Install or uninstall Azure IoT Edge for Linux

The Azure IoT Edge runtime is what turns a device into an IoT Edge device. The runtime can be deployed on devices as small as a Raspberry Pi or as large as an industrial server. Once a device is configured with the IoT Edge runtime, you can start deploying business logic to it from the cloud. To learn more, see Understand the Azure IoT Edge runtime and its architecture.

This article lists the steps to install the Azure IoT Edge runtime on Linux devices.

Prerequisites

  • A registered device ID

    If you registered your device with symmetric key authentication, have the device connection string ready.

    If you registered your device with X.509 self-signed certificate authentication, have at least one of the identity certificates that you used to register the device and its matching private key available on your device.

  • A Linux device

    Have an X64, ARM32, or ARM64 Linux device. Microsoft provides installation packages for Ubuntu Server 18.04 and Raspberry Pi OS Stretch operating systems.

    For the latest information about which operating systems are currently supported for production scenarios, see Azure IoT Edge supported systems

    Note

    Support for ARM64 devices is in public preview.

  • Prepare your device to access the Microsoft installation packages.

    Install the repository configuration that matches your device operating system.

    • Ubuntu Server 18.04:

      curl https://packages.microsoft.com/config/ubuntu/18.04/multiarch/prod.list > ./microsoft-prod.list
      
    • Raspberry Pi OS Stretch:

      curl https://packages.microsoft.com/config/debian/stretch/multiarch/prod.list > ./microsoft-prod.list
      

    Copy the generated list to the sources.list.d directory.

    sudo cp ./microsoft-prod.list /etc/apt/sources.list.d/
    

    Install the Microsoft GPG public key.

    curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
    sudo cp ./microsoft.gpg /etc/apt/trusted.gpg.d/
    

Azure IoT Edge software packages are subject to the license terms located in each package (usr/share/doc/{package-name} or the LICENSE directory). Read the license terms prior to using a package. Your installation and use of a package constitutes your acceptance of these terms. If you do not agree with the license terms, do not use that package.

Install a container engine

Azure IoT Edge relies on an OCI-compatible container runtime. For production scenarios, we recommended that you use the Moby engine. The Moby engine is the only container engine officially supported with Azure IoT Edge. Docker CE/EE container images are compatible with the Moby runtime.

Update package lists on your device.

sudo apt-get update

Install the Moby engine.

sudo apt-get install moby-engine

If you get errors when installing the Moby container engine, verify your Linux kernel for Moby compatibility. Some embedded device manufacturers ship device images that contain custom Linux kernels without the features required for container engine compatibility. Run the following command, which uses the check-config script provided by Moby, to check your kernel configuration:

curl -sSL https://raw.githubusercontent.com/moby/moby/master/contrib/check-config.sh -o check-config.sh
chmod +x check-config.sh
./check-config.sh

In the output of the script, check that all items under Generally Necessary and Network Drivers are enabled. If you are missing features, enable them by rebuilding your kernel from source and selecting the associated modules for inclusion in the appropriate kernel .config. Similarly, if you are using a kernel configuration generator like defconfig or menuconfig, find and enable the respective features and rebuild your kernel accordingly. Once you have deployed your newly modified kernel, run the check-config script again to verify that all the required features were successfully enabled.

Install IoT Edge

The IoT Edge security daemon provides and maintains security standards on the IoT Edge device. The daemon starts on every boot and bootstraps the device by starting the rest of the IoT Edge runtime.

The steps in this section represent the typical process to install the latest version on a device that has internet connection. If you need to install a specific version, like a pre-release version, or need to install while offline, follow the Offline or specific version installation steps later in this article.

Update package lists on your device.

sudo apt-get update

Check to see which versions of IoT Edge are available.

apt list -a iotedge

If you want to install the most recent version of the security daemon, use the following command that also installs the latest version of the libiothsm-std package:

sudo apt-get install iotedge

Or, if you want to install a specific version of the security daemon, specify the version from the apt list output. Also specify the same version for the libiothsm-std package, which otherwise would install its latest version. For example, the following command installs the most recent version of the 1.0.10 release:

sudo apt-get install iotedge=1.0.10* libiothsm-std=1.0.10*

If the version that you want to install isn't listed, follow the Offline or specific version installation steps later in this article. That section shows you how to target any previous version of the IoT Edge security daemon, or release candidate versions.

The IoT Edge service provides and maintains security standards on the IoT Edge device. The service starts on every boot and bootstraps the device by starting the rest of the IoT Edge runtime.

The IoT identity service was introduced along with version 1.2 of IoT Edge. This service handles the identity provisioning and management for IoT Edge and for other device components that need to communicate with IoT Hub.

The steps in this section represent the typical process to install the latest version on a device that has internet connection. If you need to install a specific version, like a pre-release version, or need to install while offline, follow the Offline or specific version installation steps later in this article.

Note

The steps in this section show you how to install IoT Edge version 1.2, which is currently in public preview. If you are looking for the steps to install the latest generally available version of IoT Edge, view the 1.1 (LTS) version of this article.

If you already have an IoT Edge device running an older version and want to upgrade to 1.2, use the steps in Update the IoT Edge security daemon and runtime. Version 1.2 is sufficiently different from previous versions of IoT Edge that specific steps are necessary to upgrade.

Update package lists on your device.

sudo apt-get update

Check to see which versions of IoT Edge are available.

apt list -a aziot-edge

If you want to install the most recent version of IoT Edge, use the following command that also installs the latest version of the identity service package:

sudo apt-get install aziot-edge

Provision the device with its cloud identity

Now that the container engine and the IoT Edge runtime are installed on your device, you're ready for the next step, which is to set up the device with its cloud identity and authentication information.

Choose the next section based on which authentication type you want to use:

Option 1: Authenticate with symmetric keys

At this point, the IoT Edge runtime is installed on your Linux device, and you need to provision the device with its cloud identity and authentication information.

This section walks through the steps to provision a device with symmetric key authentication. You should have registered your device in IoT Hub, and retrieved the connection string from the device information. If not, follow the steps in Register an IoT Edge device in IoT Hub.

On the IoT Edge device, open the configuration file.

sudo nano /etc/iotedge/config.yaml

Find the provisioning configurations of the file and uncomment the Manual provisioning configuration using a connection string section, if it isn't already uncommented.

# Manual provisioning configuration using a connection string
provisioning:
  source: "manual"
  device_connection_string: "<ADD DEVICE CONNECTION STRING HERE>"

Update the value of device_connection_string with the connection string from your IoT Edge device. Make sure that any other provisioning sections are commented out. Make sure the provisioning: line has no preceding whitespace and that nested items are indented by two spaces.

To paste clipboard contents into Nano Shift+Right Click or press Shift+Insert.

Save and close the file.

CTRL + X, Y, Enter

After entering the provisioning information in the configuration file, restart the daemon:

sudo systemctl restart iotedge

Create the configuration file for your device based on a template file that is provided as part of the IoT Edge installation.

sudo cp /etc/aziot/config.toml.edge.template /etc/aziot/config.toml

On the IoT Edge device, open the configuration file.

sudo nano /etc/aziot/config.toml

Find the Provisioning section of the file and uncomment the manual provisioning with connection string lines.

# Manual provisioning with connection string
[provisioning]
source = "manual"
connection_string = "<ADD DEVICE CONNECTION STRING HERE>"

Update the value of connection_string with the connection string from your IoT Edge device.

To paste clipboard contents into Nano Shift+Right Click or press Shift+Insert.

Save and close the file.

CTRL + X, Y, Enter

After entering the provisioning information in the configuration file, apply your changes:

sudo iotedge config apply

Option 2: Authenticate with X.509 certificates

At this point, the IoT Edge runtime is installed on your Linux device, and you need to provision the device with its cloud identity and authentication information.

This section walks through the steps to provision a device with X.509 certificate authentication. You should have registered your device in IoT Hub, providing thumbprints that match the certificate and private key located on your IoT Edge device. If not, follow the steps in Register an IoT Edge device in IoT Hub.

On the IoT Edge device, open the configuration file.

sudo nano /etc/iotedge/config.yaml

Find the provisioning configurations section of the file and uncomment the Manual provisioning configuration using an X.509 identity certificate section. Make sure that any other provisioning sections are commented out. Make sure the provisioning: line has no preceding whitespace and that nested items are indented by two spaces.

# Manual provisioning configuration using an x.509 identity certificate
provisioning:
  source: "manual"
  authentication:
    method: "x509"
    iothub_hostname: "<REQUIRED IOTHUB HOSTNAME>"
    device_id: "<REQUIRED DEVICE ID PROVISIONED IN IOTHUB>"
    identity_cert: "<REQUIRED URI TO DEVICE IDENTITY CERTIFICATE>"
    identity_pk: "<REQUIRED URI TO DEVICE IDENTITY PRIVATE KEY>"

Update the following fields:

  • iothub_hostname: Hostname of the IoT hub the device will connect to. For example, {IoT hub name}.azure-devices.net.
  • device_id: The ID that you provided when you registered the device.
  • identity_cert: URI to an identity certificate on the device. For example, file:///path/identity_certificate.pem.
  • identity_pk: URI to the private key file for the provided identity certificate. For example, file:///path/identity_key.pem.

Save and close the file.

CTRL + X, Y, Enter

After entering the provisioning information in the configuration file, restart the daemon:

sudo systemctl restart iotedge

Create the configuration file for your device based on a template file that is provided as part of the IoT Edge installation.

sudo cp /etc/aziot/config.toml.edge.template /etc/aziot/config.toml

On the IoT Edge device, open the configuration file.

sudo nano /etc/aziot/config.toml

Find the Provisioning section of the file and uncomment the lines for manual provisioning with X.509 identity certificate. Make sure that any other provisioning sections are commented out.

# Manual provisioning with x.509 certificates
[provisioning]
source = "manual"
iothub_hostname = "<REQUIRED IOTHUB HOSTNAME>"
device_id = "<REQUIRED DEVICE ID PROVISIONED IN IOTHUB>"

[provisioning.authentication]
method = "x509"

identity_cert = "<REQUIRED URI OR POINTER TO DEVICE IDENTITY CERTIFICATE>"

identity_pk = "<REQUIRED URI TO DEVICE IDENTITY PRIVATE KEY>"

Update the following fields:

  • iothub_hostname: Hostname of the IoT hub the device will connect to. For example, {IoT hub name}.azure-devices.net.
  • device_id: The ID that you provided when you registered the device.
  • identity_cert: URI to an identity certificate on the device, for example: file:///path/identity_certificate.pem. Or, dynamically issue the certificate using EST or a local certificate authority.
  • identity_pk: URI to the private key file for the provided identity certificate, for example: file:///path/identity_key.pem. Or, provide a PKCS#11 URI and then provide your configuration information in the PKCS#11 section later in the config file.

Save and close the file.

CTRL + X, Y, Enter

After entering the provisioning information in the configuration file, apply your changes:

sudo iotedge config apply

Verify successful configuration

Verify that the runtime was successfully installed and configured on your IoT Edge device.

Tip

You need elevated privileges to run iotedge commands. Once you sign out of your machine and sign back in the first time after installing the IoT Edge runtime, your permissions are automatically updated. Until then, use sudo in front of the commands.

Check to see that the IoT Edge system service is running.

sudo systemctl status iotedge
sudo iotedge system status

If you need to troubleshoot the service, retrieve the service logs.

journalctl -u iotedge
sudo iotedge system logs

Use the check tool to verify configuration and connection status of the device.

sudo iotedge check

Tip

Always use sudo to run the check tool, even after your permissions are updated. The tool needs elevated privileges to access the config file to verify configuration status.

View all the modules running on your IoT Edge device. When the service starts for the first time, you should only see the edgeAgent module running. The edgeAgent module runs by default and helps to install and start any additional modules that you deploy to your device.

sudo iotedge list

Offline or specific version installation (optional)

The steps in this section are for scenarios not covered by the standard installation steps. This may include:

  • Install IoT Edge while offline
  • Install a release candidate version

Use the steps in this section if you want to install a specific version of the Azure IoT Edge runtime that isn't available through apt-get install. The Microsoft package list only contains a limited set of recent versions and their sub-versions, so these steps are for anyone who wants to install an older version or a release candidate version.

Using curl commands, you can target the component files directly from the IoT Edge GitHub repository.

  1. Navigate to the Azure IoT Edge releases, and find the release version that you want to target.

  2. Expand the Assets section for that version.

  3. Every release should have new files for the IoT Edge security daemon and the hsmlib. If you're going to install IoT Edge on an offline device, download these files ahead of time. Otherwise, use the following commands to update those components.

    1. Find the libiothsm-std file that matches your IoT Edge device's architecture. Right-click on the file link and copy the link address.

    2. Use the copied link in the following command to install that version of the hsmlib:

      curl -L <libiothsm-std link> -o libiothsm-std.deb && sudo dpkg -i ./libiothsm-std.deb
      
    3. Find the iotedge file that matches your IoT Edge device's architecture. Right-click on the file link and copy the link address.

    4. Use the copied link in the following command to install that version of the IoT Edge security daemon.

      curl -L <iotedge link> -o iotedge.deb && sudo dpkg -i ./iotedge.deb
      

Note

If your device is currently running IoT Edge version 1.1 or older, uninstall the iotedge and libiothsm-std packages before following the steps in this section. For more information, see Update from 1.0 or 1.1 to 1.2.

  1. Navigate to the Azure IoT Edge releases, and find the release version that you want to target.

  2. Expand the Assets section for that version.

  3. Every release should have new files for IoT Edge and the identity service. If you're going to install IoT Edge on an offline device, download these files ahead of time. Otherwise, use the following commands to update those components.

    1. Find the aziot-identity-service file that matches your IoT Edge device's architecture. Right-click on the file link and copy the link address.

    2. Use the copied link in the following command to install that version of the identity service:

      curl -L <identity service link> -o aziot-identity-service.deb && sudo dpkg -i ./aziot-identity-service.deb
      
    3. Find the aziot-edge file that matches your IoT Edge device's architecture. Right-click on the file link and copy the link address.

    4. Use the copied link in the following command to install that version of IoT Edge.

      curl -L <iotedge link> -o aziot-edge.deb && sudo dpkg -i ./aziot-edge.deb
      

Now that the container engine and the IoT Edge runtime are installed on your device, you're ready for the next step, which is to Provision the device with its cloud identity.

Uninstall IoT Edge

If you want to remove the IoT Edge installation from your device, use the following commands.

Remove the IoT Edge runtime.

sudo apt-get remove iotedge
sudo apt-get remove aziot-edge

Use the --purge flag if you want to delete all the files associated with IoT Edge, including your configuration files. Leave this flag out if you want to reinstall IoT Edge and use the same configuration information in the future.

When the IoT Edge runtime is removed, any containers that it created are stopped but still exist on your device. View all containers to see which ones remain.

sudo docker ps -a

Delete the containers from your device, including the two runtime containers.

sudo docker rm -f <container name>

Finally, remove the container runtime from your device.

sudo apt-get remove --purge moby-cli
sudo apt-get remove --purge moby-engine

Next steps

Continue to deploy IoT Edge modules to learn how to deploy modules onto your device.