Running AWS IoT Greengrass in a Docker container
AWS IoT Greengrass can be configured to run in a Docker
You can download a Dockerfile through Amazon CloudFront
that has the AWS IoT Greengrass Core software and dependencies installed. To modify
the Docker image to run on different platform architectures or reduce the size of
the Docker image,
see the README file in the Docker package download.
To help you get started experimenting with AWS IoT Greengrass, AWS also provides prebuilt
Docker images that have the AWS IoT Greengrass Core software and dependencies installed.
You can download an image from Docker Hub
This topic describes how to download the latest AWS IoT Greengrass Docker image from Amazon ECR and run it on a Windows, macOS, or
Linux
(x86_64) platform. The topic contains the following steps:
The following features aren't supported when you run AWS IoT Greengrass in a Docker container:
-
Connectors that run in Greengrass container mode. To run a connector in a Docker container, the connector must run in No container mode. To find connectors that support No container mode, see AWS-provided Greengrass connectors. Some of these connectors have an isolation mode parameter that you must set to No container.
-
Local device and volume resources. Your user-defined Lambda functions that run in the Docker container must access devices and volumes on the core directly.
These features aren't supported when the Lambda runtime environment for the Greengrass group is set to No container, which is required to run AWS IoT Greengrass in a Docker container.
Prerequisites
Before you start this tutorial, you must do the following.
-
You must install the following software and versions on your host computer based on the AWS Command Line Interface (AWS CLI) version that you choose.
-
To access Amazon Elastic Container Registry (Amazon ECR) resources, you must grant the following permission.
-
Amazon ECR requires users to grant the
ecr:GetAuthorizationTokenpermission through an AWS Identity and Access Management (IAM) policy before they can authenticate to a registry and push or pull images from an Amazon ECR repository. For more information, see Amazon ECR Repository Policy Examples and Accessing One Amazon ECR Repository in the Amazon Elastic Container Registry User Guide.
-
Step 1: Get the AWS IoT Greengrass container image from Amazon ECR
AWS provides Docker images that have the AWS IoT Greengrass Core software installed.
For steps that show how to pull the latest image from Amazon ECR,
choose
your operating system:
Run the following commands in your computer terminal.
Log in to the AWS IoT Greengrass registry in Amazon ECR.
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin https://216483018798.dkr.ecr.us-west-2.amazonaws.comIf successful, the output prints
Login Succeeded.Retrieve the AWS IoT Greengrass container image.
docker pull 216483018798.dkr.ecr.us-west-2.amazonaws.com/aws-iot-greengrass:latestNote The
latestimage contains the latest stable version of the AWS IoT Greengrass Core software installed on an Amazon Linux 2 base image. You can also pull other images from the repository. To find all available images, check the Tags page on Docker Hubor use the aws ecr list-images command. For example: aws ecr list-images --region us-west-2 --registry-id 216483018798 --repository-name aws-iot-greengrass-
Enable symlink and hardlink protection. If you're experimenting with running AWS IoT Greengrass in a container, you can enable the settings for the current boot only.
Note You might need to use sudo to run these commands.
-
To enable the settings for the current boot only:
echo 1 > /proc/sys/fs/protected_hardlinks echo 1 > /proc/sys/fs/protected_symlinks -
To enable the settings to persist across restarts:
echo '# AWS Greengrass' >> /etc/sysctl.conf echo 'fs.protected_hardlinks = 1' >> /etc/sysctl.conf echo 'fs.protected_symlinks = 1' >> /etc/sysctl.conf sysctl -p
-
Enable IPv4 network forwarding, which is required for AWS IoT Greengrass cloud deployment and MQTT communications to work on Linux. In the
/etc/sysctl.conffile, setnet.ipv4.ip_forwardto 1, and then reloadsysctls.sudo nano /etc/sysctl.conf # set this net.ipv4.ip_forward = 1 sudo sysctl -pNote You can use the editor of your choice instead of nano.
Run the following commands in your computer terminal.
Log in to the AWS IoT Greengrass registry in Amazon ECR.
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin https://216483018798.dkr.ecr.us-west-2.amazonaws.comIf successful, the output prints
Login Succeeded.Retrieve the AWS IoT Greengrass container image.
docker pull 216483018798.dkr.ecr.us-west-2.amazonaws.com/aws-iot-greengrass:latestNote The
latestimage contains the latest stable version of the AWS IoT Greengrass Core software installed on an Amazon Linux 2 base image. You can also pull other images from the repository. To find all available images, check the Tags page on Docker Hubor use the aws ecr list-images command. For example: aws ecr list-images --region us-west-2 --registry-id 216483018798 --repository-name aws-iot-greengrass
Run the following commands in a command prompt. Before you can use Docker commands on Windows, Docker Desktop must be running.
Log in to the AWS IoT Greengrass registry in Amazon ECR.
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin https://216483018798.dkr.ecr.us-west-2.amazonaws.comIf successful, the output prints
Login Succeeded.Retrieve the AWS IoT Greengrass container image.
docker pull 216483018798.dkr.ecr.us-west-2.amazonaws.com/aws-iot-greengrass:latestNote The
latestimage contains the latest stable version of the AWS IoT Greengrass Core software installed on an Amazon Linux 2 base image. You can also pull other images from the repository. To find all available images, check the Tags page on Docker Hubor use the aws ecr list-images command. For example: aws ecr list-images --region us-west-2 --registry-id 216483018798 --repository-name aws-iot-greengrass
Step 2: Create and configure the Greengrass group and core
The Docker image has the AWS IoT Greengrass Core software installed, but you must create a Greengrass group and core. This includes downloading certificates and the core configuration file.
-
Follow the steps in Configure AWS IoT Greengrass on AWS IoT. Skip the step where you download the AWS IoT Greengrass Core software. The software and its runtime dependencies are already set up in the Docker image.
Step 3: Run AWS IoT Greengrass locally
After your group is configured, you're ready to configure and start the core. For steps that show how to do this, choose your operating system:
Run the following commands in your computer terminal.
-
Decompress the certificates and configuration file (that you downloaded when you created your Greengrass group) into a known location, such as
/tmp. For example:tar xvzfhash-setup.tar.gz -C /tmp/ -
Review Server Authentication in the AWS IoT Developer Guide and choose the appropriate root CA certificate. We recommend that you use Amazon Trust Services (ATS) endpoints and ATS root CA certificates.
Run the following commands to download the root CA certificate to the directory where you decompressed the certificates and configuration file. Certificates enable your device to connect to AWS IoT over TLS.
Replace
/tmpwith the path to the directory.Important Your root CA certificate type must match your endpoint. Use an ATS root CA certificate with an ATS endpoint (preferred) or a VeriSign root CA certificate with a legacy endpoint. Only some AWS Regions support legacy endpoints. For more information, see Service endpoints must match the root CA certificate type.
-
For ATS endpoints (preferred), download the appropriate ATS root CA certificate. The following example downloads
AmazonRootCA1.pem.cd /tmp/certs/ sudo wget -O root.ca.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem -
For legacy endpoints, download a VeriSign root CA certificate. Although legacy endpoints are acceptable for the purposes of this tutorial, we recommend that you use an ATS endpoint and ATS root CA certificate.
cd /tmp/certs/ sudo wget -O root.ca.pem https://www.websecurity.digicert.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
Note The
wget -Oparameter is the capital letter O. -
Start AWS IoT Greengrass and bind-mount the certificates and configuration file in the Docker container.
Replace
/tmpwith the path where you decompressed your certificates and configuration file.docker run --rm --init -it --name aws-iot-greengrass \ --entrypoint /greengrass-entrypoint.sh \ -v /tmp/certs:/greengrass/certs \ -v /tmp/config:/greengrass/config \ -p 8883:8883 \ 216483018798.dkr.ecr.us-west-2.amazonaws.com/aws-iot-greengrass:latestThe output should look like this example:
Setting up greengrass daemon Validating hardlink/softlink protection Waiting for up to 30s for Daemon to start Greengrass successfully started with PID: 10
Run the following commands in your computer terminal.
-
Decompress the certificates and configuration file (that you downloaded when you created your Greengrass group) into a known location, such as
/tmp. For example:tar xvzfhash-setup.tar.gz -C /tmp/ -
Review Server Authentication in the AWS IoT Developer Guide and choose the appropriate root CA certificate. We recommend that you use Amazon Trust Services (ATS) endpoints and ATS root CA certificates.
Run the following commands to download the root CA certificate to the directory where you decompressed the certificates and configuration file. Certificates enable your device to connect to AWS IoT over TLS.
Replace
/tmpwith the path to the directory.Important Your root CA certificate type must match your endpoint. Use an ATS root CA certificate with an ATS endpoint (preferred) or a VeriSign root CA certificate with a legacy endpoint. Only some AWS Regions support legacy endpoints. For more information, see Service endpoints must match the root CA certificate type.
-
For ATS endpoints (preferred), download the appropriate ATS root CA certificate. The following example downloads
AmazonRootCA1.pem.cd /tmp/certs/ sudo wget -O root.ca.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem -
For legacy endpoints, download a VeriSign root CA certificate. Although legacy endpoints are acceptable for the purposes of this tutorial, we recommend that you use an ATS endpoint and ATS root CA certificate.
cd /tmp/certs/ sudo wget -O root.ca.pem https://www.websecurity.digicert.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
Note The
wget -Oparameter is the capital letter O. -
Start AWS IoT Greengrass and bind-mount the certificates and configuration file in the Docker container.
Replace
/tmpwith the path where you decompressed your certificates and configuration file.docker run --rm --init -it --name aws-iot-greengrass \ --entrypoint /greengrass-entrypoint.sh \ -v /tmp/certs:/greengrass/certs \ -v /tmp/config:/greengrass/config \ -p 8883:8883 \ 216483018798.dkr.ecr.us-west-2.amazonaws.com/aws-iot-greengrass:latestThe output should look like this example:
Setting up greengrass daemon Validating hardlink/softlink protection Waiting for up to 30s for Daemon to start Greengrass successfully started with PID: 10
-
Use a utility such as WinZip or 7-Zip to decompress the certificates and configuration file that you downloaded when you created your Greengrass group. For more information, see the WinZip
documentation. Locate the downloaded
hash-setup.tar.gzC:\Users\%USERNAME%\Downloads\. -
Review Server Authentication in the AWS IoT Developer Guide and choose the appropriate root CA certificate. We recommend that you use Amazon Trust Services (ATS) endpoints and ATS root CA certificates.
Run the following commands to download the root CA certificate to the directory where you decompressed the certificates and configuration file. Certificates enable your device to connect to AWS IoT over TLS.
Important Your root CA certificate type must match your endpoint. Use an ATS root CA certificate with an ATS endpoint (preferred) or a VeriSign root CA certificate with a legacy endpoint. Only some AWS Regions support legacy endpoints. For more information, see Service endpoints must match the root CA certificate type.
-
For ATS endpoints (preferred), download the appropriate ATS root CA certificate. The following example downloads
AmazonRootCA1.pem.-
If you have curl
installed, run the following commands in your command prompt. cd C:\Users\%USERNAME%\Downloads\certs curl https://www.amazontrust.com/repository/AmazonRootCA1.pem -o root.ca.pem -
Otherwise, in a web browser, open the Amazon Root CA 1
certificate. Save the document as root.ca.pemin theC:\Users\%USERNAME%\Downloads\certsdirectory, which contains the decompressed certificates.Note Depending on your browser, save the file directly from the browser or copy the displayed key to the clipboard and save it in Notepad.
-
-
For legacy endpoints, download a VeriSign root CA certificate. Although legacy endpoints are acceptable for the purposes of this tutorial, we recommend that you use an ATS endpoint and ATS root CA certificate.
-
If you have curl
installed, run the following commands in your command prompt. cd C:\Users\%USERNAME%\Downloads\certs curl https://www.websecurity.digicert.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem -o root.ca.pem -
Otherwise, in a web browser, open the VeriSign Class 3 Public Primary G5 root CA certificate
. Save the document as root.ca.pemin theC:\Users\%USERNAME%\Downloads\certsdirectory, which contains the decompressed certificates.Note Depending on your browser, save the file directly from the browser or copy the displayed key to the clipboard and save it in Notepad.
-
-
-
Start AWS IoT Greengrass and bind-mount the certificates and configuration file in the Docker container. Run the following commands in your command prompt.
docker run --rm --init -it --name aws-iot-greengrass --entrypoint /greengrass-entrypoint.sh -v c:/Users/%USERNAME%/Downloads/certs:/greengrass/certs -v c:/Users/%USERNAME%/Downloads/config:/greengrass/config -p 8883:8883 216483018798.dkr.ecr.us-west-2.amazonaws.com/aws-iot-greengrass:latestWhen Docker prompts you to share your
C:\drive with the Docker daemon, allow it to bind-mount theC:\directory inside the Docker container. For more information, see Shared drivesin the Docker documentation. The output should look like this example:
Setting up greengrass daemon Validating hardlink/softlink protection Waiting for up to 30s for Daemon to start Greengrass successfully started with PID: 10
If the container doesn't open the shell and exits immediately, you can debug the issue by bind-mounting the Greengrass runtime logs when you start the image. For more information, see To persist Greengrass runtime logs outside of the Docker container.
Step 4: Configure "No container" containerization for the Greengrass group
When you run AWS IoT Greengrass in a Docker container, all Lambda functions must run without containerization. In this step, you set the default containerization for the group to No container. You must do this before you deploy the group for the first time.
In the AWS IoT console, choose Greengrass, and then choose Groups.
Choose the group whose settings you want to change.
Choose Settings.
-
Under Lambda runtime environment, choose No container.
-
Choose Update default Lambda execution configuration. Review the message in the confirmation window, and then choose Continue.
For more information, see Setting default containerization for Lambda functions in a group.
By default, Lambda functions use the group containerization setting. If you override the No container setting for any Lambda functions when AWS IoT Greengrass is running in a Docker container, the deployment fails.
Step 5: Deploy Lambda functions to the AWS IoT Greengrass Docker container
You can deploy long-lived Lambda functions to the Greengrass Docker container.
-
Follow the steps in Module 3 (part 1): Lambda functions on AWS IoT Greengrass to deploy a long-lived Hello World Lambda function to the container.
Step 6: (Optional) Deploy devices that interact with Greengrass running in the Docker container
You can also deploy Greengrass devices that interact with AWS IoT Greengrass when it's running in a Docker container.
-
Follow the steps in Module 4: Interacting with devices in an AWS IoT Greengrass group to deploy devices that connect to the core and send MQTT messages.
Stopping the AWS IoT Greengrass Docker container
To stop the AWS IoT Greengrass Docker container, press Ctrl+C in your terminal or
command prompt. This action sends SIGTERM
to the Greengrass daemon process to tear
down the Greengrass daemon process and all Lambda processes that were started by the
daemon process. The Docker container
is initialized with /dev/init process as PID 1, which helps in removing any leftover zombie processes.
For more information, see the Docker run reference
Troubleshooting AWS IoT Greengrass in a Docker container
Use the following information to help troubleshoot issues with running AWS IoT Greengrass in a Docker container.
Error: Cannot perform an interactive login from a non TTY device.
Solution: This error can occur when you run the
aws ecr get-login-password command. Make sure that you installed the latest
AWS CLI version 2 or version 1. We recommend that you use the AWS CLI version 2. For
more
information, see Installing the AWS CLI
in the AWS Command Line Interface User Guide.
Error: Unknown options: -no-include-email.
Solution: This error can occur when you run the
aws ecr get-login command. Make sure that you have the latest AWS CLI version
installed (for example, run: pip install awscli --upgrade --user). If you're
using Windows and you installed the CLI using the MSI installer, you must repeat the
installation process. For more information, see Installing the
AWS Command Line Interface on Microsoft Windows in the AWS Command Line Interface User Guide.
Warning: IPv4 is disabled. Networking will not work.
Solution: You might receive this warning or a similar
message when running AWS IoT Greengrass on a Linux computer. Enable IPv4 network forwarding
as described
in this step. AWS IoT Greengrass cloud deployment and MQTT
communications don't work when IPv4 forwarding isn't enabled. For more information,
see
Configure namespaced kernel parameters (sysctls) at runtime
Error: A firewall is blocking file Sharing between windows and the containers.
Solution: You might receive this error or a
Firewall Detected message when running Docker on a Windows computer.
This can also occur if you are signed in on a virtual private network
(VPN) and your network settings are preventing the shared drive from being mounted.
In that
situation, turn off VPN and re-run the Docker container.
Error: An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::<account-id>:user/<user-name> is not authorized to perform: ecr:GetAuthorizationToken on resource: *
You might receive this error when running the aws ecr get-login-password
command if you don't have sufficient permissions to access an Amazon ECR repository.
For more
information, see Amazon ECR Repository Policy
Examples and Accessing One
Amazon ECR Repository in the Amazon ECR User Guide.
For general AWS IoT Greengrass troubleshooting help, see Troubleshooting AWS IoT Greengrass.
Debugging AWS IoT Greengrass in a Docker container
To debug issues with a Docker container, you can persist the Greengrass runtime logs or attach an interactive shell to the Docker container.
To persist Greengrass runtime logs outside of the Docker container
You can run the AWS IoT Greengrass Docker container after bind-mounting the
/greengrass/ggc/var/log directory. The logs persist even after the
container exits or is removed.
- On Linux or macOS
-
Stop any Greengrass Docker containers running on the host, and then run the following command in a terminal. This bind-mounts the Greengrass
logdirectory and starts the Docker image.Replace
/tmpwith the path where you decompressed your certificates and configuration file.docker run --rm --init -it --name aws-iot-greengrass \ --entrypoint /greengrass-entrypoint.sh \ -v /tmp/certs:/greengrass/certs \ -v /tmp/config:/greengrass/config \ -v /tmp/log:/greengrass/ggc/var/log \ -p 8883:8883 \ 216483018798.dkr.ecr.us-west-2.amazonaws.com/aws-iot-greengrass:latestYou can then check your logs at
/tmp/logon your host to see what happened while Greengrass was running inside the Docker container. - On Windows
-
Stop any Greengrass Docker containers running on the host, and then run the following command in a command prompt. This bind-mounts the Greengrass
logdirectory and starts the Docker image.cd C:\Users\%USERNAME%\Downloads mkdir log docker run --rm --init -it --name aws-iot-greengrass --entrypoint /greengrass-entrypoint.sh -v c:/Users/%USERNAME%/Downloads/certs:/greengrass/certs -v c:/Users/%USERNAME%/Downloads/config:/greengrass/config -v c:/Users/%USERNAME%/Downloads/log:/greengrass/ggc/var/log -p 8883:8883 216483018798.dkr.ecr.us-west-2.amazonaws.com/aws-iot-greengrass:latestYou can then check your logs at
C:/Users/%USERNAME%/Downloads/logon your host to see what happened while Greengrass was running inside the Docker container.
To attach an interactive shell to the Docker container
You can attach an interactive shell to a running AWS IoT Greengrass Docker container. This can help you investigate the state of the Greengrass Docker container.
- On Linux or macOS
-
While the Greengrass Docker container is running, run the following command in a separate terminal.
docker exec -it $(docker ps -a -q -f "name=aws-iot-greengrass") /bin/bash - On Windows
-
While the Greengrass Docker container is running, run the following commands in a separate command prompt.
docker ps -a -q -f "name=aws-iot-greengrass"Replace
gg-container-idwith thecontainer_idresult from the previous command.docker exec -itgg-container-id/bin/bash
