Privileges
Privileges grant a skill container access to hardware resources and OS capabilities on the device. When you create or edit a Docker Image skill version, the Privileges tab lets you enable the specific access your skill requires.
Only grant the privileges your skill actually needs. Unnecessary privileges increase the attack surface of your deployment.
Privileges apply to Docker Image skills only. Docker Compose skills support only the Web UI privilege.
Hardware privileges
Sound
Allows the skill to play and record audio through the device's sound hardware. Enable this if your skill needs to play audio output or capture microphone input.
- `HostConfig.Binds`: `/etc/asound.conf:/etc/asound.conf:ro` (ALSA config), `/dev:/dev:ro`
- `HostConfig.Devices`: `/dev/snd` mounted into the container with cgroup permissions `rwm`
- `HostConfig.DeviceCgroupRules`: `c 116:* rmw` (r/w/mknod access to ALSA sound devices, Linux device major 116)
Connected Cameras
Allows the skill to use USB and CSI cameras attached to the device.
Enable this for any skill that uses a camera for image capture, video streaming, or computer vision inference.
- `HostConfig.Binds`: `/dev:/dev:ro`; on vz5100 and vz6100 devices also `/tmp/argus_socket:/tmp/argus_socket:rw` (NVIDIA Argus camera IPC socket)
- `HostConfig.DeviceCgroupRules`: `c 81:* rmw` (r/w/mknod access to V4L2 video devices, Linux device major 81)
HDMI
Allows the skill to use the device's HDMI port to play video. Enable this for skills that need to display output on a connected screen.
Only applied on supported models (cx2000, vz1000, vz5000, vz5100, vz6000, vz6100):
- `HostConfig.Binds`: `/tmp/.X11-unix:/tmp/.X11-unix` (X11 socket for display output)
- `Env`: `DISPLAY=:0` (points the container at the host X11 display)
GPIOs
Allows the skill to read from and write to the device's general-purpose I/O (GPIO) pins. Enable this for skills that interface with external sensors, actuators, or other hardware through GPIO.
Only applied on Vision-family devices:
- `HostConfig.Binds`: `/dev:/dev:ro`
- `HostConfig.Devices`: `/dev/gpiochipUSR` mounted into the container at the same path with cgroup permissions `rwm`
Optra CX2000 IR Remote Control
Allows the skill to receive key codes from an IR (infrared) remote control. This privilege is specific to the Optra CX2000 hardware platform.
Only applied on cx2000 devices:
- `HostConfig.Binds`: `/dev:/dev:ro`
- `HostConfig.DeviceCgroupRules`: `c 13:* r` (read access to Linux input devices, device major 13)
USB Serial Converters
Allows the skill to use USB serial ACM and FTDI devices. Enable this if your skill communicates with external devices over USB serial connections such as industrial sensors or serial adapters.
- `HostConfig.Binds`: `/dev:/dev:ro`
- `HostConfig.DeviceCgroupRules`: `c 166:* rmw` (USB ACM/CDC devices, device major 166), `c 167:* rmw`, `c 188:* rmw` (USB serial/FTDI devices, device major 188), `c 189:* rmw`
Optra CX2000 Host Video Libraries
Allows the skill to use the Optra CX2000's hardware video acceleration libraries. This privilege is specific to the Optra CX2000 hardware platform and enables hardware-accelerated video decoding and processing.
Only applied on cx2000 devices:
- `HostConfig.Binds`: `/dev:/dev:ro`, `/usr/bin/gst-launch-1.0:/usr/local/bin/gst-launch-1.0` (host GStreamer binary), `/usr/libexec/gstreamer-1.0/:/usr/libexec/gstreamer-1.0/` (GStreamer executables), `/usr/lib:/host/usr/lib` (host shared libraries), `/lib:/host/lib` (host base libraries)
- `Env`: `GST_PLUGIN_PATH=/host/usr/lib/gstreamer-1.0`, `MPG123_MODDIR=/host/usr/lib/mpg123`, `GST_MPP_VIDEODEC_DEFAULT_ARM_AFBC=1`
- `HostConfig.DeviceCgroupRules`: `c 10:* rmw`, `c 29:* rmw`, `c 226:* rmw`, `c 242:* rmw`, `c 249:* rmw`, `c 252:* rmw` (GPU/media device majors)
LED Control
Allows the skill to control hardware LEDs on the device. Enable this for skills that use indicator lights for status signaling.
Only applied on cx2000 devices. Mounts individual sysfs LED entries read-write:
- `HostConfig.Binds`: `/sys/devices/platform/leds/leds/player-red:/leds/player-red:rw`, `/sys/devices/platform/leds/leds/player-green:/leds/player-green:rw`, `/sys/devices/platform/leds/leds/player-blue:/leds/player-blue:rw`, `/sys/devices/platform/leds/leds/status-red:/leds/status-red:rw`, `/sys/devices/platform/leds/leds/status-green:/leds/status-green:rw`, `/sys/devices/platform/leds/leds/status-blue:/leds/status-blue:rw`, `/sys/devices/platform/leds/leds/setup-green:/leds/setup-green:rw`
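The following is an added example, not the platform's own code: it composes the Docker container-create fragments documented above for the Sound, Connected Cameras, HDMI, Optra CX2000 IR Remote Control and USB Serial Converters privileges, applies the model-specific conditions, and reports which device majors a privilege set actually opens to the container. Privilege names, model names, bind paths and cgroup rules are taken from this page; the function and variable names are this example's own.

```python
import re

# Models on which HDMI is applied, and models that also get the Argus camera
# socket, as listed on this page.
HDMI_MODELS = {"cx2000", "vz1000", "vz5000", "vz5100", "vz6000", "vz6100"}
ARGUS_MODELS = {"vz5100", "vz6100"}

# Privilege -> (binds besides /dev:/dev:ro, device cgroup rules), per the page.
RULES = {
    "Sound": (["/etc/asound.conf:/etc/asound.conf:ro"], ["c 116:* rmw"]),
    "Connected Cameras": ([], ["c 81:* rmw"]),
    "Optra CX2000 IR Remote Control": ([], ["c 13:* r"]),
    "USB Serial Converters": ([], ["c 166:* rmw", "c 167:* rmw",
                                   "c 188:* rmw", "c 189:* rmw"]),
}

def build_create_options(privileges, model):
    """Return {'HostConfig': ..., 'Env': ...} for `privileges` on device `model`."""
    host = {"Binds": [], "Devices": [], "DeviceCgroupRules": []}
    env = []
    for name in privileges:
        if name == "HDMI":
            if model in HDMI_MODELS:  # applied only on supported models
                host["Binds"].append("/tmp/.X11-unix:/tmp/.X11-unix")
                env.append("DISPLAY=:0")
            continue
        if name == "Optra CX2000 IR Remote Control" and model != "cx2000":
            continue  # applied only on cx2000 devices
        if name not in RULES:
            raise ValueError(f"privilege not covered by this example: {name}")
        binds, cgroup = RULES[name]
        if "/dev:/dev:ro" not in host["Binds"]:  # shared by every RULES entry
            host["Binds"].append("/dev:/dev:ro")
        host["Binds"] += binds
        host["DeviceCgroupRules"] += cgroup
        if name == "Sound":  # /dev/snd is additionally mapped as a device
            host["Devices"].append({"PathOnHost": "/dev/snd",
                                    "PathInContainer": "/dev/snd",
                                    "CgroupPermissions": "rwm"})
        if name == "Connected Cameras" and model in ARGUS_MODELS:
            host["Binds"].append("/tmp/argus_socket:/tmp/argus_socket:rw")
    return {"HostConfig": host, "Env": env}

def exposed_majors(options):
    """Map each character-device major the rules open to the access granted:
    a quick least-privilege review of what a privilege set exposes."""
    majors = {}
    for rule in options["HostConfig"]["DeviceCgroupRules"]:
        match = re.fullmatch(r"c (\d+):\* ([rwm]+)", rule)
        majors[int(match.group(1))] = match.group(2)
    return majors
```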
Storage privileges
Removable Media
Allows the skill to access removable storage devices such as USB drives and SD cards. Enable this if your skill needs to read from or write to removable media.
- `HostConfig.Binds`: `/run/removable_media:/media:shared` (device's removable media mount point, shared bind propagation)
Volumes
Allows the skill to mount named persistent volumes from the device's filesystem. Each volume entry has two parts:
| Field | Description | Constraints |
|---|---|---|
| Volume Name | The name of the Docker volume to mount | Must be alphanumeric only |
| Mount Path | The path inside the container where the volume is mounted | Must be an absolute directory path (e.g. /data) |
Use volumes when your skill needs to persist data across container restarts — for example, a database, a local cache, or a model file.
- `HostConfig.Mounts`: one entry per volume with `type: volume`, `Source` set to the volume name, and `Target` set to the container mount path. If a size limit is configured, it is passed via `VolumeOptions.DriverConfig.Options.size`.
Networking privileges
Web UI
Exposes a web-based user interface from within the skill, accessible through the portal. When enabled, specify the Port Number the skill listens on internally.
Once deployed, team members can open the skill's Web UI directly from the device detail page in the portal without needing direct network access to the device.
- `HostConfig.PortBindings`: maps `{exposedPort}/tcp` on the container to the assigned host port. If the skill is configured as localhost-only, `HostIp` is set to `127.0.0.1`.
Network Endpoint Alias
Assigns one or more DNS aliases to the skill on the internal Docker network. Other containers running on the same device can reach this skill using the alias as a hostname. Useful when multiple skills on a device need to communicate with each other over a local network.
Enter each alias as a separate entry. Aliases must be valid DNS hostnames.
- `NetworkingConfig.EndpointsConfig['azure-iot-edge'].Aliases`: the list of DNS alias strings added to the Azure IoT Edge internal network.
Port Bindings
Binds a container port to a port on the device's external network interface, making the skill accessible from outside the container. Each binding maps a container port to a host port.
The following host ports are not allowed: 22, 53, 80, 443, and 8080.
Use port bindings when an external system (not running on the same device) needs to connect to the skill directly over the network.
- `HostConfig.PortBindings`: each binding maps `{containerPort}/{protocol}` to a `HostPort` value on the host network interface.
Host Networking
Places the skill container on the device's host network stack instead of an isolated container network. The skill shares the device's IP address and can bind to any available host port directly.
Host Networking is available only on organizations with the feature enabled. Contact support if you need access to this privilege.
- `HostConfig.NetworkMode`: `host`
- `NetworkingConfig.EndpointsConfig.host`: `{}` (registers the container on the host network endpoint)
Memory privileges
Tmpfs
Creates one or more temporary in-memory filesystems inside the container. Each tmpfs entry specifies a container path and an optional size in bytes.
Use tmpfs for high-performance temporary storage that doesn't need to persist — for example, scratch space for image processing or buffering.
| Field | Constraints |
|---|---|
| Container path | Must be an absolute directory path (e.g. /tmp/cache) |
| Size (bytes) | Must be a positive integer; omit it to default to half of the device's RAM |
- `HostConfig.Mounts`: one entry per tmpfs with `type: tmpfs` and `Target` set to the container path. If a size is specified, it is set via `TmpfsOptions.SizeBytes`.
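The following is an added example, not the platform's own code: it validates the user-entered fields for Volumes, Port Bindings, Network Endpoint Alias and Tmpfs against the constraints stated on this page and emits the Docker create-option fragments described in those sections. The disallowed host ports, the option paths and the `azure-iot-edge` network name come from this page; the RFC 1123 reading of "valid DNS hostname" and the ASCII reading of "alphanumeric only" are this example's assumptions, as are the function names.

```python
import re

DISALLOWED_HOST_PORTS = {22, 53, 80, 443, 8080}  # as listed on this page
# Assumed reading of "valid DNS hostname": RFC 1123 labels joined by dots.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def volume_mount(name, path, size_bytes=None):
    """HostConfig.Mounts entry for a named volume (Docker API field names)."""
    if not re.fullmatch(r"[A-Za-z0-9]+", name):  # "alphanumeric only", read as ASCII
        raise ValueError("volume name must be alphanumeric only")
    if not path.startswith("/"):
        raise ValueError("mount path must be an absolute directory path")
    mount = {"Type": "volume", "Source": name, "Target": path}
    if size_bytes is not None:  # size limit travels as a driver option
        mount["VolumeOptions"] = {"DriverConfig": {"Options": {"size": str(size_bytes)}}}
    return mount

def tmpfs_mount(path, size_bytes=None):
    """HostConfig.Mounts entry for a tmpfs; omitting the size keeps the default."""
    if not path.startswith("/"):
        raise ValueError("container path must be an absolute directory path")
    mount = {"Type": "tmpfs", "Target": path}
    if size_bytes is not None:
        if not isinstance(size_bytes, int) or size_bytes <= 0:
            raise ValueError("size must be a positive integer (bytes)")
        mount["TmpfsOptions"] = {"SizeBytes": size_bytes}
    return mount

def port_binding(container_port, host_port, protocol="tcp"):
    """HostConfig.PortBindings entry; rejects the host ports the page disallows."""
    if host_port in DISALLOWED_HOST_PORTS:
        raise ValueError(f"host port {host_port} is not allowed")
    if not (1 <= container_port <= 65535 and 1 <= host_port <= 65535):
        raise ValueError("ports must be in the range 1-65535")
    return {f"{container_port}/{protocol}": [{"HostPort": str(host_port)}]}

def endpoint_aliases(aliases):
    """NetworkingConfig fragment adding the aliases on the azure-iot-edge network."""
    for alias in aliases:
        if len(alias) > 253 or not all(_LABEL.match(l) for l in alias.split(".")):
            raise ValueError(f"not a valid DNS hostname: {alias!r}")
    return {"EndpointsConfig": {"azure-iot-edge": {"Aliases": list(aliases)}}}
```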
SHM Size
Sets the size of the skill's Linux shared memory (/dev/shm). Enter the size in bytes. Shared memory is used by some frameworks (e.g., PyTorch multiprocessing) that require a larger-than-default shared memory region.
- `HostConfig.ShmSize`: the size value in bytes passed directly to Docker.
Hostname
Sets a custom hostname for the skill container. By default, Docker assigns the container ID as the hostname. Use this when the skill or another container on the device expects a specific, predictable hostname.
- Top-level `Hostname` field in the container create options (not under `HostConfig`).
NET_ADMIN
Adds the NET_ADMIN Linux capability to the skill container. This allows the skill to perform network administration tasks such as configuring network interfaces, setting routes, managing firewall rules, and controlling bandwidth.
NET_ADMIN is available only on organizations with the feature enabled. Contact support if you need access to this privilege.
- `HostConfig.CapAdd`: `["NET_ADMIN"]`
Summary table
| Privilege | Category | Use case |
|---|---|---|
| Sound | Hardware | Audio playback / recording |
| Connected Cameras | Hardware | Camera-based inference or capture |
| HDMI | Hardware | Video output to a display |
| GPIOs | Hardware | External sensor / actuator control |
| Optra CX2000 IR Remote Control | Hardware | IR remote key input (Optra CX2000 only) |
| USB Serial Converters | Hardware | Serial device communication |
| Optra CX2000 Host Video Libraries | Hardware | Hardware video acceleration (Optra CX2000 only) |
| LED Control | Hardware | Status indicator LEDs |
| Removable Media | Storage | USB drives, SD cards |
| Volumes | Storage | Persistent named volume mounts |
| Web UI | Networking | In-portal browser access to skill UI |
| Network Endpoint Alias | Networking | DNS alias for inter-container communication |
| Port Bindings | Networking | External network access to a container port |
| Host Networking | Networking | Shared host network stack |
| Tmpfs | Memory | In-memory temporary filesystems |
| SHM Size | Memory | Shared memory region size |
| Hostname | Container | Custom container hostname |
| NET_ADMIN | Network capabilities | Network interface and routing control |