redhat rpm packaging modifications
parent 04fcc253bd
commit dc9a5b13fe
|
@ -1,23 +1,19 @@
|
|||
|
||||
What's New
|
||||
==========
|
||||
|
||||
1. The Apache ScriptAlias has been changed from "/cgi-bin/zm/zms" to
|
||||
"/cgi-bin-zm/zms". This has been to done to avoid this bug:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=973067
|
||||
1. The ZoneMinder mysql account now requires "Create" permission. This change
|
||||
must be done manually before ZoneMinder will run. See the installation steps
|
||||
below.
|
||||
|
||||
IMPORTANT: ZoneMinder will not update this value during an upgrade. You must
|
||||
manually update ZM_PATH_ZMS yourself under Options. This does not affect
|
||||
new installs.
|
||||
2. A new permission group called "Groups" has been added. This allows the
|
||||
system administrator to assign "view", "edit", or "none" permission to
|
||||
normal users, without giving them access to the rest of the ZoneMinder
|
||||
system. During an upgrade, existing accounts will default to a Groups
|
||||
permission of "none".
|
||||
|
||||
2. During an rpm package upgrade, zmupdate.pl will now auto-update the database
|
||||
and the zonemidner service will restart automatically.
|
||||
|
||||
3. The ZoneMinder config file, zm.conf, has been moved under /etc/zm.
|
||||
|
||||
4. Systemd. CentOS 7 uses Systemd instead of the legacy Sys V Init. Under the
|
||||
hood, Systemd does things quite a bit differently. Prepare to go through a
|
||||
learning curve if you have not done so already.
|
||||
3. This package now requires the HTTPS protocol to access the web portal.
|
||||
Requests using HTTP will auto-redirect to HTTPS. See README.https for
|
||||
more information.
|
||||
|
||||
New installs
|
||||
============
|
||||
|
@ -36,7 +32,7 @@ New installs
|
|||
|
||||
mysql -u root -p < /usr/share/zoneminder/db/zm_create.sql
|
||||
mysql -u root -p
|
||||
mysql> grant select,insert,update,delete,lock tables,alter, create
|
||||
mysql> grant select,insert,update,delete,lock tables,alter,create
|
||||
on zm.* to 'zmuser'@localhost identified by 'zmpass';
|
||||
mysql> exit;
|
||||
mysqladmin -u root -p reload
|
||||
|
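Review bot: the context line directly under the changed grant still creates the account with the literal password 'zmpass' (`identified by 'zmpass'`), so anyone who pastes the example ends up with a database credential that is printed in the README. Since the statement is being touched anyway, suggest replacing the value with a placeholder such as <zm_db_password> and adding a sentence telling the reader to choose their own.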
@ -50,21 +46,22 @@ New installs
|
|||
step.
|
||||
|
||||
4. Edit /etc/php.ini, uncomment the date.timezone line, and add your local
|
||||
timezone. For whatever reason, PHP will complain loudly if this is not set,
|
||||
or if it is set incorrectly, and these complaints will show up in the
|
||||
zoneminder logging system as errors.
|
||||
timezone. PHP will complain loudly if this is not set, or if it is set
|
||||
incorrectly, and these complaints will show up in the zoneminder logging
|
||||
system as errors.
|
||||
|
||||
If you are not sure of the proper timezone specification to use, look at
|
||||
http://php.net/date.timezone
|
||||
|
||||
5. This package will automatically configure and install an SELinux policy
|
||||
called local_zoneminder. A copy of this policy is in the documentation
|
||||
folder.
|
||||
5. Disable SELinux
|
||||
|
||||
We currently do not have the resources to create and maintain an accurate
|
||||
SELinux policy for ZoneMinder on CentOS 7. We will gladly accept pull
|
||||
reqeusts from anyone who wishes to do the work. In the meantime, SELinux
|
||||
will need to be disabled or put into permissive mode.
|
||||
|
||||
Maintaining an accurate SELinux policy file that does not create issues has
|
||||
been a struggle. If SELinux blocks nortmal ZoneMinder acitivity, or you
|
||||
feel you just don't need it, SELinux can be disabled for the current running
|
||||
session with the following command:
|
||||
To immediately disbale SELinux for the current seesion, issue the following
|
||||
from the command line:
|
||||
|
||||
sudo setenforce 0
|
||||
|
||||
|
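Review bot: step 5 is headed "Disable SELinux", but the command it gives, `sudo setenforce 0`, puts the whole host into permissive mode until the next reboot; it neither disables SELinux nor limits the change to ZoneMinder. Suggest retitling the step to match what the command does, saying that the setting does not persist across a reboot, and offering the narrower option of making only the affected domain permissive with `semanage permissive -a <domain>`. The new text also has typos to fix before merge: "reqeusts", "disbale", "seesion".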
@ -99,7 +96,7 @@ Upgrades
|
|||
|
||||
2. Verify permissions of the zmuser account.
|
||||
|
||||
Overtime, the database account permissions required for normal operation
|
||||
Over time, the database account permissions required for normal operation
|
||||
have changed. Verify the zmuser database account has been granted select,
|
||||
insert, update, delete, lock tables, alter, and create permission to the
|
||||
ZoneMinder database:
|
||||
|
@ -108,20 +105,26 @@ Upgrades
|
|||
mysql> show grants for zmuser@localhost;
|
||||
mysql> exit;
|
||||
|
||||
3. Verify the database was upgraded automatically.
|
||||
See step 2 of the Installation section to add missing permissions.
|
||||
|
||||
From the web console, ZoneMinder should show a status of "Running", and the
|
||||
version number should have incremented.
|
||||
3. Verify the ZoneMinder Apache configuration file in the folder
|
||||
/etc/httpd/conf.d. You will have a file called "zoneminder.conf" and there
|
||||
may also be a file called "zoneminder.conf.rpmnew". If the rpmnew file
|
||||
exists, inspect it and merge anything new in that file with zoneminder.conf.
|
||||
|
||||
If it is not running, then try to start it. The web console will indicate
|
||||
if there is a database version conflict. If this is the case, then you may
|
||||
need to manually update the database from the command line:
|
||||
4. Upgrade the database before starting ZoneMinder.
|
||||
|
||||
Most upgrades can be performed by executing the following command:
|
||||
|
||||
sudo zmupdate.pl
|
||||
|
||||
Modern versions of ZoneMinder don't require any parameters added to the
|
||||
Recent versions of ZoneMinder don't require any parameters added to the
|
||||
zmupdate command. However, if ZoneMinder complains, you may need to call
|
||||
zmupdate in the following manner:
|
||||
|
||||
sudo zmupdate.pl --user=root --pass=<mysql_root_pwd> --version=<from version>
|
||||
|
||||
5. Now start zoneminder:
|
||||
|
||||
sudo systemctl start zoneminder
|
||||
|
||||
|
|
|
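Review bot: the fallback command in step 4, `sudo zmupdate.pl --user=root --pass=<mysql_root_pwd> --version=<from version>`, puts the MySQL root password on the command line, where it is saved in shell history and is visible in the process list while the script runs. Suggest a sentence next to it that names this exposure and advises running it from a session whose history is not kept. Separately, the new cross-reference "See step 2 of the Installation section" points at a section this file titles "New installs"; use the same name in both places.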
@ -0,0 +1,25 @@
|
|||
HTTPS is now a requirement
|
||||
==========================
|
||||
|
||||
This package now depends on Apache's mod_ssl pacakge. This will automatically
|
||||
be installed along with ZoneMinder. Upon installation, the mod_ssl package
|
||||
will create a default, self-signed certificate. This is the certificate that
|
||||
ZoneMinder will use out of the box.
|
||||
|
||||
Since the certificate is self-signed, you will get a warning from your browser
|
||||
the first time you access the web portal. This is normal.
|
||||
|
||||
This is not intended to be an all encompasing solution for everyone. ZoneMinder
|
||||
will work just fine over HTTPS the way it is currently configured. However,
|
||||
here are a couple of considerations you may want to take.
|
||||
|
||||
1. Create your own certificate. The CentOS wiki has a guide that describes how
|
||||
to do this: https://wiki.centos.org/HowTos/Https . Additionally, Googling
|
||||
"centos certificate" reveals many articles on the subject. Note that some
|
||||
third party applications, such as zmNinja, will require you to create a
|
||||
certificate different than the default certificate on your machine.
|
||||
|
||||
2. You can turn off HTTPS entirely by simply commenting out the SSLRequireSSL
|
||||
directives found in /etc/httpd/conf.d/zoneminder.conf. You should also
|
||||
comment out the HTTP -> HTTPS Rewrite rule.
|
||||
|
|
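Review bot: item 2 explains how to turn HTTPS off (comment out the `SSLRequireSSL` directives and the rewrite rule) without saying what that costs: the ZoneMinder login and the camera images then cross the network in cleartext. Suggest adding that sentence and limiting the advice to hosts reachable only from a trusted network. In the same file, "This is normal" for the self-signed certificate warning would read better paired with a recommendation to replace the default certificate, as item 1 describes, before the portal is exposed beyond the local network. Typos: "pacakge", "encompasing".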
@ -1,16 +1,17 @@
|
|||
# When using Zoneminder's own authentication, recorded CCTV images are
|
||||
# accessible from the web directly without passing the authentication. This
|
||||
# means any attacker could see your CCTV images without a password. In order
|
||||
# to avoid this you can disable Zoneminder's authentication and configure
|
||||
# standard Apache authentication (see the Apache documentation for details on
|
||||
# this).
|
||||
#
|
||||
# If you still wish to use Zoneminder's own authentication, or have an
|
||||
# internal site which needs no authentication, you need to delete the line
|
||||
# marked below and restart Apache.
|
||||
# ZoneMinder Apache configuration file
|
||||
# With SSLRequire and HTTPS auto redirect
|
||||
# Modify this configuration to suit your requirements
|
||||
#
|
||||
|
||||
# Auto Redirect HTTP requests to HTTPS
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTPS} !=on
|
||||
RewriteRule ^/?(zm)(.*) https://%{SERVER_NAME}/$1$2 [R,L]
|
||||
|
||||
Alias /zm "@ZM_WEBDIR@"
|
||||
<Directory "@ZM_WEBDIR@">
|
||||
SSLRequireSSL
|
||||
Options -Indexes +MultiViews +FollowSymLinks
|
||||
AllowOverride All
|
||||
<IfModule mod_authz_core.c>
|
||||
|
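Review bot: the header comment dropped at the top of this file warned that recorded images are reachable "without passing the authentication" when ZoneMinder's own authentication is used, and nothing in the lines that replace it addresses that: `SSLRequireSSL` and the redirect enforce transport encryption, not authentication. Suggest keeping the warning, or stating in the commit message why it no longer applies. Separately, `RewriteRule ^/?(zm)(.*)` also matches any path that merely begins with "zm"; anchoring it as `^/?zm(/.*)?$` with the target `https://%{SERVER_NAME}/zm$1` would limit the redirect to the /zm alias.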
@ -22,12 +23,11 @@ Alias /zm "@ZM_WEBDIR@"
|
|||
Order deny,allow
|
||||
Allow from all
|
||||
</IfModule>
|
||||
# ZoneMinder no longer uses short tags so this is safe to leave disabled
|
||||
# php_value short_open_tag 1
|
||||
</Directory>
|
||||
|
||||
ScriptAlias /cgi-bin-zm "@ZM_CGIDIR@"
|
||||
<Directory "@ZM_CGIDIR@">
|
||||
SSLRequireSSL
|
||||
AllowOverride All
|
||||
Options +ExecCGI +FollowSymLinks
|
||||
<IfModule mod_authz_core.c>
|
||||
|
@ -40,3 +40,4 @@ ScriptAlias /cgi-bin-zm "@ZM_CGIDIR@"
|
|||
Allow from all
|
||||
</IfModule>
|
||||
</Directory>
|
||||
|
||||
|
|
|
@ -32,8 +32,8 @@ BuildRequires: ffmpeg ffmpeg-devel perl(X10::ActiveHome) perl(Astro::SunTime)
|
|||
# cmake needs the following installed at build time due to the way it auto-detects certain parameters
|
||||
BuildRequires: httpd polkit-devel
|
||||
|
||||
Requires: httpd php php-gd php-mysql mariadb-server polkit net-tools psmisc
|
||||
Requires: libjpeg-turbo vlc-core libcurl
|
||||
Requires: httpd php php-gd php-mysql mariadb-server polkit net-tools mod_ssl
|
||||
Requires: psmisc libjpeg-turbo vlc-core libcurl
|
||||
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
|
||||
Requires: perl(DBD::mysql) perl(Archive::Tar) perl(Archive::Zip)
|
||||
Requires: perl(MIME::Entity) perl(MIME::Lite) perl(Net::SMTP) perl(Net::FTP)
|
||||
|
@ -87,20 +87,27 @@ fi
|
|||
/usr/bin/gpasswd -a %{zmuid_final} video
|
||||
/usr/bin/gpasswd -a %{zmuid_final} dialout
|
||||
|
||||
# Disabled. SELinux policy does not work for RHEL 7.
|
||||
# Create and load zoneminder selinux policy module
|
||||
echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wait.\n"
|
||||
/usr/bin/checkmodule -M -m -o %{_docdir}/%{name}-%{version}/local_zoneminder.mod %{_docdir}/%{name}-%{version}/local_zoneminder.te > /dev/null
|
||||
/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null
|
||||
/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null
|
||||
#echo -e "\nCreating and installing a ZoneMinder SELinux policy module. Please wait.\n"
|
||||
#/usr/bin/checkmodule -M -m -o %{_docdir}/%{name}-%{version}/local_zoneminder.mod %{_docdir}/%{name}-%{version}/local_zoneminder.te > /dev/null
|
||||
#/usr/bin/semodule_package -o %{_docdir}/%{name}-%{version}/local_zoneminder.pp -m %{_docdir}/%{name}-%{version}/local_zoneminder.mod > /dev/null
|
||||
#/usr/sbin/semodule -i %{_docdir}/%{name}-%{version}/local_zoneminder.pp > /dev/null
|
||||
|
||||
# Upgrade from a previous version of zoneminder
|
||||
if [ $1 -eq 2 ] ; then
|
||||
# Freshen the database
|
||||
/usr/bin/zmupdate.pl -f
|
||||
|
||||
# We can't run this automatically when new sql account permissions need to
|
||||
# be manually added first
|
||||
# Run zmupdate non-interactively
|
||||
/usr/bin/zmupdate.pl --nointeractive
|
||||
#/usr/bin/zmupdate.pl --nointeractive
|
||||
fi
|
||||
|
||||
# Display the README for post installation instructions
|
||||
/usr/bin/less %{_docdir}/%{name}-%{version}/README.Centos7
|
||||
# Warn the end user to read the README file
|
||||
echo -e "/nVERY IMPORTANT: Before starting ZoneMinder, read README.Centos7 to finish the\ninstallation or upgrade!\n"
|
||||
echo -e "/nThe README file is located here: %{_docdir}/%{name}-%{version}."
|
||||
|
||||
%preun
|
||||
if [ $1 -eq 0 ] ; then
|
||||
|
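Review bot: both new `echo -e` lines begin with "/n" instead of "\n", so the literal characters /n are printed in front of "VERY IMPORTANT" and "The README file is located here"; change them to `\n`. In the upgrade branch, the comment "# Run zmupdate non-interactively" now sits above a commented-out command and could be dropped along with it, and the visible lines do not check the exit status of `/usr/bin/zmupdate.pl -f`, so a failed freshen would pass silently during the upgrade.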
@ -184,6 +191,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Sep 7 2015 Andrew Bauer <knnniggett@users.sourceforge.net> - 1.28.1
|
||||
- Require https, disable selinux module, freshen dB on updates.
|
||||
|
||||
* Sun Feb 8 2015 Andrew Bauer <knnniggett@users.sourceforge.net> - 1.28.1
|
||||
- Initial release for CentOS 7.
|
||||
|
||||
|
|
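Review bot: the new changelog entry carries the same "1.28.1" tag as the Feb 8 entry, and no hunk in this diff touches the spec header, so the rebuilt package appears to keep the previous version-release. Since this build changes behaviour (HTTPS required, SELinux module no longer installed), suggest bumping Release and writing the full version-release in the changelog line so the two builds can be told apart on installed systems.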