11th Central and Eastern European Software Engineering Conference in Russia - CEE-SECR 2015

October 22 - 24, Moscow

Andrey Konovalov

Experience of developing Cloud service for Video Surveillance

MERA Software Services

Starter

www.merasws.com

Agenda

www.merasws.com

Intro Architecture and decomposition Main problems solved

Communication barriers Media processing Public Cloudification

Cloud Recording Access control and grouping

Integration Video Analytics

Evolution, not revolution lessons learned

Beginning: MERA Watch Initial Requirements

www.merasws.com

Public service, Consumer market, iOS first, integrated Camera

Amazon AWS, Integrate with existing Home Automation service Functional:

Interact (HD! Intuitive! Secure! Everywhere! From any device! Minimal delay!)

Aware (Analyze this! Alert me! Pull the trigger!) Back in time (Action! Stop! Cut! Everything! No tape waste!)

Numbers: 720p30, H264, 2 Mbps, 10K+ cams, 5 seconds

Architecture - layers

www.merasws.com

Media Plane

Control/Signaling Plane

Storage Plane

Presentation Plane

Architecture players

www.merasws.com

Media Plane

IP camera/Soft Agent

Mobile/Desktop Client Web Client

Presentation Plane Control Plane

Video storage

Broker Web Portal

DB

Node

Architecture make it Cloud ready

www.merasws.com

Media Plane

Cloud Storage

Presentation Plane Control Plane

Node 1 Node N

Broker DB Web

Portal

IP camera/Soft Agent

Mobile/Desktop Client Web Client

Problems and Solutions

www.merasws.com

Communication barriers

Connectivity/Transport issues - Protocols Outer space

www.merasws.com

Service

IP camera

Mobile Client RTSP/RTP

SCP

REST API REST API

RTSP/RTP

HLS

Everywhere Everywhere and Intuitive

SCP (Smart Control Protocol): UDP, Duplex,

ICE-style NAT traversal (STUN, TURN ).

Because of integration!

iOS Smart TCP

bridges delay < 5 sec

FW Agent

RTSP server

Connectivity/Transport issues Control Security

www.merasws.com

Problem: How to secure UDP control protocol? DTLS

No support in the ICE libs (libnice, ice4j) , Cloud side - complicated

Encrypt payload of packets Inventing a wheel

Solution: HTTP, duplex, long-polling technique. Security TLS

Cons? - Yes, they are. Some delay and server resources Final? Web sockets? MQTT? Transport agnostic?

Problem: How to get media from Camera behind NAT/FW/ Push HTTP push, RTP Pull HTTP live streaming Solution: Mixed/Overlay RTSP/RTP over TCP NAT, FW, Proxy? - TCP bridge

Problem: Web client and real time media

Solution: WebRTC , RTMP Conclusion: No silver bullet, fallback approach

Media delivery

www.merasws.com

Problems and Solutions

www.merasws.com

Media manipulations

Option 1 for media processing - Media Servers

www.merasws.com

Wowza Kurento Darwin Erlyvideo Flumotio

n

Googling Wowza Kurento Erlyvideo

Capabilities

Protocols Poor API

No Embedded Not

complete coverag

e

Features

required

Kurento Licens

e or Open

Source

Do not use

Media Servers

Overall

Problem: what to use for the Media processing?

Option 2 for media processing - Media Frameworks

www.merasws.com

Googling Open Source

Stable

FFMPEG (no RTSP server)

Gstreamer

Target protocols

Gstreamer Ok

+ Codecs + NAT

and more

Matrix of Features

Gstreamer ~= Wowza

Performance

PoC Gstreamer is portable

Embedded

Gstreamer

iOS, Android

Mobile Gstreamer - Ok Trim

And the winner is .

Sample streaming difficulties

www.merasws.com

Problem: One camera several clients Same protocols, different protocols

Easy for RTSP, HLS, RTMP but not for WebRTC Solution: Gstreamer helped (tee elements/RTSP server).

Problem: Transcoding Incoming: H264/G.711;

Outgoing: VP8 or H264 (i.e. profile changed), audio - AAC Solution: Gstreamer Dynamically attached transcoding

Problem: Security for Webrtc DTLS-SRTP plugin from OpenWebRTC

Problems and solutions

www.merasws.com

Private Cloudification

Recording in Mera Watch in AWS

www.merasws.com

Media Core App

File system Video segment TS

Video segment

Video segment

Node Uploader

Boto Amazon

S3 Video segment

Video segment

Video segment

User/Camera/Time

Broker

Solution: Record in HLS (MPEG TS) format varying segment length Storage: Amazon S3

Private Storage problem and requirements

www.merasws.com

Problem: Substitute S3 to deploy in Private Cloud Requirements: Usual Cloud Storage

Scalable, Robust replication is a must have Fast enough for video recording of N cameras streams Regular hardware Easy to integrate with

No PoC time for evaluation so the decision was based on Features/API Recommendations and feedback, open source Community design activity

Private Storage decision

www.merasws.com

Options considered Distributed file system: GlusterFS, Ceph Object storage: Ceph, OpenStack Swift , Sheepdog, riak-cloud-storage

Decision: Ceph Why Ceph? (http://ceph.com/)

Ceph is open source and freely-available, and it always will be All three types of storage Object, Block and File System Production ready

2Gis, Yahoo, Redhat Cloud storage selection http://www.theplatform.net/2015/04/16/inside-the-ceph-exascale-storage-at-yahoo/

S3 API for Object storage

http://ceph.com/http://www.theplatform.net/2015/04/16/inside-the-ceph-exascale-storage-at-yahoo/

Media Node

OSD 1

Private Storage typical Ceph configuration for Mera Watch

www.merasws.com

SSD

Monitor HDD

HDD

OSD 3 SSD

HDD

HDD

RadosGW

Uploader

OSD 2 SSD

HDD

HDD

Admin Node

Crush algo

Scale up: - add HDDs; - add OSD Nodes; - add clusters;

Access control and grouping

www.merasws.com

Service

Group

User

Admin User Use

r

Group

Group

User

Group

Clips

Clips

Problems: Control permissions for users (1) and structure cameras (2)

Public service (Dropcam, Ivideon) hierarchy example

Private service example: Municipal VSaaS Schools

Service

Tenant: Dep. Of Education

School 1

Service Admin User

Org Admin

Classes

Interspaces Class 1A

School 2

Parent 1

School Admin Class 6B

Parent 2

School Guard Rooms

Room Math

Room English

www.merasws.com

www.merasws.com

Access Control and Grouping Access Control Decision details

Access Control Many approaches (RBAC, ACL, ABAC, Domains, Rules ) Solution: Hybrid (Core RBAC + Attributes) but RBAC first Roles

Assigned to Users and Groups (User can have several Roles) Role contains a list of permissions made of actions on resources

Why do we need attributes? Example: View in particular time (e.g. parent view a camera in particular

class room in particular lesson time) Grouping

Main point: Groups are used to include both Devices and Users!

Access Control and Grouping Access Control Decision details

www.merasws.com

Frameworks Apache Shiro

http://shiro.apache.org/index.html Complete security and permissions concept Integrated with Spring

Spring Security

Looks complicated

Code wise Need Role-Permissions evaluator procedures isPermitted(resource, action, attributes) getListofResourcesPermitted(action)

http://shiro.apache.org/index.html

Video analytics integration

www.merasws.com

Integration API Must have Examples: Home automation, Social services, SIP,

billing, etc.

Video analytics Regular feature of Video Surveillance services Service integration model as opposite to built-in

feature Loose coupling Win in scalability, loose in performance, a bit

Features: Motion detection, Face detection, Intrusion area

Video analytics integration - flows

www.merasws.com

Media Broker CV service Client

Media Node

Events REST API

Get stream from MW CV client

CV event

CV overlay

CV engine

Motion Face Detected Intrusion

Video analytics integration - example

www.merasws.com

Q&A time

www.merasws.com

Much more left to talk about

Contacts

www.merasws.com

Andrey Konovalov MERA Software Services Unified ommunication solutions architect aknv@mera.ru andrey.konovalov.nn@gmail.com

mailto:aknv@mera.rumailto:andrey.konovalov.nn@gmail.com

Experience of developing Cloud service for Video SurveillanceSlide Number 2Slide Number 3Slide Number 4Slide Number 5Slide Number 6Slide Number 7Communication barriersSlide Number 9Slide Number 10Slide Number 11Media manipulationsSlide Number 13Slide Number 14Slide Number 15Private Cloudification Slide Number 17Slide Number 18Slide Number 19Slide Number 20Slide Number 21Slide Number 22Slide Number 23Slide Number 24Slide Number 25Slide Number 26Slide Number 27Much more left to talk about Slide Number 29