AWS IoT Greengrass can run in a Docker container. You can use the Dockerfile in this package to build a container image that runs on x86_64 platforms. The resulting Greengrass Docker image is 532 MB in size.
To build a Docker image that runs on other platforms supported by the AWS IoT Greengrass Core software (such as Armv7l or AArch64), edit the Dockerfile as described in the "Enable Multi-Platform Support for the AWS IoT Greengrass Docker Image" section.
To reduce the size of the Greengrass Docker image, see the "Reduce the Size of the AWS IoT Greengrass Docker Image" section.
Note: To learn how to run a Greengrass Docker image for x86_64 platform instead of building one, see the "Running AWS IoT Greengrass in a Docker Container" tutorial (https://docs.aws.amazon.com/greengrass/latest/developerguide/run-gg-in-docker-container.html).
This guide will show you how to:
x86_64.amazonlinux:2.docker-compose to build and run AWS IoT Greengrass (v1.7.0 or later) in the Docker container.init support is required.If you're using a Linux computer to run Docker, you must enable symlink and hardlink protection and IPv4 network forwarding. On Mac and Windows computers, these settings are already enabled in the virtual machine that Docker runs in.
Run the following commands in the host computer's terminal.
The symlink and hardlink protection settings must be enabled to run the AWS IoT Greengrass core software.
echo 1 > /proc/sys/fs/protected_hardlinks
echo 1 > /proc/sys/fs/protected_symlinksecho '# AWS Greengrass' >> /etc/sysctl.conf
echo 'fs.protected_hardlinks = 1' >> /etc/sysctl.conf
echo 'fs.protected_symlinks = 1' >> /etc/sysctl.conf
sysctl -pNote: You may need to use sudo to run these commands.
IPv4 network forwarding must be enabled for AWS IoT Greengrass cloud deployment and MQTT communications to work.
/etc/sysctl.conf file to set net.ipv4.ip_forward to 1 and then reload sysctls:sudo nano /etc/sysctl.conf
# set this net.ipv4.ip_forward = 1
sudo sysctl -pNote: You can use the editor of your choice in place of nano.
If you don't enable this setting, you receive an error message such as WARNING: IPv4 is disabled. Networking will not work. For more information, see "Configure namespaced kernel parameters (sysctls) at runtime" (https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime).
Currently, the Greengrass Docker image is about 532 MB. Most of this size is attributed to the heavy amazonlinux Docker base image that AWS IoT Greengrass runs on.
Use following techniques to reduce the size of your Greengrass Docker image. Otherwise, continue to the "Running AWS IoT Greengrass in a Docker Container" procedure.
| Base Image | Installed Dependencies | Platform | Size | Instructions | |---------------+------------------------+----------+-------+-------------------------------------| | AmazonLinux:2 | Python, Nodejs, Java | x86_64 | 532MB | Default Dockerfile | | AmazonLinux:2 | Python | x86_64 | 370MB | Reduce Lambda Runtime Installations | | Alpine:3.8 | Python | x86_64 | 95MB | Change the Base Docker Image |
The following steps show how to build the Docker image from the Dockerfile and configure AWS IoT Greengrass to run in a Docker container.
1- Download and decompress the aws-greengrass-docker-1.9.2 package.
2- In a terminal, run the following commands in the location where you decompressed the aws-greengrass-docker-1.9.2 package.
docker login
cd ~/Downloads/aws-greengrass-docker-1.9.2
docker build -t "x86_64/aws-iot-greengrass:1.9.2" ./Note: If you have docker-compose installed, you can run the following commands instead:
docker login
cd ~/Downloads/aws-greengrass-docker-1.9.2
docker-compose -f docker-compose.yml buildNote: If you want to use a smaller size docker image, run below command:
docker-compose -f docker-compose.alpine-x86-64.yml build3- Verify that the Greengrass Docker image was built.
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
x86-64/aws-iot-greengrass 1.9.2 3f152d6707c8 17 seconds ago 532MBIf you want to build docker images for armv7l platform, follow below steps on RaspberryPi with Docker and Docker-compose installed.
1- Download and decompress the aws-greengrass-docker-1.9.2 package.
2- In a terminal, run the following commands in the location where you decompressed the aws-greengrass-docker-1.9.2 package.
docker login
cd ~/Downloads/aws-greengrass-docker-1.9.2
docker build -t "armv7l/aws-iot-greengrass:1.9.2" -f Dockerfile.alpine-armv7l ./Note: If you have docker-compose installed, you can run the following commands instead:
docker login
cd ~/Downloads/aws-greengrass-docker-1.9.2
docker-compose -f docker-compose.alpine-armv7l.yml build3- Verify that the Greengrass Docker image was built.
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
armv7l/aws-iot-greengrass 1.9.2 3f152d6707c8 17 seconds ago 532MB1- Download and decompress the aws-greengrass-docker-1.9.2 package using a utility like WinZip or 7-Zip.
2- Using Notepad++, convert the greengrass-entrypoint.sh file to use Unix-style line endings. For more information, see "Converting from Windows-style to UNIX-style line endings" (https://support.nesi.org.nz/hc/en-gb/articles/218032857-Converting-from-Windows-style-to-UNIX-style-line-endings).
Otherwise, you will get this error while running the build Docker image: [FATAL tini (6)] exec /greengrass-entrypoint.sh failed: No such file or directory.
a. Open greengrass-entrypoint.sh in Notepad++.
b. In the "Edit" menu, choose "EOL Conversion", and then choose "UNIX (LF)".
c. Save the file.
3- In a command prompt, run the following command in the location where you decompressed the aws-greengrass-docker-1.9.2 package.
docker login
cd C:\Users\%USERNAME%\Downloads\aws-greengrass-docker-1.9.2
docker build -t "x86_64/aws-iot-greengrass:1.9.2" ./Note: If you have docker-compose installed, you can run the following commands instead:
docker login
cd C:\Users\%USERNAME%\Downloads\aws-greengrass-docker-1.9.2
docker-compose -f docker-compose.yml build4- Verify that the Greengrass Docker image was built.
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
x86-64/aws-iot-greengrass 1.9.2 3f152d6707c8 17 seconds ago 532MB1- Use the AWS IoT Greengrass console to create a Greengrass group. Follow the steps in "Configure AWS IoT Greengrass on AWS IoT" (https://docs.aws.amazon.com/greengrass/latest/developerguide/gg-config.html). This process includes downloading certificates and the core configuration file.
Skip step 8b of the procedure because AWS IoT Greengrass core and its runtime dependencies are already set up in the Docker image.
2- Decompress the certificates and config file that you downloaded into your working directory where Dockerfile and docker-compose.yml are located. For example: (replace guid in your command)
cp ~/Downloads/guid-setup.tar.gz ~/Downloads/aws-greengrass-docker-1.9.2
cd ~/Downloads/aws-greengrass-docker-1.9.2
tar xvzf guid-setup.tar.gz3- Download the root CA certificate into the directory where you decompressed the certificates and configuration file. The certificates enable your device to communicate with AWS IoT using the MQTT messaging protocol over TLS. For more information, including how to choose the appropriate root CA certificate, see the documentation on "Server Authentication in AWS IoT Core" (https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html).
Important: Your root CA certificate must match your endpoint, which uses Amazon Trust Services (ATS) server authentication (preferred) or legacy server authentication. You can find your endpoint on the Settings page in the AWS IoT Core console.
ats segment (for example: <prefix>-ats.iot.us-west-2.amazonaws.com).AmazonRootCA1.pem root CA certificate.
cd ~/Downloads/aws-greengrass-docker-1.9.2/certs
sudo wget -O root.ca.pem https://www.amazontrust.com/repository/AmazonRootCA1.pemats segment (for example: <prefix>.iot.us-west-2.amazonaws.com).
Make sure the Docker host is connected to the internet, and run the following command.
cd ~/Downloads/aws-greengrass-docker-1.9.2/certs
sudo wget -O root.ca.pem https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem4- Run the following command to confirm that the root.ca.pem file is not empty.
cat ~/Downloads/aws-greengrass-docker-1.9.2/certs/root.ca.pem1- Use the AWS IoT Greengrass console to create a Greengrass group. Follow the steps in "Configure AWS IoT Greengrass on AWS IoT" (https://docs.aws.amazon.com/greengrass/latest/developerguide/gg-config.html). This process includes downloading certificates and the core configuration file.
Skip step 8b of the procedure because AWS IoT Greengrass core and its runtime dependencies are already set up in the Docker image.
2- Decompress the certificates and config file that you downloaded into your working directory where Dockerfile and docker-compose.yml are located. Use a utility like WinZip or 7-Zip to decompress <guid>-setup.tar.gz to C:\Users\%USERNAME%\Downloads\aws-greengrass-docker-1.9.2\.
3- Download the root CA certificate into the directory where you decompressed the certificates and configuration file. The certificates enable your device to communicate with AWS IoT using the MQTT messaging protocol over TLS. For more information, including how to choose the appropriate root CA certificate, see the documentation on "Server Authentication in AWS IoT Core" (https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html).
Important: Your root CA certificate must match your endpoint, which uses Amazon Trust Services (ATS) server authentication (preferred) or legacy server authentication. You can find your endpoint on the Settings page in the AWS IoT Core console.
ats segment (for example: <prefix>-ats.iot.us-west-2.amazonaws.com).curl installed, run the following commands in your command prompt. This example uses the AmazonRootCA1.pem root CA certificate.
cd C:\Users\%USERNAME%\Downloads\aws-greengrass-docker-1.9.2\certs
curl https://www.amazontrust.com/repository/AmazonRootCA1.pem -o root.ca.pemats segment (for example: <prefix>.iot.us-west-2.amazonaws.com).curl installed, run the following commands in your command prompt.
cd C:\Users\%USERNAME%\Downloads\aws-greengrass-docker-1.9.2\certs
curl https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem -o root.ca.pemNote: If you don't have curl installed, follow these steps:
AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem).root.ca.pem in the C:\Users\%USERNAME%\Downloads\aws-greengrass-docker-1.9.2\certs directory, which contains the decompressed certificates. Depending on your browser, save the file directly from the browser or copy the displayed key to the clipboard and save it in Notepad.4- Run the following command to confirm that the root.ca.pem file is not empty.
type C:\Users\%USERNAME%\Downloads\aws-greengrass-docker-1.9.2\certs\root.ca.pem1- In the terminal, run the following command:
To run the container using the default x86_64 configuration
docker run --rm --init -it --name aws-iot-greengrass \
--entrypoint /greengrass-entrypoint.sh \
-v ~/Downloads/aws-greengrass-docker-1.9.2/certs:/greengrass/certs \
-v ~/Downloads/aws-greengrass-docker-1.9.2/config:/greengrass/config \
-p 8883:8883 \
x86_64/aws-iot-greengrass:1.9.2Note: If you have docker-compose installed, you can run the following commands instead:
cd ~/Downloads/aws-greengrass-docker-1.9.2
docker-compose -f docker-compose.yml down
docker-compose -f docker-compose.yml upThe output should look like this example:
Setting up greengrass daemon
Validating hardlink/softlink protection
Waiting for up to 30s for Daemon to start
Greengrass successfully started with PID: 10Note: This command starts AWS IoT Greengrass and bind-mounts the certificates and config file. This will keep the interactive shell open, so that the Greengrass container can be removed/released later. You can find "Debugging" steps below if the container doesn't open the shell and exits immediately.
1- In the terminal, run the following command:
To run the container using the armv7l platform such as RaspberryPi.
docker run --rm --init -it --name aws-iot-greengrass \
--entrypoint /greengrass-entrypoint.sh \
-v ~/Downloads/aws-greengrass-docker-1.9.2/certs:/greengrass/certs \
-v ~/Downloads/aws-greengrass-docker-1.9.2/config:/greengrass/config \
-p 8883:8883 \
armv7l/aws-iot-greengrass:1.9.2Note: If you have docker-compose installed, you can run the following commands instead:
cd ~/Downloads/aws-greengrass-docker-1.9.2
docker-compose -f docker-compose.alpine-armv7l.yml down
docker-compose -f docker-compose.alpine-armv7l.yml upThe output should look like this example:
Setting up greengrass daemon
Validating hardlink/softlink protection
Waiting for up to 30s for Daemon to start
Greengrass successfully started with PID: 10Note: This command starts AWS IoT Greengrass and bind-mounts the certificates and config file. This will keep the interactive shell open, so that the Greengrass container can be removed/released later. You can find "Debugging" steps below if the container doesn't open the shell and exits immediately.
1- In the command prompt, run the following command:
docker run --rm --init -it --name aws-iot-greengrass --entrypoint /greengrass-entrypoint.sh -v c:/Users/%USERNAME%/Downloads/aws-greengrass-docker-1.9.2/certs:/greengrass/certs -v c:/Users/%USERNAME%/Downloads/aws-greengrass-docker-1.9.2/config:/greengrass/config -p 8883:8883 x86-64/aws-iot-greengrass:1.9.2Note: If you have docker-compose installed, you can run the following commands instead:
cd C:/Users/%USERNAME%/Downloads/aws-greengrass-docker-1.9.2
docker-compose -f docker-compose.yml down
docker-compose -f docker-compose.yml upDocker will prompt you to share your C:\ drive with the Docker daemon. Allow it to bind-mount the C:\ directory inside the Docker container. For more information, see "Shared drives" (https://docs.docker.com/docker-for-windows/#shared-drives) in the Docker documentation.
The output should look like this example:
Setting up greengrass daemon
Validating hardlink/softlink protection
Waiting for up to 30s for Daemon to start
Greengrass successfully started with PID: 10Note: This command starts AWS IoT Greengrass and bind-mounts the certificates and config file. This will keep the interactive shell open, so that the Greengrass container can be removed/released later. You can find "Debugging" steps below if the container doesn't open the shell and exits immediately.
When you run AWS IoT Greengrass in a Docker container, all Lambda functions must run without containerization. In this step, you set the the default containerization for the group to "No container". You must do this before you deploy the group for the first time.
1- In the AWS IoT console, choose "Greengrass", and then choose "Groups".
2- Choose the group whose settings you want to change.
3- Choose "Settings".
4- Under "Lambda runtime environment", choose "No container".
For more information, see "Setting Default Containerization for Lambda Functions in a Group" (https://docs.aws.amazon.com/greengrass/latest/developerguide/lambda-group-config.html#lambda-containerization-groupsettings).
Note: By default, Lambda functions use the group containerization setting. If you override the "No container" setting for any Lambda functions when AWS IoT Greengrass is running in a Docker container, the deployment fails.
You can deploy long-lived Lambda functions to the Greengrass Docker container.
1- Follow the steps in "Module 3 (Part 1): Lambda Functions on AWS IoT Greengrass" (https://docs.aws.amazon.com/greengrass/latest/developerguide/module3-I.html) to deploy a long-lived Hello-World Lambda function to the container.
To debug issues with the container, you can persist the runtime logs or attach an interactive shell.
You can run the AWS IoT Greengrass Docker container after bind-mounting the /greengrass/ggc/var/log directory to persist logs even after the container has exited or is removed.
Run the following command in the terminal.
docker run --rm --init -it --name aws-iot-greengrass \
--entrypoint /greengrass-entrypoint.sh \
-v ~/Downloads/aws-greengrass-docker-1.9.2/certs:/greengrass/certs \
-v ~/Downloads/aws-greengrass-docker-1.9.2/config:/greengrass/config \
-v ~/Downloads/aws-greengrass-docker-1.9.2/log:/greengrass/ggc/var/log \
-p 8883:8883 \
<platform>/aws-iot-greengrass:1.9.2You can then check your logs at ~/Downloads/aws-greengrass-docker-1.9.2/log on your host to see what happened while Greengrass was running inside the Docker container.
Run the following command in the command prompt.
cd C:\Users\%USERNAME%\Downloads\aws-greengrass-docker-1.9.2
mkdir log
docker run --rm --init -it --name aws-iot-greengrass --entrypoint /greengrass-entrypoint.sh -v c:/Users/%USERNAME%/Downloads/aws-greengrass-docker-1.9.2/certs:/greengrass/certs -v c:/Users/%USERNAME%/Downloads/aws-greengrass-docker-1.9.2/config:/greengrass/config -v c:/Users/%USERNAME%/Downloads/aws-greengrass-docker-1.9.2/log:/greengrass/ggc/var/log -p 8883:8883 x86-64/aws-iot-greengrass:1.9.2You can then check your logs at c:/Users/%USERNAME%/Downloads/aws-greengrass-docker-1.9.2/log on your host to see what happened while Greengrass was running inside the Docker container.
You can attach an interactive shell to a running AWS IoT Greengrass Docker container. This can help you to investigate the state of the Greengrass Docker container.
Run the following command in the terminal.
docker exec -it $(docker ps -a -q -f "name=aws-iot-greengrass") /bin/bashRun the following commands in the command prompt.
docker ps -a -q -f "name=aws-iot-greengrass"Replace <GG_CONTAINER_ID> with the container_id result from the previous command.
docker exec -it <GG_CONTAINER_ID> /bin/bashTo stop the AWS IoT Greengrass Docker Container, press Ctrl+C in your terminal or command prompt.
This action will send SIGTERM to the Greengrass daemon process to tear down the Greengrass daemon process and all Lambda processes that were started by the daemon process. The Docker container is initialized with /dev/init process as PID 1, which helps in removing any leftover zombie processes. For more information, see the Docker run reference: https://docs.docker.com/engine/reference/commandline/run/#options.
Firewall Detected while Sharing Drives when running Docker on a Windows computer, see the following Docker article for troubleshooting help: https://success.docker.com/article/error-a-firewall-is-blocking-file-sharing-between-windows-and-the-containers. This error can also occur if you are logged in on a Virtual Private Network (VPN) and your network settings are preventing the shared drive from being mounted. In that situation, turn off VPN and re-run the Docker container.Cannot create container for the service greengrass: Conflict. The container name "/aws-iot-greengrass" is already in use. This is because the container name is used by the older run. To resolve this, remove the old Docker container by running: docker rm -f $(docker ps -a -q -f "name=aws-iot-greengrass")[FATAL]-Failed to reset thread's mount namespace due to an unexpected error: "operation not permitted". To maintain consistency, GGC will crash and need to be manually restarted. in /greengrass/ggc/var/log/system/runtime.log. This is most probably caused by deploying a GreengrassContainer lambda to GGC running in Docker Container as this use-case is not yet supported. All the lambdas should be deployed in NoContainer mode. To fix this, disregard the current deployment stuck In Progress. Start a new deployment and make sure that all the lambdas are deployed in NoContainer mode. After that, while starting the GGC Docker Container, do not bind-mount the existing deployment directory onto GGC Docker Container. Create a new empty deployment directory in its place and bind-mount that in the GGC Docker container instead. New GGC Docker Container should receive the latest deployment with lambdas running in NoContainer mode.