Security
- Configure API keys
- Enable TLS/HTTPS
- Use IAM roles for S3 access
- Configure firewall rules
- Implement rate limiting
Deployment Guide
Deploy Mend Media Processing Engine to production environments.
Docker Deployment Recommended
Section titled “Docker Deployment ”Prerequisites
Section titled “Prerequisites”- Docker 20.10+
- Docker Compose 2.0+
- S3-compatible storage (AWS S3, MinIO, or Cloudflare R2)
Quick Start
Section titled “Quick Start”-
Clone and Configure
Terminal window cd /path/to/mendcp config.example.yaml config.yamlcp .env.example .env -
Edit Configuration
config.yaml server:port: 8080mode: releaseapi_keys:- "${API_KEY_1}"redis:addr: redis:6379password: ""db: 0s3:region: us-east-1access_key_id: "${AWS_ACCESS_KEY_ID}"secret_access_key: "${AWS_SECRET_ACCESS_KEY}"worker:concurrency: 10processing:temp_dir: /tmp/mendffmpeg_path: /usr/bin/ffmpeg.env AWS_ACCESS_KEY_ID=your_keyAWS_SECRET_ACCESS_KEY=your_secretAWS_REGION=us-east-1API_KEY_1=your_secure_api_key -
Start Services
Terminal window docker-compose up -dThis starts:
- Redis (job queue)
- API server (port 8080)
- Worker processes (2 replicas)
- MinIO (optional, port 9000)
- Prometheus (optional, port 9091)
-
Verify Deployment
Terminal window # Check healthcurl http://localhost:8080/health# View logsdocker-compose logs -f apidocker-compose logs -f worker
Scaling Workers
Section titled “Scaling Workers”Adjust worker replicas in docker-compose.yaml:
worker: deploy: replicas: 5 # Increase for more throughputThen scale:
docker-compose up -d --scale worker=5Kubernetes Deployment
Section titled “Kubernetes Deployment”Prerequisites
Section titled “Prerequisites”- Kubernetes 1.20+
- kubectl configured
- Helm 3+ (optional)
Basic Deployment
Section titled “Basic Deployment”-
Create Namespace
Terminal window kubectl create namespace mend -
Create Secrets
Terminal window kubectl create secret generic mend-secrets \--from-literal=aws-access-key-id=YOUR_KEY \--from-literal=aws-secret-access-key=YOUR_SECRET \--from-literal=api-key=$(openssl rand -hex 32) \-n mend -
Create ConfigMap
Terminal window kubectl create configmap mend-config \--from-file=config.yaml \-n mend -
Deploy Redis
Terminal window kubectl apply -f deployments/k8s/redis.yaml -n mend -
Deploy API and Worker
Terminal window kubectl apply -f deployments/k8s/api.yaml -n mendkubectl apply -f deployments/k8s/worker.yaml -n mend -
Expose API
Terminal window kubectl apply -f deployments/k8s/service.yaml -n mendkubectl apply -f deployments/k8s/ingress.yaml -n mend
Example Manifests
Section titled “Example Manifests”apiVersion: apps/v1kind: Deploymentmetadata: name: mend-apispec: replicas: 2 selector: matchLabels: app: mend-api template: metadata: labels: app: mend-api spec: containers: - name: api image: mend:latest command: ["/app/api"] ports: - containerPort: 8080 name: http - containerPort: 9090 name: metrics env: - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: name: mend-secrets key: aws-access-key-id - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: name: mend-secrets key: aws-secret-access-key - name: API_KEY_1 valueFrom: secretKeyRef: name: mend-secrets key: api-key volumeMounts: - name: config mountPath: /app/config.yaml subPath: config.yaml livenessProbe: httpGet: path: /health/live port: 8080 initialDelaySeconds: 10 periodSeconds: 30 readinessProbe: httpGet: path: /health/ready port: 8080 initialDelaySeconds: 5 periodSeconds: 10 resources: requests: memory: "256Mi" cpu: "250m" limits: memory: "512Mi" cpu: "500m" volumes: - name: config configMap: name: mend-configapiVersion: apps/v1kind: Deploymentmetadata: name: mend-workerspec: replicas: 3 selector: matchLabels: app: mend-worker template: metadata: labels: app: mend-worker spec: containers: - name: worker image: mend:latest command: ["/app/worker"] env: - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: name: mend-secrets key: aws-access-key-id - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: name: mend-secrets key: aws-secret-access-key volumeMounts: - name: config mountPath: /app/config.yaml subPath: config.yaml - name: temp mountPath: /tmp/mend resources: requests: memory: "512Mi" cpu: "500m" limits: memory: "2Gi" cpu: "2000m" volumes: - name: config configMap: name: mend-config - name: temp emptyDir: {}apiVersion: v1kind: Servicemetadata: name: mend-apispec: selector: app: mend-api ports: - name: http port: 80 targetPort: 8080 - name: metrics port: 9090 targetPort: 9090 type: ClusterIP---apiVersion: networking.k8s.io/v1kind: Ingressmetadata: name: mend-api annotations: cert-manager.io/cluster-issuer: letsencrypt-prodspec: tls: - hosts: - api.yourdomain.com secretName: mend-tls rules: - host: api.yourdomain.com http: paths: - path: / pathType: Prefix backend: service: name: mend-api port: number: 80Horizontal Pod Autoscaling
Section titled “Horizontal Pod Autoscaling”apiVersion: autoscaling/v2kind: HorizontalPodAutoscalermetadata: name: mend-worker-hpaspec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: mend-worker minReplicas: 2 maxReplicas: 10 metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 70 - type: Resource resource: name: memory target: type: Utilization averageUtilization: 80Systemd Deployment
Section titled “Systemd Deployment”For running directly on a Linux server:
-
Build Binaries
Terminal window make build -
Install Binaries
Terminal window sudo cp bin/api /usr/local/bin/mend-apisudo cp bin/worker /usr/local/bin/mend-workersudo chmod +x /usr/local/bin/mend-* -
Create Service Files
/etc/systemd/system/mend-api.service [Unit]Description=Mend API ServerAfter=network.target redis.service[Service]Type=simpleUser=mendWorkingDirectory=/opt/mendExecStart=/usr/local/bin/mend-apiRestart=alwaysRestartSec=5Environment="AWS_ACCESS_KEY_ID=your_key"Environment="AWS_SECRET_ACCESS_KEY=your_secret"[Install]WantedBy=multi-user.target/etc/systemd/system/mend-worker.service [Unit]Description=Mend WorkerAfter=network.target redis.service[Service]Type=simpleUser=mendWorkingDirectory=/opt/mendExecStart=/usr/local/bin/mend-workerRestart=alwaysRestartSec=5Environment="AWS_ACCESS_KEY_ID=your_key"Environment="AWS_SECRET_ACCESS_KEY=your_secret"[Install]WantedBy=multi-user.target -
Enable and Start
Terminal window sudo systemctl daemon-reloadsudo systemctl enable mend-api mend-workersudo systemctl start mend-api mend-worker# Check statussudo systemctl status mend-apisudo systemctl status mend-worker
Production Checklist
Section titled “Production Checklist”Reliability
- Set up Redis persistence
- Configure health checks
- Enable auto-restart
- Set resource limits
- Configure backups
Monitoring
- Set up Prometheus
- Configure Grafana dashboards
- Enable log aggregation
- Set up alerting
- Track queue metrics
Scaling
- Configure auto-scaling
- Optimize worker count
- Use load balancer
- Enable caching
- Monitor performance
Monitoring
Section titled “Monitoring”Prometheus Metrics
Section titled “Prometheus Metrics”Available at http://localhost:9090/metrics
Key Metrics:
mend_jobs_total- Total jobs processedmend_queue_depth- Current queue depthmend_job_duration_seconds- Job processing timemend_worker_utilization- Worker utilization
Grafana Dashboard
Section titled “Grafana Dashboard”Import the provided dashboard for comprehensive monitoring:
Queue Metrics
- Queue depths by type
- Jobs per second
- Processing throughput
Performance
- Job duration histograms
- Success/failure rates
- Worker utilization
System Health
- CPU and memory usage
- Disk space
- Redis connection status
Log Aggregation
Section titled “Log Aggregation”Structured JSON logs to stdout. Use:
- ELK Stack (Elasticsearch, Logstash, Kibana)
- Loki + Grafana
- CloudWatch Logs (AWS)
- Datadog or New Relic
Performance Tuning
Section titled “Performance Tuning”worker: concurrency: 20 # Increase for more throughputGuidelines:
- CPU-bound: 1-2x CPU cores
- I/O-bound: 2-4x CPU cores
- Monitor and adjust based on metrics
worker: queues: image: 5 # Highest priority video: 3 # Medium priority audio: 2 # Low priority default: 1 # Lowest priority- Use SSD for temp directory
- Enable S3 Transfer Acceleration
- Use CloudFront for distribution
- Implement caching layer
processing: ffmpeg_path: /usr/bin/ffmpeg ffmpeg_args: - "-hwaccel" - "cuda" # or vaapi, qsvRequires GPU support in Docker container
Troubleshooting
Section titled “Troubleshooting”API Won’t Start
Section titled “API Won’t Start”# Check logsdocker-compose logs api
# Common issues:# - Redis not accessible# - Invalid config.yaml# - Port already in useWorker Not Processing
Section titled “Worker Not Processing”# Check worker logsdocker-compose logs worker
# Verify Redis connectionredis-cli -h localhost ping
# Check queue statusredis-cli LLEN asynq:queues:imageFFmpeg Errors
Section titled “FFmpeg Errors”# Verify FFmpeg is installeddocker-compose exec worker ffmpeg -version
# Check file permissionsdocker-compose exec worker ls -la /tmp/mendHigh Memory Usage
Section titled “High Memory Usage”- Reduce worker concurrency
- Increase worker replicas (distribute load)
- Monitor temp directory cleanup
- Check for memory leaks in logs
Next Steps
Section titled “Next Steps”Monitor Performance
Set up Metrics & Monitoring
Understand Architecture
Read the Architecture Guide
Configure Webhooks
Set up Webhooks