Develop Reference

Configuration Error in Azure IoT Edge installation - "configuration has correct URIs for daemon mgmt endpoint - Error"

Version details
OS: Ubuntu 18.04.5 LTS
aziot-edge: bionic,now 1.2.3-1 amd64
aziot-identity-service: bionic,now 1.2.2-1 amd64
docker: Docker version 20.10.8+azure, build 3967b7d28e15a020e4ee344283128ead633b3e0c
Verifying the installation shows that the aziot-identityd is in "Down-activating" state
# sudo iotedge system status
System services:
aziot-edged Running
aziot-identityd Down - activating
aziot-keyd Running
aziot-certd Running
aziot-tpmd Ready
aziot-identityd is in a bad state because:
aziot-identityd.service: Down - activating : Printing the last 10 log lines.
-- Logs begin at Fri 2020-11-06 12:29:56 IST, end at Fri 2021-09-10 19:07:13 IST. --
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN aziot-identityd[1871]: 2021-09-10T13:37:10Z [INFO] - Could not reconcile Identities with current device data. Reprovisioning.
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN aziot-identityd[1871]: 2021-09-10T13:37:10Z [INFO] - Updated device info for Edge1.
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN aziot-identityd[1871]: 2021-09-10T13:37:10Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found: Hub client error
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN aziot-identityd[1871]: 2021-09-10T13:37:10Z [ERR!] - service encountered an error
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN aziot-identityd[1871]: 2021-09-10T13:37:10Z [ERR!] - caused by: Hub client error
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN aziot-identityd[1871]: 2021-09-10T13:37:10Z [ERR!] - caused by: internal error
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN aziot-identityd[1871]: 2021-09-10T13:37:10Z [ERR!] - 0: <unknown>
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN aziot-identityd[1871]: 1: <unknown>
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN systemd[1]: aziot-identityd.service: Main process exited, code=exited, status=1/FAILURE
Sep 10 19:07:10 vm-DevIoTEdge1-poc-CentIN systemd[1]: aziot-identityd.service: Failed with result 'exit-code'.
iotedge check shows 2 configuration related errors:
# iotedge check --verbose
Configuration checks (aziot-identity-service)
---------------------------------------------
√ keyd configuration is well-formed - OK
√ certd configuration is well-formed - OK
√ tpmd configuration is well-formed - OK
√ identityd configuration is well-formed - OK
√ daemon configurations up-to-date with config.toml - OK
√ identityd config toml file specifies a valid hostname - OK
√ aziot-identity-service package is up-to-date - OK
√ host time is close to reference time - OK
√ preloaded certificates are valid - OK
√ keyd is running - OK
√ certd is running - OK
√ identityd is running - OK
× read all preloaded certificates from the Certificates Service - Error
could not load cert with ID "aziot-edged-trust-bundle"
Caused by:
parameter "id" has an invalid value
caused by: not found
√ read all preloaded key pairs from the Keys Service - OK
√ ensure all preloaded certificates match preloaded private keys with the same ID - OK
Connectivity checks (aziot-identity-service)
--------------------------------------------
√ host can connect to and perform TLS handshake with iothub AMQP port - OK
√ host can connect to and perform TLS handshake with iothub HTTPS / WebSockets port - OK
√ host can connect to and perform TLS handshake with iothub MQTT port - OK
Configuration checks
--------------------
√ aziot-edged configuration is well-formed - OK
√ configuration up-to-date with config.toml - OK
√ container engine is installed and functional - OK
× configuration has correct URIs for daemon mgmt endpoint - Error
SocketError - SocketErrorCode (TimedOut) : Operation timed out
One or more errors occurred. (Got bad response: )
caused by: docker returned exit code: 1, stderr = SocketError - SocketErrorCode (TimedOut) : Operation timed out
One or more errors occurred. (Got bad response: )
√ aziot-edge package is up-to-date - OK
√ container time is close to host time - OK
‼ DNS server - Warning
Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub.
Please see https://aka.ms/iotedge-prod-checklist-dns for best practices.
You can ignore this warning if you are setting DNS server per module in the Edge deployment.
caused by: Could not open container engine config file /etc/docker/daemon.json
caused by: No such file or directory (os error 2)
√ production readiness: container engine - OK
‼ production readiness: logs policy - Warning
Container engine is not configured to rotate module logs which may cause it run out of disk space.
Please see https://aka.ms/iotedge-prod-checklist-logs for best practices.
You can ignore this warning if you are setting log policy per module in the Edge deployment.
caused by: Could not open container engine config file /etc/docker/daemon.json
caused by: No such file or directory (os error 2)
× production readiness: Edge Agent's storage directory is persisted on the host filesystem - Error
Could not check current state of edgeAgent container
caused by: docker returned exit code: 1, stderr = Error: No such object: edgeAgent
× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error
Could not check current state of edgeHub container
caused by: docker returned exit code: 1, stderr = Error: No such object: edgeHub
√ Agent image is valid and can be pulled from upstream - OK
Connectivity checks
-------------------
√ container on the default network can connect to upstream AMQP port - OK
√ container on the default network can connect to upstream HTTPS / WebSockets port - OK
√ container on the default network can connect to upstream MQTT port - OK
√ container on the IoT Edge module network can connect to upstream AMQP port - OK
√ container on the IoT Edge module network can connect to upstream HTTPS / WebSockets port - OK
√ container on the IoT Edge module network can connect to upstream MQTT port - OK
30 check(s) succeeded.
2 check(s) raised warnings.
4 check(s) raised errors.
TOML file has only the manual provisioning with connection string.

I had this error because my IOT Hub networks "Public network access" was set as "Disabled".
You can correct this by going the following:
Go to the Azure portal, and go to the IOT Hub resource in question.
Go to the Networking menu option.
Change the "Public network access" to either "All Networks" or "Selected IP ranges", depending on your use case. Remember if you select "Selected IP ranges", you must add the VM/IOT devices ip address to the list of allowed IP addresses.

I came across this question like too many times while I was working with an enterprise environment. My finding is more related to the environment and security aspect of the whole system.
For my case, my working environment was RedHat Linux and Azure is hosted on-prem with added layer of proxy server. Only one piece of advice to solve most common issues in such environment is to give all necessary permissions of rwx (read, write, all).
Pinpointing the problem asked, the identity daemon is failing because the aziot trust bundle is not loading properly.
read all preloaded certificates from the Certificates Service - Error
could not load cert with ID "aziot-edged-trust-bundle"
Check the certificate is properly setup to use device identity certificate.
Second error is related to daemon management socket:
× configuration has correct URIs for daemon mgmt endpoint - Error
SocketError - SocketErrorCode (TimedOut) : Operation timed out
One or more errors occurred. (Got bad response: )
caused by: docker returned exit code: 1, stderr = SocketError - SocketErrorCode (TimedOut) : Operation timed out
One or more errors occurred. (Got bad response: )
This can be resolved by manually giving ownership permission to mgmt.sock at /var/lib/iotedge location.
Nevertheless, there may be a variety of reasons for iotedge dps to not work and further iotAgent and iotHub to not start. It is better to go to the root of the issue and start resolving it.

Unable to access published webapi from outside windows domain

My network environment is a follows. I have a Windows Server 2016 domain controller and a member server.
On the member server I have IIS and Visual Studio 2019 installed.
I created a webapi in VS2019 that writes data to a SQL server. I am using Postman for testing.
Everyting works fine when I runt postman on the member server and on the DC. However when I run postman from my workstation which is NOT a member of the domain I get error 500.
Below is a snipit from the IIS log.
192.168.100.222 is my DC
192.168.100.10 is my stand alone Windows 10 workstation.
2020-11-02 15:31:13 ::1 POST /api/SleepDiary sSleepGuy=guy2#there.com&sPilotName=Rick%20Doe 80 - ::1 PostmanRuntime/7.26.5 - 204 0 0 834
2020-11-02 15:31:52 192.168.100.223 POST /api/SleepDiary sSleepGuy=guy2#there.com&sPilotName=Rick%20Doe 80 - 192.168.100.222 PostmanRuntime/7.26.5 - 204 0 0 16
2020-11-02 15:32:14 192.168.100.223 POST /api/SleepDiary sSleepGuy=guy1#there.com&sPilotName=Rick%20Doe 80 - 192.168.100.10 PostmanRuntime/7.26.8 - 500 0 0 225

Windows 2012 BitsTransfer

I have few servers with Windows 2012, but im not able to use Start-BitsTransfer cmdlet.
The same cmdlet works fine on Windows server Windows 2012 R2 and 2016. Do you know what should be enabled to in Windows Server 2012?
Start-BitsTransfer -source https://...
Start-BitsTransfer : An error occurred in the secure channel support
At line:1 char:1
+ Start-BitsTransfer -source https://...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-BitsTransfer], Exception
+ FullyQualifiedErrorId : StartBitsTransferCOMException,Microsoft.BackgroundIntelligentTransfer.Management.NewBitsTransferCommand

I believe WS2012 doesn't contain TLS 1.1/1.2 in its SecureProtocols registry key. From Microsoft Support:
The SecureProtocols registry entry that has value 0xA80 for enabling
TLS 1.1 and 1.2 will be added in the following paths:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings
Per the TLS-SSL Settings article, for TLS 1.1 and 1.2 to be enabled
and negotiated on Windows 7, you MUST create the "DisabledByDefault"
entry in the appropriate subkey (Client) and set it to "0". These
subkeys will not be created in the registry since these protocols are
disabled by default.
Create the necessary subkeys for TLS 1.1 and 1.2; create the
DisabledByDefault DWORD values and set it to 0 in the following
locations:
For TLS 1.1 Registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.1\Client DWORD name: DisabledByDefault DWORD value: 0
For TLS 1.2 Registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2\Client DWORD name: DisabledByDefault DWORD value: 0

Why is my application not being deployed on OpenShift?

I believe I have everything set up properly for my server but I keep getting this error
Starting NodeJS cartridge
Tue Jan 05 2016 10:49:19 GMT-0500 (EST): Starting application 'squadstream' ...
Waiting for application port (8080) become available ...
Application 'squadstream' failed to start (port 8080 not available)
-------------------------
Git Post-Receive Result: failure
Activation status: failure
Activation failed for the following gears:
568be5b67628e1805b0000f2 (Error activating gear: CLIENT_ERROR: Failed to
execute: 'control start' for /var/lib/openshift/568be5b67628e1805b0000f2/nodejs
#<IO:0x0000000082d2a0>
#<IO:0x0000000082d228>
)
Deployment completed with status: failure
postreceive failed
I have my git repo set up with all the steps followed properly.
https://github.com/ammark47/SquadStreamServer
Edit: I have another app on openshift that is on 8080. I'm not sure if that makes a difference.

If the other application is running on the same gear, then it is binding to port 8080 first, making it unavailable for your second application. You will need to run each application on it's own gear. Also, you need to make sure that you are binding to port 8080 on the correct IP address for your gear, you can't bind to 0.0.0.0 or 127.0.0.1

Can't connect to cassandra container via haproxy

I am trying to connect an external app to Cassandra which is running dockerized on a mesos cluster.
These are the the apps I have running on mesos:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
137760ce852a cassandra:latest "/docker-entrypoint.s" 15 minutes ago Up 15 minutes 7000-7001/tcp, 7199/tcp, 9160/tcp, 0.0.0.0:31634->9042/tcp mesos-1b65f33a-3d36-4bf4-8a77-32077d8d234a-S1.0db174cc-2e0c-4790-9cd7-1f142d08c6e2
fec5fc93ccfd cassandra:latest "/docker-entrypoint.s" 22 minutes ago Up 22 minutes 7000-7001/tcp, 7199/tcp, 9160/tcp, 0.0.0.0:31551->9042/tcp mesos-1b65f33a-3d36-4bf4-8a77-32077d8d234a-S1.0022a3d2-d695-43c4-b22f-f5274cbd03ce
ca729ee628bb tobilg/mesos-dns "./bootstrap.sh" About an hour ago Up About an hour mesos-1b65f33a-3d36-4bf4-8a77-32077d8d234a-S1.12593777-2295-42fa-a56d-1d3cc9fc70ff
3921002a8a5b python:3 "/bin/sh -c 'env >env" About an hour ago Up About an hour 0.0.0.0:31295->8080/tcp mesos-1b65f33a-3d36-4bf4-8a77-32077d8d234a-S1.b101ab59-2538-416f-80cf-29215794bd37
the app called peek is just being used for testing proposals. I can access it at the URL: http://192.168.56.101:10001 with no problems.
The 2 cassandra instances are a seed and another one for scaling up; forming a cluster.
The json description for deployment of the cassandra applications on marathon are as following:
/cassandra-seed
{
"id": "cassandra-seed",
"constraints": [["hostname", "CLUSTER", "docker-sl-vm"]],
"container": {
"type": "DOCKER",
"docker": {
"image": "cassandra:latest",
"network": "BRIDGE",
"portMappings": [ {"containerPort": 9042,"hostPort": 0,"servicePort": 0,"protocol": "tcp"} ]
}
},
"cpus": 0.5,
"mem": 512.0,
"instances": 1,
"backoffSeconds": 1,
"backoffFactor": 1.15,
"maxLaunchDelaySeconds": 3600
}
/cassandra
{
"id": "cassandra",
"constraints": [["hostname", "CLUSTER", "docker-sl-vm"]],
"container": {
"type": "DOCKER",
"docker": {
"image": "cassandra:latest",
"network": "BRIDGE",
"portMappings": [ {"containerPort": 9042,"hostPort": 0,"servicePort": 0,"protocol": "tcp"} ]
}
},
"env": {
"CASSANDRA_SEED_COUNT": "1",
"CASSANDRA_SEEDS": "cassandra-seed.marathon.mesos"
},
"cpus": 0.5,
"mem": 512.0,
"instances": 1,
"backoffSeconds": 1,
"backoffFactor": 1.15,
"maxLaunchDelaySeconds": 3600
}
haproxy configuration is as following:
global
daemon
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096
tune.ssl.default-dh-param 2048
defaults
log global
retries 3
maxconn 2000
timeout connect 5s
timeout client 50s
timeout server 50s
listen stats
bind 127.0.0.1:9090
balance
mode http
stats enable
stats auth admin:admin
frontend marathon_http_in
bind *:80
mode http
frontend marathon_http_appid_in
bind *:81
mode http
frontend marathon_https_in
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
mode http
frontend cassandra_10003
bind *:10003
mode tcp
use_backend cassandra_10003
frontend cassandra-seed_10002
bind *:10002
mode tcp
use_backend cassandra-seed_10002
frontend dns_10000
bind *:10000
mode tcp
use_backend dns_10000
frontend peek_10001
bind *:10001
mode tcp
use_backend peek_10001
backend cassandra_10003
balance roundrobin
mode tcp
server docker-sl-vm_31634 192.168.56.102:31634
backend cassandra-seed_10002
balance roundrobin
mode tcp
server docker-sl-vm_31551 192.168.56.102:31551
backend dns_10000
balance roundrobin
mode tcp
server docker-sl-vm_31314 192.168.56.102:31314
backend peek_10001
balance roundrobin
mode tcp
server docker-sl-vm_31295 192.168.56.102:31295
The application I am trying to connect to Cassandra is a Play application. I am setting it like this:
akka.persistence {
journal.plugin = "cassandra-journal"
snapshot-store.plugin = "cassandra-snapshot-store"
}
cassandra-journal.contact-points = ["192.168.56.101:10003"]
cassandra-snapshot-store.contact-points = ["192.168.56.101:10003"]
The app starts up OK, but when I try to access it, I get the following error:
! #6o380dcg9 - Internal server error, for (GET) [/issues/list] ->
play.api.Application$$anon$1: Execution exception[[TimeoutException: deadline passed]]
at play.api.Application$class.handleError(Application.scala:296) ~[play_2.11-2.3.10.jar:2.3.10]
at play.api.DefaultApplication.handleError(Application.scala:402) [play_2.11-2.3.10.jar:2.3.10]
at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$14$$anonfun$apply$1.applyOrElse(PlayDefaultUpstreamHandler.scala:205) [play_2.11-2.3.10.jar:2.3.10]
at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$14$$anonfun$apply$1.applyOrElse(PlayDefaultUpstreamHandler.scala:202) [play_2.11-2.3.10.jar:2.3.10]
at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:36) [scala-library-2.11.7.jar:na]
Caused by: java.util.concurrent.TimeoutException: deadline passed
at akka.actor.dsl.Inbox$InboxActor$$anonfun$receive$1.applyOrElse(Inbox.scala:117) ~[akka-actor_2.11-2.4.0.jar:na]
at scala.PartialFunction$AndThen.applyOrElse(PartialFunction.scala:189) ~[scala-library-2.11.7.jar:na]
at akka.actor.Actor$class.aroundReceive(Actor.scala:480) ~[akka-actor_2.11-2.4.0.jar:na]
at akka.actor.dsl.Inbox$InboxActor.aroundReceive(Inbox.scala:62) ~[akka-actor_2.11-2.4.0.jar:na]
at akka.actor.ActorCell.receiveMessage(ActorCell.scala:525) ~[akka-actor_2.11-2.4.0.jar:na]
[error] c.d.d.c.Session - Error creating pool to /172.17.0.2:9042
com.datastax.driver.core.TransportException: [/172.17.0.2:9042] Cannot connect
at com.datastax.driver.core.Connection.<init>(Connection.java:109) ~[cassandra-driver-core-2.1.5.jar:na]
at com.datastax.driver.core.PooledConnection.<init>(PooledConnection.java:32) ~[cassandra-driver-core-2.1.5.jar:na]
at com.datastax.driver.core.Connection$Factory.open(Connection.java:586) ~[cassandra-driver-core-2.1.5.jar:na]
at com.datastax.driver.core.SingleConnectionPool.<init>(SingleConnectionPool.java:76) ~[cassandra-driver-core-2.1.5.jar:na]
at com.datastax.driver.core.HostConnectionPool.newInstance(HostConnectionPool.java:35) ~[cassandra-driver-core-2.1.5.jar:na]
Caused by: org.jboss.netty.channel.ConnectTimeoutException: connection timed out: /172.17.0.2:9042
at org.jboss.netty.channel.socket.nio.NioClientBoss.processConnectTimeout(NioClientBoss.java:139) ~[netty-3.9.9.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioClientBoss.process(NioClientBoss.java:83) ~[netty-3.9.9.Final.jar:na]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) ~[netty-3.9.9.Final.jar:na]
at org.jboss.netty.channel.socket.nio.NioClientBoss.run(NioClientBoss.java:42) ~[netty-3.9.9.Final.jar:na]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) ~[netty-3.9.9.Final.jar:na]
[error] c.d.d.c.Session - Error creating pool to /172.17.0.2:9042
Does anyone know how to fix this? What am I doing wrong?
Thank you in advance...
UPDATE =============================
Interesting thing is that the keyspaces for my application were created (akka, akka_snapshots):
cqlsh> describe keyspaces;
akka_snapshot system_auth system system_distributed system_traces akka
UPDATE 2 =============================
I have just noticed that I can't even connect the app directly to the running cassandra (without going through the haproxy). So, I've changed the portMapping to:
"portMappings": [ {"containerPort": 9042,"hostPort": 0,"servicePort": 9042,"protocol": "tcp"} ]
and it worked. HOWEVER, it only allow me to startup one machine, because of the servicePort declaration.
The problem is right into the port mapping. Any clue?

I understand you're using haproxy for the service discovery of the Cassandra cluster. If so, it won't be successful if you don't have a mechanism that updates the configuration once the tasks from Marathon are changed (scaling etc.).
The problem why your Cassandra node can't talk to each other is presumably that the /cassandra app has no reference to /cassandra-seed .
According to the Cassandra Docker image docs you should be able to configure the CASSANDRA_SEEDS env parameter dynmically.
To be able to use the service name cassandra-seed.marathon.mesos if would be necessary to resolve it to an IP address first IMHO:
"CASSANDRA_SEEDS": "$(host cassandra-seed.marathon.mesos | awk '/has address/ { print $4 }')"
would theoretically work (e.g. if your app has just one instance).
As you seem to use Mesos DNS, there can be a problem because currently (v0.4.0) only internal IP addresses are advertised (see Issue). You might have to fall back to a "real" Mesos DNS client which can resolve SRV records to correctly map those to Mesos Slave IP adresses and ports.
Or, you can parse the dig results yourself and use this as an input for the CASSANDRA_SEEDS env parameter:
dig _cassandra-seed._tcp.marathon.mesos SRV
see Mesos DNS docs.
mesosdns-cli can handle this, but requires a Node.js runtime in the Docker container where it should be used. You'd therefore have to create your own derivate of the cassandra Docker image.