Compact Deployment
PN: 10-00456-01-02
Encoding On-demand mS v12
Contents
1 Overview
  1.1 Deployment overview
2 Prerequisites
  2.1 Browser Compatibility
  2.2 Hosts prerequisites
    2.2.1 Minimal resources for MediaKind Controller server(s)
    2.2.2 Recommended resources for MediaKind applications servers
    2.2.3 Minimal resources for MediaKind applications servers
  2.3 Operating System prerequisites
    2.3.1 Versions and compatibility
    2.3.2 Linux update
    2.3.3 Antivirus
    2.3.4 Security-Enhanced Linux
    2.3.5 Firewall
    2.3.6 HTTP Proxy
    2.3.7 Host Names
  2.4 Network Configuration
    2.4.1 Improve network interfaces high availability (NIC teaming)
  2.5 MediaKind security model and zoning
NOTE The distributed mode can also be deployed with 2 dedicated license management servers
(see Controller installation guide)
Available resources
Context: Deployment from scratch
Description: An installation guide is available for the following deployment contexts:
• Standalone deployment Mode
• Compact deployment Mode
• Distributed Deployment Mode
Context: Upgrade of existing deployed solution
Description: An upgrade guide is available to upgrade from the version currently deployed to the latest version:
• Upgrade guide - all modes
2 Prerequisites
IMPORTANT In order to guarantee server high availability, we recommend that you dedicate and team two
physical network interfaces for the management network via one logical network interface.
Refer to: Improve network interfaces high availability (NIC teaming), section 2.4.1.
* The version to use depends on the MediaKind applications that need to be supported.
IMPORTANT • In standalone mode, the CentOS version deployed on the server must be compatible
with the recommended (or supported) versions of both MediaKind Controller and
MediaKind application to install.
• In compact mode, the CentOS version deployed on both controllers must be compatible
with the recommended (or supported) versions of both MediaKind Controller and
MediaKind application to install.
2.3.3 Antivirus
Uninstall all antivirus services from all the servers of the solution to avoid performance failures or
unexpected software behaviors.
NOTE The product setup script automatically configures the Security-Enhanced Linux settings.
2.3.5 Firewall
Activate the Linux server firewall, if it is disabled, in order to access the ports required during
installation. Ports: 8080 for the UI, or 80 for the light SOAP bridge, and 8443 for HTTPS.
NOTE The product setup script automatically configures the firewall settings.
ATTENTION During the deployment of the system, the last octet of the VIP is used as the Virtual Router
Redundancy Protocol (VRRP). Therefore the last octet used by the VIP MUST be unique,
and no other device in the network can use the same last octet.
For example, if the VIP is 10.86.84.239, no other device in the network may use 239 as
the last octet of its address.
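A pre-deployment check for this rule, as an added example that is not part of the product: it reads a device inventory and reports every address, in any subnet, that ends in the same octet as the VIP. The inventory format ("ADDRESS [name]") and all device names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not product code): list inventory addresses whose last
# octet equals the VIP's. Inventory format "ADDRESS [name]" is an assumption.

# last_octet ADDR -> prints the fourth octet; fails unless ADDR is dotted-quad IPv4
last_octet() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the validated address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    echo "$4"
}

# vrrp_collisions VIP -> reads the inventory on stdin and prints every other
# address that shares the VIP's last octet; returns 1 if any was found
vrrp_collisions() {
    vip_octet=$(last_octet "$1") || { echo "invalid VIP: $1" >&2; return 2; }
    found=0
    while read -r addr rest; do
        [ "$addr" != "$1" ] || continue             # the VIP itself is allowed
        octet=$(last_octet "$addr") || continue     # skips blanks and comments
        if [ "$octet" -eq "$vip_octet" ]; then
            echo "$addr"
            found=1
        fi
    done
    return "$found"
}

# Constructed inventory; the VIP is the one from the example above.
sample_inventory() {
    cat <<'EOF'
# address      name
10.86.84.10    controller1
10.86.84.11    controller2
10.86.84.239   controller-vip
10.86.84.23    server-c
10.86.85.239   storage-gateway
192.168.7.239  oob-switch
EOF
}

# With a VIP argument, check the inventory supplied on stdin.
[ "$#" -eq 0 ] || vrrp_collisions "$1"
```

On the constructed inventory, `sample_inventory | vrrp_collisions 10.86.84.239` reports 10.86.85.239 and 192.168.7.239, while 10.86.84.23 is not reported because the comparison is on the whole octet.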
NOTE In case of distributed deployment, all the network interface names of all the servers must be
the same subnetwork.
• Untrusted zone is a public zone, entirely open, that includes public networks such as the public
Internet. Restrictions and requirements are difficult or impossible to place or enforce in this zone
because it is generally outside the control of the customer. The untrusted zone is considered to be
extremely hostile.
• Semi-trusted zone is a public access zone that mediates between the customer’s trusted zone and the
untrusted zone. Typically, this zone implements corporate Web/Proxy servers, Domain Name Service,
external Mail servers, remote access, and extranet gateways. It is often referred to as a demilitarized
zone (DMZ). The semi-trusted zone is considered to be hostile.
• Trusted zone is an operational zone, a standard environment for routine customer operations, and
where most corporate user systems and work group servers are installed. In general, with appropriate
security controls, this zone may be suitable for processing some sensitive data; however, this zone is
customarily unsuitable for large repositories of sensitive data or critical applications without adequate
strong trustworthy security controls.
• Restricted zone is a controlled zone suitable for business-critical services or large repositories of
sensitive data. It supports access from systems in the semi-trusted zone.
Each security zone is delimited by a trust boundary:
• Trust boundaries provide the network interface from a zone to an adjacent zone. Trust boundaries are the
logical construct describing the controlled interfaces connecting zones. Trust boundaries enforce zone
data communication policy through perimeter security measures. Trust boundaries control inbound
data communication and implement the security policy of their respective zone, and all data communication
must pass through a trust boundary. Trust boundaries can be implemented using a single component
or a combination of components such as a load balancer, firewall, intrusion detection system (IDS),
intrusion prevention system (IPS), access control list (ACL) and routers.
3 Quick Deployment Procedures
• /mongo/mongodb.key: This key is used for internal authentication between both controllers and the
arbiter server.
# mkdir -p /tmp/<directory_name>
# tar -xvf Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz -C /tmp/<directory_name>
# cd /tmp/<directory_name>
# ./install.sh
# mkdir -p /tmp/<directory_name>
# tar -xvf Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz -C /tmp/<directory_name>
# cd /tmp/<directory_name>
# ./install.sh
# rm -rf /tmp/<directory_name>
# mkdir -p /tmp/<directory_name>
# tar -xvf Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz -C /tmp/<directory_name>
# cd /tmp/<directory_name>
# ./install.sh --mongoarbiter
# rm -rf /tmp/<directory_name>
3. Manage certificate and configure Log Manager depending on your deployment context:
• Deployment with custom certificates
a. Copy the trusted certificate files (.crt and .key) available in your environment, generated
according to the PEM (RFC 1421 to 1424) format standards, to controller 1 under /etc/ssl/certs.
b. Repeat on controller 2.
• Deployment with auto-generated certificates
RESTRICTION Certificates generated with the provided script “generate_certificate.sh” are
self-signed and are created with an expiration date set to "current date + 10 years".
3. Repeat on controller 2.
5. Repeat on controller 2.
6. Carry out the following series of steps on server C:
7. Repeat on servers D to N.
4 Deployment Procedures
4.1 Introduction to compact deployment
This deployment mode installs both the controller and the licensing management system on the same
host. Licensing control is based on locking codes generated on the Controller host(s).
A locking code relies on hardware-specific criteria, such as MAC address, hostname, or UUID. Any
post-deployment change to one of these criteria will result in invalid licenses.
# mkdir -p /tmp/<directory_name>
# tar -xvf Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz -C /tmp/<directory_name>
# cd /tmp/<directory_name>
# ./install.sh
Completed
NTP server. In a MediaKind solution, all the logs, alarms and status are written and timestamped by all
the different servers that cooperate for control.
1. Carry out the following steps only if running CentOS versions 7.3 and above.
NOTE Disable and stop chronyd to prevent unexpected behaviour (upon a reboot for example).
2. Update the NTP configuration file on the first server with the NTP IP address:
# vi /etc/ntp.conf
# server [ntp_ip_address]
3. Restart the NTP service on each server with the following commands:
5. Check the server synchronization with the NTP server with the following commands:
# ntpstat
6. Edit the time zone only if the time is not currently set to the expected time zone; otherwise, skip to
the next step in this procedure.
NOTE Editing the time zone depends on your geographic location.
# cd /etc
# rm localtime
# ls /usr/share/zoneinfo/
# ln -s /usr/share/zoneinfo/[expected_time_zone] localtime
# date
Mandatory parameters
ntp is synchronized
3. When the Login page displays, enter your username and password.
# rm -rf /tmp/<directory_name>
4.4 Deploying the arbiter server for Controller redundancy
IMPORTANT If Controllers are deployed on separate hosts, then the arbiter must be on a different host
than controllerIP1 and controllerIP2.
The arbiter must be deployed on a server that also runs a processing application. In this
document, the arbiter is installed on Server C, but it could be located on any other server
that runs a Processing application.
# mkdir -p /tmp/<directory_name>
# tar -xvf Eri-xx-xxxxxx-xx-xx-MFVP-controller-v.x.y.z.el7.x86_64.tar.gz -C /tmp/<directory_name>
# cd /tmp/<directory_name>
# ./install.sh --mongoarbiter
Complete!
2. Update the NTP configuration file on the first server with the NTP IP address:
# vi /etc/ntp.conf
# server [ntp_ip_address]
3. Restart the NTP service on each server with the following commands:
5. Check the server synchronization with the NTP server with the following commands:
# ntpstat
6. Edit the time zone only if the time is not currently set to the expected time zone; otherwise, skip to
the next step in this procedure.
NOTE Editing the time zone depends on your geographic location.
# cd /etc
# rm localtime
# ls /usr/share/zoneinfo/
# ln -s /usr/share/zoneinfo/[expected_time_zone] localtime
# date
Mandatory parameters
ntp is synchronized
# rm -rf /tmp/<directory_name>
4.5 Deploying Log Manager on both Controller servers
Optional
3. Enter the following command to check that the installation is completed and the docker service is
enabled:
enabled
IMPORTANT Expiration of the validity date of a certificate will not block the encoding processes but will
prevent job logs from being collected and displayed in the UI.
Mandatory Parameters
Optional Parameters
RESTRICTION Certificates generated with the provided script “generate_certificate.sh” are self-signed and
are created with an expiration date set to "current date + 10 years".
1. Enter the following command on Controller1:
Mandatory Parameters
Result: The following certificates are generated in the folder defined for --output:
• <controller_VIP>.csr
• <controller_VIP>.crt
• <controller_VIP>.key
• <controller_VIP>.pem
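Because an expired certificate stops job-log collection without stopping encoding, the failure is easy to miss; the following check is an added example, not one of the product's scripts, that reports certificates that are expired or about to expire and whether subject and issuer match. It assumes the `openssl` command-line tool is installed and takes the certificate paths as arguments; the 30-day warning window is an arbitrary default.

```shell
#!/bin/sh
# Added example (not product code): report certificates that are expired or
# close to expiry. Requires the openssl command-line tool.

# cert_status FILE [WARN_DAYS] -> ok | expiring | expired | unreadable
cert_status() {
    warn_days=${2:-30}
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || { echo unreadable; return 0; }
    if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$((warn_days * 86400))" -in "$1" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# is_self_signed FILE -> succeeds when subject and issuer are identical
is_self_signed() {
    subject=$(openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -in "$1" 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# check_certs WARN_DAYS FILE... -> one report line per file; returns 1 unless all are ok
check_certs() {
    warn=$1; shift
    rc=0
    for f in "$@"; do
        state=$(cert_status "$f" "$warn")
        if [ "$state" = unreadable ]; then
            echo "unreadable $f"; rc=1; continue
        fi
        trust=other-issuer
        if is_self_signed "$f"; then trust=self-signed; fi
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null | sed 's/^notAfter=//')
        echo "$state $trust notAfter=${end:-unknown} $f"
        [ "$state" = ok ] || rc=1
    done
    return "$rc"
}

# Runs only when a warning window and at least one file are given.
[ "$#" -lt 2 ] || check_certs "$@"
```

Run from cron or a monitoring agent on each controller against the `<controller_VIP>.crt` in use; a non-zero exit status means at least one certificate needs attention.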
Mandatory Parameters
Optional Parameters
3. Repeat on Controller2.
4.6 Deploying MediaKind Encoding On-Demand on both Controller servers
Mandatory Parameters
Optional Parameters
ericsson-on-demand-encoding-standalone-successful
2. Repeat on Controller2.
2. Update the NTP configuration file on the first server with the NTP IP address:
# vi /etc/ntp.conf
# server [ntp_ip_address]
3. Restart the NTP service on each server with the following commands:
5. Check the server synchronization with the NTP server with the following commands:
# ntpstat
6. Edit the time zone only if the time is not currently set to the expected time zone; otherwise, skip to
the next step in this procedure.
NOTE Editing the time zone depends on your geographic location.
# cd /etc
# rm localtime
# ls /usr/share/zoneinfo/
# ln -s /usr/share/zoneinfo/[expected_time_zone] localtime
# date
2. Copy the MongoDB client authorization password from the controller to this server at the following
location: /etc/ericsson/secrets/mongo/secrets.ini (create the directory if necessary).
3. Enter the following command:
Mandatory Parameters
Optional Parameters
The last command allows the user change to take effect for MediaKind Encoding On-Demand.
1. Open an SSH session as a root user.
2. Enter the following command to create the directory where the remote server location is to be
mounted.
# mkdir -p /opt/mfvp/mnt/LocalDirectory/Storage
4. Retrieve the [uid_value] and [gid_value] of the Ericsson user with the following commands:
# id ericsson
5. Mount the remote server on the newly created local directory by editing the file /etc/fstab
# vi /etc/fstab
8. Use the command lines (#) below to test the mount point by creating a mount.test file in
/opt/mfvp/mnt/LocalDirectory/Storage.
# cd /opt/mfvp/mnt/LocalDirectory/Storage
# ls /opt/mfvp/mnt/LocalDirectory/Storage
9. Return to the application and create a job using settings for either option 1 or option 2.
Option 1: using remote location (URL beginning with file://)
a. Input: file://RemoteServer/Storage/CustomInputFileName.ts
b. Output: file://RemoteServer/Storage
Option 2: Using local directory (URL beginning with file:///)
a. Input: file:///opt/mfvp/mnt/LocalDirectory/Storage/CustomInputFileName.ts
b. Output: file:///opt/mfvp/mnt/LocalDirectory/Storage
5.2 Allow LDAP users to access Controller user interface
[ldap]
server_uri = ldap://fr-my.companydomain.com:389
bind_dn = CN=apache,OU=COM,OU=Sites,DC=companydomain,DC=com
bind_pwd = ********
search_dn = OU=COM,OU=Sites,DC=companydomain,DC=com
username_field = sAMAccountName
firstname_field = givenName
lastname_field = sn
start_tls = False
ca_certificate_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
cipher_suite = kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES:-SSLv2:-SSLv3:-TLSv1:-TLSv1.1
ca_certificate_file: Location of the CA certificate file used to verify the LDAP server’s certificate when using TLS or LDAPS
cipher_suite: OpenSSL-format string defining the list of ciphers to use for TLS communication
# update-ca-trust extract
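The sample [ldap] section pairs an ldap:// URI with start_tls = False, so ca_certificate_file and cipher_suite, which apply only to TLS or LDAPS, have nothing to act on and a simple bind sends bind_pwd in the clear. The check below is an added example, not part of the product, that reports this case; it assumes start_tls takes True/False as shown above and receives the settings file path as an argument, since this page does not name the file.

```shell
#!/bin/sh
# Added example (not product code): flag an [ldap] section whose bind would
# cross the network unencrypted.

# ldap_get FILE KEY -> value of KEY in the [ldap] section (empty if absent)
ldap_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_ldap = ($0 ~ /^[ \t]*\[ldap\]/); next }
        in_ldap && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# ldap_transport FILE -> ldaps | starttls | cleartext | unknown
ldap_transport() {
    tls=$(ldap_get "$1" start_tls | tr '[:upper:]' '[:lower:]')
    case "$(ldap_get "$1" server_uri)" in
        ldaps://*) echo ldaps ;;
        ldap://*)  if [ "$tls" = true ]; then echo starttls; else echo cleartext; fi ;;
        *)         echo unknown ;;
    esac
}

# audit_ldap FILE -> prints findings; returns 1 if there is any
audit_ldap() {
    ca=$(ldap_get "$1" ca_certificate_file)
    case "$(ldap_transport "$1")" in
        cleartext)
            echo "FAIL: ldap:// with start_tls off, bind_pwd is sent unencrypted"
            echo "NOTE: ca_certificate_file and cipher_suite are unused without TLS"
            return 1 ;;
        unknown)
            echo "FAIL: server_uri is neither ldap:// nor ldaps://"
            return 1 ;;
    esac
    [ -n "$ca" ] && [ -r "$ca" ] && return 0
    echo "FAIL: ca_certificate_file '$ca' is not a readable file"
    return 1
}

# Constructed sample: the transport-related keys of the [ldap] block above.
sample_ldap_ini() {
    cat <<'EOF'
[ldap]
server_uri = ldap://fr-my.companydomain.com:389
bind_dn = CN=apache,OU=COM,OU=Sites,DC=companydomain,DC=com
bind_pwd = ********
start_tls = False
ca_certificate_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
EOF
}
[ "$#" -eq 0 ] || audit_ldap "$1"
```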