How to check host device access through a custom module and edge module?

Thomas SIMON 0 Reputation points
2025-07-31T15:47:23.01+00:00

Hello,

I am trying to deploy an image on an IoT Edge device, and I double-checked it using the docker run equivalent.

I don't get the same behavior inside the module. I can't see all of the host's network devices, or all devices in /dev/, for example.

Is there a specific configuration to add to the edge agent or to the configuration of the Moby engine?

Below is an example I tried:

{
  "image": "ubuntu:latest",
  "createOptions": {
    "HostConfig": {
      "Privileged": true,
      "NetworkMode": "host",
      "Devices": [
        {
          "PathOnHost": "/dev/",
          "PathInContainer": "/dev/",
          "CgroupPermissions": "mrw"
        }
      ],
      "CapAdd": [
        "NET_ADMIN",
        "SYS_ADMIN"
      ]
    },
    "Entrypoint": ["/bin/bash"],
    "Cmd": ["-c", "whoami; lsblk; lsusb; ls -l /dev/"]
  }
}
Azure IoT Edge
An Azure service that is used to deploy cloud workloads to run on internet of things (IoT) edge devices via standard containers.

1 answer

  1. Jerald Felix 4,450 Reputation points
    2025-07-31T16:11:18.3366667+00:00

    Hello Thomas SIMON!

    When running a custom module on Azure IoT Edge, if you want your container to access host devices (like all network interfaces or everything under /dev/), you need both the correct Edge deployment settings and support from the underlying container runtime (Moby/Docker). Your sample createOptions look mostly correct for full device and network access, but there are a few specifics and caveats to be aware of:

    Key configuration requirements:

    • Privileged mode: "Privileged": true is needed for full host access. However, Azure IoT Edge restricts privileged mode by default as a security measure. You must explicitly enable privileged containers on your edge device.

    • Host networking: "NetworkMode": "host" lets the container share the network stack with the host. This is correctly set in your example.

    • Device mapping: The "Devices" option tries to map everything from /dev/, which is a broad approach. While in a typical Docker run this gives access, Azure IoT Edge imposes additional limitations for security.

    Important checks:

    Enable Privileged mode in Edge settings: On your edge device, you must update (or create) the config.yaml for IoT Edge and set:

    moby_runtime:
      allow_privileged_containers: true

    Then restart the iotedge service:

    sudo systemctl restart iotedge

    Linux security restrictions: Some devices may be hidden by default (AppArmor, SELinux, or system-specific Docker config). Check /etc/docker/daemon.json for device whitelists or additional runtime security modules.

    Edge module capabilities: Ensure your deployment manifest is not being overridden/filtered by Azure IoT Edge security policies or device twin settings.

    Moby Engine constraints: The underlying Moby engine can sometimes further restrict actual device mounting even with these options—especially on managed or cloud-provisioned edge setups.

    Practical advice:

    After applying the above settings and restarting, try simple test modules to see which devices appear within /dev/, and watch logs for errors.

    Note: Full host access in production environments is discouraged due to security risks; give only as much access as your application needs.

    Limit "Devices" to the required paths if possible, for example:

    "Devices": [
      {
        "PathOnHost": "/dev/ttyUSB0",
        "PathInContainer": "/dev/ttyUSB0",
        "CgroupPermissions": "mrw"
      }
    ]

    If you follow these steps and still can't see your devices, check the IoT Edge and Moby logs for any error or warning messages, and ensure no external security systems block access.

    Best regards,

    Jerald Felix
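The answer's advice amounts to two checks on a module's createOptions: know which settings widen the module's view of the host (privileged mode, host networking, mapping all of /dev/, broad capabilities), and narrow "Devices" to the paths the module actually needs. The following is an added example, not code from the question, the answer or the IoT Edge project: a small Python linter that reads a module's createOptions (either as the JSON string a deployment manifest embeds, or as a parsed dict), reports each of those settings, and produces a least-privilege variant. The `BROAD_CAPS` list, the function names and the sample createOptions (reconstructed from the question) are this example's own assumptions.

```python
"""Audit IoT Edge module createOptions for over-broad host access (added example)."""
import json
from typing import Any, Dict, List, Sequence, Union

# Capabilities that effectively hand a module control of the host kernel or
# network stack. Constructed list for this example, not an IoT Edge setting.
BROAD_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "NET_ADMIN"}

CreateOptions = Union[str, Dict[str, Any]]

# Constructed sample: the HostConfig from the question, as the deployment
# manifest would carry it (a JSON string inside the module's settings).
QUESTION_CREATE_OPTIONS = (
    '{"HostConfig":{"Privileged":true,"NetworkMode":"host",'
    '"Devices":[{"PathOnHost":"/dev/","PathInContainer":"/dev/",'
    '"CgroupPermissions":"mrw"}],"CapAdd":["NET_ADMIN","SYS_ADMIN"]}}'
)


def load_create_options(raw: CreateOptions) -> Dict[str, Any]:
    """Accept the manifest's JSON string or an already-parsed dict."""
    return json.loads(raw) if isinstance(raw, str) else raw


def audit_create_options(raw: CreateOptions) -> List[str]:
    """Return one finding per HostConfig setting that widens host access."""
    host = load_create_options(raw).get("HostConfig", {})
    findings: List[str] = []

    if host.get("Privileged") is True:
        findings.append("Privileged=true grants every capability and every host "
                        "device node; Devices and CapAdd become redundant")
    if host.get("NetworkMode") == "host":
        findings.append("NetworkMode=host shares the host network namespace, so "
                        "the module sees all interfaces and can bind any port")
    for dev in host.get("Devices", []):
        path = dev.get("PathOnHost", "")
        if path.rstrip("/") in ("", "/dev"):
            findings.append(f"Devices maps {path!r}: the whole of /dev/ instead "
                            "of the nodes the module needs")
    broad = sorted(BROAD_CAPS & set(host.get("CapAdd", [])))
    if broad:
        findings.append(f"CapAdd includes {', '.join(broad)}: near-root power "
                        "over the host kernel or network stack")
    return findings


def least_privilege(raw: CreateOptions, device_paths: Sequence[str],
                    caps: Sequence[str] = ()) -> Dict[str, Any]:
    """Rewrite createOptions so the module gets exactly the listed device
    nodes and capabilities, the default bridge network, and nothing else."""
    opts = json.loads(json.dumps(load_create_options(raw)))  # deep copy
    host = opts.setdefault("HostConfig", {})
    host.pop("Privileged", None)
    host.pop("NetworkMode", None)
    # "rw" only: drop the 'm' (mknod) permission the question's sample had.
    host["Devices"] = [{"PathOnHost": p, "PathInContainer": p,
                        "CgroupPermissions": "rw"} for p in device_paths]
    if caps:
        host["CapAdd"] = list(caps)
    else:
        host.pop("CapAdd", None)
    return opts


def to_manifest_string(opts: Dict[str, Any]) -> str:
    """Serialize back to the compact string form a deployment manifest embeds."""
    return json.dumps(opts, separators=(",", ":"))


if __name__ == "__main__":
    for finding in audit_create_options(QUESTION_CREATE_OPTIONS):
        print("finding:", finding)
    hardened = least_privilege(QUESTION_CREATE_OPTIONS, ["/dev/ttyUSB0"])
    print("hardened createOptions:", to_manifest_string(hardened))
    print("remaining findings:", audit_create_options(hardened))
```

Run against the question's createOptions it reports all four settings; the hardened variant maps only /dev/ttyUSB0 read-write on the default network and passes the audit with no findings. If the module genuinely needs a capability, pass it in `caps` so the decision is explicit in the manifest rather than implied by privileged mode.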

