netPI is a Raspberry Pi 3 based platform for implementing customized Cloud, Internet of Things and Industry 4.0 automation projects safely with containerized software using Docker. Hilscher designed it in cooperation with Element14, the Raspberry manufacturer, and upgraded it specifically for industrial use. Its single circuit board combines the Pi 3 circuitry, its standard interfaces, Hilscher's multi-protocol Industrial Network SoC netX and two extra Industrial Ethernet ports. By design, netPI's overall software architecture complies with the cyber security standard IEC 62443 for Industrial Automation and Control Systems to counter threats such as unauthorized access, software manipulation and eavesdropping, and relies on a security-enhanced Linux. Default access for configuring and managing it is granted via a web-based GUI. In line with the security concept, additional software and applications can only be deployed by accredited users, using the preinstalled Docker virtualization environment, in isolated and safe containers.
netPI is a Docker host. Docker is software that packs applications into containers and runs them as they would run at system level, but isolated in their own private virtual environments. Every container is launched from a specific image template, a software snapshot of everything the container needs to run autonomously, such as the operating system, directories, tools, applications, user-added files and configuration settings. When a container is created, Docker virtualizes an instance of the self-contained image and adds dynamic aspects to it, such as its own drive volume, network stack, namespaces and control groups. This form of isolation allows multiple containers to run at the same time without influencing each other or the Docker host. Image templates are portable and can be exchanged across registries. This makes it possible to distribute and ship one's work to everybody, either privately or publicly. For easy on-board Docker management, netPI provides the Docker web UI portainer.io as the front end for the user.
With Raspberry the focus is "the affordable PC for everybody" with an open and customizable software ecosystem such as Raspbian OS. The brilliant playground concept at the platform's best price/performance ratio encourages the community to this day to realize even the most unusual computer projects with it. But openness has drawbacks. When applications are aimed at industry, security comes significantly to the fore. In the majority of today's Raspberry projects the provided software 1.) is a chaotic mix of multiple components embedding unpredictable security risks and 2.) has never been assessed or designed with security in mind at all.
netPI, however, is different: its security concept was considered from the beginning. Docker plays a significant role in this concept.
Docker starts containers with a whitelist-restricted set of capabilities to make the Docker host system immune to external exposures by default. But Docker runs as root and could pass this privilege and others on to a container. However, the simple example of a containerized web server application that binds just a specific port to provide its web content makes clear that in nearly 100% of all cases granting privileges is not needed at all. Security comes first here. Even if the web server is operating perfectly, an intruder would never succeed in becoming system root, regardless of how vulnerable the web server is, if the container is of type non-root. So with Docker, security is just a matter of the privileges given to containers. IEC 62443 demands consistent asset life-cycle security and risk management in an administered way. It prescribes that only suitably trained and accredited personnel are entitled to manage components identified as critical, such as Docker. So netPI's security stands and falls with the administrators responsible for its setup.
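Because security here depends on the privileges each container was given, an administrator can review them before a container goes into service. The following is an added example, not Hilscher's or Docker's own code: it audits `docker inspect` JSON for the settings that hand host privileges to a container. The container names and the sample JSON are constructed, and the JSON is assumed to come from a host where the Docker CLI is available, such as a development Pi.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields checked below.
# Container names are hypothetical.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/webserver",
   "Config": {"User": "www-data"},
   "HostConfig": {"Privileged": false, "CapAdd": null,
                  "CapDrop": ["ALL"], "Binds": null}},
  {"Name": "/fieldbus-gw",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"],
                  "CapDrop": null,
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
]
""")


def audit_container(entry):
    """Return the privilege findings for one `docker inspect` entry."""
    findings = []
    host = entry.get("HostConfig") or {}
    # Config.User is "user" or "user:group"; empty means the process starts as root.
    user = ((entry.get("Config") or {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    if host.get("Privileged"):
        findings.append("privileged mode")
    # Anything in CapAdd widens Docker's default capability whitelist.
    for cap in host.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    # A container that can reach the Docker socket can control the Docker host.
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("Docker socket mounted")
    return findings


def audit(containers):
    """Map container name -> list of findings (empty list means no extra privileges)."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no extra privileges")
```
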
There are two ways of dealing with container images. Either you use prebuilt images with ready-made applications or you build your own images to fit your demands.
Building your own image is easy. An image needs a base and in the best case it consists of just that. The base usually consists of an operating system like Ubuntu, Debian or CentOS. Those and many more are offered prebuilt on Docker's public registry Docker Hub, ready for pulling. Naturally the well-known Raspbian is provided too. On top of this image you can add and install everything your application shall consist of. When ready, you make the final commit of your customized image. You can keep it private or upload it to the registry for others.
netPI is a Docker host only. You can deploy images and run containers from them, but you cannot build images on-board. netPI's security concept prohibits SSH servicing and hence you can't get access to Docker build commands. Since containers run the same on any compatible hardware, use a Raspberry Pi 3 instead for image development. We feel $30 for the consumer Pi is a low and riskless investment for getting familiar with Docker and for making usability and performance tests of applications before moving them onto the professional netPI. Try it out today and install Docker with a single command on your Pi as described here.
Two Fieldbus nodes provide an input and output channel to netPI's on-board Industrial Network SoC netX. A configuration node sets netX to run either as PROFINET IO device or EtherNet/IP adapter with a configurable number of cyclic I/O data to be exchanged with a bus master controller. The input node injects the latest received master data into the flow on changes, while the output node works in the other direction and forwards data from the flow to the master.
netPI features an FRAM to store high-frequency data in a non-volatile way. Two FRAM nodes provide random read and write access to this memory. The input node reads data from a specific FRAM location and injects it into the flow. The output node writes data from the flow to a specific FRAM location.
With both the Pi CPU and the netX SoC, connectivity to many other systems can be realized. This is the reason why netPI comes with an expansion slot at its bottom where additional networking modules can be fitted. The modules can be of type serial like RS485 or RS232, type CAN, type digital or analog I/O, type IO-Link master and more. For each of these modules we will be providing additional nodes, if not supported by existing Node-RED default nodes, to follow the idea of maximum connectivity. We expect sales of the expansion modules to start in December 2017. At that time we will start updating you with further details about the modules and nodes.
| Main Processor | Broadcom BCM2837, 64Bit quad-core @1.2GHz |
| RAM Memory | 1 GByte |
| FRAM Memory | 8 KByte |
| Flash Memory | 8 GByte, MLC NAND (3000w/e) |
| Interfaces | 4 x USB 2.0A (max. load 1A), 1 x HDMI, 1 x Wifi/BT |
| Real-time clock | supercapacitor buffered (7 days backup) |
| Industrial Network SoC | netX 51 |
| Ethernet | 1 x RJ45 standard, 10/100Mbit/s; 2 x RJ45 industrial, 10/100Mbit/s |
| Indicators | 8 LEDs, 2 programmable |
| Trusted platform | TPM 1.2 (inactive) |
| Dimensions | 140 x 35 x 105 mm (H x W x L) |
| Enclosure | Metallic, top hat rail-mountable, IP 20 |
| Power Consumption | min. 4,2W (no USB), max. 9W (USBs max. load 1A) |
| Temperatures | -20°C ... +60°C operating, -40°C ... +85°C storage |
| Approvals | CE (FCC/UL pending) |
| EMC | EN 55011:2009, IEC 61000-6-2/3:2005, |
| Shock and Vibration | IEC 60068-2-27:2008-02, |
| Operating System | Yocto based Linux, Kernel 4.9.x or higher (AppArmor secured, applied RT-patch) |
| Docker | 17.04.0-ce or higher with portainer.io web UI |