Security Camera System

Requirements:

• To manage up to four security cameras.
• To record the video stream promptly on off-site storage. Motion detection is much desired, i.e. not sending non-moving images.
• To see the video from off-site, i.e. while travelling.
• To aim the cameras from off-site (PTZ = Pan, Tilt, Zoom).
• To send an alert when a threatening image is seen.
• To resist denial of service attacks preventing image capture and storage.

Issues:

• We want to avoid a big, expensive commercial solution.
• We have our own servers locally and off-site, and prefer them to a cloud solution not under our control.
• Open source software is very much preferred.
• We want low maintenance plus high reliability.
• Retention period of the video must be at least 10 days. Over 30 days is probably of little use. This is controlled by the expected maximum length of our trips.
• Continuous transmission of high-rate video is not appreciated.
  • I'm thinking of a slow frame rate, like 2 or 1 frame per second.
  • Aggressive compression per frame will be used.
  • Aggressive inter-frame compression is also desired (like MPEG-3).
  • It would be really nice to omit long static periods.
• A wired connection to the camera is most resistant to DoS, is most reliable, and uses less scarce bandwidth. We have the IP infrastructure. But running the wires is likely impractical and we will probably end up with Wi-Fi and a wall wart.

Picking the software.

Jason Antman's Blog: Motion Activated Recording (2018-05-12)

He reviews four software packages: ZoneMinder, Kerberos.io, Shinobi, and Motion. His requirements have a lot in common with mine:

• GPL on Raspberry Pi or similar.
• At least 2 cameras, ideally up to 6.
• Access via a HTTP(s?) reverse proxy with certificate auth (of the client?)
• Live streaming of the current video streams, with camera aiming (referred to as PTZ = Pan, Tilt, Zoom).
• List, search and play back saved video from the UI.
• Mobile access, either a web GUI or a dedicated app are OK.
• Motion detection to trigger recording and notification scripts. (And it should be possible to switch to always streaming, temporarily).
• On demand manual recording.
• Detect a failed camera (accidental or nefarious) and notify.
• Notification when the software process dies or the server dies.

These features are bonuses for Jason:

Runs in Docker.

Written in a language he knows: Python or Ruby.

Only uses HTTP.

Nice multi-camera view.

Jason had a lot of trouble with ZoneMinder, Kerberos.io, and Shinobi. With Motion Project he had some good experience in the past, and went with this package. But see his update…

Jason Antman's Blog, Continued (2018-07-02)

Motion Project didn't work out for him, but he was able to find a Docker image of ZoneMinder that he could get to work. He's running it on a HP Elite 8200 (desktop machine) with an Intel Core i7-2600, quad core @3.4GHz, 16Gb RAM, 2Tb rotating disc. This machine has plenty of resources for his task.

ZoneMinder

A full-featured, open source, state-of-the-art video surveillance software system. Product hype: It's FOSS. You control the data (i.e. provide your own server). Works with a huge list of cameras. Easy to install. APIs for 3rd party integration. zmNinja mobile app. Jimc says: what is their business model?

Resources required: image height*width * color bits/px * history size * number of cameras. (Divide by 8 bits/byte.) You need history to see the image sequence leading up to a threat being detected. Wiki author suggests 50 frames (at what frame rate?) H.264 compression requires its own history. There are ZM admin processes, plus whatever else your server is doing. Author suggests 2x or 2.5x the basic history storage.

Recommended to use a greyscale or RGB24 palette; others may take extra CPU. Greyscale takes 1/3 the CPU of color, duh.

Sample disc space calculation: 4 cameras, 320x240px (what color space? probably 8bit), 1fps except during alarms, stores 60Gb/week.

ZoneMinder can use its own password auth, or can be covered by web server auth.

ZoneMinder originated around 2002 and is still actively maintained. It has bits and pieces in Perl, PHP, C++, JavaScript (at least).

Jason Antman's comments: He started out inclined favorably to ZoneMinder, but it had a very bad interaction with Docker, and he never got it working enough to test the motion detection. (Later someone pointed him at a more successful Docker image, and he switched to that one, junking Motion Project.)

Kerberos.io

Jason Antman's comments: It meets his criteria and the product hype claims that it works in the areas he had trouble with, in ZoneMinder. It's one negative aspect is that the free version only handles one camera. Instructions are provided for running several instances for several cameras. Installation and setup were mostly a piece of cake. However, he had trouble setting up motion detection because the GUI was non-intuitive. Once he got over that, it was very sub-optimal about dealing with a disc that was close to filling up; in a production situation it would have deleted the file with the initial triggering event with the thief visible. So he gave up on Kerberos.io.

Shinobi

Jason Antman's comments: The website and docs seem well maintained. It's written in Node.js. There is a Community Edition (updated for major changes or bugfixes) and the Pro Edition. The latter is free (Creative Commons license) for non-commercial use. It satisfies most of his requirements. Installation in Docker went reasonably smoothly. It has its own user management. Setup was OK though it helps to read the documentation :-) If your web-enabled camera requires a query-string, Automatic URL Parsing will trash it; turn that feature off. The web UI is reported as mobile friendly (though he didn't test it). Streaming 2 cameras to the multi view page required 5% of his desktop's CPU and 100Mb RAM.

As for motion detection: the docs are skimpy and have fallen behind the real program. He finally found the Advanced Settings toggle, Simple by default, low contrast, in the lower right corner of the Monitor Settings page. He got motion detection sort of working, but with docs apparently for a different version, and with bugs in the viewer. At this point he went on to the next software package.

Motion Project

Jason Antman's comments: He has used this one in the past, including on an original Raspberry Pi model B, and had good results. It has a lot of good features; the one that jimc specifically notices is, it can use any of MySQL, PostgreSQL, and SQLite3. The web interface is very basic, but there are add-on web UIs. Jason ended up picking Motion, and MotionEye as the web UI. See his next blog post for a report on setup and testing.

ZoneMinder Installation

Web resources:

• ZoneMinder project website
• Installation Guide for installing updated packages or compiling from source.
• Installing ZoneMinder RPMs on SuSE
• User Guide for initial setup and general use.

ZoneMinder is not officially supported on OpenSuSE; however, there are community and experimental packages on the SuSE Build Service. URL of ZoneMinder package index. I'm going to choose stability over the latest bugfixes: in the community list, home:Monex:stable, version 1.30.4. (1.32.3 is the latest, and is called stable in the list for Leap 15.1.) I downloaded the RPM file directly, rather than adding the containing repo (home:Monex:stable).

Oops, it wants perl-5.28.0 (we have 5.28.1). Version 1.32.3 is OK with perl-5.28.1. But it wants perl-Class-Std-Fast which is not in the standard distro. But it's in home:Monex:unstable.

How to add a sub-repo: zypper addrepo https://download.opensuse.org/repositories/home:Monex:unstable/openSUSE_Tumbleweed/home:Monex:unstable.repo
The addition worked, including downloading the proprietor's GPG key for metadata and package signing.

Now it wants perl-Number-Bytes-Human . This one is in home:Monex:stable. Adding that repo.

Now installing 40 new packages. Guess what, one of them is mariadb which I really would prefer to not have. A search on Google for ZoneMinder postgresql revealed that quite a number of people have asked for it to be supported, but ZM uses a MySQL-ism in an essential way (the responder doesn't say what the problem is), so it's not going to happen without a lot of work. So I'm going to have to put up with MariaDB. 31Mb to download, 203Mb installed.

Product hype from the project website (mostly direct quotes):

• It's free and open source.
• You are in control of your data. That is, the videos are stored on your own server.
• Works with a huge list of cameras.
• Easy to install.
• API's allow for third-party integration.
• zmNinja is the new mobile app.

Google's Play Store has zmNinja-pro for $4.99,

The installation guide has sections for Docker, Ubuntu, Debian, and Red Hat (but no prewritten guide for OpenSuSE). The Red Hat section tells (in reverse order) how to check out the Git repo, how to build a source RPM from the Git sources (most people download it from their repo), how to turn a source RPM into a binary RPM (most people download it from their repo), and in the earliest section, how to install the binary RPM (most people activate their repo and just do sudo yum install zoneminder). See the preceeding section, How To Avoid Known Installation Problems, and read the README file in the docs directory. This procedure should (and for me actually did) carry over directly to OpenSuSE: zypper install ZoneMinder (with the proper repo activated). See /usr/share/doc/packages/ZoneMinder/README.md and README.SuSE . The latter tells you to run their script to initialize the database and the zm_admin user (in MariaDB). You will need to pre-create that user's password; the script will ask for it.

The User Guide tells you how to set up your ZoneMinder for the first time.

After a hiatus I'm coming back to the ZoneMinder project. SuSE Tumbleweed has moved on to perl-5.30.1 (lurched is a better word) and the ZoneMinder instance that required perl-5.28 was forced out. So I need to reinstall. Issues:

• perl-Astro-Sunrise-0.97-1.9.noarch (required by cronj) is still at 5.28.1. Solution: break it. 96 packages to upgrade, mostly perl modules. We're now at perl-5.30.1 on all hosts.
• zypper install ZoneMinder |& tee $j/errs #plus 4 new perl modules. ZoneMinder-1.32.3-13.42.x86_64.rpm is now installed.
• Re-read /usr/share/doc/packages/ZoneMinder/README.{md,SuSE}
• ZoneMinder was installed from Monex <monex@liquid-co.de> obs://build.opensuse.org/home:Monex . Per README.md, the current preferred repo for OpenSuSE may have changed. See the wiki page for SuSE. Good news: the above repo is the correct one.
• I'm using the SuSE OBS repo, baseURL http://download.opensuse.org/repositories/home:/Monex:/stable/openSUSE_Tumbleweed/
• According to the wiki page there are two variants: plain ZoneMinder and ZoneMinder-MP. The latter can serve streaming video using VLC and ffmpeg. That's the one I want. However, the SuSE OBS repo I'm using only has the non-MP version. The one on www.liquid-co.de does have the MP version, but it's designated for Leap 15.1 (not Tumbleweed). And it's back on Perl-5.26. Let's poke sleeping dragons in the tail later.
• It doesn't say this in README.* but it does in the wiki page: generate a password for the MySQL root user, start mysql and then exec mysql_secure_installation. The first time it asks you for the current password (which is a zero length string), and then wants the new password that you just generated. [Done, and password changed from MythTV value.]
• README.SuSE: After installation, generate a strong password for zm_admin. MariaDB being set up with the root password etc, exec zm_database_init . It will ask for this password and will then create or supplement (some file, not /root/.my.cnf) by adding an entry for zm_admin with that password. [Done.]
• Starting ZoneMinder: systemctl start zm.service . (And enable it.) It seems to have started.

User Guide: Initial Setup

Getting Started: what's the URL? See /etc/apache2/vhosts.d/zm.conf . It would appear that out of the box, ZM kind of hijacks the default virtual host on port 80. The master alias is /zm giving a URL of http://jacinth/zm . History of fixing this:

• Using zm.conf as provided: That URL is 404 Not Found.
• Renaming zm.conf to zm.conf.incl, hacking, and including from 00-jacinth-80.conf . 403 either no index or permission denied.
• Logs are written in /var/log/zm/apache-error.log . Is this all logs? Probably all for this virtual host, hiss, boo. Message: No matching DirectoryIndex … and server-generated directory index forbidden by Options directive. I think the CGI isn't getting run. It has index.php, which is not on the directory index list. Added DirectoryIndex index.php.
• 403 permission denied. Option ExecCGI is not on. Added it. Cross fingers that this doesn't turn into a security hole. Did they assume I was going to have mod_php active? Not a chance in this vhost.
• 500 Server Error. End of script output before headers. Because index.php is not executable. And no #! leader. Conclusion: I'm going to need a separate vhost with mod_php turned on. Can it be included in 1445+1446? Try 1445 first.
• 404 Not Found. Server cert does not certify zm.cft.ca.us. Duh. Switching to ServerName zm.cft.ca.us:80
• URL http://zm.cft.ca.us/zm/ finally delivers something: the privacy policy, and a request to allow telemetry. Then you go on to the main page. Success!
• Remaining issue: What do we want to do with the log file?

Initial setup.

• I immediately disloked the color choices in the Classic theme. When I get to the skin swap option, I'll definitely try it.

• Check or set the timezone: Options - System - Timezone. In v1.32 I don't see this option.

• Authentication: turning it on. I made these changes (in Options-System):

  • OPT_USE_AUTH: turn on.
  • AUTH_TYPE: change to Remote, meaning whichever of Apache's methods is available.
  • AUTH_RELAY: hashed (is the default).
  • AUTH_HASH_SECRET: Generate a random password; I think they're doing something like a HMAC. You won't have to type this in.
  • AUTH_HASH_IPS: turn off. It includes the client's IP so only that client can use the session token. This is a big loser if a cellphone switches IPs unexpectedly.
  • AUTH_HASH_TTL: 2 (hours, is the default.)
  • AUTH_HASH_LOGINS: Turn on. Let third party apps use the session cookie for access to the server. Like the mobile app.
  • (Hit Save, then log in. The default user and password is admin/admin. Note, giving a password over HTTP is a security violation, and they'll nag you about it.

• Adding a monitor: the little webcam.

  • Hit the Add button; a popup pops up.
  • From lsusb, it's a Logitech Webcam C250.
  • Hit Presets (uper right corner), see if there's a preset for it. There isn't.
  • Let's see what Probe does. No cameras detected.
  • Using ZoneMinder with a Logitech C270 webcam by Major Hayden, 2015-02-08.
  • wwwrun is already in the video group.
  • What is the device path? I have two devices, /dev/video{0,1}. They correspond to /sys/class/video4linux/video{0,1}. looking at the device paths, both are the same physical device.
  • General tab: Editing the name, source type local, function Modect (motion detection), except I'm starting by picking Monitor. all others at the defaults.
  • Source tab: Device path is /dev/video0 (prefilled), capture method V4L2 (prefilled), format PAL (prefilled), Palette (Major says to use YVUV for the C270; I'm leaving it on Auto); geometry is required (Major says 1280x960). A test with cheese produced a 640x480px geometry and this is what I set.
  • Other tabs: Everything at the default values.
  • Hit Save.
  • Initially Eyeball was tagged red, but after about 30sec it changed to green and claimed to be capturing 14fps.
  • Click on the monitor's name. It seems to be refreshing the page, but doesn't show an image. Monitor is for live streaming, which probably isn't what I want.
  • I turned the function to None, stopping recording.

• OK, so where is the log file? /var/log/debug.

  • Capture bandwidth was up to 2.048e7 byte/sec but usually less.
  • At one point one of the ZM sockets vanished. Either zms never ran, or it exited unexpectedly.
  • [zms_m1] [Unable to authenticate user] Maybe that's why the zms socket vanished. Per a bug report, when he turned off OPT_USE_AUTH this problem went away. Another user turned off AUTH_RELAY and it started working. The problem seems to have appeared recently, i.e. 2019-04-xx and after, with ZM 1.32. Warning, AUTH_RELAY=none will break zmNinja. Brilliant call from Siggemada: mismatch between system timezone and PHP date.timezone.
  • In /etc/php5/cgi/php.ini
    ; http://php.net/date.timezone
    date.timezone = "America/Los_Angeles"
  • In /etc/php7 it's set to UTC or not set at all. Fixing it in all SAPI php.ini files. The operative file is /etc/php7/apache2/php.ini .
  • For me, fixing the timezone did not help.
  • Turning off USE_AUTH did fix it, hiss, boo.
  • A developer mentioned that this is fixed in v1.33, and 1.34 is coming out soon.

Setting Up the Wyze Cam Pan

Their procedure:

• Install the Wyze app. New account details: jimc@jfcarter.net; password = WouldntYouLikeToKnow
• Customer service: https://support.wyzecam.com/ or support@wizecam.com
• Create an account.
• Read the terms of service and privacy policy (took about 1 hour).
• Stop at Add a Device.
• Connect USB power to the camera. The status light comes on yellow. Takes 15sec to boot, after which it calibrates the panner. Light is flashing yellow. Wall wart: input 100-240V 0.35A max, output 5V 200mA max, made in China. Cable length: about 2 meters.
• Hit the setup button. It will answer with a voice prompt, Ready to Connect. Over and over.
• Use the Wyze app to set it up. Select Wyse Cam Pan.
• Enter your Wi-Fi SSID and password. It generates a QR code.
• Hold the phone steady about 6in in front of the camera so it can see the QR code. It will eventually respond QR Code Scanned. Light will flash blue, then go solid blue.
• In the app, give the device a name (wyse1).
• You can share with your POSSLQ, by e-mail, an authorization to use the device. They will need to download the app and set up an account.
• In the app, click on the icon of the camera. First item is to upgrade the firmware. 4.10.3.61 to 4.10.5.34. Takes up to 5min, looks like it might take longer. Actually about 3min.

A Quick 802.11 Signal Survey

(* = outside)

• -33db: Jim's chair 2 meters from the AP antenna.
• -43db: Office near Diamond.
• -43db*: Living room big door, outside.
• -44db*: Front door step.
• -52db: Studio, south end.
• -53db: Upstairs MBR bathroom, farthest inside house from AP.
• -54db*: Garbage cans corner.
• -70db*: Next door neighbor's AP.
• -75db to -90db*: Other neighbors, about 10 of them.