
RDP Session Video Compression: Configuring Video-Worker

NOTE: This feature is available only in the Enterprise Edition.

1. Introduction

Starting from JumpServer v3.0.0, the Video-Worker component was introduced. Its main purpose is to process recordings created by Razor (RDP Client) and Lion (Web RDP) and convert them into MP4 format for more convenient auditing and reduced disk space usage.

1.1. How It Works
  • After startup, Video-Worker registers itself as a component (similar to Koko) to obtain the recording storage settings where the converted MP4 files will be uploaded.

  • If Video-Worker is enabled in the Lion and Razor configuration, they upload their recordings directly to this component for transcoding.

  • After successful transcoding, the MP4 file is uploaded to the configured storage.

If Lion or Razor cannot upload a recording to Video-Worker, they fall back to uploading it to their own storage.
When default storage is used, recordings are saved in:

core/data/media/replay

Important Notes
  • Video transcoding relies on ffmpeg, which heavily loads the CPU.

  • CPU usage can reach 100%, which is why Video-Worker should NOT be deployed on the same machine as JumpServer.

  • Razor: the recording is first converted into a series of images, and then ffmpeg compiles them into video — this consumes all available CPU cores.

  • Lion (Web RDP): uses the official CLI tool guacenc, which fully loads a single CPU core during the entire process.


1.2. File Size Before and After Transcoding
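| Test | Duration | Original Size | MP4 Size | Space Reduction |
|------|----------|---------------|----------|-----------------|
| Test 1 | 8 hours | 4.1 GB | 0.80 GB | 80.5% |
| Test 2 | 1 hour | 2.4 GB | 0.37 GB | 84.6% |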

1.3. Parameters
| Parameter | Default | Description | Notes |
|-----------|---------|-------------|-------|
| NAME | hostname | Hostname by default | |
| CORE_HOST | http://127.0.0.1:8080 | JumpServer URL used for API registration | Video-worker registers in core just like koko |
| BOOTSTRAP_TOKEN | none | Pre-generated secret key; must match JumpServer config | |
| BIND_HOST | 0.0.0.0 | Bind IP | |
| HTTPD_PORT | 9000 | HTTP/WS port | |
| LOG_LEVEL | INFO | DEBUG / INFO / WARN / ERROR | |
| VIDEO_WORKER_COUNT | 0 | Number of parallel workers; 0 = CPU cores + 1 | If >0, the specified value is used |
| VIDEO_WORKER_SECRET_KEY | '' | Random 32-character key for encryption/decryption | Must be the same for multiple workers |
| VIDEO_WORKER_CLEAN_PERIOD | 7 | Log retention period in days | Cleanup every 24 hours |
| IGNORE_VERIFY_CERTS | False | Ignore HTTPS certificate validation for CORE_HOST | Supported since v3.10.8+ |

2. Enabling Video-Worker on the Main JumpServer (Not Recommended)

JumpServer configuration file:

/opt/jumpserver/config/config.txt

Add the following parameters to enable Windows recording transcoding to MP4:

USE_VIDEO=1 
ENABLE_VIDEO_WORKER=True 
VIDEO_WORKER_HOST=http://jms_video:9000

Restart JumpServer:

jmsctl restart

Note:
Since ffmpeg heavily loads the CPU, running Video-Worker on the same node as JumpServer is not recommended. Consult JumpServer support for planning recommendations.


3. Deploying a Separate Transcoding Server

The JumpServer version on the transcoding server must match the version of the core environment.


3.1. Deployment Using Docker Compose
Example Environment

| Service | IP |
|---------|----|
| JumpServer | 192.168.10.10 |
| Video-Worker | 192.168.10.11 |

Server Preparation

Unpack the JumpServer offline package and prepare the environment:

tar -zxvf jumpserver-offline-release-v3.10.9-amd64.tar.gz
cd /opt/jumpserver-offline-release-v3.10.9-amd64/scripts
./2_install_docker.sh      # install Docker
docker load -i images/video-worker:v3.10.9.tar

Video-Worker Configuration

Edit:

vim /data/config.txt

Example config:

CORE_HOST=http://192.168.10.10:8080
BOOTSTRAP_TOKEN=YTc1NjNmNDItZjNlYS00NTMw   # must match the JumpServer config

IGNORE_VERIFY_CERTS=true  # ignore the HTTPS certificate when connecting to CORE_HOST

VIDEO_WORKER_COUNT=6       # number of parallel tasks
VIDEO_WORKER_CLEAN_PERIOD=7  # log cleanup period (in days)

HTTPD_PORT=9000
LOG_LEVEL=ERROR
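
The script below is an added example, not part of the original documentation or of JumpServer: it audits a Video-Worker config.txt for the security-relevant settings from the parameters table (plain-HTTP CORE_HOST, IGNORE_VERIFY_CERTS, a missing or sample BOOTSTRAP_TOKEN, VIDEO_WORKER_SECRET_KEY length) and for a world-readable file mode. The function names, finding texts and the values treated as "enabled" (true, 1) are assumptions.

```shell
#!/bin/sh
# Added example (not JumpServer code): audit a Video-Worker env file.
# Prints one finding per line; returns 1 if anything was found.
SAMPLE_TOKEN='YTc1NjNmNDItZjNlYS00NTMw'   # sample value shown on this page

# cfg_get FILE KEY: last value of KEY, minus inline comment and quotes.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

audit_video_worker_config() {
    f=$1; found=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    core=$(cfg_get "$f" CORE_HOST)
    token=$(cfg_get "$f" BOOTSTRAP_TOKEN)
    key=$(cfg_get "$f" VIDEO_WORKER_SECRET_KEY)
    noverify=$(cfg_get "$f" IGNORE_VERIFY_CERTS | tr 'A-Z' 'a-z')
    # An unset CORE_HOST means the loopback default from the parameters table.
    case ${core:-http://127.0.0.1:8080} in
        https://*|http://127.0.0.1:*|http://localhost:*) ;;
        *) echo "CORE_HOST: plain HTTP to a remote core, registration is unencrypted"; found=1 ;;
    esac
    # Assumption: "true" and "1" are the values that enable the switch.
    case $noverify in true|1) echo "IGNORE_VERIFY_CERTS: certificate validation is off"; found=1 ;; esac
    case $token in
        '') echo "BOOTSTRAP_TOKEN: not set"; found=1 ;;
        "$SAMPLE_TOKEN") echo "BOOTSTRAP_TOKEN: documentation sample value"; found=1 ;;
    esac
    if [ "${#key}" -ne 32 ]; then
        echo "VIDEO_WORKER_SECRET_KEY: ${#key} characters, not 32"; found=1
    fi
    # The file holds secrets, so other users should not be able to read it.
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "PERMISSIONS: $f is world-readable"; found=1
    fi
    return "$found"
}

# Demo on a constructed copy of this page's example config (mode 600 via mktemp).
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'CORE_HOST=http://192.168.10.10:8080' \
        'BOOTSTRAP_TOKEN=YTc1NjNmNDItZjNlYS00NTMw   # must match JumpServer' \
        'IGNORE_VERIFY_CERTS=true  # ignore HTTPS certificate' >"$tmp"
    audit_video_worker_config "$tmp"; rc=$?
    rm -f "$tmp"; return "$rc"
}
if [ "$#" -gt 0 ]; then audit_video_worker_config "$1"; else demo || true; fi
```

Pass the path of the real file (for example /data/config.txt) as the first argument; a non-zero exit status means at least one finding.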

Docker Compose file
vim /data/docker-compose-video.yml

version: '2.4'

services:
  video:
    image: registry.fit2cloud.com/jumpserver/video-worker:v3.10.9
    container_name: jms_video
    hostname: jms_video
    cpus: 2
    ulimits:
      core: 0
    restart: always
    tty: true
    ports:
      - 9000:9000
    env_file:
      - /data/config.txt
    volumes:
      - /data/video/data:/opt/video/data
    healthcheck:
      test: "curl -fsL http://localhost:9000/video-worker/health/ > /dev/null"
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s
    networks:
      - video_net

# Top-level definition required by the video_net reference above
networks:
  video_net:

JumpServer Configuration
vim /opt/jumpserver/config/config.txt

ENABLE_VIDEO_WORKER=true
VIDEO_WORKER_HOST=http://192.168.10.11:9000

Managing Video-Worker

docker-compose -f docker-compose-video.yml up -d   # start
docker-compose -f docker-compose-video.yml down    # stop

3.2. Deployment Using Original JumpServer Files
Configure the Transcoding Server

Edit:

vim /opt/jumpserver/config/config.txt

Disable unnecessary components:

CORE_ENABLED=0
CELERY_ENABLED=0
KOKO_ENABLED=0
LION_ENABLED=0
MAGNUS_ENABLED=0
CHEN_ENABLED=0
KAEL_ENABLED=0
PANDA_ENABLED=0
WEB_ENABLED=0
XRDP_ENABLED=0

USE_VIDEO=1
ENABLE_VIDEO_WORKER=True
CORE_HOST=http://192.168.10.10:8080
BOOTSTRAP_TOKEN=YTc1NjNmNDItZjNlYS00NTMw

Then update the corresponding YAML files and restart:

cd /opt/jumpserver-offline-release-v3.10.9-amd64/compose/
jmsctl restart

JumpServer Side Configuration
vim /opt/jumpserver/config/config.txt

ENABLE_VIDEO_WORKER=true
VIDEO_WORKER_HOST=http://192.168.10.11:9000

Update YAML files:

cd /opt/jumpserver-offline-release-v3.10.9-amd64/compose/

And restart:

jmsctl restart

Diagnostics

If transcoding fails, check two possible areas:

1. Transcoding logs

Find the session log by session ID:

video/data/tasks/{id}

2. Lion and Razor logs

If there is no corresponding task entry, the issue may be related to file upload to Video-Worker.
