experience of developing cloud service for video ...2015.secrus.org/2015/files/122_konovalov.pdf ·...
-
11th Central and Eastern European Software Engineering Conference in Russia - CEE-SECR 2015
October 22 - 24, Moscow
Andrey Konovalov
Experience of developing Cloud service for Video Surveillance
MERA Software Services
-
Starter
www.merasws.com
-
Agenda
Intro
Architecture and decomposition
Main problems solved
Communication barriers
Media processing
Public Cloudification
Cloud Recording
Access control and grouping
Integration
Video Analytics
Evolution, not revolution: lessons learned
-
Beginning: MERA Watch Initial Requirements
Public service, Consumer market, iOS first, integrated Camera
Amazon AWS, Integrate with existing Home Automation service
Functional:
Interact (HD! Intuitive! Secure! Everywhere! From any device! Minimal delay!)
Aware (Analyze this! Alert me! Pull the trigger!)
Back in time (Action! Stop! Cut! Everything! No tape waste!)
Numbers: 720p30, H264, 2 Mbps, 10K+ cams, 5 seconds
-
Architecture - layers
Media Plane
Control/Signaling Plane
Storage Plane
Presentation Plane
-
Architecture - players
Media Plane
IP camera/Soft Agent
Mobile/Desktop Client Web Client
Presentation Plane Control Plane
Video storage
Broker Web Portal
DB
Node
-
Architecture - make it Cloud ready
Media Plane
Cloud Storage
Presentation Plane Control Plane
Node 1 Node N
Broker DB Web Portal
IP camera/Soft Agent
Mobile/Desktop Client Web Client
-
Problems and Solutions
Communication barriers
-
Connectivity/Transport issues - Protocols Outer space
Service
IP camera
Mobile Client RTSP/RTP
SCP
REST API REST API
RTSP/RTP
HLS
Everywhere Everywhere and Intuitive
SCP (Smart Control Protocol): UDP, Duplex, ICE-style NAT traversal (STUN, TURN).
Because of integration!
iOS Smart TCP
bridges delay < 5 sec
FW Agent
RTSP server
-
Connectivity/Transport issues - Control Security
Problem: How to secure UDP control protocol?
DTLS: no support in the ICE libs (libnice, ice4j), Cloud side - complicated
Encrypt payload of packets: reinventing the wheel
Solution: HTTP, duplex, long-polling technique. Security: TLS
Cons? Yes, there are: some delay and server resources
Final? Web sockets? MQTT? Transport agnostic?
-
Media delivery
Problem: How to get media from Camera behind NAT/FW/
Push: HTTP push, RTP
Pull: HTTP live streaming
Solution: Mixed/Overlay: RTSP/RTP over TCP
NAT, FW, Proxy? - TCP bridge
Problem: Web client and real time media
Solution: WebRTC, RTMP
Conclusion: No silver bullet, fallback approach
-
Problems and Solutions
Media manipulations
-
Option 1 for media processing - Media Servers
Wowza Kurento Darwin Erlyvideo Flumotion
Googling Wowza Kurento Erlyvideo
Capabilities
Protocols Poor API
No Embedded Not complete coverage
Features required
Kurento License or Open Source
Do not use
Media Servers
Overall
Problem: what to use for the Media processing?
-
Option 2 for media processing - Media Frameworks
Googling Open Source
Stable
FFMPEG (no RTSP server)
Gstreamer
Target protocols
Gstreamer Ok
+ Codecs + NAT
and more
Matrix of Features
Gstreamer ~= Wowza
Performance
PoC Gstreamer is portable
Embedded
Gstreamer
iOS, Android
Mobile Gstreamer - Ok Trim
And the winner is ...
-
Sample streaming difficulties
Problem: One camera, several clients. Same protocols, different protocols
Easy for RTSP, HLS, RTMP but not for WebRTC
Solution: Gstreamer helped (tee elements/RTSP server).
Problem: Transcoding
Incoming: H264/G.711; Outgoing: VP8 or H264 (i.e. profile changed), audio - AAC
Solution: Gstreamer, dynamically attached transcoding
Problem: Security for WebRTC
DTLS-SRTP plugin from OpenWebRTC
-
Problems and solutions
Private Cloudification
-
Recording in Mera Watch in AWS
Media Core App
File system Video segment TS
Video segment
Video segment
Node Uploader
Boto Amazon
S3 Video segment
Video segment
Video segment
User/Camera/Time
Broker
Solution: Record in HLS (MPEG TS) format, varying segment length
Storage: Amazon S3
-
Private Storage problem and requirements
Problem: Substitute S3 to deploy in Private Cloud
Requirements: Usual Cloud Storage
Scalable, Robust: replication is a must have
Fast enough for video recording of N cameras streams
Regular hardware
Easy to integrate with
No PoC time for evaluation, so the decision was based on:
Features/API
Recommendations and feedback, open source Community design activity
-
Private Storage decision
Options considered
Distributed file system: GlusterFS, Ceph
Object storage: Ceph, OpenStack Swift, Sheepdog, riak-cloud-storage
Decision: Ceph
Why Ceph? (http://ceph.com/)
Ceph is open source and freely-available, and it always will be
All three types of storage: Object, Block and File System
Production ready
2Gis, Yahoo, Redhat Cloud storage selection http://www.theplatform.net/2015/04/16/inside-the-ceph-exascale-storage-at-yahoo/
S3 API for Object storage
-
Media Node
OSD 1
Private Storage typical Ceph configuration for Mera Watch
SSD
Monitor HDD
HDD
OSD 3 SSD
HDD
HDD
RadosGW
Uploader
OSD 2 SSD
HDD
HDD
Admin Node
Crush algo
Scale up: - add HDDs; - add OSD Nodes; - add clusters;
-
Access control and grouping
Service
Group
User
Admin User User
Group
Group
User
Group
Clips
Clips
Problems: Control permissions for users (1) and structure cameras (2)
Public service (Dropcam, Ivideon) hierarchy example
-
Private service example: Municipal VSaaS Schools
Service
Tenant: Dep. Of Education
School 1
Service Admin User
Org Admin
Classes
Interspaces Class 1A
School 2
Parent 1
School Admin Class 6B
Parent 2
School Guard Rooms
Room Math
Room English
-
Access Control and Grouping Access Control Decision details
Access Control
Many approaches (RBAC, ACL, ABAC, Domains, Rules)
Solution: Hybrid (Core RBAC + Attributes) but RBAC first
Roles
Assigned to Users and Groups (User can have several Roles)
Role contains a list of permissions made of actions on resources
Why do we need attributes?
Example: View in particular time (e.g. a parent views a camera in a particular class room in a particular lesson time)
Grouping
Main point: Groups are used to include both Devices and Users!
-
Access Control and Grouping Access Control Decision details
Frameworks
Apache Shiro http://shiro.apache.org/index.html
Complete security and permissions concept
Integrated with Spring
Spring Security
Looks complicated
Code wise
Need Role-Permissions evaluator procedures
isPermitted(resource, action, attributes)
getListofResourcesPermitted(action)
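One way to write the two evaluator procedures named above for the hybrid RBAC + attributes model, as an added example that is not code from the talk and does not use the Apache Shiro API. The data model, the ids, the `time` attribute and the sample school data are assumptions; groups hold both users and devices, devices never inherit roles, and a missing attribute fails closed.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass(frozen=True)
class Permission:
    action: str                     # e.g. "view", "playback"
    resource: str                   # a device id or a group name
    window: Optional[tuple] = None  # attribute constraint (start, end); None = any time

@dataclass
class Policy:
    devices: set   # all camera ids
    members: dict  # group name -> ids of users AND devices in that group
    roles: dict    # role name -> list of Permission
    grants: dict   # user id or group name -> set of role names

def _roles_of(policy, user):
    if user in policy.devices:      # a device in a group must not inherit user roles
        return set()
    subjects = {user} | {g for g, m in policy.members.items() if user in m}
    return {r for s in subjects for r in policy.grants.get(s, ())}

def _window_ok(perm, attributes):
    if perm.window is None:
        return True
    now = attributes.get("time")    # missing attribute: fail closed
    return now is not None and perm.window[0] <= now <= perm.window[1]

def is_permitted(policy, user, resource, action, attributes):
    for role in _roles_of(policy, user):
        for perm in policy.roles.get(role, ()):
            covers = (perm.resource == resource
                      or resource in policy.members.get(perm.resource, ()))
            if perm.action == action and covers and _window_ok(perm, attributes):
                return True
    return False                    # default deny

def get_list_of_resources_permitted(policy, user, action, attributes):
    return sorted(d for d in policy.devices
                  if is_permitted(policy, user, d, action, attributes))

# Constructed sample data modelled on the school example (all ids hypothetical).
SCHOOL = Policy(
    devices={"cam-1a", "cam-math", "cam-hall"},
    members={"class-1A": {"parent1", "cam-1a"},
             "school-1": {"cam-1a", "cam-math", "cam-hall"}},
    roles={"parent": [Permission("view", "class-1A", (time(9, 0), time(9, 45)))],
           "guard": [Permission("view", "school-1"), Permission("playback", "school-1")]},
    grants={"class-1A": {"parent"}, "guard1": {"guard"}},
)
```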
-
Video analytics integration
Integration API
Must have
Examples: Home automation, Social services, SIP, billing, etc.
Video analytics
Regular feature of Video Surveillance services
Service integration model as opposed to built-in feature
Loose coupling
Win in scalability, lose in performance, a bit
Features: Motion detection, Face detection, Intrusion area
-
Video analytics integration - flows
Media Broker CV service Client
Media Node
Events REST API
Get stream from MW CV client
CV event
CV overlay
CV engine
Motion Face Detected Intrusion
-
Video analytics integration - example
-
Q&A time
Much more left to talk about
-
Contacts
Andrey Konovalov
MERA Software Services
Unified Communication solutions architect
[email protected] [email protected]