Commit Graph

337 Commits

Author SHA1 Message Date
Scott Lamb c271cfa2b5 make Writer enforce maximum recording duration
My installation recently somehow ended up with a recording with a
duration of 503793844 90,000ths of a second, way over the maximum of 5
minutes. (Looks like the machine was pretty unresponsive at the time
and/or having network problems.)

When this happens, the system really spirals. Every flush afterward (12
per minute with my installation) fails with a CHECK constraint failure
on the recording table. It never gives up on that recording. /var/log
fills pretty quickly as this failure is extremely verbose (a stack
trace, and a line for each byte of video_index). Eventually the sample
file dirs fill up too as it continues writing video samples while GC is
stuck. The video samples are useless anyway; given that they're not
referenced in the database, they'll be deleted on next startup.

This ensures the offending recording is never added to the database, so
we don't get the same persistent problem. Instead, writing to the
recording will fail. The stream will drop and be retried. If the
underlying condition that caused a too-long recording (many
non-key-frames, or the camera returning a crazy duration, or the
monotonic clock jumping forward extremely, or something) has gone away,
the system should recover.
2019-01-29 08:26:36 -08:00
Scott Lamb 3ba3bf2b18 backend support for live stream (#59)
This is so far completely untested, for use by a new UI prototype.

It creates a new URL endpoint which sends one video/mp4 media segment
per key frame, with the dependent frames included. This means there will
be about one key frame interval of latency (typically about a second).
This seems hard to avoid, as mentioned in issue #59.
2019-01-21 15:58:52 -08:00
Scott Lamb 95a8c2e78d support .mp4 files > 13.25 hours
Use version 1 of the mvhd, tkhd, and mdhd boxes to support 64-bit
durations. 2^32 units / 90,000 units/sec / 60 sec/min / 60 min/hr ~=
13.25 hrs.

Compatibility: looks like Chrome, Firefox, VLC, and ffmepg all support
version 1 with no problem.
2019-01-07 00:59:32 -08:00
Scott Lamb b9e6a6461f fix streamer tests broken by 4cc796f
That commit rewrote the db/writer.rs tests. But the flush op they
used before was also used by src/streamer.rs tests. Reintroduce it.
2019-01-06 07:07:04 -08:00
Scott Lamb 4cc796f697 properly test fix for #64
I went with the third idea in 1ce52e3: have the tests run each iteration
of the syncer explicitly. These are messy tests that know tons of
internal details, but I think they're less confusing and racy than if I
had the syncer running in a separate thread.
2019-01-04 16:11:58 -08:00
Scott Lamb 1ce52e334c fix #64 (extraneous flushes)
Now each syncer has a binary heap of the times it plans to do a flush.
When one of those times arrives, it rechecks if there's something to do.
Seems more straightforward than rechecking each stream's first
uncommitted recording, especially with the logic to retry failed flushes
every minute.

Also improved the info! log for each flush to see the actual recordings
being flushed for better debuggability.

No new tests right now. :-( They're tricky to write. One problem is that
it's hard to get the timing right: a different flush has to happen
after Syncer::save's database operations and before Syncer::run calls
SimulatedClocks::recv_timeout with an empty channel[*], advancing the
time. I've thought of a few ways of doing this:

   * adding a new SyncerCommand to run something, but it's messy (have
     to add it from the mock of one of the actions done by the save),
     and Box<dyn FnOnce() + 'static> not working (see
     rust-lang/rust#28796) makes it especially annoying.

   * replacing SimulatedClocks with something more like MockClocks.
     Lots of boilerplate. Maybe I need to find a good general-purpose
     Rust mock library. (mockers sounds good but I want something that
     works on stable Rust.)

   * bypassing the Syncer::run loop, instead manually running iterations
     from the test.

Maybe the last way is the best for now. I'm likely to try it soon.

[*] actually, it's calling Receiver::recv_timeout directly;
Clocks::recv_timeout is dead code now? oops.
2019-01-04 13:47:44 -08:00
Scott Lamb 55fa458288 fix confusing variable name + comment 2019-01-04 06:16:25 -08:00
Scott Lamb de643f9f8d include segments in debug output 2018-12-29 13:15:01 -06:00
Scott Lamb eb8a51aecb add a url for getting debug info about a .mp4 file
and add a unit test of path decoding along the way
2018-12-29 13:09:16 -06:00
Scott Lamb 1123adec5d try upgrading travis-ci setup to xenial
This no longer requires installing ffmpeg manually, so there should be
significantly less data to cache (faster runs). The build step itself
should also be faster when the cache is unavailable/stale.

Also sneak in a change from "pkg-config" to "pkgconf" package in the
scripts and travis CI. They didn't match the manual instructions; make
them all consistent. They both seem to work fine, but I gather pkgconf
is the newer thing. Its roadmap is here and notes that distros are
moving toward it.

https://github.com/pkgconf/pkgconf/wiki/Roadmap
2018-12-29 12:21:57 -06:00
Scott Lamb b5387af3d4 lose "extern crate" everywhere (Rust 2018 edition) 2018-12-28 21:59:39 -06:00
Scott Lamb f5703b9968 introduce typed errors and use in mp4 code
Fixes #46. If there are no video_sample_entries, it returns
InvalidArgument, which gets mapped to a HTTP 400. Various other failures
turn into non-500s as well.

There are many places that can & should be using typed errors, but it's
a start.
2018-12-28 17:30:33 -06:00
Scott Lamb 0b0f4ec9ed NLL-inspired simplifications to db.rs
* remove intermediate bool from adjust_day.

* rewrite LockedDatabase::list_aggregate_recordings.
  I started by collapsing the flush into the first part of the if, in a
  similar way to adjust_day. But then I refactored more and ended up
  with a structure that probably would have been allowed with the old
  lexical borrow checker. I think it's more readable, and it does 1
  btree operation per row where before it did 2 or 3.
2018-12-28 15:10:12 -06:00
Scott Lamb 699ec87968 upgrade to 2018 Rust edition
This is mostly just "cargo fix --edition" + Cargo.toml changes.
There's one fix for upgrading to NLL in db/writer.rs:
Writer::previously_opened wouldn't build with NLL because of a
double-borrow the previous borrow checker somehow didn't catch.
Restructure to avoid it.

I'll put elective NLL changes in a following commit.
2018-12-28 14:59:06 -06:00
Scott Lamb ff58f24785 update deps 2018-12-28 10:13:03 -06:00
Scott Lamb 3644548018 fix some outdated comments in slices.rs 2018-12-28 10:04:47 -06:00
Scott Lamb 89fa35a2f7 be slightly more graceful on bad /view.mp4 (#46)
Before, this would panic from the reactor thread. After, it returns a
internal server error. Still not ideal, but better.

To return "bad request" as it should, mp4::FileBuilder::build() should
return a new error type that distinguishes "invalid argument" from
"internal" and the like. I'm thinking of using a ErrorKind enum
throughout the program that's similar to grpc::StatusCode.
2018-12-28 09:01:47 -06:00
Scott Lamb 4580038013 fix --require-auth flag
Apparently with docopt, --require-auth=false doesn't work, so booleans
with a default value of true can't be turned off. Toggle the default to
false to deal with this, for now. I'd prefer the default be true, but
I also would prefer to not use a negative --no-require-auth or
--allow-unauthenticated flag. I think I'll switch from docopt to clap
in the near future; it seems to be what the cool kids use.
2018-12-28 08:39:50 -06:00
Scott Lamb 54ebc6ec2f install the tzdata package from scripts
Fixes #53
2018-12-27 16:34:35 -06:00
Scott Lamb 278a87d5fd tweaks to guide/secure.md
after reading the rendered version online
2018-12-27 16:29:26 -06:00
Scott Lamb 24674f5b50 document proxy setup in guide/secure.md (for #26)
The guide is not as quick to follow and amateur-friendly as I'd like. A
few things that might improve matters:

   * complete #27 (built-in https+letsencrypt), so that when not sharing
     the port, users don't need to use nginx or certbot.
   * more ubiquitous IPv6 (out of my control but should happen over
     time) to reduce need to share the port
   * embed a dynamic DNS client
   * support UPnP Internet Gateway Device Control Protocol (if common
     routers have this enabled? probably not for security reasons.)

It's progress, though. Enough that I think I'll merge the auth branch
into master shortly.
2018-12-27 16:00:15 -06:00
Scott Lamb 3c1163dfe2 use SameSite=Strict (for #26)
I initially chose SameSite=Lax because I thought if a user followed a
link to the landing page, the landing page's ajax requests wouldn't send
the cookie. But I just did an experiment, and that's not true. Only the
initial page load (of a .html file) lacks the cookie. All of its
resources and ajax requests send the cookie. I'm not sure about
document.cookie accesses, but my cookie is HttpOnly anyway, so it's
irrelevant. So no reason to be lax.
2018-12-01 22:04:54 -08:00
Scott Lamb 3f76096a81 add Cache-Control: private hdr to non-static stuff
for #26
2018-12-01 16:55:10 -08:00
Scott Lamb 4f87c16c31 Merge branch 'master' into auth 2018-12-01 15:27:54 -08:00
Scott Lamb 35e6891221 update all Rust deps 2018-12-01 15:20:19 -08:00
Scott Lamb 087fdafc61 endpoint to debug --trust-forward-hdrs for #26 2018-12-01 00:44:19 -08:00
Scott Lamb d35a4592e3 Merge branch 'master' into auth 2018-12-01 00:06:43 -08:00
Scott Lamb b2bdccb507 Javascript fix for unauthenticated case
newTimeFormat didn't handle newTimeZone not having been called well.
Restore the prior behavior of having called newTimeZone(null), which was
apparently good enough.
2018-12-01 00:04:43 -08:00
Scott Lamb 131c5e0640 Fix "no garbage row for <id>" flush failure loops
Add some comments along the way.

Fixes #63.
2018-12-01 00:03:43 -08:00
Scott Lamb 7a81d36562 support proxy forwarded headers
I went with legacy headers (X-Real-IP, X-Forwarded-Proto) because they
appear to be more widely supported than the RFC 7239 Forwarded header.
2018-11-28 14:49:56 -08:00
Scott Lamb 4daf618c29 fix a couple compile errors in 422cd2a
I just ran a "cargo test" on this after a round of tweaks, not
"cargo test --all", so I missed compile errors in the db crate,
and a Javascript lint config error. travis-ci caught these.
2018-11-27 12:23:44 -08:00
Scott Lamb 422cd2a75e preliminary web support for auth (#26)
Some caveats:

  * it doesn't record the peer IP yet, which makes it harder to verify
    sessions are valid. This is a little annoying to do in hyper now
    (see hyperium/hyper#1410). The direct peer might not be what we want
    right now anyway because there's no TLS support yet (see #27).  In
    the meantime, the sane way to expose Moonfire NVR to the Internet is
    via a proxy server, and recording the proxy's IP is not useful.
    Maybe better to interpret a RFC 7239 Forwarded header (and/or
    the older X-Forwarded-{For,Proto} headers).

  * it doesn't ever use Secure (https-only) cookies, for a similar reason.
    It's not safe to use even with a tls proxy until this is fixed.

  * there's no "moonfire-nvr config" support for inspecting/invalidating
    sessions yet.

  * in debug builds, logging in is crazy slow. See libpasta/libpasta#9.

Some notes:

  * I removed the Javascript "no-use-before-defined" lint, as some of
    the functions form a cycle.

  * Fixed #20 along the way. I needed to add support for properly
    returning non-OK HTTP statuses to signal unauthorized and such.

  * I removed the Access-Control-Allow-Origin header support, which was
    at odds with the "SameSite=lax" in the cookie header. The "yarn
    start" method for running a local proxy server accomplishes the same
    thing as the Access-Control-Allow-Origin support in a more secure
    manner.
2018-11-27 11:08:33 -08:00
Scott Lamb 679370c77a Merge branch 'master' into auth 2018-11-20 11:26:26 -08:00
Scott Lamb 61af963a64 Merge branch 'master' into auth 2018-11-20 11:10:47 -08:00
Scott Lamb 496f7d7e3a upgrade some JS deps to work with node 11
Fixes #62

* added travis config for latest node as well as 8.

* ran "yarn upgrade -P webpack-dev-server", which caused the upath
  dependency to be upgraded. I arrived at this by inspecting yarn.lock
  for the things depending on upack, along with some trial and error.
  ("yarn upgrade -P chokidar" was less successful.)
2018-11-20 11:06:20 -08:00
Scott Lamb 071be03c6f update most deps, notably including reqwest
Fixes #60

The reqwest dependency is significant because the old version required
an old version of openssl, complicating compilation on newer platforms.
reqwest also pulled in old/duplicate versions of hyper, tokio, etc.
Nice to drop a lot of that cruft.

I left rusqlite and uuid alone because they had breaking changes I
didn't want to mess with at the moment.

Bumped the minimum Rust version to 1.30.0, as required by the
new encoding_rs crate (and perhaps other things).
2018-11-20 09:32:55 -08:00
Scott Lamb 8a5056b253 "moonfire-nvr config" support for users (for #26) 2018-11-02 07:15:48 -07:00
Scott Lamb f9d4b5bb8a fix accidental dependency on rust 1.30.0
travis-ci's 1.27.0 build failed with:

error[E0658]: access to extern crates through prelude is experimental (see issue #44660)
   --> db/auth.rs:159:6
    |
159 | impl rusqlite::types::FromSql for FromSqlIpAddr {
    |      ^^^^^^^^
2018-11-02 07:02:08 -07:00
Scott Lamb 75f233da79 initial db layer work for authentication (#26) 2018-11-01 23:25:06 -07:00
Scott Lamb aa81eae65a more robust timezone detection (fixes #12) 2018-08-31 17:19:24 -07:00
Scott Lamb fc0bc51bed build and lint the UI in travis-ci
This is a separate item in the matrix, so it doesn't go through this for
each of the three Rust versions.
2018-08-31 08:19:56 -07:00
Scott Lamb ee3da33470 fix trailing whitespace in Javascript
I want to make travis-ci enforce that everything passes lint.
Get it in a good state first.
2018-08-31 07:31:22 -07:00
Scott Lamb 8adf6f4bc7 extend cache timeout
300 is insufficient for nightly, perhaps due to the extra weight of
the optimized build for the benchmark.
2018-08-31 00:01:30 -07:00
Scott Lamb d7e0fcc3ba cache ffmpeg build in travis-ci
Hopefully this will significantly speed up builds.
2018-08-30 23:10:12 -07:00
Scott Lamb 955a0a8c15 upgrade to hyper 0.12.x
Just one (intentional) functional change---now the streamers start
shutting down while the webserver shuts down gracefully.
2018-08-29 22:26:19 -07:00
Scott Lamb 91ef07b9a7 bump required rust to 1.27
1.26 doesn't work with the updated rusqlite:

error[E0658]: use of unstable library feature 'duration_extras' (see issue #46507)
  --> /home/travis/.cargo/registry/src/github.com-1ecc6299db9ec823/rusqlite-0.14.0/src/busy.rs:26:49
   |
26 |             .and_then(|t| t.checked_add(timeout.subsec_millis().into()))
   |                                                 ^^^^^^^^^^^^^
2018-08-28 21:47:02 -07:00
Scott Lamb 0cc4d191c0 bump minimum Rust version to 1.26
1.25 also fails with the upgraded reffers because u128 isn't stable:

error[E0658]: 128-bit type is unstable (see issue #35118)
   --> /home/travis/.cargo/git/checkouts/reffers-rs-0d00fc7f893338b3/49a4d75/src/rc_bitmask.rs:194:34
    |
194 | rc_bit_mask_internal!(primitive, u128, 42, 42, 42);
    |                                  ^^^^
2018-08-27 21:32:51 -07:00
Scott Lamb 6ab416caed bump minimum Rust version
travis-ci pointed out that building with 1.21 broke with a recent dep
upgrade (8c52c36). reffers now uses nested groups of imports, which is a
feature introduced with Rust 1.25. Prior to 1.25, it fails as follows:

error: expected one of `,` or `as`, found `::`
 --> /home/travis/.cargo/git/checkouts/reffers-rs-0d00fc7f893338b3/49a4d75/src/arc.rs:6:46
  |
6 | use std::sync::atomic::{AtomicUsize, Ordering::SeqCst};
  |                                              ^^ expected one of `,` or `as` here
2018-08-25 06:33:50 -07:00
Scott Lamb a10e77d98e update cursive from 0.7 to 0.9 2018-08-24 22:14:03 -07:00
Scott Lamb 8c52c36b51 upgrade a few deps 2018-08-24 22:06:14 -07:00