Configuring Edge
Learn how to configure many different aspects of Cumulocity IoT Edge.
Learn how to configure many different aspects of Cumulocity IoT Edge.
Configuring the network enables you to access the Edge appliance using the domain name. If there are any changes in the network configuration due to an update or changes in the network protocols, you must reconfigure the network of your Edge appliance as described below. After reconfiguring the network, you must update the IP mapping for the domain name with the new IP address in the DNS servers, if you have added an entry in the DNS servers. If you are using an alias, you must update the IP address in the hosts file of your operating system.
Do not use the IP addresses from the below blocks in your network configuration. These IP addresses are reserved for Edge internal purpose.
Log in to the Management tenant using the Edge administrator credentials created during the installation.
Switch to the Administration application using the application switcher at the right of the top bar .
Click Edge > Network in the navigator.
The current network configuration for the Edge appliance appears.
Click Edit to reconfigure the network.
Provide the new IP address for you network. For example, 192.168.66.10
Provide the Netmask IP for your network. For example, 255.255.255.0
Provide the Gateway IP for your network. For example, 192.168.66.1
Provide the DNS for your network. For example, 8.8.8.8
For DNS, do not use the IP addresses 10.96.0.10 and 127.0.0.1.
Provide the Address range CIDR. For example, 172.18.0.0/16
The CIDR suffix must be between 0 and 27 inclusive. The default value is 172.16.0.0/15.
The Address range CIDR must not overlap with the reserved IP addresses. See Reserved IP addresses.
To configure the network using the REST APIs, see the /edge/configuration/network
API in the Cumulocity IoT Edge OpenAPI Specification.
The network CIDR fails in the following scenarios:
The network CIDR unavailable on boot time.
Description: The default network CIDR range is not available in the network. If the network range is already utilized, the network CIDR does not start properly and the Kubernetes cluster startup fails.
Invalid network CIDR provided during IP change.
Description: You tried to change the network CIDR of the properly running Edge appliance, but the range is not available in the network.
To troubleshoot these scenarios:
The default hostname of the Edge appliance is iot-edge-server. You can define a unique hostname for your Edge appliance as required. A unique hostname ensures seamless communication within the network, avoids any hostname conflicts with other network devices and improves the security of your Edge device.
Log in to the Management tenant using the Edge administrator credentials created during the installation.
Switch to the Administration application using the application switcher at the right of the top bar .
Click Edge > Hostname in the navigator.
Click Edit to change the hostname.
Provide the new hostname and click Save.
To configure the hostname using the REST APIs, see the /edge/configuration/hostname
API in the Cumulocity IoT Edge OpenAPI Specification.
For many use cases, and especially when using Apama, the time inside the Edge appliance must be synchronized with the network. Time synchronization helps in logging events accurately and compare the data from multiple devices.
By default, the chrony
service is responsible for time synchronization with the host operating system. For Hyper-V, the chronyd
service is disabled by default for accurate time synchronization.
Once the time synchronization is enabled, you can specify the NTP servers and the interval to trigger the time synchronization.
Log in to the Management tenant using the Edge administrator credentials created during the installation.
Switch to the Administration application using the application switcher at the right of the top bar .
Click Edge > Time synchronization in the navigator.
Use the toggle button to enable the time synchronization.
Click Edit to specify the NTP servers and the interval to trigger the time synchronization.
To configure the time synchronization using the REST APIs, see the /edge/configuration/time-sync
API in the Cumulocity IoT Edge OpenAPI Specification.
Microservices are server-side applications which may be used to extend the Edge platform with customer-specific functionality. For more information, see Microservice SDK. When you enable or disable the microservice feature, the Device simulator microservice also gets enabled or disabled. To use the Device simulator, add the Simulator permission. For more information, see Global roles.
For more information about Device simulator, see Working with simulators.
If you want to use the microservice hosting feature, ensure that you do not use these IP ranges in your local network where the Edge virtual machines are configured. When you enable the microservice hosting feature, the Kubernetes system reserves these IP ranges on the Edge instances.
Enabling the microservice hosting feature takes about 10 to 15 minutes to complete.
Log in to the Management tenant using the Edge administrator credentials created during the installation.
Switch to the Administration application using the application switcher at the right of the top bar .
Click Edge > Microservices in the navigator.
Use the toggle button to enable the microservice hosting feature.
To deploy a microservice, in the Administration application, navigate to Ecosystem > Microservices, and click Add microservice.
Upload the ZIP file for your microservice application. For more information about deploying a microservice, see Deploying the “Hello world” microservice.
After you have enabled the microservice hosting feature, ensure that the microservices are active and healthy before using them. For more information, see Microservice runtime.
Before disabling the microservice hosting feature, you should unsubscribe from all the microservices that have been uploaded. You can also delete the microservice if you are not planning to enable again and subscribe to the same microservice. For more information about developing and hosting a microservice, see Microservices SDK.
To enable or disable the microservice hosting feature using the REST APIs, see the /edge/configuration/microservices
API in the Cumulocity IoT Edge OpenAPI Specification.
A microservice specifies an API version in the microservice manifest. Depending on this API version, the microservice runs with all or only a restricted set of Linux kernel capabilities. More precisely, all capabilities are granted to microservices with API version 1 whereas only the capability CAP_NET_BIND_SERVICE
is granted to microservices with API version 2. For more information, see Microservice migration to API Version 2.
By default, only the Management tenant can upload and subscribe to the microservices with API version 1. To improve the security of the Edge appliance, the minimum API version has been configured to API version 2. Due to the minimum API version configuration, you cannot upload and subscribe to a microservice with API version 1 in the “edge” tenant.
To upload and subscribe to a microservice with API version 1 in the “edge” tenant:
The Edge appliance is security hardened by default. Furthermore, you can apply specific security configurations to enhance the security of your Edge appliance.
To apply the security configuration, follow the steps below:
Log in to the Management tenant using the Edge administrator credentials created during the installation.
Switch to the Administration application using the application switcher at the right of the top bar .
Click Edge > Security in the navigator.
Click Download configuration to download a sample JSON syntax for the current configuration. You can use the same JSON file in the POST operation using the REST API.
Click Edit configuration to edit the configuration.
You can either import a JSON file to prefill the values or enter the values manually.
Specify the following parameters:
Configuration |
Category | Parameter | Description |
---|---|---|---|
Operating system | SELinux | SELinux mode | SELinux secures the operating system from unprivileged actions of confined users. When enabled, SELinux has two modes: permissive and enforcing. permissive: In the permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements. Each AVC is logged only once in this case. enforcing: In the enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. Important
In the enforcing mode, you cannot access the Edge appliance remotely through VNC.
Default value: permissive |
SSH | SSH enabled | Enables or disables the SSH functionality of the Edge appliance. By default, the SSH functionality is enabled. Changing the value to false disables the SSH functionality. When disabled, you will not be able to SSH into the Edge appliance, locally or remotely. Default value: True |
|
Session inactivity | Login sessions inactivity timeout (seconds) | The idle duration before a user session is terminated. When configured, the user session terminates after the specified idle duration. Default value: 600 seconds Minimum value: 0 |
|
Linux Auditing System | Audit logging enabled | The Linux Auditing System helps system administrators create an audit trail, a log for every action on the server. You can track the security-relevant events, record the events in a log file, and detect misuse or unauthorized activities by inspecting the audit log files. Enables or disables Linux Auditing System. A value of true enables and creates an audit log file at Enabling auditing system increases the consumption of disk space. Important
Once enabled, you cannot disable the auditing system configuration.
Default value: False |
|
Remote logging | Audisp remote logging server | The centralized logging server to transfer the audit logs to. When configured, the operating system audit logs are transferred to the specified centralized logging server. |
|
Server | The IP address or the hostname of the destination server. | ||
Port | The port on the destination server. | ||
Remote logging | Rsyslog remote logging server | The centralized logging server to transfer the local logs to. When configured, the local logs are transferred to the specified centralized logging server. |
|
Server | The IP address or the hostname of the destination server. | ||
Port | The port on the destination server. | ||
Protocol | The protocol (TCP or UDP) used to transfer the logs. | ||
Login banner | Login banner | The login banner for your Edge appliance. | |
Kubernetes | Audit policy | Kubernetes audit policy defines the rules about what events should be recorded and what data they should include. | |
Level | The audit level controls what Kubernetes event data is recorded. When configured, the Kubernetes event data is logged to the specified level. Logging more data increases the consumption of disk space. None - do not log events. Metadata - log request metadata (requesting user, timestamp, resource, verb, and so on) but not request or response body. Request - log event metadata and request body but not response body. This does not apply for non-resource requests. RequestResponse - log event metadata, request and response bodies. This does not apply for non-resource requests. Default value: None |
||
Maximum age (days) | The maximum number of days to retain the old Kubernetes audit log files. A high value has more impact on the disk space. Default value: 30 days Minimum value: 0 |
||
Maximum numbers of log files to retain | The maximum number of Kubernetes audit log files to retain. Setting a value of 0 indicates that there is no restriction on the number of files to retain. A high value has more impact on the disk space. Default value: 10 files Minimum value: 0 |
||
Maximum size (megabytes) | The maximum size in megabytes of the Kubernetes audit log file before it gets rotated. A high value has more impact on the disk space. Default value: 100 MB Minimum value: 0 |
Click Save.
To configure security using the REST APIs, see the /edge/configuration/security
API in the Cumulocity IoT Edge OpenAPI Specification.
A key feature of Edge is the ability to operate the platform using a custom domain name. This means that you can configure the Edge appliance to serve you using a domain name of choice, for example *.iot.mycompany.com rather than the default URL of Edge. In addition, you can create subtenants using your domain. These will use <subtenantName>.iot.mycompany.com as their host names.
Log in to the Management tenant using the Edge administrator credentials created during the installation.
Switch to the Administration application using the application switcher at the right of the top bar .
Click Edge > Domain/Certificate in the navigator.
Review the domain name and the SSL certificate.
Click Edit below Domain name to edit the domain name.
Provide the new domain name.
If the existing license and SSL certificate files are compatible with the new domain name, you do not have to upload the license and certificate files.
Click Update.
If the existing license is not compatible with the new domain name, provide the license file for the new domain name.
If the existing license is compatible with the new domain name, you do not have to upload the license file.
If the existing certificate is not compatible with the new domain name, provide the SSL certificate and key files. If you do not have an SSL certificate, select Generate self signed SSL certificate.
If the existing certificate is compatible with the new domain name, you do not have to upload the SSL certificate and key files.
Click Save.
To change the domain name using the REST APIs, see the /edge/configuration/domain
API in the Cumulocity IoT Edge OpenAPI Specification.
The example below describes a scenario where an existing license or certificate is compatible with the new domain name:
If you have a license for the domain myown.iot.com, you can change the domain to myown.iot.com and any single level subdomain, for example sub.myown.iot.com
If you have a certificate for the domain myown.iot.com, then you can only set the domain to myown.iot.com. If you have a wildcard certificate like *.myown.iot.com, then you must set the domain name to any single level subdomain of myown.iot.com, that is sub.myown.iot.com, but not myown.iot.com itself.
You must always have a valid SSL certificate for your domain name that is configured. If the validity of the certificate expires or if you have changed your domain name, you must upload or generate a new SSL certificate. You can upload the certificate using the GUI and REST APIs.
Log in to the Management tenant using the Edge administrator credentials created during the installation.
Switch to the Administration application using the application switcher at the right of the top bar .
Click Edge > Domain/Certificate in the navigator.
Review the domain name and the SSL certificate.
Click Edit below SSL Certificate to upload the new SSL certificate file and the key file.
Provide the new SSL certificate file and the SSL certificate key file.
If you do not have an SSL certificate, select Generate self-signed certificate to generate one.
Click Save.
To update the SSL certificate using the REST APIs, see the /edge/configuration/certificate
API in the Cumulocity IoT Edge OpenAPI Specification.
For information about connecting your Edge appliance to the cloud tenant, see Connecting Edge to the cloud.
To enhance the performance and resource allocation for Karaf, you can change the environment variables for Karaf (such as JAVA_MAX_MEM
and the microservice proxy variables like MICROSERVICE_RUNTIME_PROXY_HTTP_HOST
, MICROSERVICE_RUNTIME_PROXY_HTTP_PORT
). To do so, you must update the file /usr/share/cumulocity-core-karaf/bin/setenv.:
Log in to the Edge appliance.
Open the file /usr/share/cumulocity-core-karaf/bin/setenv.
Edit the parameters.
If the parameter you want to change is present in the file, update its value; otherwise, add a new line:
export <PARAMETER_NAME>=<VALUE>
at the end of the file.
After changing the file, restart the cumulocity-core-karaf
service:
sudo service cumulocity-core-karaf stop
and
service cumulocity-core-karaf start
If the system performance is slow, you must increase the memory. Stop the Edge appliance and increase the memory of the Edge appliance using the hypervisor.
Increasing the memory of the Edge appliance must be followed by increasing the memory of the JVM. To increase the memory of the JVM, edit the value of the JAVA_MAX_MEM
parameter as desired by following the steps described above. The default value of this parameter is 2048 MB.
This section describes how to change the log level for Edge specific applications in the back-end. It does not explain how to change log settings for standard components like databases or other operating system related services.
The log level for Karaf is defined in the following file.
/usr/share/cumulocity-core-karaf/etc/org.ops4j.pax.logging.cfg
The file has the following structure:
# Root logger
log4j.rootLogger=INFO,out,osgi:*
log4j.throwableRenderer=org.apache.log4j.OsgiThrowableRenderer
# Error appender
log4j.appender.out=org.apache.log4j.rolling.RollingFileAppender
log4j.appender.out.rollingPolicy=org.apache.log4j.rolling.FixedWindowRollingPolicy
log4j.appender.out.rollingPolicy.maxIndex=10
log4j.appender.out.triggeringPolicy=org.apache.log4j.rolling.SizeBasedTriggeringPolicy
log4j.appender.out.triggeringPolicy.MaxFileSize=104857600
log4j.appender.out.rollingPolicy.FileNamePattern=${karaf.data}/log/error-%i.log.gz
log4j.appender.out.rollingPolicy.ActiveFileName=${karaf.data}/log/error.log
log4j.appender.out.layout=org.apache.log4j.PatternLayout
log4j.appender.out.layout.ConversionPattern=%d{yyyy-MM-dd} %d{HH:mm:ss} | %-5.5p | %-16.16t | %-32.32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
log4j.appender.out.append=true
# CXF request and response info:
# * ERROR - none
# * INFO - just headers (default)
# * DEBUG - whole, with payloads
log4j.additivity.com.cumulocity.rest.interceptors=false
log4j.logger.com.cumulocity.rest.interceptors=INFO,access
# Access appender
log4j.appender.access=org.apache.log4j.rolling.RollingFileAppender
log4j.appender.access.rollingPolicy=org.apache.log4j.rolling.FixedWindowRollingPolicy
log4j.appender.access.rollingPolicy.maxIndex=10
log4j.appender.access.triggeringPolicy=org.apache.log4j.rolling.SizeBasedTriggeringPolicy
log4j.appender.access.triggeringPolicy.MaxFileSize=262144000
log4j.appender.access.rollingPolicy.FileNamePattern=${karaf.data}/log/access-%i.log.gz
log4j.appender.access.rollingPolicy.ActiveFileName=${karaf.data}/log/access.log
log4j.appender.access.layout=org.apache.log4j.PatternLayout
log4j.appender.access.layout.ConversionPattern=%d{yyyy-MM-dd} %d{HH:mm:ss} | %-5.5p | %-16.16t | %-32.32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
log4j.appender.access.append=true
# Error response info:
# * INFO - just error message (default)
# * DEGUB - full stack trace
log4j.logger.com.cumulocity.rest.mediatypes=INFO
Change the following entries to adjust the log levels:
log4j.rootLogger=INFO,out,osgi:*
log4j.logger.com.cumulocity.rest.interceptors=INFO,access
log4j.logger.com.cumulocity.rest.mediatypes=INFO
Adjust the log levels by changing the level attribute according to the following values. The levels are inclusive - meaning a given level will also include all “lower” log levels, for example, when you set the level to WARN you will also get ERROR events.
Level | Description |
---|---|
ERROR | Log errors only |
WARN | Give information up to warnings |
INFO | Give information about normal operations |
DEBUG | Log all internal debug information |
Save the file. It is re-read by the application every few minutes so you do not have to restart the Java process.
The memory limit for OPC UA container is set to 2048 MB and the CPU limit is set to 256 as default values. For most use cases, these values are sufficient. You can change the values as per your requirements.
CTRL_DOCKER_OPTIONS="--memory 2048m --cpu-shares 256"
You can specify the CPU limit in --cpu-shares
or --cpus
.
--cpu-shares
specifies the share or percentage of the host machine’s CPU cycles allocated. For example, --cpu-shares 256
allocates a quarter of total CPUs available.--cpus
specifies how much of the available CPU resources the OPC UA container can use. For example, --cpus 2
allocates two CPUs out of the available CPUs from the host machine.For more information about CPU limits, see Docker documentation.
To change the memory and CPU limit:
CTRL_DOCKER_OPTIONS
to the required values.sudo service opcua-mgmt-service restart
sudo service opcua-device-gateway restart
The memory limit for Apama container is set to 2048 MB and the CPU limit is set to 256 as default values. For most use cases, these values are sufficient. You can change the values as per your requirements.
CTRL_DOCKER_OPTIONS="--memory 2048m --cpu-shares 256"
You can specify the CPU limit in --cpu-shares
or --cpus
.
--cpu-shares
specifies the share or percentage of the host machine’s CPU cycles allocated. For example, --cpu-shares 256
allocates a quarter of total CPUs available.--cpus
specifies how much of the available CPU resources the Apama container can use. For example, --cpus 2
allocates two CPUs out of the available CPUs from the host machine.For more information about CPU limits, see Docker documentation.
To change the memory and CPU limit:
CTRL_DOCKER_OPTIONS
to the required values.sudo service apama restart
Configuring an email server enables you to receive email notifications about events, alarms, and also to reset your password. In case you forget the password, the Edge appliance mails you the password reset link to reset your password.
To configure the “reset password” template and email server settings, perform the following steps:
Log into the Management tenant using https://<tenant-domain>/apps/administration/index.html#/configuration.
Update the email server details and templates as mentioned in Password reset and Email server.