Documentation
Development BoardsTutorialsCommunity

Deploy Applications

Deploy Applications

ALPON X4 · ALPON X5 AI · Sixfab Connect · Container Deployment

Deploy and manage containerized workloads on ALPON edge AI computers from the Sixfab Connect platform. This guide covers two deployment paths (Docker Hub and the private Sixfab Container Registry), container access, lifecycle management, log streaming, and CI/CD patterns for production fleets.

How do I deploy an application to ALPON?

ALPON X4 and ALPON X5 AI run application workloads as Docker containers managed from the Sixfab Connect platform. Open the device's Applications tab, click + Deploy, then either pull an ARM64-compatible image from Docker Hub by typing its path (e.g. nginx:latest) or select a custom image you have pushed to your private Sixfab Container Registry at cr.sixfab.io. Configure ports in the 30000-32767 range, environment variables, and volumes, then deploy. The container starts on the device within seconds.

ARM64 Architecture

ALPON devices are built on ARM64. Every container image deployed must include a linux/arm64 variant. Most official images on Docker Hub (nginx, redis, postgres, node) ship multi-arch manifests with ARM64 included. Custom images must be built with docker buildx build --platform linux/arm64.

01Overview 02Deployment Methods 03Docker Hub Deploy 04Sixfab Container Registry 05Configuration Reference 06Access the Container 07Manage & Lifecycle 08Logs & Debugging 09CI/CD Integration 10Troubleshooting

Overview

ALPON treats every workload as an isolated Docker container. The runtime is preinstalled on the device and authenticated against the Sixfab Container Registry out of the box, so deployment is a one-click operation from the cloud dashboard. There is no SSH-based provisioning, no manual docker pull, and no per-device credential management.

What you can deploy

Web services
nginx, Caddy, Node.js APIs, dashboards, Grafana, n8n.
Edge AI workloads
Computer vision pipelines, ONNX/Hailo runtimes on ALPON X5 AI, on-device inference.
Data & messaging
MQTT brokers, Redis, PostgreSQL, time-series databases, message queues.
IoT gateways
Custom AI gateway applications, protocol bridges, BLE/Modbus/OPC-UA collectors.

How deployment works

Every ALPON device opens a persistent connection to the Sixfab Connect control plane. When a deploy is triggered from the dashboard, the platform sends a structured manifest to the device, which then pulls the image, applies port and volume mappings, and starts the container. Status is streamed back to the cloud in real time.

  • No SSH or VPN required for deployment. The device pulls images over its existing outbound TLS connection.
  • Tenant-isolated. Each device pulls only from its owner's repositories and from official Sixfab images.
  • Lifecycle from the cloud. Start, pause, restart, edit, delete, and stream logs without ever touching the device.
  • Multiple containers per device. Run as many workloads as the device's CPU, RAM, and storage allow.

Deployment Methods

ALPON supports two image sources. Both deploy through the same Applications tab on Connect; the difference is where the image lives.

Fastest path
Method 1
Docker Hub

Pull any ARM64-compatible public image directly from Docker Hub. Best for off-the-shelf services like nginx, redis, postgres, or Grafana when you do not need to ship custom code.

  • No build pipeline needed
  • Type the image path and deploy
  • Subject to Docker Hub rate limits
Recommended for production
Method 2
Sixfab Container Registry

Build, push, and deploy your own custom images from the private registry at cr.sixfab.io. Required for proprietary code, custom AI models, fleet-specific configurations, or any production deployment.

  • Private, tenant-isolated storage
  • Devices auto-authenticate, no Docker login per device
  • 10 GB / 100 tags default quota

Deploying from Docker Hub

The fastest way to run a container on ALPON. The example below deploys nginx; the same flow applies to any ARM64-compatible image.

1
Open the Applications tab

Log in to connect.sixfab.com, open Assets, select your registered ALPON device, then switch to the Applications tab. Click + Deploy to open the configuration panel.

2
Configure the container

Fill in the deployment form. The minimum required fields are Container Name, Image, and at least one Port mapping if the container exposes a service.

Container deployment configuration form on Sixfab Connect Click to enlarge
Deployment form on the Applications tab in Sixfab Connect
Port and environment variable configuration Click to enlarge
Ports and Environment variable fields
Volume and network configuration Click to enlarge
Volumes, Host Network, and Privileged toggles
  • Container Name: a descriptive identifier (e.g. my-nginx).
  • Image: check "I would like to use my own container path" and enter the Docker Hub image, e.g. nginx:latest or redis:7-alpine.
  • Ports: map device ports to container ports (e.g. host 30800 → container 80). Host ports must be in 30000-32767.
  • Environment, Volumes, Host Network, Privileged: see Configuration Reference for full semantics.
3
Deploy

Review the form and click + Deploy. The device pulls the image and starts the container; status flips to Running in the Applications list once the container is live.

Pre-deploy review screen Click to enlarge
Final review before deploy: confirm name, image, ports, and flags

Once deployed, the container appears in the Applications list with its status and resource usage.

Deployed container in Applications tab Click to enlarge
Running container shown on the Applications tab with status indicator
First pull may take a minute

Initial pulls over cellular links can be slow for large images. After the first pull the image is cached on the device; subsequent restarts are instant.

Sixfab Container Registry

The Sixfab Container Registry is a private system for securely storing and managing container images, hosted at cr.sixfab.io. Images are organized into repositories scoped to your account and pulled automatically by every ALPON device you own.

Registry overview

The Registry is accessible from Developer Tools → Registry in Sixfab Connect. It shows each repository with size, creation date, and quota usage.

Sixfab Container Registry overview page showing repositories, image quota, and storage quota Click to enlarge
Container Registry page: repository list with image quota (6/100) and storage quota (2.38 GB / 10 GB)
Default quotas

Each account has 10 GB total storage and 100 image tags. Pushes that exceed either limit are rejected. Contact Sixfab engineering to request a quota increase.

Push an image to the Registry

Run the following commands on your build machine (laptop, server, or CI runner) to push a local image to your registry namespace.

1
Set your registry password

Open Sixfab Registry in Connect. Your username is the 6-digit number visible at the top of the Registry page.

Registry username location at the top of the Registry page Click to enlarge
Your 6-digit registry username appears in the breadcrumb at the top of the Registry page

Click Reset Password on the Registry page. The password is shown once; copy and store it in a secrets manager.

Reset Password button on the Registry page Click to enlarge
Reset Password issues a new credential. The previous password is invalidated.
Save the password immediately

Registry credentials are independent from your Sixfab Connect account login. If lost, the only recovery is to issue a new password via Reset Password, which invalidates the previous one.

2
Log in to the registry

Authenticate Docker against cr.sixfab.io. Replace 719663 with your own 6-digit registry username.

bash
# Authenticate Docker to the Sixfab Container Registry
docker login cr.sixfab.io --username 719663
# Password: paste the registry password (input is hidden)
3
Build for ARM64

Build the image with Docker Buildx, targeting linux/arm64. The --load flag makes the resulting image available locally so you can tag and push it.

bash
# From the directory containing your Dockerfile
docker buildx build --load --platform linux/arm64   -t my-app:latest .
If you are on Windows or macOS with Docker Desktop, Buildx is preinstalled. On Linux, verify with docker buildx version.
4
Tag the image with the registry path

Tag the image so Docker knows where to push it. The path format is cr.sixfab.io/[username]/[image]:[tag].

bash
docker tag my-app:latest cr.sixfab.io/719663/my-app:latest
5
Push the image

Upload the image to your private repository. Layer caching means subsequent pushes only transfer changed layers.

bash
docker push cr.sixfab.io/719663/my-app:latest
Expected output OK 
The push refers to repository [cr.sixfab.io/719663/my-app]
2aeab3830f8e: Pushed
571fd9f78ac9: Pushed
latest: digest: sha256:2aeab3830f8eaf2775fd599fda6a516a95c1480239ba5e64a632a68c1f3bd53d
size: 29.31 MB
6
Verify in the Registry

Refresh the Registry page on Connect. The new image appears in the repository list with size, creation date, and last-update timestamp.

Image listed in Sixfab Container Registry after a successful push Click to enlarge
Pushed image visible in the Registry with size, creation date, and last-update timestamp

Click Details on a repository to inspect its tags, digests, and per-tag usage.

Tag details view showing image size, digest, and creation date Click to enlarge
Tag-level view: each tag shows size, digest, and "See Usage" to find which devices are running it

Drill into a tag to view the full manifest, architecture, and runtime Config (entrypoint, command, working directory, exposed ports).

Full image manifest with architecture, OS, config, and layer digests Click to enlarge
Manifest view: architecture (arm64), OS (linux), runtime config, and layer-level breakdown
7
Deploy from the Registry

Open the device's Applications tab and click + Deploy. In the Image field, leave the custom-path checkbox unchecked to pick from your registry dropdown. Select the image and tag, configure ports and environment, then deploy.

Selecting an image from the Sixfab Registry dropdown in the deploy form Click to enlarge
The Image dropdown lists every tag pushed to your registry namespace

Pick a port within 30000-32767 (e.g. 30900 if 30800 is already in use), review the configuration, and click + Deploy.

Deploy configuration review screen for a custom image from the Sixfab Registry Click to enlarge
Final review screen before launching a custom image deployment
Devices auto-authenticate

You do not need to run docker login on the ALPON device. Every ALPON is preconfigured with credentials scoped to its owner's registry namespace plus official Sixfab images. Cross-tenant pulls are rejected at the registry layer.

Configuration Reference

Every field exposed in the deployment form, with semantics and constraints.

Container Name Required
A descriptive identifier for the workload. Must be unique on the device. Use lowercase, hyphens, and digits (e.g. my-nginx, vision-pipeline-v2).
Image Required
Either the registry path (e.g. cr.sixfab.io/719663/my-app:latest) when picking from the dropdown, or a Docker Hub path (e.g. nginx:latest) when "I would like to use my own container path" is checked. Always ARM64.
Ports Optional
Maps device (host) ports to container ports. Host port range: 30000-32767. Each host port can be used by only one container at a time. Container ports are unrestricted (e.g. host 30800 → container 80).
Environment Optional
Key/value pairs injected into the container at runtime. Use this for runtime config and secrets (e.g. DATABASE_URL=postgres://..., API_KEY=...). Values are encrypted in transit and at rest on the platform.
Volumes Optional
Bind-mounts a directory or file from the device filesystem into the container for persistent storage. Container writes survive restart and redeploy. Source path must exist on the device.
Host Network Advanced
When enabled, the container shares the device's network stack directly (no port mapping needed). Useful for protocols requiring low-level network access (mDNS, broadcast, custom L2). Disables port isolation.
Privileged Advanced
Grants the container root-equivalent access to all host devices and kernel capabilities. Required for some hardware integrations (GPIO, /dev access). Significant security risk; enable only when necessary.

Port range explained

ALPON exposes container services on host ports in the 30000-32767 range. This range is firewalled to allow inbound traffic from the local network and from Sixfab Connect's remote access tunnels. Ports outside this range are reserved for the operating system, the Sixfab agent, and cellular telemetry.

Access the Container

Once a container is running, there are three ways to reach it depending on your network position relative to the device.

Local Network
Browse to the device IP from any machine on the same LAN. Fastest, lowest latency.
Remote Terminal
Connect's browser-based terminal tunnels through the device's outbound TLS connection. Works from anywhere.
Connected Display
Plug a monitor into the device's HDMI/DisplayPort and open a browser locally. Useful for kiosk and signage workloads.

Access from the local network

Find the device's IP on the Network tab of the Asset Detail page, then open a browser on any machine in the same network.

Device IP address visible on the Network tab of the platform Click to enlarge
Device IP shown on the Network tab. Copy it into your browser's URL bar
browser
# Replace [DEVICE_IP] with the value from the Network tab
http://[DEVICE_IP]:30800
nginx welcome page accessed via local network Click to enlarge
nginx welcome page served from the ALPON device confirms the deployment is reachable

Access via the remote terminal

If the device is offsite or behind NAT, open the Device tab and click Open Remote Terminal. The terminal session runs on the device itself, so 127.0.0.1 resolves to the device.

Open Remote Terminal button on the Device tab Click to enlarge
Remote terminal opens an in-browser shell tunneled through the Sixfab Connect control plane
remote-terminal
# Verify the container is reachable on the device itself
curl http://127.0.0.1:30800
# <!DOCTYPE html>
# <html>
# <head><title>Welcome to nginx!</title>...
curl output showing the container is running Click to enlarge
Successful curl response confirms the container is responding on the device's loopback interface

Access via a connected display

Connect a monitor to the device, open a browser locally, and navigate to http://127.0.0.1:30800. Suitable for digital signage, kiosk dashboards, and on-device debugging.

Manage & Lifecycle

Every running container exposes lifecycle controls in the Applications tab. Operations are issued from the cloud and applied on the device within seconds.

Container management panel with start, pause, restart, edit, delete, and terminal actions Click to enlarge
All lifecycle actions available per container in the Applications tab
Start / Run
Boot a stopped container without redeploying. The image is already cached.
Pause
Freeze the container's processes. State stays in memory; resume is instant.
Restart
Stop and immediately start the container. Useful after a config change or to clear runtime state.
Edit Deployment
Change image tag, ports, env, volumes, or flags. The container is recreated with the new spec.
Delete
Permanently remove the container. The image stays cached for fast redeployment.
Container Terminal
Open an interactive shell inside the running container directly from the dashboard.
View Status
Live CPU, memory, and network stats per container. Used to spot regressions and resource leaks.
Logs
Stream stdout/stderr live or download historical logs. See Logs & Debugging.

Updating to a new image version

Two patterns work, depending on how you tag releases:

  1. Mutable tag (:latest): push a new image with the same tag, then click Restart. The device pulls the new digest and recreates the container.
  2. Immutable tag (:v1.2.3): push a new tag, click Edit Deployment on the running container, change the image tag, and save. Recommended for production traceability.
Prefer immutable tags in production

Mutable tags like :latest make rollback impossible if a regression slips in. Tag every release with an immutable identifier (semver, git SHA, or build number) and update deployments explicitly.

Logs & Debugging

Containerized applications write to stdout and stderr; ALPON captures both streams and exposes them in the dashboard. For deeper inspection, use the in-container terminal.

Stream logs from the dashboard

On the Applications tab, click Logs next to the container. The view tails the last 1000 lines and streams new output in real time. Use it to confirm startup, watch request traffic, or catch crash loops.

Inspect a running container

Open the Container Terminal from the dashboard to drop into an interactive shell. The session uses the image's default shell (typically /bin/sh for Alpine, /bin/bash for Debian-based images).

container-terminal
# Inspect environment
env | grep -i DATABASE

# Tail application log files written inside the container
tail -f /var/log/app.log

# Check listening ports
netstat -tlnp 2>/dev/null || ss -tlnp

Use the device terminal for Docker-level operations

The container terminal runs inside the container. To inspect Docker itself (image cache, volumes, networks), open the Remote Terminal on the Device tab.

device-terminal
# List running containers on the device
docker ps

# Inspect a specific container's runtime config
docker inspect <container-name>

# View resource usage live
docker stats

CI/CD Integration

The Sixfab Container Registry is a standard OCI registry, so any CI system that can run Docker can build and push to it. Below is a complete GitHub Actions workflow that builds for ARM64 and pushes on every tagged release.

GitHub Actions: build & push to Sixfab Registry

Store the registry password in repository secrets as SIXFAB_REGISTRY_PASSWORD and your username as SIXFAB_REGISTRY_USERNAME.

.github/workflows/release.yml
name: Build and push to Sixfab Registry

on:
  push:
    tags: ['v*']

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Sixfab Registry
        uses: docker/login-action@v3
        with:
          registry: cr.sixfab.io
          username: ${{ secrets.SIXFAB_REGISTRY_USERNAME }}
          password: ${{ secrets.SIXFAB_REGISTRY_PASSWORD }}

      - name: Build and push (linux/arm64)
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/arm64
          push: true
          tags: |
            cr.sixfab.io/${{ secrets.SIXFAB_REGISTRY_USERNAME }}/my-app:${{ github.ref_name }}
            cr.sixfab.io/${{ secrets.SIXFAB_REGISTRY_USERNAME }}/my-app:latest

GitLab CI example

.gitlab-ci.yml
build_arm64:
  image: docker:24
  services: [docker:24-dind]
  variables:
    DOCKER_BUILDKIT: "1"
  before_script:
    - echo "$SIXFAB_REGISTRY_PASSWORD" | docker login cr.sixfab.io         -u "$SIXFAB_REGISTRY_USERNAME" --password-stdin
  script:
    - docker buildx create --use
    - docker buildx build --platform linux/arm64         -t cr.sixfab.io/$SIXFAB_REGISTRY_USERNAME/my-app:$CI_COMMIT_TAG         --push .

Triggering deployment from CI

Pushing a new tag does not automatically redeploy running containers. For automated rollout you have two choices:

  • Edit Deployment from the dashboard after CI publishes the new tag. Suitable for staged or manual rollouts.
  • Use mutable tags (:latest) plus the Restart action. CI overwrites :latest, then a separate step calls the Sixfab Connect API to restart the container, triggering a fresh pull. Sacrifices traceability for speed.

Troubleshooting

Common failure modes and their fixes.

Image fails to start with "exec format error"

Cause: the image was built for linux/amd64 instead of linux/arm64. ALPON cannot execute x86 binaries.

Fix: rebuild with docker buildx build --platform linux/arm64. Verify the resulting manifest with docker manifest inspect <image>; the architecture field must read arm64.

"unauthorized: authentication required" on push

Cause: the local Docker session is not authenticated against cr.sixfab.io, or the password has been reset since you last logged in.

Fix: run docker login cr.sixfab.io --username [your_username] and paste a current password. Use Reset Password on the Registry page if you have lost it.

Port already in use / cannot deploy on port 30800

Cause: another container on the device is bound to the same host port. Each host port can be used by only one container.

Fix: pick a different port within 30000-32767 (e.g. 30900), or stop/edit the conflicting container first.

Pull stuck or extremely slow over cellular

Cause: large images over cellular links (especially uncompressed AI model weights) can take many minutes per layer. The pull is not stuck; the Sixfab agent is throttled to avoid saturating the link.

Fix: minimize image size (multi-stage builds, .dockerignore, slim base images). For first-time provisioning of large images, attach the device to Wi-Fi or Ethernet temporarily; subsequent updates only transfer changed layers.

Quota exceeded on push (10 GB / 100 tags)

Cause: the registry account has hit the default quota.

Fix: delete unused tags or whole repositories from the Registry page. Images currently in use by a deployed device are protected and cannot be deleted; stop the deployment first. Contact Sixfab engineering to request a quota increase.

Container starts then exits immediately

Cause: the application crashed during startup or the entrypoint completed without keeping the process alive.

Fix: open Logs on the container to see the exit reason. Common cases: missing environment variable, invalid config file path, port already bound inside the container, missing volume source on the device. Fix and use Edit Deployment to relaunch.

Related guides

Platform reference
ALPON Cloud overview
Open in Connect
Sixfab Container Registry

Updated about 3 hours ago