Wednesday, July 25, 2012

TrendNet TV-IP322P and ZoneMinder

A continuation of our homebrew security project, we visit enabling the camera in ZoneMinder. After a harrowing experience with compiling and installing Zoneminder (I'd almost go with the Linux "motion" application instead), I have the TrendNet TV-IP322P cameras working in ZoneMinder. Once Zoneminder is compiled and running, the next thing is to get the settings right to allow Zoneminder to watch the camera and record events.

This required the following settings for these cameras :
  • General Tab/Name: the name you wish Zoneminder to have for the camera
  • General Tab/Source Type: Remote
  • General Tab/Function: Modetect - this is to allow it to detect motion
  • Source Tab/Remote Protocol: HTTP
  • Source Tab/Remote Method: Simple
  • Source Tab/Remote Host Name: admin:password@ipaddress (example : "admin:mypass@"
  • Source Tab/Remote Host Port: 80 (unless you've changed the setting in the camera)
  • Source Tab/Remote Host Path: /cgi/jpg/image.cgi
  • Source Tab/Capture Width: 1280
  • Source Tab/Capture Height: 1024
Verifying brought success :
ideventmonitorcausetimedurationframesalarm framestotal scoreavg scoremax score
1NorthWest-1NorthWest Motion07/25 12:46:4213.24 5030206611
2NorthWest-2NorthWest Motion07/25 12:47:046.76244923
3NorthWest-3NorthWest Motion 07/25 12:47:23 11.434424226916
However, after attempting to get ZoneMinder to send immediate notifications to Nagios, and also after finding I was getting 3fps out of ZoneMinder, I opted to try a different method, Linux motion. That was simpler to set up, but two downsides :
  • ZoneMinder allows multiple "zones" or "sensitive areas" on an image stream, motion only allows one (but it can be more complex than the four sides of ZoneMinders).
  • motion doesn't work with multiple cameras very well - you'll have to set up separate motion instances with separate motion.conf files for each one.
So, next up : Linux motion.

Tuesday, July 24, 2012

ZoneMinder CentOS 6.2 64bit

A continuation of our project, homebrew security project, we need to tie in a security camera. I've started trying to install zoneminder in CentOS for the homesecurity project. So far, I haven't been able to locate an RPM for it, but I should be able to use the source. First, grab the source and prepare to compile it :

  1. wget
  2. tar xzvf ZoneMinder-1.25.0.tar.gz
  3. cd ZoneMinder-1.25.0
I kept having problems compiling, so I'll hold off on the configure line that I was using at the time (until after the errors are described). Those errors were :
zm_mpeg.h:63: error: use of enum ‘PixelFormat’ without previous declaration
zm_mpeg.h:64: error: ISO C++ forbids declaration of ‘AVOutputFormat’ with no type
zm_mpeg.h:64: error: expected ‘;’ before ‘*’ token
zm_mpeg.h:65: error: ISO C++ forbids declaration of ‘AVFormatContext’ with no type
zm_mpeg.h:65: error: expected ‘;’ before ‘*’ token
zm_mpeg.h:66: error: ISO C++ forbids declaration of ‘AVStream’ with no type
zm_mpeg.h:66: error: expected ‘;’ before ‘*’ token
zm_mpeg.h:67: error: ISO C++ forbids declaration of ‘AVFrame’ with no type
zm_mpeg.h:67: error: expected ‘;’ before ‘*’ token
zm_mpeg.h:68: error: ISO C++ forbids declaration of ‘AVFrame’ with no type
zm_mpeg.h:68: error: expected ‘;’ before ‘*’ token
zm_mpeg.h:69: error: ISO C++ forbids declaration of ‘uint8_t’ with no type
zm_mpeg.h:69: error: expected ‘;’ before ‘*’ token
zm_mpeg.h:85: error: ‘uint8_t’ has not been declared
In file included from zm_zone.h:27,
from zm_monitor.h:27,
from zmc.cpp:27:
Digging in, I found that my configure was also giving some errors :
checking libavutil/avutil.h usability... no
checking libavutil/avutil.h presence... no
checking for libavutil/avutil.h... no
checking libavcodec/avcodec.h usability... no
checking libavcodec/avcodec.h presence... no
checking for libavcodec/avcodec.h... no
checking libavformat/avformat.h usability... no
checking libavformat/avformat.h presence... no
checking for libavformat/avformat.h... no
checking libswscale/swscale.h usability... no
checking libswscale/swscale.h presence... no
checking for libswscale/swscale.h... no
Just as an FYI, I was using the ffmpeg-devel package from the repositories. For those, the include files are in your /usr/include/ffmpeg directory, not /usr/include. Digging into the configure script, I found a few things I could change to make it compile, so now I will provide the configure line :
CPPFLAGS=”-I/usr/include/ffmpeg -I/usr/include” CFLAGS=”-I/usr/include/ffmpeg -I/usr/include” CXXFLAGS=”-D__STDC_CONSTANT_MACROS -I/usr/include/ffmpeg -I/usr/include” ./configure –with-webdir=/var/www/html/zm –with-cgidir=/var/www/cgi-bin –with-libarch=lib64 –with-ffmpeg=/usr –with-webuser=apache –with-webgroup=apache ZM_DB_HOST=localhost ZM_DB_NAME=zm ZM_DB_USER=zmuser ZM_DB_PASS=zmpass –with-extralibs=”-L/usr/lib64 -L/usr/lib64/mysql” ZM_SSL_LIB=openssl
Then I ran into a segmentation fault. The backtrace looked like :
[root@cottonwoodheights ZoneMinder-1.25.0]# gdb zmc
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
Reading symbols from /usr/local/bin/zmc...(no debugging symbols found)...done.
(gdb) run -m 1
Starting program: /usr/local/bin/zmc -m 1
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff71f6700 (LWP 21926)]

Program received signal SIGABRT, Aborted.
0x00000039b0832885 in raise () from /lib64/
Missing separate debuginfos, use: debuginfo-install SDL-1.2.14-3.el6.x86_64 alsa-lib-1.0.22-3.el6.x86_64 bzip2-libs-1.0.5-7.el6_0.x86_64 dbus-libs-1.2.24-5.el6_1.x86_64 enca-1.13-1.el6.x86_64 expat-2.0.1-11.el6_2.x86_64 ffmpeg-libs-0.10.2-3.el6.x86_64 flac-1.2.1-6.1.el6.x86_64 fontconfig-2.8.0-3.el6.x86_64 freetype-2.3.11-6.el6_2.9.x86_64 fribidi-0.19.2-2.el6.x86_64 glibc-2.12-1.47.el6_2.12.x86_64 gnutls-2.8.5-4.el6_2.2.x86_64 gsm-1.0.13-4.el6.x86_64 keyutils-libs-1.4-3.el6.x86_64 krb5-libs-1.9-22.el6_2.1.x86_64 libICE-1.0.6-1.el6.x86_64 libSM-1.1.0-7.1.el6.x86_64 libX11-1.3-2.el6.x86_64 libXau-1.0.5-1.el6.x86_64 libXext-1.1-3.el6.x86_64 libXfixes-4.0.4-1.el6.x86_64 libXi-1.3-3.el6.x86_64 libXtst- libass-0.10.0-1.el6.x86_64 libasyncns-0.8-1.1.el6.x86_64 libcdio-0.81-3.1.el6.x86_64 libcom_err-1.41.12-11.el6.x86_64 libdc1394-2.1.2-3.4.el6.x86_64 libgcc-4.4.6-4.el6.x86_64 libgcrypt-1.4.5-9.el6_2.2.x86_64 libgpg-error-1.7-4.el6.x86_64 libjpeg-6b-46.el6.x86_64 libogg-1.1.4-2.1.el6.x86_64 libraw1394-2.0.4-1.el6.x86_64 librtmp-2.3-3.el6.x86_64 libselinux-2.0.94-5.2.el6.x86_64 libsndfile-1.0.20-5.el6.x86_64 libstdc++-4.4.6-4.el6.x86_64 libtasn1-2.3-3.el6_2.1.x86_64 libtheora-1.1.0-2.el6.x86_64 libusb1-1.0.3-1.el6.x86_64 libuuid-2.17.2-12.4.el6.x86_64 libv4l-0.6.3-2.el6.x86_64 libvorbis-1.2.3-4.el6_2.1.x86_64 libxcb-1.5-1.el6.x86_64 mysql-libs-5.1.61-4.el6.x86_64 nss-softokn-freebl-3.12.9-11.el6.x86_64 openal-soft-1.12.854-1.el6.x86_64 openjpeg-libs-1.3-7.el6.x86_64 openssl-1.0.0-20.el6_2.5.x86_64 pcre-7.8-4.el6.x86_64 pulseaudio-libs-0.9.21-14.el6_3.x86_64 speex-1.2-0.12.rc1.1.el6.x86_64 tcp_wrappers-libs-7.6-57.el6.x86_64 x264-libs-0.120-5.20120303.el6.x86_64 xvidcore-1.3.2-3.el6.x86_64 zlib-1.2.3-27.el6.x86_64
(gdb) bt
#0 0x00000039b0832885 in raise () from /lib64/
#1 0x00000039b0834065 in abort () from /lib64/
#2 0x00000000004142be in Logger::logPrint(bool, char const*, int, int, char const*, ...) ()
#3 0x000000000046d675 in Zone::Load(Monitor*, Zone**&) ()
#4 0x000000000043c78c in Monitor::Load(int, bool, Monitor::Purpose) ()
#5 0x00000000004068a8 in main ()
Splashing a few fprintf(stderr,...) messages throughout the code, I got the zmc command down to the following error:
Zone 1/All for monitor camera-name extends outside of image dimensions, 0, 0, 1279, 1039
Aborted (core dumped)
I added another fprintf(stderr...) line right above the panic line with that error, and pow, I knew what the problem was: the monitor was set up at 1280x1024, and the "Zone" (the motion rectangle) is for 1280x1040. Looking in the DB, yes indeed, the Zone was set badly. I corrected the DB entry, restarted zoneminder, and the camera was STILL showing up in red, meaning it wasn't able to view the camera. So, off to /var/log/messages to see if anything is showing up in there :
Jul 23 12:40:39 security setroubleshoot: SELinux is preventing from write access on the sock_file zmdc.sock. For complete SELinux messages. run sealert -l 5dde3dda-0d7c-47db-8bfd-5ce7e48fb992 Jul 23 12:40:40 security setroubleshoot: SELinux is preventing uptime from read access on the file /var/run/utmp. For complete SELinux messages. run sealert -l 17270870-69b2-4101-9955-53415acf164f
Hmmm. SELinux again bites me. After a few runs of grabbing data from the audit log (again, the process is "append the AVC error into a separate log file, run audit2allow, enable the module, and try again. Repeat if necessary.") That got me suddenly into the mode where the source is in yellow, not red (meaning the camera is "operational"). But the camera image kept coming up blank. Back to /var/log/messages :
Jul 25 09:42:19 security zmc_m1[2544]: ERR [Error while decoding frame 0]
Jul 25 09:42:19 security zmc_m1[2544]: ERR [256: 00 00 01 b6 51 f4 18 08 85 f7 53 f8 bc 64 17 c1 68 13 c7 79 b1 9c 4d 8c 5c 31 e4 bd 78 38 80 35 18 27 87 60 3a da 9a 69 12 4e a6 db 6b 7b fc ea dd 6b 90 98 f0 8f 13 f3 6b 08 70 22 9a 0a d0 f8 61 dd 6b 84 20 b9 45 ba 06 2c 95 8d 82 41 2e 1c 07 61 42 c2 e7 05 3e 0d 8a eb 0b 86 e7 d2 a2 4c 8c fc 46 50 9b ab b2 26 07 0a 22 67 9c 11 ed a3 e8 d0 1d 45 99 44 36 ea 6b 05 a1 f0 0c 0c 82 be 20 03 8d f3 a0 e2 92 50 e8 59 43 86 87 22 f4 b8 0f 40 18 8e 5b e0 68 32 0a 79 08 23 26 d6 86 29 c9 01 35 c0 ba 43 dc 1e 8d 86 ec 1d 19 f8 44 f6 c1 70 d3 62 10 68 c9 38 38 84 28 f0 bd a0 72 41 9b 70 30 75 01 e1 4b b8 c0 38 ac 88 32 07 15 99 0a 7d d9 37 66 ec 4e 0b b0 70 b4 62 1e 14 8c 4a c2 63 a1 5b 07 42 d1 04 c4 3a 14 0d 7e 87 a0 91 07 06 81 c1 f8 c8 28 b4 20 e3 a1 f8 26 b8 32 08]
Next, I simply tried various configurations until I had one that worked. Next - the configuration for the camera.

Tuesday, July 17, 2012

SELinux/Nagios, and you

I tell ya, selinux almost had me convinced to throw in the towel. I'd find another solution, and then another problem. This went on for the weekend. I didn't throw in the towel, though, because I wanted the system locked down more than the "oh, just disable selinux" crowd would have.

selinux kept preventing nagios from starting up. Here's what I had to ultimately do :
  1. temporarily disable selinux : "setenforce 0"
  2. start nagios : "/etc/init.d/nagios start"
  3. let it run and do it's checks for ten minutes
  4. restart nagios : "/etc/init.d/nagios restart"
  5. stop nagios : "/etc/init.d/nagios stop"
  6. run sealert to build a policy : "sealert -a /var/log/audit/audit.log" - this gave a "catch all" way to create a new module for selinux.
  7. followed the instructions provided by sealert in the previous step on creating and enabling the module.
  8. re-enable selinux : "setenforce 1"
However, there was a problem I just couldn't fix. The disk_check plugin would only work on / - not on /home . I figured this was selinux, but I could never see a message in the usual /var/log/audit/audit.log - I couldn't do the normal "throw the audit log file at 'sealert -a' and build a policy, then use that". Thankfully, a nice website came to the rescue (I'll leave out's name to protect the guilty). Though the solution was NOT in the immediate results, tweaking the search request finally yielded something that wasn't NRPE related :

My hat is off to this guy. It's a one-line command that fixes the problem.

Finally, the How-To for forked-daapd on CentOS 6.2 64 Bit

FYI, I have superseded this post - I got very frustrated with recompiling the whole kit and caboodle every time I did an update just to have this running.  So, I opted for the mt-daapd server, and it was easier to install, less external dependencies, and still did everything I needed it to.  Try this post before continuing on!

Okay, I'm finally getting to the point of writing up how I finally got forked-daapd installed on my CentOS 6.2 64 Bit media server. It was a pain, but it works.

My process was : try to configure, compile, and install. If it failed, deal with the problem and repeat.

Simple process, but there was a LOT that was problematic.

First, the dependencies (you will need the rpmfusion repository configured) :

yum install gcc glibc-devel avahi-devel ffmpeg-devel libplist-devel taglib-devel flac-devel libunistring-devel java libgcrypt-devel mxml-devel libevent-devel alsa-lib-devel gettext-devel libconfuse-devel gperf zlib-devel ant ant-antlr ant-apache-bcel ant-junit ant-trax antlr tcl-devel git

You will note that we need a stringtemplate RPM as well (hard to find, so I slapped a copy at I needed to search a bit for one, as it's not in the regular distro, but grab that one.

This should get ALMOST everything. Note that sqlite has to be recompiled. In order to satisfy dependencies, I rebuilt that into an RPM to replace what was there (this one has the option required for forked-daapd). A few others were not found, so I slapped them together, building a number of these RPM's. Currently, the source RPM's are available here :

You will also want to install the -devel packages for each one once you've built good system packages. You can seamlessly replace any sqlite packages. Note that upgrades might not work with the custom sqlite, but it's easy to grab the source RPM for the upgraded sqlite, add the param, and then upgrade it manually, then the system should update again.

Once those dependencies are installed, you must toss in mxml (available from (after compiling and installing, copy the mxml.pc file into the appropriate location, mine was /usr/share/pkgconfig/), and then libavl (available from :

  1. Edit the make file, and Comment out "CFLAGS ?= -O2 -fomit-frame-pointer -pipe -mcpu=i686 -w"
  2. Add a new CFLAGS Line :
    CFLAGS = -fPIC -O2 -fomit-frame-pointer -pipe -Wall -g
  3. Replace all "$(LIBRARIES)" variables with "$(LIBRARY)" due to a bug.
  4. Save and Close
  5. Build and install :
    gmake -f GNUmakefile ; gmake -f GNUmakefile install
Now, open the forked-daapd source code, but grab a specific version (you might need to install git if you didn't get it installed earlier) specific for the iTunes 10.5.x functionality (otherwise it will time out) :
  1. mkdir tmp
  2. cd tmp/
  3. git clone
  4. cd forked-daapd
  5. git checkout itunes_v10_5
  6. autoreconf -i
  7. ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-flac --enable-musepack --enable-itunes
  8. make
  9. make install
To run the app, first modify your configuration (/etc/forked-daapd.conf), and then add a user :
useradd -s /sbin/nologin -M -r -d /var/cache/forked-daapd -c "iTunes service account" daapd