IoT Edge - DPS reprovisioning does not work

[fokkersim]

Our fleet of Debian 11 based IoT Edge devices successfully runs through the initial provisioing run with the
DPS endpoint and gets assigned to the target IoT Hub as expected. There it initializes and starts operation
as intended.

DPS Endpoint configuration

1. DPS -> Manage allocation policy -> Static configuration
2. symmetric_key authentication to the DPS endpoint configured in /etc/aziot/config.toml
3. DPS -> Manage enrollments -> Individual enrollments -> one entry per device

Individual enrollment configuration

1. Reprovision policy -> Reprovision device and migrate state
2. Symmetric key (according to the content of the config.toml) - this semms to work
3. Provision status -> Enable this enrollment
4. Target IoT hubs -> target selected (a single target hub)
5. Allocation policy -> Static

Used software versions

aziot-keyd 1.5.5
aziot-edged 1.5.16
aziot-identityd 1.5.5

Device configuration

config.toml

hostname = ""
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net"
id_scope = "<id_scope>"
[provisioning.attestation]
method = "symmetric_key"
registration_id = "secret"
symmetric_key = { value = "evenMoreSecret" }
auto_reprovisioning_mode = "Dynamic"
[agent]
name = "edgeAgent"
type = "docker"
imagePullPolicy = "never"
[agent.config]
image = "ourRegistry/microsoft/azureiotedge-agent:1.5"
createOptions = { HostConfig = { Binds = ["/iotedge/storage:/iotedge/storage"] } }

With this the initial provisioning run after setting up a new device works.

Problem Description

Our workflow requires reprovisioning to different IoT Hubs during the device life cylce. This has to be a manual
assignment of the new IoT Hub. Therefore for reprovisioning the target IoT Hub (the new target hub) has to be selected
in the custom enrollment configuration according to our workflow.

Expected result

This is the expected result for reprovisioning of a device i.e. move it to a different IoT Hub in a different ressource group.

1. Change the Target IoT hub in the Enrollemnt configuration (details) in the DPS endpoint for the selected device
2. Save the enrollment configuration
3. Device gets assigned a new IoT Hub
   a. Assigned IoT hub <Changes to the configured one in step 1.>
   b. Last assigned
4. Device is deleted in the old IoT Hub
5. Device appears at the new IoT Hub and starts operation

Observed result

1. Change the Target IoT hub in the Enrollemnt configuration (details) in the DPS endpoint for the selected device
2. Save the enrollment configuration
3. Device stays at the old IoT Hub
   a. Assigned IoT hub
   b. Last assigned
4. Device stays in the old IoT Hub

Further details

• The same result (observed result) is obtained, when on the device in config.toml the provisioning mode is chagned to AlwaysOnStartup and the device is rebooted. The Observed result does not change.
• If the command sudo iotedge system reprovision is executed from the device bash, the reprovisioning process runs and gives the Expected result.
• sudo iotedge check does not give any relevant errors or warnings
• if /var/lib/aziot/identityd/device_info is deleted and a reboot done, or a sudo iotedge system restart executed after deleting, mostly but not always the Expected result is observed.
• Changes in the DPS enrollment configuration do not seem to trigger a reprovisioning of the device in "Dynamic" mode

Configuration issues

It seems that the intended configuration is not applied correctly

Configuration configured

The following configuraiton is set in config.toml

hostname = "example"
auto_reprovisioning_mode = "Dynamic"
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net"

Observed cofiguration

According to the iotedge agent log the configuration is not applied as intended

<6> 2025-02-17 09:50:26.199 +00:00 [INF] [Microsoft.Azure.Devices.Edge.Agent.Service.Program] - Set metadata metrics: 1.5.15.108089335 (feed5f931393f5f50ad721e89c40f79cbfe140fb), {"Enabled":false,"DisableCloudSubscriptions":false}, {"OperatingSystemType":"Linux","Architecture":"arm","Version":"1.5.16","Provisioning":{"Type":"ProvisioningType","DynamicReprovisioning":false,"AlwaysReprovisionOnStartup":false},"ServerVersion":"27.5.1-1","KernelVersion":"#1 SMP PREEMPT Fri Feb 14 11:02:20 CET 2025","OperatingSystem":"debian","NumCpus":2,"TotalMemory":443269120,"Virtualized":"no"}, True

[fokkersim]

@vadim-kovalyov plesase let me know, if you need additional information for this issue.

[fokkersim]

Ist there any update for this issue? Even if a workaround is possible via a service script forsing a reprovisioning via bash script running

sudo iotedge system reprovision

after every reboot this remains relevant.

[jlian]

@arsing (on-call) can you help take a look?

[jlian]

@fokkersim did you do iotedge config apply after switching to AlwaysOnStartup?

[fokkersim]

@jlian Yes we tested with iotedge config apply also with reboots and complete reinstalls of iot edge with the new configuration including AlwaysOnStartup