Security Camera System
Requirements:
- To manage up to four security cameras.
- To record the video stream promptly on off-site storage. Motion
detection is much desired, i.e. not sending non-moving images.
- To see the video from off-site, i.e. while travelling.
- To aim the cameras from off-site (PTZ = Pan, Tilt, Zoom).
- To send an alert when a threatening image is seen.
- To resist denial of service attacks preventing image capture and
storage.
Issues:
- We want to avoid a big, expensive commercial solution.
- We have our own servers locally and off-site, and prefer them to
a cloud solution not under our control.
- Open source software is very much preferred.
- We want low maintenance plus high reliability.
- Retention period of the video must be at least 10 days. Over 30 days
is probably of little use. This is controlled by the expected maximum
length of our trips.
- Continuous transmission of high-rate video is not appreciated.
- I'm thinking of a slow frame rate, like 2 or 1 frame per second.
- Aggressive compression per frame will be used.
- Aggressive inter-frame compression is also desired (like MPEG-3).
- It would be really nice to omit long static periods.
- A wired connection to the camera is most resistant to DoS, is most
reliable, and uses less scarce bandwidth. We have the IP
infrastructure. But running the wires is likely impractical and we
will probably end up with Wi-Fi and a wall wart.
Picking the software.
-
Jason Antman's Blog: Motion Activated Recording (2018-05-12)
He reviews four software packages: ZoneMinder, Kerberos.io,
Shinobi, and Motion. His requirements have a lot in common with mine:
- GPL on Raspberry Pi or similar.
- At least 2 cameras, ideally up to 6.
- Access via a HTTP(s?) reverse proxy with certificate auth (of the
client?)
- Live streaming of the current video streams, with camera aiming
(referred to as PTZ = Pan, Tilt, Zoom).
- List, search and play back saved video from the UI.
- Mobile access, either a web GUI or a dedicated app are OK.
- Motion detection to trigger recording and notification scripts.
(And it should be possible to switch to always streaming,
temporarily).
- On demand manual recording.
- Detect a failed camera (accidental or nefarious) and notify.
- Notification when the software process dies or the server dies.
These features are bonuses
for Jason:
- Runs in Docker.
- Written in a language he knows: Python or Ruby.
- Only uses HTTP.
- Nice multi-camera view.
Jason had a lot of trouble with ZoneMinder, Kerberos.io, and
Shinobi. With Motion Project he had some good experience in the past,
and went with this package. But see his update…
-
Jason Antman's Blog, Continued (2018-07-02)
Motion Project didn't work out for him, but he was able to find a
Docker image of ZoneMinder that he could get to work. He's running it on
a HP Elite 8200 (desktop machine) with an Intel Core i7-2600, quad core
@3.4GHz, 16Gb RAM, 2Tb rotating disc. This machine has plenty of resources
for his task.
- ZoneMinder
A full-featured, open source, state-of-the-art video
surveillance software system.
Product hype: It's FOSS. You
control the data (i.e. provide your own server). Works with a huge
list of cameras. Easy to install. APIs for 3rd party integration.
zmNinja mobile app. Jimc says: what is their business model?
Resources required: image height*width * color bits/px * history
size * number of cameras. (Divide by 8 bits/byte.) You need history
to see the image sequence leading up to a threat being detected. Wiki
author suggests 50 frames (at what frame rate?) H.264 compression
requires its own history. There are ZM admin processes, plus whatever
else your server is doing. Author suggests 2x or 2.5x the basic
history storage.
Recommended to use a greyscale or RGB24 palette; others may take
extra CPU. Greyscale takes 1/3 the CPU of color, duh.
Sample disc space calculation: 4 cameras, 320x240px (what color
space? probably 8bit), 1fps except during alarms, stores 60Gb/week.
ZoneMinder can use its own password auth, or can be covered by
web server auth.
ZoneMinder originated around 2002 and is still actively maintained.
It has bits and pieces in Perl, PHP, C++, JavaScript (at least).
Jason Antman's comments: He started out inclined favorably to
ZoneMinder, but it had a very bad interaction with Docker, and he never
got it working enough to test the motion detection. (Later someone
pointed him at a more successful Docker image, and he switched to that
one, junking Motion Project.)
- Kerberos.io
Jason Antman's comments: It meets his criteria and the product
hype claims that it works in the areas he had trouble with, in
ZoneMinder. It's one negative aspect is that the free version only
handles one camera. Instructions are provided for running several
instances for several cameras. Installation and setup were mostly a
piece of cake. However, he had trouble setting up motion detection
because the GUI was non-intuitive. Once he got over that, it was very
sub-optimal about dealing with a disc that was close to filling up; in
a production situation it would have deleted the file with the initial
triggering event with the thief visible. So he gave up on Kerberos.io.
- Shinobi
Jason Antman's comments: The website and docs seem well
maintained. It's written in Node.js. There is a Community Edition
(updated for major changes or bugfixes) and the Pro Edition. The
latter is free (Creative Commons license) for non-commercial use.
It satisfies most of his requirements. Installation in Docker went
reasonably smoothly. It has its own user management.
Setup was OK though it helps to read the documentation :-) If your
web-enabled camera requires a query-string, Automatic URL Parsing
will trash it; turn that feature off. The web UI is reported as mobile
friendly (though he didn't test it). Streaming 2 cameras to the multi
view page required 5% of his desktop's CPU and 100Mb RAM.
As for motion detection: the docs are skimpy and have fallen behind
the real program. He finally found the Advanced Settings toggle,
Simple
by default, low contrast, in the lower right corner
of the Monitor Settings page. He got motion detection sort of working,
but with docs apparently for a different version, and with bugs in
the viewer. At this point he went on to the next software package.
- Motion Project
Jason Antman's comments: He has used this one in the past, including
on an original Raspberry Pi model B, and had good results. It has a
lot of good features; the one that jimc specifically notices is, it can
use any of MySQL, PostgreSQL, and SQLite3. The web interface is very
basic, but there are add-on web UIs. Jason ended up picking Motion,
and MotionEye as the web UI.
See his next blog post for a report on setup and testing.
ZoneMinder Installation
Web resources:
ZoneMinder is not officially supported on OpenSuSE; however, there are
community and experimental packages on the SuSE Build Service. URL of
ZoneMinder package index. I'm going to choose stability over the latest
bugfixes: in the community list, home:Monex:stable, version 1.30.4.
(1.32.3 is the latest, and is called stable in the list for Leap 15.1.)
I downloaded the RPM file directly, rather than adding the containing repo
(home:Monex:stable).
Oops, it wants perl-5.28.0 (we have 5.28.1). Version 1.32.3 is OK with
perl-5.28.1. But it wants perl-Class-Std-Fast which is not in the standard
distro. But it's in home:Monex:unstable.
How to add a sub-repo:
zypper addrepo https://download.opensuse.org/repositories/home:Monex:unstable/openSUSE_Tumbleweed/home:Monex:unstable.repo
The addition worked, including downloading the proprietor's GPG key for
metadata and package signing.
Now it wants perl-Number-Bytes-Human . This one is in home:Monex:stable.
Adding that repo.
Now installing 40 new packages. Guess what, one of them is mariadb
which I really would prefer to not have. A search on Google for
ZoneMinder postgresql
revealed that quite a number of people have asked
for it to be supported, but ZM uses a MySQL-ism in an essential way (the
responder doesn't say what the problem is), so it's not going to happen without
a lot of work. So I'm going to have to put up with MariaDB. 31Mb to download,
203Mb installed.
Product hype from the project website (mostly direct quotes):
- It's free and open source.
- You are in control of your data. That is, the videos are stored on
your own server.
- Works with a huge list of cameras.
- Easy to install.
- API's allow for third-party integration.
- zmNinja is the new mobile app.
Google's Play Store
has zmNinja-pro for $4.99,
The installation guide has sections for Docker, Ubuntu, Debian, and Red Hat
(but no prewritten guide for OpenSuSE). The Red Hat section tells (in reverse
order) how to check out the Git repo, how to build a source RPM from the Git
sources (most people download it from their repo), how to turn a source RPM
into a binary RPM (most people download it from their repo), and in the
earliest section, how to install the binary RPM (most people activate their
repo and just do sudo yum install zoneminder). See the preceeding
section, How To Avoid Known Installation Problems
, and read the README
file in the docs directory. This procedure should (and for me actually did)
carry over directly to OpenSuSE: zypper install ZoneMinder
(with the
proper repo activated). See /usr/share/doc/packages/ZoneMinder/README.md
and README.SuSE . The latter tells you to run their script to initialize
the database and the zm_admin user (in MariaDB). You will need to pre-create
that user's password; the script will ask for it.
The User Guide tells you how to set up your ZoneMinder for the first
time.
After a hiatus I'm coming back to the ZoneMinder project. SuSE Tumbleweed
has moved on to perl-5.30.1 (lurched is a better word) and the ZoneMinder
instance that required perl-5.28 was forced out. So I need to reinstall.
Issues:
- perl-Astro-Sunrise-0.97-1.9.noarch (required by cronj) is still at
5.28.1. Solution: break it. 96 packages to upgrade, mostly perl
modules. We're now at perl-5.30.1 on all hosts.
- zypper install ZoneMinder |& tee $j/errs #plus 4 new perl modules.
ZoneMinder-1.32.3-13.42.x86_64.rpm is now installed.
- Re-read /usr/share/doc/packages/ZoneMinder/README.{md,SuSE}
- ZoneMinder was installed from Monex <monex@liquid-co.de>
obs://build.opensuse.org/home:Monex . Per README.md, the current
preferred repo for OpenSuSE may have changed. See the
wiki page for SuSE. Good news: the above repo is the correct one.
- I'm using the SuSE OBS repo, baseURL
http://download.opensuse.org/repositories/home:/Monex:/stable/openSUSE_Tumbleweed/
- According to the wiki page there are two variants: plain ZoneMinder
and ZoneMinder-MP. The latter can serve streaming video using VLC and
ffmpeg. That's the one I want. However, the SuSE OBS repo I'm using
only has the non-MP version. The one on www.liquid-co.de does have the
MP version, but it's designated for Leap 15.1 (not Tumbleweed). And
it's back on Perl-5.26. Let's poke sleeping dragons in the tail later.
- It doesn't say this in README.* but it does in the wiki page:
generate a password for the MySQL root user,
start mysql and then exec mysql_secure_installation. The first time
it asks you for the current password (which is a zero length string),
and then wants the new password that you just generated. [Done, and
password changed from MythTV value.]
- README.SuSE: After installation, generate a strong password for
zm_admin. MariaDB being set up with the root password etc, exec
zm_database_init . It will ask for this password and will then create
or supplement (some file, not /root/.my.cnf) by adding an entry for zm_admin with that
password. [Done.]
- Starting ZoneMinder: systemctl start zm.service . (And enable it.)
It seems to have started.
User Guide: Initial Setup
Getting Started: what's the URL? See /etc/apache2/vhosts.d/zm.conf .
It would appear that out of the box, ZM kind of hijacks the default virtual
host on port 80. The master
alias is /zm giving a URL of
http://jacinth/zm . History of fixing this:
- Using zm.conf as provided: That URL is 404 Not Found.
- Renaming zm.conf to zm.conf.incl, hacking, and including from
00-jacinth-80.conf . 403 either no index or permission denied.
- Logs are written in /var/log/zm/apache-error.log . Is this all logs?
Probably all for this virtual host, hiss, boo. Message:
No matching DirectoryIndex … and server-generated directory
index forbidden by Options directive.
I think the CGI isn't
getting run. It has index.php, which is not on the directory index
list. Added DirectoryIndex index.php
.
- 403 permission denied. Option ExecCGI is not on. Added it.
Cross fingers that this doesn't turn into a security hole. Did they
assume I was going to have mod_php active? Not a chance in this vhost.
- 500 Server Error. End of script output before headers. Because
index.php is not executable. And no #! leader. Conclusion: I'm going
to need a separate vhost with mod_php turned on. Can it be included
in 1445+1446? Try 1445 first.
- 404 Not Found. Server cert does not certify zm.cft.ca.us. Duh.
Switching to ServerName zm.cft.ca.us:80
- URL http://zm.cft.ca.us/zm/ finally delivers something:
the privacy policy, and a request to allow telemetry. Then you go on
to the main page. Success!
- Remaining issue: What do we want to do with the log file?
Initial setup.
I immediately disloked the color choices in the Classic
theme. When I get to the skin swap option, I'll definitely try it.
Check or set the timezone: Options - System - Timezone. In v1.32
I don't see this option.
Authentication: turning it on. I made these changes (in
Options-System):
- OPT_USE_AUTH: turn on.
- AUTH_TYPE: change to Remote, meaning whichever of Apache's methods
is available.
- AUTH_RELAY: hashed (is the default).
- AUTH_HASH_SECRET: Generate a random password; I think they're
doing something like a HMAC. You won't have to type this in.
- AUTH_HASH_IPS: turn off. It includes the client's IP so only
that client can use the session token. This is a big loser if a
cellphone switches IPs unexpectedly.
- AUTH_HASH_TTL: 2 (hours, is the default.)
- AUTH_HASH_LOGINS: Turn on. Let third party apps use the session
cookie for access to the server. Like the mobile app.
- (Hit Save, then log in. The default user and password is
admin/admin. Note, giving a password over HTTP is a security
violation, and they'll nag you about it.
Adding a monitor: the little webcam.
- Hit the Add button; a popup pops up.
- From lsusb, it's a Logitech Webcam C250.
- Hit Presets (uper right corner), see if there's a preset for it.
There isn't.
- Let's see what
Probe
does. No cameras detected.
-
Using ZoneMinder with a Logitech C270 webcam by Major Hayden,
2015-02-08.
- wwwrun is already in the video group.
- What is the device path? I have two devices, /dev/video{0,1}.
They correspond to /sys/class/video4linux/video{0,1}.
looking at the device paths, both are the same physical device.
- General tab: Editing the name, source type local, function Modect
(motion detection), except I'm starting by picking Monitor.
all others at the defaults.
- Source tab: Device path is /dev/video0 (prefilled), capture method
V4L2 (prefilled), format PAL (prefilled), Palette (Major says
to use YVUV for the C270; I'm leaving it on Auto); geometry is
required (Major says 1280x960). A test with
cheese
produced a 640x480px geometry and this is what I set.
- Other tabs: Everything at the default values.
- Hit Save.
- Initially Eyeball was tagged red, but after about 30sec it changed
to green and claimed to be capturing 14fps.
- Click on the monitor's name. It seems to be refreshing the page,
but doesn't show an image.
Monitor is for live streaming,
which probably isn't what I want.
- I turned the function to None, stopping recording.
OK, so where is the log file? /var/log/debug.
- Capture bandwidth was up to 2.048e7 byte/sec but usually less.
- At one point one of the ZM sockets vanished. Either zms never
ran, or it exited unexpectedly.
- [zms_m1] [Unable to authenticate user] Maybe that's why the zms
socket vanished. Per a bug report, when he turned off OPT_USE_AUTH
this problem went away. Another user turned off AUTH_RELAY and
it started working. The problem seems to have appeared recently,
i.e. 2019-04-xx and after, with ZM 1.32. Warning, AUTH_RELAY=none
will break zmNinja. Brilliant call from Siggemada: mismatch
between system timezone and PHP date.timezone.
- In /etc/php5/cgi/php.ini
; http://php.net/date.timezone
date.timezone = "America/Los_Angeles"
- In /etc/php7 it's set to UTC or not set at all. Fixing it in all
SAPI php.ini files. The operative file is
/etc/php7/apache2/php.ini .
- For me, fixing the timezone did not help.
- Turning off USE_AUTH did fix it, hiss, boo.
- A developer mentioned that this is fixed in v1.33, and 1.34 is
coming out soon.
-
-
Setting Up the Wyze Cam Pan
Their procedure:
- Install the Wyze app. New account details: jimc@jfcarter.net;
password = WouldntYouLikeToKnow
- Customer service: https://support.wyzecam.com/ or support@wizecam.com
- Create an account.
- Read the terms of service and privacy policy (took about 1 hour).
- Stop at
Add a Device
.
- Connect USB power to the camera. The status light comes on yellow.
Takes 15sec to boot, after which it calibrates the panner. Light is
flashing yellow.
Wall wart: input 100-240V 0.35A max, output 5V 200mA max, made in China.
Cable length: about 2 meters.
- Hit the setup button. It will answer with a voice prompt,
Ready to Connect
. Over and over.
- Use the Wyze app to set it up. Select Wyse Cam Pan.
- Enter your Wi-Fi SSID and password. It generates a QR code.
- Hold the phone steady about 6in in front of the camera so it can
see the QR code. It will eventually respond
QR Code Scanned
.
Light will flash blue, then go solid blue.
- In the app, give the device a name (wyse1).
- You can share with your POSSLQ, by e-mail, an authorization to use
the device. They will need to download the app and set up an account.
- In the app, click on the icon of the camera. First item is to upgrade
the firmware. 4.10.3.61 to 4.10.5.34. Takes
up to 5min
, looks
like it might take longer. Actually about 3min.
-
-
A Quick 802.11 Signal Survey
(* = outside)
- -33db: Jim's chair 2 meters from the AP antenna.
- -43db: Office near Diamond.
- -43db*: Living room big door, outside.
- -44db*: Front door step.
- -52db: Studio, south end.
- -53db: Upstairs MBR bathroom, farthest inside house from AP.
- -54db*: Garbage cans corner.
- -70db*: Next door neighbor's AP.
- -75db to -90db*: Other neighbors, about 10 of them.