Production readiness and best practices

This article provides guidance on how to configure and deploy the Live Video Analytics on IoT Edge module in production environments. You should also review the article Prepare to deploy your IoT Edge solution in production when preparing your IoT Edge solution.

Note

You should consult your organization's IT department on aspects related to security.

Running the module as a local user

When you deploy the Live Video Analytics on IoT Edge module to an edge device, by default it runs with elevated privileges. If you check the module's logs in this state (sudo iotedge logs {name-of-module}), you will see the following:

!! production readiness: user accounts – Warning
       LOCAL_USER_ID and LOCAL_GROUP_ID environment variables are not set. The program will run as root!
       For optimum security, make sure to set LOCAL_USER_ID and LOCAL_GROUP_ID environment variables to a non-root user and group.
       See https://docs.azure.cn/media-services/live-video-analytics-edge/production-readiness for more information.

The sections below discuss how you can address the above warning.

Creating and using a local user account

You can and should run the Live Video Analytics on IoT Edge module in production using an account with as few privileges as possible. The following commands, for example, show how you can create a local user account on a Linux VM:

# create a group with a fixed GID, then a user with a fixed UID in that group
sudo groupadd -g 1010 localuser
sudo adduser --home /home/edgeuser --uid 1010 --gid 1010 edgeuser

Next, in the deployment manifest, set the LOCAL_USER_ID and LOCAL_GROUP_ID environment variables to that non-root user and group:

"lvaEdge": {
    "version": "1.0",
    …
    "env": {
        "LOCAL_USER_ID": {
            "value": "1010"
        },
        "LOCAL_GROUP_ID": {
            "value": "1010"
        }
    }
},
…

Granting permissions to device storage

The Live Video Analytics on IoT Edge module requires the ability to write files to the local file system when:

  • Using the module twin property applicationDataDirectory, where you specify a directory on the local file system for storing configuration data.
  • Using a media graph to record video to the cloud, where the module requires a directory on the edge device as a cache (see the Continuous video recording article for more information).
  • Recording to a local file, where you specify a file path for the recorded video.

If you intend to make use of any of the above, ensure that the user account created above has access to the relevant directory. Consider applicationDataDirectory, for example. You can create a directory on the edge device and link device storage to module storage:

sudo mkdir /var/local/mediaservices
sudo chown -R edgeuser /var/local/mediaservices

Next, in the create options for the edge module in the deployment manifest, add a Binds setting mapping the directory created above ("/var/local/mediaservices/") to a directory in the module (such as "/var/lib/azuremediaservices/"), and use the latter directory as the value for applicationDataDirectory:

"lvaEdge": {
    "version": "1.0",
    "type": "docker",
    "status": "running",
    "restartPolicy": "always",
    "settings": {
        "image": "mcr.microsoft.com/media/live-video-analytics:1.0",
        "createOptions": "{\"HostConfig\":{\"LogConfig\":{\"Type\":\"\",\"Config\":{\"max-size\":\"10m\",\"max-file\":\"10\"}},\"Binds\":[\"/var/local/mediaservices/:/var/lib/azuremediaservices/\"]}}"
    },
    "env": {
        "LOCAL_USER_ID": {
            "value": "1010"
        },
        "LOCAL_GROUP_ID": {
            "value": "1010"
        }
    }
},
…

"lvaEdge": {
    "properties.desired": {
        "applicationDataDirectory": "/var/lib/azuremediaservices",
        …
    }
}

If you look at the sample media graphs for the quickstart and tutorials, such as continuous video recording, you will note that the media cache directory (localMediaCachePath) uses a subdirectory under applicationDataDirectory. This is the recommended approach, since the cache contains transient data.
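The script below is an added example, not part of this article or the module's own tooling. It turns the two points above into a check you can run against a deployment manifest before pushing it: that LOCAL_USER_ID and LOCAL_GROUP_ID are set to a non-root id (so the root warning from the log never appears), and that applicationDataDirectory from the module twin lies inside a host Binds mapping in createOptions. The manifest it inspects is constructed here from the snippets in this article (module name lvaEdge, image tag, paths); the rules themselves are this example's, not a published Azure check.

```python
import copy
import json
import posixpath

# Constructed deployment-manifest fragment, assembled from this article's snippets.
# Only the parts the checks below read are included.
SAMPLE_MANIFEST = {
    "modulesContent": {
        "$edgeAgent": {
            "properties.desired": {
                "modules": {
                    "lvaEdge": {
                        "version": "1.0",
                        "type": "docker",
                        "status": "running",
                        "restartPolicy": "always",
                        "settings": {
                            "image": "mcr.microsoft.com/media/live-video-analytics:1.0",
                            # createOptions is a JSON string inside the manifest, as on the page.
                            "createOptions": json.dumps({"HostConfig": {"Binds": [
                                "/var/local/mediaservices/:/var/lib/azuremediaservices/"]}}),
                        },
                        "env": {
                            "LOCAL_USER_ID": {"value": "1010"},
                            "LOCAL_GROUP_ID": {"value": "1010"},
                        },
                    }
                }
            }
        },
        "lvaEdge": {
            "properties.desired": {"applicationDataDirectory": "/var/lib/azuremediaservices"}
        },
    }
}


def _is_under(path, parent):
    """True if path equals parent or lies below it (POSIX paths, trailing slashes ignored)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def check_manifest(manifest, module_name="lvaEdge"):
    """Return a list of production-readiness findings; an empty list means the checks passed."""
    findings = []
    modules = manifest["modulesContent"]["$edgeAgent"]["properties.desired"]["modules"]
    module = modules.get(module_name)
    if module is None:
        return [f"module {module_name!r} is not listed under $edgeAgent"]

    # 1. Non-root user and group, so the module does not start as root.
    env = module.get("env", {})
    for var in ("LOCAL_USER_ID", "LOCAL_GROUP_ID"):
        value = env.get(var, {}).get("value")
        if value is None:
            findings.append(f"{var} is not set: the module will run as root")
        elif not str(value).isdigit() or int(value) == 0:
            findings.append(f"{var}={value!r} is root or not a numeric id")

    # 2. createOptions may be a JSON string (as on the page) or an already-parsed object.
    raw = module.get("settings", {}).get("createOptions", "{}")
    try:
        create_options = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        findings.append("createOptions is not valid JSON")
        create_options = {}
    container_dirs = []
    for bind in create_options.get("HostConfig", {}).get("Binds", []):
        parts = bind.split(":")
        if len(parts) < 2 or not parts[0].startswith("/") or not parts[1].startswith("/"):
            findings.append(f"bind {bind!r} is not of the form /host/dir:/container/dir")
            continue
        container_dirs.append(parts[1])

    # 3. applicationDataDirectory must be backed by one of those binds; otherwise the
    #    module's configuration data is lost whenever the container is recreated.
    twin = manifest["modulesContent"].get(module_name, {}).get("properties.desired", {})
    app_dir = twin.get("applicationDataDirectory")
    if app_dir is None:
        findings.append("applicationDataDirectory is not set in the module twin")
    elif not any(_is_under(app_dir, d) for d in container_dirs):
        findings.append(f"applicationDataDirectory {app_dir!r} is not inside any Binds target")
    return findings


def root_variant(manifest):
    """Constructed 'before' manifest: env removed and no binds, i.e. the default deployment."""
    bad = copy.deepcopy(manifest)
    module = bad["modulesContent"]["$edgeAgent"]["properties.desired"]["modules"]["lvaEdge"]
    module.pop("env")
    module["settings"]["createOptions"] = "{}"
    return bad


if __name__ == "__main__":
    for label, m in (("hardened", SAMPLE_MANIFEST), ("default", root_variant(SAMPLE_MANIFEST))):
        print(label, check_manifest(m) or "OK")
```

Run it against your own manifest by loading the JSON file into `check_manifest`; the hardened sample returns no findings, while the default-style variant reports the missing user and group ids and the unbacked data directory.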

Naming video assets or files

Media graphs allow for the creation of assets in the cloud or mp4 files on the edge. Media assets can be generated by continuous video recording or by event-based video recording. While these assets and files can be named as you want, the recommended naming structure for media assets from continuous video recording is "<anytext>-${System.GraphTopologyName}-${System.GraphInstanceName}". As an example, you can set the assetNamePattern on the asset sink as follows:

"assetNamePattern": "sampleAsset-${System.GraphTopologyName}-${System.GraphInstanceName}"

For assets generated by event-based video recording, the recommended naming pattern is "<anytext>-${System.DateTime}". The system variable ensures that assets do not get overwritten if events happen at the same time. As an example, you can set the assetNamePattern on the asset sink as follows:

"assetNamePattern": "sampleAssetFromEVR-LVAEdge-${System.DateTime}"

If you are running multiple instances of the same graph, you can use the graph topology name and instance name to differentiate them. As an example, you can set the assetNamePattern on the asset sink as follows:

"assetNamePattern": "sampleAssetFromEVR-${System.GraphTopologyName}-${System.GraphInstanceName}-${System.DateTime}"

For mp4 video clips generated on the edge by event-based video recording, the recommended naming pattern should include DateTime, and for multiple instances of the same graph it should also include the system variables GraphTopologyName and GraphInstanceName. As an example, you can set filePathPattern on the file sink as follows:

"filePathPattern": "/var/media/sampleFilesFromEVR-${fileSinkOutputName}-${System.DateTime}"

or

"filePathPattern": "/var/media/sampleFilesFromEVR-${fileSinkOutputName}-${System.GraphTopologyName}-${System.GraphInstanceName}-${System.DateTime}"
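As an added example (not from this article or the LVA module), the script below expresses the naming guidance in this section as a check on assetNamePattern and filePathPattern strings, and shows why the variables matter: it expands a pattern against two constructed contexts (two instances of one topology raising an event at the same instant) and counts the resulting name collisions. The ${...} variable syntax follows the patterns on this page; the timestamp value and the graph and instance names are constructed, and no assumption is made about the real format the module uses for System.DateTime.

```python
import re

# Variable reference syntax used by the page's patterns: ${System.GraphTopologyName} etc.
VAR_RE = re.compile(r"\$\{([^}]+)\}")

# Variables the article recommends per recording type.
RECOMMENDED = {
    "continuous": {"System.GraphTopologyName", "System.GraphInstanceName"},
    "event": {"System.DateTime"},
}
INSTANCE_VARS = ("System.GraphTopologyName", "System.GraphInstanceName")

# Constructed contexts: two instances of one topology, both raising an event at the
# same instant. The timestamp format is a placeholder, not the module's real one.
SAME_INSTANT = "20210101T120000Z"
CONTEXTS = [
    {"System.GraphTopologyName": "EVRtoAssets", "System.GraphInstanceName": "cam1",
     "System.DateTime": SAME_INSTANT},
    {"System.GraphTopologyName": "EVRtoAssets", "System.GraphInstanceName": "cam2",
     "System.DateTime": SAME_INSTANT},
]


def variables_in(pattern):
    """Set of ${...} variable names referenced by a pattern."""
    return set(VAR_RE.findall(pattern))


def check_pattern(pattern, recording, multiple_instances=False):
    """Return warnings for an assetNamePattern or filePathPattern.

    recording is "continuous" or "event"; multiple_instances means several instances
    of the same graph topology write with this pattern.
    """
    warnings = []
    present = variables_in(pattern)
    for var in sorted(RECOMMENDED[recording] - present):
        warnings.append(f"missing ${{{var}}}, recommended for {recording} recording")
    if multiple_instances and recording == "event":
        for var in INSTANCE_VARS:
            if var not in present:
                warnings.append(f"missing ${{{var}}}: instances of the same graph would share names")
    # Stray spaces end up in the asset or file name; flag them.
    if re.search(r"\s", pattern):
        warnings.append("pattern contains whitespace")
    return warnings


def expand(pattern, values):
    """Substitute ${Name} with values[Name]; unknown variables are left untouched."""
    return VAR_RE.sub(lambda m: str(values.get(m.group(1), m.group(0))), pattern)


def collisions(pattern, contexts):
    """Number of contexts whose expanded name duplicates an earlier one."""
    names = [expand(pattern, c) for c in contexts]
    return len(names) - len(set(names))


if __name__ == "__main__":
    for p in ("sampleAssetFromEVR-LVAEdge-${System.DateTime}",
              "sampleAssetFromEVR-${System.GraphTopologyName}-${System.GraphInstanceName}-${System.DateTime}"):
        print(p, "collisions:", collisions(p, CONTEXTS),
              "warnings:", check_pattern(p, "event", multiple_instances=True))
```

With the constructed contexts, the DateTime-only pattern produces one collision (both instances raise an event at the same instant and would write the same asset name), while the pattern that also carries the topology and instance names produces none.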

Keeping your VM clean

The Linux VM that you are using as an edge device can become unresponsive if it is not managed on a periodic basis. It is essential to keep the caches clean, eliminate unnecessary packages, and remove unused containers from the VM as well. Here is a set of recommended commands you can use on your edge VM to do this.

  1. sudo apt-get clean

    The apt-get clean command clears the local repository of retrieved package files that are left in /var/cache. The directories it cleans out are /var/cache/apt/archives/ and /var/cache/apt/archives/partial/. The only files it leaves in /var/cache/apt/archives are the lock file and the partial subdirectory. The apt-get clean command is generally used to clear disk space as needed, usually as part of regularly scheduled maintenance. For more information, refer to Cleaning up with apt-get.

  2. sudo apt-get autoclean

    The apt-get autoclean option, like apt-get clean, clears the local repository of retrieved package files, but it only removes files that can no longer be downloaded and are not useful. It helps to keep your cache from growing too large.

  3. sudo apt-get autoremove

    The autoremove option removes packages that were automatically installed because some other package required them but, with those other packages removed, are no longer needed.

  4. sudo docker image ls

    Provides a list of Docker images on your edge system.

  5. sudo docker system prune

    Docker takes a conservative approach to cleaning up unused objects (often referred to as "garbage collection"), such as images, containers, volumes, and networks: these objects are generally not removed unless you explicitly ask Docker to do so. This can cause Docker to use extra disk space. For each type of object, Docker provides a prune command. In addition, you can use docker system prune to clean up multiple types of objects at once. For more information, refer to Prune unused Docker objects.

  6. sudo docker rmi REPOSITORY:TAG

    As updates happen on the edge module, your Docker host can still have older versions of the edge module's image present. In such a case, it is advisable to use the docker rmi command to remove specific images identified by the image version tag.

Next steps

Quickstart: Get started - Live Video Analytics on IoT Edge