Understand the Azure IoT Edge runtime and its architecture

The IoT Edge runtime is a collection of programs that turn a device into an IoT Edge device. Collectively, the IoT Edge runtime components enable IoT Edge devices to receive code to run at the edge and communicate the results.

The IoT Edge runtime is responsible for the following functions on IoT Edge devices:

  • Install and update workloads on the device.
  • Maintain Azure IoT Edge security standards on the device.
  • Ensure that IoT Edge modules are always running.
  • Report module health to the cloud for remote monitoring.
  • Manage communication between downstream devices and IoT Edge devices.
  • Manage communication between modules on the IoT Edge device.
  • Manage communication between the IoT Edge device and the cloud.

Figure: The runtime communicates insights and module health to IoT Hub

The responsibilities of the IoT Edge runtime fall into two categories: communication and module management. These two roles are performed by two components that are part of the IoT Edge runtime. The IoT Edge hub is responsible for communication, while the IoT Edge agent deploys and monitors the modules.

Both the IoT Edge hub and the IoT Edge agent are modules, just like any other module running on an IoT Edge device. They're sometimes referred to as the runtime modules.

IoT Edge hub

The IoT Edge hub is one of two modules that make up the Azure IoT Edge runtime. It acts as a local proxy for IoT Hub by exposing the same protocol endpoints as IoT Hub. This consistency means that clients (whether devices or modules) can connect to the IoT Edge runtime just as they would to IoT Hub.

Note

IoT Edge hub supports clients that connect using MQTT or AMQP. It does not support clients that use HTTP.

The IoT Edge hub isn't a full version of IoT Hub running locally. IoT Edge hub silently delegates some tasks to IoT Hub. For example, IoT Edge hub forwards authentication requests to IoT Hub when a device first tries to connect. After the first connection is established, security information is cached locally by IoT Edge hub. Future connections from that device are allowed without having to authenticate to the cloud again.

To reduce the bandwidth that your IoT Edge solution uses, the IoT Edge hub optimizes how many actual connections are made to the cloud. IoT Edge hub takes logical connections from modules or downstream devices and combines them into a single physical connection to the cloud. The details of this process are transparent to the rest of the solution. Clients think they have their own connection to the cloud even though they are all being sent over the same connection.

Figure: IoT Edge hub is a gateway between physical devices and IoT Hub

IoT Edge hub can determine whether it's connected to IoT Hub. If the connection is lost, IoT Edge hub saves messages or twin updates locally. Once a connection is reestablished, it syncs all the data. The location used for this temporary cache is determined by a property of the IoT Edge hub's module twin. The size of the cache is not capped and will grow as long as the device has storage capacity. For more information, see Offline capabilities.

Module communication

IoT Edge hub facilitates module-to-module communication. Using IoT Edge hub as a message broker keeps modules independent from each other. Modules only need to specify the inputs on which they accept messages and the outputs to which they write messages. A solution developer can stitch these inputs and outputs together so that the modules process data in the order specific to that solution.

Figure: IoT Edge hub facilitates module-to-module communication

To send data to the IoT Edge hub, a module calls the SendEventAsync method. The first argument specifies on which output to send the message. The following pseudocode sends a message on output1:

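// Create the client from the environment that the IoT Edge runtime provides to the module.
ModuleClient client = await ModuleClient.CreateFromEnvironmentAsync(transportSettings);
await client.OpenAsync();
// The first argument names the output on which the message is sent.
await client.SendEventAsync("output1", message);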

To receive a message, register a callback that processes messages coming in on a specific input. The following pseudocode registers the function messageProcessor to be used for processing all messages received on input1:

await client.SetInputMessageHandlerAsync("input1", messageProcessor, userContext);

For more information about the ModuleClient class and its communication methods, see the API reference for your preferred SDK language: C#, C, Python, Java, or Node.js.

The solution developer is responsible for specifying the rules that determine how IoT Edge hub passes messages between modules. Routing rules are defined in the cloud and pushed down to IoT Edge hub in its module twin. The same syntax for IoT Hub routes is used to define routes between modules in Azure IoT Edge. For more information, see Learn how to deploy modules and establish routes in IoT Edge.

Figure: Routes between modules go through IoT Edge hub

IoT Edge agent

The IoT Edge agent is the other module that makes up the Azure IoT Edge runtime. It is responsible for instantiating modules, ensuring that they continue to run, and reporting the status of the modules back to IoT Hub. This configuration data is written as a property of the IoT Edge agent module twin.

The IoT Edge security daemon starts the IoT Edge agent on device startup. The agent retrieves its module twin from IoT Hub and inspects the deployment manifest. The deployment manifest is a JSON file that declares the modules that need to be started.

Each item in the deployment manifest contains specific information about a module and is used by the IoT Edge agent for controlling the module's lifecycle. Some of the more interesting properties are:

  • settings.image – The container image that the IoT Edge agent uses to start the module. The IoT Edge agent must be configured with credentials for the container registry if the image is protected by a password. Credentials for the container registry can be configured remotely using the deployment manifest, or on the IoT Edge device itself by updating the config.yaml file in the IoT Edge program folder.

  • settings.createOptions – A string that is passed directly to the Moby container daemon when starting a module's container. Adding options in this property allows for advanced configurations like port forwarding or mounting volumes into a module's container.

  • status – The state in which the IoT Edge agent places the module. Usually, this value is set to running as most people want the IoT Edge agent to immediately start all modules on the device. However, you could specify the initial state of a module to be stopped and wait for a future time to tell the IoT Edge agent to start a module. The IoT Edge agent reports the status of each module back to the cloud in the reported properties. A difference between the desired property and the reported property is an indicator of a misbehaving device. The supported statuses are:

    • Downloading
    • Running
    • Unhealthy
    • Failed
    • Stopped
  • restartPolicy – How the IoT Edge agent restarts a module. Possible values include:

    • never – The IoT Edge agent never restarts the module.
    • on-failure - If the module crashes, the IoT Edge agent restarts it. If the module shuts down cleanly, the IoT Edge agent doesn't restart it.
    • on-unhealthy - If the module crashes or is considered unhealthy, the IoT Edge agent restarts it.
    • always - If the module crashes, is considered unhealthy, or shuts down in any way, the IoT Edge agent restarts it.
  • imagePullPolicy - Whether the IoT Edge agent attempts to pull the latest image for a module automatically or not. If you don't specify a value, the default is on-create. Possible values include:

    • on-create - When starting a module or updating a module based on a new deployment manifest, the IoT Edge agent will attempt to pull the module image from the container registry.
    • never - The IoT Edge agent will never attempt to pull the module image from the container registry. With this configuration, you're responsible for getting the module image onto the device and managing any image updates.
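
The following is an added example, not part of the original article or of Microsoft's tooling: a pre-deployment review of the module entries described above that flags unpinned images, undocumented policy values, and createOptions that grant host access. The function names, sample modules and registry.example.com are constructed; HostConfig, Privileged, Binds and PortBindings are Docker Engine container-create fields that createOptions is assumed to carry.

```python
import json

RESTART_POLICIES = {"never", "on-failure", "on-unhealthy", "always"}
PULL_POLICIES = {"on-create", "never"}

def audit_module(spec):
    """Return a list of findings for one module entry of a deployment manifest."""
    findings, settings = [], spec.get("settings", {})
    image = settings.get("image", "")
    last = image.rsplit("/", 1)[-1]  # repository name plus optional tag
    if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
        findings.append("image not pinned to a version tag or digest")
    if spec.get("restartPolicy") not in RESTART_POLICIES:
        findings.append("restartPolicy is not a documented value")
    if spec.get("imagePullPolicy", "on-create") not in PULL_POLICIES:
        findings.append("imagePullPolicy is not a documented value")
    # createOptions is a JSON string handed to the container daemon as-is.
    try:
        host = json.loads(settings.get("createOptions") or "{}").get("HostConfig") or {}
    except (json.JSONDecodeError, AttributeError):
        return findings + ["createOptions is not a valid JSON object"]
    if host.get("Privileged"):
        findings.append("container runs privileged")
    for bind in host.get("Binds") or []:
        if bind.startswith("/"):  # a host path, not a named volume
            findings.append("host path mounted: " + bind.split(":")[0])
    for port, targets in (host.get("PortBindings") or {}).items():
        if any(t.get("HostIp", "") in ("", "0.0.0.0") for t in targets or []):
            findings.append("port %s published on all host interfaces" % port)
    return findings

def audit_manifest(modules):
    """Map module name -> findings, omitting modules with none."""
    report = {name: audit_module(spec) for name, spec in modules.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample: the "modules" section of a deployment manifest.
RISKY_OPTIONS = json.dumps({"HostConfig": {
    "Privileged": True,
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    "PortBindings": {"8883/tcp": [{"HostPort": "8883"}]}}})
SAMPLE_MODULES = {
    "tempSensor": {"status": "running", "restartPolicy": "always", "settings": {
        "image": "registry.example.com/sensor:1.4.2", "createOptions": "{}"}},
    "gateway": {"status": "running", "restartPolicy": "sometimes", "settings": {
        "image": "registry.example.com/gateway", "createOptions": RISKY_OPTIONS}},
}

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MODULES), indent=2))
```
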

The IoT Edge agent sends a runtime response to IoT Hub. Here is a list of possible responses:

  • 200 - OK
  • 400 - The deployment configuration is malformed or invalid.
  • 417 - The device doesn't have a deployment configuration set.
  • 412 - The schema version in the deployment configuration is invalid.
  • 406 - The IoT Edge device is offline or not sending status reports.
  • 500 - An error occurred in the IoT Edge runtime.
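
The following is an added example, not part of the original article: a monitoring check that compares the IoT Edge agent's desired and reported properties, as the status description above suggests, and interprets the runtime response code. The twin field names lastDesiredStatus and runtimeStatus are an assumed layout, and the sample twins are constructed.

```python
RESPONSES = {
    200: "OK",
    400: "deployment configuration is malformed or invalid",
    417: "device doesn't have a deployment configuration set",
    412: "schema version in the deployment configuration is invalid",
    406: "device is offline or not sending status reports",
    500: "error occurred in the IoT Edge runtime",
}

def find_drift(desired, reported):
    """Compare agent desired vs reported properties; return alert strings."""
    alerts = []
    code = reported.get("lastDesiredStatus", {}).get("code")
    if code != 200:
        alerts.append("agent response %s: %s" % (code, RESPONSES.get(code, "unknown")))
    want_modules = desired.get("modules", {})
    have_modules = reported.get("modules", {})
    for name, spec in want_modules.items():
        rep = have_modules.get(name)
        if rep is None:
            alerts.append("%s: desired but not reported" % name)
            continue
        want = spec.get("status", "running").lower()
        got = rep.get("runtimeStatus", "").lower()
        if want != got:
            alerts.append("%s: desired %s, reported %s" % (name, want, got))
        if spec.get("settings", {}).get("image") != rep.get("settings", {}).get("image"):
            alerts.append("%s: reported image differs from desired image" % name)
    # A module the device runs that no deployment asked for deserves a look.
    for name in sorted(have_modules.keys() - want_modules.keys()):
        alerts.append("%s: reported but not in the deployment" % name)
    return alerts

# Constructed sample twins (assumed field layout).
SAMPLE_DESIRED = {"modules": {
    "sensor": {"status": "running", "settings": {"image": "registry.example.com/sensor:1.4.2"}},
    "filter": {"status": "running", "settings": {"image": "registry.example.com/filter:2.0.1"}},
}}
SAMPLE_REPORTED = {"lastDesiredStatus": {"code": 200}, "modules": {
    "sensor": {"runtimeStatus": "running", "settings": {"image": "registry.example.com/sensor:1.4.2"}},
    "filter": {"runtimeStatus": "failed", "settings": {"image": "registry.example.com/filter:2.0.1"}},
    "extra": {"runtimeStatus": "running", "settings": {"image": "registry.example.com/extra:0.1"}},
}}

if __name__ == "__main__":
    print("\n".join(find_drift(SAMPLE_DESIRED, SAMPLE_REPORTED)))
```

A module that is still reported as downloading will also be flagged, so a scheduled check should alert only on drift that persists across runs.
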

For more information, see Learn how to deploy modules and establish routes in IoT Edge.

Security

The IoT Edge agent plays a critical role in the security of an IoT Edge device. For example, it performs actions like verifying a module's image before starting it.

For more information about the Azure IoT Edge security framework, read about the IoT Edge security manager.

Next steps

Understand Azure IoT Edge modules