Give modules access to a device's local storage

In addition to storing data using Azure storage services or in your device's container storage, you can also dedicate storage on the host IoT Edge device itself for improved reliability, especially when operating offline.

To enable a link from module storage to storage on the host system, create an environment variable for your module that points to a storage folder in the container. Then, use the create options to bind that storage folder to a folder on the host machine.

For example, if you want to enable the IoT Edge hub to store messages in your device's local storage and retrieve them later, you can configure the environment variables and the create options in the Azure portal in the Runtime Settings section.

  1. For both IoT Edge hub and IoT Edge agent, add an environment variable called storageFolder that points to a directory in the module.

  2. For both IoT Edge hub and IoT Edge agent, add binds to connect a local directory on the host machine to a directory in the module. For example:

    (Screenshot: add create options and environment variables for local storage)

Or, you can configure the local storage directly in the deployment manifest. For example:

"systemModules": {
    "edgeAgent": {
        "settings": {
            "image": "mcr.microsoft.com/azureiotedge-agent:1.0",
            "createOptions": {
                "HostConfig": {
                    "Binds": ["<HostStoragePath>:<ModuleStoragePath>"]
                }
            }
        },
        "type": "docker",
        "env": {
            "storageFolder": {
                "value": "<ModuleStoragePath>"
            }
        }
    },
    "edgeHub": {
        "settings": {
            "image": "mcr.microsoft.com/azureiotedge-hub:1.0",
            "createOptions": {
                "HostConfig": {
                    "Binds": ["<HostStoragePath>:<ModuleStoragePath>"],
                    "PortBindings": {
                        "5671/tcp": [{"HostPort": "5671"}],
                        "8883/tcp": [{"HostPort": "8883"}],
                        "443/tcp": [{"HostPort": "443"}]
                    }
                }
            }
        },
        "type": "docker",
        "env": {
            "storageFolder": {
                "value": "<ModuleStoragePath>"
            }
        },
        "status": "running",
        "restartPolicy": "always"
    }
}

Replace <HostStoragePath> and <ModuleStoragePath> with your host and module storage paths; both values must be absolute paths.

For example, on a Linux system, "Binds":["/etc/iotedge/storage/:/iotedge/storage/"] means the directory /etc/iotedge/storage on your host system is mapped to the directory /iotedge/storage/ in the container. On a Windows system, as another example, "Binds":["C:\\temp:C:\\contemp"] means the directory C:\temp on your host system is mapped to the directory C:\contemp in the container.

Additionally, on Linux devices, make sure that the user profile for your module has the required read, write, and execute permissions on the host system directory. Returning to the earlier example of enabling IoT Edge hub to store messages in your device's local storage, you need to grant permissions to its user profile, UID 1000. (The IoT Edge agent runs as root, so it doesn't need additional permissions.) There are several ways to manage directory permissions on Linux systems, including using chown to change the directory owner and then chmod to change the permissions, such as:

sudo chown 1000 <HostStoragePath>
sudo chmod 700 <HostStoragePath>
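The two requirements above (absolute paths on both sides of each bind, with storageFolder actually backed by a host bind, and a host directory owned by the module's UID with owner rwx permissions) are easy to get wrong in a hand-edited manifest. The following pre-deployment check is an added example, not part of the IoT Edge documentation or tooling; the sample manifest fragment is constructed, and the function and variable names are my own.

```python
import os
import re
import stat

# Docker bind syntax "host:container[:mode]", allowing a Windows drive letter on either side.
_BIND_RE = re.compile(r"^((?:[A-Za-z]:)?[^:]+):((?:[A-Za-z]:)?[^:]+)(?::[^:]+)?$")

def is_absolute(path):
    """True for a POSIX absolute path or a Windows drive-letter path, as IoT Edge requires."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None

def check_module_storage(module):
    """Return a list of problems with one system module's storageFolder/Binds pairing."""
    problems = []
    binds = module.get("settings", {}).get("createOptions", {}).get("HostConfig", {}).get("Binds", [])
    folder = module.get("env", {}).get("storageFolder", {}).get("value")
    if not folder:
        return ["storageFolder environment variable missing"]
    if not is_absolute(folder):
        problems.append(f"storageFolder is not absolute: {folder}")
    mounted = False
    for bind in binds:
        m = _BIND_RE.match(bind)
        if not m:
            problems.append(f"unparseable bind: {bind}")
            continue
        host, container = m.group(1), m.group(2)
        for side, p in (("host", host), ("container", container)):
            if not is_absolute(p):
                problems.append(f"{side} path in bind is not absolute: {p}")
        # Trailing separators are ignored when matching the container side to storageFolder.
        if container.rstrip("/\\") == folder.rstrip("/\\"):
            mounted = True
    if not mounted:
        problems.append(f"no bind mounts storageFolder {folder} from the host")
    return problems

def check_host_dir(path, expected_uid):
    """Verify the host directory exists, is owned by expected_uid and is owner-rwx (chmod 700)."""
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and st.st_uid == expected_uid and (stat.S_IMODE(st.st_mode) & 0o700) == 0o700

# Constructed sample: edgeHub is correct; edgeAgent has a relative host path and a folder no bind covers.
SAMPLE = {
    "edgeHub": {"settings": {"createOptions": {"HostConfig": {"Binds": ["/etc/iotedge/storage/:/iotedge/storage/"]}}},
                "env": {"storageFolder": {"value": "/iotedge/storage/"}}},
    "edgeAgent": {"settings": {"createOptions": {"HostConfig": {"Binds": ["storage:/iotedge/storage"]}}},
                  "env": {"storageFolder": {"value": "/data"}}},
}

if __name__ == "__main__":
    for name, module in SAMPLE.items():
        print(name, check_module_storage(module) or "ok")
```

On a real device, call check_host_dir on the host side of the edgeHub bind with expected_uid 1000 before deploying.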

You can find more details about create options in the Docker docs.

Encrypted data in module storage

When modules invoke the IoT Edge daemon's workload API to encrypt data, the encryption key is derived using the module ID and the module's generation ID. The generation ID protects secrets if a module is removed from the deployment and another module with the same module ID is later deployed to the same device. You can view a module's generation ID using the Azure CLI command az iot hub module-identity show.

If you want to share files between modules across generations, they must not contain any secrets, or they will fail to be decrypted.

Next steps

For an additional example of accessing host storage from a module, see Store data at the edge with Azure Blob Storage on IoT Edge.