

End of support notice: On October 7th, 2026, AWS will discontinue support for AWS IoT Greengrass Version 1. After October 7th, 2026, you will no longer be able to access the AWS IoT Greengrass V1 resources. For more information, please visit [Migrate from AWS IoT Greengrass Version 1](https://docs.aws.amazon.com/greengrass/v2/developerguide/migrate-from-v1.html).

# What is AWS IoT Greengrass?
<a name="what-is-gg"></a>

AWS IoT Greengrass is software that extends cloud capabilities to local devices. This enables devices to collect and analyze data closer to the source of information, react autonomously to local events, and communicate securely with each other on local networks. Local devices can also communicate securely with AWS IoT Core and export IoT data to the AWS Cloud. AWS IoT Greengrass developers can use AWS Lambda functions and prebuilt [connectors](connectors.md) to create serverless applications that are deployed to devices for local execution.

The following diagram shows the basic architecture of AWS IoT Greengrass.

![\[Greengrass core enables local execution of Lambda, messaging, device shadows, and security. Greengrass core interacts with the AWS Cloud and works locally with intermittent connectivity.\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/images/greengrass.png)


AWS IoT Greengrass makes it possible for customers to build IoT devices and application logic. Specifically, AWS IoT Greengrass provides cloud-based management of application logic that runs on devices. Locally deployed Lambda functions and connectors are triggered by local events, messages from the cloud, or other sources.

In AWS IoT Greengrass, devices securely communicate on a local network and exchange messages with each other without having to connect to the cloud. AWS IoT Greengrass provides a local pub/sub message manager that can intelligently buffer messages if connectivity is lost so that inbound and outbound messages to the cloud are preserved.

AWS IoT Greengrass protects user data:
+ Through the secure authentication and authorization of devices.
+ Through secure connectivity in the local network.
+ Between local devices and the cloud.

Device security credentials function in a group until they are revoked, even if connectivity to the cloud is disrupted, so that the devices can continue to securely communicate locally.

AWS IoT Greengrass provides secure, over-the-air updates of Lambda functions.

AWS IoT Greengrass consists of:
+ Software distributions
  + AWS IoT Greengrass Core software
  + AWS IoT Greengrass Core SDK
+ Cloud service
  + AWS IoT Greengrass API
+ Features
  + Lambda runtime
  + Shadows implementation
  + Message manager
  + Group management
  + Discovery service
  + Over-the-air update agent
  + Stream manager
  + Local resource access
  + Local machine learning inference
  + Local secrets manager
  + Connectors with built-in integration with services, protocols, and software

**Topics**
+ [AWS IoT Greengrass Core software](#gg-core-software)
+ [AWS IoT Greengrass groups](#gg-group)
+ [Devices in AWS IoT Greengrass](#devices)
+ [SDKs](#gg-sdks)
+ [Supported platforms and requirements](#gg-platforms)
+ [AWS IoT Greengrass downloads](#gg-downloads)
+ [We want to hear from you](#contact-us)
+ [Install the AWS IoT Greengrass Core software](install-ggc.md)
+ [Configure the AWS IoT Greengrass core](gg-core.md)

## AWS IoT Greengrass Core software
<a name="gg-core-software"></a>

The AWS IoT Greengrass Core software provides the following functionality:<a name="ggc-software-features"></a>
+ Deployment and the local running of connectors and Lambda functions.
+ Process data streams locally with automatic exports to the AWS Cloud.
+ MQTT messaging over the local network between devices, connectors, and Lambda functions using managed subscriptions.
+ MQTT messaging between AWS IoT and devices, connectors, and Lambda functions using managed subscriptions.
+ Secure connections between devices and the AWS Cloud using device authentication and authorization.
+ Local shadow synchronization of devices. Shadows can be configured to sync with the AWS Cloud.
+ Controlled access to local device and volume resources.
+ Deployment of cloud-trained machine learning models for running local inference.
+ Automatic IP address detection that enables devices to discover the Greengrass core device.
+ Central deployment of new or updated group configuration. After the configuration data is downloaded, the core device is restarted automatically.
+ Secure, over-the-air (OTA) software updates of user-defined Lambda functions.
+ Secure, encrypted storage of local secrets and controlled access by connectors and Lambda functions.

AWS IoT Greengrass core instances are configured through AWS IoT Greengrass APIs that create and update AWS IoT Greengrass group definitions stored in the cloud.

### AWS IoT Greengrass Core software versions
<a name="ggc-versions"></a>

AWS IoT Greengrass provides several options for installing the AWS IoT Greengrass Core software, including tar.gz download files, a quick start script, and `apt` installations on supported Debian platforms. For more information, see [Install the AWS IoT Greengrass Core software](install-ggc.md).

The following tabs describe what's new and changed in AWS IoT Greengrass Core software versions.

------
#### [ GGC v1.11 ]<a name="ggc-v1.11-tab"></a>

1.11.6  
Bug fixes and improvements:  
+ Improved resilience if sudden power loss occurs during a deployment.
+ Fixed an issue where stream manager data corruption could prevent the AWS IoT Greengrass Core software from starting.
+ Fixed an issue where new client devices couldn't connect to the core in certain scenarios.
+ Fixed an issue where stream manager stream names couldn't contain `.log`.

1.11.5  
Bug fixes and improvements:  
+ General performance improvements and bug fixes.

1.11.4  
Bug fixes and improvements:  
+ Fixed an issue with stream manager that prevented upgrades to AWS IoT Greengrass Core software v1.11.3. If you are using stream manager to export data to the cloud, you can now use an OTA update to upgrade an earlier v1.x version of the AWS IoT Greengrass Core software to v1.11.4.
+ General performance improvements and bug fixes. 

1.11.3  
Bug fixes and improvements:  
+ Fixed an issue that caused AWS IoT Greengrass Core software running in a snap on an Ubuntu device to stop responding after a sudden power loss to the device.
+ Fixed an issue that caused delayed delivery of MQTT messages to long-lived Lambda functions. 
+ Fixed an issue that caused MQTT messages to not be sent correctly when the `maxWorkItemCount` value was set to a value greater than `1024`. 
+ Fixed an issue that caused the OTA update agent to ignore the MQTT `KeepAlive` period specified in the `keepAlive` property in [`config.json`](gg-core.md#config-json).
+ General performance improvements and bug fixes. 
If you are using stream manager to export data to the cloud, do *not* upgrade to AWS IoT Greengrass Core software v1.11.3 from an earlier v1.x version. If you are enabling stream manager for the first time, we strongly recommend that you first install the latest version of the AWS IoT Greengrass Core software.

1.11.1  
Bug fixes and improvements:  
+ Fixed an issue that caused increased memory use for stream manager.
+ Fixed an issue that caused stream manager to reset the sequence number of the stream to `0` if the Greengrass core device was turned off for longer than the specified time-to-live (TTL) period of the stream data.
+ Fixed an issue that prevented stream manager from correctly stopping retry attempts to export data to the AWS Cloud.

1.11.0  
New features:  <a name="what-new-v1110"></a>
+ A telemetry agent on the Greengrass core collects local telemetry data and publishes it to AWS Cloud. To retrieve the telemetry data for further processing, customers can create an Amazon EventBridge rule and subscribe to a target. For more information, see [Gathering system health telemetry data from AWS IoT Greengrass core devices](https://docs.aws.amazon.com/greengrass/v1/developerguide/telemetry.html).
+ A local HTTP API returns a snapshot of the current state of local worker processes started by AWS IoT Greengrass. For more information, see [Calling the local health check API](https://docs.aws.amazon.com/greengrass/v1/developerguide/health-check.html).
+ A [stream manager](stream-manager.md) automatically exports data to Amazon S3 and AWS IoT SiteWise.

  New [stream manager parameters](configure-stream-manager.md) let you update existing streams and pause or resume data export.
+ Support for running Python 3.8.x Lambda functions on the core.
+ A new `ggDaemonPort` property in [`config.json`](gg-core.md#config-json) that you use to configure the Greengrass core IPC port number. The default port number is 8000.

  A new `systemComponentAuthTimeout` property in [`config.json`](gg-core.md#config-json) that you use to configure the timeout for Greengrass core IPC authentication. The default timeout is 5000 milliseconds.
+ Increased the maximum number of AWS IoT devices per AWS IoT Greengrass group from 200 to 2500. 

  Increased the maximum number of subscriptions per group from 1000 to 10000. 

  For more information, see [AWS IoT Greengrass endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/greengrass.html).
Bug fixes and improvements:  <a name="bug-fix-v1110"></a>
+ General optimization that can reduce the memory utilization of the Greengrass service processes.
+ A new runtime configuration parameter (`mountAllBlockDevices`) lets Greengrass use bind mounts to mount all block devices into a container after setting up the OverlayFS. This feature resolved an issue that caused Greengrass deployment failure if `/usr` isn't under the `/` hierarchy.
+ Fixed an issue that caused AWS IoT Greengrass core failure if `/tmp` is a symlink.
+ Fixed an issue to let the Greengrass deployment agent remove unused machine learning model artifacts from the `mlmodel_public` folder.
+ General performance improvements and bug fixes.

------
#### [ Extended life versions ]<a name="ggc-v1.10-tab"></a>

1.10.5  
Bug fixes and improvements:  
+ General performance improvements and bug fixes. 

1.10.4  
Bug fixes and improvements:  
+ <a name="bug-fix-v1104-snap-power-loss"></a>Fixed an issue that caused AWS IoT Greengrass Core software running in a snap on an Ubuntu device to stop responding after a sudden power loss to the device.
+ <a name="bug-fix-v1104-mqtt-long-lived-delay"></a>Fixed an issue that caused delayed delivery of MQTT messages to long-lived Lambda functions. 
+ <a name="bug-fix-v1104-mqtt-max-work-item-count"></a>Fixed an issue that caused MQTT messages to not be sent correctly when the `maxWorkItemCount` value was set to a value greater than `1024`. 
+ <a name="bug-fix-v1104-ota-mqtt-keep-alive"></a>Fixed an issue that caused the OTA update agent to ignore the MQTT `KeepAlive` period specified in the `keepAlive` property in [`config.json`](gg-core.md#config-json). 
+ General performance improvements and bug fixes. 

1.10.3  
Bug fixes and improvements:  
+ <a name="bug-fix-v1103-system-component-auth-timeout"></a>A new `systemComponentAuthTimeout` property in [`config.json`](gg-core.md#config-json) that you use to configure the timeout for Greengrass core IPC authentication. The default timeout is 5000 milliseconds.
+ <a name="bug-fix-v1103-stream-manager-mem-usage"></a>Fixed an issue that caused increased memory use for stream manager.

1.10.2  
Bug fixes and improvements:  
+ <a name="bug-fix-v1102-mqtt-operation-timeout"></a>A new `mqttOperationTimeout` property in [config.json](gg-core.md#config-json) that you use to set the timeout for publish, subscribe, and unsubscribe operations in MQTT connections with AWS IoT Core.
+ General performance improvements and bug fixes.

1.10.1  
Bug fixes and improvements:  
+ <a name="bug-fix-v1101-stream-mgr"></a>[Stream manager](stream-manager.md) is more resilient to file data corruption.
+ <a name="bug-fix-v1101-sysfs"></a>Fixed an issue that causes a sysfs mount failure on devices using Linux kernel 5.1 and later.
+ General performance improvements and bug fixes.

1.10.0  
New features:  <a name="what-new-v1100"></a>
+ A stream manager that processes data streams locally and exports them to the AWS Cloud automatically. This feature requires Java 8 on the Greengrass core device. For more information, see [Manage data streams on the AWS IoT Greengrass core](stream-manager.md).
+ A new Greengrass Docker application deployment connector that runs a Docker application on a core device. For more information, see [Docker application deployment connector](docker-app-connector.md).
+ A new IoT SiteWise connector that sends industrial device data from OPC-UA servers to asset properties in AWS IoT SiteWise. For more information, see [IoT SiteWise connector](iot-sitewise-connector.md).
+ Lambda functions that run without containerization can access machine learning resources in the Greengrass group. For more information, see [Access machine learning resources from Lambda functions](access-ml-resources.md).
+ Support for MQTT persistent sessions with AWS IoT. For more information, see [MQTT persistent sessions with AWS IoT Core](gg-core.md#mqtt-persistent-sessions).
+ Local MQTT traffic can travel over a port other than the default port 8883. For more information, see [Configure the MQTT port for local messaging](gg-core.md#config-local-mqtt-port).
+ New `queueFullPolicy` options in the [AWS IoT Greengrass Core SDK](lambda-functions.md#lambda-sdks-core) for reliable message publishing from Lambda functions.
+ Support for running Node.js 12.x Lambda functions on the core.
Bug fixes and improvements:  <a name="bug-fix-v1100"></a>
+ <a name="bug-fix-v1100-ota"></a>Over-the-air (OTA) updates with hardware security integration can be configured with OpenSSL 1.1.
+ General performance improvements and bug fixes.

1.9.4  
Bug fixes and improvements:  
+ General performance improvements and bug fixes.

1.9.3  
New features:  
+ <a name="what-new-v193-armv6l"></a>Support for Armv6l. AWS IoT Greengrass Core software v1.9.3 or later can be installed on Raspbian distributions on Armv6l architectures (for example, on Raspberry Pi Zero devices).
+ <a name="what-new-v193-ota-alpn"></a>OTA updates on port 443 with ALPN. Greengrass cores that use port 443 for MQTT traffic now support over-the-air (OTA) software updates. AWS IoT Greengrass uses the Application Layer Protocol Negotiation (ALPN) TLS extension to enable these connections. For more information, see [OTA updates of AWS IoT Greengrass Core software](core-ota-update.md) and [Connect on port 443 or through a network proxy](gg-core.md#alpn-network-proxy).
Bug fixes and improvements:  
+ Fixes a bug introduced in v1.9.0 that prevented Python 2.7 Lambda functions from sending binary payloads to other Lambda functions.
+ General performance improvements and bug fixes.

1.9.2  
New features:  
+ <a name="what-new-v192-openwrt"></a>Support for [OpenWrt](https://openwrt.org/). AWS IoT Greengrass Core software v1.9.2 or later can be installed on OpenWrt distributions with Armv8 (AArch64) and Armv7l architectures. Currently, OpenWrt does not support ML inference.

1.9.1  
Bug fixes and improvements:  
+ Fixes a bug introduced in v1.9.0 that drops messages from the `cloud` that contain wildcard characters in the topic.

1.9.0  
New features:  
+ <a name="what-new-v190-runtimes"></a>Support for Python 3.7 and Node.js 8.10 Lambda runtimes. Lambda functions that use Python 3.7 and Node.js 8.10 runtimes can now run on an AWS IoT Greengrass core. (AWS IoT Greengrass continues to support the Python 2.7 and Node.js 6.10 runtimes.)
+ <a name="what-new-v190-mqtt-opt"></a>Optimized MQTT connections. The Greengrass core establishes fewer connections with the AWS IoT Core. This change can reduce operational costs for charges that are based on the number of connections.
+ <a name="what-new-v190-ec-key"></a>Elliptic Curve (EC) key for the local MQTT server. The local MQTT server supports EC keys in addition to RSA keys. (The MQTT server certificate has an SHA-256 RSA signature, regardless of the key type.) For more information, see [AWS IoT Greengrass core security principals](gg-sec.md#gg-principals).
Bug fixes and improvements:  
+ General performance improvements and bug fixes.

1.8.4  
Fixed an issue with shadow synchronization and device certificate manager reconnection.  
General performance improvements and bug fixes.

1.8.3  
General performance improvements and bug fixes.

1.8.2  
General performance improvements and bug fixes.

1.8.1  
General performance improvements and bug fixes.

1.8.0  
New features:  
+ Configurable default access identity for Lambda functions in the group. This group-level setting determines the default permissions that are used to run Lambda functions. You can set the user ID, group ID, or both. Individual Lambda functions can override the default access identity of their group. For more information, see [Setting the default access identity for Lambda functions in a group](lambda-group-config.md#lambda-access-identity-groupsettings).
+ HTTPS traffic over port 443. HTTPS communication can be configured to travel over port 443 instead of the default port 8443. This complements AWS IoT Greengrass support for the Application Layer Protocol Negotiation (ALPN) TLS extension and allows all Greengrass messaging traffic—both MQTT and HTTPS—to use port 443. For more information, see [Connect on port 443 or through a network proxy](gg-core.md#alpn-network-proxy).
+ Predictably named client IDs for AWS IoT connections. This change enables support for AWS IoT Device Defender and [AWS IoT lifecycle events](https://docs.aws.amazon.com/iot/latest/developerguide/life-cycle-events.html), so you can receive notifications for connect, disconnect, subscribe, and unsubscribe events. Predictable naming also makes it easier to create logic around connection IDs (for example, to create [subscribe policy](https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cert) templates based on certificate attributes). For more information, see [Client IDs for MQTT connections with AWS IoT](gg-core.md#connection-client-id).
Bug fixes and improvements:  
+ Fixed an issue with shadow synchronization and device certificate manager reconnection.
+ General performance improvements and bug fixes.

1.7.1  
New features:  
+ Greengrass connectors provide built-in integration with local infrastructure, device protocols, AWS, and other cloud services. For more information, see [Integrate with services and protocols using Greengrass connectors](connectors.md).
+ AWS IoT Greengrass extends AWS Secrets Manager to core devices, which makes your passwords, tokens, and other secrets available to connectors and Lambda functions. Secrets are encrypted in transit and at rest. For more information, see [Deploy secrets to the AWS IoT Greengrass core](secrets.md).
+ Support for a hardware root of trust security option. For more information, see [Hardware security integration](hardware-security.md).
+ Isolation and permission settings that allow Lambda functions to run without Greengrass containers and to use the permissions of a specified user and group. For more information, see [Controlling execution of Greengrass Lambda functions by using group-specific configuration](lambda-group-config.md).
+ You can run AWS IoT Greengrass in a Docker container (on Windows, macOS, or Linux) by configuring your Greengrass group to run with no containerization. For more information, see [Running AWS IoT Greengrass in a Docker container](run-gg-in-docker-container.md).
+ MQTT messaging on port 443 with Application Layer Protocol Negotiation (ALPN) or connection through a network proxy. For more information, see [Connect on port 443 or through a network proxy](gg-core.md#alpn-network-proxy).
+ The SageMaker AI Neo deep learning runtime, which supports machine learning models that have been optimized by the SageMaker AI Neo deep learning compiler. For information about the Neo deep learning runtime, see [Runtimes and libraries for ML inference](ml-inference.md#ml-libraries).
+ Support for Raspbian Stretch (2018-06-27) on Raspberry Pi core devices.
Bug fixes and improvements:  
+ General performance improvements and bug fixes.
In addition, the following features are available with this release:  
+ The AWS IoT Device Tester for AWS IoT Greengrass, which you can use to verify that your CPU architecture, kernel configuration, and drivers work with AWS IoT Greengrass. For more information, see [Using AWS IoT Device Tester for AWS IoT Greengrass V1](device-tester-for-greengrass-ug.md).
+ The AWS IoT Greengrass Core software, AWS IoT Greengrass Core SDK, and AWS IoT Greengrass Machine Learning SDK packages are available for download through Amazon CloudFront. For more information, see [AWS IoT Greengrass downloads](#gg-downloads).

1.6.1  
New features:  
+ Lambda executables that run binary code on the Greengrass core. Use the new AWS IoT Greengrass Core SDK for C to write Lambda executables in C and C++. For more information, see [Lambda executables](lambda-functions.md#lambda-executables).
+ Optional local storage message cache that can persist across restarts. You can configure the storage settings for MQTT messages that are queued for processing. For more information, see [MQTT message queue for cloud targets](gg-core.md#mqtt-message-queue).
+ Configurable maximum reconnect retry interval for when the core device is disconnected. For more information, see the `mqttMaxConnectionRetryInterval` property in [AWS IoT Greengrass core configuration file](gg-core.md#config-json).
+ Local resource access to the host /proc directory. For more information, see [Access local resources with Lambda functions and connectors](access-local-resources.md).
+ Configurable write directory. The AWS IoT Greengrass Core software can be deployed to read-only and read-write locations. For more information, see [Configure a write directory for AWS IoT Greengrass](gg-core.md#write-directory).
Bug fixes and improvements:  
+ Performance improvement for publishing messages in the Greengrass core and between devices and the core.
+ Reduced the compute resources required to process logs generated by user-defined Lambda functions.

1.5.0  
New features:  
+ AWS IoT Greengrass Machine Learning (ML) Inference is generally available. You can perform ML inference locally on AWS IoT Greengrass devices using models that are built and trained in the cloud. For more information, see [Perform machine learning inference](ml-inference.md).
+ Greengrass Lambda functions now support binary data as input payload, in addition to JSON. To use this feature, you must upgrade to AWS IoT Greengrass Core SDK version 1.1.0, which you can download from the [AWS IoT Greengrass Core SDK](#gg-core-sdk-download) downloads page. 
Bug fixes and improvements:  
+ Reduced the overall memory footprint.
+ Performance improvements for sending messages to the cloud.
+ Performance and stability improvements for the download agent, Device Certificate Manager, and OTA update agent.
+ Minor bug fixes.

1.3.0  
New features:  
+ Over-the-air (OTA) update agent capable of handling cloud-deployed, Greengrass update jobs. The agent is found under the new `/greengrass/ota` directory. For more information, see [OTA updates of AWS IoT Greengrass Core software](core-ota-update.md).
+ Local resource access feature allows Greengrass Lambda functions to access local resources, such as peripheral devices and volumes. For more information, see [Access local resources with Lambda functions and connectors](access-local-resources.md).

1.1.0  
New features:  
+ Deployed AWS IoT Greengrass groups can be reset by deleting Lambda functions, subscriptions, and configurations. For more information, see [Reset deployments](reset-deployments-scenario.md).
+ Support for Node.js 6.10 and Java 8 Lambda runtimes, in addition to Python 2.7.
To migrate from the previous version of the AWS IoT Greengrass core:  
+ Copy certificates from the `/greengrass/configuration/certs` folder to `/greengrass/certs`.
+ Copy `/greengrass/configuration/config.json` to `/greengrass/config/config.json`.
+ Run `/greengrass/ggc/core/greengrassd` instead of `/greengrass/greengrassd`.
+ Deploy the group to the new core.

1.0.0  
Initial version

------

## AWS IoT Greengrass groups
<a name="gg-group"></a>

A Greengrass group is a collection of settings and components, such as a Greengrass core, devices, and subscriptions. Groups are used to define a scope of interaction. For example, a group might represent one floor of a building, one truck, or an entire mining site. The following diagram shows the components that can make up a Greengrass group.

![\[AWS IoT Core, Greengrass, and Lambda components, with interconnected Core, Settings, Lambda functions, Subscriptions, Connectors, Devices, and Resources elements.\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/images/gg-group.png)


In the preceding diagram:

A: Greengrass group definition  
Information about group settings and components.

B: Greengrass group settings  
These include:  
+ Greengrass group role.
+ Certificate authority and local connection configuration.
+ Greengrass core connectivity information.
+ Default Lambda runtime environment. For more information, see [Setting default containerization for Lambda functions in a group](lambda-group-config.md#lambda-containerization-groupsettings).
+ CloudWatch and local logs configuration. For more information, see [Monitoring with AWS IoT Greengrass logs](greengrass-logs-overview.md).

C: Greengrass core  
The AWS IoT thing (device) that represents the Greengrass core. For more information, see [Configure the AWS IoT Greengrass core](gg-core.md).

D: Lambda function definition  
A list of Lambda functions that run locally on the core, with associated configuration data. For more information, see [Run Lambda functions on the AWS IoT Greengrass core](lambda-functions.md).

E: Subscription definition  
A list of subscriptions that enable communication using MQTT messages. A subscription defines:  
+ A message source and message target. These can be client devices, Lambda functions, connectors, AWS IoT Core, and the local shadow service.
+ A topic or subject that's used to filter messages.
For more information, see [Managed subscriptions in the MQTT messaging workflow](gg-sec.md#gg-msg-workflow).

F: Connector definition  
A list of connectors that run locally on the core, with associated configuration data. For more information, see [Integrate with services and protocols using Greengrass connectors](connectors.md).

G: Device definition  
A list of AWS IoT things (known as client devices or devices) that are members of the Greengrass group, with associated configuration data. For more information, see [Devices in AWS IoT Greengrass](#devices).

H: Resource definition  
A list of local resources, machine learning resources, and secret resources on the Greengrass core, with associated configuration data. For more information, see [Access local resources with Lambda functions and connectors](access-local-resources.md), [Perform machine learning inference](ml-inference.md), and [Deploy secrets to the AWS IoT Greengrass core](secrets.md).

When deployed, the Greengrass group definition, Lambda functions, connectors, resources, and subscription table are copied to the core device. For more information, see [Deploy AWS IoT Greengrass groups to an AWS IoT Greengrass core](deployments.md).

## Devices in AWS IoT Greengrass
<a name="devices"></a>

A Greengrass group can contain two types of AWS IoT device:

Greengrass core  
A Greengrass core is a device that runs the AWS IoT Greengrass Core software, which allows it to communicate directly with AWS IoT Core and the AWS IoT Greengrass service. A core has its own device certificate used for authenticating with AWS IoT Core. It has a device shadow and an entry in the AWS IoT Core registry. Greengrass cores run a local Lambda runtime, deployment agent, and IP address tracker that sends IP address information to the AWS IoT Greengrass service to allow client devices to automatically discover their group and core connection information. For more information, see [Configure the AWS IoT Greengrass core](gg-core.md).  
A Greengrass group must contain exactly one core.

Client device  <a name="greengrass-devices"></a>
Client devices (also called *connected devices*, *Greengrass devices*, or *devices*) are devices that connect to a Greengrass core over MQTT. They have their own device certificate for AWS IoT Core authentication, a device shadow, and an entry in the AWS IoT Core registry. <a name="gg-device-discovery"></a>Client devices can run [FreeRTOS](https://docs.aws.amazon.com/freertos/latest/userguide/freertos-lib-gg-connectivity.html) or use the [AWS IoT Device SDK](#iot-device-sdk) or [AWS IoT Greengrass Discovery API](gg-discover-api.md) to get discovery information used to connect and authenticate with the core in the same Greengrass group. To learn how to use the AWS IoT console to create and configure a client device for AWS IoT Greengrass, see [Module 4: Interacting with client devices in an AWS IoT Greengrass group](module4.md). Or, for examples that show you how to use the AWS CLI to create and configure a client device for AWS IoT Greengrass, see [create-device-definition](https://docs.aws.amazon.com/cli/latest/reference/greengrass/create-device-definition.html) in the *AWS CLI Command Reference*.  
In a Greengrass group, you can create subscriptions that allow client devices to communicate over MQTT with Lambda functions, connectors, and other client devices in the group, and with AWS IoT Core or the local shadow service. MQTT messages are routed through the core. If the core device loses connectivity to the cloud, client devices can continue to communicate over the local network. Client devices can vary in size, from smaller microcontroller-based devices to large appliances. Currently, a Greengrass group can contain up to 2,500 client devices. A client device can be a member of up to 10 groups.  
<a name="sitewise-connector-opcua-support"></a>OPC-UA is an information exchange standard for industrial communication. To implement support for OPC-UA on the Greengrass core, you can use the [IoT SiteWise connector](iot-sitewise-connector.md). The connector sends industrial device data from OPC-UA servers to asset properties in AWS IoT SiteWise.

The following table shows how these device types are related.

![\[AWS IoT Core and Device capabilities matrix showing configurations like Certificate, IoT Policy, IoT Thing supported on both Core and Device sides, with Device Gateway, Sensor/Actuator software, and Functions outside Greengrass Group permissions marked.\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/images/devices.png)


The AWS IoT Greengrass core device stores certificates in two locations:<a name="ggc-certificate-locations"></a>
+ Core device certificate in `/greengrass-root/certs`. Typically, the core device certificate is named `hash.cert.pem` (for example, `86c84488a5.cert.pem`). This certificate is used by the AWS IoT client for mutual authentication when the core connects to the AWS IoT Core and AWS IoT Greengrass services.
+ MQTT server certificate in `/greengrass-root/ggc/var/state/server`. The MQTT server certificate is named `server.crt`. This certificate is used for mutual authentication between the local MQTT server (on the Greengrass core) and Greengrass devices.
**Note**  
*greengrass-root* represents the path where the AWS IoT Greengrass Core software is installed on your device. Typically, this is the `/greengrass` directory.

## SDKs
<a name="gg-sdks"></a>

The following AWS-provided SDKs are used to work with AWS IoT Greengrass:

AWS SDK  
Use the AWS SDK to build applications that interact with any AWS service, including Amazon S3, Amazon DynamoDB, AWS IoT, AWS IoT Greengrass, and more. In the context of AWS IoT Greengrass, you can use the AWS SDK in deployed Lambda functions to make direct calls to any AWS service. For more information, see [AWS SDKs](lambda-functions.md#lambda-sdks-aws).  
The operations specific to Greengrass that are available in the AWS SDKs are also available in the [AWS IoT Greengrass API](https://docs.aws.amazon.com/greengrass/v1/apireference/) and [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/greengrass).

AWS IoT Device SDK  <a name="iot-device-sdk"></a>
The AWS IoT Device SDK helps devices connect to AWS IoT Core and AWS IoT Greengrass. For more information, see [AWS IoT Device SDKs](https://docs.aws.amazon.com/iot/latest/developerguide/iot-sdks.html) in the *AWS IoT Developer Guide*.  
<a name="iot-device-sdk-discovery"></a>Client devices can use any of the AWS IoT Device SDK v2 platforms to discover connectivity information for a Greengrass core. Connectivity information includes:  <a name="iot-device-sdk-discovery-list"></a>
+ The IDs of the Greengrass groups that the client device belongs to.
+ The IP addresses of the Greengrass core in each group. These are also called *core endpoints*.
+ The group CA certificate, which devices use for mutual authentication with the core. For more information, see [Device connection workflow](gg-sec.md#gg-sec-connection).
In v1 of the AWS IoT Device SDKs, only the C++ and Python platforms provide built-in discovery support.

AWS IoT Greengrass Core SDK  
The AWS IoT Greengrass Core SDK enables Lambda functions to interact with the Greengrass core, publish messages to AWS IoT, interact with the local shadow service, invoke other deployed Lambda functions, and access secret resources. This SDK is used by Lambda functions that run on an AWS IoT Greengrass core. For more information, see [AWS IoT Greengrass Core SDK](lambda-functions.md#lambda-sdks-core).

AWS IoT Greengrass Machine Learning SDK  
The AWS IoT Greengrass Machine Learning SDK enables Lambda functions to consume machine learning models that are deployed to the Greengrass core as machine learning resources. This SDK is used by Lambda functions that run on an AWS IoT Greengrass core and interact with a local inference service. For more information, see [AWS IoT Greengrass Machine Learning SDK](lambda-functions.md#lambda-sdks-ml).

## Supported platforms and requirements
<a name="gg-platforms"></a>

The following tabs list supported platforms and requirements for the AWS IoT Greengrass Core software.

**Note**  
You can download the AWS IoT Greengrass Core software from the [AWS IoT Greengrass Core Software](#gg-core-download-tab) downloads.

------
#### [ GGC v1.11 ]

Supported platforms:
+ <a name="arch_armv7l_193"></a>Architecture: Armv7l
  + OS: Linux
  + OS: Linux ([OpenWrt](https://openwrt.org/))
+ <a name="arch_armv8-aarch64_190"></a>Architecture: Armv8 (AArch64)
  + OS: Linux
  + OS: Linux ([OpenWrt](https://openwrt.org/))
+ <a name="arch_armv6l_193"></a>Architecture: Armv6l
  + OS: Linux
+ <a name="arch_x86-64_amazonlinux_190"></a>Architecture: x86_64
  + OS: Linux
+ <a name="arch_docker_180"></a>Windows, macOS, and Linux platforms can run AWS IoT Greengrass in a Docker container. For more information, see [Running AWS IoT Greengrass in a Docker container](run-gg-in-docker-container.md).

Requirements:
+ <a name="mem_128_disk_space_180"></a>Minimum 128 MB disk space available for the AWS IoT Greengrass Core software. If you use the [OTA update agent](core-ota-update.md), the minimum is <a name="req-core-ota-disk-space"></a>400 MB.
+ <a name="mem_128_ram_1100"></a>Minimum 128 MB RAM allocated to the AWS IoT Greengrass Core software. With [stream manager](stream-manager.md) enabled, the minimum is 198 MB RAM.
**Note**  
Stream manager is enabled by default if you use the **Default Group creation** option on the AWS IoT console to create your Greengrass group.
+ Linux kernel version:
  + <a name="kernel_4.4_180"></a>Linux kernel version 4.4 or later is required to support running AWS IoT Greengrass with [containers](lambda-group-config.md#lambda-containerization-considerations).
  + <a name="kernel_3.17_180"></a>Linux kernel version 3.17 or later is required to support running AWS IoT Greengrass without containers. In this configuration, the default Lambda function containerization for the Greengrass group must be set to **No container**. For instructions, see [Setting default containerization for Lambda functions in a group](lambda-group-config.md#lambda-containerization-groupsettings).
+ <a name="glibc_190"></a>[GNU C Library](https://www.gnu.org/software/libc/) (glibc) version 2.14 or later. OpenWrt distributions require [musl C Library](https://www.musl-libc.org/download.html) version 1.1.16 or later.
+ <a name="var_run_180"></a>The `/var/run` directory must be present on the device.
+ <a name="dev_dir_180"></a>The `/dev/stdin`, `/dev/stdout`, and `/dev/stderr` files must be available.
+ <a name="hardlink_softlink_180"></a>Hardlink and softlink protection must be enabled on the device. Otherwise, AWS IoT Greengrass can only be run in insecure mode, using the `-i` flag.
+ <a name="kernel_config_180"></a>The following Linux kernel configurations must be enabled on the device: 
  + <a name="kernel_namespace_180"></a>Namespace:
    + CONFIG_IPC_NS
    + CONFIG_UTS_NS
    + CONFIG_USER_NS
    + CONFIG_PID_NS
  + <a name="kernel_cgroups_180"></a>Cgroups:
    + CONFIG_CGROUP_DEVICE
    + CONFIG_CGROUPS
    + CONFIG_MEMCG

    The kernel must support [cgroups](https://en.wikipedia.org/wiki/Cgroups). The following requirements apply when running AWS IoT Greengrass with [containers](lambda-group-config.md#lambda-containerization-groupsettings):
    + The *memory* cgroup must be enabled and mounted to allow AWS IoT Greengrass to set the memory limit for Lambda functions.
    + The *devices* cgroup must be enabled and mounted if Lambda functions with [local resource access](access-local-resources.md) are used to open files on the AWS IoT Greengrass core device.
  + <a name="kernel_others_180"></a>Others:
    + CONFIG_POSIX_MQUEUE
    + CONFIG_OVERLAY_FS
    + CONFIG_HAVE_ARCH_SECCOMP_FILTER
    + CONFIG_SECCOMP_FILTER
    + CONFIG_KEYS
    + CONFIG_SECCOMP
    + CONFIG_SHMEM
+ <a name="s3_iot_root_cert_180"></a>The root certificate for Amazon S3 and AWS IoT must be present in the system trust store.
+ <a name="stream-manager-requirement"></a>[Stream manager](stream-manager.md) requires the Java 8 runtime and a minimum of 70 MB RAM in addition to the base AWS IoT Greengrass Core software memory requirement. Stream manager is enabled by default when you use the **Default Group creation** option on the AWS IoT console. Stream manager is not supported on OpenWrt distributions.
+ Libraries that support the [AWS Lambda runtime](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html) required by the Lambda functions you want to run locally. Required libraries must be installed on the core and added to the `PATH` environment variable. Multiple libraries can be installed on the same core.
  + <a name="runtime_python_3.8"></a>[Python](https://www.python.org/) version 3.8 for functions that use the Python 3.8 runtime.
  + <a name="runtime_python_3.7"></a>[Python](https://www.python.org/) version 3.7 for functions that use the Python 3.7 runtime.
  + <a name="runtime_python_2.7"></a>[Python](https://www.python.org/) version 2.7 for functions that use the Python 2.7 runtime.
  + <a name="runtime_nodejs_12.x"></a>[Node.js](https://www.nodejs.org/) version 12.x for functions that use the Node.js 12.x runtime.
  + <a name="runtime_java_8_190"></a>[Java](http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html) version 8 or later for functions that use the Java 8 runtime.
**Note**  
Running Java on an OpenWrt distribution isn't officially supported. However, if your OpenWrt build has Java support, you might be able to run Lambda functions authored in Java on your OpenWrt devices.

    For more information about AWS IoT Greengrass support for Lambda runtimes, see [Run Lambda functions on the AWS IoT Greengrass core](lambda-functions.md).
+ <a name="ota_agent_1110"></a>The following shell commands (not the BusyBox variants) are required by the [over-the-air (OTA) update agent](core-ota-update.md#ota-agent):
  + `wget`
  + `realpath`
  + `tar`
  + `readlink`
  + `basename`
  + `dirname`
  + `pidof`
  + `df`
  + `grep`
  + `umount`
  + `mv`
  + `gzip`
  + `mkdir`
  + `rm`
  + `ln`
  + `cut`
  + `cat`
  + `/bin/bash`

------
#### [ GGC v1.10 ]

Supported platforms:
+ <a name="arch_armv7l_193"></a>Architecture: Armv7l
  + OS: Linux
  + OS: Linux ([OpenWrt](https://openwrt.org/))
+ <a name="arch_armv8-aarch64_190"></a>Architecture: Armv8 (AArch64)
  + OS: Linux
  + OS: Linux ([OpenWrt](https://openwrt.org/))
+ <a name="arch_armv6l_193"></a>Architecture: Armv6l
  + OS: Linux
+ <a name="arch_x86-64_amazonlinux_190"></a>Architecture: x86_64
  + OS: Linux
+ <a name="arch_docker_180"></a>Windows, macOS, and Linux platforms can run AWS IoT Greengrass in a Docker container. For more information, see [Running AWS IoT Greengrass in a Docker container](run-gg-in-docker-container.md).

Requirements:
+ <a name="mem_128_disk_space_180"></a>Minimum 128 MB disk space available for the AWS IoT Greengrass Core software. If you use the [OTA update agent](core-ota-update.md), the minimum is <a name="req-core-ota-disk-space"></a>400 MB.
+ <a name="mem_128_ram_1100"></a>Minimum 128 MB RAM allocated to the AWS IoT Greengrass Core software. With [stream manager](stream-manager.md) enabled, the minimum is 198 MB RAM.
**Note**  
Stream manager is enabled by default if you use the **Default Group creation** option on the AWS IoT console to create your Greengrass group.
+ Linux kernel version:
  + <a name="kernel_4.4_180"></a>Linux kernel version 4.4 or later is required to support running AWS IoT Greengrass with [containers](lambda-group-config.md#lambda-containerization-considerations).
  + <a name="kernel_3.17_180"></a>Linux kernel version 3.17 or later is required to support running AWS IoT Greengrass without containers. In this configuration, the default Lambda function containerization for the Greengrass group must be set to **No container**. For instructions, see [Setting default containerization for Lambda functions in a group](lambda-group-config.md#lambda-containerization-groupsettings).
+ <a name="glibc_190"></a>[GNU C Library](https://www.gnu.org/software/libc/) (glibc) version 2.14 or later. OpenWrt distributions require [musl C Library](https://www.musl-libc.org/download.html) version 1.1.16 or later.
+ <a name="var_run_180"></a>The `/var/run` directory must be present on the device.
+ <a name="dev_dir_180"></a>The `/dev/stdin`, `/dev/stdout`, and `/dev/stderr` files must be available.
+ <a name="hardlink_softlink_180"></a>Hardlink and softlink protection must be enabled on the device. Otherwise, AWS IoT Greengrass can only be run in insecure mode, using the `-i` flag.
+ <a name="kernel_config_180"></a>The following Linux kernel configurations must be enabled on the device: 
  + <a name="kernel_namespace_180"></a>Namespace:
    + CONFIG_IPC_NS
    + CONFIG_UTS_NS
    + CONFIG_USER_NS
    + CONFIG_PID_NS
  + <a name="kernel_cgroups_180"></a>Cgroups:
    + CONFIG_CGROUP_DEVICE
    + CONFIG_CGROUPS
    + CONFIG_MEMCG

    The kernel must support [cgroups](https://en.wikipedia.org/wiki/Cgroups). The following requirements apply when running AWS IoT Greengrass with [containers](lambda-group-config.md#lambda-containerization-groupsettings):
    + The *memory* cgroup must be enabled and mounted to allow AWS IoT Greengrass to set the memory limit for Lambda functions.
    + The *devices* cgroup must be enabled and mounted if Lambda functions with [local resource access](access-local-resources.md) are used to open files on the AWS IoT Greengrass core device.
  + <a name="kernel_others_180"></a>Others:
    + CONFIG_POSIX_MQUEUE
    + CONFIG_OVERLAY_FS
    + CONFIG_HAVE_ARCH_SECCOMP_FILTER
    + CONFIG_SECCOMP_FILTER
    + CONFIG_KEYS
    + CONFIG_SECCOMP
    + CONFIG_SHMEM
+ <a name="s3_iot_root_cert_180"></a>The root certificate for Amazon S3 and AWS IoT must be present in the system trust store.
+ <a name="stream-manager-requirement"></a>[Stream manager](stream-manager.md) requires the Java 8 runtime and a minimum of 70 MB RAM in addition to the base AWS IoT Greengrass Core software memory requirement. Stream manager is enabled by default when you use the **Default Group creation** option on the AWS IoT console. Stream manager is not supported on OpenWrt distributions.
+ Libraries that support the [AWS Lambda runtime](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html) required by the Lambda functions you want to run locally. Required libraries must be installed on the core and added to the `PATH` environment variable. Multiple libraries can be installed on the same core.
  + <a name="runtime_python_3.7"></a>[Python](https://www.python.org/) version 3.7 for functions that use the Python 3.7 runtime.
  + <a name="runtime_python_2.7"></a>[Python](https://www.python.org/) version 2.7 for functions that use the Python 2.7 runtime.
  + <a name="runtime_nodejs_12.x"></a>[Node.js](https://www.nodejs.org/) version 12.x for functions that use the Node.js 12.x runtime.
  + <a name="runtime_java_8_190"></a>[Java](http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html) version 8 or later for functions that use the Java 8 runtime.
**Note**  
Running Java on an OpenWrt distribution isn't officially supported. However, if your OpenWrt build has Java support, you might be able to run Lambda functions authored in Java on your OpenWrt devices.

    For more information about AWS IoT Greengrass support for Lambda runtimes, see [Run Lambda functions on the AWS IoT Greengrass core](lambda-functions.md).
+ <a name="ota_agent_1100"></a>The following shell commands (not the BusyBox variants) are required by the [over-the-air (OTA) update agent](core-ota-update.md#ota-agent):
  + `wget`
  + `realpath`
  + `tar`
  + `readlink`
  + `basename`
  + `dirname`
  + `pidof`
  + `df`
  + `grep`
  + `umount`
  + `mv`
  + `gzip`
  + `mkdir`
  + `rm`
  + `ln`
  + `cut`
  + `cat`
  + `/bin/bash`

------
#### [ GGC v1.9 ]

Supported platforms:
+ <a name="arch_armv7l_193"></a>Architecture: Armv7l
  + OS: Linux
  + OS: Linux ([OpenWrt](https://openwrt.org/))
+ <a name="arch_armv8-aarch64_190"></a>Architecture: Armv8 (AArch64)
  + OS: Linux
  + OS: Linux ([OpenWrt](https://openwrt.org/))
+ <a name="arch_armv6l_193"></a>Architecture: Armv6l
  + OS: Linux
+ <a name="arch_x86-64_amazonlinux_190"></a>Architecture: x86_64
  + OS: Linux
+ <a name="arch_docker_180"></a>Windows, macOS, and Linux platforms can run AWS IoT Greengrass in a Docker container. For more information, see [Running AWS IoT Greengrass in a Docker container](run-gg-in-docker-container.md).

Requirements:
+ <a name="mem_128_disk_space_180"></a>Minimum 128 MB disk space available for the AWS IoT Greengrass Core software. If you use the [OTA update agent](core-ota-update.md), the minimum is <a name="req-core-ota-disk-space"></a>400 MB.
+ <a name="mem_128_ram_180"></a>Minimum 128 MB RAM allocated to the AWS IoT Greengrass Core software.
+ Linux kernel version:
  + <a name="kernel_4.4_180"></a>Linux kernel version 4.4 or later is required to support running AWS IoT Greengrass with [containers](lambda-group-config.md#lambda-containerization-considerations).
  + <a name="kernel_3.17_180"></a>Linux kernel version 3.17 or later is required to support running AWS IoT Greengrass without containers. In this configuration, the default Lambda function containerization for the Greengrass group must be set to **No container**. For instructions, see [Setting default containerization for Lambda functions in a group](lambda-group-config.md#lambda-containerization-groupsettings).
+ <a name="glibc_190"></a>[GNU C Library](https://www.gnu.org/software/libc/) (glibc) version 2.14 or later. OpenWrt distributions require [musl C Library](https://www.musl-libc.org/download.html) version 1.1.16 or later.
+ <a name="var_run_180"></a>The `/var/run` directory must be present on the device.
+ <a name="dev_dir_180"></a>The `/dev/stdin`, `/dev/stdout`, and `/dev/stderr` files must be available.
+ <a name="hardlink_softlink_180"></a>Hardlink and softlink protection must be enabled on the device. Otherwise, AWS IoT Greengrass can only be run in insecure mode, using the `-i` flag.
+ <a name="kernel_config_180"></a>The following Linux kernel configurations must be enabled on the device: 
  + <a name="kernel_namespace_180"></a>Namespace:
    + CONFIG_IPC_NS
    + CONFIG_UTS_NS
    + CONFIG_USER_NS
    + CONFIG_PID_NS
  + <a name="kernel_cgroups_180"></a>Cgroups:
    + CONFIG_CGROUP_DEVICE
    + CONFIG_CGROUPS
    + CONFIG_MEMCG

    The kernel must support [cgroups](https://en.wikipedia.org/wiki/Cgroups). The following requirements apply when running AWS IoT Greengrass with [containers](lambda-group-config.md#lambda-containerization-groupsettings):
    + The *memory* cgroup must be enabled and mounted to allow AWS IoT Greengrass to set the memory limit for Lambda functions.
    + The *devices* cgroup must be enabled and mounted if Lambda functions with [local resource access](access-local-resources.md) are used to open files on the AWS IoT Greengrass core device.
  + <a name="kernel_others_180"></a>Others:
    + CONFIG_POSIX_MQUEUE
    + CONFIG_OVERLAY_FS
    + CONFIG_HAVE_ARCH_SECCOMP_FILTER
    + CONFIG_SECCOMP_FILTER
    + CONFIG_KEYS
    + CONFIG_SECCOMP
    + CONFIG_SHMEM
+ <a name="s3_iot_root_cert_180"></a>The root certificate for Amazon S3 and AWS IoT must be present in the system trust store.
+ Libraries that support the [AWS Lambda runtime](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html) required by the Lambda functions you want to run locally. Required libraries must be installed on the core and added to the `PATH` environment variable. Multiple libraries can be installed on the same core.
  + <a name="runtime_python_2.7"></a>[Python](https://www.python.org/) version 2.7 for functions that use the Python 2.7 runtime.
  + <a name="runtime_python_3.7"></a>[Python](https://www.python.org/) version 3.7 for functions that use the Python 3.7 runtime.
  + <a name="runtime_nodejs_6.10"></a>[Node.js](https://www.nodejs.org/) version 6.10 or later for functions that use the Node.js 6.10 runtime.
  + <a name="runtime_nodejs_8.10"></a>[Node.js](https://www.nodejs.org/) version 8.10 or later for functions that use the Node.js 8.10 runtime.
  + <a name="runtime_java_8_190"></a>[Java](http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html) version 8 or later for functions that use the Java 8 runtime.
**Note**  
Running Java on an OpenWrt distribution isn't officially supported. However, if your OpenWrt build has Java support, you might be able to run Lambda functions authored in Java on your OpenWrt devices.

    For more information about AWS IoT Greengrass support for Lambda runtimes, see [Run Lambda functions on the AWS IoT Greengrass core](lambda-functions.md).
+ <a name="ota_agent_180"></a>The following shell commands (not the BusyBox variants) are required by the [over-the-air (OTA) update agent](core-ota-update.md#ota-agent):
  + `wget`
  + `realpath`
  + `tar`
  + `readlink`
  + `basename`
  + `dirname`
  + `pidof`
  + `df`
  + `grep`
  + `umount`
  + `mv`
  + `gzip`
  + `mkdir`
  + `rm`
  + `ln`
  + `cut`
  + `cat`

------
#### [ GGC v1.8 ]
+ Supported platforms:
  + <a name="arch_armv7l_rpi_180"></a>Architecture: Armv7l; OS: Linux
  + <a name="arch_x86-64_amazonlinux_180"></a>Architecture: x86_64; OS: Linux
  + <a name="arch_armv8-aarch64_archlinux_180"></a>Architecture: Armv8 (AArch64); OS: Linux
  + <a name="arch_docker_180"></a>Windows, macOS, and Linux platforms can run AWS IoT Greengrass in a Docker container. For more information, see [Running AWS IoT Greengrass in a Docker container](run-gg-in-docker-container.md).
  + <a name="arch_snap_180"></a>Linux platforms can run a version of AWS IoT Greengrass with limited functionality using the Greengrass snap, which is available through [Snapcraft](https://snapcraft.io/aws-iot-greengrass). For more information, see [AWS IoT Greengrass snap software](#gg-snapstore-download).
+ The following items are required:
  + <a name="mem_128_disk_space_180"></a>Minimum 128 MB disk space available for the AWS IoT Greengrass Core software. If you use the [OTA update agent](core-ota-update.md), the minimum is <a name="req-core-ota-disk-space"></a>400 MB.
  + <a name="mem_128_ram_180"></a>Minimum 128 MB RAM allocated to the AWS IoT Greengrass Core software.
  + Linux kernel version:
    + <a name="kernel_4.4_180"></a>Linux kernel version 4.4 or later is required to support running AWS IoT Greengrass with [containers](lambda-group-config.md#lambda-containerization-considerations).
    + <a name="kernel_3.17_180"></a>Linux kernel version 3.17 or later is required to support running AWS IoT Greengrass without containers. In this configuration, the default Lambda function containerization for the Greengrass group must be set to **No container**. For instructions, see [Setting default containerization for Lambda functions in a group](lambda-group-config.md#lambda-containerization-groupsettings).
  + <a name="glibc_180"></a>[GNU C Library](https://www.gnu.org/software/libc/) (glibc) version 2.14 or later.
  + <a name="var_run_180"></a>The `/var/run` directory must be present on the device.
  + <a name="dev_dir_180"></a>The `/dev/stdin`, `/dev/stdout`, and `/dev/stderr` files must be available.
  + <a name="hardlink_softlink_180"></a>Hardlink and softlink protection must be enabled on the device. Otherwise, AWS IoT Greengrass can only be run in insecure mode, using the `-i` flag.
  + <a name="kernel_config_180"></a>The following Linux kernel configurations must be enabled on the device: 
    + <a name="kernel_namespace_180"></a>Namespace:
      + CONFIG_IPC_NS
      + CONFIG_UTS_NS
      + CONFIG_USER_NS
      + CONFIG_PID_NS
    + <a name="kernel_cgroups_180"></a>Cgroups:
      + CONFIG_CGROUP_DEVICE
      + CONFIG_CGROUPS
      + CONFIG_MEMCG

      The kernel must support [cgroups](https://en.wikipedia.org/wiki/Cgroups). The following requirements apply when running AWS IoT Greengrass with [containers](lambda-group-config.md#lambda-containerization-groupsettings):
      + The *memory* cgroup must be enabled and mounted to allow AWS IoT Greengrass to set the memory limit for Lambda functions.
      + The *devices* cgroup must be enabled and mounted if Lambda functions with [local resource access](access-local-resources.md) are used to open files on the AWS IoT Greengrass core device.
    + <a name="kernel_others_180"></a>Others:
      + CONFIG_POSIX_MQUEUE
      + CONFIG_OVERLAY_FS
      + CONFIG_HAVE_ARCH_SECCOMP_FILTER
      + CONFIG_SECCOMP_FILTER
      + CONFIG_KEYS
      + CONFIG_SECCOMP
      + CONFIG_SHMEM
  + <a name="s3_iot_root_cert_180"></a>The root certificate for Amazon S3 and AWS IoT must be present in the system trust store.
+ The following items are conditionally required:
  + Libraries that support the [AWS Lambda runtime](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html) required by the Lambda functions you want to run locally. Required libraries must be installed on the core and added to the `PATH` environment variable. Multiple libraries can be installed on the same core.
    + <a name="runtime_python_2.7"></a>[Python](https://www.python.org/) version 2.7 for functions that use the Python 2.7 runtime.
    + <a name="runtime_nodejs_6.10"></a>[Node.js](https://www.nodejs.org/) version 6.10 or later for functions that use the Node.js 6.10 runtime.
    + <a name="runtime_java_8"></a>[Java](http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html) version 8 or later for functions that use the Java 8 runtime.
  + <a name="ota_agent_180"></a>The following shell commands (not the BusyBox variants) are required by the [over-the-air (OTA) update agent](core-ota-update.md#ota-agent):
    + `wget`
    + `realpath`
    + `tar`
    + `readlink`
    + `basename`
    + `dirname`
    + `pidof`
    + `df`
    + `grep`
    + `umount`
    + `mv`
    + `gzip`
    + `mkdir`
    + `rm`
    + `ln`
    + `cut`
    + `cat`

------
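
The kernel configuration, kernel version, cgroup, and link-protection requirements listed in the tabs above can be checked on a device before the core software is installed. The following shell script is an added example, not AWS code; its function names, its four file arguments, the constructed sample host, and the choice to count `=m` as enabled are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for the kernel requirements listed in the tabs above.
# Option names and version thresholds come from the page; function names,
# arguments and the sample host are assumptions of this example.

REQUIRED_KCONFIG="CONFIG_IPC_NS CONFIG_UTS_NS CONFIG_USER_NS CONFIG_PID_NS
CONFIG_CGROUP_DEVICE CONFIG_CGROUPS CONFIG_MEMCG CONFIG_POSIX_MQUEUE
CONFIG_OVERLAY_FS CONFIG_HAVE_ARCH_SECCOMP_FILTER CONFIG_SECCOMP_FILTER
CONFIG_KEYS CONFIG_SECCOMP CONFIG_SHMEM"

# Print each required option that is neither built in (=y) nor a module (=m).
# Counting =m as enabled is an assumption. Returns 2 if the file is unreadable.
missing_kconfig() {
    case $1 in
        *.gz) text=$(gzip -dc "$1" 2>/dev/null) || return 2 ;;
        *)    text=$(cat "$1" 2>/dev/null) || return 2 ;;
    esac
    for opt in $REQUIRED_KCONFIG; do
        printf '%s\n' "$text" | grep -Eq "^${opt}=[ym]\$" || printf '%s\n' "$opt"
    done
}

# Succeed when kernel release $1 (for example 5.10.0-23-amd64) is at least
# the major.minor version $2.
kernel_at_least() {
    have_major=${1%%.*}
    rest=${1#*.}
    have_minor=${rest%%[!0-9]*}
    [ "$have_major" -gt "${2%%.*}" ] ||
        { [ "$have_major" -eq "${2%%.*}" ] && [ "$have_minor" -ge "${2#*.}" ]; }
}

# Succeed when both link-protection sysctl files in directory $1 contain 1.
link_protection_enabled() {
    [ "$(cat "$1/protected_hardlinks" 2>/dev/null)" = 1 ] &&
        [ "$(cat "$1/protected_symlinks" 2>/dev/null)" = 1 ]
}

# Succeed when cgroup controller $1 is enabled and attached to a mounted
# hierarchy, read from a /proc/cgroups-format file $2
# (columns: subsys_name hierarchy num_cgroups enabled).
cgroup_ready() {
    awk -v n="$1" '$1 == n && $2 != 0 && $4 == 1 { ok = 1 } END { exit !ok }' "$2"
}

# Print a FAIL line per unmet requirement and succeed only if there are none.
# Args: kernel config file, kernel release, sysctl fs directory, cgroups file.
gg_preflight() {
    fails=0
    if missing=$(missing_kconfig "$1"); then
        for m in $missing; do
            echo "FAIL kernel option $m is not enabled"; fails=$((fails + 1))
        done
    else
        echo "FAIL cannot read kernel config $1"; fails=$((fails + 1))
    fi
    if kernel_at_least "$2" 4.4; then
        cgroup_ready memory "$4" ||
            { echo "FAIL memory cgroup is not enabled and mounted"; fails=$((fails + 1)); }
        cgroup_ready devices "$4" ||
            echo "WARN devices cgroup is needed for local resource access"
    elif kernel_at_least "$2" 3.17; then
        echo "NOTE kernel $2 supports only the No container setting"
    else
        echo "FAIL kernel $2 is older than 3.17"; fails=$((fails + 1))
    fi
    link_protection_enabled "$3" ||
        { echo "FAIL link protection is off (core starts only with -i)"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Constructed sample host (not a real device): user namespaces and OverlayFS
# are off, symlink protection is off, the devices cgroup is not mounted.
write_sample_host() {
    mkdir -p "$1/fs"
    for opt in $REQUIRED_KCONFIG; do
        case $opt in
            CONFIG_USER_NS|CONFIG_OVERLAY_FS) echo "# $opt is not set" ;;
            *) echo "$opt=y" ;;
        esac
    done > "$1/config"
    echo 1 > "$1/fs/protected_hardlinks"
    echo 0 > "$1/fs/protected_symlinks"
    printf '%s\n' '#subsys_name hierarchy num_cgroups enabled' \
        'memory 4 120 1' 'devices 0 1 1' > "$1/cgroups"
}

demo=$(mktemp -d)
write_sample_host "$demo"
gg_preflight "$demo/config" 4.19.0 "$demo/fs" "$demo/cgroups" || true
rm -rf "$demo"
# On a real core, for example:
#   gg_preflight "/boot/config-$(uname -r)" "$(uname -r)" /proc/sys/fs /proc/cgroups
# (use /proc/config.gz where the distribution exposes the config there).
```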

<a name="gg-limits-genref"></a>For information about AWS IoT Greengrass quotas (limits), see [Service Quotas](https://docs.aws.amazon.com/general/latest/gr/greengrass.html#limits_greengrass) in the *Amazon Web Services General Reference*.

<a name="gg-iot-pricing"></a>For pricing information, see [AWS IoT Greengrass pricing](https://aws.amazon.com/greengrass/pricing) and [AWS IoT Core pricing](https://aws.amazon.com/iot-core/pricing).

## AWS IoT Greengrass downloads
<a name="gg-downloads"></a>

You can use the following information to find and download software for use with AWS IoT Greengrass.

**Topics**
+ [AWS IoT Greengrass Core software](#gg-core-download-tab)
+ [AWS IoT Greengrass snap software](#gg-snapstore-download)
+ [AWS IoT Greengrass Docker software](#gg-docker-download)
+ [AWS IoT Greengrass Core SDK](#gg-core-sdk-download)
+ [Supported machine learning runtimes and libraries](#ml-runtimes-libs)
+ [AWS IoT Greengrass ML SDK software](#gg-ml-sdk-download)

### AWS IoT Greengrass Core software
<a name="gg-core-download-tab"></a>

<a name="ggc-software-descripton"></a> The AWS IoT Greengrass Core software extends AWS functionality onto an AWS IoT Greengrass core device, making it possible for local devices to act locally on the data they generate.

------
#### [ v1.11 ]<a name="ggc-v1.11-tab"></a>

1.11.6  
Bug fixes and improvements:  
+ Improved resilience if sudden power loss occurs during a deployment.
+ Fixed an issue where stream manager data corruption could prevent the AWS IoT Greengrass Core software from starting.
+ Fixed an issue where new client devices couldn't connect to the core in certain scenarios.
+ Fixed an issue where stream manager stream names couldn't contain `.log`.

1.11.5  
Bug fixes and improvements:  
+ General performance improvements and bug fixes.

1.11.4  
Bug fixes and improvements:  
+ Fixed an issue with stream manager that prevented upgrades to AWS IoT Greengrass Core software v1.11.3. If you are using stream manager to export data to the cloud, you can now use an OTA update to upgrade an earlier v1.x version of the AWS IoT Greengrass Core software to v1.11.4.
+ General performance improvements and bug fixes. 

1.11.3  
Bug fixes and improvements:  
+ Fixed an issue that caused AWS IoT Greengrass Core software running in a snap on an Ubuntu device to stop responding after a sudden power loss to the device.
+ Fixed an issue that caused delayed delivery of MQTT messages to long-lived Lambda functions. 
+ Fixed an issue that caused MQTT messages to not be sent correctly when the `maxWorkItemCount` value was set to a value greater than `1024`. 
+ Fixed an issue that caused the OTA update agent to ignore the MQTT `KeepAlive` period specified in the `keepAlive` property in [`config.json`](gg-core.md#config-json).
+ General performance improvements and bug fixes. 
If you are using stream manager to export data to the cloud, do *not* upgrade to AWS IoT Greengrass Core software v1.11.3 from an earlier v1.x version. If you are enabling stream manager for the first time, we strongly recommend that you first install the latest version of the AWS IoT Greengrass Core software.

1.11.1  
Bug fixes and improvements:  
+ Fixed an issue that caused increased memory use for stream manager.
+ Fixed an issue that caused stream manager to reset the sequence number of the stream to `0` if the Greengrass core device was turned off for longer than the specified time-to-live (TTL) period of the stream data.
+ Fixed an issue that prevented stream manager from correctly stopping retry attempts to export data to the AWS Cloud.

1.11.0  
New features:  <a name="what-new-v1110"></a>
+ A telemetry agent on the Greengrass core collects local telemetry data and publishes it to the AWS Cloud. To retrieve the telemetry data for further processing, customers can create an Amazon EventBridge rule and subscribe to a target. For more information, see [Gathering system health telemetry data from AWS IoT Greengrass core devices](https://docs.aws.amazon.com/greengrass/v1/developerguide/telemetry.html).
+ A local HTTP API returns a snapshot of the current state of local worker processes started by AWS IoT Greengrass. For more information, see [Calling the local health check API](https://docs.aws.amazon.com/greengrass/v1/developerguide/health-check.html).
+ A [stream manager](stream-manager.md) automatically exports data to Amazon S3 and AWS IoT SiteWise.

  New [stream manager parameters](configure-stream-manager.md) let you update existing streams and pause or resume data export.
+ Support for running Python 3.8.x Lambda functions on the core.
+ A new `ggDaemonPort` property in [`config.json`](gg-core.md#config-json) that you use to configure the Greengrass core IPC port number. The default port number is 8000.

  A new `systemComponentAuthTimeout` property in [`config.json`](gg-core.md#config-json) that you use to configure the timeout for Greengrass core IPC authentication. The default timeout is 5000 milliseconds.
+ Increased the maximum number of AWS IoT devices per AWS IoT Greengrass group from 200 to 2500. 

  Increased the maximum number of subscriptions per group from 1000 to 10000. 

  For more information, see [AWS IoT Greengrass endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/greengrass.html).
Bug fixes and improvements:  <a name="bug-fix-v1110"></a>
+ General optimization that can reduce the memory utilization of the Greengrass service processes.
+ A new runtime configuration parameter (`mountAllBlockDevices`) lets Greengrass use bind mounts to mount all block devices into a container after setting up the OverlayFS. This feature resolved an issue that caused Greengrass deployment failure if `/usr` isn't under the `/` hierarchy.
+ Fixed an issue that caused AWS IoT Greengrass core failure if `/tmp` is a symlink.
+ Fixed an issue to let the Greengrass deployment agent remove unused machine learning model artifacts from the `mlmodel_public` folder.
+ General performance improvements and bug fixes.

To install the AWS IoT Greengrass Core software on your core device, download the package for your architecture and operating system (OS), and then follow the steps in the [Getting Started Guide](gg-gs.md).

**Tip**  
<a name="ggc-install-options"></a>AWS IoT Greengrass also provides other options for installing the AWS IoT Greengrass Core software. For example, you can use [Greengrass device setup](quick-start.md) to configure your environment and install the latest version of the AWS IoT Greengrass Core software. Or, on supported Debian platforms, you can use the [APT package manager](install-ggc.md#ggc-package-manager) to install or upgrade the AWS IoT Greengrass Core software. For more information, see [Install the AWS IoT Greengrass Core software](install-ggc.md).


| Architecture | Operating system | Link | 
| --- | --- | --- | 
| Armv8 (AArch64) | Linux | [Download](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.11.6/greengrass-linux-aarch64-1.11.6.tar.gz) | 
| Armv8 (AArch64) | Linux (OpenWrt) | [Download](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.11.6/greengrass-openwrt-aarch64-1.11.6.tar.gz) | 
| Armv7l | Linux | [Download](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.11.6/greengrass-linux-armv7l-1.11.6.tar.gz) | 
| Armv7l | Linux (OpenWrt) | [Download](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.11.6/greengrass-openwrt-armv7l-1.11.6.tar.gz) | 
| Armv6l | Linux | [Download](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.11.6/greengrass-linux-armv6l-1.11.6.tar.gz) | 
| x86_64 | Linux | [Download](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.11.6/greengrass-linux-x86-64-1.11.6.tar.gz) | 

------
#### [ Extended life versions ]

1.10.5  
New features in v1.10:  <a name="what-new-v1100"></a>
+ A stream manager that processes data streams locally and exports them to the AWS Cloud automatically. This feature requires Java 8 on the Greengrass core device. For more information, see [Manage data streams on the AWS IoT Greengrass core](stream-manager.md).
+ A new Greengrass Docker application deployment connector that runs a Docker application on a core device. For more information, see [Docker application deployment connector](docker-app-connector.md).
+ A new IoT SiteWise connector that sends industrial device data from OPC-UA servers to asset properties in AWS IoT SiteWise. For more information, see [IoT SiteWise connector](iot-sitewise-connector.md).
+ Lambda functions that run without containerization can access machine learning resources in the Greengrass group. For more information, see [Access machine learning resources from Lambda functions](access-ml-resources.md).
+ Support for MQTT persistent sessions with AWS IoT. For more information, see [MQTT persistent sessions with AWS IoT Core](gg-core.md#mqtt-persistent-sessions).
+ Local MQTT traffic can travel over a port other than the default port 8883. For more information, see [Configure the MQTT port for local messaging](gg-core.md#config-local-mqtt-port).
+ New `queueFullPolicy` options in the [AWS IoT Greengrass Core SDK](lambda-functions.md#lambda-sdks-core) for reliable message publishing from Lambda functions.
+ Support for running Node.js 12.x Lambda functions on the core.

Bug fixes and improvements:  
+ <a name="bug-fix-v1100-ota"></a>Over-the-air (OTA) updates with hardware security integration can be configured with OpenSSL 1.1.
+ <a name="bug-fix-v1101-stream-mgr"></a>[Stream manager](stream-manager.md) is more resilient to file data corruption.
+ <a name="bug-fix-v1101-sysfs"></a>Fixed an issue that causes a sysfs mount failure on devices using Linux kernel 5.1 and later.
+ <a name="bug-fix-v1102-mqtt-operation-timeout"></a>A new `mqttOperationTimeout` property in [config.json](gg-core.md#config-json) that you use to set the timeout for publish, subscribe, and unsubscribe operations in MQTT connections with AWS IoT Core.
+ <a name="bug-fix-v1103-stream-manager-mem-usage"></a>Fixed an issue that caused increased memory use for stream manager.
+ <a name="bug-fix-v1103-system-component-auth-timeout"></a>A new `systemComponentAuthTimeout` property in [`config.json`](gg-core.md#config-json) that you use to configure the timeout for Greengrass core IPC authentication. The default timeout is 5000 milliseconds.
+ <a name="bug-fix-v1104-ota-mqtt-keep-alive"></a>Fixed an issue that caused the OTA update agent to ignore the MQTT `KeepAlive` period specified in the `keepAlive` property in [`config.json`](gg-core.md#config-json). 
+ <a name="bug-fix-v1104-mqtt-max-work-item-count"></a>Fixed an issue that caused MQTT messages to not be sent correctly when the `maxWorkItemCount` value was set to a value greater than `1024`. 
+ <a name="bug-fix-v1104-mqtt-long-lived-delay"></a>Fixed an issue that caused delayed delivery of MQTT messages to long-lived Lambda functions. 
+ <a name="bug-fix-v1104-snap-power-loss"></a>Fixed an issue that caused AWS IoT Greengrass Core software running in a snap on an Ubuntu device to stop responding after a sudden power loss to the device.
+ General performance improvements and bug fixes. 

To install the AWS IoT Greengrass Core software on your core device, download the package for your architecture and operating system (OS), and then follow the steps in the [Getting Started Guide](gg-gs.md).
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html)

1.9.4  
New features in v1.9:  
+ <a name="what-new-v190-runtimes"></a>Support for Python 3.7 and Node.js 8.10 Lambda runtimes. Lambda functions that use Python 3.7 and Node.js 8.10 runtimes can now run on an AWS IoT Greengrass core. (AWS IoT Greengrass continues to support the Python 2.7 and Node.js 6.10 runtimes.)
+ <a name="what-new-v190-mqtt-opt"></a>Optimized MQTT connections. The Greengrass core establishes fewer connections with the AWS IoT Core. This change can reduce operational costs for charges that are based on the number of connections.
+ <a name="what-new-v190-ec-key"></a>Elliptic Curve (EC) key for the local MQTT server. The local MQTT server supports EC keys in addition to RSA keys. (The MQTT server certificate has an SHA-256 RSA signature, regardless of the key type.) For more information, see [AWS IoT Greengrass core security principals](gg-sec.md#gg-principals).
+ <a name="what-new-v192-openwrt"></a>Support for [OpenWrt](https://openwrt.org/). AWS IoT Greengrass Core software v1.9.2 or later can be installed on OpenWrt distributions with Armv8 (AArch64) and Armv7l architectures. Currently, OpenWrt does not support ML inference.
+ <a name="what-new-v193-armv6l"></a>Support for Armv6l. AWS IoT Greengrass Core software v1.9.3 or later can be installed on Raspbian distributions on Armv6l architectures (for example, on Raspberry Pi Zero devices).
+ <a name="what-new-v193-ota-alpn"></a>OTA updates on port 443 with ALPN. Greengrass cores that use port 443 for MQTT traffic now support over-the-air (OTA) software updates. AWS IoT Greengrass uses the Application-Layer Protocol Negotiation (ALPN) TLS extension to enable these connections. For more information, see [OTA updates of AWS IoT Greengrass Core software](core-ota-update.md) and [Connect on port 443 or through a network proxy](gg-core.md#alpn-network-proxy).

To install the AWS IoT Greengrass Core software on your core device, download the package for your architecture and operating system (OS), and then follow the steps in the [Getting Started Guide](gg-gs.md).
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html)

1.8.4  
+ <a name="what-new-v180"></a>New features:
  + Configurable default access identity for Lambda functions in the group. This group-level setting determines the default permissions that are used to run Lambda functions. You can set the user ID, group ID, or both. Individual Lambda functions can override the default access identity of their group. For more information, see [Setting the default access identity for Lambda functions in a group](lambda-group-config.md#lambda-access-identity-groupsettings).
  + HTTPS traffic over port 443. HTTPS communication can be configured to travel over port 443 instead of the default port 8443. This complements AWS IoT Greengrass support for the Application-Layer Protocol Negotiation (ALPN) TLS extension and allows all Greengrass messaging traffic (both MQTT and HTTPS) to use port 443. For more information, see [Connect on port 443 or through a network proxy](gg-core.md#alpn-network-proxy).
  + Predictably named client IDs for AWS IoT connections. This change enables support for AWS IoT Device Defender and [AWS IoT lifecycle events](https://docs.aws.amazon.com/iot/latest/developerguide/life-cycle-events.html), so you can receive notifications for connect, disconnect, subscribe, and unsubscribe events. Predictable naming also makes it easier to create logic around connection IDs (for example, to create [subscribe policy](https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cert) templates based on certificate attributes). For more information, see [Client IDs for MQTT connections with AWS IoT](gg-core.md#connection-client-id).

  Bug fixes and improvements:
  + Fixed an issue with shadow synchronization and device certificate manager reconnection.
  + General performance improvements and bug fixes.

To install the AWS IoT Greengrass Core software on your core device, download the package for your architecture and operating system (OS), and then follow the steps in the [Getting Started Guide](gg-gs.md).
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/what-is-gg.html)

------

 By downloading this software, you agree to the [ Greengrass Core Software License Agreement](https://greengrass-release-license.s3.us-west-2.amazonaws.com/greengrass-license-v1.pdf). 

For information about other options for installing the AWS IoT Greengrass Core software on your device, see [Install the AWS IoT Greengrass Core software](install-ggc.md).

 

### AWS IoT Greengrass snap software
<a name="gg-snapstore-download"></a>

<a name="gg-snap-description"></a>AWS IoT Greengrass snap 1.11.x enables you to run a limited version of AWS IoT Greengrass through convenient software packages, along with all necessary dependencies, in a containerized environment.

**Note**  <a name="gg-snap-v1.11-note"></a>
The AWS IoT Greengrass snap is available for AWS IoT Greengrass Core software v1.11.x. AWS IoT Greengrass doesn’t provide a snap for v1.10.x. Unsupported versions don't receive bug fixes or updates.   
The AWS IoT Greengrass snap doesn't support connectors and machine learning (ML) inference.

For more information, see [Run AWS IoT Greengrass in a snap](install-ggc.md#gg-snap-support).

 

### AWS IoT Greengrass Docker software
<a name="gg-docker-download"></a>

AWS provides a Dockerfile and Docker images that make it easier for you to run AWS IoT Greengrass in a Docker container.

Dockerfile  
Dockerfiles contain source code for building custom AWS IoT Greengrass container images. Images can be modified to run on different platform architectures or to reduce the image size. For instructions, see the README file.  
Download your target AWS IoT Greengrass Core software version.  
+ [Dockerfile for AWS IoT Greengrass v1.11.6](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.11.6/aws-greengrass-docker-1.11.6.tar.gz)
+ [Dockerfile for AWS IoT Greengrass v1.10.5](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.10.5/aws-greengrass-docker-1.10.5.tar.gz)
+ [Dockerfile for AWS IoT Greengrass v1.9.4](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.9.4/aws-greengrass-docker-1.9.4.tar.gz)
+ [Dockerfile for AWS IoT Greengrass v1.8.1](https://d1onfpft10uf5o.cloudfront.net/greengrass-core/downloads/1.8.1/aws-greengrass-docker-1.8.1.tar.gz)
 

Docker image  
Docker images have the AWS IoT Greengrass Core software and dependencies installed on Amazon Linux 2 (x86_64) and Alpine Linux (x86_64, Armv7l, or AArch64) base images. You can use prebuilt images to start experimenting with AWS IoT Greengrass.  
<a name="docker-images-end-of-maintenance"></a>On June 30, 2022, AWS IoT Greengrass ended maintenance for AWS IoT Greengrass Core software v1.x Docker images that are published to Amazon Elastic Container Registry (Amazon ECR) and Docker Hub. You can continue to download these Docker images from Amazon ECR and Docker Hub until June 30, 2023, which is 1 year after maintenance ended. However, the AWS IoT Greengrass Core software v1.x Docker images no longer receive security patches or bug fixes after maintenance ended on June 30, 2022. If you run a production workload that depends on these Docker images, we recommend that you build your own Docker images using the Dockerfiles that AWS IoT Greengrass provides. For more information, see [AWS IoT Greengrass Version 1 maintenance policy](maintenance-policy.md).
Download a prebuilt image from [ Docker Hub](https://hub.docker.com/r/amazon/aws-iot-greengrass) or Amazon Elastic Container Registry (Amazon ECR).  
+ For Docker Hub, use the *version* tag to download a specific version of the Greengrass Docker image. To find tags for all available images, check the **Tags** page on Docker Hub. 
+ For Amazon ECR, use the `latest` tag to download the latest available version of the Greengrass Docker image. For more information about listing available image versions and downloading images from Amazon ECR, see [Running AWS IoT Greengrass in a Docker container](run-gg-in-docker-container.md).

Starting with v1.11.6 of the AWS IoT Greengrass Core software, the Greengrass Docker images no longer include Python 2.7, because Python 2.7 reached end-of-life in 2020 and no longer receives security updates. If you choose to update to these Docker images, we recommend that you validate that your applications work with the new Docker images before you deploy the updates to production devices. If you require Python 2.7 for your application that uses a Greengrass Docker image, you can modify the Greengrass Dockerfile to include Python 2.7 for your application.

AWS IoT Greengrass doesn’t provide Docker images for AWS IoT Greengrass Core software v1.11.1.

By default, `alpine-aarch64` and `alpine-armv7l` images can run only on Arm-based hosts. To run these images on an x86 host, you can install [QEMU](https://www.qemu.org/) and mount the QEMU libraries on the host. For example:  

```
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
```

 

### AWS IoT Greengrass Core SDK
<a name="gg-core-sdk-download"></a>

Lambda functions use the AWS IoT Greengrass Core SDK to interact with the AWS IoT Greengrass core locally. This allows deployed Lambda functions to:<a name="gg-core-sdk-functionality"></a>
+ Exchange MQTT messages with AWS IoT Core.
+ Exchange MQTT messages with connectors, client devices, and other Lambda functions in the Greengrass group.
+ Interact with the local shadow service.
+ Invoke other local Lambda functions.
+ Access [secret resources](secrets.md).
+ Interact with [stream manager](stream-manager.md).

Download the AWS IoT Greengrass Core SDK for your language or platform from GitHub.<a name="gg-core-sdk-download-list"></a>
+ [AWS IoT Greengrass Core SDK for Java](https://github.com/aws/aws-greengrass-core-sdk-java/)
+ [AWS IoT Greengrass Core SDK for Node.js](https://github.com/aws/aws-greengrass-core-sdk-js/)
+ [AWS IoT Greengrass Core SDK for Python](https://github.com/aws/aws-greengrass-core-sdk-python/)
+ [AWS IoT Greengrass Core SDK for C](https://github.com/aws/aws-greengrass-core-sdk-c/)

For more information, see [AWS IoT Greengrass Core SDK](lambda-functions.md#lambda-sdks-core).

 <a name="gg-ml-runtimes-pc-libs"></a>

### Supported machine learning runtimes and libraries
<a name="ml-runtimes-libs"></a>

 To [perform inference](ml-inference.md) on a Greengrass core, you must install the machine learning runtime or library for your ML model type.

AWS IoT Greengrass supports the following ML model types. Use these links to find information about how to install the runtime or library for your model type and device platform.
+ [Deep Learning Runtime (DLR)](https://neo-ai-dlr.readthedocs.io/en/latest/install.html)
+ [MXNet](https://mxnet.apache.org/get_started/?)
+ [TensorFlow](https://www.tensorflow.org/install)

#### Machine learning samples
<a name="gg-ml-samples"></a>

AWS IoT Greengrass provides samples that you can use with supported ML runtimes and libraries. These samples are released under the [Greengrass Core Software License Agreement](https://greengrass-release-license.s3.us-west-2.amazonaws.com/greengrass-license-v1.pdf).

------
#### [  Deep learning runtime (DLR)  ]

Download the sample for your device platform:
+ DLR sample for [ Raspberry Pi](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-samples/dlr/dlr-py3-armv7l.tar.gz)
+ DLR sample for [ NVIDIA Jetson TX2](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-samples/dlr/dlr-py3-aarch64.tar.gz)
+ DLR sample for [ Intel Atom](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-samples/dlr/dlr-py3-x86_64.tar.gz)

For a tutorial that uses the DLR sample, see [How to configure optimized machine learning inference using the AWS Management Console](ml-dlc-console.md).

------
#### [  MXNet  ]

Download the sample for your device platform:
+ MXNet sample for [ Raspberry Pi](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-samples/mxnet/mxnet-py3-armv7l.tar.gz)
+ MXNet sample for [ NVIDIA Jetson TX2](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-samples/mxnet/mxnet-py3-aarch64.tar.gz)
+ MXNet sample for [ Intel Atom](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-samples/mxnet/mxnet-py3-x86_64.tar.gz)

For a tutorial that uses the MXNet sample, see [How to configure machine learning inference using the AWS Management Console](ml-console.md).

------
#### [  TensorFlow  ]

Download the [TensorFlow sample](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-samples/tf/tf-py3.tar.gz) for your device platform. This sample works with Raspberry Pi, NVIDIA Jetson TX2, and Intel Atom.

------

 

### AWS IoT Greengrass ML SDK software
<a name="gg-ml-sdk-download"></a>

The [AWS IoT Greengrass Machine Learning SDK](lambda-functions.md#lambda-sdks-ml) enables the Lambda functions you author to consume a local machine learning model and send data to the [ML Feedback](ml-feedback-connector.md) connector for uploading and publishing.

------
#### [  v1.1.0  ]
+  [ Python 3.7](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-sdk/downloads/python/3.7/greengrass-machine-learning-python-sdk-1.1.0.tar.gz). 

------
#### [  v1.0.0  ]
+  [ Python 2.7](https://d1onfpft10uf5o.cloudfront.net/greengrass-ml-sdk/downloads/python/2.7/greengrass-machine-learning-python-sdk-1.0.0.tar.gz). 

------

## We want to hear from you
<a name="contact-us"></a>

We welcome your feedback. To contact us, visit [AWS re:Post](https://repost.aws/) and use the [AWS IoT Greengrass tag](https://repost.aws/tags/TA4ckIed1sR4enZBey29rKTg/aws-io-t-greengrass).

# Install the AWS IoT Greengrass Core software
<a name="install-ggc"></a>

<a name="ggc-software-descripton"></a> The AWS IoT Greengrass Core software extends AWS functionality onto an AWS IoT Greengrass core device, making it possible for local devices to act locally on the data they generate.

AWS IoT Greengrass provides several options for installing the AWS IoT Greengrass Core software:
+ [Download and extract a tar.gz file](#download-and-extract-tarball).
+ [Run the Greengrass Device Setup script](#run-device-setup-script).
+ [Install from an APT repository](#ggc-package-manager).

AWS IoT Greengrass also provides containerized environments that run the AWS IoT Greengrass Core software.
+ [Run AWS IoT Greengrass in a Docker container](#gg-docker-support).
+ [Run AWS IoT Greengrass in a snap](#gg-snap-support).

 

## Download and extract the AWS IoT Greengrass Core software package
<a name="download-and-extract-tarball"></a>

Choose the AWS IoT Greengrass Core software for your platform to download as a tar.gz file and extract on your device. You can download recent versions of the software. For more information, see [AWS IoT Greengrass Core software](what-is-gg.md#gg-core-download-tab).

 

## Run the Greengrass device setup script
<a name="run-device-setup-script"></a>

Run Greengrass device setup to configure your device, install the latest AWS IoT Greengrass Core software version, and deploy a Hello World Lambda function in minutes. For more information, see [Quick start: Greengrass device setup](quick-start.md).

 

## Install the AWS IoT Greengrass Core software from an APT repository
<a name="ggc-package-manager"></a>

**Important**  
As of February 11, 2022, you can no longer install or update the AWS IoT Greengrass Core software from an APT repository. On devices where you added the AWS IoT Greengrass repository, you must [remove the repository from the sources list](#ggc-package-manager-remove-sources). Devices that run the software from the APT repository will continue to operate normally. We recommend that you update the AWS IoT Greengrass Core software using [tar files](#download-and-extract-tarball).

The APT repository provided by AWS IoT Greengrass includes the following packages:
+ `aws-iot-greengrass-core`. Installs the AWS IoT Greengrass Core software.
+ `aws-iot-greengrass-keyring`. Installs the GnuPG (GPG) keys used to sign the AWS IoT Greengrass package repository.

  By downloading this software, you agree to the [ Greengrass Core Software License Agreement](https://greengrass-release-license.s3.us-west-2.amazonaws.com/greengrass-license-v1.pdf).

**Topics**
+ [Use systemd scripts to manage the Greengrass daemon lifecycle](#ggc-package-manager-systemd)
+ [Uninstall the AWS IoT Greengrass core software using the APT repository](#ggc-package-manager-uninstall)
+ [Remove the AWS IoT Greengrass core software repository sources](#ggc-package-manager-remove-sources)

### Use systemd scripts to manage the Greengrass daemon lifecycle
<a name="ggc-package-manager-systemd"></a>

The `aws-iot-greengrass-core` package also installs `systemd` scripts that you can use to manage the AWS IoT Greengrass Core software (daemon) lifecycle.
+ To start the Greengrass daemon during boot:

  ```
  systemctl enable greengrass.service
  ```
+ To start the Greengrass daemon:

  ```
  systemctl start greengrass.service
  ```
+ To stop the Greengrass daemon:

  ```
  systemctl stop greengrass.service
  ```
+ To check the status of the Greengrass daemon:

  ```
  systemctl status greengrass.service
  ```

### Uninstall the AWS IoT Greengrass core software using the APT repository
<a name="ggc-package-manager-uninstall"></a>

When you uninstall the AWS IoT Greengrass core software, you can choose whether to preserve or remove the AWS IoT Greengrass core software's configuration information, such as device certificates, group information, and log files.

**To uninstall the AWS IoT Greengrass core software and preserve configuration information**
+ Run the following command to remove the AWS IoT Greengrass core software packages and preserve configuration information in the `/greengrass` folder.

  ```
  sudo apt remove aws-iot-greengrass-core aws-iot-greengrass-keyring
  ```

**To uninstall the AWS IoT Greengrass core software and remove configuration information**

1. Run the following command to remove the AWS IoT Greengrass core software packages and remove configuration information from the `/greengrass` folder.

   ```
   sudo apt purge aws-iot-greengrass-core aws-iot-greengrass-keyring
   ```

1. Remove the AWS IoT Greengrass core software repository from your sources list. For more information, see [Remove the AWS IoT Greengrass core software repository sources](#ggc-package-manager-remove-sources).

### Remove the AWS IoT Greengrass core software repository sources
<a name="ggc-package-manager-remove-sources"></a>

You can remove the AWS IoT Greengrass core software repository sources when you no longer need to install or update the AWS IoT Greengrass core software from the APT repository. After February 11, 2022, you must remove the repository from your sources list to avoid an error when you run `apt update`.

**To remove the APT repository from the sources list**
+ Run the following commands to remove the AWS IoT Greengrass core software repository from the sources list.

  ```
  sudo rm /etc/apt/sources.list.d/greengrass.list
  sudo apt update
  ```

## Run AWS IoT Greengrass in a Docker container
<a name="gg-docker-support"></a>

AWS IoT Greengrass provides a Dockerfile and Docker images that make it easier for you to run the AWS IoT Greengrass Core software in a Docker container. For more information, see [AWS IoT Greengrass Docker software](what-is-gg.md#gg-docker-download).

**Note**  
You can also run a Docker application on a Greengrass core device. To do so, use the [Greengrass Docker application deployment connector](docker-app-connector.md).

 

## Run AWS IoT Greengrass in a snap
<a name="gg-snap-support"></a>

<a name="gg-snap-description"></a>AWS IoT Greengrass snap 1.11.x enables you to run a limited version of AWS IoT Greengrass through convenient software packages, along with all necessary dependencies, in a containerized environment.

<a name="gg-snap-support-ends"></a>On December 31, 2023, AWS IoT Greengrass will end maintenance for the AWS IoT Greengrass core software version 1.11.x Snap that is published on [ snapcraft.io ](https://snapcraft.io/aws-iot-greengrass). Devices currently running the Snap will continue to work until further notice. However, the AWS IoT Greengrass core Snap will no longer receive security patches or bug fixes after maintenance ends.

### Snap concepts
<a name="gg-snap-concepts"></a>

The following are essential snap concepts to help you understand how to use the AWS IoT Greengrass snap:

**[Channel](https://snapcraft.io/docs/channels)**  
A snap component that defines which version of a snap is installed and tracked for updates. Snaps are automatically updated to the latest version of the current channel.

**[Interface](https://snapcraft.io/docs/interface-management)**  
A snap component that grants access to resources, such as networks and user files.  
To run the AWS IoT Greengrass snap, the following interfaces must be connected. Note that `greengrass-support-no-container` must be connected first and never disconnected.  

```
      - greengrass-support-no-container
      - hardware-observe
      - home-for-hooks
      - hugepages-control
      - log-observe
      - mount-observe
      - network
      - network-bind
      - network-control
      - process-control
      - system-observe
```
The other interfaces are optional. If your Lambda functions require access to specific resources, you might need to connect to the appropriate interfaces.

**[Refresh](https://snapcraft.io/docs/managing-updates)**  
Snaps are automatically updated. The `snapd` daemon is the snap package manager that checks for updates four times a day by default. Each update check is called a refresh. When a refresh occurs, the daemon stops, the snap gets updated, and then the daemon restarts.

For more information, see the [Snapcraft](https://snapcraft.io/) website.
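
The required-interface list above can be checked mechanically. The following is an added example, not part of the AWS documentation: a shell function that reads the output of `snap connections aws-iot-greengrass` and reports required plugs that are not connected and optional plugs that are. The function names, the `MISSING`/`EXTRA` labels, and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Plugs this guide lists as required for the AWS IoT Greengrass snap.
REQUIRED_PLUGS="greengrass-support-no-container hardware-observe home-for-hooks \
hugepages-control log-observe mount-observe network network-bind \
network-control process-control system-observe"

SNAP_NAME="aws-iot-greengrass"

# audit_connections (hypothetical helper): reads `snap connections` output on
# stdin and prints one finding per line:
#   MISSING <plug>  required plug that is absent or has no slot connected
#   EXTRA <plug>    optional plug that is connected (confirm it is needed)
audit_connections() {
    awk -v snap="$SNAP_NAME" -v required="$REQUIRED_PLUGS" '
        BEGIN {
            n = split(required, names, " ")
            for (i = 1; i <= n; i++) need[names[i]] = 1
        }
        NR == 1 && $1 == "Interface" { next }   # skip the header row
        NF >= 3 {
            # The Plug column has the form "<snap>:<plug>".
            split($2, p, ":")
            if (p[1] != snap) next
            plug = p[2]
            # An unconnected plug shows "-" in the Slot column.
            if ($3 != "-") {
                if (plug in need) seen[plug] = 1
                else extra[++e] = plug
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(names[i] in seen)) print "MISSING " names[i]
            for (i = 1; i <= e; i++) print "EXTRA " extra[i]
        }
    '
}

# Constructed sample in the column layout that `snap connections` prints.
# log-observe is left unconnected and the optional camera plug is connected.
sample_connections() {
    cat <<'EOF'
Interface           Plug                                                Slot                 Notes
camera              aws-iot-greengrass:camera                           :camera              manual
gpio                aws-iot-greengrass:gpio                             -                    -
greengrass-support  aws-iot-greengrass:greengrass-support-no-container  :greengrass-support  -
hardware-observe    aws-iot-greengrass:hardware-observe                 :hardware-observe    manual
home                aws-iot-greengrass:home-for-greengrassd             -                    -
home                aws-iot-greengrass:home-for-hooks                   :home                manual
hugepages-control   aws-iot-greengrass:hugepages-control                :hugepages-control   manual
log-observe         aws-iot-greengrass:log-observe                      -                    -
mount-observe       aws-iot-greengrass:mount-observe                    :mount-observe       manual
network             aws-iot-greengrass:network                          :network             -
network-bind        aws-iot-greengrass:network-bind                     :network-bind        -
network-control     aws-iot-greengrass:network-control                  :network-control     manual
process-control     aws-iot-greengrass:process-control                  :process-control     manual
system-observe      aws-iot-greengrass:system-observe                   :system-observe      manual
EOF
}

# --demo audits the constructed sample; --live audits this device.
case "${1:-}" in
    --demo) sample_connections | audit_connections ;;
    --live) snap connections "$SNAP_NAME" | audit_connections ;;
esac
```

An `EXTRA` finding is not an error. It flags an optional interface to confirm that one of your Lambda functions actually needs it.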

### What's new with AWS IoT Greengrass snap v1.11.x
<a name="gg-snap-whats-new"></a>

The following describes what's new and changed in version 1.11.x of the AWS IoT Greengrass snap.
+ This version supports only the `snap_daemon` user, exposed as user ID (UID) and group (GID) `584788`.
+ This version supports only noncontainerized Lambda functions.

  **Important**  
  Because noncontainerized Lambda functions must share the same user (`snap_daemon`), the Lambda functions have no isolation from each other. For more information, see [Controlling execution of Greengrass Lambda functions by using group-specific configuration](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html).
+ This version supports C, C++, Java 8, Node.js 12.x, Python 2.7, Python 3.7, and Python 3.8 runtimes.

  **Note**  
  To avoid redundant Python runtimes, Python 3.7 Lambda functions actually run the Python 3.8 runtime.

### Getting started with AWS IoT Greengrass snap
<a name="gg-snap-get-started"></a>

The following procedure helps you install and configure the AWS IoT Greengrass snap on your device.

#### Requirements
<a name="gg-snap-requirements"></a>

To run the AWS IoT Greengrass snap, you must do the following:
+ Run the AWS IoT Greengrass snap on a supported Linux distribution, such as Ubuntu, Linux Mint, Debian, and Fedora.
+ Install the `snapd` daemon on your device. The `snapd` daemon, including the `snap` tool, manages the snap environment on your device.

For the list of supported Linux distributions and installation instructions, see [Installing snapd](https://snapcraft.io/docs/installing-snapd) in the *Snap documentation*.

#### Install and configure the AWS IoT Greengrass snap
<a name="gg-snap-install-config"></a>

The following tutorial shows you how to install and configure the AWS IoT Greengrass snap on your device.

**Note**  
Although this tutorial uses an Amazon EC2 instance (x86 t2.micro Ubuntu 20.04), you can run the AWS IoT Greengrass snap with physical hardware, such as a Raspberry Pi.
The `snapd` daemon is preinstalled on Ubuntu.

1. Install the `core18` snap by running the following command in your device's terminal:

   ```
   sudo snap install core18
   ```

   The `core18` snap is a [base snap](https://snapcraft.io/docs/base-snaps) that provides a runtime environment with commonly used libraries. This snap is built from [Ubuntu 18.04 LTS](http://releases.ubuntu.com/18.04/).

1. Upgrade `snapd` by running the following command:

   ```
   sudo snap install --channel=edge snapd; sudo snap refresh --channel=edge snapd
   ```

1. Run the `snap list` command to check if you have the AWS IoT Greengrass snap installed.

   The following example response shows that `snapd` is installed, but `aws-iot-greengrass` isn't.

   ```
   Name              Version               Rev    Tracking         Publisher   Notes
   amazon-ssm-agent  3.0.161.0             2996   latest/stable/…  aws✓        classic
   core              16-2.48               10444  latest/stable    canonical✓  core
   core18            20200929              1932   latest/stable    canonical✓  base
   lxd               4.0.4                 18150  4.0/stable/…     canonical✓  -
   snapd             2.48+git548.g929ccfb  10526  latest/edge      canonical✓  snapd
   ```

1. Choose one of the following options to install AWS IoT Greengrass snap 1.11.x.
   + To install the AWS IoT Greengrass snap, run the following command:

     ```
     sudo snap install aws-iot-greengrass
     ```

     Example response:

     ```
     aws-iot-greengrass 1.11.5 from Amazon Web Services (aws) installed
     ```
   + To migrate from an earlier version to v1.11.x or update to the latest available patch version, run the following command:

     ```
     sudo snap refresh --channel=1.11.x aws-iot-greengrass
     ```

   Like other snaps, the AWS IoT Greengrass snap uses channels to manage minor versions. Snaps are automatically updated to the latest available version of the current channel. For example, if you specify `--channel=1.11.x`, your AWS IoT Greengrass snap is updated to v1.11.5.

   You can run the `snap info aws-iot-greengrass` command to get the list of available channels for AWS IoT Greengrass.

   Example response:

   ```
   name:      aws-iot-greengrass
   summary:   AWS supported software that extends cloud capabilities to local devices.
   publisher: Amazon Web Services (aws✓)
   store-url: https://snapcraft.io/aws-iot-greengrass
   contact:   https://repost.aws/tags/TA4ckIed1sR4enZBey29rKTg/aws-io-t-greengrass
   license:   Proprietary
   description: |
     AWS IoT Greengrass seamlessly extends AWS onto edge devices so they can act locally on the data
     they generate, while still using the cloud for management, analytics, and durable storage.
     AWS IoT Greenrgrass snap v1.11.0 enables you to run a limited version of AWS IoT Greengrass with
     all necessary dependencies in a containerized environment.
     The AWS IoT Greengrass snap doesn't support connectors and machine learning (ML) inference.
     By downloading this software you agree to the Greengrass Core Software License Agreement
     (https://s3-us-west-2.amazonaws.com/greengrass-release-license/greengrass-license-v1.pdf).
     For more information, see Run AWS IoT Greengrass in a snap
     (https://docs.aws.amazon.com/greengrass/latest/developerguide/install-ggc.html#gg-snap-support) in
     the AWS IoT Greengrass Developer.
     If you need help, try the AWS IoT Greengrass tag on AWS re:Post
     (https://repost.aws/tags/TA4ckIed1sR4enZBey29rKTg/aws-io-t-greengrass) or connect with an AWS IQ expert
     (https://iq.aws.amazon.com/services/aws/greengrass).
   snap-id: SRDuhPJGj4XPxFNNZQKOTvURAp0wxKnd
   channels:
     latest/stable:    1.11.3 2021-06-15 (59) 111MB -
     latest/candidate: 1.11.3 2021-06-14 (59) 111MB -
     latest/beta:      1.11.3 2021-06-14 (59) 111MB -
     latest/edge:      1.11.3 2021-06-14 (59) 111MB -
     1.11.x/stable:    1.11.3 2021-06-15 (59) 111MB -
     1.11.x/candidate: 1.11.3 2021-06-15 (59) 111MB -
     1.11.x/beta:      1.11.3 2021-06-15 (59) 111MB -
     1.11.x/edge:      1.11.3 2021-06-15 (59) 111MB -
   ```

1. To access specific resources that your Lambda functions need, you can connect to additional interfaces.

   Run the following command to get the list of AWS IoT Greengrass snap supported interfaces:

   ```
   snap connections aws-iot-greengrass
   ```

   Example response:

   ```
   Interface                Plug                                                Slot                 Notes
   camera                   aws-iot-greengrass:camera                           -                    -
   dvb                      aws-iot-greengrass:dvb                              -                    -
   gpio                     aws-iot-greengrass:gpio                             -                    -
   gpio-memory-control      aws-iot-greengrass:gpio-memory-control              -                    -
   greengrass-support       aws-iot-greengrass:greengrass-support-no-container  :greengrass-support  -
   hardware-observe         aws-iot-greengrass:hardware-observe                 :hardware-observe    manual
   hardware-random-control  aws-iot-greengrass:hardware-random-control          -                    -
   home                     aws-iot-greengrass:home-for-greengrassd             -                    -
   home                     aws-iot-greengrass:home-for-hooks                   :home                manual
   hugepages-control        aws-iot-greengrass:hugepages-control                :hugepages-control   manual
   i2c                      aws-iot-greengrass:i2c                              -                    -
   iio                      aws-iot-greengrass:iio                              -                    -
   joystick                 aws-iot-greengrass:joystick                         -                    -
   log-observe              aws-iot-greengrass:log-observe                      :log-observe         manual
   mount-observe            aws-iot-greengrass:mount-observe                    :mount-observe       manual
   network                  aws-iot-greengrass:network                          :network             -
   network-bind             aws-iot-greengrass:network-bind                     :network-bind        -
   network-control          aws-iot-greengrass:network-control                  :network-control     -
   opengl                   aws-iot-greengrass:opengl                           :opengl              -
   optical-drive            aws-iot-greengrass:optical-drive                    :optical-drive       -
   process-control          aws-iot-greengrass:process-control                  :process-control     -
   raw-usb                  aws-iot-greengrass:raw-usb                          -                    -
   removable-media          aws-iot-greengrass:removable-media                  -                    -
   serial-port              aws-iot-greengrass:serial-port                      -                    -
   spi                      aws-iot-greengrass:spi                              -                    -
   system-observe           aws-iot-greengrass:system-observe                   :system-observe      -
   ```

   If you see a hyphen (-) in the Slot column, the corresponding interface isn't connected.

1. Follow [Installing the AWS IoT Greengrass Core software](module2.md) to create an AWS IoT thing, a Greengrass group, security resources that enable secure communications with AWS IoT, and the AWS IoT Greengrass Core software configuration file. The configuration file, `config.json`, contains configuration specific to your Greengrass core, such as the location of certificate files and the AWS IoT device data endpoint.
**Note**  
If you downloaded the file to a different device, follow this [step](start-greengrass.md#transfer-files-to-device) to transfer the files to the AWS IoT Greengrass core device.

1. For the AWS IoT Greengrass snap, make sure that you update the [config.json](gg-core.md#config-json) file, as shown in the following:
   + Replace each instance of *certificateId* with the certificate ID in the name of the certificate and key files.
   + If you downloaded a different Amazon root CA certificate than Amazon Root CA 1, replace each instance of *AmazonRootCA1.pem* with the name of the Amazon root CA file.

   ```
   {
     ...
     "crypto" : {
       "principals" : {
         "SecretsManager" : {
           "privateKeyPath" : "file:///snap/aws-iot-greengrass/current/greengrass/certs/certificateId-private.pem.key"
         },
         "IoTCertificate" : {
           "privateKeyPath" : "file:///snap/aws-iot-greengrass/current/greengrass/certs/certificateId-private.pem.key",
           "certificatePath" : "file:///snap/aws-iot-greengrass/current/greengrass/certs/certificateId-certificate.pem.crt"
         }
       },
       "caPath" : "file:///snap/aws-iot-greengrass/current/greengrass/certs/AmazonRootCA1.pem"
     },
     "writeDirectory": "/var/snap/aws-iot-greengrass/current/ggc-write-directory",
     "pidFileDirectory": "/var/snap/aws-iot-greengrass/current/pidFileDirectory"
   }
   ```

1. Run the following command to add your AWS IoT Greengrass certificate and configuration files:

   ```
   sudo snap set aws-iot-greengrass gg-certs=/home/ubuntu/my-certs
   ```
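
The interface listing from the procedure above, turned into a least-privilege audit. This is an added example, not AWS code: it parses `snap connections` output and compares the connected plugs with the set your Lambda functions need. The sample rows are constructed in the format of the example response, and the function names and the `required_plugs` policy are assumptions.

```python
"""Audit snap interface connections from `snap connections aws-iot-greengrass` output."""

# Constructed sample: a subset of rows in the format of the example response above.
SAMPLE = """\
Interface                Plug                                                Slot                 Notes
camera                   aws-iot-greengrass:camera                           -                    -
greengrass-support       aws-iot-greengrass:greengrass-support-no-container  :greengrass-support  -
hardware-observe         aws-iot-greengrass:hardware-observe                 :hardware-observe    manual
home                     aws-iot-greengrass:home-for-greengrassd             -                    -
home                     aws-iot-greengrass:home-for-hooks                   :home                manual
network                  aws-iot-greengrass:network                          :network             -
raw-usb                  aws-iot-greengrass:raw-usb                          -                    -
"""


def parse_connections(text):
    """Parse the four-column table into a list of dicts, one per plug."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or lines[0].split() != ["Interface", "Plug", "Slot", "Notes"]:
        raise ValueError("unexpected header; is this `snap connections` output?")
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"cannot parse row: {line!r}")
        interface, plug, slot, notes = fields
        rows.append({
            "interface": interface,
            "plug": plug.split(":", 1)[-1],          # drop the "aws-iot-greengrass:" prefix
            "connected": slot != "-",                # a hyphen in Slot means not connected
            "manual": "manual" in notes.split(","),  # connection was made by hand
        })
    return rows


def audit(rows, required_plugs):
    """Compare connected plugs with the plugs the deployed Lambda functions need."""
    known = {row["plug"] for row in rows}
    connected = {row["plug"] for row in rows if row["connected"]}
    return {
        # Connected although nothing needs it: candidate for disconnecting.
        "unexpected": sorted(connected - required_plugs),
        # Needed but still disconnected: expect permission denied errors.
        "missing": sorted((required_plugs & known) - connected),
        # Named in the policy but not offered by the snap at all.
        "unknown": sorted(required_plugs - known),
        # Manually connected plugs, worth re-checking after a reinstall.
        "manual": sorted(r["plug"] for r in rows if r["connected"] and r["manual"]),
    }


if __name__ == "__main__":
    # Hypothetical policy: the plugs this deployment is expected to use.
    policy = {"greengrass-support-no-container", "network", "home-for-hooks", "camera"}
    for category, plugs in audit(parse_connections(SAMPLE), policy).items():
        print(f"{category}: {', '.join(plugs) or '-'}")
```

On a device, pass the real output of `snap connections aws-iot-greengrass` to `parse_connections` instead of the sample.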

### Deploying a Lambda function
<a name="gg-snap-lambda"></a>

This section shows you how to deploy a customer managed Lambda function on the AWS IoT Greengrass snap.

**Important**  
AWS IoT Greengrass snap v1.11 only supports noncontainerized Lambda functions.

1. Run the following command to start the AWS IoT Greengrass daemon:

   ```
   sudo snap start aws-iot-greengrass
   ```

   Example response:

   ```
   Started.
   ```
**Note**  
If you get an error, you can use the `snap run` command for a detailed error message. For more troubleshooting information, see [error: cannot perform the following tasks: - Run service command "start" for services ["greengrassd"] of snap "aws-iot-greengrass" ([start snap.aws-iot-greengrass.greengrassd.service] failed with exit status 1: Job for snap.aws-iot-greengrass.greengrassd.service failed because the control process exited with error code. See "systemctl status snap.aws-iot-greengrass.greengrassd.service" and "journalctl -xe" for details.)](#gg-snap-troubleshoot-snaprun).

1. Run the following command to confirm that the daemon is running: 

   ```
   snap services aws-iot-greengrass.greengrassd
   ```

   Example response:

   ```
   Service                         Startup   Current  Notes
   aws-iot-greengrass.greengrassd  disabled  active   -
   ```

1. Follow [Module 3 (part 1): Lambda functions on AWS IoT Greengrass](https://docs.aws.amazon.com/greengrass/v1/developerguide/module3-I.html) to create and deploy a Hello World Lambda function. However, before you deploy the Lambda function, complete the next step.

1. Make sure that your Lambda functions run as the `snap_daemon` user and in the no container mode. To update the settings of your Greengrass group, do the following in the AWS IoT Greengrass console:

   1. Sign in to the AWS IoT Greengrass console.

   1. <a name="console-gg-groups"></a>In the AWS IoT console navigation pane, under **Manage**, expand **Greengrass devices**, and then choose **Groups (V1)**.

   1. Under **Greengrass groups**, choose the target group.

   1. On the group configuration page, in the navigation pane, choose the **Lambda functions** tab.

   1. Under **Default Lambda function runtime environment**, choose **Edit**, and do the following:

      1. For **Default system user and group**, choose **Another user ID/group ID**, and then enter **584788** for both **System user ID (number)** and **System group ID (number)**.

      1. For **Default Lambda function containerization**, choose **No container**.

      1. Choose **Save**.

### Stopping the AWS IoT Greengrass daemon
<a name="gg-snap-stop"></a>

You can use the `snap stop` command to stop a service.

To stop the AWS IoT Greengrass daemon, run the following command:

```
sudo snap stop aws-iot-greengrass
```

The command should return `Stopped.`.

To check if you successfully stopped the snap, run the following command:

```
snap services aws-iot-greengrass.greengrassd
```

Example response:

```
Service                         Startup   Current   Notes
aws-iot-greengrass.greengrassd  disabled  inactive  -
```

### Uninstalling the AWS IoT Greengrass snap
<a name="gg-snap-uninstall"></a>

To uninstall the AWS IoT Greengrass snap, run the following command:

```
sudo snap remove aws-iot-greengrass
```

Example response:

```
aws-iot-greengrass removed
```

### Troubleshooting the AWS IoT Greengrass snap
<a name="gg-snap-troubleshoot"></a>

Use the following information to help troubleshoot issues with the AWS IoT Greengrass snap.

#### Got permission denied errors.
<a name="gg-snap-troubleshoot-permission-denied"></a>

**Solution**: Permission denied errors are often caused by missing interfaces. For the list of missing interfaces and detailed troubleshooting information, you can use the `snappy-debug` tool.

Run the following command to install the tool.

```
sudo snap install snappy-debug
```

Example response:

```
snappy-debug 0.36-snapd2.45.1 from Canonical✓ installed
```

Run the `sudo snappy-debug` command in a separate terminal session. The operation continues until a permission denied error occurs.

For example, if your Lambda function tries to read a file in the `$HOME` directory, you may get the following response:

```
INFO: Following '/var/log/syslog'. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo snappy-debug
kernel.printk_ratelimit = 0
= AppArmor =
Time: Dec  6 04:48:26
Log: apparmor="DENIED" operation="mknod" profile="snap.aws-iot-greengrass.greengrassd" name="/home/ubuntu/my-file.txt" pid=12345 comm="touch" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
File: /home/ubuntu/my-file.txt (write)
Suggestion:
* add 'home' to 'plugs'
```

This example shows that creating the `/home/ubuntu/my-file.txt` file caused the permission error. It also suggests that you add `home` to `plugs`. However, this suggestion is not applicable: the `home-for-greengrassd` and `home-for-hooks` plugs are given read-only access only.

For more information, see [The snappy-debug snap](https://snapcraft.io/docs/debug-snaps#heading--snappy-debug) in the *Snap documentation*.

#### error: cannot perform the following tasks: - Run service command "start" for services ["greengrassd"] of snap "aws-iot-greengrass" ([start snap.aws-iot-greengrass.greengrassd.service] failed with exit status 1: Job for snap.aws-iot-greengrass.greengrassd.service failed because the control process exited with error code. See "systemctl status snap.aws-iot-greengrass.greengrassd.service" and "journalctl -xe" for details.)
<a name="gg-snap-troubleshoot-snaprun"></a>

**Solution**: You might see this error when the `snap start aws-iot-greengrass` command fails to start the AWS IoT Greengrass Core software.

For more troubleshooting information, run the following command:

```
sudo snap run aws-iot-greengrass.greengrassd
```

Example response:

```
Couldn't find /snap/aws-iot-greengrass/44/greengrass/config/config.json.
```

This example shows that AWS IoT Greengrass couldn't find the `config.json` file. Check your configuration and certificate files.

#### /var/snap/aws-iot-greengrass/current/ggc-write-directory/packages/1.11.5/rootfs/merged is not an absolute path or is a symlink.
<a name="gg-snap-troubleshoot-lambda"></a>

**Solution**: The AWS IoT Greengrass snap supports only noncontainerized Lambda functions. Make sure that you run your Lambda functions in the no container mode. For more information, see [Considerations when choosing Lambda function containerization](https://docs.aws.amazon.com/greengrass/v1/developerguide/lambda-group-config.html#no-container-mode) in the *AWS IoT Greengrass Version 1 Developer Guide*.

#### The snapd daemon failed to restart after you ran the sudo snap refresh snapd command.
<a name="gg-snap-troubleshoot-snapd"></a>

**Solution**: Follow steps 6 through 8 in [Install and configure the AWS IoT Greengrass snap](#gg-snap-install-config) to add the AWS IoT Greengrass certificate and configuration files to the AWS IoT Greengrass snap.

## Archive an AWS IoT Greengrass Core software installation
<a name="archive-ggc-version"></a>

When you upgrade to a new version of the AWS IoT Greengrass Core software, you can archive the currently installed version. This preserves your current installation environment so you can test a new software version on the same hardware. This also makes it easy to roll back to your archived version for any reason.

**To archive the current installation and install a new version**

1. Download the [AWS IoT Greengrass Core software](what-is-gg.md#gg-core-download-tab) installation package that you want to upgrade to.

1. Copy the package to the destination core device. For instructions that show how to transfer files, see this [step](start-greengrass.md#transfer-files-to-device).
**Note**  
You copy your current certificates, keys, and configuration file to the new installation later.

   Run the commands in the following steps in your core device terminal.

1. Make sure that the Greengrass daemon is stopped on the core device.

   1. To check whether the daemon is running:

      ```
      ps aux | grep -E 'greengrass.*daemon'
      ```

      If the output contains a `root` entry for `/greengrass/ggc/packages/ggc-version/bin/daemon`, then the daemon is running.
**Note**  
This procedure is written with the assumption that the AWS IoT Greengrass Core software is installed in the `/greengrass` directory.

   1. To stop the daemon:

      ```
      cd /greengrass/ggc/core/
      sudo ./greengrassd stop
      ```

1. Move the current Greengrass root directory to a different directory.

   ```
   sudo mv /greengrass /greengrass_backup
   ```

1. Untar the new software on the core device. Replace the *os-architecture* and *version* placeholders in the command.

   ```
   sudo tar -zxvf greengrass-os-architecture-version.tar.gz -C /
   ```

1. Copy the archived certificates, keys, and configuration file to the new installation.

   ```
   sudo cp /greengrass_backup/certs/* /greengrass/certs
   sudo cp /greengrass_backup/config/* /greengrass/config
   ```

1. Start the daemon:

   ```
   cd /greengrass/ggc/core/
   sudo ./greengrassd start
   ```

Now, you can make a group deployment to test the new installation. If something fails, you can restore the archived installation.

**To restore the archived installation**

1. Stop the daemon.

1. Delete the new `/greengrass` directory.

1. Move the `/greengrass_backup` directory back to `/greengrass`.

1. Start the daemon.

# Configure the AWS IoT Greengrass core
<a name="gg-core"></a>

An AWS IoT Greengrass core is an AWS IoT thing (device) that acts as a hub or gateway in edge environments. Like other AWS IoT devices, a core exists in the registry, has a device shadow, and uses a device certificate to authenticate with AWS IoT Core and AWS IoT Greengrass. The core device runs the AWS IoT Greengrass Core software, which enables it to manage local processes for Greengrass groups, such as communication, shadow sync, and token exchange.

The AWS IoT Greengrass Core software provides the following functionality:<a name="ggc-software-features"></a>
+ Deployment and the local running of connectors and Lambda functions.
+ Process data streams locally with automatic exports to the AWS Cloud.
+ MQTT messaging over the local network between devices, connectors, and Lambda functions using managed subscriptions.
+ MQTT messaging between AWS IoT and devices, connectors, and Lambda functions using managed subscriptions.
+ Secure connections between devices and the AWS Cloud using device authentication and authorization.
+ Local shadow synchronization of devices. Shadows can be configured to sync with the AWS Cloud.
+ Controlled access to local device and volume resources.
+ Deployment of cloud-trained machine learning models for running local inference.
+ Automatic IP address detection that enables devices to discover the Greengrass core device.
+ Central deployment of new or updated group configuration. After the configuration data is downloaded, the core device is restarted automatically.
+ Secure, over-the-air (OTA) software updates of user-defined Lambda functions.
+ Secure, encrypted storage of local secrets and controlled access by connectors and Lambda functions.

## AWS IoT Greengrass core configuration file
<a name="config-json"></a>

The configuration file for the AWS IoT Greengrass Core software is `config.json`. It is located in the `/greengrass-root/config` directory.

**Note**  
*greengrass-root* represents the path where the AWS IoT Greengrass Core software is installed on your device. Typically, this is the `/greengrass` directory.  
If you use the **Default Group creation** option from the AWS IoT Greengrass console, then the `config.json` file is deployed to the core device in a working state.

You can review the contents of this file by running the following command:

```
cat /greengrass-root/config/config.json
```

The following is an example `config.json` file. This is the version that's generated when you create the core from the AWS IoT Greengrass console.

------
#### [ GGC v1.11 ]

```
{
    "coreThing": {
        "caPath": "root.ca.pem",
        "certPath": "hash.cert.pem",
        "keyPath": "hash.private.key",
        "thingArn": "arn:partition:iot:region:account-id:thing/core-thing-name",
        "iotHost": "host-prefix-ats.iot.region.amazonaws.com",
        "ggHost": "greengrass-ats.iot.region.amazonaws.com",
        "keepAlive": 600,
        "ggDaemonPort": 8000,
        "systemComponentAuthTimeout": 5000
    },
    "runtime": {
        "maxWorkItemCount": 1024,
        "maxConcurrentLimit": 25,
        "lruSize": 25,
        "mountAllBlockDevices": "no",
        "cgroup": {
            "useSystemd": "yes"
        }
    },
    "managedRespawn": false,
    "crypto": {
        "principals": {
            "SecretsManager": {
                "privateKeyPath": "file:///greengrass/certs/hash.private.key"
            },
            "IoTCertificate": {
                "privateKeyPath": "file:///greengrass/certs/hash.private.key",
                "certificatePath": "file:///greengrass/certs/hash.cert.pem"
            }
        },
        "caPath": "file:///greengrass/certs/root.ca.pem"
    },
    "writeDirectory": "/var/snap/aws-iot-greengrass/current/ggc-write-directory",
    "pidFileDirectory": "/var/snap/aws-iot-greengrass/current/pidFileDirectory"
}
```

The `config.json` file supports the following properties:

**coreThing**


| Field | Description | Notes | 
| --- | --- | --- | 
| <a name="shared-config-capath"></a>caPath |  The path to the AWS IoT root CA relative to the `/greengrass-root/certs` directory.  |  For backward compatibility with versions earlier than 1.7.0. This property is ignored when the `crypto` object is present.  Make sure that your [endpoints correspond to your certificate type](#certificate-endpoints).   | 
| <a name="shared-config-certpath"></a>certPath |  The path to the core device certificate relative to the `/greengrass-root/certs` directory.  | For backward compatibility with versions earlier than 1.7.0. This property is ignored when the crypto object is present. | 
| <a name="shared-config-keypath"></a>keyPath | The path to the core private key relative to the `/greengrass-root/certs` directory. | For backward compatibility with versions earlier than 1.7.0. This property is ignored when the `crypto` object is present. | 
| <a name="shared-config-thingarn"></a>thingArn | The Amazon Resource Name (ARN) of the AWS IoT thing that represents the AWS IoT Greengrass core device. | Find the ARN for your core in the AWS IoT Greengrass console under Cores, or by running the [`get-core-definition-version`](https://docs.aws.amazon.com/cli/latest/reference/greengrass/get-core-definition-version.html) CLI command. | 
| <a name="shared-config-iothost-v1.9"></a>iotHost | Your AWS IoT endpoint. |  Find the endpoint in the AWS IoT console under **Settings**, or by running the [`describe-endpoint`](https://docs.aws.amazon.com/cli/latest/reference/iot/describe-endpoint.html) CLI command. This command returns the Amazon Trust Services (ATS) endpoint. For more information, see the [Server authentication](https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html) documentation.  Make sure that your [endpoints correspond to your certificate type](#certificate-endpoints). Make sure that your [endpoints correspond to your AWS Region](https://docs.aws.amazon.com/general/latest/gr/greengrass.html).    | 
| <a name="shared-config-gghost-v1.9"></a>ggHost | Your AWS IoT Greengrass endpoint. |  This is your `iotHost` endpoint with the host prefix replaced by *greengrass* (for example, `greengrass-ats.iot.region.amazonaws.com`). Use the same AWS Region as `iotHost`.  Make sure that your [endpoints correspond to your certificate type](#certificate-endpoints). Make sure that your [endpoints correspond to your AWS Region](https://docs.aws.amazon.com/general/latest/gr/greengrass.html).    | 
| <a name="shared-config-iotmqttport"></a>iotMqttPort | Optional. The port number to use for MQTT communication with AWS IoT. | Valid values are 8883 or 443. The default value is 8883. For more information, see [Connect on port 443 or through a network proxy](#alpn-network-proxy). | 
| <a name="shared-config-iothttpport"></a>iotHttpPort | Optional. The port number used to create HTTPS connections to AWS IoT. | Valid values are 8443 or 443. The default value is 8443. For more information, see [Connect on port 443 or through a network proxy](#alpn-network-proxy). | 
| <a name="shared-config-ggmqttport"></a>ggMqttPort | Optional. The port number to use for MQTT communication over the local network. | Valid values are 1024 through 65535. The default value is 8883. For more information, see [Configure the MQTT port for local messaging](#config-local-mqtt-port). | 
| <a name="shared-config-gghttpport"></a>ggHttpPort | Optional. The port number used to create HTTPS connections to the AWS IoT Greengrass service. | Valid values are 8443 or 443. The default value is 8443. For more information, see [Connect on port 443 or through a network proxy](#alpn-network-proxy). | 
| <a name="shared-config-keepalive"></a>keepAlive | Optional. The MQTT KeepAlive period, in seconds. | Valid range is between 30 and 1200 seconds. The default value is 600. | 
| <a name="shared-config-networkproxy"></a>networkProxy | Optional. An object that defines a proxy server to connect to. | The proxy server can be HTTP or HTTPS. For more information, see [Connect on port 443 or through a network proxy](#alpn-network-proxy). | 
| <a name="config-mqttOperationTimeout-v1.11.0"></a>mqttOperationTimeout | Optional. The amount of time (in seconds) to allow the Greengrass core to complete a publish, subscribe, or unsubscribe operation in MQTT connections to AWS IoT Core. | The default value is 5. The minimum value is 5. | 
| <a name="shared-conifg-ggDaemonPort"></a>ggDaemonPort | Optional. The Greengrass core IPC port number. |  This property is available in AWS IoT Greengrass v1.11.0 or later. Valid values are between 1024 and 65535. The default value is 8000.  | 
| <a name="shared-config-systemComponentAuthTimeout"></a>systemComponentAuthTimeout | Optional. The time (in milliseconds) to allow the Greengrass core IPC to complete authentication. |  This property is available in AWS IoT Greengrass v1.11.0 or later. Valid values are between 500 and 5000. The default value is 5000.  | 

**runtime**


| Field | Description | Notes | 
| --- |--- |--- |
| maxWorkItemCount | Optional. The maximum number of work items that the Greengrass daemon can process at a time. Work items that exceed this limit are ignored. The work item queue is shared by system components, user-defined Lambda functions, and connectors. | The default value is 1024. The maximum value is limited by your device hardware. Increasing this value increases the memory that AWS IoT Greengrass uses. You can increase this value if you expect your core to receive heavy MQTT message traffic.  | 
| maxConcurrentLimit | Optional. The maximum number of concurrent unpinned Lambda workers that the Greengrass daemon can have. You can specify a different integer to override this parameter. | The default value is 25. The minimum value is defined by `lruSize`.  | 
| lruSize | Optional. Defines the minimum value for maxConcurrentLimit. | The default value is 25. | 
| mountAllBlockDevices | Optional. Enables AWS IoT Greengrass to use bind mounts to mount all block devices into a container after setting up the OverlayFS. |  This property is available in AWS IoT Greengrass v1.11.0 or later. Valid values are `yes` and `no`. The default value is `no`. Set this value to `yes` if your `/usr` directory isn't under the `/` hierarchy. | 
| postStartHealthCheckTimeout | Optional. The time (in milliseconds) after starting that the Greengrass daemon waits for the health check to finish. | The default timeout is 30 seconds (30000 ms). | 
| `cgroup` | | |
| useSystemd | Indicates whether your device uses [systemd](https://en.wikipedia.org/wiki/Systemd). | Valid values are `yes` or `no`. Run the `check_ggc_dependencies` script in [Module 1](module1.md) to see if your device uses systemd. | 

**crypto**

The `crypto` object contains properties that support private key storage on a hardware security module (HSM) through PKCS#11 and local secret storage. For more information, see [AWS IoT Greengrass core security principals](gg-sec.md#gg-principals), [Hardware security integration](hardware-security.md), and [Deploy secrets to the AWS IoT Greengrass core](secrets.md). Configurations for private key storage on HSMs or in the file system are supported.


| Field | Description | Notes | 
| --- |--- |--- |
| caPath |  The absolute path to the AWS IoT root CA.  |  Must be a file URI of the form: `file:///absolute/path/to/file`.  Make sure that your [endpoints correspond to your certificate type](#certificate-endpoints).   | 
| `PKCS11` | | |
| OpenSSLEngine |  Optional. The absolute path to the OpenSSL engine `.so` file to enable PKCS#11 support on OpenSSL.  |  Must be a path to a file on the file system. This property is required if you're using the Greengrass OTA update agent with hardware security. For more information, see [Configure support for over-the-air updates](hardware-security.md#hardware-security-ota-updates).  | 
| P11Provider |  The absolute path to the PKCS#11 implementation's libdl-loadable library.  |  Must be a path to a file on the file system.  | 
| slotLabel |  The slot label that's used to identify the hardware module.  |  Must conform to PKCS#11 label specifications.  | 
| slotUserPin |  The user PIN that's used to authenticate the Greengrass core to the module.  |  Must have sufficient permissions to perform `C_Sign` with the configured private keys.  | 
| `principals` | | |
| IoTCertificate | The certificate and private key that the core uses to make requests to AWS IoT. | | 
| IoTCertificate.privateKeyPath |  The path to the core private key.  |  For file system storage, must be a file URI of the form: `file:///absolute/path/to/file`. For HSM storage, must be an [RFC 7512 PKCS#11](https://tools.ietf.org/html/rfc7512) path that specifies the object label.  | 
| IoTCertificate.certificatePath |  The absolute path to the core device certificate.  |  Must be a file URI of the form: `file:///absolute/path/to/file`.  | 
| MQTTServerCertificate |  Optional. The private key that the core uses in combination with the certificate to act as an MQTT server or gateway.  | | 
| MQTTServerCertificate.privateKeyPath |  The path to the local MQTT server private key.  |  Use this value to specify your own private key for the local MQTT server. For file system storage, must be a file URI of the form: `file:///absolute/path/to/file`. For HSM storage, must be an [RFC 7512 PKCS#11](https://tools.ietf.org/html/rfc7512) path that specifies the object label. If this property is omitted, AWS IoT Greengrass rotates the key based on your rotation settings. If specified, the customer is responsible for rotating the key.  | 
| SecretsManager | The private key that secures the data key used for encryption. For more information, see [Deploy secrets to the AWS IoT Greengrass core](secrets.md). | | 
| SecretsManager.privateKeyPath |  The path to the local secrets manager private key.  |  Only an RSA key is supported. For file system storage, must be a file URI of the form: `file:///absolute/path/to/file`. For HSM storage, must be an [RFC 7512 PKCS#11](https://tools.ietf.org/html/rfc7512) path that specifies the object label. The private key must be generated using the [PKCS#1 v1.5](https://tools.ietf.org/html/rfc2313) padding mechanism.  | 

The following configuration properties are also supported:


| Field | Description | Notes | 
| --- | --- | --- | 
| <a name="shared-config-mqttmaxconnectionretryinterval"></a> mqttMaxConnectionRetryInterval  |  Optional. The maximum interval (in seconds) between MQTT connection retries if the connection is dropped.  |  Specify this value as an unsigned integer. The default is `60`.  | 
| <a name="shared-config-managedrespawn"></a> managedRespawn  |  Optional. Indicates that the OTA agent needs to run custom code before an update.  |  Valid values are `true` or `false`. For more information, see [OTA updates of AWS IoT Greengrass Core software](core-ota-update.md).  | 
| <a name="shared-config-writedirectory"></a> writeDirectory  |  Optional. The write directory where AWS IoT Greengrass creates all read/write resources.  |  For more information, see [Configure a write directory for AWS IoT Greengrass](#write-directory).  | 
| <a name="shared-config-piddirectory"></a>pidFileDirectory |  Optional. AWS IoT Greengrass stores its process ID (PID) under this directory.  |  The default value is `/var/run`.  | 
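
The value constraints in the property tables above can be checked before a core is started. The following validator is an added example, not AWS code: it applies the documented ranges, allowed values, and URI forms to a parsed `config.json`. The function names and the sample file are constructed, and it assumes that the host prefix is the leading alphanumeric run of `iotHost`.

```python
"""Check a Greengrass v1.11 config.json against the constraints in the tables above."""
import json
import re
from urllib.parse import urlparse

# Documented constraints on coreThing fields: (min, max) ranges and allowed values.
RANGES = {"keepAlive": (30, 1200), "ggMqttPort": (1024, 65535),
          "ggDaemonPort": (1024, 65535), "systemComponentAuthTimeout": (500, 5000),
          "mqttOperationTimeout": (5, None)}
CHOICES = {"iotMqttPort": (8883, 443), "iotHttpPort": (8443, 443), "ggHttpPort": (8443, 443)}


def is_file_uri(value):
    """True only for the documented form file:///absolute/path/to/file."""
    return (isinstance(value, str) and value.startswith("file:///")
            and urlparse(value).path not in ("", "/"))


def is_key_ref(value):
    """A private key is a file URI, or an RFC 7512 pkcs11: URI for HSM storage."""
    return is_file_uri(value) or (isinstance(value, str) and value.startswith("pkcs11:"))


def validate(cfg):
    """Return a list of findings; an empty list means no documented rule is broken."""
    out = []
    core, runtime, crypto = cfg.get("coreThing", {}), cfg.get("runtime", {}), cfg.get("crypto")

    for field, (low, high) in RANGES.items():
        value = core.get(field)
        if value is not None and (type(value) is not int or value < low
                                  or (high is not None and value > high)):
            out.append(f"coreThing.{field}: {value!r} is outside the documented range")
    for field, allowed in CHOICES.items():
        if field in core and core[field] not in allowed:
            out.append(f"coreThing.{field}: {core[field]!r} is not one of {allowed}")

    # ggHost is iotHost with the host prefix replaced by "greengrass" (same Region).
    # Assumption: the host prefix is the leading alphanumeric run of iotHost.
    iot_host, gg_host = core.get("iotHost"), core.get("ggHost")
    if isinstance(iot_host, str) and isinstance(gg_host, str):
        expected = re.sub(r"^[A-Za-z0-9]+", "greengrass", iot_host, count=1)
        if gg_host != expected:
            out.append(f"coreThing.ggHost: {gg_host!r} does not match iotHost ({expected!r})")

    for path, value in (("runtime.mountAllBlockDevices", runtime.get("mountAllBlockDevices")),
                        ("runtime.cgroup.useSystemd", runtime.get("cgroup", {}).get("useSystemd"))):
        if value is not None and value not in ("yes", "no"):
            out.append(f"{path}: {value!r} must be 'yes' or 'no'")
    limit, lru = runtime.get("maxConcurrentLimit", 25), runtime.get("lruSize", 25)
    if type(limit) is int and type(lru) is int and limit < lru:
        out.append(f"runtime.maxConcurrentLimit: {limit} is below lruSize ({lru})")

    if crypto is None:
        return out  # no crypto object: the coreThing path fields are used instead
    principals = crypto.get("principals", {})
    iot = principals.get("IoTCertificate", {})
    if not is_file_uri(crypto.get("caPath")):
        out.append("crypto.caPath: must be a file:///absolute/path URI")
    if not is_file_uri(iot.get("certificatePath")):
        out.append("crypto.principals.IoTCertificate.certificatePath: must be a file URI")
    if not is_key_ref(iot.get("privateKeyPath")):
        out.append("crypto.principals.IoTCertificate.privateKeyPath: must be a file or pkcs11 URI")
    for name in ("MQTTServerCertificate", "SecretsManager"):
        key = principals.get(name, {}).get("privateKeyPath")
        if key is not None and not is_key_ref(key):
            out.append(f"crypto.principals.{name}.privateKeyPath: must be a file or pkcs11 URI")

    # The legacy coreThing paths are ignored once crypto is present. Flag values that
    # disagree with the crypto paths, because editing them has no effect.
    active = {"caPath": crypto.get("caPath"), "certPath": iot.get("certificatePath"),
              "keyPath": iot.get("privateKeyPath")}
    for field, uri in active.items():
        old = core.get(field)
        if isinstance(old, str) and is_file_uri(uri) and not uri.endswith("/" + old):
            out.append(f"coreThing.{field}: {old!r} is ignored; crypto uses {uri!r}")
    return out


# Constructed sample with deliberate mistakes (not a file from this guide).
SAMPLE = json.loads("""{
  "coreThing": {"caPath": "root.ca.pem", "certPath": "hash.cert.pem", "keyPath": "old.private.key",
    "iotHost": "abcdefexample-ats.iot.us-west-2.amazonaws.com",
    "ggHost": "greengrass-ats.iot.us-east-1.amazonaws.com",
    "keepAlive": 10, "iotMqttPort": 1883, "ggDaemonPort": 8000},
  "runtime": {"maxConcurrentLimit": 10, "lruSize": 25, "cgroup": {"useSystemd": "true"}},
  "crypto": {"caPath": "file:///greengrass/certs/root.ca.pem", "principals": {
    "SecretsManager": {"privateKeyPath": "/greengrass/certs/hash.private.key"},
    "IoTCertificate": {"privateKeyPath": "file:///greengrass/certs/hash.private.key",
                       "certificatePath": "file://greengrass/certs/hash.cert.pem"}}}
}""")

if __name__ == "__main__":
    for finding in validate(SAMPLE):
        print(finding)
```

The two-slash `file://greengrass/...` value in the sample is rejected because it puts `greengrass` in the URI authority instead of the path.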

------
#### [ Extended life versions ]

The following versions of the AWS IoT Greengrass Core software are in the [extended life phase](maintenance-policy.md). This information is included for reference purposes only.

GGC v1.10  

```
{
  "coreThing" : {
    "caPath" : "root.ca.pem",
    "certPath" : "hash.cert.pem",
    "keyPath" : "hash.private.key",
    "thingArn" : "arn:partition:iot:region:account-id:thing/core-thing-name",
    "iotHost" : "host-prefix-ats.iot.region.amazonaws.com",
    "ggHost" : "greengrass-ats.iot.region.amazonaws.com",
    "keepAlive" : 600,
    "systemComponentAuthTimeout": 5000
  },
  "runtime" : {
    "maxWorkItemCount" : 1024,
    "maxConcurrentLimit" : 25,
    "lruSize": 25,
    "cgroup" : {
      "useSystemd" : "yes"
    }
  },
  "managedRespawn" : false,
  "crypto" : {
    "principals" : {
      "SecretsManager" : {
        "privateKeyPath" : "file:///greengrass/certs/hash.private.key"
      },
      "IoTCertificate" : {
        "privateKeyPath" : "file:///greengrass/certs/hash.private.key",
        "certificatePath" : "file:///greengrass/certs/hash.cert.pem"
      } 
    },
    "caPath" : "file:///greengrass/certs/root.ca.pem"
  }
}
```
The `config.json` file supports the following properties:  
**coreThing**      
<a name="config-json-properties-corething-v1.9"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
**runtime**      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
**crypto**  
The `crypto` object contains properties that support private key storage on a hardware security module (HSM) through PKCS#11 and local secret storage. For more information, see [AWS IoT Greengrass core security principals](gg-sec.md#gg-principals), [Hardware security integration](hardware-security.md), and [Deploy secrets to the AWS IoT Greengrass core](secrets.md). Configurations for private key storage on HSMs or in the file system are supported.      
<a name="config-crypto"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
The following configuration properties are also supported:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

**GGC v1.9**  

```
{
  "coreThing" : {
    "caPath" : "root.ca.pem",
    "certPath" : "hash.cert.pem",
    "keyPath" : "hash.private.key",
    "thingArn" : "arn:partition:iot:region:account-id:thing/core-thing-name",
    "iotHost" : "host-prefix-ats.iot.region.amazonaws.com",
    "ggHost" : "greengrass-ats.iot.region.amazonaws.com",
    "keepAlive" : 600
  },
  "runtime" : {
    "cgroup" : {
      "useSystemd" : "yes"
    }
  },
  "managedRespawn" : false,
  "crypto" : {
    "principals" : {
      "SecretsManager" : {
        "privateKeyPath" : "file:///greengrass/certs/hash.private.key"
      },
      "IoTCertificate" : {
        "privateKeyPath" : "file:///greengrass/certs/hash.private.key",
        "certificatePath" : "file:///greengrass/certs/hash.cert.pem"
      } 
    },
    "caPath" : "file:///greengrass/certs/root.ca.pem"
  }
}
```
The `config.json` file supports the following properties:  
**coreThing**      
<a name="config-json-properties-corething-v1.9"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
**runtime**      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
**crypto**  
The `crypto` object is added in v1.7.0. It introduces properties that support private key storage on a hardware security module (HSM) through PKCS#11 and local secret storage. For more information, see [AWS IoT Greengrass core security principals](gg-sec.md#gg-principals), [Hardware security integration](hardware-security.md), and [Deploy secrets to the AWS IoT Greengrass core](secrets.md). Configurations for private key storage on HSMs or in the file system are supported.      
<a name="config-crypto"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
The following configuration properties are also supported.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

**GGC v1.8**  

```
{
  "coreThing" : {
    "caPath" : "root.ca.pem",
    "certPath" : "hash.cert.pem",
    "keyPath" : "hash.private.key",
    "thingArn" : "arn:aws:iot:region:account-id:thing/core-thing-name",
    "iotHost" : "host-prefix-ats.iot.region.amazonaws.com",
    "ggHost" : "greengrass-ats.iot.region.amazonaws.com",
    "keepAlive" : 600
  },
  "runtime" : {
    "cgroup" : {
      "useSystemd" : "yes"
    }
  },
  "managedRespawn" : false,
  "crypto" : {
    "principals" : {
      "SecretsManager" : {
        "privateKeyPath" : "file:///greengrass/certs/hash.private.key"
      },
      "IoTCertificate" : {
        "privateKeyPath" : "file:///greengrass/certs/hash.private.key",
        "certificatePath" : "file:///greengrass/certs/hash.cert.pem"
      } 
    },
    "caPath" : "file:///greengrass/certs/root.ca.pem"
  }
}
```
The `config.json` file supports the following properties.  
**coreThing**      
<a name="config-json-properties-corething-v1.8"></a>[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
**runtime**      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
**crypto**  
The `crypto` object is added in v1.7.0. It introduces properties that support private key storage on a hardware security module (HSM) through PKCS#11 and local secret storage. For more information, see [AWS IoT Greengrass core security principals](gg-sec.md#gg-principals), [Hardware security integration](hardware-security.md), and [Deploy secrets to the AWS IoT Greengrass core](secrets.md). Configurations for private key storage on HSMs or in the file system are supported.      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
The following configuration properties are also supported:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

**GGC v1.7**  

```
{
  "coreThing" : {
    "caPath" : "root.ca.pem",
    "certPath" : "hash.cert.pem",
    "keyPath" : "hash.private.key",
    "thingArn" : "arn:aws:iot:region:account-id:thing/core-thing-name",
    "iotHost" : "host-prefix-ats.iot.region.amazonaws.com",
    "ggHost" : "greengrass-ats.iot.region.amazonaws.com",
    "keepAlive" : 600
  },
  "runtime" : {
    "cgroup" : {
      "useSystemd" : "yes"
    }
  },
  "managedRespawn" : false,
  "crypto" : {
    "principals" : {
      "SecretsManager" : {
        "privateKeyPath" : "file:///greengrass/certs/hash.private.key"
      },
      "IoTCertificate" : {
        "privateKeyPath" : "file:///greengrass/certs/hash.private.key",
        "certificatePath" : "file:///greengrass/certs/hash.cert.pem"
      } 
    },
    "caPath" : "file:///greengrass/certs/root.ca.pem"
  }
}
```
The `config.json` file supports the following properties:  
**coreThing**      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
**runtime**      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
**crypto**  
The `crypto` object, added in v1.7.0, introduces properties that support private key storage on a hardware security module (HSM) through PKCS#11 and local secret storage. For more information, see [Hardware security integration](hardware-security.md) and [Deploy secrets to the AWS IoT Greengrass core](secrets.md). Configurations for private key storage on HSMs or in the file system are supported.      
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)
The following configuration properties are also supported:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

**GGC v1.6**  

```
{
   "coreThing": {
       "caPath": "root-ca-pem",
       "certPath": "cloud-pem-crt",
       "keyPath": "cloud-pem-key",
       "thingArn": "arn:aws:iot:region:account-id:thing/core-thing-name",
       "iotHost": "host-prefix.iot.region.amazonaws.com",
       "ggHost": "greengrass.iot.region.amazonaws.com",
       "keepAlive": 600,
       "mqttMaxConnectionRetryInterval": 60
   },
   "runtime": {
       "cgroup": {
           "useSystemd": "yes|no"
       }
   },
   "managedRespawn": true,
   "writeDirectory": "/write-directory"
}
```
If you use the **Default Group creation** option from the AWS IoT Greengrass console, then the `config.json` file is deployed to the core device in a working state that specifies the default configuration.
The `config.json` file supports the following properties:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

**GGC v1.5**  

```
{
   "coreThing": {
       "caPath": "root-ca-pem",
       "certPath": "cloud-pem-crt",
       "keyPath": "cloud-pem-key",
       "thingArn": "arn:aws:iot:region:account-id:thing/core-thing-name",
       "iotHost": "host-prefix.iot.region.amazonaws.com",
       "ggHost": "greengrass.iot.region.amazonaws.com",
       "keepAlive": 600
   },
   "runtime": {
       "cgroup": {
           "useSystemd": "yes|no"
       }
   },
   "managedRespawn": true
}
```
The `config.json` file exists in `/greengrass-root/config` and contains the following parameters:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

**GGC v1.3**  

```
{
   "coreThing": {
       "caPath": "root-ca-pem",
       "certPath": "cloud-pem-crt",
       "keyPath": "cloud-pem-key",
       "thingArn": "arn:aws:iot:region:account-id:thing/core-thing-name",
       "iotHost": "host-prefix.iot.region.amazonaws.com",
       "ggHost": "greengrass.iot.region.amazonaws.com",
       "keepAlive": 600
   },
   "runtime": {
       "cgroup": {
           "useSystemd": "yes|no"
       }
   },
   "managedRespawn": true
}
```
The `config.json` file exists in `/greengrass-root/config` and contains the following parameters:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

**GGC v1.1**  

```
{
   "coreThing": {
       "caPath": "root-ca-pem",
       "certPath": "cloud-pem-crt",
       "keyPath": "cloud-pem-key",
       "thingArn": "arn:aws:iot:region:account-id:thing/core-thing-name",
       "iotHost": "host-prefix.iot.region.amazonaws.com",
       "ggHost": "greengrass.iot.region.amazonaws.com",
       "keepAlive": 600
   },
   "runtime": {
       "cgroup": {
           "useSystemd": "yes|no"
       }
   }
}
```
The `config.json` file exists in `/greengrass-root/config` and contains the following parameters:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

**GGC v1.0**  
In AWS IoT Greengrass Core v1.0, `config.json` is deployed to `greengrass-root/configuration`.  

```
{
   "coreThing": {
       "caPath": "root-ca-pem",
       "certPath": "cloud-pem-crt",
       "keyPath": "cloud-pem-key",
       "thingArn": "arn:aws:iot:region:account-id:thing/core-thing-name",
       "iotHost": "host-prefix.iot.region.amazonaws.com",
       "ggHost": "greengrass.iot.region.amazonaws.com",
       "keepAlive": 600
   },
   "runtime": {
       "cgroup": {
           "useSystemd": "yes|no"
       }
   }
}
```
The `config.json` file exists in `/greengrass-root/configuration` and contains the following parameters:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)

------

## Service endpoints must match the root CA certificate type
<a name="certificate-endpoints"></a>

Your AWS IoT Core and AWS IoT Greengrass endpoints must correspond to the certificate type of the root CA certificate on your device. If the endpoints and certificate type do not match, authentication attempts fail between the device and AWS IoT Core or AWS IoT Greengrass. For more information, see [Server authentication](https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html) in the *AWS IoT Developer Guide*.

If your device uses an Amazon Trust Services (ATS) root CA certificate, which is the preferred method, it must also use ATS endpoints for device management and discovery data plane operations. ATS endpoints include the `ats` segment, as shown in the following syntax for the AWS IoT Core endpoint.

```
prefix-ats.iot.region.amazonaws.com
```

**Note**  
For backward compatibility, AWS IoT Greengrass currently supports legacy VeriSign root CA certificates and endpoints in some AWS Regions. If you're using a legacy VeriSign root CA certificate, we recommend that you create an ATS endpoint and use an ATS root CA certificate instead. Otherwise, make sure to use the corresponding legacy endpoints. For more information, see [Supported legacy endpoints](https://docs.aws.amazon.com/general/latest/gr/greengrass.html#greengrass-legacy-endpoints) in the *Amazon Web Services General Reference*.

### Endpoints in config.json
<a name="certificate-endpoints-config"></a>

On a Greengrass core device, endpoints are specified in the `coreThing` object in the [`config.json`](#config-json) file. The `iotHost` property represents the AWS IoT Core endpoint. The `ggHost` property represents the AWS IoT Greengrass endpoint. In the following example snippet, these properties specify ATS endpoints.

```
{
  "coreThing" : {
    ...
    "iotHost" : "abcde1234uwxyz-ats.iot.us-west-2.amazonaws.com",
    "ggHost" : "greengrass-ats.iot.us-west-2.amazonaws.com",
    ...
  },
  ...
}
```

**AWS IoT Core endpoint**  
You can get your AWS IoT Core endpoint by running the [`aws iot describe-endpoint`](https://docs.aws.amazon.com/cli/latest/reference/iot/describe-endpoint.html) CLI command with the appropriate `--endpoint-type` parameter.  
+ To return an ATS signed endpoint, run:

  ```
  aws iot describe-endpoint --endpoint-type iot:Data-ATS
  ```
+ To return a legacy VeriSign signed endpoint, run:

  ```
  aws iot describe-endpoint --endpoint-type iot:Data
  ```

**AWS IoT Greengrass endpoint**  
Your AWS IoT Greengrass endpoint is your `iotHost` endpoint with the host prefix replaced by *greengrass*. For example, the ATS signed endpoint is `greengrass-ats.iot.region.amazonaws.com`. This uses the same Region as your AWS IoT Core endpoint.

## Connect on port 443 or through a network proxy
<a name="alpn-network-proxy"></a>

This feature is available for AWS IoT Greengrass Core v1.7 and later.

Greengrass cores communicate with AWS IoT Core using the MQTT messaging protocol with TLS client authentication. By convention, MQTT over TLS uses port 8883. However, as a security measure, restrictive environments might limit inbound and outbound traffic to a small range of TCP ports. For example, a corporate firewall might open port 443 for HTTPS traffic, but close other ports that are used for less common protocols, such as port 8883 for MQTT traffic. Other restrictive environments might require all traffic to go through an HTTP proxy before connecting to the internet.

To enable communication in these scenarios, AWS IoT Greengrass allows the following configurations:
+ **MQTT with TLS client authentication over port 443**. If your network allows connections to port 443, you can configure the core to use port 443 for MQTT traffic instead of the default port 8883. This can be a direct connection to port 443 or a connection through a network proxy server.

  AWS IoT Greengrass uses the [Application Layer Protocol Negotiation](https://tools.ietf.org/html/rfc7301) (ALPN) TLS extension to enable this connection. As with the default configuration, MQTT over TLS on port 443 uses certificate-based client authentication.

  When configured to use a direct connection to port 443, the core supports [over-the-air (OTA) updates](core-ota-update.md) for AWS IoT Greengrass software. This support requires AWS IoT Greengrass Core v1.9.3 or later.
+ **HTTPS communication over port 443**. AWS IoT Greengrass sends HTTPS traffic over port 8443 by default, but you can configure it to use port 443.
+ **Connection through a network proxy**. You can configure a network proxy server to act as an intermediary for connecting to the Greengrass core. Only basic authentication and HTTP and HTTPS proxies are supported.

  The proxy configuration is passed to user-defined Lambda functions through the `http_proxy`, `https_proxy`, and `no_proxy` environment variables. User-defined Lambda functions must use these passed-in settings to connect through the proxy. Common libraries that Lambda functions use to make connections (such as boto3, cURL, and the Python `requests` package) typically use these environment variables by default. If a Lambda function also specifies these same environment variables, AWS IoT Greengrass doesn't override them.

**Important**  
Greengrass cores that are configured to use a network proxy don't support [OTA updates](core-ota-update.md).

<a name="config-mqtt-port"></a>

**To configure MQTT over port 443**

This feature requires AWS IoT Greengrass Core v1.7 or later.

This procedure allows the Greengrass core to use port 443 for MQTT messaging with AWS IoT Core.

1. Run the following command to stop the Greengrass daemon:

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd stop
   ```

1. Open `greengrass-root/config/config.json` for editing as the su user.

1. In the `coreThing` object, add the `iotMqttPort` property and set the value to **443**, as shown in the following example.

   ```
   {
       "coreThing" : {
           "caPath" : "root.ca.pem",
           "certPath" : "12345abcde.cert.pem",
           "keyPath" : "12345abcde.private.key",
           "thingArn" : "arn:aws:iot:us-west-2:123456789012:thing/core-thing-name",
           "iotHost" : "abcd123456wxyz-ats.iot.us-west-2.amazonaws.com",
           "iotMqttPort" : 443,
           "ggHost" : "greengrass-ats.iot.us-west-2.amazonaws.com",
           "keepAlive" : 600
       },
       ...
   }
   ```

1. Start the daemon.

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd start
   ```

 <a name="config-http-port"></a>

**To configure HTTPS over port 443**

This feature requires AWS IoT Greengrass Core v1.8 or later.

This procedure configures the core to use port 443 for HTTPS communication.

1. Run the following command to stop the Greengrass daemon:

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd stop
   ```

1. Open `greengrass-root/config/config.json` for editing as the su user.

1. In the `coreThing` object, add the `iotHttpPort` and `ggHttpPort` properties, as shown in the following example.

   ```
   {
       "coreThing" : {
           "caPath" : "root.ca.pem",
           "certPath" : "12345abcde.cert.pem",
           "keyPath" : "12345abcde.private.key",
           "thingArn" : "arn:aws:iot:us-west-2:123456789012:thing/core-thing-name",
           "iotHost" : "abcd123456wxyz-ats.iot.us-west-2.amazonaws.com",
           "iotHttpPort" : 443,
           "ggHost" : "greengrass-ats.iot.us-west-2.amazonaws.com",
           "ggHttpPort" : 443,
           "keepAlive" : 600
       },
       ...
   }
   ```

1. Start the daemon.

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd start
   ```

 <a name="config-network-proxy"></a>

**To configure a network proxy**

This feature requires AWS IoT Greengrass Core v1.7 or later.

This procedure allows AWS IoT Greengrass to connect to the internet through an HTTP or HTTPS network proxy.

1. Run the following command to stop the Greengrass daemon:

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd stop
   ```

1. Open `greengrass-root/config/config.json` for editing as the su user.

1. In the `coreThing` object, add the [networkProxy](#networkProxy-object) object, as shown in the following example.

   ```
   {
       "coreThing" : {
           "caPath" : "root.ca.pem",
           "certPath" : "12345abcde.cert.pem",
           "keyPath" : "12345abcde.private.key",
           "thingArn" : "arn:aws:iot:us-west-2:123456789012:thing/core-thing-name",
           "iotHost" : "abcd123456wxyz-ats.iot.us-west-2.amazonaws.com",
           "ggHost" : "greengrass-ats.iot.us-west-2.amazonaws.com",
           "keepAlive" : 600,
           "networkProxy": {
               "noProxyAddresses" : "http://128.12.34.56,www.mywebsite.com",
               "proxy" : {
                   "url" : "https://my-proxy-server:1100",
                   "username" : "Mary_Major",
                   "password" : "pass@word1357"
               }
           }
       },
       ...
   }
   ```

1. Start the daemon.

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd start
   ```

**networkProxy object**

Use the `networkProxy` object to specify information about the network proxy. This object has the following properties.


| Field | Description | 
| --- | --- | 
| noProxyAddresses |  Optional. A comma-separated list of IP addresses or host names that are exempt from the proxy.  | 
| proxy |  The proxy to connect to. A proxy has the following properties. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/gg-core.html)  | 

### Allowing endpoints
<a name="allow-endpoints-proxy"></a>

Communication between Greengrass devices and AWS IoT Core or AWS IoT Greengrass must be authenticated. This authentication is based on registered X.509 device certificates and cryptographic keys. To allow authenticated requests to pass through proxies without additional encryption, allow the following endpoints.


| Endpoint | Port | Description | 
| --- | --- | --- | 
| greengrass.region.amazonaws.com | 443 |  Used for control plane operations for group management.  | 
| `prefix-ats.iot.region.amazonaws.com` or `prefix.iot.region.amazonaws.com` | MQTT: 8883 or 443 HTTPS: 8443 or 443 |  Used for data plane operations for device management, such as shadow sync. Allow the use of one or both endpoints, depending on whether your core and client devices use Amazon Trust Services (preferred) root CA certificates, legacy root CA certificates, or both. For more information, see [Service endpoints must match the root CA certificate type](#certificate-endpoints).  | 
| `greengrass-ats.iot.region.amazonaws.com` or `greengrass.iot.region.amazonaws.com` | 8443 or 443 |  Used for device discovery operations. Allow the use of one or both endpoints, depending on whether your core and client devices use Amazon Trust Services (preferred) root CA certificates, legacy root CA certificates, or both. For more information, see [Service endpoints must match the root CA certificate type](#certificate-endpoints).  Clients that connect on port 443 must implement the [ Application Layer Protocol Negotiation (ALPN)](https://tools.ietf.org/html/rfc7301) TLS extension and pass `x-amzn-http-ca` as the `ProtocolName` in the `ProtocolNameList`. For more information, see [Protocols](https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html) in the *AWS IoT Developer Guide*.   | 
| `*.s3.amazonaws.com` | 443 |  Used for deployment operations and over-the-air updates. This format includes the `*` character because endpoint prefixes are controlled internally and might change at any time.  | 
| logs.region.amazonaws.com | 443 |  Required if the Greengrass group is configured to write logs to CloudWatch.  | 
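
The following added example (not part of the AWS documentation) checks a `coreThing` object against the endpoint rules in [Service endpoints must match the root CA certificate type](#certificate-endpoints) and derives the allow-list rows of the preceding table from it. The function names, the `root_ca_type` argument, and the sample configurations are constructed for illustration; the root CA type is stated by the operator and is not read from the certificate file.

```python
import json
import re

# Endpoint syntax used on this page: prefix[-ats].iot.region.amazonaws.com
_ENDPOINT = re.compile(
    r"^(?P<prefix>[a-z0-9]+)(?P<ats>-ats)?\.iot\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)
MQTT_PORTS = {8883, 443}   # "MQTT: 8883 or 443" in the allow table
HTTPS_PORTS = {8443, 443}  # "HTTPS: 8443 or 443" in the allow table
PORT_KEYS = (  # (config key, allowed ports, default when the key is absent)
    ("iotMqttPort", MQTT_PORTS, 8883),
    ("iotHttpPort", HTTPS_PORTS, 8443),
    ("ggHttpPort", HTTPS_PORTS, 8443),
)


def parse_endpoint(host):
    """Split a host into prefix, CA type ('ats' or 'legacy') and Region."""
    match = _ENDPOINT.match((host or "").lower())
    if match is None:
        return None
    return {
        "prefix": match["prefix"],
        "ca_type": "ats" if match["ats"] else "legacy",
        "region": match["region"],
    }


def audit_core_thing(config, root_ca_type):
    """Return a list of findings for the coreThing object.

    root_ca_type ('ats' or 'legacy') is stated by the operator (assumption);
    this example does not read the certificate at caPath.
    """
    core = config.get("coreThing", {})
    findings, parsed = [], {}
    for key in ("iotHost", "ggHost"):
        parsed[key] = parse_endpoint(core.get(key))
        if parsed[key] is None:
            findings.append(f"{key}: missing or not prefix[-ats].iot.region.amazonaws.com")
        elif parsed[key]["ca_type"] != root_ca_type:
            findings.append(f"{key}: {parsed[key]['ca_type']} endpoint, root CA is {root_ca_type}")
    iot, gg = parsed["iotHost"], parsed["ggHost"]
    if gg and gg["prefix"] != "greengrass":
        findings.append("ggHost: host prefix must be 'greengrass'")
    if iot and gg and iot["region"] != gg["region"]:
        findings.append("ggHost: Region differs from iotHost")
    for key, allowed, default in PORT_KEYS:
        port = core.get(key, default)
        if not isinstance(port, int) or port not in allowed:
            findings.append(f"{key}: {port!r} is not one of {sorted(allowed)}")
    return findings


def required_egress(config, cloudwatch_logs=False):
    """List the (host, port, purpose) rows a proxy or firewall must allow."""
    core = config["coreThing"]
    iot = parse_endpoint(core.get("iotHost"))
    if iot is None:
        raise ValueError("iotHost is missing or malformed")
    region = iot["region"]
    rows = [
        (f"greengrass.{region}.amazonaws.com", 443, "group management"),
        (core["iotHost"], core.get("iotMqttPort", 8883), "MQTT data plane"),
        (core["iotHost"], core.get("iotHttpPort", 8443), "HTTPS data plane"),
        (core["ggHost"], core.get("ggHttpPort", 8443), "device discovery"),
        ("*.s3.amazonaws.com", 443, "deployments and OTA updates"),
    ]
    if cloudwatch_logs:
        rows.append((f"logs.{region}.amazonaws.com", 443, "CloudWatch logs"))
    return rows


# Constructed sample: the endpoint values from this page's port 443 example.
GOOD = json.loads("""
{"coreThing": {
    "iotHost": "abcd123456wxyz-ats.iot.us-west-2.amazonaws.com",
    "iotMqttPort": 443,
    "ggHost": "greengrass-ats.iot.us-west-2.amazonaws.com",
    "keepAlive": 600}}
""")

# Constructed sample with three defects: legacy ggHost, other Region, bad port.
BAD = json.loads("""
{"coreThing": {
    "iotHost": "abcd123456wxyz-ats.iot.us-west-2.amazonaws.com",
    "iotMqttPort": 1883,
    "ggHost": "greengrass.iot.us-east-1.amazonaws.com"}}
""")

if __name__ == "__main__":
    for finding in audit_core_thing(BAD, "ats"):
        print("FINDING", finding)
    for host, port, purpose in required_egress(GOOD, cloudwatch_logs=True):
        print(f"ALLOW {host}:{port}  # {purpose}")
```
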

## Configure a write directory for AWS IoT Greengrass
<a name="write-directory"></a>

This feature is available for AWS IoT Greengrass Core v1.6 and later.

By default, the AWS IoT Greengrass Core software is deployed under a single root directory where AWS IoT Greengrass performs all read and write operations. However, you can configure AWS IoT Greengrass to use a separate directory for all write operations, including creating directories and files. In this case, AWS IoT Greengrass uses two top-level directories:
+ The *greengrass-root* directory, which you can leave as read-write or optionally make read-only. This contains the AWS IoT Greengrass Core software and other critical components that should remain immutable during runtime, such as certificates and `config.json`.
+ The specified write directory. This contains writable content, such as logs, state information, and deployed user-defined Lambda functions.

This configuration results in the following directory structure.

**Greengrass root directory**  

```
greengrass-root/
|-- certs/
|   |-- root.ca.pem
|   |-- hash.cert.pem
|   |-- hash.private.key
|   |-- hash.public.key
|-- config/
|   |-- config.json
|-- ggc/
|   |-- packages/
|       |-- package-version/
|           |-- bin/
|               |-- daemon 
|           |-- greengrassd
|           |-- lambda/
|           |-- LICENSE/
|           |-- release_notes_package-version.html
|               |-- runtime/
|                   |-- java8/
|                   |-- nodejs8.10/
|                   |-- python3.8/
|   |-- core/
```

**Write Directory**  

```
write-directory/
|-- packages/
|   |-- package-version/
|       |-- ggc_root/
|       |-- rootfs_nosys/
|       |-- rootfs_sys/
|       |-- var/
|-- deployment/
|   |-- group/
|       |-- group.json
|   |-- lambda/
|   |-- mlmodel/
|-- var/
|   |-- log/
|   |-- state/
```

 

**To configure a write directory**

1. Run the following command to stop the AWS IoT Greengrass daemon:

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd stop
   ```

1. Open `greengrass-root/config/config.json` for editing as the su user.

1. Add `writeDirectory` as a parameter and specify the path to the target directory, as shown in the following example.

   ```
   {
       "coreThing": {
           "caPath": "root-CA.pem",
           "certPath": "hash.pem.crt",
           ...
       },
       ...
       "writeDirectory" : "/write-directory"
   }
   ```
**Note**  
You can update the `writeDirectory` setting as often as you want. After the setting is updated, AWS IoT Greengrass uses the newly specified write directory at the next start, but doesn't migrate content from the previous write directory.

1. Now that your write directory is configured, you can optionally make the *greengrass-root* directory read-only. For instructions, see [To Make the Greengrass Root Directory Read-Only](#configure-ro-directory).

   Otherwise, start the AWS IoT Greengrass daemon:

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd start
   ```

 <a name="configure-ro-directory"></a>

**To make the Greengrass root directory read-only**

Follow these steps only if you want to make the Greengrass root directory read-only. The write directory must be configured before you begin.

1. Grant access permissions to required directories:

   1. Give read and write permissions to the `config.json` owner.

      ```
      sudo chmod 0600 /greengrass-root/config/config.json
      ```

   1. Make ggc_user the owner of the certs and system Lambda directories.

      ```
      sudo chown -R ggc_user:ggc_group /greengrass-root/certs/
      sudo chown -R ggc_user:ggc_group /greengrass-root/ggc/packages/1.11.6/lambda/
      ```
**Note**  
The ggc_user and ggc_group accounts are used by default to run system Lambda functions. If you configured the group-level [default access identity](lambda-group-config.md#lambda-access-identity-groupsettings) to use different accounts, you should give permissions to that user (UID) and group (GID) instead.

1. Make the *greengrass-root* directory read-only by using your preferred mechanism.
**Note**  
One way to make the *greengrass-root* directory read-only is to mount the directory as read-only. However, to apply over-the-air (OTA) updates to the AWS IoT Greengrass Core software in a mounted directory, the directory must first be unmounted, and then remounted after the update. You can add these `umount` and `mount` operations to the `ota_pre_update` and `ota_post_update` scripts. For more information about OTA updates, see [Greengrass OTA update agent](core-ota-update.md#ota-agent) and [Managed respawn with OTA updates](core-ota-update.md#ota-managed-respawn).

1. Start the daemon.

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd start
   ```

   If the permissions from step 1 aren't set correctly, the daemon won't start.

## Configure MQTT settings
<a name="configure-mqtt"></a>

In the AWS IoT Greengrass environment, local client devices, Lambda functions, connectors, and system components can communicate with each other and with AWS IoT Core. All communication goes through the core, which manages the [subscriptions](gg-sec.md#gg-msg-workflow) that authorize MQTT communication between entities.

For information about MQTT settings you can configure for AWS IoT Greengrass, see the following sections:
+ [Message quality of service](#message-quality-of-service)
+ [MQTT message queue for cloud targets](#mqtt-message-queue)
+ [MQTT persistent sessions with AWS IoT Core](#mqtt-persistent-sessions)
+ [Client IDs for MQTT connections with AWS IoT](#connection-client-id)
+ [MQTT port for local messaging](#config-local-mqtt-port)
+ [Timeout for publish, subscribe, unsubscribe operations in MQTT connections with the AWS Cloud](#mqtt-operation-timeout)

**Note**  
<a name="sitewise-connector-opcua-support"></a>OPC-UA is an information exchange standard for industrial communication. To implement support for OPC-UA on the Greengrass core, you can use the [IoT SiteWise connector](iot-sitewise-connector.md). The connector sends industrial device data from OPC-UA servers to asset properties in AWS IoT SiteWise.

### Message quality of service
<a name="message-quality-of-service"></a>

AWS IoT Greengrass supports quality of service (QoS) levels 0 or 1, depending on your configuration and the target and direction of the communication. The Greengrass core acts as a client for communication with AWS IoT Core and a message broker for communication on the local network.

![\[The core as client and local message broker.\]](http://docs.aws.amazon.com/greengrass/v1/developerguide/images/mqtt-qos.png)


For more information about MQTT and QoS, see [Getting Started](https://mqtt.org/getting-started/) on the MQTT website.

**Communication with the AWS Cloud**  
+ **Outbound messages use QoS 1**

  The core sends messages destined for AWS Cloud targets using QoS 1. AWS IoT Greengrass uses an MQTT message queue to process these messages. If message delivery isn't confirmed by AWS IoT, the message is spooled to be retried later. The message cannot be retried if the queue is full. The message delivery confirmation can help minimize data loss from intermittent connectivity.

  Because outbound messages to AWS IoT use QoS 1, the maximum rate at which the Greengrass core can send messages depends on the latency between the core and AWS IoT. Each time the core sends a message, it waits until AWS IoT acknowledges the message before it sends the next message. For example, if the round-trip time between the core and its AWS Region is 50 milliseconds, the core can send up to 20 messages per second. Consider this behavior when you choose the AWS Region where your core connects. To ingest high-volume IoT data to the AWS Cloud, you can use [stream manager](stream-manager.md).

  For more information about the MQTT message queue, including how to configure a local storage cache that can persist messages destined for AWS Cloud targets, see [MQTT message queue for cloud targets](#mqtt-message-queue).
+ **Inbound messages use QoS 0 (default) or QoS 1**

  By default, the core subscribes with QoS 0 to messages from AWS Cloud sources. If you enable persistent sessions, the core subscribes with QoS 1. This can help minimize data loss from intermittent connectivity. To manage the QoS for these subscriptions, you configure persistence settings on the local spooler system component.

  For more information, including how to enable the core to establish a persistent session with AWS Cloud targets, see [MQTT persistent sessions with AWS IoT Core](#mqtt-persistent-sessions).

**Communication with local targets**  
All local communication uses QoS 0. The core makes one attempt to send a message to a local target, which can be a Greengrass Lambda function, connector, or [client device](what-is-gg.md#greengrass-devices). The core doesn't store messages or confirm delivery. Messages can be dropped anywhere between components.  
Although direct communication between Lambda functions doesn't use MQTT messaging, the behavior is the same.

### MQTT message queue for cloud targets
<a name="mqtt-message-queue"></a>

MQTT messages that are destined for AWS Cloud targets are queued to await processing. Queued messages are processed in first in, first out (FIFO) order. After a message is processed and published to AWS IoT Core, the message is removed from the queue.

By default, the Greengrass core stores in memory unprocessed messages destined for AWS Cloud targets. You can configure the core to store unprocessed messages in a local storage cache instead. Unlike in-memory storage, the local storage cache has the ability to persist across core restarts (for example, after a group deployment or a device reboot), so AWS IoT Greengrass can continue to process the messages. You can also configure the storage size.

**Warning**  
The Greengrass core might queue duplicate MQTT messages when it loses connection, because it retries a publish operation before the MQTT client detects that it's offline. To avoid duplicate MQTT messages for cloud targets, configure the core's `keepAlive` value to less than half of its `mqttOperationTimeout` value. For more information, see [AWS IoT Greengrass core configuration file](#config-json).

AWS IoT Greengrass uses the spooler system component (the `GGCloudSpooler` Lambda function) to manage the message queue. You can use the following `GGCloudSpooler` environment variables to configure storage settings.
+ **GG_CONFIG_STORAGE_TYPE**. The location of the message queue. The following are valid values:
  + `FileSystem`. Store unprocessed messages in the local storage cache on the disk of the physical core device. When the core restarts, queued messages are retained for processing. Messages are removed after they are processed.
  + `Memory` (default). Store unprocessed messages in memory. When the core restarts, queued messages are lost.

    This option is optimized for devices with restricted hardware capabilities. When using this configuration, we recommend that you deploy groups or restart the device when the service disruption is the lowest.
+ **GG_CONFIG_MAX_SIZE_BYTES**. The storage size, in bytes. This value can be any non-negative integer **greater than or equal to 262144** (256 KB); a smaller size prevents the AWS IoT Greengrass Core software from starting. The default size is 2.5 MB. When the size limit is reached, the oldest queued messages are replaced by new messages.

**Note**  
This feature is available for AWS IoT Greengrass Core v1.6 and later. Earlier versions use in-memory storage with a queue size of 2.5 MB. You cannot configure storage settings for earlier versions.

#### To cache messages in local storage
<a name="configure-local-storage-cache"></a>

You can configure AWS IoT Greengrass to cache messages to the file system so they persist across core restarts. To do this, you deploy a function definition version where the `GGCloudSpooler` function sets the storage type to `FileSystem`. You must use the AWS IoT Greengrass API to configure the local storage cache. You can't do this in the console.

The following procedure uses the [create-function-definition-version](https://docs.aws.amazon.com/cli/latest/reference/greengrass/create-function-definition-version.html) CLI command to configure the spooler to save queued messages to the file system. It also configures a 2.6 MB queue size.

1. <a name="get-group-id-latestversion"></a>Get the IDs of the target Greengrass group and group version. This procedure assumes that this is the latest group and group version. The following query returns the most recently created group.

   ```
   aws greengrass list-groups --query "reverse(sort_by(Groups, &CreationTimestamp))[0]"
   ```

   Or, you can query by name. Group names are not required to be unique, so multiple groups might be returned.

   ```
   aws greengrass list-groups --query "Groups[?Name=='MyGroup']"
   ```
**Note**  
<a name="find-group-ids-console"></a>You can also find these values in the AWS IoT console. The group ID is displayed on the group's **Settings** page. Group version IDs are displayed on the group's **Deployments** tab.

1. <a name="copy-group-id-latestversion"></a>Copy the `Id` and `LatestVersion` values from the target group in the output.

1. <a name="get-latest-group-version"></a>Get the latest group version.
   + Replace *group-id* with the `Id` that you copied.
   + Replace *latest-group-version-id* with the `LatestVersion` that you copied.

   ```
   aws greengrass get-group-version \
   --group-id group-id \
   --group-version-id latest-group-version-id
   ```

1. <a name="copy-group-component-arns-except-function"></a>From the `Definition` object in the output, copy the `CoreDefinitionVersionArn` and the ARNs of all other group components except `FunctionDefinitionVersionArn`. You use these values when you create a new group version.

1. <a name="parse-function-def-id"></a>From the `FunctionDefinitionVersionArn` in the output, copy the ID of the function definition. The ID is the GUID that follows the `functions` segment in the ARN, as shown in the following example.

   ```
   arn:aws:greengrass:us-west-2:123456789012:/greengrass/definition/functions/bcfc6b49-beb0-4396-b703-6dEXAMPLEcu5/versions/0f7337b4-922b-45c5-856f-1aEXAMPLEsf6
   ```
**Note**  
Or, you can create a function definition by running the [create-function-definition](https://docs.aws.amazon.com/cli/latest/reference/greengrass/create-function-definition.html) command, and then copying the ID from the output.

1. Add a function definition version to the function definition.
   + Replace *function-definition-id* with the `Id` that you copied for the function definition.
   + Replace *arbitrary-function-id* with a name for the function, such as **spooler-function**.
   + Add any Lambda functions that you want to include in this version to the `functions` array. You can use the [get-function-definition-version](https://docs.aws.amazon.com/cli/latest/reference/greengrass/get-function-definition-version.html) command to get the Greengrass Lambda functions from an existing function definition version.
**Warning**  
Make sure that you specify a value for `GG_CONFIG_MAX_SIZE_BYTES` that's **greater than or equal to 262144**. A smaller size prevents the AWS IoT Greengrass Core software from starting.

   ```
   aws greengrass create-function-definition-version \
   --function-definition-id function-definition-id \
   --functions '[{"FunctionArn": "arn:aws:lambda:::function:GGCloudSpooler:1","FunctionConfiguration": {"Environment": {"Variables":{"GG_CONFIG_MAX_SIZE_BYTES":"2621440","GG_CONFIG_STORAGE_TYPE":"FileSystem"}},"Executable": "spooler","MemorySize": 32768,"Pinned": true,"Timeout": 3},"Id": "arbitrary-function-id"}]'
   ```
**Note**  
If you previously set the `GG_CONFIG_SUBSCRIPTION_QUALITY` environment variable to [support persistent sessions with AWS IoT Core](#mqtt-persistent-sessions), include it in this function instance.

1. <a name="copy-function-def-version-arn"></a>Copy the `Arn` of the function definition version from the output.

1. <a name="create-group-version-with-sys-lambda"></a>Create a group version that contains the system Lambda function.
   + Replace *group-id* with the `Id` for the group.
   + Replace *core-definition-version-arn* with the `CoreDefinitionVersionArn` that you copied from the latest group version.
   + Replace *function-definition-version-arn* with the `Arn` that you copied for the new function definition version.
   + Replace the ARNs for other group components (for example, `SubscriptionDefinitionVersionArn` or `DeviceDefinitionVersionArn`) that you copied from the latest group version.
   + Remove any unused parameters. For example, remove the `--resource-definition-version-arn` if your group version doesn't contain any resources.

   ```
   aws greengrass create-group-version \
   --group-id group-id \
   --core-definition-version-arn core-definition-version-arn \
   --function-definition-version-arn function-definition-version-arn \
   --device-definition-version-arn device-definition-version-arn \
   --logger-definition-version-arn logger-definition-version-arn \
   --resource-definition-version-arn resource-definition-version-arn \
   --subscription-definition-version-arn subscription-definition-version-arn
   ```

1. <a name="copy-group-version-id"></a>Copy the `Version` from the output. This is the ID of the new group version.

1. <a name="create-group-deployment"></a>Deploy the group with the new group version.
   + Replace *group-id* with the `Id` that you copied for the group.
   + Replace *group-version-id* with the `Version` that you copied for the new group version.

   ```
   aws greengrass create-deployment \
   --group-id group-id \
   --group-version-id group-version-id \
   --deployment-type NewDeployment
   ```

 To update the storage settings, you use the AWS IoT Greengrass API to create a new function definition version that contains the `GGCloudSpooler` function with the updated configuration. Then add the function definition version to a new group version (along with your other group components) and deploy the group version. If you want to restore the default configuration, you can deploy a function definition version that doesn't include the `GGCloudSpooler` function. 

 This system Lambda function isn't visible in the console. However, after the function is added to the latest group version, it's included in deployments that you make from the console, unless you use the API to replace or remove it. 

### MQTT persistent sessions with AWS IoT Core
<a name="mqtt-persistent-sessions"></a>

This feature is available for AWS IoT Greengrass Core v1.10 and later.

A Greengrass core can establish a persistent session with the AWS IoT message broker. A persistent session is an ongoing connection that allows the core to receive messages sent while the core is offline. The core is the client in the connection.

In a persistent session, the AWS IoT message broker saves all subscriptions the core makes during the connection. If the core disconnects, the AWS IoT message broker stores unacknowledged and new messages published as QoS 1 and destined for local targets, such as Lambda functions and [client devices](what-is-gg.md#greengrass-devices). When the core reconnects, the persistent session is resumed and the AWS IoT message broker sends stored messages to the core at a maximum rate of 10 messages per second. Persistent sessions have a default expiry period of 1 hour, which begins when the message broker detects that the core disconnects. For more information, see [MQTT persistent sessions](https://docs.aws.amazon.com/iot/latest/developerguide/mqtt-persistent-sessions.html) in the *AWS IoT Developer Guide*.

AWS IoT Greengrass uses the spooler system component (the `GGCloudSpooler` Lambda function) to create subscriptions that have AWS IoT as the source. You can use the following `GGCloudSpooler` environment variable to configure persistent sessions.
+ **GG_CONFIG_SUBSCRIPTION_QUALITY**. The quality of subscriptions that have AWS IoT as the source. The following are valid values:
  + `AtMostOnce` (default). Disables persistent sessions. Subscriptions use QoS 0.
  + `AtLeastOncePersistent`. Enables persistent sessions. Sets the `cleanSession` flag to `0` in `CONNECT` messages and subscribes with QoS 1.

    Messages published with QoS 1 that the core receives are guaranteed to reach the Greengrass daemon's in-memory work queue. The core acknowledges the message after it's added to the queue. Subsequent communication from the queue to the local target (for example, Greengrass Lambda function, connector, or device) is sent as QoS 0. AWS IoT Greengrass doesn't guarantee delivery to local targets.
**Note**  
You can use the [maxWorkItemCount](#config-json-runtime) configuration property to control the size of the work item queue. For example, you can increase the queue size if your workload requires heavy MQTT traffic.

    When persistent sessions are enabled, the core opens at least one additional connection for MQTT message exchange with AWS IoT. For more information, see [Client IDs for MQTT connections with AWS IoT](#connection-client-id).

#### To configure MQTT persistent sessions
<a name="configure-persistent-sessions"></a>

You can configure AWS IoT Greengrass to use persistent sessions with AWS IoT Core. To do this, you deploy a function definition version where the `GGCloudSpooler` function sets the subscription quality to `AtLeastOncePersistent`. This setting applies to all your subscriptions that have AWS IoT Core (`cloud`) as the source. You must use the AWS IoT Greengrass API to configure persistent sessions. You can't do this in the console.

The following procedure uses the [create-function-definition-version](https://docs.aws.amazon.com/cli/latest/reference/greengrass/create-function-definition-version.html) CLI command to configure the spooler to use persistent sessions. In this procedure, we assume that you're updating the configuration of the latest group version of an existing group.

1. <a name="get-group-id-latestversion"></a>Get the IDs of the target Greengrass group and group version. This procedure assumes that this is the latest group and group version. The following query returns the most recently created group.

   ```
   aws greengrass list-groups --query "reverse(sort_by(Groups, &CreationTimestamp))[0]"
   ```

   Or, you can query by name. Group names are not required to be unique, so multiple groups might be returned.

   ```
   aws greengrass list-groups --query "Groups[?Name=='MyGroup']"
   ```
**Note**  
<a name="find-group-ids-console"></a>You can also find these values in the AWS IoT console. The group ID is displayed on the group's **Settings** page. Group version IDs are displayed on the group's **Deployments** tab.

1. <a name="copy-group-id-latestversion"></a>Copy the `Id` and `LatestVersion` values from the target group in the output.

1. <a name="get-latest-group-version"></a>Get the latest group version.
   + Replace *group-id* with the `Id` that you copied.
   + Replace *latest-group-version-id* with the `LatestVersion` that you copied.

   ```
   aws greengrass get-group-version \
   --group-id group-id \
   --group-version-id latest-group-version-id
   ```

1. <a name="copy-group-component-arns-except-function"></a>From the `Definition` object in the output, copy the `CoreDefinitionVersionArn` and the ARNs of all other group components except `FunctionDefinitionVersionArn`. You use these values when you create a new group version.

1. <a name="parse-function-def-id"></a>From the `FunctionDefinitionVersionArn` in the output, copy the ID of the function definition. The ID is the GUID that follows the `functions` segment in the ARN, as shown in the following example.

   ```
   arn:aws:greengrass:us-west-2:123456789012:/greengrass/definition/functions/bcfc6b49-beb0-4396-b703-6dEXAMPLEcu5/versions/0f7337b4-922b-45c5-856f-1aEXAMPLEsf6
   ```
**Note**  
Or, you can create a function definition by running the [create-function-definition](https://docs.aws.amazon.com/cli/latest/reference/greengrass/create-function-definition.html) command, and then copying the ID from the output.

1. Add a function definition version to the function definition.
   + Replace *function-definition-id* with the `Id` that you copied for the function definition.
   + Replace *arbitrary-function-id* with a name for the function, such as **spooler-function**.
   + Add any Lambda functions that you want to include in this version to the `functions` array. You can use the [get-function-definition-version](https://docs.aws.amazon.com/cli/latest/reference/greengrass/get-function-definition-version.html) command to get the Greengrass Lambda functions from an existing function definition version.

   ```
   aws greengrass create-function-definition-version \
   --function-definition-id function-definition-id \
   --functions '[{"FunctionArn": "arn:aws:lambda:::function:GGCloudSpooler:1","FunctionConfiguration": {"Environment": {"Variables":{"GG_CONFIG_SUBSCRIPTION_QUALITY":"AtLeastOncePersistent"}},"Executable": "spooler","MemorySize": 32768,"Pinned": true,"Timeout": 3},"Id": "arbitrary-function-id"}]'
   ```
**Note**  
If you previously set the `GG_CONFIG_STORAGE_TYPE` or `GG_CONFIG_MAX_SIZE_BYTES` environment variables to [define storage settings](#mqtt-message-queue), include them in this function instance.

1. <a name="copy-function-def-version-arn"></a>Copy the `Arn` of the function definition version from the output.

1. <a name="create-group-version-with-sys-lambda"></a>Create a group version that contains the system Lambda function.
   + Replace *group-id* with the `Id` for the group.
   + Replace *core-definition-version-arn* with the `CoreDefinitionVersionArn` that you copied from the latest group version.
   + Replace *function-definition-version-arn* with the `Arn` that you copied for the new function definition version.
   + Replace the ARNs for other group components (for example, `SubscriptionDefinitionVersionArn` or `DeviceDefinitionVersionArn`) that you copied from the latest group version.
   + Remove any unused parameters. For example, remove the `--resource-definition-version-arn` if your group version doesn't contain any resources.

   ```
   aws greengrass create-group-version \
   --group-id group-id \
   --core-definition-version-arn core-definition-version-arn \
   --function-definition-version-arn function-definition-version-arn \
   --device-definition-version-arn device-definition-version-arn \
   --logger-definition-version-arn logger-definition-version-arn \
   --resource-definition-version-arn resource-definition-version-arn \
   --subscription-definition-version-arn subscription-definition-version-arn
   ```

1. <a name="copy-group-version-id"></a>Copy the `Version` from the output. This is the ID of the new group version.

1. <a name="create-group-deployment"></a>Deploy the group with the new group version.
   + Replace *group-id* with the `Id` that you copied for the group.
   + Replace *group-version-id* with the `Version` that you copied for the new group version.

   ```
   aws greengrass create-deployment \
   --group-id group-id \
   --group-version-id group-version-id \
   --deployment-type NewDeployment
   ```

1. (Optional) Increase the [maxWorkItemCount](#config-json-runtime) property in the core configuration file. This can help the core handle increased MQTT traffic and communication with local targets.

 To update the core with these configuration changes, you use the AWS IoT Greengrass API to create a new function definition version that contains the `GGCloudSpooler` function with the updated configuration. Then add the function definition version to a new group version (along with your other group components) and deploy the group version. If you want to restore the default configuration, you can create a function definition version that doesn't include the `GGCloudSpooler` function. 

 This system Lambda function isn't visible in the console. However, after the function is added to the latest group version, it's included in deployments that you make from the console, unless you use the API to replace or remove it. 
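
Each of the two preceding procedures replaces the whole `GGCloudSpooler` entry, so storage settings and the subscription quality must be carried into the same function instance. The following added example (not part of the AWS documentation) merges new spooler variables into the functions returned by `get-function-definition-version`, validates them against the limits stated in this section, and produces the JSON for the `--functions` parameter. The helper names and the sample input are constructed for illustration.

```python
import json

SPOOLER_ARN = "arn:aws:lambda:::function:GGCloudSpooler:1"
MIN_QUEUE_BYTES = 262144  # a smaller queue prevents the Core software from starting
VALID_VALUES = {
    "GG_CONFIG_STORAGE_TYPE": {"FileSystem", "Memory"},
    "GG_CONFIG_SUBSCRIPTION_QUALITY": {"AtMostOnce", "AtLeastOncePersistent"},
}


def validate_spooler_variables(variables):
    """Return a list of problems found in GGCloudSpooler environment variables."""
    problems = []
    for name, value in variables.items():
        if name == "GG_CONFIG_MAX_SIZE_BYTES":
            text = str(value)
            if not (text.isascii() and text.isdigit()):
                problems.append(f"{name}={value!r} is not a non-negative integer")
            elif int(text) < MIN_QUEUE_BYTES:
                problems.append(f"{name}={value} is below {MIN_QUEUE_BYTES}")
        elif name in VALID_VALUES:
            if value not in VALID_VALUES[name]:
                allowed = sorted(VALID_VALUES[name])
                problems.append(f"{name}={value!r} is not one of {allowed}")
        else:
            # Only the three variables documented in this section are accepted,
            # which also catches misspelled names.
            problems.append(f"{name} is not a documented spooler variable")
    return problems


def build_functions_payload(existing_functions, new_variables,
                            function_id="spooler-function"):
    """Carry every existing function forward and merge new_variables into the
    GGCloudSpooler entry, creating that entry if the version has none."""
    functions = []
    merged = {}
    spooler_id = function_id
    for fn in existing_functions:
        if fn.get("FunctionArn") == SPOOLER_ARN:
            env = fn.get("FunctionConfiguration", {}).get("Environment", {})
            merged.update(env.get("Variables", {}))  # keep earlier settings
            spooler_id = fn.get("Id", function_id)
        else:
            functions.append(fn)  # user Lambda functions are kept unchanged
    merged.update(new_variables)

    problems = validate_spooler_variables(merged)
    if problems:
        raise ValueError("; ".join(problems))

    functions.append({
        "FunctionArn": SPOOLER_ARN,
        "FunctionConfiguration": {
            "Environment": {"Variables": merged},
            "Executable": "spooler",
            "MemorySize": 32768,
            "Pinned": True,
            "Timeout": 3,
        },
        "Id": spooler_id,
    })
    return functions


# Constructed sample of Definition.Functions from get-function-definition-version:
# one user function plus a spooler that already enables persistent sessions.
SAMPLE_EXISTING_FUNCTIONS = [
    {
        "FunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:ConstructedUserFunction:1",
        "FunctionConfiguration": {"MemorySize": 16384, "Pinned": False, "Timeout": 5},
        "Id": "constructed-user-function",
    },
    {
        "FunctionArn": SPOOLER_ARN,
        "FunctionConfiguration": {
            "Environment": {"Variables": {
                "GG_CONFIG_SUBSCRIPTION_QUALITY": "AtLeastOncePersistent"}},
            "Executable": "spooler", "MemorySize": 32768,
            "Pinned": True, "Timeout": 3,
        },
        "Id": "spooler-function",
    },
]

if __name__ == "__main__":
    payload = build_functions_payload(
        SAMPLE_EXISTING_FUNCTIONS,
        {"GG_CONFIG_STORAGE_TYPE": "FileSystem",
         "GG_CONFIG_MAX_SIZE_BYTES": "2621440"},
    )
    # Pass this string as the value of --functions.
    print(json.dumps(payload))
```
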

### Client IDs for MQTT connections with AWS IoT
<a name="connection-client-id"></a>

This feature is available for AWS IoT Greengrass Core v1.8 and later.

The Greengrass core opens MQTT connections with AWS IoT Core for operations such as shadow sync and certificate management. For these connections, the core generates predictable client IDs based on the core thing name. Predictable client IDs can be used with monitoring, auditing, and pricing features, including AWS IoT Device Defender and [AWS IoT lifecycle events](https://docs.aws.amazon.com/iot/latest/developerguide/life-cycle-events.html). You can also create logic around predictable client IDs (for example, [subscribe policy](https://docs.aws.amazon.com/iot/latest/developerguide/pub-sub-policy.html#pub-sub-policy-cert) templates based on certificate attributes).

------
#### [ GGC v1.9 and later ]

Two Greengrass system components open MQTT connections with AWS IoT Core. These components use the following patterns to generate the client IDs for the connections.


| Operation | Client ID pattern | 
| --- | --- | 
| Deployments | `core-thing-name` Example: `MyCoreThing` Use this client ID for connect, disconnect, subscribe, and unsubscribe lifecycle event notifications. | 
| Subscriptions |  `core-thing-name-cn` Example: `MyCoreThing-c01` `n` is an integer that starts at 00 and increments with each new connection to a maximum number of 250. The number of connections is determined by the number of devices that sync their shadow state with AWS IoT Core (maximum 2,500 per group) and the number of subscriptions with `cloud` as their source in the group (maximum 10,000 per group). The spooler system component connects with AWS IoT Core to exchange messages for subscriptions with a cloud source or target. The spooler also acts as proxy for message exchange between AWS IoT Core and the local shadow service and device certificate manager.  | 

To calculate the number of MQTT connections per group, use the following formula:

`number of MQTT connections per group = number of connections for Deployment Agent + number of connections for Subscriptions`

Where,
+ number of connections for Deployment Agent = 1.
+ number of connections for Subscriptions = `(2 subscriptions for supporting certificate generation + number of MQTT topics in AWS IoT Core + number of device shadows synced) / 50`.
  + Where, `50` = the maximum number of subscriptions per connection that AWS IoT Core can support.

**Note**  
If you enable [persistent sessions](#mqtt-persistent-sessions) for subscription with AWS IoT Core, the core opens at least one additional connection to use in a persistent session. The system components don't support persistent sessions, so they can't share that connection.

To reduce the number of MQTT connections and help reduce costs, you can use local Lambda functions to aggregate data at the edge. Then you send the aggregated data to the AWS Cloud. As a result, you use fewer MQTT topics in AWS IoT Core. For more information, see [AWS IoT Greengrass Pricing](https://aws.amazon.com/greengrass/pricing/).

------
#### [ GGC v1.8 ]

Several Greengrass system components open MQTT connections with AWS IoT Core. These components use the following patterns to generate the client IDs for the connections.


| Operation | Client ID pattern | 
| --- | --- | 
| Deployments | `core-thing-name` Example: `MyCoreThing` Use this client ID for connect, disconnect, subscribe, and unsubscribe lifecycle event notifications. | 
| MQTT message exchange with AWS IoT Core | `core-thing-name-spr` Example: `MyCoreThing-spr` | 
| Shadow sync | `core-thing-name-snn` Example: `MyCoreThing-s01` `nn` is an integer that starts at 00 and increments with each new connection to a maximum of 03. The number of connections is determined by the number of devices (maximum 200 devices per group) that sync their shadow state with AWS IoT Core (maximum 50 subscriptions per connection). | 
| Device certificate management | `core-thing-name-dcm` Example: `MyCoreThing-dcm` | 

------

**Note**  
Duplicate client IDs used in simultaneous connections can cause an infinite connect-disconnect loop. This can happen if another device is hardcoded to use the core device name as the client ID in connections. For more information, see this [troubleshooting step](gg-troubleshooting.md#config-client-id).
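
The following added example (not part of the AWS documentation) shows one way to use the predictable client IDs for auditing: it recognizes the GGC v1.9 and later patterns from the preceding table and scans AWS IoT lifecycle events for a core client ID that is used by more than one principal or that is repeatedly disconnected as a duplicate. The event field names follow the AWS IoT lifecycle event format. The sample events, the zero-padded counter width (taken from the `MyCoreThing-c01` example), and the loop threshold are assumptions.

```python
import re
from collections import defaultdict

MAX_SUBSCRIPTION_CONNECTIONS = 250  # maximum counter value in the v1.9+ table


def is_core_client_id(core_thing_name, client_id):
    """True if client_id matches a pattern that a GGC v1.9+ core generates:
    the thing name itself (deployments) or thing-name-cNN (subscriptions)."""
    pattern = rf"{re.escape(core_thing_name)}(?:-c(\d{{2,3}}))?"
    match = re.fullmatch(pattern, client_id)
    if match is None:
        return False
    counter = match.group(1)
    return counter is None or int(counter) <= MAX_SUBSCRIPTION_CONNECTIONS


def audit_lifecycle_events(core_thing_name, events, loop_threshold=3):
    """Return findings for core client IDs that show a duplicate-ID conflict.

    A finding is a tuple (client_id, kind, detail) where kind is
    'multiple-principals' or 'connect-disconnect-loop'.
    """
    principals = defaultdict(set)
    duplicate_disconnects = defaultdict(int)

    for event in events:
        client_id = event.get("clientId", "")
        if not is_core_client_id(core_thing_name, client_id):
            continue  # not one of the core's predictable client IDs
        if event.get("eventType") == "connected":
            principals[client_id].add(event.get("principalIdentifier", "unknown"))
        elif (event.get("eventType") == "disconnected"
              and event.get("disconnectReason") == "DUPLICATE_CLIENTID"):
            duplicate_disconnects[client_id] += 1

    findings = []
    for client_id in sorted(set(principals) | set(duplicate_disconnects)):
        if len(principals[client_id]) > 1:
            findings.append(
                (client_id, "multiple-principals", sorted(principals[client_id])))
        if duplicate_disconnects[client_id] >= loop_threshold:
            findings.append(
                (client_id, "connect-disconnect-loop", duplicate_disconnects[client_id]))
    return findings


def _event(client_id, event_type, principal, reason=None):
    """Build a constructed lifecycle event with only the fields the audit reads."""
    event = {"clientId": client_id, "eventType": event_type,
             "principalIdentifier": principal}
    if reason is not None:
        event["disconnectReason"] = reason
    return event


# Constructed events: another device is hardcoded to use the core thing name
# as its client ID, so the two connections keep displacing each other.
SAMPLE_EVENTS = [
    _event("MyCoreThing", "connected", "constructed-cert-core"),
    _event("MyCoreThing-c01", "connected", "constructed-cert-core"),
    _event("Sensor42", "connected", "constructed-cert-sensor"),
    _event("MyCoreThing", "connected", "constructed-cert-other"),
    _event("MyCoreThing", "disconnected", "constructed-cert-core", "DUPLICATE_CLIENTID"),
    _event("MyCoreThing", "connected", "constructed-cert-core"),
    _event("MyCoreThing", "disconnected", "constructed-cert-other", "DUPLICATE_CLIENTID"),
    _event("MyCoreThing", "connected", "constructed-cert-other"),
    _event("MyCoreThing", "disconnected", "constructed-cert-core", "DUPLICATE_CLIENTID"),
    _event("Sensor42", "disconnected", "constructed-cert-sensor", "CONNECTION_LOST"),
]

if __name__ == "__main__":
    for finding in audit_lifecycle_events("MyCoreThing", SAMPLE_EVENTS):
        print(finding)
```
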

Greengrass devices are also fully integrated with the Fleet Indexing service of AWS IoT Device Management. This allows you to index and search for devices based on device attributes, shadow state, and connection state in the cloud. For example, Greengrass devices establish at least one connection that uses the thing name as the client ID, so you can use device connectivity indexing to discover which Greengrass devices are currently connected to or disconnected from AWS IoT Core. For more information, see [Fleet indexing service](https://docs.aws.amazon.com/iot/latest/developerguide/iot-indexing.html) in the *AWS IoT Developer Guide*.

### Configure the MQTT port for local messaging
<a name="config-local-mqtt-port"></a>

This feature requires AWS IoT Greengrass Core v1.10 or later.

The Greengrass core acts as the local message broker for MQTT messaging between local Lambda functions, connectors, and [client devices](what-is-gg.md#greengrass-devices). By default, the core uses port 8883 for MQTT traffic on the local network. You might want to change the port to avoid a conflict with other software that runs on port 8883.

**To configure the port number that the core uses for local MQTT traffic**

1. Run the following command to stop the Greengrass daemon:

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd stop
   ```

1. Open `greengrass-root/config/config.json` for editing as the su user.

1. In the `coreThing` object, add the `ggMqttPort` property and set the value to the port number you want to use. Valid values are 1024 to 65535. The following example sets the port number to `9000`.

   ```
   {
       "coreThing" : {
           "caPath" : "root.ca.pem",
           "certPath" : "12345abcde.cert.pem",
           "keyPath" : "12345abcde.private.key",
           "thingArn" : "arn:aws:iot:us-west-2:123456789012:thing/core-thing-name",
           "iotHost" : "abcd123456wxyz-ats.iot.us-west-2.amazonaws.com",
           "ggHost" : "greengrass-ats.iot.us-west-2.amazonaws.com",
           "ggMqttPort" : 9000,
           "keepAlive" : 600
       },
       ...
   }
   ```

1. Start the daemon.

   ```
   cd /greengrass-root/ggc/core/
   sudo ./greengrassd start
   ```

1. If [automatic IP detection](#ip-auto-detect) is enabled for the core, the configuration is complete.

   If automatic IP detection is not enabled, you must update the connectivity information for the core. This allows client devices to receive the correct port number during discovery operations to acquire core connectivity information. You can use the AWS IoT console or AWS IoT Greengrass API to update the core connectivity information. For this procedure, you update the port number only. The local IP address for the core remains the same.  
**To update the connectivity information for the core (console)**  

   1. On the group configuration page, choose the Greengrass core.

   1. On the core details page, choose the **MQTT broker endpoints** tab.

   1. Choose **Manage endpoints** and then choose **Add endpoint**.

   1. Enter your current local IP address and the new port number. The following example sets the port number `9000` for the IP address `192.168.1.8`.

   1. Remove the obsolete endpoint, and then choose **Update**.  
**To update the connectivity information for the core (API)**  
   + Use the [UpdateConnectivityInfo](https://docs.aws.amazon.com/greengrass/v1/apireference/updateconnectivityinfo-put.html) action. The following example uses `update-connectivity-info` in the AWS CLI to set the port number `9000` for the IP address `192.168.1.8`.

     ```
     aws greengrass update-connectivity-info \
         --thing-name "MyGroup_Core" \
         --connectivity-info "[{\"Metadata\":\"\",\"PortNumber\":9000,\"HostAddress\":\"192.168.1.8\",\"Id\":\"localIP_192.168.1.8\"},{\"Metadata\":\"\",\"PortNumber\":8883,\"HostAddress\":\"127.0.0.1\",\"Id\":\"localhost_127.0.0.1_0\"}]"
     ```
**Note**  
You can also configure the port that the core uses for MQTT messaging with AWS IoT Core. For more information, see [Connect on port 443 or through a network proxy](#alpn-network-proxy).

### Timeout for publish, subscribe, unsubscribe operations in MQTT connections with the AWS Cloud
<a name="mqtt-operation-timeout"></a>

This feature is available in AWS IoT Greengrass v1.10.2 or later.

You can configure the amount of time (in seconds) to allow the Greengrass core to complete a publish, subscribe, or unsubscribe operation in MQTT connections to AWS IoT Core. You might want to adjust this setting if the operations time out because of bandwidth constraints or high latency. To configure this setting in the [config.json](#config-json) file, add or change the `mqttOperationTimeout` property in the `coreThing` object. For example:

```
{
  "coreThing": {
    "mqttOperationTimeout": 10,
    "caPath": "root-ca.pem",
    "certPath": "hash.cert.pem",
    "keyPath": "hash.private.key",
    ...
  },
  ...
}
```

The default timeout is 5 seconds. The minimum timeout is 5 seconds.

## Activate automatic IP detection
<a name="ip-auto-detect"></a>

You can configure AWS IoT Greengrass to enable client devices in a Greengrass group to automatically discover the Greengrass core. When enabled, the core watches for changes to its IP addresses. If an address changes, the core publishes an updated list of addresses. These addresses are made available to client devices that are in the same Greengrass group as the core.

**Note**  
The AWS IoT policy for client devices must grant the `greengrass:Discover` permission to allow devices to retrieve connectivity information for the core. For more information about the policy statement, see [Discovery authorization](gg-discover-api.md#gg-discover-auth).

To enable this feature from the AWS IoT Greengrass console, choose **Automatic detection** when you deploy your Greengrass group for the first time. You can also enable or disable this feature on the group configuration page by choosing the **Lambda functions** tab and selecting the **IP detector**. Automatic IP detection is enabled if **Automatically detect and override MQTT broker endpoints** is selected.

To manage automatic discovery with the AWS IoT Greengrass API, you must configure the `IPDetector` system Lambda function. The following procedure shows how to use the [create-function-definition-version](https://docs.aws.amazon.com/cli/latest/reference/greengrass/create-function-definition-version.html) CLI command to configure automatic discovery of the Greengrass core.

1. <a name="get-group-id-latestversion"></a>Get the IDs of the target Greengrass group and group version. This procedure assumes that this is the latest group and group version. The following query returns the most recently created group.

   ```
   aws greengrass list-groups --query "reverse(sort_by(Groups, &CreationTimestamp))[0]"
   ```

   Or, you can query by name. Group names are not required to be unique, so multiple groups might be returned.

   ```
   aws greengrass list-groups --query "Groups[?Name=='MyGroup']"
   ```
**Note**  
<a name="find-group-ids-console"></a>You can also find these values in the AWS IoT console. The group ID is displayed on the group's **Settings** page. Group version IDs are displayed on the group's **Deployments** tab.

1. <a name="copy-group-id-latestversion"></a>Copy the `Id` and `LatestVersion` values from the target group in the output.

1. <a name="get-latest-group-version"></a>Get the latest group version.
   + Replace *group-id* with the `Id` that you copied.
   + Replace *latest-group-version-id* with the `LatestVersion` that you copied.

   ```
   aws greengrass get-group-version \
   --group-id group-id \
   --group-version-id latest-group-version-id
   ```

1. <a name="copy-group-component-arns-except-function"></a>From the `Definition` object in the output, copy the `CoreDefinitionVersionArn` and the ARNs of all other group components except `FunctionDefinitionVersionArn`. You use these values when you create a new group version.

1. From the `FunctionDefinitionVersionArn` in the output, copy the ID of the function definition and the function definition version:

   ```
   arn:aws:greengrass:region:account-id:/greengrass/definition/functions/function-definition-id/versions/function-definition-version-id
   ```
**Note**  
You can optionally create a function definition by running the [create-function-definition](https://docs.aws.amazon.com/cli/latest/reference/greengrass/create-function-definition.html) command, and then copy the ID from the output.

1. Use the [get-function-definition-version](https://docs.aws.amazon.com/cli/latest/reference/greengrass/get-function-definition-version.html) command to get the current definition state. Use the *function-definition-id* you copied for the function definition. For example, *4d941bc7-92a1-4f45-8d64-EXAMPLEf76c3*.

   ```
   aws greengrass get-function-definition-version \
   --function-definition-id function-definition-id \
   --function-definition-version-id function-definition-version-id
   ```

   Make a note of the listed function configurations. You will need to include these when creating a new function definition version in order to prevent loss of your current definition settings.

1.  Add a function definition version to the function definition. 
   + Replace *function-definition-id* with the `Id` that you copied for the function definition. For example, *4d941bc7-92a1-4f45-8d64-EXAMPLEf76c3*.
   + Replace *arbitrary-function-id* with a name for the function, such as **auto-detection-function**.
   + Add all Lambda functions that you want to include in this version to the `functions` array, such as any listed in the previous step.

   ```
   aws greengrass create-function-definition-version \
   --function-definition-id function-definition-id \
   --functions '[{"FunctionArn":"arn:aws:lambda:::function:GGIPDetector:1","Id":"arbitrary-function-id","FunctionConfiguration":{"Pinned":true,"MemorySize":32768,"Timeout":3}}]' \
   --region us-west-2
   ```

1. <a name="copy-function-def-version-arn"></a>Copy the `Arn` of the function definition version from the output.

1. <a name="create-group-version-with-sys-lambda"></a>Create a group version that contains the system Lambda function.
   + Replace *group-id* with the `Id` for the group.
   + Replace *core-definition-version-arn* with the `CoreDefinitionVersionArn` that you copied from the latest group version.
   + Replace *function-definition-version-arn* with the `Arn` that you copied for the new function definition version.
   + Replace the ARNs for other group components (for example, `SubscriptionDefinitionVersionArn` or `DeviceDefinitionVersionArn`) that you copied from the latest group version.
   + Remove any unused parameters. For example, remove the `--resource-definition-version-arn` if your group version doesn't contain any resources.

   ```
   aws greengrass create-group-version \
   --group-id group-id \
   --core-definition-version-arn core-definition-version-arn \
   --function-definition-version-arn function-definition-version-arn \
   --device-definition-version-arn device-definition-version-arn \
   --logger-definition-version-arn logger-definition-version-arn \
   --resource-definition-version-arn resource-definition-version-arn \
   --subscription-definition-version-arn subscription-definition-version-arn
   ```

1. <a name="copy-group-version-id"></a>Copy the `Version` from the output. This is the ID of the new group version.

1. <a name="create-group-deployment"></a>Deploy the group with the new group version.
   + Replace *group-id* with the `Id` that you copied for the group.
   + Replace *group-version-id* with the `Version` that you copied for the new group version.

   ```
   aws greengrass create-deployment \
   --group-id group-id \
   --group-version-id group-version-id \
   --deployment-type NewDeployment
   ```

 If you want to manually input the IP address of your Greengrass core, you can complete this tutorial with a different function definition that does not include the `IPDetector` function. This will prevent the detection function from locating and automatically inputting your Greengrass core IP address. 

 This system Lambda function isn't visible in the Lambda console. After the function is added to the latest group version, it's included in deployments that you make from the console, unless you use the API to replace or remove it. 
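The merge and carry-over steps of the procedure above, as an added Python example that is not part of the AWS documentation: it builds the arguments for `create-function-definition-version` and `create-group-version` from the JSON that `get-function-definition-version` and `get-group-version` return, so that existing functions, the default function configuration, and the other component ARNs are not dropped. The sample outputs, the IDs in them, and the function name `MyFn` are constructed placeholders.

```python
import json
import re

# IPDetector entry from the create-function-definition-version step above.
IP_DETECTOR = {"FunctionArn": "arn:aws:lambda:::function:GGIPDetector:1",
               "Id": "auto-detection-function",
               "FunctionConfiguration": {"Pinned": True, "MemorySize": 32768, "Timeout": 3}}

def parse_version_arn(arn):
    """Split a definition version ARN into (definition-id, version-id)."""
    m = re.search(r"/([^/]+)/versions/([^/]+)$", arn)
    if m is None:
        raise ValueError("not a definition version ARN: " + arn)
    return m.group(1), m.group(2)

def function_version_args(function_version):
    """create-function-definition-version arguments: keep existing functions, add IPDetector once."""
    definition = function_version["Definition"]
    functions = list(definition.get("Functions", []))
    if all(f["FunctionArn"] != IP_DETECTOR["FunctionArn"] for f in functions):
        functions.append(IP_DETECTOR)
    args = ["--function-definition-id", function_version["Id"],
            "--functions", json.dumps(functions)]
    if "DefaultConfig" in definition:  # group-wide defaults are easy to drop
        args += ["--default-config", json.dumps(definition["DefaultConfig"])]
    return args

def group_version_args(group_version, new_function_version_arn):
    """create-group-version arguments: carry over all component ARNs, replace the function one."""
    components = dict(group_version["Definition"])
    components["FunctionDefinitionVersionArn"] = new_function_version_arn
    args = ["--group-id", group_version["Id"]]
    for key in sorted(components):
        # CoreDefinitionVersionArn -> --core-definition-version-arn
        flag = "--" + re.sub(r"(?<!^)(?=[A-Z])", "-", key).lower()
        args += [flag, components[key]]
    return args

# Constructed sample outputs (placeholder IDs) of get-group-version and
# get-function-definition-version.
BASE = "arn:aws:greengrass:us-west-2:123456789012:/greengrass/definition"
SAMPLE_GROUP_VERSION = {"Id": "group-id", "Definition": {
    "CoreDefinitionVersionArn": BASE + "/cores/core-id/versions/core-ver-id",
    "FunctionDefinitionVersionArn": BASE + "/functions/fn-def-id/versions/fn-ver-1",
    "SubscriptionDefinitionVersionArn": BASE + "/subscriptions/sub-id/versions/sub-ver-id"}}
SAMPLE_FUNCTION_VERSION = {"Id": "fn-def-id", "Definition": {"Functions": [
    {"FunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:MyFn:1", "Id": "my-fn",
     "FunctionConfiguration": {"Pinned": False, "MemorySize": 16384, "Timeout": 10}}]}}
```

Each returned list can be appended to `["aws", "greengrass", "<command>"]` and passed to `subprocess.run`, which avoids shell quoting of the `--functions` JSON.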

## Configure the init system to start the Greengrass daemon
<a name="start-on-boot"></a>

It's a good practice to set up your init system to start the Greengrass daemon during boot, especially when managing large fleets of devices.

**Note**  
If you used `apt` to install the AWS IoT Greengrass Core software, you can use the systemd scripts to enable start on boot. For more information, see [Use systemd scripts to manage the Greengrass daemon lifecycle](install-ggc.md#ggc-package-manager-systemd).

There are different types of init system, such as initd, systemd, and SystemV, and they use similar configuration parameters. The following example is a service file for systemd. The `Type` parameter is set to `forking` because greengrassd (which is used to start Greengrass) forks the Greengrass daemon process, and the `Restart` parameter is set to `on-failure` to direct systemd to restart Greengrass if Greengrass enters a failed state.

**Note**  
To see if your device uses systemd, run the `check_ggc_dependencies` script as described in [Module 1](module1.md). Then to use systemd, make sure that the `useSystemd` parameter in [`config.json`](#config-json) is set to `yes`.

```
[Unit]
Description=Greengrass Daemon

[Service]
Type=forking
PIDFile=/var/run/greengrassd.pid
Restart=on-failure
ExecStart=/greengrass/ggc/core/greengrassd start
ExecReload=/greengrass/ggc/core/greengrassd restart
ExecStop=/greengrass/ggc/core/greengrassd stop

[Install]
WantedBy=multi-user.target
```

## See also
<a name="cores-see-also"></a>
+ [What is AWS IoT Greengrass?](what-is-gg.md)
+ [Supported platforms and requirements](what-is-gg.md#gg-platforms)
+ [Getting started with AWS IoT Greengrass](gg-gs.md)
+ [Overview of the AWS IoT Greengrass group object model](deployments.md#api-overview)
+ [Hardware security integration](hardware-security.md)