Vidispine Server Agent¶
The Vidispine Server Agent, VSA, is a daemon process running on servers connecting to a Vidispine Server, VS. VSA is composed of a Vidispine Transcoder and the VSA supervisor.
How to install VSA¶
Prerequisites¶
- A running VS instance, version 4.4 or newer
- A server running Ubuntu 14.04 or higher, 64-bit, or CentOS 6.5 or higher, 64-bit
Installation¶
Add the Vidispine repository according to the documentation on repository. Then you can install and start VSA. With Ubuntu/Debian:
$ sudo apt-get install vidispine-agent vidispine-agent-tools
With CentOS/RedHat:
$ sudo yum install vidispine-agent vidispine-agent-tools
After that, the agent can be connected to Vidispine server.
Connecting to Vidispine¶
The agent can then be connected either with or without establishing an SSH tunnel to Vidispine server. The latter should be used if an encrypted network connection has already been established to Vidispine server, or if the server and the agent runs within the same network.
Connecting with SSH tunnel¶
The configuration files are located in /etc/vidispine/
.
Configuration can be stored in either the file agent.conf
in this directory, or in files in the subdirectory agent.conf.d
.
It is recommended that a file is created in the agent.conf.d
directory.
Specifically, there are two setting that has to be set: the connection to VS, and the unique name of the VSA server. The first one you will get from the Vidispine instance.
Enable the Vidispine VSA port, by adding this to the
server.yaml
file (change the port number as necessary). The server will need to restart for any changes to take effect.vsaconnection: bindPort: 8183
Note
This step is new in Vidispine 4.6.
On the Vidispine instance, install the
vidispine-tools
package and run$ sudo vidispine-admin vsa-add-node
Note
In Vidispine 4.6, the command has changed to
vsa-add-node
. With the new vsa-add-node command, one VSA can connect to multiple vidispine-servers.Fill in the user name, password and IP address. Enter the unique name, but you can leave the UUID empty.
Now, on the VSA server, add this information to
/etc/vidispine/agent.conf.d/connection
.Start VSA:
$ sudo service vidispine-agent start $ sudo service transcoder start
Wait 30 seconds. Now verify that it is connected:
$ sudo vidispine-agent-admin status
Agent, transcoder and Vidispine should all be ONLINE.
Connecting without SSH tunnel¶
Create a file
/etc/vidispine/agent.conf.d/custom.conf
with content like:userName=admin password=KioqYWRtaW4= directVSURI=http://172.17.0.7:8080/ vsaURI=http://172.17.0.8:8090/
userName
: Vidispine user name.password
: Base64 encoded value of a***
prefixed password. For example, the value should be the result ofecho -n ***admin | base64
, if the password isadmin
.directVSURI
: the address VSA uses to connect to Vidispine server.vsaURI
: the address that can be used by Vidispine server to connect to VSA
Restart VSA:
$ sudo service vidispine-agent restart
Wait 30 seconds. Now verify that it is connected:
$ sudo vidispine-agent-admin status
Agent, transcoder and Vidispine should all be ONLINE.
Also, the VSA should listed under the server:
$ curl -X GET -uadmin:admin http://localhost:8080/API/vxa
VSA and S3 credentials¶
A VSA transcoder can be given direct access to S3 storages,
meaning the agent will access the files directly without them being proxied by the main server. If the configuration
property useS3Proxy
is set to true
, pre-signed URLs will be used for agents to read S3 objects.
If it is set to false
, or if it is a WRITE
operation, AWS credentials will be sent to agents.
The type of AWS credentials being sent to the agents can be controlled by the configuration property s3CredentialType
:
secretkey
: The access key and the secret access key configured in the S3 storage URI will be sent to the agent.temporary
: The AWS Security Token Service (STS) will be used to generate temporary credentials to send to the agents. The duration of the credentials is controlled bystsCredentialDuration
. You can setstsRegion
to control in which region Vidispine server will call the AWS Security Token Service (STS) API.none
: No credentials will be sent to the agent. The agent then needs to rely on a localAwsCredentials.properties
file, or an IAM role on the instance to access S3 objects.
There is also a configuration entry called s3CredentialType
available in the agent.conf
, that can be used to configure this behavior on a per-agent basis.
The final effective credential type will be the min of Server s3CredentialType and Agent s3CredentialType. And the order of the values is secretkey > temporary > none
.
For example, no credentials will be sent to the agent, if an agent has the following configuration:
s3CredentialType=none
and the server has:
<property lastChange="2014-07-14T14:55:15.432+02:00">
<key>s3CredentialType</key>
<value>temporary</value>
</property>
Note
For an older agent to work with 4.14 server, the credential type on the server side has to be set to either secretkey
or none
.
Agent properties¶
Configuration properties that can be used in the agent configuration file.
Upon start, configuration is read from /etc/vidispine/agent.conf
and any files
in the directory /etc/vidispine/agent.conf.d
.
Basic¶
vxaName
- The name the VSA is using to register itself. Optional but recommended. With a name set, the name
can be used instead of UUID in
vxa://
URIs. operationMode
- Should always be
VSA-VS
. uuid
- The UUID of the VSA. Must be unique and follow the UUID syntax.
Connection¶
agentGroup
- String that is used to signal to Vidispine server that all agents in the same group can reach each other.
bindAddressV4
/bindAddressV6
- The network address that the agent should accept connections on. If not set,
127.0.0.1
is used. vxaPort
- The network port that the agent should listen on. Default 8090.
externalUri
- URI that the agent can be reached at. For example:
http://10.0.0.20:8090/
,https://vsa.example.com/
. connectionString
,connectionString1
,connectionString2
...- How the VSA should connect VidiCore. Generated by
vidispine-agent-admin
. directVSURI
,directVSURI1
,directVSURI2
- If VSA can connect directly to VidiCore (without secure tunnel), this is the URI to VidiCore (from VSA).
vsaURI
- If VidiCore can connect directly to VSA (without secure tunnel), this is the URI to VSA (from VidiCore).
Please note that you must use
https://
as scheme if you have enabled HTTPS usingtls=true
. userName
- User name used to connect to VidiCore. Not recommended.
Use
vidispine-agent-admin
to create a secure connection instead. password
- Password used to connect to VidiCore. Not recommended.
Use
vidispine-agent-admin
to create a secure connection instead. sshProxy
- Proxy (http, socks4, socks5) used for SSH connection. Not required for new connections created by
vidispine-agent-admin
. fingerPrint
- SSH fingerprint of SSH server on VidiCore side. Connection will fail if fingerPrint is set and no matching. Default is that connection is allowed, but a warning is emitted in the log file.
pingInterval
- How often the VSA should contact VidiCore. Default is
4
seconds, but can be increased to lower traffic. Recommended:60
. restSelectorRunners
The number of threads that will be available to serve incoming requests. The selector runner will delegate the actual work that should be done to a worker thread.
New in version 5.3.
restWorkerThreads
The number of worker threads that are available. These threads carry out the actual work in the VSA. For example they handle transfer jobs performed by the VSA. They typically also deliver results of requests sent to the VSA. However, see also transfer section below.
New in version 5.3.
tls
Set to
true
to enable HTTPS for the VSA. This will require a PKCS12 keystore file containing a certificate associated with the domain used to access VSA. Example: (CN=the-domainname)New in version 21.4.
pkcs12File
The location of the PKCS12 file to use for enabling HTTPS. For example,
/directory/of/keystore.p12
This must be set iftls
is set to true.New in version 21.4.
pkcs12Password
The password for the PKCS12 keystore. This must be set if
tls
is set to true.New in version 21.4.
pkcs12CertificateAlias
(Optional) The alias of the certificate to use for the VSA. If this is not defined the VSA will try to use the first found certificate in the PKCS12 keystore file. Example:
pkcs12CertificateAlias=TheAlias
New in version 21.4.
Logging¶
logLevel
- Overall log level. Accepted values are
ALL
,TRACE
,DEBUG
,INFO
(default),WARN
,ERROR
,FATAL
,OFF
. logLevel
.(class or package)- Class or package-specific logging.
Transfer jobs¶
transferThreadCount
Use multiple threads for a single transfer. Can speed up S3 transfers significantly. Default is 1 (single thread).
New in version 5.4.
transferBufferSize
Size of transfer chunk used in transfer jobs. Default is 10000000 (10 MB).
New in version 5.4.
checkTransferDestination
- If set, VSA will wait up to given number of seconds to appear in file listings before reporting the transfer as complete.
readTransferDestination
- If set to true (which is the default), VSA verify a transfer by reading the first byte of the destination before reporting the transfer as complete.
Hash compute jobs¶
hashThreadCount
Use multiple threads for reading a file during hash computation. The actual computation is still done in one thread. Default is 1 (single thread).
New in version 5.4.
Transcoder jobs¶
transcoder.maxJob
- The sets the maximum transcoder jobs the VSA will process. This is done by setting the maxJob element of the transcoder resource in VidiCore.
transcoder.directAccess
- Controls if the VSA can access the input files directly. Note that there are two level of media access proxying for transcode jobs. VidiCore will proxy all access for the VSA which does not fit the directAccess filter, if the directAccess is set. VSA will proxy media access for the VidiCoder for URIs that are not http or file.
transcoder.port
- How the VSA reaches the transcoder. Should be
8888
unless the transcoder listens to another port.
Storage access¶
s3
...- All S3 configurations listed in Storage and file are available as VSA configuration.
ftppool.maxtotal
- Maximum number of entries in FTP connection pool. Default is -1 (unlimited).
ftppool.maxtotalperkey
- Maximum number of entries in FTP connection pool per key (scheme/host/port). Default is -1 (unlimited).
ftppool.minidleperkey
- Keep at least this number of connections idle. Default is 0.
ftppool.timebetweenevictionrunsmillis
- Time between when idle connections are checked for closing, in milliseconds. Default is 30000 (30 seconds).
ftppool.minevictableidletimemillis
- The minimum time an connection is idle before it can be closed, in milliseconds. Default is 60000 (60 seconds).
Resource tags¶
resourceTag.<name> = <value>
Resource tags can be configured on a VSA, which then will be available on the VSA entity in VidiCore API.
<name>
must match the following regex pattern:[A-Za-z][A-Za-z-]*[A-Za-z]
.Example:
resourceTag.location = Stockholm
New in version 22.2.
Direct transfers between VSAs¶
New in version 5.0.
When Vidispine server copies or moves a file between two agent storages, the default is for Vidispine server to read the file from one agent and then write it to the other agent. In the case where the agents actually are able to reach each other, this is obviously quite inefficient, since the data is streamed through Vidispine server.
To let Vidispine server send a transfer job to the agent which hosts the source file, which then sends the file directly to
the receiving agent. To enable this you configure both agents with the same value of the agent property agentGroup
.
The destination URI, where the agent will try to send its file, will as default be the uri of the receiving agent, as
seen at GET /vxa/(uuid)
. For example:
<VXADocument xmlns="http://xml.vidispine.com/schema/vidispine">
<uuid>aa4a7ef6-087c-4003-82fb-983c0e91d9c3</uuid>
<name>Test agent</name>
<uri>http://localhost:57893/</uri>
<agentGroup>office-vsa-group</agentGroup>
...
</VXADocument>
However, in many cases that URI might not be a URI that the first agent can reach, for example if the agent is connected
through SSH (then the URI typically is something like: http://localhost:5678/). To overcome this the agents can set the
agent property externalUri
to an URI that the agent can be reached at. This may be used in conjunction with
the property: bindAddressV4
and/or bindAddressV6
.
Examples¶
Two agents are one the same network and connect directly to Vidispine server, we only need to set agentGroup
in each
agents configuration file to the same value:
uuid=aa4a7ef6-087c-4003-82fb-983c0e91d9c3
agentGroup=office-vsa-group
...
uuid=e5db8d36-470c-44fa-8499-967537ddae6a
agentGroup=office-vsa-group
...
One agent is connecting to Vidispine server using SSH, we then need to set the externalUri
property for that agent:
uuid=aa4a7ef6-087c-4003-82fb-983c0e91d9c3
agentGroup=office-vsa-group
...
uuid=e5db8d36-470c-44fa-8499-967537ddae6a
agentGroup=office-vsa-group
externalUri=http://10.0.0.23:8090/
...
Port forwarding service¶
New in version 5.1.
It is possible to set up a port forward service, using the already existing connection to Vidispine, for the VSA. This
will create a secure channel using remote forwarding. This is done by specifying an ID for the service and the URL and port
that this service will try to reach. The agent needs to be configured as such; port.forward.<id>=<scheme>://<host>:<port>
where <id> needs to be an integer. It is possible for a single VSA to have multiple port forwarding services enabled.
For example:
port.forward.1=ldap://someldapserver.com:389
port.forward.2=ldaps://anotherldapserver.com:636
after the VSA have connected to Vidispine, the vxa resource will report:
GET /vxa HTTP/1.1
<VXAListDocument xmlns="http://xml.vidispine.com/schema/vidispine">
..
<vxa>
<uuid>e5817fdb-9deb-4f25-a689-72349a78407a</uuid>
..
<forwardService>
<id>1</id>
<uri>ldap://examplevshost:40275</uri>
</forwardService>
<forwardService>
<id>2</id>
<uri>ldaps://examplevshost:43741</uri>
</forwardService>
</vxa>
..
</VXAListDocument>
The example above would be port forwarding for LDAP authentication.
New in version 21.3.
For a HTTP connection via VSA, it is recommended to use the VSA as a HTTP proxy instead of forwarding individual ports. For more information about this, see Proxying HTTP connection via a VSA.
Setting up VSA to use HTTPS¶
New in version 21.4.
It is possible to make VSA use HTTPS instead of HTTP by enabling tls=true
in its configuration. When this is enabled
The VSA will try to load the PKCS12 keystore/archive file definied using pkcs12File
and the password definied using
pkcs12Password
. When VSA is loading the PKCS12 there is an option to select which certificate to use by setting the
pkcs12CertificateAlias
to the alias of that certificate. Also worth noting is that if your VSA is configured for
direct access using vsaURI
this must also be updated to use https://
as scheme.
tls=true
pkcs12File=/directory/of/keystore.p12
pkcs12Password=thekeystorepassword
pkcs12CertificateAlias=thealiasofthecertificate
Example of creating a pkcs12 keystore/archive:
openssl req -x509 -newkey rsa:4096 -keyout myPrivateKey.pem -out myCertificate.crt -days 3650 -nodes
openssl pkcs12 -export -out keyStore.p12 -inkey myPrivateKey.pem -in myCertificate.crt```