diff --git a/guide/build.md b/guide/build.md index ec581e7..3deaeab 100644 --- a/guide/build.md +++ b/guide/build.md @@ -23,7 +23,7 @@ See the [github page](https://github.com/scottlamb/moonfire-nvr) (in case you're not reading this text there already). You can download the bleeding-edge version from the commandline via git: -``` +```console $ git clone https://github.com/scottlamb/moonfire-nvr.git $ cd moonfire-nvr ``` @@ -32,8 +32,8 @@ $ cd moonfire-nvr This command should prepare a deployment image for your local machine: -``` -$ docker buildx build --load --tag=moonfire-nvr -f docker/Dockerfile . +```console +$ sudo docker buildx build --load --tag=moonfire-nvr -f docker/Dockerfile . ```
@@ -47,8 +47,8 @@ $ docker buildx build --load --tag=moonfire-nvr -f docker/Dockerfile . due to an error in `libseccomp`, as described [in this askubuntu.com answer](https://askubuntu.com/a/1264921/1365248). Try running in a privileged builder. As described in [`docker buildx build` documentation](https://docs.docker.com/engine/reference/commandline/buildx_build/#allow), run this command once: - ``` - $ docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure' + ```console + $ sudo docker buildx create --use --name insecure-builder --buildkitd-flags '--allow-insecure-entitlement security.insecure' ``` then add `--allow security.insecure` to your `docker buildx build` commandlines.
@@ -59,11 +59,11 @@ helpful to use the `dev` target. This is a self-contained developer environment which you can use from its shell via `docker run` or via something like Visual Studio Code's Docker plugin. -``` -$ docker buildx build \ +```console +$ sudo docker buildx build \ --load --tag=moonfire-dev --target=dev -f docker/Dockerfile . ... -$ docker run \ +$ sudo docker run \ --rm --interactive=true --tty \ --mount=type=bind,source=$(pwd),destination=/var/lib/moonfire-nvr/src \ moonfire-dev @@ -86,8 +86,8 @@ architecture. On the author's macOS machine with Docker desktop 3.0.4, building for multiple platforms at once will initially fail with the following error: -``` -$ docker buildx build ... --platform=linux/arm64/v8,linux/arm/v7,linux/amd64 +```console +$ sudo docker buildx build ... --platform=linux/arm64/v8,linux/arm/v7,linux/amd64 [+] Building 0.0s (0/0) error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use") ``` @@ -107,8 +107,8 @@ caveats: suggests a workaround of building all three then using caching to quickly load the one of immediate interest: ``` - $ docker buildx build --platform=linux/arm64/v8,linux/arm/v7,linux/amd64 ... - $ docker buildx build --load --platform=arm64/v8 ... + $ sudo docker buildx build --platform=linux/arm64/v8,linux/arm/v7,linux/amd64 ... + $ sudo docker buildx build --load --platform=arm64/v8 ... ``` On Linux hosts (as opposed to when using Docker Desktop on macOS/Windows), @@ -190,7 +190,7 @@ in "Maintenance LTS" or "Active LTS" status: currently v12 or v14. On recent Ubuntu or Raspbian Linux, the following command will install most non-Rust dependencies: -``` +```console $ sudo apt-get install \ build-essential \ libavcodec-dev \ @@ -212,7 +212,7 @@ manager](https://nodejs.org/en/download/package-manager/#debian-and-ubuntu-based On macOS with [Homebrew](https://brew.sh/) and Xcode installed, try the following command: -``` +```console $ brew install ffmpeg node ``` @@ -224,7 +224,7 @@ your Linux distribution's Rust packages, which tend to be too old. Once prerequisites are installed, you can build the server and find it in `target/release/moonfire-nvr`: -``` +```console $ cd server $ cargo test $ cargo build --release @@ -233,7 +233,7 @@ $ sudo install -m 755 target/release/moonfire-nvr /usr/local/bin You can build the UI via `npm` and find it in the `ui/build` directory: -``` +```console $ cd ui $ npm install $ npm run build @@ -246,7 +246,7 @@ $ sudo rsync --recursive --delete --chmod=D755,F644 ui/build/ /usr/local/lib/moo The author finds it convenient for local development to set up symlinks so that the binaries in the working copy will run via just `nvr`: -``` +```console $ sudo mkdir /usr/local/lib/moonfire-nvr $ sudo ln -s `pwd`/ui/build /usr/local/lib/moonfire-nvr/ui $ sudo mkdir /var/lib/moonfire-nvr @@ -308,7 +308,7 @@ Internet](secure.md). Some handy commands: -``` +```console $ sudo systemctl daemon-reload # reload configuration files $ sudo systemctl start moonfire-nvr # start the service now $ sudo systemctl stop moonfire-nvr # stop the service now (but don't wait for it finish stopping) diff --git a/guide/install.md b/guide/install.md index bc87f38..4fe4869 100644 --- a/guide/install.md +++ b/guide/install.md @@ -13,7 +13,16 @@ instead want to build Moonfire NVR yourself, see the [Build instructions](build.md). First, install [Docker](https://www.docker.com/) if you haven't already, -and verify `docker run --rm hello-world` works. +and verify `sudo docker run --rm hello-world` works. + +
+ sudo or not? + +If you prefer to save typing by not prefixing all `docker` and `nvr` commands +with `sudo`, see [Docker docs: Manage Docker as a non-root +user](https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user). +Note `docker` access is equivalent to root access security-wise. +
Next, you'll need to set up your filesystem and the Moonfire NVR user. @@ -30,7 +39,7 @@ Moonfire NVR keeps two kinds of state: On most Linux systems, you can create the user as follows: -``` +```console $ sudo useradd --user-group --create-home --home /var/lib/moonfire-nvr moonfire-nvr ``` @@ -41,19 +50,44 @@ and managing a long-lived Docker container for its web interface. As you set up this script, adjust the `tz` variable as appropriate for your time zone. +Use your favorite editor to create `/usr/local/bin/nvr`, starting from the +configuration below: + +```console +$ sudo nano /usr/local/bin/nvr +(see below for contents) +$ sudo chmod a+rx /usr/local/bin/nvr ``` -sudo sh -c 'cat > /usr/local/bin/nvr' <<'EOF' + +`/usr/local/bin/nvr`: +```bash #!/bin/bash -e +# Set your timezone here. tz="America/Los_Angeles" -container_name="moonfire-nvr" + +# or eg "scottlamb/moonfire-nvr:v0.6.5" to specify a particular version. image_name="scottlamb/moonfire-nvr:latest" +container_name="moonfire-nvr" common_docker_run_args=( --mount=type=bind,source=/var/lib/moonfire-nvr,destination=/var/lib/moonfire-nvr + + # Add additional mount lines here for each sample file directory + # outside of /var/lib/moonfire-nvr, eg: + # --mount=type=bind,source=/media/nvr/sample,destination=/media/nvr/sample + --user="$(id -u moonfire-nvr):$(id -g moonfire-nvr)" + + # This avoids errors with broken seccomp on Raspberry Pi OS. --security-opt=seccomp:unconfined + + # docker's default log driver won't rotate logs properly, and will throw + # away logs when you destroy and recreate the container. Using journald + # solves these problems. + # https://docs.docker.com/config/containers/logging/configure/ --log-driver=journald --log-opt="tag=moonfire-nvr" + --env=RUST_BACKTRACE=1 --env=TZ=":${tz}" ) @@ -65,11 +99,20 @@ run) --detach=true \ --restart=unless-stopped \ "${common_docker_run_args[@]}" \ + + # This is the simplest way of configuring networking, although + # you can use eg --publish=8080:8080 if you prefer. --network=host \ + --name="${container_name}" \ "${image_name}" \ run \ + + # Add any additional `moonfire-nvr run` arguments here, eg + # "--rtsp-library=ffmpeg" if the default "--rtsp-library=retina" + # isn't working. --allow-unauthenticated-permissions='view_video: true' \ + "$@" ;; start|stop|logs|rm) @@ -88,14 +131,12 @@ pull) "$@" ;; esac -EOF -sudo chmod a+rx /usr/local/bin/nvr ``` then try it out by initializing the database: -``` -$ nvr init +```console +$ sudo nvr init ``` This will create a directory `/var/lib/moonfire-nvr/db` with a SQLite3 database @@ -113,7 +154,7 @@ using UAS, as described there. UAS has been linked to filesystem corruption. Set up the mount point: -``` +```console $ sudo vim /etc/fstab $ sudo mkdir /media/nvr $ sudo mount /media/nvr @@ -126,12 +167,7 @@ In `/etc/fstab`, add a line similar to this: UUID=23d550bc-0e38-4825-acac-1cac8a7e091f /media/nvr ext4 nofail,noatime,lazytime,data=writeback,journal_async_commit 0 2 ``` -You'll have to lookup the correct uuid for your disk. One way to do that is -via the following command: - -``` -$ ls -l /dev/disk/by-uuid -``` +You can look up the correct uuid for your disk via `blkid`. If you use the `nofail` attribute in `/etc/fstab` as described above, your system will boot successfully even when the hard drive is unavailable (such as @@ -140,18 +176,14 @@ recovering from problems. Create the sample directory. -``` -sudo mkdir /media/nvr/sample -sudo chown -R moonfire-nvr:moonfire-nvr /media/nvr +```console +$ sudo mkdir /media/nvr/sample +$ sudo chown -R moonfire-nvr:moonfire-nvr /media/nvr ``` Add a new `--mount` line to your Docker wrapper script `/usr/local/bin/nvr` -to expose this new volume to the Docker container, directly below the other -mount lines. It will look similar to this: - -``` - --mount=type=bind,source=/media/nvr/sample,destination=/media/nvr/sample -``` +to expose this new volume to the Docker container, right where a comment +mentions "Additional mount lines". ### Completing configuration through the UI @@ -159,9 +191,18 @@ Once your system is set up, it's time to initialize an empty database and add the cameras and sample directories. You can do this by using the `moonfire-nvr` binary's text-based configuration tool. +```console +$ sudo nvr config 2>debug-log ``` -$ nvr config 2>debug-log -``` + +
+ Did it just return? + +If `nvr config` returns you to the console prompt right away, look in the +`debug-log` file for why. One common reason is that you have Moonfire NVR +running; you'll need to shut it down first. Try `nvr stop` before `nvr config` +and `nvr start` afterward. +
In the user interface, @@ -229,12 +270,12 @@ system](secure.md) first. This command will start a detached Docker container for the web interface. It will automatically restart when your system does. -``` -$ nvr run +```console +$ sudo nvr run ``` You can temporarily disable the service via `nvr stop` and restart it later via -`nvr start`. +`nvr start`. You'll need to do this before and after using `nvr config`. The HTTP interface is accessible on port 8080; if your web browser is running on the same machine, you can access it at diff --git a/guide/schema.md b/guide/schema.md index 23c2004..572bc55 100644 --- a/guide/schema.md +++ b/guide/schema.md @@ -64,14 +64,14 @@ Next ensure Moonfire NVR is not running and does not automatically restart if the system is rebooted during the upgrade. If you followed the Docker instructions, you can do this as follows: -``` -$ nvr stop +```console +$ sudo nvr stop ``` Then back up your SQLite database. If you are using the default path, you can do so as follows: -``` +```console $ sudo -u moonfire-nvr cp /var/lib/moonfire-nvr/db/db{,.pre-upgrade} ``` @@ -91,9 +91,9 @@ manual for write-ahead logging](https://www.sqlite.org/wal.html): Run the upgrade procedure using the new software binary. -``` -$ nvr pull # updates the docker image to the latest binary -$ nvr upgrade # runs the upgrade +```console +$ sudo nvr pull # updates the docker image to the latest binary +$ sudo nvr upgrade # runs the upgrade ``` As a rule of thumb, on a Raspberry Pi 4 with a 1 GiB database, an upgrade might @@ -102,9 +102,9 @@ take about four minutes for each schema version and for the final vacuum. Next, you can run the system in read-only mode, although you'll find this only works in the "insecure" setup. (Authorization requires writing the database.) -``` -$ nvr rm -$ nvr run --read-only +```console +$ sudo nvr rm +$ sudo nvr run --read-only ``` Go to the web interface and ensure the system is operating correctly. If @@ -115,10 +115,10 @@ more complicated. Once you're satisfied, restart the system in read-write mode: -``` -$ nvr stop -$ nvr rm -$ nvr run +```console +$ sudo nvr stop +$ sudo nvr rm +$ sudo nvr run ``` Hopefully your system is functioning correctly. If not, there are two options diff --git a/guide/secure.md b/guide/secure.md index d1933ab..dd2ea3e 100644 --- a/guide/secure.md +++ b/guide/secure.md @@ -190,10 +190,10 @@ effectively allowing them to lie about the client's IP and protocol. To make this take effect, you'll need to stop the running Docker container, delete it, and create/run a new one: -``` -$ nvr stop -$ nvr rm -$ nvr run +```console +$ sudo nvr stop +$ sudo nvr rm +$ sudo nvr run ``` ## 7. Configure the webserver diff --git a/guide/troubleshooting.md b/guide/troubleshooting.md index b7a9e1b..4900fdc 100644 --- a/guide/troubleshooting.md +++ b/guide/troubleshooting.md @@ -106,13 +106,13 @@ Moonfire NVR names a few important thread types as follows: You can use the following command to teach [`lnav`](http://lnav.org/) Moonfire NVR's log format: -``` +```console $ lnav -i misc/moonfire_log.json ``` `lnav` versions prior to 0.9.0 print a (harmless) warning message on startup: -``` +```console $ lnav -i git/moonfire-nvr/misc/moonfire_log.json warning:git/moonfire-nvr/misc/moonfire_log.json:line 2 warning: unexpected path -- @@ -151,7 +151,7 @@ This log message is packed with debugging information: file `/media/14tb/sample/00000003001c1ba6`. On-disk files are named by a fixed eight hexadecimal digits for the stream id and eight hexadecimal digits for the recording id. You can convert with `printf`: - ``` + ```console $ printf '%08x%08x\n' 3 1842086 00000003001c1ba6 ``` @@ -242,8 +242,8 @@ problem in more detail. The simplest solution is to add If you are using the recommended `/usr/local/bin/nvr` wrapper script, add this option to the `common_docker_run_args` section. -``` -$ docker run --rm -it moonfire-nvr:latest +```console +$ sudo docker run --rm -it moonfire-nvr:latest clock_gettime failed: EPERM: Operation not permitted This indicates a broken environment. See the troubleshooting guide. @@ -273,7 +273,7 @@ clean up the excess files. Moonfire NVR will start working again immediately. If Moonfire NVR's own files are too large, follow this procedure: 1. Shut it down via `SIGKILL`: - ``` + ```console $ sudo killall -KILL moonfire-nvr ``` (Be sure to use `-KILL`. It won't shut down properly on `SIGTERM` or `SIGINT`