Prepare to deploy your IoT Edge solution in production

When you're ready to take your IoT Edge solution from development into production, make sure that it's configured for ongoing performance.

Not all of the information in this article carries the same weight. To help you prioritize, each section starts with lists that divide the work into two groups: items that are important to complete before going to production, and items that are helpful to know.

Device configuration

IoT Edge devices can be anything from a Raspberry Pi to a laptop to a virtual machine running on a server. You may have access to the device either physically or through a virtual connection, or it may be isolated for extended periods of time. Either way, you want to make sure that it's configured to work appropriately.

  • Important

    • Install production certificates
    • Have a device management plan
    • Use Moby as the container engine
  • Helpful

    • Choose upstream protocol

Install production certificates

Every IoT Edge device in production needs a device certificate authority (CA) certificate installed on it. That CA certificate is then declared to the IoT Edge runtime in the config.yaml file. For development and testing scenarios, the IoT Edge runtime creates temporary certificates if no certificates are declared in the config.yaml file. However, these temporary certificates expire after three months and aren't secure for production scenarios. For production scenarios, provide your own device CA certificate, either issued by a self-signed certificate authority that you operate or purchased from a commercial certificate authority.

Note

Currently, a limitation in libiothsm prevents the use of certificates that expire on or after January 1, 2038.

To understand the role of the device CA certificate, see How Azure IoT Edge uses certificates.

For more information about how to install certificates on an IoT Edge device and reference them from the config.yaml file, see Manage certificates on an IoT Edge device.

Have a device management plan

Before you put any device in production, you should know how you're going to manage future updates. For an IoT Edge device, the list of components to update may include:

  • Device firmware
  • Operating system libraries
  • Container engine, like Moby
  • IoT Edge daemon
  • CA certificates

For more information, see Update the IoT Edge runtime. The current methods for updating the IoT Edge daemon require physical or SSH access to the IoT Edge device. If you have many devices to update, consider adding the update steps to a script or using an automation tool like Ansible.

Use Moby as the container engine

A container engine is a prerequisite for any IoT Edge device. Only moby-engine is supported in production. Other container engines, like Docker, do work with IoT Edge, and it's fine to use them for development. The moby-engine can be redistributed when used with Azure IoT Edge, and Microsoft provides servicing for this engine.

Choose upstream protocol

You can configure the protocol (which determines the port used) for upstream communication to IoT Hub for both the IoT Edge agent and the IoT Edge hub. The default protocol is AMQP, but you may want to change it depending on your network setup.

Both runtime modules have an UpstreamProtocol environment variable. The valid values for the variable are:

  • MQTT
  • AMQP
  • MQTTWS
  • AMQPWS

Configure the UpstreamProtocol variable for the IoT Edge agent in the config.yaml file on the device itself. For example, if your IoT Edge device is behind a proxy server that blocks AMQP ports, you may need to configure the IoT Edge agent to use AMQP over WebSocket (AMQPWS) to establish the initial connection to IoT Hub.

Once your IoT Edge device connects, be sure to keep setting the UpstreamProtocol variable for both runtime modules in every future deployment. An example of this process is provided in Configure an IoT Edge device to communicate through a proxy server.

Deployment

  • Helpful
    • Be consistent with upstream protocol
    • Set up host storage for system modules
    • Reduce memory space used by the IoT Edge hub
    • Do not use debug versions of module images

Be consistent with upstream protocol

If you configured the IoT Edge agent on your IoT Edge device to use a protocol other than the default AMQP, declare the same protocol in all future deployments. For example, if your IoT Edge device is behind a proxy server that blocks AMQP ports, you probably configured the device to connect over AMQP over WebSocket (AMQPWS). When you deploy modules to the device, configure the same AMQPWS protocol for both the IoT Edge agent and the IoT Edge hub; otherwise the default AMQP overrides the setting and the device can no longer connect.

You only have to configure the UpstreamProtocol environment variable for the IoT Edge agent and IoT Edge hub modules. Any additional modules adopt whatever protocol is set in the runtime modules.

An example of this process is provided in Configure an IoT Edge device to communicate through a proxy server.
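The mismatch described in Choose upstream protocol and again here (a device provisioned for AMQPWS, a deployment that leaves one runtime module on the AMQP default) is easy to catch before the manifest is pushed. The following script is an added example, not code from the Azure IoT Edge docs or runtime: it reads a deployment manifest, applies the runtime's default of AMQP to whichever system module omits the variable, reports any module that disagrees with the protocol the device was configured with, and produces a corrected copy. The manifest is constructed for illustration.

```python
"""
Check that a deployment manifest keeps edgeAgent and edgeHub on the same
upstream protocol as the device's config.yaml. Added example, not code from the
Azure IoT Edge docs or runtime; the manifest below is constructed.
"""
import copy

VALID_PROTOCOLS = {"MQTT", "AMQP", "MQTTWS", "AMQPWS"}
DEFAULT_PROTOCOL = "AMQP"            # what a runtime module uses when the variable is absent
RUNTIME_MODULES = ("edgeAgent", "edgeHub")


def system_modules(manifest):
    return manifest["modulesContent"]["$edgeAgent"]["properties.desired"]["systemModules"]


def upstream_protocol(manifest, module):
    """Effective UpstreamProtocol for one runtime module, default applied when unset."""
    env = system_modules(manifest)[module].get("env", {})
    return str(env.get("UpstreamProtocol", {}).get("value", DEFAULT_PROTOCOL)).upper()


def check_upstream_protocol(manifest, device_protocol):
    """
    device_protocol: the value the device was provisioned with (config.yaml).
    Returns a list of problems; an empty list means the deployment is consistent.
    """
    device_protocol = device_protocol.upper()
    problems = []
    if device_protocol not in VALID_PROTOCOLS:
        problems.append(f"device protocol {device_protocol!r} is not one of {sorted(VALID_PROTOCOLS)}")
    for module in RUNTIME_MODULES:
        effective = upstream_protocol(manifest, module)
        if effective not in VALID_PROTOCOLS:
            problems.append(f"{module}: UpstreamProtocol {effective!r} is not a valid value")
        elif effective != device_protocol:
            explicit = "UpstreamProtocol" in system_modules(manifest)[module].get("env", {})
            how = "is set to" if explicit else "is missing, so it defaults to"
            problems.append(f"{module}: UpstreamProtocol {how} {effective}; device expects {device_protocol}")
    return problems


def pin_upstream_protocol(manifest, protocol):
    """Copy of the manifest with UpstreamProtocol set explicitly on both runtime modules."""
    fixed = copy.deepcopy(manifest)
    for module in RUNTIME_MODULES:
        system_modules(fixed)[module].setdefault("env", {})["UpstreamProtocol"] = {"value": protocol.upper()}
    return fixed


# Constructed manifest: the agent was switched to AMQPWS for a proxy, edgeHub was forgotten.
SAMPLE_MANIFEST = {"modulesContent": {"$edgeAgent": {"properties.desired": {
    "schemaVersion": "1.0",
    "runtime": {"type": "docker", "settings": {"minDockerVersion": "v1.25"}},
    "systemModules": {
        "edgeAgent": {"type": "docker",
                      "settings": {"image": "mcr.microsoft.com/azureiotedge-agent:1.0"},
                      "env": {"UpstreamProtocol": {"value": "AMQPWS"}}},
        "edgeHub": {"type": "docker", "status": "running", "restartPolicy": "always",
                    "settings": {"image": "mcr.microsoft.com/azureiotedge-hub:1.0"}},
    },
    "modules": {},
}}}}


if __name__ == "__main__":
    for problem in check_upstream_protocol(SAMPLE_MANIFEST, "AMQPWS"):
        print("PROBLEM:", problem)
    fixed = pin_upstream_protocol(SAMPLE_MANIFEST, "AMQPWS")
    print("after pinning:", check_upstream_protocol(fixed, "AMQPWS") or "consistent")
```

Run it as a pre-deployment gate with the protocol your fleet's config.yaml uses; the constructed manifest above fails on edgeHub, because an absent variable silently means AMQP, which is exactly the case a proxy blocks.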

Set up host storage for system modules

The IoT Edge hub and agent modules use local storage to maintain state and enable messaging between modules, devices, and the cloud. For better reliability and performance, configure the system modules to use storage on the host filesystem.

For more information, see Host storage for system modules.

Reduce memory space used by IoT Edge hub

If you're deploying constrained devices with limited memory available, you can configure IoT Edge hub to run in a more streamlined capacity and use less disk space. These configurations do limit the performance of the IoT Edge hub, however, so find the right balance that works for your solution.

Don't optimize for performance on constrained devices

The IoT Edge hub is optimized for performance by default, so it attempts to allocate large chunks of memory. This configuration can cause stability problems on smaller devices like the Raspberry Pi. If you're deploying devices with constrained resources, you may want to set the OptimizeForPerformance environment variable to false on the IoT Edge hub.

When OptimizeForPerformance is set to true, the MQTT protocol head uses the PooledByteBufferAllocator, which has better performance but allocates more memory. The allocator does not work well on 32-bit operating systems or on devices with low memory. Additionally, when optimized for performance, RocksDb allocates more memory for its role as the local storage provider.

For more information, see Stability issues on smaller devices.

Disable unused protocols

Another way to optimize the performance of the IoT Edge hub and reduce its memory usage is to turn off the protocol heads for any protocols that you're not using in your solution.

Protocol heads are configured by setting boolean environment variables for the IoT Edge hub module in your deployment manifests. The three variables are:

  • amqpSettings__enabled
  • mqttSettings__enabled
  • httpSettings__enabled

All three variables have two underscores and can be set to either true or false.

Reduce storage time for messages

The IoT Edge hub module stores messages temporarily if they cannot be delivered to IoT Hub for any reason. You can configure how long the IoT Edge hub holds on to undelivered messages before letting them expire. If you have memory concerns on your device, you can lower the timeToLiveSecs value in the IoT Edge hub module twin.

The default value of the timeToLiveSecs parameter is 7200 seconds, which is two hours.

Do not use debug versions of module images

When moving from test scenarios to production scenarios, remember to remove debug configurations from deployment manifests. Check that none of the module images in the deployment manifests have the .debug suffix. If you added create options to expose ports in the modules for debugging, remove those create options as well.
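Both leftovers described above can be found mechanically. The following script is an added example, not part of the Azure IoT Edge docs or tooling: it walks every module in a deployment manifest, flags images whose tag ends in .debug, parses each module's createOptions (stored in manifests as a JSON string) and reports the ports it publishes. The manifest is constructed, and DEBUGGER_PORTS is an assumption listing ports common remote debuggers use; extend it for the debuggers your modules actually ship with. System modules are skipped for the port check because edgeHub publishes 443, 5671 and 8883 by design.

```python
"""
Find development leftovers in a deployment manifest before it goes to
production: module images tagged .debug and createOptions that publish
debugger ports. Added example, not part of the Azure IoT Edge docs; the
manifest is constructed and DEBUGGER_PORTS is an assumption to adjust.
"""
import json

# Assumption: ports the common remote debuggers listen on.
DEBUGGER_PORTS = {"5678": "debugpy/ptvsd", "9229": "Node.js inspector", "2345": "Delve"}
SYSTEM_MODULES = ("edgeAgent", "edgeHub")   # edgeHub publishes 443/5671/8883 by design


def all_modules(manifest):
    desired = manifest["modulesContent"]["$edgeAgent"]["properties.desired"]
    return {**desired.get("systemModules", {}), **desired.get("modules", {})}


def image_tag(image):
    """Tag part of an image reference, or '' when the reference has none."""
    last = image.rsplit("/", 1)[-1]          # registry host may itself contain ':port'
    return last.rsplit(":", 1)[1] if ":" in last else ""


def parse_create_options(settings):
    """In manifests createOptions is a JSON string; tolerate an already-parsed dict."""
    raw = settings.get("createOptions", "")
    if not raw:
        return {}
    return raw if isinstance(raw, dict) else json.loads(raw)


def published_ports(create_options):
    """Container ports exposed or published via createOptions (port number only)."""
    keys = list(create_options.get("ExposedPorts", {}))
    keys += list(create_options.get("HostConfig", {}).get("PortBindings", {}))
    return sorted({k.split("/")[0] for k in keys})


def lint_manifest(manifest):
    """Return (severity, module, message) tuples; 'error' items must be fixed."""
    findings = []
    for name, mod in all_modules(manifest).items():
        settings = mod.get("settings", {})
        image = settings.get("image", "")
        if image_tag(image).endswith(".debug"):
            findings.append(("error", name, f"debug image {image}"))
        if name in SYSTEM_MODULES:
            continue
        try:
            ports = published_ports(parse_create_options(settings))
        except json.JSONDecodeError as exc:
            findings.append(("error", name, f"createOptions is not valid JSON: {exc}"))
            continue
        for port in ports:
            if port in DEBUGGER_PORTS:
                findings.append(("error", name, f"debugger port {port} ({DEBUGGER_PORTS[port]}) is published"))
            else:
                findings.append(("review", name, f"port {port} is published; confirm it is needed in production"))
    return findings


# Constructed manifest: 'sensor' still carries its debug image and debugpy port.
SAMPLE_MANIFEST = {"modulesContent": {"$edgeAgent": {"properties.desired": {
    "systemModules": {
        "edgeAgent": {"settings": {"image": "mcr.microsoft.com/azureiotedge-agent:1.0"}},
        "edgeHub": {"settings": {
            "image": "mcr.microsoft.com/azureiotedge-hub:1.0",
            "createOptions": json.dumps({"HostConfig": {"PortBindings": {
                "5671/tcp": [{"HostPort": "5671"}], "8883/tcp": [{"HostPort": "8883"}],
                "443/tcp": [{"HostPort": "443"}]}}})}},
    },
    "modules": {
        "sensor": {"settings": {
            "image": "contoso.azurecr.cn/sensor:0.0.1-amd64.debug",
            "createOptions": json.dumps({"ExposedPorts": {"5678/tcp": {}}, "HostConfig": {
                "PortBindings": {"5678/tcp": [{"HostPort": "5678"}]}}})}},
        "web": {"settings": {
            "image": "contoso.azurecr.cn/web:1.0.0-amd64",
            "createOptions": json.dumps({"HostConfig": {"PortBindings": {"8080/tcp": [{"HostPort": "8080"}]}}})}},
    },
}}}}


if __name__ == "__main__":
    for severity, module, message in lint_manifest(SAMPLE_MANIFEST):
        print(f"{severity:6} {module:10} {message}")
```

A port that is not on the debugger list is reported for review rather than as an error, since a production module may legitimately serve traffic; the point is that every published port in a production manifest should be a deliberate decision.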

Container management

  • Important
    • Manage access to your container registry
    • Use tags to manage versions
  • Helpful
    • Store runtime containers in your private registry

Manage access to your container registry

Before you deploy modules to production IoT Edge devices, ensure that you control access to your container registry so that outsiders can't access or make changes to your container images. Use a private, not public, container registry to manage container images.

In the tutorials and other documentation, we instruct you to use the same container registry credentials on your IoT Edge device as you use on your development machine. These instructions are only intended to help you set up testing and development environments more easily, and should not be followed in a production scenario.

For more secure access to your registry, you have a choice of authentication options. A popular and recommended option is an Active Directory service principal, which is well suited for applications or services that pull container images in an automated or otherwise unattended (headless) manner, as IoT Edge devices do.

To create a service principal, run the two scripts as described in Create a service principal. These scripts do the following tasks:

  • The first script creates the service principal. It outputs the service principal ID and the service principal password. Store these values securely.

  • The second script creates the role assignments granted to the service principal; it can be run again later if needed. We recommend the acrPull role for the role parameter, since a device only needs to pull images. For a list of roles, see Azure Container Registry roles and permissions.

To authenticate using a service principal, provide the service principal ID and password that you obtained from the first script. Specify these credentials in the deployment manifest.

  • For the username or client ID, specify the service principal ID.

  • For the password or client secret, specify the service principal password.

Note

After implementing an enhanced security authentication, disable the Admin user setting so that the default username/password access is no longer available. In your container registry in the Azure portal, from the left pane menu under Settings, select Access Keys.

Use tags to manage versions

A tag is a Docker concept that you can use to distinguish between versions of Docker containers. Tags are suffixes like 1.0 that go on the end of a container repository, for example mcr.microsoft.com/azureiotedge-agent:1.0. Tags are mutable and can be changed to point to another container at any time, so your team should agree on a convention to follow as you update your module images.

Tags also help you to enforce updates on your IoT Edge devices. When you push an updated version of a module to your container registry, increment the tag. Then, push a new deployment to your devices with the tag incremented. The container engine recognizes the incremented tag as a new version and pulls the latest module version down to your device.

For an example of a tag convention, see Update the IoT Edge runtime to learn how IoT Edge uses rolling tags and specific tags to track versions.

Store runtime containers in your private registry

You know about storing the container images for your custom code modules in your private Azure registry, but you can also use it to store public container images, such as those for the edgeAgent and edgeHub runtime modules. Doing so may be required if you have very tight firewall restrictions, as these runtime containers are stored in the Microsoft Container Registry (MCR).

Obtain the images with the docker pull command and place them in your private registry. Be aware that you will need to update the images with each new release of the IoT Edge runtime.

IoT Edge runtime container    Docker pull command
Azure IoT Edge Agent          docker pull mcr.microsoft.com/azureiotedge-agent
Azure IoT Edge Hub            docker pull mcr.microsoft.com/azureiotedge-hub

Next, be sure to update the image references in the deployment.template.json file for the edgeAgent and edgeHub system modules. Replace mcr.microsoft.com with your registry name and server for both modules.

  • edgeAgent:

    "image": "<registry name and server>/azureiotedge-agent:1.0",

  • edgeHub:

    "image": "<registry name and server>/azureiotedge-hub:1.0",

Networking

  • Helpful
    • Review outbound/inbound configuration
    • Allow connections from IoT Edge devices
    • Configure communication through a proxy

Review outbound/inbound configuration

Communication channels between Azure IoT Hub and IoT Edge are always configured to be outbound. For most IoT Edge scenarios, only three connections are necessary. The container engine needs to connect with the container registry (or registries) that holds the module images. The IoT Edge runtime needs to connect with IoT Hub to retrieve device configuration information and to send messages and telemetry. And if you use automatic provisioning, the IoT Edge daemon needs to connect to the Device Provisioning Service. For more information, see Firewall and port configuration rules.

Allow connections from IoT Edge devices

If your networking setup requires that you explicitly permit connections made from IoT Edge devices, review the following list of IoT Edge components:

  • IoT Edge agent opens a persistent AMQP/MQTT connection to IoT Hub, possibly over WebSockets.
  • IoT Edge hub opens a single persistent AMQP connection or multiple MQTT connections to IoT Hub, possibly over WebSockets.
  • IoT Edge daemon makes intermittent HTTPS calls to IoT Hub.

In all three cases, the DNS name matches the pattern *.azure-devices.cn.

Additionally, the container engine makes calls to container registries over HTTPS. To retrieve the IoT Edge runtime container images, the DNS name is mcr.microsoft.com. The container engine connects to other registries as configured in the deployment.

This checklist is a starting point for firewall rules:

URL (* = wildcard)                      Outbound TCP ports    Usage
mcr.microsoft.com                       443                   Microsoft Container Registry
global.azure-devices-provisioning.cn    443                   DPS access (optional)
*.azurecr.cn                            443                   Personal and third-party container registries
*.blob.core.chinacloudapi.cn            443                   Download Azure Container Registry image deltas from blob storage
*.azure-devices.cn                      5671, 8883, 443       IoT Hub access
*.docker.io                             443                   Docker Hub access (optional)
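The checklist above is generic; the rules a specific device actually needs follow from its deployment manifest and its hub. The following script is an added example, not from the Azure IoT Edge docs or tooling: it derives the registry hosts from every module's image reference (using Docker's rule that the first path component is a registry only when it looks like a hostname, and bare names go to Docker Hub), picks the IoT Hub port from each runtime module's UpstreamProtocol per the table above (AMQP 5671, MQTT 8883, either WebSocket variant 443), adds the daemon's HTTPS calls, and optionally DPS. The manifest and the hub hostname are constructed.

```python
"""
Derive the outbound allowlist an IoT Edge device needs from its deployment
manifest and IoT Hub hostname. Added example, not from the docs: the port per
protocol follows the checklist above, the registry-host rule is how Docker
reads image references, and the manifest and hostnames are constructed.
"""

HUB_PORT_FOR_PROTOCOL = {"AMQP": 5671, "MQTT": 8883, "AMQPWS": 443, "MQTTWS": 443}
RUNTIME_MODULES = ("edgeAgent", "edgeHub")


def registry_endpoint(image):
    """(host, port) of the registry an image reference pulls from."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        host, _, port = first.partition(":")
        return host, int(port) if port else 443
    return "docker.io", 443   # bare names such as alpine:3.18 resolve to Docker Hub


def upstream_protocol(manifest, module):
    system = manifest["modulesContent"]["$edgeAgent"]["properties.desired"]["systemModules"]
    env = system[module].get("env", {})
    return str(env.get("UpstreamProtocol", {}).get("value", "AMQP")).upper()


def outbound_rules(manifest, hub_hostname, uses_dps=False):
    """Sorted (host, port, usage) rows for the device's firewall."""
    rules = {}

    def add(host, port, usage):
        rules.setdefault((host, port), []).append(usage)

    desired = manifest["modulesContent"]["$edgeAgent"]["properties.desired"]
    modules = {**desired.get("systemModules", {}), **desired.get("modules", {})}
    for name, mod in modules.items():
        host, port = registry_endpoint(mod["settings"]["image"])
        add(host, port, f"image pull for {name}")
        if host.endswith(".azurecr.cn"):   # ACR serves layers from blob storage
            add("*.blob.core.chinacloudapi.cn", 443, "ACR image layers")
    for module in RUNTIME_MODULES:
        proto = upstream_protocol(manifest, module)
        add(hub_hostname, HUB_PORT_FOR_PROTOCOL[proto], f"{module} upstream over {proto}")
    add(hub_hostname, 443, "iotedge daemon HTTPS")
    if uses_dps:
        add("global.azure-devices-provisioning.cn", 443, "DPS")
    return [(h, p, "; ".join(u)) for (h, p), u in sorted(rules.items())]


# Constructed manifest: runtime from MCR over AMQPWS, one ACR module, one Docker Hub image.
SAMPLE_MANIFEST = {"modulesContent": {"$edgeAgent": {"properties.desired": {
    "systemModules": {
        "edgeAgent": {"settings": {"image": "mcr.microsoft.com/azureiotedge-agent:1.0"},
                      "env": {"UpstreamProtocol": {"value": "AMQPWS"}}},
        "edgeHub": {"settings": {"image": "mcr.microsoft.com/azureiotedge-hub:1.0"},
                    "env": {"UpstreamProtocol": {"value": "AMQPWS"}}},
    },
    "modules": {
        "sensor": {"settings": {"image": "contoso.azurecr.cn/sensor:1.0"}},
        "tooling": {"settings": {"image": "alpine:3.18"}},
    },
}}}}
HUB = "contoso-hub.azure-devices.cn"   # constructed name matching *.azure-devices.cn


if __name__ == "__main__":
    for host, port, usage in outbound_rules(SAMPLE_MANIFEST, HUB, uses_dps=True):
        print(f"{host:40} {port:5} {usage}")
```

Because the hub port is read from the manifest, a device switched to AMQPWS for a proxy needs only 443 to its hub, while a device left on the default gets a 5671 rule; running this against each deployment keeps the allowlist as narrow as the deployment allows.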

Configure communication through a proxy

If your devices are going to be deployed on a network that uses a proxy server, they need to be able to communicate through the proxy to reach IoT Hub and container registries. For more information, see Configure an IoT Edge device to communicate through a proxy server.

Solution management

  • Helpful
    • Set up logs and diagnostics
    • Consider tests and CI/CD pipelines

Set up logs and diagnostics

On Linux, the IoT Edge daemon uses the systemd journal as the default logging driver. You can use the command-line tool journalctl to query the daemon logs. On Windows, the IoT Edge daemon uses PowerShell diagnostics. Use Get-IoTEdgeLog to query logs from the daemon. IoT Edge modules use the JSON driver for logging, which is the default.

. {Invoke-WebRequest -useb aka.ms/iotedge-win} | Invoke-Expression; Get-IoTEdgeLog

When you're testing an IoT Edge deployment, you can usually access your devices to retrieve logs and troubleshoot. In production, you may not have that option. Consider how you're going to gather information about your devices in production. One option is to use a logging module that collects information from the other modules and sends it to the cloud. One example of a logging module is logspout-loganalytics, or you can design your own.

Place limits on log size

By default, the Moby container engine does not set container log size limits. Over time, this can lead to the device filling up with logs and running out of disk space. Consider the following options to prevent this:

Option: Set global limits that apply to all container modules

You can limit the size of all container log files in the container engine log options. The following example sets the log driver to json-file (recommended) with limits on the size and number of files:

{
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "10m",
        "max-file": "3"
    }
}

Add (or append) this information to a file named daemon.json and place it in the right location for your device platform.

Platform    Location
Linux       /etc/docker/
Windows     C:\ProgramData\iotedge-moby\config\

The container engine must be restarted for the changes to take effect.

Option: Adjust log settings for each container module

You can do so in the createOptions of each module. For example:

"createOptions": {
    "HostConfig": {
        "LogConfig": {
            "Type": "json-file",
            "Config": {
                "max-size": "10m",
                "max-file": "3"
            }
        }
    }
}
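With both options in play, the effective limit for a module depends on how the engine-wide daemon.json and the module's own LogConfig combine: when a module names the same driver as the engine, Docker merges the engine's log-opts under the module's own options, so a module that sets only max-file still inherits max-size from daemon.json; a module on a different driver ignores daemon.json entirely; and json-file with no max-size anywhere never rotates. The following script is an added example, not from the Azure IoT Edge docs or Moby: it applies that merge to every module in a manifest and reports the worst-case disk each module's logs can reach (max-size times max-file, Docker's default max-file being 1), so unbounded modules stand out. The manifest and daemon.json are constructed.

```python
"""
Worst-case disk per module's container logs, from the engine-wide daemon.json
and each module's createOptions. Added example, not from the docs; inputs are
constructed. Sizes use Docker's max-size syntax (k, m, g; 1024-based).
"""
import json

UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """'10m' -> 10485760; bare numbers are bytes."""
    s = str(text).strip().lower()
    if s and s[-1] in UNITS:
        return int(float(s[:-1]) * UNITS[s[-1]])
    return int(s)


def file_cap(driver, opts):
    """(driver, max bytes or None) for one merged log configuration."""
    if driver != "json-file":
        return driver, None          # journald etc. are bounded by their own settings
    if "max-size" not in opts:
        return driver, None          # json-file without max-size never rotates
    return driver, parse_size(opts["max-size"]) * int(opts.get("max-file", 1))


def module_cap(module, daemon_json):
    """Merge engine defaults into the module's LogConfig the way Docker does, then cap."""
    raw = module.get("settings", {}).get("createOptions", "")
    opts = (json.loads(raw) if isinstance(raw, str) else raw) if raw else {}
    log_cfg = opts.get("HostConfig", {}).get("LogConfig") or {}
    engine_driver = daemon_json.get("log-driver", "json-file")
    driver = log_cfg.get("Type") or engine_driver
    config = dict(log_cfg.get("Config") or {})
    if driver == engine_driver:      # engine log-opts fill in keys the module did not set
        for key, value in daemon_json.get("log-opts", {}).items():
            config.setdefault(key, value)
    return file_cap(driver, config)


def log_budget(manifest, daemon_json):
    """module name -> (driver, worst-case bytes or None when unbounded)."""
    desired = manifest["modulesContent"]["$edgeAgent"]["properties.desired"]
    modules = {**desired.get("systemModules", {}), **desired.get("modules", {})}
    return {name: module_cap(mod, daemon_json) for name, mod in modules.items()}


def unbounded_modules(budget):
    """json-file modules with no size cap, i.e. the ones that can fill the disk."""
    return sorted(name for name, (driver, cap) in budget.items() if driver == "json-file" and cap is None)


SAMPLE_DAEMON_JSON = {"log-driver": "json-file", "log-opts": {"max-size": "10m", "max-file": "3"}}


def _opts(log_config):
    return json.dumps({"HostConfig": {"LogConfig": log_config}})


# Constructed manifest: edgeHub sets its own limits, sensor sets only max-file, tooling uses journald.
SAMPLE_MANIFEST = {"modulesContent": {"$edgeAgent": {"properties.desired": {
    "systemModules": {
        "edgeAgent": {"settings": {"image": "mcr.microsoft.com/azureiotedge-agent:1.0"}},
        "edgeHub": {"settings": {"image": "mcr.microsoft.com/azureiotedge-hub:1.0",
                                 "createOptions": _opts({"Type": "json-file", "Config": {"max-size": "50m", "max-file": "2"}})}},
    },
    "modules": {
        "sensor": {"settings": {"image": "contoso.azurecr.cn/sensor:1.0",
                                "createOptions": _opts({"Type": "json-file", "Config": {"max-file": "5"}})}},
        "tooling": {"settings": {"image": "contoso.azurecr.cn/tooling:1.0",
                                 "createOptions": _opts({"Type": "journald"})}},
    },
}}}}


if __name__ == "__main__":
    budget = log_budget(SAMPLE_MANIFEST, SAMPLE_DAEMON_JSON)
    for name, (driver, cap) in budget.items():
        print(f"{name:10} {driver:10} {'unbounded' if cap is None else f'{cap / 2**20:.0f} MiB'}")
    print("unbounded:", unbounded_modules(budget))
```

Run the same manifest against an empty daemon.json to see why the global option matters: edgeAgent and sensor become unbounded, while edgeHub stays at 100 MiB because it carries its own max-size.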

Additional options on Linux systems

  • Configure the container engine to send logs to the systemd journal by setting journald as the default logging driver.

  • Periodically remove old logs from your device by installing a logrotate tool. Use the following file specification:

    /var/lib/docker/containers/*/*-json.log {
        copytruncate      # truncate in place so the engine keeps writing to the same file
        daily
        rotate 7          # keep seven rotated logs
        delaycompress
        compress
        notifempty
        missingok
    }
    

Next steps