Iotedge: edgeHub System.Net.Sockets.SocketException (13): Permission denied

Created on 29 Dec 2018  路  7Comments  路  Source: Azure/iotedge

Context (Environment)

Device (Host) Operating System

TinkerOS v2.0.8 (Debian stretch based)

Architecture

armv7l

Runtime Versions

iotedged

iotedge 1.0.5

Edge Agent

Version - 1.0.5.19141174

Docker

Docker version 3.0.2

Logs

2018-12-29 06:10:47.175 +00:00 [FTL] - Unable to start Kestrel.
System.Net.Sockets.SocketException (13): Permission denied
   at System.Net.Sockets.Socket.UpdateStatusAfterSocketErrorAndThrowException(SocketError error, String callerName)
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.SocketTransport.BindAsync()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.<>c__DisplayClass22_0`1.<<StartAsync>g__OnBind|0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindEndpointAsync(ListenOptions endpoint, AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.EndpointsStrategy.BindAsync(AddressBindContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.AddressBinder.BindAsync(IServerAddressesFeature addresses, KestrelServerOptions serverOptions, ILogger logger, Func`2 createBinding)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.StartAsync[TContext](IHttpApplication`1 application, CancellationToken cancellationToken)
2018-12-29 06:10:47.314 +00:00 [INF] - Stopping

Additional Information

Like #9

linaro@tinkerboard:~$ df -T
Filesystem     Type     1K-blocks    Used Available Use% Mounted on
/dev/root      ext4      15018488 5975044   8388200  42% /
devtmpfs       devtmpfs   1021496       0   1021496   0% /dev
tmpfs          tmpfs      1030200       0   1030200   0% /dev/shm
tmpfs          tmpfs      1030200   17128   1013072   2% /run
tmpfs          tmpfs         5120       4      5116   1% /run/lock
tmpfs          tmpfs      1030200       0   1030200   0% /sys/fs/cgroup
/dev/mmcblk1p1 vfat         64511    7856     56655  13% /boot
tmpfs          tmpfs       206040       8    206032   1% /run/user/1000
linaro@tinkerboard:~$ zcat /proc/config.gz | grep CONFIG_EXT
CONFIG_EXTRA_FIRMWARE=""
CONFIG_EXTCON=y
# CONFIG_EXTCON_ADC_JACK is not set
# CONFIG_EXTCON_GPIO is not set
# CONFIG_EXTCON_RT8973A is not set
# CONFIG_EXTCON_SM5502 is not set
# CONFIG_EXTCON_USB_GPIO is not set
# CONFIG_EXT2_FS is not set
# CONFIG_EXT3_FS is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_USE_FOR_EXT2=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
# CONFIG_EXT4_ENCRYPTION is not set
# CONFIG_EXT4_DEBUG is not set
linaro@tinkerboard:~$ zcat /proc/config.gz | grep CONFIG_SECURITY
# CONFIG_SECURITY_DMESG_RESTRICT is not set
# CONFIG_SECURITY_PERF_EVENTS_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_PATH=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_SECURITY_YAMA=y
linaro@tinkerboard:~$
customer-reported iotedge

Most helpful comment

If you don't need the https endpoint - would only be required to connect downstream devices via https - you could try to disable the endpoint.
Add this environment variable to the edgeHub settings:

httpSettings__enabled Value=false
Then you can also remove the exposed port for 443 from the creation options for the Edge Hub.

All 7 comments

This is most likely being caused by the Edge Hub attempting to bind to a port < 1024 (443 https). By default, the Edge Hub executable is setup with setcap CAP_NET_BIND_SERVICE so that it can bind to 443 as an unprivileged user.

It's possible that this error is being caused by a filesystem that doesn't support the capability bit or some other system such as SELinux or AppArmor is blocking binding.

If you don't need the https endpoint - would only be required to connect downstream devices via https - you could try to disable the endpoint.
Add this environment variable to the edgeHub settings:

httpSettings__enabled Value=false
Then you can also remove the exposed port for 443 from the creation options for the Edge Hub.

Thanks @myagley @sebader .

I really thank you for very useful conversation.
I also have same problem:)

This post is very helpful. Thank you so much for your sharing.
I aslo meeting same issue while I'm using 32bit edge-hub docker images (mcr.microsoft.com/azureiotedge-hub:1.0.6-linux-arm32v7) on one arm64bit platform. If I want to use https endpoint, may I know how can I fix the issue?

We're facing the same issue - https://github.com/Azure/iotedge/issues/9#issuecomment-404805920 provided a possible fix and we'll continue by checking the kernel compatibility in general (https://blog.hypriot.com/post/verify-kernel-container-compatibility/).

Was this page helpful?
0 / 5 - 0 ratings

Related issues

rajatkumarsarma picture rajatkumarsarma  路  4Comments

alaendle picture alaendle  路  5Comments

prashbv picture prashbv  路  6Comments

shizn picture shizn  路  6Comments

josiahlaivins picture josiahlaivins  路  6Comments