Existing container solutions for resource-constrained microcontrollers lack runtime dynamic configurability, making them ill-suited for multi-tenant scenarios in dynamic heterogeneous environments. This work proposes and implements a lightweight container runtime middleware that, for the first time, enables container-granularity dynamic scheduling and fine-grained resource access control on Cortex-M microcontrollers. The system employs a metadata-driven architecture and a runtime abstraction layer, ensuring compatibility with execution environments such as RIOT OS and integrating WebAssembly via WAMR. Experimental results on mainstream IoT development boards demonstrate that container-to-host service invocation incurs less than 4 ms of overhead. Furthermore, the system successfully validates a novel application paradigm in TinyML contexts, where native RTOS executes inference while containers retain model weights.

Software containerization technologies for resource-limited devices enable multi-tenant microcontrollers, which allow running multiple applications with different permission levels. However, current solutions lack run time configuration over various settings on container scheduling and container permissions to host resources. This limits the applicability of constrained containerization in dynamic and heterogeneous environments. This paper introduces TinyContainer, a lightweight software container management middleware designed for multi-tenant microcontrollers. TinyContainer provides per-container configurable scheduling and fine-grained access control to host resources through a metadata-driven approach, supporting multiple runtimes via a runtime abstraction layer. We analyze the performance of TinyContainer with a small WebAssembly runtime, CS4WAMR, and RIOT OS, a common RTOS. We report on experiments using popular IoT boards based on various Cortex-M microcontrollers. We show the endpoint system brought by TinyContainer allowing to regulate access of containers to host resources and provide host services to containers with an overhead of up to 4 ms per call. In particular, we showcase a TinyML use case, whereby containers retain data and model weights, while model inference is delegated to native host RTOS services.