This is the ACAP packaging of the Docker Engine to be run on Axis devices with container support.
The Docker ACAP requires a container capable device. You may check the compatibility of your device by running:
ssh root@<axis_device_ip> 'command -v containerd >/dev/null 2>&1 && echo Compatible with Docker ACAP || echo Not compatible with Docker ACAP'The recommended way to install this acap is to use the pre-built docker hub image:
docker run --rm axisecp/docker-acap:latest-<ARCH> <camera ip> <rootpasswd> installWhere <ARCH> is either "armv7hf" or "aarch64" depending on camera architecture.
It's also possible to build and use a locally built image. See the Building the Docker ACAP section for more information.
The Docker ACAP can be run either unsecured or in TLS mode. The Docker ACAP uses
TLS as default. Use the "Use TLS" dropdown in the web interface to switch
between the two different modes. It's also possible to toggle this option by
calling the parameter management API in VAPIX
(accessing this documentation requires creating a free account) and setting the
root.dockerdwrapper.UseTLS parameter to "yes" or "no".
Note that the dockerd service will be restarted every time TLS is activated or deactivated. Running the ACAP using TLS requires some additional setup, see TLS Setup. Running the ACAP without TLS requires no further setup.
TLS requires a few keys and certificates to work, which are listed in the
subsections below. For more information on how to generate these files, please
consult the official docker documentation.
Most of these keys and certificates need to be moved to the camera. There are multiple ways to
achieve this, for example by using scp to copy the files from a remote machine onto the camera.
This can be done by running the following command on the remote machine:
scp ca.pem server-cert.pem server-key.pem root@<axis_device_ip>:/usr/local/packages/dockerdwrapper/This certificate needs to be present in the dockerdwrapper package folder on the camera and be named "ca.perm". The full path of the file should be "/usr/local/packages/dockerdwrapper/ca.pem".
This certificate needs to be present in the dockerdwrapper package folder on the camera and be named "server-cert.perm". The full path of the file should be "/usr/local/packages/dockerdwrapper/server-cert.pem".
This key needs to be present in the dockerdwrapper package folder on the camera and be named "server-key.perm". The full path of the file should be "/usr/local/packages/dockerdwrapper/server-key.pem".
All the clients also need to have their own private keys. Each client also needs a certificate which has been authorized by the CA. These keys and certificates shall be used when running docker against the dockerd daemon on the camera. See below for an example:
docker --tlsverify \
--tlscacert=ca.pem \
--tlscert=cert.pem \
--tlskey=key.pem \
-H=<axis_device_ip>:2376 \
versionAn SD card might be necessary to run the Docker ACAP correctly. Docker
containers and docker images can be quite large, and putting them on an SD card
gives more freedom in how many and how large images can be stored. Switching
between storage on the SD card or internal storage is done by toggling the "SD
card support" dropdown in the web interface. It's also possible to toggle this
option by calling the parameter management API in
VAPIX (accessing this documentation
requires creating a free account) and setting the
root.dockerdwrapper.SDCardSupport parameter to "yes" or "no".
Toggling this setting will automatically restart the docker daemon using the specified storage. The default setting is to use the internal storage on the camera.
Note that dockerdwrapper requires that Unix permissions are supported by the file system. Examples of file systems which support this are ext4, ext3 and xfs. It might be necessary to reformat the SD card to one of these file systems, for example if the original file system of the SD card is vfat.
The Docker ACAP does not contain the docker client binary. This means that all calls need to be done from a separate machine. This can be achieved by using the -H flag when running the docker command.
The port used will change depending on if the Docker ACAP runs using TLS or not. The Docker ACAP will be reachable on port 2375 when running unsecured, and on port 2376 when running secured using TLS. Please read section Securing the Docker ACAP using TLS for more information. Below is an example of how to remotely run a docker command on a camera running the Docker ACAP in unsecured mode:
docker -H=<axis_device_ip>:2375 versionSee Client keys and certificates for an example of how to remotely run docker commands on a camera running a secured Docker ACAP using TLS.
./build.sh armv7hf./build.sh aarch64Installation can be done in two ways. Either by using the locally built docker image:
docker run --rm docker-acap:1.0 <camera ip> <rootpasswd> installOr by manually navigating to device GUI by browsing to the following page (replace <axis_device_ip> with the IP number of your Axis video device)
http://<axis_device_ip>/#settings/appsGo to your device web page above > Click on the tab App in the device GUI > Add (+) sign and browse to the newly built Docker_Daemon_1_1_0_.eap > Click Install > Run the application by enabling the Start switch.