From ac0e8c9b0b0b5bb5005fbbdc755aa937ad948c64 Mon Sep 17 00:00:00 2001 From: Andrew Bauer Date: Sat, 17 Nov 2018 10:45:08 -0600 Subject: [PATCH 1/5] initial support for subpackages --- distros/redhat/CMakeLists.txt | 85 ++++---- .../com.zoneminder.systemctl.rules.apache.in | 7 + distros/redhat/apache/zm-apache.conf.in | 8 + ...nder.conf.in => zoneminder.apache.conf.in} | 0 .../zoneminder.apache.tmpfiles.in} | 0 distros/redhat/{misc => common}/redalert.wav | Bin .../zoneminder.logrotate.in | 0 .../{systemd => common}/zoneminder.service.in | 5 +- distros/redhat/misc/local_zoneminder.te | 125 ------------ .../com.zoneminder.systemctl.rules.nginx | 7 + distros/redhat/nginx/zm-nginx.conf | 9 + distros/redhat/nginx/zm-web-user.conf | 3 + ...inder.conf.in => zoneminder.nginx.conf.in} | 0 .../redhat/nginx/zoneminder.nginx.tmpfiles.in | 8 + distros/redhat/nginx/zoneminder.service.in | 22 -- distros/redhat/nginx/zoneminder.tmpfiles.in | 8 - distros/redhat/readme/README | 29 +++ .../README.Fedora => readme/README.nginx} | 0 distros/redhat/zoneminder.spec | 189 +++++++++++++----- 19 files changed, 261 insertions(+), 244 deletions(-) create mode 100644 distros/redhat/apache/com.zoneminder.systemctl.rules.apache.in create mode 100644 distros/redhat/apache/zm-apache.conf.in rename distros/redhat/apache/{zoneminder.conf.in => zoneminder.apache.conf.in} (100%) rename distros/redhat/{systemd/zoneminder.tmpfiles.in => apache/zoneminder.apache.tmpfiles.in} (100%) rename distros/redhat/{misc => common}/redalert.wav (100%) rename distros/redhat/{systemd => common}/zoneminder.logrotate.in (100%) rename distros/redhat/{systemd => common}/zoneminder.service.in (79%) delete mode 100644 distros/redhat/misc/local_zoneminder.te create mode 100644 distros/redhat/nginx/com.zoneminder.systemctl.rules.nginx create mode 100644 distros/redhat/nginx/zm-nginx.conf create mode 100644 distros/redhat/nginx/zm-web-user.conf rename distros/redhat/nginx/{zoneminder.conf.in => zoneminder.nginx.conf.in} (100%) create mode 100644 distros/redhat/nginx/zoneminder.nginx.tmpfiles.in delete mode 100644 distros/redhat/nginx/zoneminder.service.in delete mode 100644 distros/redhat/nginx/zoneminder.tmpfiles.in create mode 100644 distros/redhat/readme/README rename distros/redhat/{nginx/README.Fedora => readme/README.nginx} (100%) diff --git a/distros/redhat/CMakeLists.txt b/distros/redhat/CMakeLists.txt index 37643cd89..bf4e2b40d 100644 --- a/distros/redhat/CMakeLists.txt +++ b/distros/redhat/CMakeLists.txt @@ -1,5 +1,10 @@ # CMakeLists.txt for the Redhat Target Distros. +# +# General strategy is to configure and install all files specific to Apache and Nginx +# Then let the rpm specfile sort them into the appropriate sub-package +# + # Display a message to show the RHEL build options are being processed. if(ZM_TARGET_DISTRO MATCHES "^el") message([STATUS] "Starting RHEL Build Options" ...) @@ -9,33 +14,38 @@ else(ZM_TARGET_DISTRO MATCHES "^el") message([WARNING] "Unknown Build Option Detected" ...) endif(ZM_TARGET_DISTRO MATCHES "^el") -if((NOT ZM_TARGET_DISTRO MATCHES "^fc") AND (ZM_WEB_USER STREQUAL "nginx")) - message([FATAL_ERROR] "Experimental Nginx support is currently only supported on Fedora" ...) -endif((NOT ZM_TARGET_DISTRO MATCHES "^fc") AND (ZM_WEB_USER STREQUAL "nginx")) +# +# CONFIGURE STAGE +# -# Configure the zoneminder service files -configure_file(systemd/zoneminder.logrotate.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.logrotate @ONLY) -configure_file(nginx/zoneminder.php-fpm.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.php-fpm.conf @ONLY) -configure_file(nginx/zoneminder.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.nginx.conf @ONLY) -if(ZM_WEB_USER STREQUAL "nginx") - configure_file(nginx/zoneminder.service.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.service @ONLY) - configure_file(nginx/zoneminder.tmpfiles.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.tmpfiles @ONLY) - configure_file(nginx/README.Fedora ${CMAKE_CURRENT_SOURCE_DIR}/readme/README COPYONLY) -else(ZM_WEB_USER STREQUAL "nginx") - configure_file(systemd/zoneminder.service.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.service @ONLY) - configure_file(apache/zoneminder.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.conf @ONLY) - configure_file(systemd/zoneminder.tmpfiles.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.tmpfiles @ONLY) - if( ZM_TARGET_DISTRO MATCHES "^fc") - configure_file(readme/README.Fedora ${CMAKE_CURRENT_SOURCE_DIR}/readme/README COPYONLY) - else( ZM_TARGET_DISTRO MATCHES "^fc") - configure_file(readme/README.Redhat7 ${CMAKE_CURRENT_SOURCE_DIR}/readme/README COPYONLY) - endif( ZM_TARGET_DISTRO MATCHES "^fc") -endif(ZM_WEB_USER STREQUAL "nginx") - -# Create several empty folders +# Configure the common zoneminder files +configure_file(common/zoneminder.logrotate.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.logrotate @ONLY) +configure_file(common/zoneminder.service.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.service @ONLY) file(MAKE_DIRECTORY sock swap zoneminder zoneminder-upload events images temp) -# Install the empty folders +# Configure the Apache zoneminder files +configure_file(apache/zm-apache.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zm-apache.conf @ONLY) +configure_file(apache/zoneminder.apache.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.apache.conf @ONLY) +configure_file(apache/zoneminder.apache.tmpfiles.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.apache.tmpfiles.conf @ONLY) +configure_file(apache/com.zoneminder.systemctl.rules.apache.in ${CMAKE_CURRENT_SOURCE_DIR}/com.zoneminder.systemctl.rules.apache @ONLY) + +# Configure the Nginx zoneminder files +configure_file(nginx/zm-nginx.conf ${CMAKE_CURRENT_SOURCE_DIR}/zm-nginx.conf COPYONLY) +configure_file(nginx/zoneminder.nginx.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.nginx.conf @ONLY) +configure_file(nginx/zoneminder.nginx.tmpfiles.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.nginx.tmpfiles.conf @ONLY) +configure_file(nginx/zm-web-user.conf ${CMAKE_CURRENT_SOURCE_DIR}/zm-web-user.conf COPYONLY) +configure_file(nginx/zoneminder.php-fpm.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.php-fpm.conf @ONLY) +configure_file(nginx/com.zoneminder.systemctl.rules.nginx.in ${CMAKE_CURRENT_SOURCE_DIR}/com.zoneminder.systemctl.rules.nginx COPYONLY) + +# +# INSTALLATION STAGE +# + + +# Install the common zoneminder files +install(FILES zoneminder.logrotate DESTINATION /etc/logrotate.d RENAME zoneminder PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES zoneminder.service DESTINATION /usr/lib/systemd/system PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) + install(DIRECTORY sock swap DESTINATION /var/lib/zoneminder DIRECTORY_PERMISSIONS OWNER_WRITE OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) install(DIRECTORY zoneminder DESTINATION /var/log DIRECTORY_PERMISSIONS OWNER_WRITE OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) install(DIRECTORY zoneminder DESTINATION /var/run DIRECTORY_PERMISSIONS OWNER_WRITE OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) @@ -43,6 +53,22 @@ install(DIRECTORY zoneminder DESTINATION /var/cache DIRECTORY_PERMISSIONS OWNER_ install(DIRECTORY zoneminder-upload DESTINATION /var/spool DIRECTORY_PERMISSIONS OWNER_WRITE OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) install(DIRECTORY events images temp DESTINATION /var/lib/zoneminder DIRECTORY_PERMISSIONS OWNER_WRITE OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) +# Install the Apache zoneminder files +install(FILES zm-apache.conf DESTINATION /usr/lib/systemd/system/zoneminder.service.d PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES zoneminder.apache.conf DESTINATION /etc/zm/www PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES zoneminder.apache.tmpfiles.conf DESTINATION /usr/lib/tmpfiles.d PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES com.zoneminder.systemctl.rules.apache DESTINATION /etc/zm/www PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) + +# Install the Nginx zoneminder files +install(FILES zm-nginx.conf DESTINATION /usr/lib/systemd/system/zoneminder.service.d PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES zoneminder.nginx.conf DESTINATION /etc/zm/www PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES zoneminder.nginx.tmpfiles.conf DESTINATION /usr/lib/tmpfiles.d PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES com.zoneminder.systemctl.rules.nginx DESTINATION /etc/zm/www PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES zm-web-user.conf DESTINATION /etc/zm/conf.d PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES zoneminder.php-fpm.conf DESTINATION /etc/php-fpm.d PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) + +# Miscellaneous + # Symlink the cake php temp folder to the ZoneMinder temp folder install(CODE "execute_process(COMMAND ln -sf ../../../../../../var/lib/zoneminder/temp \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/zoneminder/www/api/app/tmp\")") @@ -50,14 +76,5 @@ install(CODE "execute_process(COMMAND ln -sf ../../../../../../var/lib/zoneminde install(CODE "execute_process(COMMAND ln -sf ../../java/cambozola.jar \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/zoneminder/www/cambozola.jar\")") # Install auxiliary files -install(FILES misc/redalert.wav DESTINATION ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/zoneminder/www/sounds PERMISSIONS OWNER_WRITE OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) - -# Install zoneminder service files -install(FILES zoneminder.logrotate DESTINATION /etc/logrotate.d RENAME zoneminder PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) -install(FILES zoneminder.conf DESTINATION /etc/zm/www PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) -install(FILES zoneminder.php-fpm.conf DESTINATION /etc/zm/www PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) -install(FILES zoneminder.nginx.conf DESTINATION /etc/zm/www PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) - -install(FILES zoneminder.service DESTINATION /usr/lib/systemd/system PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) -install(FILES zoneminder.tmpfiles DESTINATION /usr/lib/tmpfiles.d RENAME zoneminder.conf PERMISSIONS OWNER_WRITE OWNER_READ GROUP_READ WORLD_READ) +install(FILES common/redalert.wav DESTINATION ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/zoneminder/www/sounds PERMISSIONS OWNER_WRITE OWNER_READ OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) diff --git a/distros/redhat/apache/com.zoneminder.systemctl.rules.apache.in b/distros/redhat/apache/com.zoneminder.systemctl.rules.apache.in new file mode 100644 index 000000000..d101dad69 --- /dev/null +++ b/distros/redhat/apache/com.zoneminder.systemctl.rules.apache.in @@ -0,0 +1,7 @@ +polkit.addRule(function(action, subject) { + if (action.id == "com.zoneminder.policykit.pkexec.run-zmsystemctl" && + subject.user != "@WEB_USER@") { + return polkit.Result.NO; + } + +}); diff --git a/distros/redhat/apache/zm-apache.conf.in b/distros/redhat/apache/zm-apache.conf.in new file mode 100644 index 000000000..edf3a090d --- /dev/null +++ b/distros/redhat/apache/zm-apache.conf.in @@ -0,0 +1,8 @@ +# Additional config directions for ZoneMinder with Apache web server + +[Unit] +After=httpd.service + +[Service] +User=@WEB_USER@ +Group=@WEB_GROUP@ diff --git a/distros/redhat/apache/zoneminder.conf.in b/distros/redhat/apache/zoneminder.apache.conf.in similarity index 100% rename from distros/redhat/apache/zoneminder.conf.in rename to distros/redhat/apache/zoneminder.apache.conf.in diff --git a/distros/redhat/systemd/zoneminder.tmpfiles.in b/distros/redhat/apache/zoneminder.apache.tmpfiles.in similarity index 100% rename from distros/redhat/systemd/zoneminder.tmpfiles.in rename to distros/redhat/apache/zoneminder.apache.tmpfiles.in diff --git a/distros/redhat/misc/redalert.wav b/distros/redhat/common/redalert.wav similarity index 100% rename from distros/redhat/misc/redalert.wav rename to distros/redhat/common/redalert.wav diff --git a/distros/redhat/systemd/zoneminder.logrotate.in b/distros/redhat/common/zoneminder.logrotate.in similarity index 100% rename from distros/redhat/systemd/zoneminder.logrotate.in rename to distros/redhat/common/zoneminder.logrotate.in diff --git a/distros/redhat/systemd/zoneminder.service.in b/distros/redhat/common/zoneminder.service.in similarity index 79% rename from distros/redhat/systemd/zoneminder.service.in rename to distros/redhat/common/zoneminder.service.in index 68918ab9e..540c2f939 100644 --- a/distros/redhat/systemd/zoneminder.service.in +++ b/distros/redhat/common/zoneminder.service.in @@ -1,9 +1,10 @@ # ZoneMinder systemd unit file for RedHat distros and clones +# See drop-in folder for additional config directives [Unit] Description=ZoneMinder CCTV recording and security system -After=network.target mariadb.service httpd.service -Requires=mariadb.service httpd.service +After=network.target mariadb.service +Requires=mariadb.service [Service] User=@WEB_USER@ diff --git a/distros/redhat/misc/local_zoneminder.te b/distros/redhat/misc/local_zoneminder.te deleted file mode 100644 index c49505785..000000000 --- a/distros/redhat/misc/local_zoneminder.te +++ /dev/null @@ -1,125 +0,0 @@ -module local_zoneminder 1.2; - -require { - type afs_ka_port_t; - type netsupport_port_t; - type port_t; - type presence_port_t; - type postfix_master_t; - type postfix_qmgr_t; - type postfix_pickup_t; - type httpd_t; - type var_lib_t; - type ionixnetmon_port_t; - type glance_port_t; - type mmcc_port_t; - type postfix_master_t; - type commplex_port_t; - type syslogd_port_t; - type dcc_port_t; - type sip_port_t; - type amqp_port_t; - type condor_port_t; - type afs_fs_port_t; - type nodejs_debug_port_t; - type httpd_var_lib_t; - type websm_port_t; - type afs_pt_port_t; - type postfix_qmgr_t; - type git_port_t; - type ipp_port_t; - type aol_port_t; - type unconfined_t; - type kernel_t; - type init_t; - type auditd_t; - type mysqld_t; - type httpd_log_t; - type syslogd_t; - type httpd_t; - type initrc_state_t; - type initrc_t; - type var_lib_t; - type udev_t; - type mysqld_safe_t; - type sshd_t; - type crond_t; - type getty_t; - type httpd_var_lib_t; - type initrc_var_run_t; - type tmpfs_t; - type dhcpc_t; - type v4l_device_t; - type file_t; - class sock_file { write create unlink }; - class unix_stream_socket { read connectto }; - class lnk_file { write create getattr read lock unlink }; - class dir {search getattr }; - class udp_socket name_bind; - class file { write getattr read lock unlink open }; - class shm { unix_read unix_write associate read write getattr }; - class chr_file getattr; -} - -#============= httpd_t ============== -allow httpd_t auditd_t:dir { search getattr }; -allow httpd_t auditd_t:file { read getattr open }; -allow httpd_t crond_t:dir { search getattr }; -allow httpd_t crond_t:file { read getattr open }; -allow httpd_t dhcpc_t:dir { search getattr }; -allow httpd_t dhcpc_t:file { read getattr open }; -allow httpd_t getty_t:dir { search getattr }; -allow httpd_t getty_t:file { read getattr open }; -allow httpd_t httpd_log_t:file write; -allow httpd_t httpd_var_lib_t:lnk_file { write getattr read lock unlink }; -allow httpd_t init_t:dir { search getattr }; -allow httpd_t init_t:file { read getattr open }; -#!!!! The source type 'httpd_t' can write to a 'file' of the following types: -#squirrelmail_spool_t, mirrormanager_var_run_t, dirsrvadmin_config_t, httpd_lock_t, httpd_tmp_t, dirsrv_config_t, dirsrvadmin_tmp_t, httpd_cache_t, httpd_tmpfs_t, httpd_squirrelmail_t, dirsrv_var_run_t, dirsrv_var_log_t, httpd_var_lib_t, httpd_var_run_t, zarafa_var_lib_t, httpd_prewikka_rw_content_t, httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, passenger_var_run_t, httpd_smokeping_cgi_rw_content_t, httpd_openshift_rw_content_t, httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_collectd_rw_content_t, cluster_var_lib_t, cluster_var_run_t, httpd_user_rw_content_t, httpd_awstats_rw_content_t, httpdcontent, root_t, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, cluster_conf_t, httpd_bugzilla_rw_content_t, passenger_tmp_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_nutups_cgi_rw_content_t, httpd_dspam_rw_content_t - -allow httpd_t initrc_state_t:file { read write getattr unlink open }; -allow httpd_t initrc_t:unix_stream_socket connectto; -allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr }; -allow httpd_t initrc_var_run_t:file { write read lock open }; -allow httpd_t kernel_t:dir { search getattr }; -allow httpd_t kernel_t:file { read getattr open }; -allow httpd_t mysqld_safe_t:dir { search getattr }; -allow httpd_t mysqld_safe_t:file { read getattr open }; -allow httpd_t mysqld_t:dir { search getattr }; -allow httpd_t mysqld_t:file { read getattr open }; -allow httpd_t sshd_t:dir { search getattr }; -allow httpd_t sshd_t:file { read getattr open }; -allow httpd_t syslogd_t:dir { search getattr }; -allow httpd_t syslogd_t:file { read getattr open }; -allow httpd_t tmpfs_t:sock_file write; -allow httpd_t udev_t:dir { search getattr }; -allow httpd_t udev_t:file { read getattr open }; -allow httpd_t unconfined_t:dir { search getattr }; -allow httpd_t unconfined_t:file { read getattr open }; -allow httpd_t var_lib_t:lnk_file { write getattr read lock unlink }; -allow httpd_t var_lib_t:sock_file { write unlink }; -allow httpd_t v4l_device_t:chr_file getattr; -allow httpd_t afs_fs_port_t:udp_socket name_bind; -allow httpd_t afs_ka_port_t:udp_socket name_bind; -allow httpd_t afs_pt_port_t:udp_socket name_bind; -allow httpd_t amqp_port_t:udp_socket name_bind; -allow httpd_t aol_port_t:udp_socket name_bind; -allow httpd_t commplex_port_t:udp_socket name_bind; -allow httpd_t condor_port_t:udp_socket name_bind; -allow httpd_t dcc_port_t:udp_socket name_bind; -allow httpd_t git_port_t:udp_socket name_bind; -allow httpd_t glance_port_t:udp_socket name_bind; -allow httpd_t httpd_var_lib_t:lnk_file create; -allow httpd_t ionixnetmon_port_t:udp_socket name_bind; -allow httpd_t ipp_port_t:udp_socket name_bind; -allow httpd_t mmcc_port_t:udp_socket name_bind; -allow httpd_t netsupport_port_t:udp_socket name_bind; -allow httpd_t nodejs_debug_port_t:udp_socket name_bind; -allow httpd_t port_t:udp_socket name_bind; -allow httpd_t postfix_master_t:dir { search getattr }; -allow httpd_t postfix_master_t:file { read getattr open }; -allow httpd_t postfix_pickup_t:dir { search getattr }; -allow httpd_t postfix_pickup_t:file { read getattr open }; -allow httpd_t postfix_qmgr_t:dir { search getattr }; -allow httpd_t postfix_qmgr_t:file { read getattr open }; -allow httpd_t presence_port_t:udp_socket name_bind; diff --git a/distros/redhat/nginx/com.zoneminder.systemctl.rules.nginx b/distros/redhat/nginx/com.zoneminder.systemctl.rules.nginx new file mode 100644 index 000000000..8eaa78d5c --- /dev/null +++ b/distros/redhat/nginx/com.zoneminder.systemctl.rules.nginx @@ -0,0 +1,7 @@ +polkit.addRule(function(action, subject) { + if (action.id == "com.zoneminder.policykit.pkexec.run-zmsystemctl" && + subject.user != "nginx") { + return polkit.Result.NO; + } + +}); diff --git a/distros/redhat/nginx/zm-nginx.conf b/distros/redhat/nginx/zm-nginx.conf new file mode 100644 index 000000000..98ca1943a --- /dev/null +++ b/distros/redhat/nginx/zm-nginx.conf @@ -0,0 +1,9 @@ +# Additional config directives for ZoneMinder with Nginx web server + +[Unit] +After=nginx.service php-fpm.service fcgiwrap.service +Requires=php-fpm.service fcgiwrap.service + +[Service] +User=nginx +Group=nginx diff --git a/distros/redhat/nginx/zm-web-user.conf b/distros/redhat/nginx/zm-web-user.conf new file mode 100644 index 000000000..3146679fd --- /dev/null +++ b/distros/redhat/nginx/zm-web-user.conf @@ -0,0 +1,3 @@ +ZM_WEB_USER=nginx +ZM_WEB_GROUP=nginx + diff --git a/distros/redhat/nginx/zoneminder.conf.in b/distros/redhat/nginx/zoneminder.nginx.conf.in similarity index 100% rename from distros/redhat/nginx/zoneminder.conf.in rename to distros/redhat/nginx/zoneminder.nginx.conf.in diff --git a/distros/redhat/nginx/zoneminder.nginx.tmpfiles.in b/distros/redhat/nginx/zoneminder.nginx.tmpfiles.in new file mode 100644 index 000000000..46dbd99fe --- /dev/null +++ b/distros/redhat/nginx/zoneminder.nginx.tmpfiles.in @@ -0,0 +1,8 @@ +D @ZM_TMPDIR@ 0755 nginx nginx +D @ZM_SOCKDIR@ 0755 nginx nginx +D @ZM_CACHEDIR@ 0755 nginx nginx +d @ZM_DIR_EVENTS@ 0755 nginx nginx +D @ZM_DIR_IMAGES@ 0755 nginx nginx +D /var/lib/php/session 770 root nginx +D /var/lib/php/wsdlcache 770 root nginx + diff --git a/distros/redhat/nginx/zoneminder.service.in b/distros/redhat/nginx/zoneminder.service.in deleted file mode 100644 index 7e2e36585..000000000 --- a/distros/redhat/nginx/zoneminder.service.in +++ /dev/null @@ -1,22 +0,0 @@ -# ZoneMinder systemd unit file for Fedora -# Replace mariadb with community-mysql if using mysql service instead of mariadb - -[Unit] -Description=ZoneMinder CCTV recording and security system -After=network.target mariadb.service nginx.service php-fpm.service fcgiwrap.service -Requires=mariadb.service nginx.service php-fpm.service fcgiwrap.service - -[Service] -User=@WEB_USER@ -Group=@WEB_GROUP@ -Type=forking -ExecStart=@BINDIR@/zmpkg.pl start -ExecReload=@BINDIR@/zmpkg.pl restart -ExecStop=@BINDIR@/zmpkg.pl stop -PIDFile=@ZM_RUNDIR@/zm.pid -Environment=TZ=/etc/localtime -RuntimeDirectory=zoneminder -RuntimeDirectoryMode=0755 - -[Install] -WantedBy=multi-user.target diff --git a/distros/redhat/nginx/zoneminder.tmpfiles.in b/distros/redhat/nginx/zoneminder.tmpfiles.in deleted file mode 100644 index 07bae0900..000000000 --- a/distros/redhat/nginx/zoneminder.tmpfiles.in +++ /dev/null @@ -1,8 +0,0 @@ -D @ZM_TMPDIR@ 0755 @WEB_USER@ @WEB_GROUP@ -D @ZM_SOCKDIR@ 0755 @WEB_USER@ @WEB_GROUP@ -D @ZM_CACHEDIR@ 0755 @WEB_USER@ @WEB_GROUP@ -d @ZM_DIR_EVENTS@ 0755 @WEB_USER@ @WEB_GROUP@ -D @ZM_DIR_IMAGES@ 0755 @WEB_USER@ @WEB_GROUP@ -D /var/lib/php/session 770 root @WEB_GROUP@ -D /var/lib/php/wsdlcache 770 root @WEB_GROUP@ - diff --git a/distros/redhat/readme/README b/distros/redhat/readme/README new file mode 100644 index 000000000..e25001863 --- /dev/null +++ b/distros/redhat/readme/README @@ -0,0 +1,29 @@ +What's New +========== + +1. See the ZoneMinder release notes for a list of new features: + https://github.com/ZoneMinder/zoneminder/releases + +2. The contents of the ZoneMinder Apache config file have changed. In + addition, this ZoneMinder package now requires you to manually symlink the + ZoneMinder Apache config file. See new install step 6 and upgrade step 3 + below for details. + +3. This package has been split into sub-packages to allow compatibility with + other web servers. Here is a breakdown of the available packages: + + zoneminder - Meta-package installs zoneminder-common and zoneminder-httpd + This exists soley for backwards compaitilibty. + zoneminder-common - Common files that do not differ based on the web server + zoneminder-httpd - Files needed for compatibility with the Apache web server + zoneminder-nginx - Files needed for compatibility with the Nginx web server + + You can switch between different subpackages with dnf/yum. Be advised that, + if you modified any of the default config files supplied by the package, + rpm may not update the config file to the proper version. This is by design. + Use drop-in files instead, to avoid this issue. + +4. Continue on to the next README that corresponds to the chosen webserver: + + README.httpd - Follow these steps when using Apache + README.nginx - Follow these steps when using Nginx diff --git a/distros/redhat/nginx/README.Fedora b/distros/redhat/readme/README.nginx similarity index 100% rename from distros/redhat/nginx/README.Fedora rename to distros/redhat/readme/README.nginx diff --git a/distros/redhat/zoneminder.spec b/distros/redhat/zoneminder.spec index 27cc59ba9..839c9366f 100644 --- a/distros/redhat/zoneminder.spec +++ b/distros/redhat/zoneminder.spec @@ -1,3 +1,4 @@ +# Leaving this to allow one to build zoneminder-http subpackage using arbitrary user account %global zmuid_final apache %global zmgid_final apache @@ -7,10 +8,6 @@ # CakePHP-Enum-Behavior is configured as a git submodule %global ceb_version 1.0-zm -%if "%{zmuid_final}" == "nginx" -%global with_nginx 1 -%endif - %global sslcert %{_sysconfdir}/pki/tls/certs/localhost.crt %global sslkey %{_sysconfdir}/pki/tls/private/localhost.key @@ -22,11 +19,12 @@ %global with_apcu_bc 1 %endif +# The default for everything but el7 these days %global _hardened_build 1 Name: zoneminder Version: 1.32.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A camera monitoring and analysis tool Group: System Environment/Daemons # Mootools is inder the MIT license: http://mootools.net/ @@ -74,6 +72,7 @@ BuildRequires: vlc-devel BuildRequires: libcurl-devel BuildRequires: libv4l-devel BuildRequires: desktop-file-utils +BuildRequires: gzip # ZoneMinder looks for and records the location of the ffmpeg binary during build BuildRequires: ffmpeg @@ -83,10 +82,25 @@ BuildRequires: ffmpeg-devel BuildRequires: libmp4v2-devel BuildRequires: x264-devel -%{?with_nginx:Requires: nginx} -%{?with_nginx:Requires: php-fpm} -%{!?with_nginx:Requires: httpd} -%{!?with_nginx:Requires: php} +# Allow existing user base to seamlessly transition to sub-packages +Requires: %{name}-common%{?_isa} = %{version}-%{release} +Requires: %{name}-httpd%{?_isa} = %{version}-%{release} + +%description +ZoneMinder is a set of applications which is intended to provide a complete +solution allowing you to capture, analyze, record and monitor any cameras you +have attached to a Linux based machine. It is designed to run on kernels which +support the Video For Linux (V4L) interface and has been tested with cameras +attached to BTTV cards, various USB cameras and IP network cameras. It is +designed to support as many cameras as you can attach to your computer without +too much degradation of performance. + +This is a meta package for backwards compatibility with the existing +ZoneMinder user base. + +%package common +Summary: Common files for ZoneMinder, not tied to a specific web server + Requires: php-mysqli Requires: php-common Requires: php-gd @@ -111,16 +125,12 @@ Requires: perl(Net::FTP) Requires: perl(LWP::Protocol::https) Requires: ca-certificates Requires: zip - -Requires(post): systemd -Requires(post): systemd-sysv -Requires(preun): systemd -Requires(postun): systemd +%{systemd_requires} Requires(post): %{_bindir}/gpasswd Requires(post): %{_bindir}/less -%description +%description common ZoneMinder is a set of applications which is intended to provide a complete solution allowing you to capture, analyze, record and monitor any cameras you have attached to a Linux based machine. It is designed to run on kernels which @@ -129,15 +139,56 @@ attached to BTTV cards, various USB cameras and IP network cameras. It is designed to support as many cameras as you can attach to your computer without too much degradation of performance. +This is a meta-package that exists solely to allow the existing user base to +seamlessly transition to sub-packages. + +%package httpd +Summary: ZoneMinder configuration for Apache web server +Requires: %{name}-common%{?_isa} = %{version}-%{release} +Requires: httpd +Requires: php + +Conflicts: %{name}-nginx + +%description httpd +ZoneMinder is a set of applications which is intended to provide a complete +solution allowing you to capture, analyze, record and monitor any cameras you +have attached to a Linux based machine. It is designed to run on kernels which +support the Video For Linux (V4L) interface and has been tested with cameras +attached to BTTV cards, various USB cameras and IP network cameras. It is +designed to support as many cameras as you can attach to your computer without +too much degradation of performance. + +This sub-package contains configuration specific to Apache web server + +%package nginx +Summary: ZoneMinder configuration for Nginx web server +Requires: %{name}-common%{?_isa} = %{version}-%{release} +Requires: nginx +Requires: php-fpm + +Conflicts: %{name}-httpd + +%description nginx +ZoneMinder is a set of applications which is intended to provide a complete +solution allowing you to capture, analyze, record and monitor any cameras you +have attached to a Linux based machine. It is designed to run on kernels which +support the Video For Linux (V4L) interface and has been tested with cameras +attached to BTTV cards, various USB cameras and IP network cameras. It is +designed to support as many cameras as you can attach to your computer without +too much degradation of performance. + +This sub-package contains support for ZoneMinder with the Nginx web server + %prep %autosetup -p 1 -a 1 -%{__rm} -rf ./web/api/app/Plugin/Crud -%{__mv} -f crud-%{crud_version} ./web/api/app/Plugin/Crud +rm -rf ./web/api/app/Plugin/Crud +mv -f crud-%{crud_version} ./web/api/app/Plugin/Crud # The all powerful autosetup macro does not work after the second source tarball -%{__gzip} -dc %{_sourcedir}/cakephp-enum-behavior-%{ceb_version}.tar.gz | tar -xvvf - -%{__rm} -rf ./web/api/app/Plugin/CakePHP-Enum-Behavior -%{__mv} -f CakePHP-Enum-Behavior-%{ceb_version} ./web/api/app/Plugin/CakePHP-Enum-Behavior +gzip -dc %{_sourcedir}/cakephp-enum-behavior-%{ceb_version}.tar.gz | tar -xvvf - +rm -rf ./web/api/app/Plugin/CakePHP-Enum-Behavior +mv -f CakePHP-Enum-Behavior-%{ceb_version} ./web/api/app/Plugin/CakePHP-Enum-Behavior # Change the following default values ./utils/zmeditconfigdata.sh ZM_OPT_CAMBOZOLA yes @@ -150,7 +201,7 @@ too much degradation of performance. %build %cmake \ -DZM_WEB_USER="%{zmuid_final}" \ - -DZM_WEB_GROUP="%{zmuid_final}" \ + -DZM_WEB_GROUP="%{zmgid_final}" \ -DZM_TARGET_DISTRO="%{zmtargetdistro}" \ . @@ -172,10 +223,13 @@ find %{buildroot} \( -name .htaccess -or -name .editorconfig -or -name .packlist find %{buildroot}%{_datadir}/zoneminder/www/api \( -name cake -or -name cake.php \) -type f -exec sed -i 's\^#!/usr/bin/env bash$\#!%{_buildshell}\' {} \; -exec %{__chmod} 755 {} \; # Use the system cacert file rather then the one bundled with CakePHP -%{__rm} -f %{buildroot}%{_datadir}/zoneminder/www/api/lib/Cake/Config/cacert.pem -%{__ln_s} ../../../../../../../..%{_sysconfdir}/pki/tls/certs/ca-bundle.crt %{buildroot}%{_datadir}/zoneminder/www/api/lib/Cake/Config/cacert.pem +rm -f %{buildroot}%{_datadir}/zoneminder/www/api/lib/Cake/Config/cacert.pem +ln -s ../../../../../../../..%{_sysconfdir}/pki/tls/certs/ca-bundle.crt %{buildroot}%{_datadir}/zoneminder/www/api/lib/Cake/Config/cacert.pem -%post +# Handle the polkit file differently for web server agnostic support (see post) +rm -f %{buildroot}%{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules + +%post common # Initial installation if [ $1 -eq 1 ] ; then %systemd_post %{name}.service @@ -183,28 +237,38 @@ fi # Upgrade from a previous version of zoneminder if [ $1 -eq 2 ] ; then - # Add any new PTZ control configurations to the database (will not overwrite) %{_bindir}/zmcamtool.pl --import >/dev/null 2>&1 || : # Freshen the database %{_bindir}/zmupdate.pl -f >/dev/null 2>&1 || : - - # We can't run this automatically when new sql account permissions need to - # be manually added first - # Run zmupdate non-interactively - # zmupdate.pl --nointeractive fi -# Allow zoneminder access to local video sources, serial ports, and x10 -%{_bindir}/gpasswd -a %{zmuid_final} video >/dev/null 2>&1 || : -%{_bindir}/gpasswd -a %{zmuid_final} dialout >/dev/null 2>&1 || : - # Warn the end user to read the README file echo -e "\nVERY IMPORTANT: Before starting ZoneMinder, you must read the README file\nto finish the installation or upgrade!" echo -e "\nThe README file is located here: %{_pkgdocdir}/README\n" -%if 0%{?with_nginx} +%post httpd +ln -s %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.apache %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules +# backwards compatibility +ln -s %{_sysconfdir}/zm/www/zoneminder.apache.conf %{_sysconfdir}/zm/www/zoneminder.conf + +# Allow zoneminder access to local video sources, serial ports, and x10 +%{_bindir}/gpasswd -a %{zmuid_final} video >/dev/null 2>&1 || : +%{_bindir}/gpasswd -a %{zmuid_final} dialout >/dev/null 2>&1 || : + +%post nginx + +ln -s %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.nginx %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules + +# +# TO-DO: configure the README's +# + +# Allow zoneminder access to local video sources, serial ports, and x10 +%{_bindir}/gpasswd -a nginx video >/dev/null 2>&1 || : +%{_bindir}/gpasswd -a nginx dialout >/dev/null 2>&1 || : + # Nginx does not create an SSL certificate like the apache package does so lets do that here if [ -f %{sslkey} -o -f %{sslcert} ]; then exit 0 @@ -230,7 +294,6 @@ SomeOrganizationalUnit ${FQDN} root@${FQDN} EOF -%endif %preun %systemd_preun %{name}.service @@ -238,17 +301,10 @@ EOF %postun %systemd_postun_with_restart %{name}.service -%triggerun -- zoneminder < 1.25.0-4 -# Save the current service runlevel info -# User must manually run systemd-sysv-convert --apply zoneminder -# to migrate them to systemd targets -%{_bindir}/systemd-sysv-convert --save zoneminder >/dev/null 2>&1 ||: - -# Run these because the SysV package being removed won't do them -/sbin/chkconfig --del zoneminder >/dev/null 2>&1 || : -/bin/systemctl try-restart zoneminder.service >/dev/null 2>&1 || : - %files +# nothing + +%files common %license COPYING %doc AUTHORS README.md distros/redhat/readme/README distros/redhat/readme/README.https @@ -260,18 +316,12 @@ EOF # Config folder contents contain sensitive info # and should not be readable by normal users %{_sysconfdir}/zm/conf.d/README -%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm/zm.conf -%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm/conf.d/*.conf -%ghost %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm/conf.d/zmcustom.conf -%config(noreplace) %attr(644,root,root) %{_sysconfdir}/zm/www/zoneminder.conf -%config(noreplace) %{_sysconfdir}/zm/www/zoneminder.php-fpm.conf %config(noreplace) %{_sysconfdir}/logrotate.d/zoneminder %{_tmpfilesdir}/zoneminder.conf %{_unitdir}/zoneminder.service %{_datadir}/polkit-1/actions/com.zoneminder.systemctl.policy -%{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules %{_bindir}/zmsystemctl.pl %{_bindir}/zma @@ -304,6 +354,15 @@ EOF %{_datadir}/zoneminder/ %{_datadir}/applications/*zoneminder.desktop +%files httpd +%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm/zm.conf +%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm/conf.d/0*.conf +%ghost %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm/conf.d/zmcustom.conf +%config(noreplace) %{_sysconfdir}/zm/www/zoneminder.apache.conf +%config(noreplace) %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.apache +%ghost %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules + +%{_unitdir}/zoneminder.service.d/zm-apache.conf %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_sharedstatedir}/zoneminder %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_sharedstatedir}/zoneminder/events %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_sharedstatedir}/zoneminder/images @@ -313,9 +372,33 @@ EOF %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_localstatedir}/cache/zoneminder %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_localstatedir}/log/zoneminder %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_localstatedir}/spool/zoneminder-upload -%dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_localstatedir}/run/zoneminder + +%files nginx +%config(noreplace) %attr(640,root,nginx) %{_sysconfdir}/zm/zm.conf +%config(noreplace) %attr(640,root,nginx) %{_sysconfdir}/zm/conf.d/*.conf +%ghost %attr(640,root,nginx) %{_sysconfdir}/zm/conf.d/zmcustom.conf +%config(noreplace) %{_sysconfdir}/zm/www/zoneminder.nginx.conf +%config(noreplace) %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.nginx +%ghost %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules + +%config(noreplace) %{_sysconfdir}/php-fpm.d/zoneminder.php-fpm.conf + + +%{_unitdir}/zoneminder.service.d/zm-nginx.conf +%dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder +%dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder/events +%dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder/images +%dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder/sock +%dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder/swap +%dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder/temp +%dir %attr(755,nginx,nginx) %{_localstatedir}/cache/zoneminder +%dir %attr(755,nginx,nginx) %{_localstatedir}/log/zoneminder +%dir %attr(755,nginx,nginx) %{_localstatedir}/spool/zoneminder-upload %changelog +* Wed Nov 14 2018 Andrew Bauer - 1.32.2-2 +- Break into sub-packages + * Sat Oct 13 2018 Andrew Bauer - 1.32.2-1 - 1.32.2 release - Bug fix release From d06e1b075ddf22f9a36a4254196d5e0aa315b7f7 Mon Sep 17 00:00:00 2001 From: Andrew Bauer Date: Sat, 17 Nov 2018 10:47:53 -0600 Subject: [PATCH 2/5] fix filename of com.zoneminder.systemctl.rules.nginx --- distros/redhat/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/distros/redhat/CMakeLists.txt b/distros/redhat/CMakeLists.txt index bf4e2b40d..4c9abb6fa 100644 --- a/distros/redhat/CMakeLists.txt +++ b/distros/redhat/CMakeLists.txt @@ -35,7 +35,7 @@ configure_file(nginx/zoneminder.nginx.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zonemi configure_file(nginx/zoneminder.nginx.tmpfiles.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.nginx.tmpfiles.conf @ONLY) configure_file(nginx/zm-web-user.conf ${CMAKE_CURRENT_SOURCE_DIR}/zm-web-user.conf COPYONLY) configure_file(nginx/zoneminder.php-fpm.conf.in ${CMAKE_CURRENT_SOURCE_DIR}/zoneminder.php-fpm.conf @ONLY) -configure_file(nginx/com.zoneminder.systemctl.rules.nginx.in ${CMAKE_CURRENT_SOURCE_DIR}/com.zoneminder.systemctl.rules.nginx COPYONLY) +configure_file(nginx/com.zoneminder.systemctl.rules.nginx ${CMAKE_CURRENT_SOURCE_DIR}/com.zoneminder.systemctl.rules.nginx COPYONLY) # # INSTALLATION STAGE From 7f7fc44b032a528c6be047b5a874dbbeb899f5dd Mon Sep 17 00:00:00 2001 From: Andrew Bauer Date: Sat, 17 Nov 2018 11:01:12 -0600 Subject: [PATCH 3/5] fix nameing of tmpfiles config --- distros/redhat/zoneminder.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/distros/redhat/zoneminder.spec b/distros/redhat/zoneminder.spec index 839c9366f..961884921 100644 --- a/distros/redhat/zoneminder.spec +++ b/distros/redhat/zoneminder.spec @@ -319,7 +319,6 @@ EOF %config(noreplace) %{_sysconfdir}/logrotate.d/zoneminder -%{_tmpfilesdir}/zoneminder.conf %{_unitdir}/zoneminder.service %{_datadir}/polkit-1/actions/com.zoneminder.systemctl.policy %{_bindir}/zmsystemctl.pl @@ -363,6 +362,7 @@ EOF %ghost %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules %{_unitdir}/zoneminder.service.d/zm-apache.conf +%{_tmpfilesdir}/zoneminder.apache.tmpfiles.conf %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_sharedstatedir}/zoneminder %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_sharedstatedir}/zoneminder/events %dir %attr(755,%{zmuid_final},%{zmgid_final}) %{_sharedstatedir}/zoneminder/images @@ -385,6 +385,7 @@ EOF %{_unitdir}/zoneminder.service.d/zm-nginx.conf +%{_tmpfilesdir}/zoneminder.nginx.tmpfiles.conf %dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder %dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder/events %dir %attr(755,nginx,nginx) %{_sharedstatedir}/zoneminder/images From f79a7e49a817aed4226aef87b10eced6432f5d74 Mon Sep 17 00:00:00 2001 From: Andrew Bauer Date: Sat, 17 Nov 2018 11:32:35 -0600 Subject: [PATCH 4/5] rpm subpackages - additional fixes --- distros/redhat/apache/zm-apache.conf.in | 2 +- distros/redhat/common/zoneminder.service.in | 2 -- distros/redhat/zoneminder.spec | 12 ++++++++---- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/distros/redhat/apache/zm-apache.conf.in b/distros/redhat/apache/zm-apache.conf.in index edf3a090d..1a00d8d9b 100644 --- a/distros/redhat/apache/zm-apache.conf.in +++ b/distros/redhat/apache/zm-apache.conf.in @@ -1,4 +1,4 @@ -# Additional config directions for ZoneMinder with Apache web server +# Additional config directives for ZoneMinder with Apache web server [Unit] After=httpd.service diff --git a/distros/redhat/common/zoneminder.service.in b/distros/redhat/common/zoneminder.service.in index 540c2f939..8551a60e2 100644 --- a/distros/redhat/common/zoneminder.service.in +++ b/distros/redhat/common/zoneminder.service.in @@ -7,8 +7,6 @@ After=network.target mariadb.service Requires=mariadb.service [Service] -User=@WEB_USER@ -Group=@WEB_GROUP@ Type=forking ExecStart=@BINDIR@/zmpkg.pl start ExecReload=@BINDIR@/zmpkg.pl restart diff --git a/distros/redhat/zoneminder.spec b/distros/redhat/zoneminder.spec index 961884921..55906516c 100644 --- a/distros/redhat/zoneminder.spec +++ b/distros/redhat/zoneminder.spec @@ -246,12 +246,12 @@ fi # Warn the end user to read the README file echo -e "\nVERY IMPORTANT: Before starting ZoneMinder, you must read the README file\nto finish the installation or upgrade!" -echo -e "\nThe README file is located here: %{_pkgdocdir}/README\n" +echo -e "\nThe README file is located here: %{_pkgdocdir}-common/README\n" %post httpd -ln -s %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.apache %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules +ln -sf %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.apache %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules # backwards compatibility -ln -s %{_sysconfdir}/zm/www/zoneminder.apache.conf %{_sysconfdir}/zm/www/zoneminder.conf +ln -sf %{_sysconfdir}/zm/www/zoneminder.apache.conf %{_sysconfdir}/zm/www/zoneminder.conf # Allow zoneminder access to local video sources, serial ports, and x10 %{_bindir}/gpasswd -a %{zmuid_final} video >/dev/null 2>&1 || : @@ -259,7 +259,9 @@ ln -s %{_sysconfdir}/zm/www/zoneminder.apache.conf %{_sysconfdir}/zm/www/zonemin %post nginx -ln -s %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.nginx %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules +ln -sf %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.nginx %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules +# backwards compatibility +ln -sf %{_sysconfdir}/zm/www/zoneminder.nginx.conf %{_sysconfdir}/zm/www/zoneminder.conf # # TO-DO: configure the README's @@ -358,6 +360,7 @@ EOF %config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm/conf.d/0*.conf %ghost %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm/conf.d/zmcustom.conf %config(noreplace) %{_sysconfdir}/zm/www/zoneminder.apache.conf +%ghost %{_sysconfdir}/zm/www/zoneminder.conf %config(noreplace) %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.apache %ghost %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules @@ -378,6 +381,7 @@ EOF %config(noreplace) %attr(640,root,nginx) %{_sysconfdir}/zm/conf.d/*.conf %ghost %attr(640,root,nginx) %{_sysconfdir}/zm/conf.d/zmcustom.conf %config(noreplace) %{_sysconfdir}/zm/www/zoneminder.nginx.conf +%ghost %{_sysconfdir}/zm/www/zoneminder.conf %config(noreplace) %{_sysconfdir}/zm/www/com.zoneminder.systemctl.rules.nginx %ghost %{_datadir}/polkit-1/rules.d/com.zoneminder.systemctl.rules From 719bdf1270d8bf69377eb75c361f2b5b6e0eb8af Mon Sep 17 00:00:00 2001 From: Andrew Bauer Date: Sat, 17 Nov 2018 11:52:04 -0600 Subject: [PATCH 5/5] rpm subpackages - add readme's --- distros/redhat/readme/README | 12 +- distros/redhat/readme/README.Redhat7 | 175 ------------------ .../readme/{README.Fedora => README.httpd} | 21 +-- distros/redhat/readme/README.nginx | 39 +--- distros/redhat/zoneminder.spec | 3 +- 5 files changed, 21 insertions(+), 229 deletions(-) delete mode 100644 distros/redhat/readme/README.Redhat7 rename distros/redhat/readme/{README.Fedora => README.httpd} (90%) diff --git a/distros/redhat/readme/README b/distros/redhat/readme/README index e25001863..ee7eb66a6 100644 --- a/distros/redhat/readme/README +++ b/distros/redhat/readme/README @@ -21,9 +21,17 @@ What's New You can switch between different subpackages with dnf/yum. Be advised that, if you modified any of the default config files supplied by the package, rpm may not update the config file to the proper version. This is by design. - Use drop-in files instead, to avoid this issue. + To avoid this issue, use drop-in files instead. -4. Continue on to the next README that corresponds to the chosen webserver: +4. If you have installed ZoneMinder from the FedBerry repositories, this build + of ZoneMinder has support for Raspberry Pi hardware acceleration when using + ffmpeg. Unforunately, there is a problem with the same hardware acceleration + when using libvlc. Consequently, libvlc support in this build of ZoneMinder + has been disabled until the problem is resolved. See the following bug + report for details: https://trac.videolan.org/vlc/ticket/18594 + +5. Continue on to the next README that corresponds to the chosen webserver: README.httpd - Follow these steps when using Apache README.nginx - Follow these steps when using Nginx + diff --git a/distros/redhat/readme/README.Redhat7 b/distros/redhat/readme/README.Redhat7 deleted file mode 100644 index c78d02042..000000000 --- a/distros/redhat/readme/README.Redhat7 +++ /dev/null @@ -1,175 +0,0 @@ -What's New -========== - -1. See the ZoneMinder release notes for a list of new features: - https://github.com/ZoneMinder/zoneminder/releases - -2. The contents of the ZoneMinder Apache config file have changed. In - addition, this ZoneMinder package now requires you to manually symlink the - ZoneMinder Apache config file. See new install step 6 and upgrade step 3 - below for details. - -New installs -============ - -1. Unless you are already using MariaDB server, you need to ensure that the - server is configured to start during boot and properly secured by running: - - sudo yum install mariadb-server - sudo systemctl enable mariadb - sudo systemctl start mariadb.service - mysql_secure_installation - -2. Using the password for the root account set during the previous step, you - will need to create the ZoneMinder database and configure a database - account for ZoneMinder to use: - - mysql -uroot -p < /usr/share/zoneminder/db/zm_create.sql - mysql -uroot -p -e "grant all on zm.* to \ - 'zmuser'@localhost identified by 'zmpass';" - mysqladmin -uroot -p reload - - The database account credentials, zmuser/zmpass, are arbitrary. Set them to - anything that suits your environment. - -3. If you have chosen to change the zoneminder database account credentials to - something other than zmuser/zmpass, you must now create a config file under - /etc/zm/conf.d and set your credentials there. For example, create the file - /etc/zm/conf.d/zm-db-user.conf and add the following content to it: - - ZM_DB_USER = {username of the sql account you want to use} - ZM_DB_PASS = {password of the sql account you want to use} - - Once the file has been saved, set proper file & ownership permissions on it: - - sudo chown root:apache *.conf - sudo chmod 640 *.conf - -4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local - timezone. PHP will complain loudly if this is not set, or if it is set - incorrectly, and these complaints will show up in the zoneminder logging - system as errors. - - If you are not sure of the proper timezone specification to use, look at - http://php.net/date.timezone - -5. Disable SELinux - - We currently do not have the resources to create and maintain an accurate - SELinux policy for ZoneMinder on CentOS 7. We will gladly accept pull - reqeusts from anyone who wishes to do the work. In the meantime, SELinux - will need to be disabled or put into permissive mode. - - To immediately disbale SELinux for the current seesion, issue the following - from the command line: - - sudo setenforce 0 - - To permanently disable SELinux, edit /etc/selinux/config and change the - SELINUX line from "enforcing" to "disabled". This change will take - effect after a reboot. - -6. Configure the web server - - This package uses the HTTPS protocol by default to access the web portal, - using the default self signed certificate on your system. Requests using - HTTP will auto-redirect to HTTPS. - - Inspect the web server configuration file and verify it meets your needs: - - /etc/zm/www/zoneminder.conf - - If you are running other web enabled services then you may need to edit - this file to suite. See README.https to learn about other alternatives. - - When in doubt, proceed with the default: - - sudo ln -s /etc/zm/www/zoneminder.conf /etc/httpd/conf.d/ - sudo yum install mod_ssl - -7. Now start the web server: - - sudo systemctl enable httpd - sudo systemctl start httpd - -8. Now start zoneminder: - - sudo systemctl enable zoneminder - sudo systemctl start zoneminder - -9. Optionally configure the firewall - - All Redhat distros ship with the firewall enabled. That means you will not - be able to access the ZoneMinder web console from a remote machine until - changes are made to the firewall. - - What follows are a set of minimal commands to allow remote access to the - ZoneMinder web console and also allow ZoneMinder's ONVIF discovery to - work. The following commands do not put any restrictions on which remote - machine(s) have access to the listed ports or services. - - sudo firewall-cmd --permanent --zone=public --add-service=http - sudo firewall-cmd --permanent --zone=public --add-service=https - sudo firewall-cmd --permanent --zone=public --add-port=3702/udp - sudo firewall-cmd --reload - - Additional changes to the firewall may be required, depending on your - security requirements and how you use the system. It is up to you to verify - these commands are sufficient. - -10. Access the ZoneMinder web console - - You may now access the ZoneMinder web console from your web browser using - an appropriate url. Here are some examples: - - http://localhost/zm (works from the local machine only) - http://{machine name}/zm (works only if dns is configured for your network) - http://{ip address}/zm - -Upgrades -======== - -1. Conf.d folder support has been added to ZoneMinder. Any custom - changes previously made to zm.conf must now be made in one or more custom - config files, created under the conf.d folder. Do this now. See - /etc/zm/conf.d/README for details. Once you recreate any custom config changes - under the conf.d folder, they will remain in place indefinitely. - -2. Verify permissions of the zmuser account. - - Over time, the database account permissions required for normal operation - have increased. Verify the zmuser database account has been granted all - permission to the ZoneMinder database: - - mysql -uroot -p -e "show grants for zmuser@localhost;" - - See step 2 of the Installation section to add missing permissions. - -3. Verify the ZoneMinder Apache configuration file in the folder - /etc/zm/www. You will have a file called "zoneminder.conf" and there - may also be a file called "zoneminder.conf.rpmnew". If an rpmnew file - exists, inspect it and merge anything new in that file with zoneminder.conf. - Verify the SSL REquirements meet your needs. Read README.https if necessary. - - The contents of this file must be merged into your Apache configuration. - See step 6 of the installation section if you have not already done this - during a previous upgrade. - -4. Upgrade the database before starting ZoneMinder. - - Most upgrades can be performed by executing the following command: - - sudo zmupdate.pl - - Recent versions of ZoneMinder don't require any parameters added to the - zmupdate command. However, if ZoneMinder complains, you may need to call - zmupdate in the following manner: - - sudo zmupdate.pl --user=root --pass= --version= - -5. Now restart the web server then start zoneminder: - - sudo systemctl restart httpd - sudo systemctl start zoneminder - - diff --git a/distros/redhat/readme/README.Fedora b/distros/redhat/readme/README.httpd similarity index 90% rename from distros/redhat/readme/README.Fedora rename to distros/redhat/readme/README.httpd index 9c5061e28..d85fe7c27 100644 --- a/distros/redhat/readme/README.Fedora +++ b/distros/redhat/readme/README.httpd @@ -1,17 +1,8 @@ -What's New -========== - -1. See the ZoneMinder release notes for a list of new features: - https://github.com/ZoneMinder/zoneminder/releases - -2. The contents of the ZoneMinder Apache config file have changed. In - addition, this ZoneMinder package now requires you to manually symlink the - ZoneMinder Apache config file. See new install step 6 and upgrade step 3 - below for details. - New installs ============ +NOTE: EL7 users should replace "dnf" with "yum" in the instructions below. + 1. Unless you are already using MariaDB server, you need to ensure that the server is configured to start during boot and properly secured by running: @@ -77,14 +68,14 @@ New installs Inspect the web server configuration file and verify it meets your needs: - /etc/zm/www/zoneminder.conf + /etc/zm/www/zoneminder.apache.conf If you are running other web enabled services then you may need to edit this file to suite. See README.https to learn about other alternatives. When in doubt, proceed with the default: - sudo ln -s /etc/zm/www/zoneminder.conf /etc/httpd/conf.d/ + sudo ln -s /etc/zm/www/zoneminder.apache.conf /etc/httpd/conf.d/ sudo dnf install mod_ssl 7. Now start the web server: @@ -146,8 +137,8 @@ Upgrades See step 2 of the Installation section to add missing permissions. 3. Verify the ZoneMinder Apache configuration file in the folder - /etc/zm/www. You will have a file called "zoneminder.conf" and there - may also be a file called "zoneminder.conf.rpmnew". If the rpmnew file + /etc/zm/www. You will have a file called "zoneminder.apache.conf" and there + may also be one or more files with "rpmnew" extenstion. If the rpmnew file exists, inspect it and merge anything new in that file with zoneminder.conf. Verify the SSL REquirements meet your needs. Read README.https if necessary. diff --git a/distros/redhat/readme/README.nginx b/distros/redhat/readme/README.nginx index 90d760952..5f425a2df 100644 --- a/distros/redhat/readme/README.nginx +++ b/distros/redhat/readme/README.nginx @@ -1,24 +1,3 @@ -What's New -========== - -1. See the ZoneMinder release notes for a list of new features: - https://github.com/ZoneMinder/zoneminder/releases - -2. The contents of the ZoneMinder Apache config file have changed. In - addition, this ZoneMinder package now requires you to manually symlink the - ZoneMinder Apache config file. See new install step 6 and upgrade step 3 - below for details. - -3. This is an experimental build of ZoneMinder supporting nginx, rather than - apache web server. - -4. If you have installed ZoneMinder from the FedBerry repositories, this build - of ZoneMinder has support for Raspberry Pi hardware acceleration when using - ffmpeg. Unforunately, there is a problem with the same hardware acceleration - when using libvlc. Consequently, libvlc support in this build of ZoneMinder - has been disabled until the problem is resolved. See the following bug - report for details: https://trac.videolan.org/vlc/ticket/18594 - New installs ============ @@ -52,7 +31,7 @@ New installs Once the file has been saved, set proper file & ownership permissions on it: - sudo chown root:apache *.conf + sudo chown root:nginx *.conf sudo chmod 640 *.conf 4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local @@ -96,19 +75,7 @@ New installs sudo ln -s /etc/zm/www/zoneminder.conf /etc/nginx/default.d/ -7. Fcgiwrap is required when using ZoneMinder with Nginx. At the time of this - writing, fcgiwrap is not yet available in the Fedora repos. Until it - becomes available, you may install it from my Copr repository: - - https://copr.fedorainfracloud.org/coprs/kni/fcgiwrap/ - - Follow the intructions on that site to enable the repo. Once enabled, - install fcgiwrap: - - sudo dnf install fcgiwrap - - After fcgiwrap is installed, it must be configured. Edit - /etc/sysconfig/fcgiwrap and set DAEMON_PROCS to the maximum number of +7. Edit /etc/sysconfig/fcgiwrap and set DAEMON_PROCS to the maximum number of simulatneous streams the server should support. Generally, a good minimum value for this equals the total number of cameras you expect to view at the same time. @@ -193,7 +160,7 @@ Upgrades sudo zmupdate.pl --user=root --pass= --version= -5. Now restart nginx and php-fpm then start and zoneminder: +5. Now restart nginx and php-fpm then start zoneminder: sudo systemctl restart nginx sudo systemctl restart php-fpm diff --git a/distros/redhat/zoneminder.spec b/distros/redhat/zoneminder.spec index 55906516c..f75339706 100644 --- a/distros/redhat/zoneminder.spec +++ b/distros/redhat/zoneminder.spec @@ -166,6 +166,7 @@ Summary: ZoneMinder configuration for Nginx web server Requires: %{name}-common%{?_isa} = %{version}-%{release} Requires: nginx Requires: php-fpm +Requires: fcgiwrap Conflicts: %{name}-httpd @@ -308,7 +309,7 @@ EOF %files common %license COPYING -%doc AUTHORS README.md distros/redhat/readme/README distros/redhat/readme/README.https +%doc AUTHORS README.md distros/redhat/readme/README distros/redhat/readme/README.httpd distros/redhat/readme/README.nginx distros/redhat/readme/README.https # We want these two folders to have "normal" read permission # compared to the folder contents