Skip to main content

Air-Gapped Licensing

Introduction

Many customers want to monitor their video feeds in a completely secure environment where communication with the Internet is not allowed. This is common especially in physical security or other business critical scenarios where digital security is critical. To support this need, EyesOnIt offers an alternate licensing model with downloadable license files and local license validation. This solution requires a bit of additional configuration, but provides the air-gapped operations that some customers need.

Install Keygen Relay

Air-gapped licensing is provided with the support of the Keygen Relay server. The Relay server runs locally and validates licenses without any Internet communication. You can find details about Relay here, including installation instructions. This command will quickly install Relay on Linux operating systems:

sudo curl -sSL https://raw.pkg.keygen.sh/keygen/relay/latest/install.sh | sh

Manual installations are also available for Windows and Linux systems.

Starting Relay

To start the relay server, make sure you are logged in to an account with proper permissions. On Linux, make sure the executable has the proper permissions set so that you can execute it.

Note: for this documentation, we are assuming that your executable is simply named “relay” on Linux or “relay.exe” on Windows.

To start the relay server, run this command from a command line:

relay serve --port 6349 &

Note: EyesOnIt requires relay to run on port 6349

Adding a License to Relay

EyesOnIt will provide a license file to you that matches the terms of your purchase agreement. You will need to copy this file to your server.

Note: for this documentation we will assume that your license file is named “license.lic”.

To add a license to your Relay server, you will need the following:

  • Your license file – provided by EyesOnIt
  • Your license key – available on your account page
  • The EyesOnIt public encryption key. The value of this key is: 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec

To add a license to relay, run this command from a command line:

relay add --file license.lic  --public-key 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec --key <your license key>

If this command succeeds, you will see "license added successfully"

Other relay server commands are available from the Keygen Relay web page here.

EyesOnIt Configuration

Running EyesOnIt with air-gapped licensing requires a small amount of additional configuration. You will need to update the eyesonit_config.yml file before running EyesOnIt.

The eyesonit_config.yml file needs to be placed on your host server. You will map a Docker volume to the location of the file, so make sure to put the file in a location where you can map a volume.

Create eyesonit_config.yml with these two lines:

run_air_gapped: True
air_gapped_license_host: <IP address of server where Relay is running>

To use air-gapped licensing set run_air_gapped to True. This value is case-sensitive, so please make sure to follow the capitalization in the example.

You also need to set air_gapped_license_host to the IP address of the server where relay is running. Note that for the Docker version of EyesOnIt, this address needs to be the IP of the host or another server. If relay is running on the Docker host (the EyesOnIt container is running on the server that is also running relay), you won't be able to access relay through "localhost" since localhost refers to the container and not the host. In that case, try these options:

  • the IP address of the host
  • if your container is unable to resolve IP addresses due to network limitations:
    • on Linux or non-Docker Desktop environments: 127.17.0.1
    • on Docker Desktop environments: host.docker.internal

When you run the Docker version of EyesOnIt, your docker run command should look something like this:

docker run 
   --name "<container friendly name>" 
   -d     
   -p 8000:8000 
   --gpus all 
   --restart unless-stopped     
   -e EOI_LICENSE_KEY=<EyesOnIt license key> 
   -e EOI_AUTHORIZATION_TOKEN=<EyesOnIt auth token>
   -v <host path>:/home/eyesonit_user/input 
   -v eyesonit_output:/home/eyesonit_user/output
    "<eyesonit docker image name>"

where:

container friendly name - an optional friendly name for your container for your convenience

EyesOnIt auth token - your EyesOnIt auth token which you can see on your account page

-v <host path>:/home/eyesonit_user/input – maps that path <host path> on the Docker host to the path /home/eyesonit_user/input within the EyesOnIt Docker container. Replace <host path> with the location on your host where you want to store EyesOnIt input files. You will need to store eyesonit_config.yml at <host path>/config/eyesonit_config.yml. So if you use this in your Docker run command:

-v /home/eyesonit/input:/home/eyesonit_user/input

You should place eyesonit_config.yml on the host at

/home/eyesonit/input/config/eyesonit_config.yml

-v eyesonit_output:/home/eyesonit_user/output – an optional named Docker volume which allows you to see output from EyesOnIt in a Docker named volume. Use “docker inspect <container friendly name> | grep volume” to find the location of this volume on your host. eyesonit docker image name – the name of the EyesOnIt Docker image to run (something like eyesonit/eyesonit_v3.2:latest).

With this configuration and run command, EyesOnIt will load eyesonit_config.yml from the host and will use the relay server for air-gapped licensing.

License Verification

To verify that the license is configured properly, open a browser and navigate to http://<EyesOnIt Host IP>:8080/dashboard. You should see:

Server Status:Connected

License Status:Valid

If you do not see this, please check your configuration, or contact us at support@eyesonit.us for help.

Conclusion

As a final comment, please note that SMS alerts will be disabled when air-gapped licensing is active, because SMS alerts require an Internal connection. RTSP and VMS notifications can still be used, but customers should take care to configure EyesOnIt to use internal URLs for these notifications to ensure that EyesOnIt does not try to connect to the Internet.