snap for Personal Computers using 64bit Intel or AMD processors.

Reference models

• snapcore/models - Reference Models for customized, device specific Ubuntu Core image builds.

Util libraries

• snapcore/snapd-glib - Library to allow GLib based applications access to snapd, the daemon that controls Snaps.
• snapcore/snapcraft-preloads - Individual libraries that can be preloaded in snaps to ensure behavior is consistent with confinement rules.

Snaps (for production)

• Application frameworks
  • Kura - Eclipse Kura™, An OSGi-based Application Framework for M2M Service Gateways.
• Bluetooth
  • bluez - Official Linux Bluetooth protocol stack.
• Cloud integration
  • AWS IoT Greengrass - Bring local compute, messaging, data caching, sync and ML inference capabilities to edge devices.
• Containerization
  • docker - Docker container runtime.
  • kata-containers - Lightweight virtual machines that seamlessly plug into the containers ecosystem.
  • kubernetes-worker - A complete Kubernetes worker.
  • lxd - System container manager and API.
• Deployment
  • Snap Store Proxy - A smart caching proxy for the Snap Store.
• Firewall
  • ufw - Uncomplicated Firewall.
• Key value stores
  • etcd - Resilient key-value store by CoreOS.
• Private Cloud
  • MAAS (Metal as a Service) - Very fast server provisioning for your data centre (edge server as a cloud).
• UI toolkits
  • mir-kiosk - A minimal Mir based shell for kiosk type applications.
  • Electron - Build cross-platform desktop apps with JavaScript, HTML, and CSS (needs to be integrated with mir-kiosk via XWayland and Snapd Wayland interface). Use any JavaScript/TypeScript frontend framework you like.
  • Qt - Create beautiful user interfaces (on Ubuntu Core).
• Wayland compositors
  • SWAY - 3-compatible Wayland compositor.

Common snap dependencies

• i3-wm - Improved dynamic tiling window manager.
• libegl1-mesa - Free implementation of the EGL API -- runtime.
• libgl1-mesa-glx - Free implementation of the OpenGL API -- GLX runtime.
• xwayland - X Clients under Wayland.

Documentation

• Ubuntu Core
  • Ubuntu Core vs. Ubuntu Server comparison table - More lightweight, faster and more secure by design.
  • Booting
    • secboot - Lightweight secure boot mechanism.
  • NetworkManager - System network service that manages your network devices and connections and attempts to keep network connectivity active when available.
    • networkd - System service that manages networks.
    • netplan - YAML network configuration abstraction for various backends (NetworkManager, networkd).
• Snapcraft
  • Tools
    • snapctl - provide both specific environmental feedback and limited control from within the context of a snap’s execution environment to snapd (typically run from a script within a snap).
    • snapd REST API - Access to snapd’s state and many of its key functions.
  • Snapcraft.yaml reference - Single page reference for the snapcraft format.
  • hooks - A hook is an executable file that runs within a snap’s confined environment when a certain action occurs.
  • environment variables - consume, set, and pass-through specific environment variables to support building and running snaps.
  • Interfaces (not for Ubuntu Core only, for Ubuntu Desktop as well)
    • account-control (core) - add/remove user accounts or change passwords
    • accounts-service - allows communication with the accounts service
    • adb-support - allows operating as Android Debug Bridge service
    • alsa (core) - play or record sound
    • appstream-metadata - allows access to AppStream metadata
    • audio-playback - allows audio playback via supporting services
    • audio-record - allows audio recording via supported services
    • autopilot-introspection (core) - be controlled by Autopilot software
    • avahi-control (core) - advertise services over the local network
    • avahi-observe (core) - detect services and devices over the local network
    • block-devices - access to disk block devices
    • bluetooth-control (core) - access Bluetooth hardware directly
    • bluez (core) - use Bluetooth devices
    • bool-file - allows access to specific file with bool semantics
    • broadcom-asic-control (core) - control Broadcom network switches
    • browser-support (core) - use functions essential for Web browsers
    • calendar-services - allows communication with Evolution Data Server calendar no
    • camera (core) - use your camera or webcam
    • can-bus - allows access to the CAN bus
    • cifs-mount - allows the mounting and unmounting of CIFS filesystems
    • classic-support (core) - enable resource access to classic snap
    • contacts-service - allows communication with the Evolution Data Server address book
    • content (core) - access resources across snaps
    • (core-support (core) - deprecated since snap 2.34)
    • cpu-control - set certain CPU values
    • cups-control (core) - print documents
    • daemon-notify - allows sending daemon status changes to service manager
    • dbus (core) - allow snaps to communicate over D-Bus
    • dcdbas-control (core) - shut down or restart Dell devices
    • desktop - provides access to common desktop elements
    • desktop-legacy - enables the use of legacy desktop methods (including input method and accessibility services)
    • device-buttons - use any device-buttons
    • display-control - allows configuring display parameters
    • docker (core) - start, stop, or manage Docker containers
    • docker-support (core) - allows operating as the Docker daemon
    • dummy - allows testing without additional permissions
    • dvb - allows access to all DVB devices and APIs
    • firewall-control (core) - configure a network firewall
    • framebuffer (core) - access to universal framebuffer devices
    • fuse-support (core) - enables access to the FUSE filesystems
    • fwupd (core) - allows operating as the fwupd service
    • gpg-keys - read GPG user configuration and keys
    • gpg-public-keys - read GPG non-sensitive configuration and public keys
    • gpio (core) - access specific GPIO pins
    • gpio-control - allows to export/unexport and control all GPIOs
    • gpio-memory-control - allows write access to all GPIO memory
    • greengrass-support (core) - allows operating as the Greengrass service
    • gsettings (core) - provides access to any GSettings item for current user
    • hardware-observe (core) - access hardware information
    • hardware-random-control (core) - provide entropy to hardware random number generator
    • hardware-random-observe (core) - use hardware-generated random numbers
    • hidraw (core) - access hidraw devices
    • home (core) - access non-hidden files in the home directory
    • hostname-control - allows configuring the system hostname
    • i2c (core) - access i²c devices
    • iio (core) - access IIO devices
    • intel-mei - access to the Intel MEI management interface
    • io-ports-control (core) - allows access to all I/O ports
    • jack1 - allows interaction with the JACK audio connection server
    • joystick (core) - use any connected joystick
    • juju-client-observe - read the Juju client configuration
    • kernel-module-control (core) - insert, remove and query kernel modules
    • kernel-module-observe - query kernel modules
    • kubernetes-support (core) - use functions essential for Kubernetes
    • kvm (core) - allows access to the kvm device
    • libvirt (core) - provides access to the libvirt service
    • locale-control (core) - change system language and region settings
    • location-control (core) - allows operating as the location service
    • location-observe (core) - access your location
    • login-session-control - allows setup of login sessions and grants privileged access to user sessions
    • login-session-observe - allows reading login and session information
    • log-observe (core) - read system logs
    • lxd (core) - provides access to the LXD socket
    • lxd-support (core) - allows operating as the LXD service
    • maliit (core) - use an on-screen keyboard
    • media-hub (core) - access snaps providing the media-hub interface
    • mir (mir) - enables access to the Mir display service
    • modem-manager (core) - use and configure modems
    • mount-observe (core) - read mount table and quota information
    • mpris (core) - control music and video players
    • multipass-support - multipass-support allows operating as the Multipass service
    • netlink-audit (core) - allows access to kernel audit system through Netlink
    • netlink-connector (core) - communicate through the kernel Netlink connector
    • network (core) - enables network access
    • network-bind (core) - operate as a network service
    • network-control (core) - change low-level network settings
    • network-manager (core) - configure and observe networking via NetworkManager
    • network-manager-observe (core) - allows observing NetworkManager settings
    • network-observe (core) - query network status information
    • network-setup-control (core) - change network settings via Netplan
    • network-setup-observe (core) - read network settings
    • network-status (core) - access the NetworkingStatus service
    • ofono (core) - allows operating as the oFono service
    • online-accounts-service (core) - access to the Online Accounts service
    • opengl (core) - access OpenGL/GPU hardware
    • openvswitch (core) - control Open vSwitch hardware
    • openvswitch-support (core) - enables kernel support for Open vSwitch
    • optical-drive (core) - read/write access to CD/DVD drives
    • packagekit-control - control the PackageKit service
    • password-manager-service (core) - read, add, change, or remove saved passwords
    • personal-files - read or write files in the user’s home directory
    • physical-memory-control (core) - read and write memory used by any process
    • physical-memory-observe (core) - read memory used by any process
    • ppp (core) - access to configure and observe PPP networking
    • process-control (core) - pause or end any process on the system
    • (pulseaudio (core) - play and record sound, deprecated -> audio-playback, audio-record)
    • raw-usb (core) - access USB hardware directly
    • raw-volume - access specific disk partitions
    • removable-media (core) - read/write files on removable storage devices
    • screencast-legacy - allows screen recording and audio recording alongside writing to arbitrary filesystem paths
    • screen-inhibit-control (core) - prevent screen sleep, lock and screensaver
    • serial-port (core) - access serial port hardware
    • shutdown (core) - restart or power off the device
    • snapd-control (core) - install or remove software
    • spi (core) - access specific SPI devices
    • ssh-keys - access SSH private and public keys
    • ssh-public-keys - access SSH public keys
    • storage-framework-service (core) - operate as, or interact with, the Storage Framework
    • system-backup - read-only access to the system for backups
    • system-files - read or write files in the system
    • system-observe (core) - read process and system information
    • system-packages-doc - access system documentation in /usr/share/doc
    • system-trace (core) - monitor or control any running program
    • thumbnailer-service (core) - create thumbnail images from local media files
    • time-control (core) - change the date and time
    • timeserver-control (core) - change time server settings
    • timezone-control (core) - change the time zone
    • tpm (core) - allows access to the Trusted Platform Module device
    • u2f-devices - use any U2F devices
    • ubuntu-download-manager (core) - use the Ubuntu Download Manager
    • udisks2 (core) - access the UDisks2 service
    • uhid (core) - create kernel UID devices from user-space
    • uio - access uio devices
    • unity7 (core) - access legacy desktop resources from Unity7
    • unity8 (core) - share data with other Unity 8 apps
    • unity8-calendar (core) - read/change shared calendar events in Ubuntu Unity 8
    • unity8-contacts (core) - read/change shared contacts in Ubuntu Unity 8
    • upower-observe (core) - access battery level and power usage
    • wayland (core) - access compositors providing the Wayland protocol
    • x11 (core) - monitor mouse/keyboard input and graphics output of other apps
  • Plugins
    • Local plugin - Own plugins for adjusting build system support, adding build system support and/or custom stage-packages deb repos.
    • Plugins (Programming lanugages)
      • npm plugin- create parts that use Node.js and/or the JavaScript package manager, npm (core/20)
      • nodejs plugin - create parts that use Node.js and/or the JavaScript package manager, npm (core/18)
      • conda plugin - used for parts incorporating the Conda open source package manager system (core/18)
      • flutter plugin - easily build and deploy parts for the expressive Flutter UI toolkit (core/18)
      • python plugin - used for parts incorporating projects written with Python 2 or Python 3 (core/18, core20)
      • rust plugin - build parts from projects written in Rust and using Cargo for dependency management (core/18, core20)
    • Platforms (Platforms)
      • Linux kernel
        • kbuild plugin - build parts that use the Linux kernel build system (kBuild)
        • kernel plugin - derived from the kbuild plugin and used to build your own kernel
      • Robot Operating System:
        • colcon plugin - build colcon-based parts, typically used with version 2 of the Robot Operating System (ROS 2)
    • Platforms (Tools)
      • dump simply dumps the contents from the specified source
      • nil useful for parts with no source to import
      • plainbox-provider create parts containing a Plainbox test collection known as a provider
  • Security
    • AppArmor - AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources.
    • cgroups - Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour.
    • seccomp
• Snapstore
  • Snap Store
  • Snap Store Proxy

Whitepapers

• Ubuntu Core - Security
• Secure IoT device management - Build and deploy a central IoT management solution

Blog

• Snappy Ubuntu Core now on AWS
• Ubuntu Core: an independent security analysis

Forums

• discourse.ubuntu.com

Supported distributions

Snap builtin support

• Ubuntu
  • Ubuntu Cloud (production runtime)
  • Ubuntu Core (production runtime)
  • Ubuntu Desktop (development machine)
  • Ubuntu Server (production runtime)
• Ubuntu Desktop flavors (development machines)
  • Ubuntu Budgie
  • Kubuntu
  • Ubuntu Kylin
  • Lubuntu
  • Mate
  • Ubuntu Studio
  • Xubuntu
• Solus 3 and above (development machine)
• Zorin OS (development machine)

Compatible distribution build systems

• Yocto project via meta-snappy

IoT and Device Services

• Canonical Ubuntu IoT and device services
  • START SMART: Canonical will validate your hardware, package your apps and prepare your device image (30,000 USD).
  • Full Disk Encryption: Enable full disk encryption with hardware key management and optional key escrow (30,000 USD).
  • Secure Boot: Enable secure boot, ensuring that the device will only run its certified workload (30,000 USD).
  • Device Enablement: If Canonical’s certified hardware list doesn’t include what you need, we may be willing to enable your preferred board (30,000 USD).
  • FIPS Certification: Meet Federal information processing requirements with a FIPS-certified kernel and cryptographic libraries (45,000 USD).
  • Kernel Livepatch: Reduce the number of reboots significantly by live patching your running kernel (60,000 USD).
  • High Availability Kubernetes: With Canonical MicroK8s you gain a fully CNCF conformant cloud-native Kubernetes for device application operations (15,000 USD).

Companies using Ubuntu Core

• ABB - Ubuntu Core 20 secures Linux for IoT
• Bosch Rexroth - Bosch Rexroth adopts Ubuntu Core and snaps for app-based ctrlX AUTOMATION platform
• DELL - The Dell Edge Gateway 3000 launches with Ubuntu Core 16
• Jabil - Ubuntu Core 20 secures Linux for IoT
• Rigado - Reducing IoT time to market with Ubuntu Core & Snaps
• M2MLabs - Internet of Things: M2MLabs
• Mobica - Mobica adopting Ubuntu Core for embedded device development
• Rigado - Rigado cuts customers’ time-to-market with Ubuntu Core and AWS
• Plus One Robotics - Ubuntu Core 20 secures Linux for IoT

Books

• Getting Started with Ubuntu Core for Raspberry Pi 3
• Mastering Linux Security and Hardening: Secure Your Linux Server and Protect it