Category Archives: Security

Products Security Virtualization

Unifi Video on CentOS Via Docker

Published by:

I recently got a UniFi Video Camera Dome to evaluate. It can be used standalone, but to get the most out of the camera it’s a good idea to run the UniFi Video server. This software provides management for the cameras and recordings. Unfortunately, my home NAS is EL based (CentOS 6), and they only provide Debian and Ubuntu .deb packages. I found some instructions online involving alien to convert .deb to .rpm, and others involving extracting the .deb, installing the java files, rewriting the init script, etc. Instead, I decided to use Docker to create an image that had the necessary Ubuntu dependencies. This is simpler than building a VM, and provides direct access for the Docker container to my NAS filesystem.

Prerequisites:

  • Any OS with Docker daemon. Setting up your system for Docker is outside of the scope of this post, but there are plenty of easy to find instructions for a wide array of operating systems. Oh, one other thing. It needs to support SO_REUSEADDR, due to a dependency that the UniFi software has. For linux this means kernel 3.9+, which you’ll probably already have if you’re running Docker. For CentOS 6, see https://wiki.centos.org/Cloud/Docker. If you need a kernel, El Repo is always a good source.
  • A filesystem capable of holding at least a few tens of gigs for videos. For my example I use a fictitious path “/local/video/data”.
  • The URL to the UniFi Video .deb package for Ubuntu 14.04. This can be found on the ubnt.com support site.

First, we pull the prerequisite Ubuntu image, download the .deb to the video path so we’ll have it in the container, and launch the Ubuntu container. When we launch the container we’re going to do so in interactive mode, linking the host’s network to the container, and mapping the host’s selected video filesystem to the container’s unifi-video path:

docker pull ubuntu:14.04

wget -O /local/video/data/unifi-video.deb http://dl.ubnt.com/firmwares/unifi-video/3.1.2/unifi-video_3.1.2-Ubuntu14.04_amd64.deb

docker run -t -i --net=host -v /local/video/data:/var/lib/unifi-video/videos ubuntu:14.04

 

At this point we should be in a prompt within the container. We’re simply going to install the .deb and its dependencies:

 

apt-get update

dpkg -i /var/lib/unifi-video/videos/unifi-video.deb #errors are ok

apt-get install -f #(to fix/install dependencies)
exit

 

Now we should be out of the container. We’re going to commit our changes, making a new container image, and then run an instance of that container, starting the unifi software and then tailing /dev/null to keep the container running.

 

docker ps -a # find container id

docker commit <container id> unifi-video:1

docker run -d --privileged=true --net=host -v /local/video/data:/var/lib/unifi-video/videos unifi-video:1 /bin/bash -c "/etc/init.d/unifi-video start; tail -f /dev/null"

 

That’s it. At this point you should be able to go to http://<server ip>:7080 or 7443 and see the UniFi software.

While this is fairly easy and straightforward, it’s also a fairly naive way to deploy software in a container.  Normally you’d want to just have the necessary Java components and launch the java process itself, rather than using a whole pseudo OS, but it gets the job done quickly.

Linux Security Troubleshooting

Snort in the Right Place

Published by:

So, this morning I was installing the latest Snort from RPM at home, and ran into an issue that kept me busy for a little while. Basically what had happened was that snort was not logging to the mysql database.  I had defined my output properly in /etc/snort/snort.conf, and even verified that snort could log in, but it wasn’t even attempting to write to it. I immediately found that it was writing text files in /var/log/snort, but it took me a bit to realize that ALERTMODE was set to ‘fast’ in /etc/sysconfig/snort. This bypasses any database config you might have.  A pretty embarrassing mistake, but since I found a lot of people on forums out there with the same problem and nobody posting solutions, I figured I’d better share.