simpler and more secure deployment in a container with an NCS stick (o…

…penvinotoolkit#1003) added udev rules to the image doc updates
ivikhrev · Nov 5, 2021 · 849bc4c · 849bc4c
1 parent fe4be89
commit 849bc4c
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 31 deletions.
diff --git a/DockerfileMakePackage b/DockerfileMakePackage
@@ -35,6 +35,7 @@ RUN mkdir -vp /ovms_release/lib/hddl/config
 RUN cp /ovms/metadata.json /ovms_release/
 RUN if [ "$ov_use_binary" == "0" ] ; then true ; else exit 0 ; fi ; cp -v /openvino/bin/intel64/Release/lib/plugins.xml /ovms_release/lib/
 RUN if [ "$ov_use_binary" == "1" ] ; then true ; else exit 0 ; fi ; cp -v /opt/intel/openvino/deployment_tools/inference_engine/external/hddl/config/* /ovms_release/lib/hddl/config/ || true
+RUN if [ "$ov_use_binary" == "1" ] ; then true ; else exit 0 ; fi ; cp -vr /opt/intel/openvino/deployment_tools/inference_engine/external/hddl/etc/* /ovms_release/lib/hddl/etc/ || true
 RUN if [ "$ov_use_binary" == "1" ] ; then true ; else exit 0 ; fi ; cp -v /opt/intel/openvino/deployment_tools/inference_engine/lib/intel64/plugins.xml /ovms_release/lib/ && cp /opt/intel/openvino/install_dependencies/* /ovms_release/deps/
 RUN if [ "$ov_use_binary" == "1" ] ; then true ; else exit 0 ; fi ; rm -vrf /ovms_release/deps/*-devel-*
 

diff --git a/docs/docker_container.md b/docs/docker_container.md
@@ -388,45 +388,23 @@ plugin](https://docs.openvinotoolkit.org/2021.4/openvino_docs_IE_DG_supported_pl
 
 The Intel® Movidius™ Neural Compute Stick must be visible and accessible on host machine. 
 
-Follow steps to update the udev rules if necessary</summary>
-</br>
-
-1. Create a file named `97-usbboot.rules` that includes the following content:
-
-```
-   SUBSYSTEM=="usb", ATTRS{idProduct}=="2150", ATTRS{idVendor}=="03e7", GROUP="users", MODE="0666", ENV{ID_MM_DEVICE_IGNORE}="1" 
-   SUBSYSTEM=="usb", ATTRS{idProduct}=="2485", ATTRS{idVendor}=="03e7", GROUP="users", MODE="0666", ENV{ID_MM_DEVICE_IGNORE}="1"
-   SUBSYSTEM=="usb", ATTRS{idProduct}=="f63b", ATTRS{idVendor}=="03e7", GROUP="users", MODE="0666", ENV{ID_MM_DEVICE_IGNORE}="1"
-```
-
-2. In the same directory execute these commands: 
-
-```
-   sudo cp 97-usbboot.rules /etc/udev/rules.d/
-   sudo udevadm control --reload-rules
-   sudo udevadm trigger
-   sudo ldconfig
-   rm 97-usbboot.rules
-```
 NCS devices should be reported by `lsusb` command, which should print out `ID 03e7:2485`.<br>
 
-</br>
 
 #### Start the server with an Intel® Movidius™ Neural Compute Stick
 
-To start server with Neural Compute Stick:
-
+To start server with Neural Compute Stick using one of the options below:
+1) More secure without docker privileged mode and mounting only the usb devices:
+```
+docker run --rm -it -u 0 --device-cgroup-rule='c 189:* rmw' -v /opt/model:/opt/model -v /dev/bus/usb:/dev/bus/usb -p 9001:9001 openvino/model_server \
+--model_path /opt/model --model_name my_model --port 9001 --target_device MYRIAD
+```
+2) less secure in docker privileged mode wth mounted all devices:
 ```
 docker run --rm -it --net=host -u root --privileged -v /opt/model:/opt/model -v /dev:/dev -p 9001:9001 openvino/model_server \
 --model_path /opt/model --model_name my_model --port 9001 --target_device MYRIAD
 ```
 
-`--net=host` and `--privileged` parameters are required for USB connection to work properly. 
-
-`-v /dev:/dev` mounts USB drives.
-
-A single stick can handle one model at a time. If there are multiple sticks plugged in, OpenVINO Toolkit 
-chooses to which one the model is loaded. 
 </details>
 
 <details><summary>Starting docker container with HDDL</summary>

diff --git a/release_files/Dockerfile.ubuntu b/release_files/Dockerfile.ubuntu
@@ -112,8 +112,10 @@ RUN	set -e ; \
         groupadd --gid 5000 ovms ; \
         useradd --home-dir /home/ovms --create-home --uid 5000 --gid 5000 --groups 39,44 --shell /bin/bash --skel /dev/null ovms
 
-COPY --from=base_build /usr/local/lib/ /ovms/lib/
 RUN apt-get update && apt-get install -y --no-install-recommends libxml2 && rm -rf /var/lib/apt/lists/* && rm -rf /tmp/*
+COPY --from=base_build /usr/local/lib/ /ovms/lib/
+COPY --from=base_build /ovms /ovms
+
 # for HDDL
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
@@ -126,8 +128,9 @@ RUN apt-get update && \
         libboost-atomic1.71.0 \
         libjson-c4 && \
     rm -rf /var/lib/apt/lists/* && rm -rf /tmp/*
+# for NCS
+RUN mkdir -p /etc/udev/rules.d/ && cp /ovms/lib/hddl/etc/rules.d/97-myriad-usbboot.rules /etc/udev/rules.d/ && ldconfig
 
-COPY --from=base_build /ovms /ovms
 RUN echo "The source code of added GPL components is stored in https://storage.openvinotoolkit.org/repositories/openvino/ci_dependencies/container_gpl_sources/ubuntu20/" > /ovms/thirdparty-licenses/GPL.txt
 USER ovms
 ENTRYPOINT ["/ovms/bin/ovms"]