Known issues: Azure IoT Operations Preview
Important
Azure IoT Operations Preview – enabled by Azure Arc is currently in PREVIEW. You shouldn't use this preview software in production environments.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
This article lists the known issues for Azure IoT Operations Preview.
Deploy and uninstall issues
You must use the Azure CLI interactive login
az login
when you deploy Azure IoT Operations. If you don't, you might see an error such as ERROR: AADSTS530003: Your device is required to be managed to access this resource.If your deployment fails with the
"code":"LinkedAuthorizationFailed"
error, it means that you don't have Microsoft.Authorization/roleAssignments/write permissions on the resource group that contains your cluster.To resolve this issue, either request the required permissions or make the following adjustments to your deployment steps:
- If deploying with an Azure Resource Manager template, set the
deployResourceSyncRules
parameter tofalse
. - If deploying with the Azure CLI, include the
--disable-rsync-rules
flag with the az iot ops init command.
- If deploying with an Azure Resource Manager template, set the
Uninstalling K3s: When you uninstall k3s on Ubuntu by using the
/usr/local/bin/k3s-uninstall.sh
script, you might encounter an issue where the script gets stuck on unmounting the NFS pod. A workaround for this issue is to run the following command before you run the uninstall script:sudo systemctl stop k3s
.
Azure IoT MQ Preview
You can only access the default deployment by using the cluster IP, TLS, and a service account token. Clients outside the cluster need extra configuration before they can connect.
You can't update the Broker custom resource after the initial deployment. You can't make configuration changes to cardinality, memory profile, or disk buffer.
You can't configure the size of a disk-backed buffer unless your chosen storage class supports it.
Even though IoT MQ's diagnostic service produces telemetry on its own topic, you might still get messages from the self-test when you subscribe to
#
topic.Some clusters that have slow Kubernetes API calls may result in selftest ping failures:
Status {Failed}. Probe failed: Ping: 1/2
from runningaz iot ops check
command.You might encounter an error in the KafkaConnector StatefulSet event logs such as
Invalid value: "mq-to-eventhub-connector-<token>--connectionstring": must be no more than 63 characters
. Ensure your KafkaConnector name is of maximum 5 characters.You may encounter timeout errors in the Kafka connector and Event Grid connector logs. Despite this, the connector will continue to function and forward messages.
Azure IoT Layered Network Management Preview
If the Layered Network Management service doesn't get an IP address while running K3S on Ubuntu host, reinstall K3S without trafeik ingress controller by using the
--disable=traefik
option.curl -sfL https://get.k3s.io | sh -s - --disable=traefik --write-kubeconfig-mode 644
For more information, see Networking | K3s.
If DNS queries don't resolve to the expected IP address while using CoreDNS service running on child network level, upgrade to Ubuntu 22.04 and reinstall K3S.
Azure IoT OPC UA Broker Preview
All
AssetEndpointProfiles
in the cluster must be configured with the same transport authentication certificate, otherwise the OPC UA Broker might exhibit random behavior. To avoid this issue when using transport authentication, configure all asset endpoints with the same thumbprint for the transport authentication certificate in the Azure IoT Operations (preview) portal.If you deploy an
AssetEndpointProfile
into the cluster and the OPC UA Broker can't connect to the configured endpoint on the first attempt, then the OPC UA Broker never retries to connect.As a workaround, first fix the connection problem. Then either restart all the pods in the cluster with pod names that start with "aio-opc-opc.tcp", or delete the
AssetEndpointProfile
and deploy it again.
OPC PLC simulator
If you create an asset endpoint for the OPC PLC simulator, but the OPC PLC simulator isn't sending data to the IoT MQ broker, run the following command to set autoAcceptUntrustedServerCertificates=true
for the asset endpoint:
ENDPOINT_NAME=<name-of-you-endpoint-here>
kubectl patch AssetEndpointProfile $ENDPOINT_NAME \
-n azure-iot-operations \
--type=merge \
-p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"'"$ENDPOINT_NAME"'\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'
Caution
Don't use this configuration in production or pre-production environments. Exposing your cluster to the internet without proper authentication might lead to unauthorized access and even DDOS attacks.
You can patch all your asset endpoints with the following command:
ENDPOINTS=$(kubectl get AssetEndpointProfile -n azure-iot-operations --no-headers -o custom-columns=":metadata.name")
for ENDPOINT_NAME in `echo "$ENDPOINTS"`; do \
kubectl patch AssetEndpointProfile $ENDPOINT_NAME \
-n azure-iot-operations \
--type=merge \
-p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"'"$ENDPOINT_NAME"'\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'; \
done
If the OPC PLC simulator isn't sending data to the IoT MQ broker after you create a new asset, restart the OPC PLC simulator pod. The pod name looks like aio-opc-opc.tcp-1-f95d76c54-w9v9c
. To restart the pod, use the k9s
tool to kill the pod, or run the following command:
kubectl delete pod aio-opc-opc.tcp-1-f95d76c54-w9v9c -n azure-iot-operations
Azure IoT Data Processor Preview
If you see deployment errors with Data Processor pods, make sure that when you created your Azure Key Vault you chose Vault access policy as the Permission model.
If the data processor extension fails to uninstall, run the following commands and try the uninstall operation again:
kubectl delete pod aio-dp-reader-worker-0 --grace-period=0 --force -n azure-iot-operations kubectl delete pod aio-dp-runner-worker-0 --grace-period=0 --force -n azure-iot-operations
If edits you make to a pipeline aren't applied to messages, run the following commands to propagate the changes:
kubectl rollout restart deployment aio-dp-operator -n azure-iot-operations kubectl rollout restart statefulset aio-dp-runner-worker -n azure-iot-operations kubectl rollout restart statefulset aio-dp-reader-worker -n azure-iot-operations
It's possible a momentary loss of communication with IoT MQ broker pods can pause the processing of data pipelines. You might also see errors such as
service account token expired
. If you notice this happening, run the following commands:kubectl rollout restart statefulset aio-dp-runner-worker -n azure-iot-operations kubectl rollout restart statefulset aio-dp-reader-worker -n azure-iot-operations
If data is corrupted in the Microsoft Fabric lakehouse table that your Data Processor pipeline is writing to, make sure that no other processes are writing to the table. If you write to the Microsoft Fabric lakehouse table from multiple sources, you might see corrupted data in the table.
Azure IoT Akri Preview
A sporadic issue might cause the aio-opc-asset-discovery
pod to restart with the following error in the logs: opcua@311 exception="System.IO.IOException: Failed to bind to address http://unix:/var/lib/akri/opcua-asset.sock: address already in use.
.
To work around this issue, use the following steps to update the DaemonSet specification:
Locate the target custom resource provided by
orchestration.iotoperations.azure.com
with a name that ends with-ops-init-target
:kubectl get targets -n azure-iot-operations
Edit the target configuration and find the
spec.components.aio-opc-asset-discovery.properties.resource.spec.template.spec.containers.env
parameter. For example:kubectl edit target solid-zebra-97r6jr7rw43vqv-ops-init-target -n azure-iot-operations
Add the following environment variables to the
spec.components.aio-opc-asset-discovery.properties.resource.spec.template.spec.containers.env
configuration section:- name: ASPNETCORE_URLS value: http://+8443 - name: POD_IP valueFrom: fieldRef: fieldPath: "status.podIP"
Save your changes. The final specification looks like the following example:
apiVersion: orchestrator.iotoperations.azure.com/v1 kind: Target metadata: name: <cluster-name>-target namespace: azure-iot-operations spec: displayName: <cluster-name>-target scope: azure-iot-operations topologies: ... version: 1.0.0.0 components: ... - name: aio-opc-asset-discovery type: yaml.k8s properties: resource: apiVersion: apps/v1 kind: DaemonSet metadata: labels: app.kubernetes.io/part-of: aio name: aio-opc-asset-discovery spec: selector: matchLabels: name: aio-opc-asset-discovery template: metadata: labels: app.kubernetes.io/part-of: aio name: aio-opc-asset-discovery spec: containers: - env: - name: ASPNETCORE_URLS value: http://+8443 - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP - name: DISCOVERY_HANDLERS_DIRECTORY value: /var/lib/akri - name: AKRI_AGENT_REGISTRATION value: 'true' image: >- edgeappmodel.azurecr.io/opcuabroker/discovery-handler:0.4.0-preview.3 imagePullPolicy: Always name: aio-opc-asset-discovery ports: ... resources: ... volumeMounts: ... volumes: ...
Azure IoT Operations Preview portal
To sign in to the Azure IoT Operations portal, you need a Microsoft Entra ID account with at least contributor permissions for the resource group that contains your Kubernetes - Azure Arc instance. You can't sign in with a Microsoft account (MSA). To create an account in your Azure tenant:
- Sign in to the Azure portal with the same tenant and user name that you used to deploy Azure IoT Operations.
- In the Azure portal, navigate to the Microsoft Entra ID section, select Users > +New user > Create new user. Create a new user and make a note of the password, you need it to sign in later.
- In the Azure portal, navigate to the resource group that contains your Kubernetes - Azure Arc instance. On the Access control (IAM) page, select +Add > Add role assignment.
- On the Add role assignment page, select Privileged administrator roles. Then select Contributor and then select Next.
- On the Members page, add your new user to the role.
- Select Review and assign to complete setting up the new user.
You can now use the new user account to sign in to the Azure IoT Operations portal.
Phản hồi
https://aka.ms/ContentUserFeedback.
Sắp ra mắt: Trong năm 2024, chúng tôi sẽ dần gỡ bỏ Sự cố với GitHub dưới dạng cơ chế phản hồi cho nội dung và thay thế bằng hệ thống phản hồi mới. Để biết thêm thông tin, hãy xem:Gửi và xem ý kiến phản hồi dành cho