Production readiness and best practices
Note
Azure Video Analyzer has been retired and is no longer available.
Azure Video Analyzer for Media is not affected by this retirement. It is now rebranded to Azure Video Indexer.
This article provides guidance on how to configure and deploy the Azure Video Analyzer edge module and cloud service in production environments. You should also review the article Prepare to deploy your IoT Edge solution in production.
You should consult your organization's IT department on aspects related to security.
Create the Video Analyzer account
When you create a Video Analyzer account, the following is recommended:
- The subscription owner should create a resource group under which all resources needed by Video Analyzer are to be created.
- Then, the owner should grant you Contributor and User Access Administrator roles to that resource group.
- You can then create the relevant resources: Storage account, IoT Hub, user-assigned managed identity, and Video Analyzer account under that resource group.
Run the module as a local user
When you deploy the Video Analyzer edge module to an IoT Edge device, by default it runs with elevated privileges. You can check this using the logs from the module (sudo iotedge logs {name-of-module}), which would show:
!! production readiness: user accounts – Warning
LOCAL_USER_ID and LOCAL_GROUP_ID environment variables are not set. The program will run as root!
For optimum security, make sure to set LOCAL_USER_ID and LOCAL_GROUP_ID environment variables to a non-root user and group.
The sections below discuss how you can address the above warning.
Create and use a local user account
You can and should run the Video Analyzer edge module in production using an account with as few privileges as possible. The following commands, for example, show how you can create a local user account on a Linux VM:
sudo groupadd -g 1010 localedgegroup
sudo useradd --home-dir /home/localedgeuser --uid 1010 --gid 1010 localedgeuser
Next, in the deployment manifest, you can set the LOCAL_USER_ID and LOCAL_GROUP_ID environment variables to that non-root user and group:
"avaedge": {
    "version": "1.0",
    …
    "env": {
        "LOCAL_USER_ID": {
            "value": "1010"
        },
        "LOCAL_GROUP_ID": {
            "value": "1010"
        }
    }
},
…
Grant permissions to device storage
The Video Analyzer edge module requires the ability to write files to the local file system when:
- Using a module twin property applicationDataDirectory, where you should specify a directory on the local file system for storing configuration data.
- Using a pipeline to record video to the cloud, the module requires the use of a directory on the edge device as a cache (see Continuous video recording article for more information).
- Recording to a local file, where you specify a file path for the recorded video.
If you intend to make use of any of the above, you should ensure that the above user account has access to the relevant directory. Consider applicationDataDirectory for example. You can create a directory on the edge device and link device storage to module storage.
sudo mkdir /var/lib/videoanalyzer
sudo chown -R localedgeuser:localedgegroup /var/lib/videoanalyzer
Next, in the create options for the edge module in the deployment manifest, you can add a binds setting mapping the directory ("/var/lib/videoanalyzer") above to a directory in the module (such as "/var/lib/videoanalyzer"). You would then use the latter directory as the value for applicationDataDirectory.
"modules": {
    "avaedge": {
        "version": "1.1",
        "type": "docker",
        "status": "running",
        "restartPolicy": "always",
        "settings": {
            "image": "mcr.microsoft.com/media/video-analyzer:1",
            "createOptions": "{ \"HostConfig\": { \"LogConfig\": { \"Type\": \"\", \"Config\": { \"max-size\": \"10m\", \"max-file\": \"10\" } }, \"Binds\": [ \"/var/media/:/var/media/\", \"/var/lib/videoanalyzer/:/var/lib/videoanalyzer\" ], \"IpcMode\": \"host\", \"ShmSize\": 1536870912 } }"
        },
        "env": {
            "LOCAL_USER_ID": {
                "value": "1010"
            },
            "LOCAL_GROUP_ID": {
                "value": "1010"
            }
        }
    },
    …
},
…
"avaedge": {
    "properties.desired": {
        "applicationDataDirectory": "/var/lib/videoanalyzer",
        "ProvisioningToken": "{your-token}",
        "diagnosticsEventsOutputName": "diagnostics",
        "operationalEventsOutputName": "operational",
        "logLevel": "information",
        "LogCategories": "Application,Events",
        "allowUnsecuredEndpoints": false,
        "telemetryOptOut": false
    }
}
If you look at the sample pipelines for the quickstart, and tutorials such as continuous video recording, you will note that the media cache directory (localMediaCachePath) uses a subdirectory under applicationDataDirectory. This is the recommended approach, since the cache contains transient data.
Also note that allowUnsecuredEndpoints is set to false, as recommended for production environments where you will use TLS encryption to secure traffic.
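An added example, not part of the original article or of Video Analyzer itself: a small Python check that audits a module definition and its desired twin properties for the settings discussed above (non-root LOCAL_USER_ID and LOCAL_GROUP_ID, a bind mount covering applicationDataDirectory, and allowUnsecuredEndpoints set to false). The function name audit_module and the sample dictionaries are assumptions, constructed from the manifest fragments shown in this article.

```python
import json

def audit_module(module, twin_desired):
    """Return findings for one module definition and its desired twin properties."""
    findings = []
    env = module.get("env", {})
    for var in ("LOCAL_USER_ID", "LOCAL_GROUP_ID"):
        value = str(env.get(var, {}).get("value", "")).strip()
        if not value.isdigit():
            findings.append(f"{var} is not set to a numeric id")
        elif int(value) == 0:
            findings.append(f"{var} is 0 (root)")
    # createOptions is a JSON document serialized into a string.
    options = json.loads(module.get("settings", {}).get("createOptions") or "{}")
    binds = options.get("HostConfig", {}).get("Binds", [])
    # Container-side path of each "host:container[:mode]" bind.
    targets = [b.split(":")[1].rstrip("/") for b in binds if ":" in b]
    app_dir = (twin_desired.get("applicationDataDirectory") or "").rstrip("/")
    if not app_dir:
        findings.append("applicationDataDirectory is not set")
    elif not any(app_dir == t or app_dir.startswith(t + "/") for t in targets):
        findings.append(f"{app_dir} is not covered by a bind mount")
    # Anything other than an explicit false is reported.
    if twin_desired.get("allowUnsecuredEndpoints") is not False:
        findings.append("allowUnsecuredEndpoints is not false")
    return findings

# Constructed sample input, modeled on the manifest fragments in this article.
CREATE_OPTIONS = json.dumps({"HostConfig": {"Binds": [
    "/var/media/:/var/media/",
    "/var/lib/videoanalyzer/:/var/lib/videoanalyzer",
]}})
HARDENED = (
    {"settings": {"createOptions": CREATE_OPTIONS},
     "env": {"LOCAL_USER_ID": {"value": "1010"}, "LOCAL_GROUP_ID": {"value": "1010"}}},
    {"applicationDataDirectory": "/var/lib/videoanalyzer", "allowUnsecuredEndpoints": False},
)
# Constructed weak variant: no env block, no bind for the data directory,
# unsecured endpoints allowed.
WEAK = (
    {"settings": {"createOptions": json.dumps(
        {"HostConfig": {"Binds": ["/var/media/:/var/media/"]}})}},
    {"applicationDataDirectory": "/var/lib/videoanalyzer", "allowUnsecuredEndpoints": True},
)

if __name__ == "__main__":
    for name, (module, twin) in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_module(module, twin) or "no findings")
```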
Tips about maintaining your edge device
The tips below are not an exhaustive list but should help with commonly known issues we have encountered.
The Linux VM that you are using as an IoT Edge device can become unresponsive if it is not managed on a periodic basis. It is essential to keep the caches clean, eliminate unnecessary packages, and remove unused containers from the VM. The following is a set of recommended commands that you can use on your edge VM.
sudo apt-get clean
The apt-get clean command clears the local repository of retrieved package files that are left in /var/cache. The directories it cleans out are /var/cache/apt/archives/ and /var/cache/apt/archives/partial/. The only files it leaves in /var/cache/apt/archives are the lock file and the partial subdirectory. The apt-get clean command is generally used to clear disk space as needed, typically as part of regularly scheduled maintenance. For more information, see Cleaning up with apt-get.
sudo apt-get autoclean
The apt-get autoclean option, like apt-get clean, clears the local repository of retrieved package files, but it only removes files that can no longer be downloaded and are not useful. It helps to keep your cache from growing too large.
sudo apt-get autoremove
The autoremove option removes packages that were automatically installed because some other package required them but that, with those other packages removed, are no longer needed.
sudo docker image ls
Provides a list of Docker images on your edge system.
sudo docker system prune
Docker takes a conservative approach to cleaning up unused objects (often referred to as “garbage collection”), such as images, containers, volumes, and networks: these objects are generally not removed unless you explicitly ask Docker to do so. This can cause Docker to use extra disk space. For each type of object, Docker provides a prune command. In addition, you can use docker system prune to clean up multiple types of objects at once. For more information, see Prune unused Docker objects.
sudo docker rmi REPOSITORY:TAG
As updates happen on the edge module, older versions of the edge module image can remain present in Docker on the device. In such a case, it is advisable to use the docker rmi command to remove specific images identified by the image version tag.