Table_of_Contents
1.3 Further Reading
2.3 CPU Requirements
2.6.1 ONVIF Device Manager
3.1 Install Cameras
3.1.1 Isolate Cameras From Internet - Optional Security
3.1.2 Identify Camera MAC Addresses
3.1.3 Configure Static IP Address
3.1.4 Configure Individual Cameras
3.1.5 Configure ZoneMinder
3.1.6 Additional Configuration
3.1.7 Add Larger Image Storage Disk
List of Figures
Figure 1: ZoneMinder Console
Figure 2: ZoneMinder Montage
Figure 3: Event Timeline
Figure 4: ONVIF Device Manager Main
Figure 5: ZoneMinder Unconfigured Console
Figure 6: Camera DHCP Leases
Figure 7: ZoneMinder Add Camera General
Figure 8: ZoneMinder Configure Source
Figure 9: ZoneMinder Configuration File
ZoneMinder is a very popular opensource security camera monitoring, motion detection and recording system, with the following features:
Additional SecureOffice / ZoneMinder Features:
ZoneMinder is used for the following major applications:
Managing ZoneMinder Load - Hardware considerations, methods to reduce system load for ZoneMinder.
ZoneMinder Frequently Asked Questions
ZoneMinder Configuration Files
ZoneMinder Hardware Compatibility List - Cameras, capture devices, X10 Home Control
ZoneMinder Logging - for debug purposes
A very good, but slightly dated article pertaining to CPU, Memory and Disks is "Managing ZoneMinder Load", linked in the "Further Reading" section above.
Having read the above article, as in all things, requirements depend on what you want to do with ZoneMinder. In particular, the following questions need to be answered:
Note that high resolutions (greater than 720p) and frame rates (greater than 10 per second) are not useful for a security monitoring system and impose significant costs in terms of CPU, Memory, Storage and IP camera specs. So, if 4K resolution, 6o frames per second, many cameras are desired, this requires very expansive hardware with significant costs. "More" is not always "better". One requirement for very high end ZoneMinder installations is GPU (Graphics Processing Unit) support using high end video cards such as Nvidia. This is outside the scope of this document and SecureOffice. If interested, search the internet for "ZoneMinder GPU Support".
It is assumed SecureOffice is already installed and configured with an active domain, DNS and SSL certificates. Since ZoneMinder is a premium package, a subscription to the SecureOffice premium package repository is required.
Select or verify your existing (old PC's, laptops) hardware using the following sections.
Successful experience has shown that ZoneMinder with 4 IP cameras at 720p, 24 bit color, event detection and recording, also running a Sme-Server virtual machine (this website, in fact) and SecurePBX (phone system) can be successfully run with the following configuration, assuming moderate load such as a home, small business or SOHO installation. Four IP cameras is assumed adequate for any home or small business.
CPU: Quad Core Intel(R) Celeron(R) CPU J1900 @ 1.99GHz (also has MMX, SSE2, AVX2 instructions)
Memory: 8GB
Storage: 2TB Hard Disk
ZoneMinder is integrated with the Luci configuration interface for SecureOffice, so is privately accessible unless configured otherwise.
Figure 1 shows the ZoneMinder console / summary page (Services -> ZoneMinder). It displays configured cameras, camera mode, motion detect events and event storage.
Figure 2 shows the ZoneMinder "Montage" view which displays all configured cameras using a selectable layout.
Figure 3 shows the ZoneMinder "Event Timeline" view. It is accessed by Console, click on the event count for the camera of interest, select "Show Timeline. An events versus time graph is shown. Hover (mouse) any event on the graph and the event will show. Click the event image and the event will play. This is where ZoneMinder really excels: rapidly analyzing and locating events, such as when you were burgarlized.
The cameras are configured for 1280x720 - 720p, 24 bit color at 10 frames per second.
Figure 1: ZoneMinder Console
Figure 2: ZoneMinder Montage
Figure 3: Event Timeline
The load "top" is:
Mem: 5010476K used, 3041708K free, 1155960K shrd, 401264K buff, 3855028K cached
CPU: 44% usr 1% sys 0% nic 47% idle 2% io 0% irq 3% sirq
Load average: 3.31 4.50 4.79 2/191 19424
PID PPID USER STAT VSZ %VSZ %CPU COMMAND
9837 9303 nobody S 394m 5% 8% /usr/bin/zma -m 2
16454 9303 nobody S 388m 5% 7% /usr/bin/zma -m 3
16274 9303 nobody R 365m 5% 6% /usr/bin/zmc -m 3
15370 9303 nobody S 366m 5% 5% /usr/bin/zmc -m 4
9531 9303 nobody S 368m 5% 4% /usr/bin/zma -m 1
15573 9303 nobody S 371m 5% 3% /usr/bin/zma -m 4
9684 9303 nobody S 360m 5% 3% /usr/bin/zmc -m 2
9378 9303 nobody S 360m 5% 2% /usr/bin/zmc -m 1
17432 4183 root S 406m 5% 2% /usr/lib/zoneminder/cgi-bin/nph-zms
17433 4186 root S 406m 5% 2% /usr/lib/zoneminder/cgi-bin/nph-zms
17434 4185 root S 406m 5% 2% /usr/lib/zoneminder/cgi-bin/nph-zms
17435 4188 root S 406m 5% 2% /usr/lib/zoneminder/cgi-bin/nph-zms
The "zmc" process refers to "capture". There are four cameras, so four processes.
The "zma" process refers to "analysis". There are four cameras, so four processes.
What these numbers mean is that the CPU is running at 44% load (headroom for other functions) and adding more cameras or increasing resolution or frame rate may result in not all frames being processed fully and image degradation, plus the potential for interfering with router performance.
Note (Figure 1) that the disk storage consumed by events can become substantial..
This means that, if not carefully managed, ZoneMinder installed on your primary SecureOffice router may interfere with routing and server performance. To eliminate this possibility, ZoneMinder can be installed on another SecureOffice system on your local LAN.
Methods to deal with resource / load management are discussed in the following requirements sections.
ZoneMinder supports a wide range of camera types from analog (USB webcams, video capture devices) to IP cameras. The scope of this document is IP cameras, in particular ONVIF cameras (for ease of camera discovery / configuration) and compliance to standards. To use other camera types, internet research, extra configuration and perhaps installation of additional SecureOffice packages may be required.
The ZoneMinder Hardware Compatability List (Further Reading, above) contains information regarding various cameras, however, any cameras meeting the requirements below should suffice.
The following requirements are mandatory:
The following features are optional:
As previously noted, ZoneMinder is very busy and CPU intensive, mainly due to image decoding / encoding.
SecureOffice / ZoneMinder uses jpeg-turbo, as opposed to standard jpeg for image decoding / encoding. This is reported to increase performance by close to 2X compared to standard jpeg. This performance improvement depends on CPU support for MMX, SSE2, AVX2 instructions. CPUs without these instructions will still work, with reduced image processing performance.
When considering hardware for SecureOffice / ZoneMinder, it is essential to compare proposed CPU performance to confirm it performs at least as well as the J1900.
As an example, if considering i3-5010U as a CPU candidate, compare it to the J1900 at cpu.benchmark.net. This service can be used to compare up to three CPU's. Always use J1900 as the first one.
By the above comparison, the Intel i3-5010U is a good candidate for Secureoffice with Zoneminder.
Hint: First find PCs you are interested in for SecureOffice, then, filter by CPU and memory requirements. Storage can always be added via USB.
Memory consumption is dependent on image pixels (image width, image height), image buffer size (how many images buffered, configuration variable), color bits per pixel (8-greyscale, 24-color, 32-color) and number of cameras.
The ZoneMinder FAQ has an article regarding calculating memory requirements.
Using the example installation above (720p - 1280x720, buffer size = 100, 24bits color):
Memory bytes per camera = (1280x720 x 100 x 24) / 8 bits per byte = 276.48 megabytes
Total memory required = Bytes per camera * 4 = 1.106 GB
According to the above FAQ article, it is recommended to add 20% overhead and double the calculated memory requirement. The result is 2.65GB required from the system tmpfs (ramdisk) of which ZoneMinder can only use half before performance issues. This means the system must have at least double the memory calculated for Zoneminder. The result is ZoneMinder (for this configuration) requires a system with at least 5.3GB of Memory (round up to 8GB).
Image storage space is dependent upon image size (bytes), images per second (frame rate) from all cameras and desired recording time (before older images overwritten).
The ZoneMinder FAQ has an obsolete article regarding calculating storage requirements. The links within this page are bad, so use the calculations below.
Using the example installation above (720p - 1280x720, 24bits color, 10 frames per second):
Bytes per second per camera = (1280x720 (width, height) x 24 (bits per pixel) 10 (frames per second)) / 8 bits per byte = 27.7 megabytes per second.
Bytes per second = (Bytes per second per camera) x 4 cameras = 110.6 megabytes per second or 0.1106 gigabytes per second.
Recording time (before overwrite, seconds) = (disk size - gigabytes) / (gigabytes per second)
Disk size, gigabytes = (gigabytes per second) / (recording time - seconds)
One day = 24hours x 60 (minutes per hour) x 60 (seconds per minute) = 86400 seconds.
Change to days as time units, for above two equations.
Recording time (before overwrite, days) = (disk size - gigabytes) / (gigabytes per day)
Disk size, gigabytes = (gigabytes per day) / (recording time - days)
For the example system above (2000GB disk):
Recording time (days) = 2000 / (0.116 gigabytes per second * 86400 seconds per day) = 0.21 days = 5 hours before overwriting.
The above calculation assumes ZoneMinder is recording all cameras 24/7 (full Record mode) and indicates that substantial storage is required for any significant history duration. For this reason, ZoneMinder provides the "Modect" mode of operation where images are only stored before and after motion detect events, substantially reducing storage requirements.
This means that storage required is dependent on how busy the cameras are in terms of events per second. A "busy" camera with constant event stream will be 100% saving to disk. An "idle" camera with no events will not store any events / images. This fact means that, due to the unpredictability of events, in "Modect" mode, storage requirements and duration are unpredictable.
Bottom Line Recommendation: Use at least 1TB of external storage or calculate how many hours of 24/7 recording is required. Also consider reducing image and / or color resolution and / or frame rate.
The following utilities are useful for IP camera management.
ONVIF Device Manager is a Network Video Client (NVC) to manage Network Video Transmitters (NVT), Network Video Storage (NVS) and Network Video Analytics (NVA) devices. Implements Discovery, Device, Media, Imaging, Analytics, Events and PTZ services (Windows only). It is useful for the following functions:
To install ONVIF, download ONVIF, click on the downloaded file to install ONVIF, then start ONVIF.
Below is a screenshot of ONVIF showing four auto-discovered cameras, displaying video from one:
Figure 4: ONVIF Device Manager Main
Cameras must be connected to the same LAN as the PC running ONVIF.
ONVIF will be used to determine IP camera parameters in subsequent ZoneMinder configuration. It is also possible to manually add cameras to ONVIF.
From a SecureOffice command prompt, enter "opkg update; opkg install zoneminder". This will install ZoneMinder and all dependencies.
Edit the ZoneMinder configuration file ("/etc/config/zm") to enable ZoneMinder by setting "option enabled '1'". Note the single quotes.
Enter "/etc/init.d/zm enable; "/etc/init.d/zm start" from a command prompt. This configures ZoneMinder to start at boot and starts ZoneMinder.
Using a browser on a PC connected to SecureOffice LAN (wired or WiFi), navigate to <LAN address>/zoneminder. A SSL (site certificate) error will occur. Allow an exception for this site. You will see the ZoneMinder console interface (but not embedded in SecureOffice web GUI), like the figure below.
Navigate to <LAN address> -> (Luci configuration Interfaces) to Services -> ZoneMinder. You will see the unconfigured ZoneMinder console interface as shown below:
Figure 5: ZoneMinder Unconfigured Console
Hint: If ZoneMinder from within the SecureOffice web GUI has a SSL error and is not visible, navigate to <LAN address>/zoneminder and re-add the security exception.
Cameras must be installed before configuring ZoneMinder.
Allowing IP cameras (or IOT devices in general) to communicate directly with the internet is a security vulnerability due to the potential for these devices to open backdoors (for hackers) into your system.
It is becoming folklore (and a significant security problem) that our electronic devices do not respect our property or privacy rights - they are spying on us. The Chinese have a very bad rap for this, but truth is virtually all manufacturers of communication products are at least tempted to spy on us. Personally, as a communications engineer, I have run into this on several occasions.
When I worked for Nortel (RIP) - we (the entire corporation) were coerced to put backdoors in our equipment.
Second, an engineering friend was hacked and lost a substantial amount of bitcoin plus other malicious damage to files across his network. This was traced to an IP camera "calling home" and opening backdoors to his network. Identity thieves can also use these backdoors once aware of them.
An internet search for "IP cameras backdoor" yields many results such as this and this. Backdoors can be used for far more than spying; they can be used to get full access and compromise your entire network.
In general, to prevent IP cameras or IOT devices from "calling home" or sending data to the internet and opening backdoors, they must be denied internet access. This can be done on a per device-IP address basis (firewall rules) or assigning IOT devices to a dedicated LAN (create dedicated bridge) with no internet access. If access to a device is required from the internet, proxy it (access indirectly using another layer of security). Under no circumstances use manufacturer or any DDNS services to place your IOT devices / IP cameras directly on the internet.
TODO: Add link to Securing your site, Isolating IOT devices
Once your cameras and ZoneMinder are working, as a final step (security reasons), it is recommended to isolate them from the internet using one or more of the methods at the previous link.
Most IP cameras are, by default configured to use DHCP to get an IP address from your LAN. Consult the camera manual to confirm this or for instructions regarding initial access, configuration and setting camera DHCP mode. The following sections assumes all cameras are in DHCP mode.
The MAC addresses for all cameras are required to configure their IP addresses.
Connect all cameras to your LAN. The required IP and MAC addresses can be determined by ONVIF (select a camera, select "Identification") or by entering "cat /var/dhcp.leases" at a command prompt. Sample output from the previous command is shown below:
1581027122 e0:3c:5b:52:6a:55 192.168.10.49 IPCam_Dome2_Wired 01:e0:3c:5b:52:6a:55
1581027121 e0:3c:5b:52:6a:57 192.168.10.48 IPCam_Dome1_Wired 01:e0:3c:5b:52:6a:57
1581015940 c0:99:71:dd:d1:65 192.168.10.46 IPCam_Antenna_Wired 01:c0:99:71:dd:d1:65
1581016556 c0:99:26:cd:b4:c4 192.168.10.44 IPCam_Patio_Wired 01:c0:99:26:cd:b4:c4
Figure 6: Camera DHCP Leases
For the first entry, the MAC address is "e0:3c:5b:52:6a:55". The IP address is "192.168.10.49" and camera name is "IPCam_Dome2_Wired" are assigned using DHCP (next section).
Before assigning any static IP addresses to cameras, please review IP Address Numbering Plan to avoid IP address conflicts. The desired IP and MAC addresses for each camera are required before proceeding.
Cameras will be assigned pseudo-static IP addresses using dnsmasq, configured by file "/etc/config/dhcp" relating camera MAC address to IP address. This can be done using the SecureOffice web GUI or, by directly editing file "/etc/config/dhcp". See Assign Fixed IP Addresses To LAN Devices for instructions.
After making the DHCP assignments, enter "cat /var/dhcp.leases" to confirm camera IP and MAC addresses are what was configured, like the previous figure.
Cameras should now be at their assigned IP addresses. This can be confirmed by pinging ("ping <IP Address>"), initiating an ONVIF scan and viewing video for each camera. Debug any connectivity issues before proceeding.
Using a browser, enter "http://<camera IP>". If the camera is not accessible, check the camera documentation to see if it uses a non-standard web GUI access method or port. Do not proceed until the camera web GUI is accessible.
In a camera specific manner (consult camera documentation), configure and make note of the following settings for all cameras:
Using a web browser connect to the ZoneMinder GUI (as in Section 3). Click on the "Add" button to add a camera. Another window will pop up, as shown below:
Important: If camera parameters and ZoneMinder parameters do not match, video will fail to display.
Figure 7: ZoneMinder Add Camera General
On the above page:
Select and enter a unique camera name, it is suggested to contain location information such as "Front Door"as part of the nme. Enter name in the "Name Field"
On above page, select the "Source" tab. The window will change to the figure below:
Figure 8: ZoneMinder Configure Source
On the above page:
Select the "Storage" tab. Ensure that the "Save Jpegs" field is "Disabled" and the "Video Writer" filed is "H264 Camera Passthrough".
Select the "Buffers" tab. Insure the "Image Buffer Size" is between "50" and "100" frames.
Press "Save" to complete camera configuration.
Watch the ZoneMinder console (Figure 1). After a few minutes, the new camera should appear in green as in Figure 1. If not, verify the camera is accessible via ONVIF and check the ZoneMinder logs in (default) "/home/data/zm/log/" directory. To enable more verbose logs, read the "ZoneMinder Logging" article in the "Further Reading" section. Fix any errors before proceeding.
Check that the camera video is visable in the "Montage" section.
Repeat the above procedure for all cameras.
In the ZoneMinder console click on "Filters". You will see a "Use Filter" option. Select "PurgeWhenFull*", then "Save". This configures ZoneMinder to discard oldest event / recordings when ZoneMinder storage is nearly full. Failure to do this will result in a full disk which will interfere with ZoneMinder and other functions. Further information is available in the ZoneMinder FAQ: "How Can I Stop ZoneMinder From Filling My Disk".
In the ZoneMinder console click on "Options", select "System", scroll down to "TIMEZONE". Using the dropdown, select your timezone. Default is UTC.
The main SecureOffice configuration for ZoneMinder is in file "/etc/config/zm", shown below:
# ZM_* config variables correspond to zoneminder config variables of same name
config zoneminder config
option enabled '1'
option ZM_DIR_EVENTS '/home/data/zm/content/events'
option ZM_DIR_EXPORTS '/home/data/zm/uploads'
option ZM_PATH_LOGS '/home/data/zm/log'
option ZM_PATH_SWAP '/home/data/zm/uploads'
option ZM_WEB_USER 'nobody'
option ZM_WEB_GROUP 'nogroup'
option ZM_HAS_V4L2 '0'
option ZM_HAS_V4L1 '0'
option ZM_HAS_V4L '0'
Figure 9: ZoneMinder Configuration File
Further information regarding variables starting with "ZM_" is available in "ZoneMinder Configuration Files" in the "Further Reading" section.
The "ZM_" variables in the SecureOffice ZoneMinder configuration file replaces any variables of the same name in standard ZoneMinder configuration files.
Options "ZM_WEB_USER" and "ZM_WEB_GROUP" must be the same user and group that the SecureOffice nginx webserver runs under. Do not change them unless the user and group for nginx are also changed, which may affect other services.
Options "ZM_HAS_V4L*" are used to indicate "Video For Linux" support for ZoneMinder. This is used to support analog cameras. To use them will require internet / forum research and installing additional SecureOffice packages.
As outlined previously, ZoneMinder can require a substantial amount of storage. A minimum of 1TB is recommended.
The general approach to adding another disk for SecureOffice is in Installing An Additional Hard Disk.
Decide whether the disk is to be for general bulk storage, in which case it will be mounted at "/home/data" and any existing directories / files at "/home/data" must be moved to the new disk before changing the mount point or whether the new disk is dedicated for ZoneMinder only.
If the new disk is not USB, power off SecureOffice, install the disk and reboot. If the new disk is USB, connect it.
Follow the disk installation instructions linked above to identify, partition and format the new disk.
The following assumes that "/home/data" is according to standard SecureOffice installation and is partition "/dev/sda4", referenced by UUID in "/etc/config/fstab"
Stop ZoneMinder by entering "/etc/init.d/zm stop" at a command prompt.
If the disk is dedicated for ZoneMinder:
If the disk is for general bulk storage, shared by ZoneMinder:
Ensure the new disk is mounted at the correct location by entering "block mount; mount". Fix if not.
Start ZoneMinder ("/etc/init.d/zm start"). Confirm everything is working. In the console window, select "Logs" and look for any errors. Fix any issues.
Reboot and confirm that disks are mounted correctly and ZoneMinder is running and functional. Fix if not.
Enjoy this fine application.
|
Technologies Used: