Introduction

Earlier this month/week, we announced that you can now benefit from the combined power of Ubuntu Core and Azure IoT Edge to bring the computation, storage, and AI capabilities of the cloud closer to the edge of the network. Azure IoT Edge is a device-focused runtime that enables you to deploy, run, and monitor containerised Linux workloads. Ubuntu Core is a version of Ubuntu that has been specially optimised for IoT and embedded systems. The combination of the two is ideal for those looking for reduced latency, lower bandwidth, and more efficient data processing. 

This tutorial helps you get started using an Ubuntu Core device and managing it from the Azure IoT Hub. Azure IoT Hub is the cloud platform which allows you to connect to, configure and deploy Edge workloads directly to your device.

Setting up Ubuntu Core

Ubuntu Core is a minimal, immutable version of Ubuntu focused on providing a reliable and secure platform for connected devices. 

Create an Ubuntu SSO Account

Before you can create an Ubuntu Core device, you need to ensure you can connect to it after initial configuration. This will require an Ubuntu SSO account and an SSH keypair. 

You can skip this step if you already have an account. If you do not have an SSO account, you can sign up for one here:

https://login.ubuntu.com/

SSH Keys

In order to authenticate yourself when trying to connect to your Ubuntu Core device, you will need to upload a public SSH key to your SSO account. This will then be automatically downloaded to the Core device during initial configuration.

To generate and upload an SSH key pair, please follow the steps detailed in the link below:

Connect to Ubuntu Core with SSH

You may also want to come back to this information once you have configured your Core device in the next stage.

Obtaining and configuring an Ubuntu Core Device

For the next stage in the process you will need an IoT device running Ubuntu Core. This can either be a physical device, such as a raspberry pi, or  a virtual device on your desktop. 

You can find all the available Ubuntu Core images, ready to download at: https://ubuntu.com/certified/iot 

To set up a virtual device, you can use QEMU to emulate your desired hardware. Please follow these instructions to complete this phase:

Testing Ubuntu Core with QEMU

Independently of which option you chose, you should now have a fully working Ubuntu Core device that you can connect to via SSH. You are now ready to provision it for Microsoft Azure.

Installing Azure IoT Edge Snaps

Having created and connected to your Ubuntu Core device, the next step is to install the Azure snaps.

Microsoft provides four snaps for your Ubuntu Core device: 

• The Identity snap authenticates your device with the Azure cloud.
• The Device Agent snap ensures your device is up-to-date. 
• The Edge snap manages your cloud-deployed workloads on the device. 
• The Delivery Optimization agent manages downloads of payloads from the Azure cloud.

In addition, Azure’s workloads are distributed as Docker containers and you therefore need to install the Docker Snap to run these.

All five snaps can be installed from your SSH terminal using the following commands:

snap install azure-iot-identity

snap install azure-iot-edge

snap install deviceupdate-agent

snap install deliveryoptimization-agent

snap install docker

Note: if you are being asked to use sudo to run snap install, you may need to authenticate yourself with the snap store using sudo snap login <email address>. This will then allow you to perform all snap commands without root privileges.

Wiring up slots and plugs

By default, snaps are dependency-free, untrusted, and strictly confined hence they must be connected to other snaps and system resources once installed using interfaces. Each snap has a selection of plugs and slots that either request or provide certain access. For production deployments, they can be configured to automatically connect to reduce the provisioning workload but to get started you may need to manually configure some of them to ensure they have all the permissions they need.

If installing the snaps from the global snap store, most interfaces will already be connected for you, however there are a few you may need to manually configure.

From an SSH terminal, you can check which interfaces are already connected using the following commands for each snap:

undefined

snap connections azure-iot-identity

snap connections azure-iot-edge

snap connections deviceupdate-agent

snap connections deliveryoptimization

For each snap you will be presented with a list of the interfaces. If the slot is empty, it may need connecting. For example, if you get the following response from snap connections azure-iot-identity:

We can see that some interfaces have been connected but the identity snap can not access hostname information, log information, mount information, system information or the tpm. We need to manually connect them which we can do from our terminal:

undefined

snap connect azure-iot-identity:log-observe

snap connect azure-iot-identity:mount-observe

snap connect azure-iot-identity:system-observe

snap connect azure-iot-identity:tpm

snap connect azure-iot-identity:hostname-control

The format of this command is snap connect <plug> <slot> but as we are connecting to snapd system slots we do not need to specify them. 

IoT Edge

For the IoT Edge agent, we can go through a similar process but this time we also want to connect from one snap (Edge agent) to another (Docker). The following commands should cover all unconnected interfaces.

# Connect to logging and grant permission to query system info

snap connect azure-iot-edge:log-observe

snap connect azure-iot-edge:mount-observe

snap connect azure-iot-edge:system-observe

snap connect azure-iot-edge:hostname-control

# Connect IoT Edge to Docker

snap connect azure-iot-edge:docker docker:docker-daemon

IoT Device agent

undefined

# Connect to logging and grant permission to query system info

snap connect deviceupdate-agent:account-control

snap connect deviceupdate-agent:hardware-observe

#Connect to SnapD

snap connect deviceupdate-agent:snapd-control

#Connect to other Azure Snaps

snap connect deviceupdate-agent:identity-service azure-iot-identity:identity-service

With all the interfaces now connected, we are ready to move onto the connecting to the cloud. 

Setting up your Azure IoT Edge account

For the next step, you need to move to the cloud and the Azure IoT Edge portal. If you already have an Azure account, you can sign in here: 

Azure Portal

If you do not have an account, you can sign up for an account here:

Azure IoT Edge

You will be given the option to either create a free account (which includes a time-limited, preview credit) or a paid account with access to premium services. Both Azure IoT Hub and Azure IoT Edge are free services that can be used without charge provided you stay within Azure’s usage limitations. More information can be found on this here.

Once you have access to your Azure account and the Azure Portal, you will need to create your IoT Hub. From the Azure services section of the portal, click “More services” and select “IoT Hub” from the “Internet of Things” section.

Once in your IoT Hub, you need to create a Hub. Click the Create button and fill in the details. Once happy, click the ‘Create’ button.

After a brief pause, your Hub will have been deployed and we can now see it in the IoT Hub portal.

Select your Hub and, from the menu on the right hand side of the screen, select Devices. 

Click “Add Device”, choose a name for your device and select the “IoT Edge Device” checkbox. Choose any other settings you desire and click “Save”.

Again after a slight pause, your device will have been created and added to your Hub. 

Select your device from your Hub and you will be presented with the various options and information. For the moment, we are just interested in the “Primary connection string” as we will need this to provision the actual device. 

You can view the connection string by clicking on the small eye icon or copy it to your clipboard by clicking the icon to the right. 

Provisioning your Device

In order for your Core device to connect to your newly created IoT Hub, it needs to be

configured with the connection string we have just obtained. 

Returning to the SSH terminal of your Core device, create a file called config.toml.

At this point it may be useful to install a text editor onto your Core device. Follow the steps below to install the nano strictly confined snap and connect it to your home directory. Then open the config.toml file to edit

sudo snap install nano-strict

snap connect nano-strict:home :home

nano-strict config.toml

Copy and paste the following into your text editor but replace the connection string with the one you obtained from your IoT Hub Device. 

## Manual provisioning with connection string 

# 

[provisioning]

source = "manual" 

connection_string = "HostName=snaphub-free.azure-devices.net;DeviceId=iotvm;SharedAccessKey=XXXXXXXXX"

Apply that configuration file to your Azure Snap using the following command:

sudo snap set azure-iot-edge raw-config="$(cat config.toml)"

It is also possible to authenticate your device to the Azure IoT Hub using X.509 certificates. For information on how to use that method, please refer to this documentation from Microsoft. 

Your Device in Azure IoT Hub

Once configured, your device will download some containers to allow it to run Azure IoT Edge workloads. This may take some time depending on your network connection speed but once complete your device will be visible from your Azure portal and you can configure it with additional workloads from there as well as explore all the offerings Azure has for your device. 

Deploying Modules to your Device

Next Steps

You should now have a fully working and configured Ubuntu Core device which can be remotely managed with the Azure IoT Hub. From here you can explore the features Azure IoT has to offer. 

If you want to try and deploy your first module to your Edge device, this tutorial from Microsoft shows you how you can deploy a sensing module that will send simulated telemetry data from your device to the cloud. It is the perfect place to get started with your Ubuntu Core Azure IoT Edge device.  

For more information on what you can do with Azure IoT, please refer to the Microsoft documentation.

Azure IoT Edge documentation | Microsoft Learn 

For more information on the power and capabilities of Ubuntu Core please refer to Ubuntu Core.

London, 20 March 2024. Canonical has announced that Ubuntu Core, its operating system optimised for the Internet of Things (IoT) and edge, has received Microsoft Azure IoT Edge Tier 1 supported platform status from Microsoft.  This collaboration brings computation, storage, and artificial intelligence (AI) capabilities in the cloud closer to the edge of the network. 

The power of the cloud on the edge

Azure IoT Edge enables businesses to remotely and securely deploy and manage cloud-native workloads directly on their IoT devices, at scale, and with robust observability.

With the ability to deploy and manage containerised applications on devices, teams can process data, run machine learning models, perform analytics, and carry out other tasks right at the edge of the network. This approach helps reduce latency, conserve bandwidth, and it provides more immediate insights from data near to where it is generated. It is especially useful in scenarios where real-time decision-making is crucial, where network connectivity might be unreliable, or where data privacy and security concerns demand local data processing.

The security of Ubuntu Core

Ubuntu Core is an operating system designed specifically for the IoT and embedded devices. Its range of features make it ideal for secure, reliable, and scalable deployments. Built on the power of Snaps, Ubuntu Core provides a minimal core with support for multiple architectures and types of devices. Security is baked-in with secure boot and full disk encryption, and over-the-air (OTA) transactional updates to ensure that devices are always up to date. Coupled with Canonical’s Long Term Support, which offers up to 10 years of maintenance and security updates, Ubuntu Core provides long-term peace of mind for IoT implementations.

With the introduction of the Azure IoT Edge Snaps suite, the process of deploying edge workloads to the extensive array of devices and architectures supported by Ubuntu Core has become a streamlined, seamless, experience. Combined with the ability to remotely manage and configure both the processing and system components of fleets of devices directly from Azure, teams benefit from robust security and optimised performance. 

“With Microsoft committing their support for Ubuntu Core with the release of the Microsoft Azure IoT Edge Snaps we see another example of the industry’s enthusiasm to adopt the operating system to fulfil all of their IoT needs. We look forward to growing this relationship further with Microsoft in the future”.  – Michael Croft-White, Engineering Director.

“In collaboration with Canonical, we are making it simpler to reliably connect devices to Microsoft Azure IoT services. Snap support in Azure IoT Edge helps ensure consistent performance, enhanced security, and efficient updates across Linux distributions that support Snaps.” 

Kam VedBrat, GM, Azure IoT

Further reading

More information on Ubuntu Core can be found at ubuntu.com/core. Our “Intro to Ubuntu Core 22” webinar is a comprehensive resource for everything you need to know about Ubuntu Core. 

If you are not already familiar with Microsoft’s Azure IoT Edge, more information can be found here. 

Are you interested in running Ubuntu Core with Azure IoT on your devices and are working on a commercial project?

About Canonical 

Canonical, the publisher of Ubuntu, provides open-source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.

Landscape has been a member of the Canonical product list for almost as long as Canonical has existed. Landscape allows administrators to manage their desktop and server instances from a single centralised portal. With the latest release of Landscape Server (23.10), we’ve introduced the ability to manage snap packages from Landscape – and with a beta release of the Landscape Client snap package now available from our Snap Store, you can also add Ubuntu Core-based devices to your Landscape estate.

Landscape provides remote fleet management services across your entire Ubuntu estate. It allows you to manage software versions and configurations, control security patching, monitor your devices performance and compliance, access management and auditing.  

This blog will help you get started using Landscape to manage Ubuntu for IoT devices. We will show you how to install the Landscape Client snap on an Ubuntu Core device, how to configure it and then see the device in your Landscape web portal. Further blogs in this series will address Landscape’s snap management features, larger scale deployments and how to include the snap with your base Ubuntu Core device image.

Why manage your IoT devices with Landscape?

Before we explore configuring your device for management with Landscape, we should address the question of why you should manage your IoT device with Landscape. What benefits do you get and how will it make your life easier?

With a lot of IoT Devices being physically inaccessible, remote device management allows you to interact with your device from anywhere in the world. You can monitor its health, check it is running the latest versions of snaps, reconfigure its settings or just give it a good old reboot – all without leaving your desk. In addition, by grouping multiple devices together, you can perform these operations on numerous devices simultaneously, saving you both time and effort.

Requirements

To follow along with this blog, you will need a suitable account on a Landscape server instance. In order to manage the installed snaps on the device, you will need a self-hosted Landscape server running either the beta or 23.10 version. The functionality to manage snaps will be added to our Landscape SaaS versions shortly although you can still already register and monitor these devices.

Install the Landscape Client snap

First, your need to connect to your Ubuntu Core device using SSH and your Ubuntu One account credentials. You will be required to generate an SSH key pair and upload the public SSH key to your account.  During the configuration of Core, you were asked to provide your SSO login credentials to download this public key to your device and allow you to connect. For more information, see how to connect to Ubuntu Core with SSH.

Once you’ve connected to the device, we can install the Landscape Client snap from the snap store. As the snap is currently in beta, we will need to specify that we want the beta channel. 

> snap install landscape-client –channel=beta

The installation of the snap will also connect all the necessary interfaces for the client to the device, granting it permission to manage your configuration and installed snaps. 

Configure the client

Once you’ve installed the client, we need to configure it to talk to your Landscape Server instance. For this exercise, we will use the Landscape Configuration Wizard. As we will see at the end of this section, you can specify all the necessary settings directly from the command line, but by walking through the wizard, we can see the process more clearly.

Before we start this process, we need to ensure we have some information available. 

Computer Title

This is the name that will appear in Landscape when you have completed enrollment. It does not need to be unique but it should help you identify your device when working in the Landscape web portal.

Account Name

As the Landscape server is multi-tenanted, you will need the account to which you would like to enrol your device. For self-hosted Landscape accounts, the account name defaults to “standalone”. 

Landscape Domain 

The Fully Qualified Domain Name (FQDN) of your Landscape Server. This must be accessible from your device. 

Registration Key

The registration key configured for your Landscape account. This is optional but without it you will need to manually confirm all new device additions to your account. If you specify a registration key, you have the option to automatically accept the device provided the keys match. For more information on registration keys and enabling auto-registration, see how to auto-register new computers.

HTTP/HTTPS Proxy URL

These are only required if your network needs a proxy to connect to the Landscape server. 

Once this information is collated, run the configuration wizard using the following command:

> sudo landscape-client.config –computer-title “<computer title>” –account-name <account name>

This command will launch the configuration wizard as shown below with the user input between these two symbols <>.

Manage this machine with Landscape (https://ubuntu.com/landscape):

Will you be using your own Self-Hosted Landscape installation? [y/N]: y

Provide the fully qualified domain name of your Landscape Server e.g. landscape.yourdomain.com

Landscape Domain: <Landscape server FQDN>

A Registration Key prevents unauthorized registration attempts.

Provide the Registration Key found at:

https://<Landscape server FQDN>/account/<Account Name>

(Optional) Registration Key: _  <Registration Key>

If your network requires you to use a proxy, provide the address of

these proxies now.

HTTP proxy URL:  _  <Proxy URL or leave blank>

HTTPS proxy URL:  _  <Proxy URL or leave blank>

A summary of the provided information:

Computer’s Title: <Computer Title>

Account Name: <Account Name>

Landscape FQDN: <Landscape server FQDN>

Registration Key: Hidden

The landscape-config parameters to repeat this registration on another machine are:

sudo landscape-config –account-name snap-management-demo –url https://staging.landscape.canonical.com/message-system –ping-url http://staging.landscape.canonical.com/ping

Request a new registration for this computer now? [y/N]: y

This completes the registration and enrols your device with the Landscape server.

Accept the registration

If you didn’t specify a registration key and enable auto-registration in the previous steps, you’ll need to accept the registration in your Landscape account.

To accept the registration(s), log in to your Landscape account. You should see a notification telling you a computer needs authorising.

Click on this message, check that the device attempting to enrol is your device and then click accept. If this device has previously existed in Landscape (i.e. if you are reinstalling a device) you can select it during this stage of the registration if you want to reuse the instance. 

Your device will then appear in the Computers list and after a few minutes will start populating. 

Manage your device

That’s it – with your device enrolled, you can start managing it from the Landscape Server. Start by trying to install a new snap or fixing its version to prevent update? Maybe setup some graphs to monitor how your devices are performing or perhaps set up an automatic alert to email you if one of your devices stops responding? All from the comfort of your own desktop.

Learn more

For more information on the power and capabilities of Ubuntu Core check out: Ubuntu Core.

For more information on the features and functionality of Landscape check out: Landscape | Ubuntu.

Are you interested in running Ubuntu Core with Landscape management on your devices and are working on a commercial project? Get in touch with our team today.

Further reading

Ubuntu Core as an immutable Linux Desktop base

Managing software in complex network environments: the Snap Store Proxy

Manage FIPS-enabled Linux machines at scale with Landscape 23.03