[Resolved] Issue changing the apache user/group

[Spart]

First of all, yes I know what I'm doing isn't recommended. I'm aware of the drawbacks, particularly regarding updates, when not using the default apache user/group for ZoneMinder. My setup is a Cent OS 7.3 machine running Asterisk/FreePBX and ZoneMinder 1.30.4, among other things, together on one machine.

I know that the best way to do this is with VMs, but I have some PSTN hardware constraints that would prevent Asterisk from working properly on a VM.

I also know that the next best way to do this is with separate hardware, but that's not an option due to our space and heat dissipation ability at this location, as well as not being economical. This server is replacing another server that has been chugging along for four years with ZM and Asterisk/FreePBX working in harmony.

With all of that out of the way, I have ZoneMinder and Asterisk playing nice. My Apache user/group is "asterisk" and that's what ZM is running on as well.

However, whenever I reboot, the user/group ownership of the sock and temp directories in /var/lib/zoneminder are inexplicably reset to apache:apache. The ZoneMinder service will not start until I chown -R those back to asterisk:asterisk, but after I do that it works fine. Before that, I get the following:

Code: Select all

Sep 28 09:12:55 localhost.localdomain zmdc[1597]: FAT [Can't bind to /var/lib/zoneminder/sock/zmdc.sock: Permission denied]
Sep 28 09:13:03 localhost.localdomain zmdc[1593]: FAT [Can't connect: No such file or directory]
Sep 28 09:13:03 localhost.localdomain zmpkg[1581]: ERR [Unable to run "/usr/bin/zmdc.pl startup", output is "Starting server"]
Sep 28 09:13:03 localhost.localdomain systemd[1]: zoneminder.service: control process exited, code=exited status=255
Sep 28 09:13:03 localhost.localdomain systemd[1]: Failed to start ZoneMinder CCTV recording and security system.
Sep 28 09:13:03 localhost.localdomain systemd[1]: Unit zoneminder.service entered failed state.
Sep 28 09:13:03 localhost.localdomain systemd[1]: zoneminder.service failed.

I'd like to fix this without dirty hacks. What is changing the owner on those directories and how do I stop or correct it? The ZoneMinder service isn't set to run automatically, and after I make the change and start it for the first time, it doesn't mess with the permissions. So I don't think that's the issue.

My /etc/zm/zm.conf files has ZM_WEB_USER and ZM_WEB_GROUP set to asterisk. Am I missing somewhere else that I need to make that change?

[Baylink]

I'm just gonna go ahead and blame systemd, if that's ok with you.

[Spart]

How so? This is the contents of /etc/systemd/system/multi-user.target.wants/zoneminder.service

Code: Select all

# ZoneMinder systemd unit file for CentOS 7

[Unit]
Description=ZoneMinder CCTV recording and security system
After=network.target mariadb.service httpd.service
Requires=mariadb.service httpd.service

[Service]
User=asterisk
Group=asterisk
Type=forking
ExecStart=/usr/bin/zmpkg.pl start
ExecReload=/usr/bin/zmpkg.pl restart
ExecStop=/usr/bin/zmpkg.pl stop
PIDFile=/var/run/zoneminder/zm.pid
Environment=TZ=/etc/localtime
RuntimeDirectory=zoneminder
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target

The user and group are specified correctly there as "asterisk" instead of "apache"

Also, once I reset the user/group on those two dirs back to "asterisk" after booting, running "systemctl start zoneminder.service" works perfectly.

Are you saying there may be another service that's changing the ownership of those directories at boot? If so, what might that be?

[Baylink]

I would be betting on the Apache service itself. Or perhaps it's called the httpd service in that distribution. Is it deterministic which order those two start in?

My comment was mostly a vast and considered distaste for the design of systemd in the first place rather than an actual target to shoot at, but I'd say the odds are pretty good there's an actual target there to shoot at.

[knight-of-ni]

Since you are aware of the drawbacks, why not just avoid them altogether?

This kind of scenario is exactly why I wrote the following instructions:
http://zoneminder.readthedocs.io/en/lat ... er-package

Specifically, what you want to do is download zoneminder 1.30.4 source rpm from rpmfusion.
Install it as a normal user, modify the zoneminder spec file to set the user & group to asterisk, instead of apache, and then rebuild the package.

Solves all your problems.

When finished, you will need to either disable the zmrepo/rpmfusion repos on your system, or you need to add an "exclude=zoneminder" statement to keep a future update from overwriting your own package.

[Spart]

I would be betting on the Apache service itself. Or perhaps it's called the httpd service in that distribution. Is it deterministic which order those two start in?

My comment was mostly a vast and considered distaste for the design of systemd in the first place rather than an actual target to shoot at, but I'd say the odds are pretty good there's an actual target there to shoot at.

httpd is setup to run as asterisk... it doesn't really make any sense at all that if httpd were the culprit, that it would *only* be modifying two folders in /var/lib/zoneminder? httpd has no reason to be aware of the /var/lib/zoneminder directory. Seems far more likely to me that it's something a ZM related process is doing.

Since you are aware of the drawbacks, why not just avoid them altogether?

Because I've gotten ZM and Asterisk/FreePBX to play nicely together before, and back then it wasn't recommended either. If I can have one server instead of two (or five, or ten) I'm going to go that route.

This kind of scenario is exactly why I wrote the following instructions:
[snip]

I really appreciate the help. I actually had read through that part of the readthedocs site, but it's not specifically mentioned in there that building your own package is a way to change the apache user. So I didn't bother pursuing that route. Perhaps including the information you just gave me in your post about changing the apache user could help prevent this situation in the future?

[Spart]

With the above post in mind, I have a few questions. First, from the readthedocs site:

Be advised that you need to start with a clean system before installing ZoneMinder.

I have a feeling that I'm going to create more problems by trying to replace my ZM install from the repo with my own altered package.

So am I able to replicate whatever would have been changed by altering the zoneminder spec file on my install? Or are you saying that the apache user is now hardcoded somewhere? Or is there some uncompiled file I can alter that will fix this?

If the apache user is indeed hardcoded somewhere, why on earth isn't it reading the settings from zm.conf?

[Baylink]

You're right. I was paying insufficient attention to which objects were having their ownerships set incorrectly.

[knight-of-ni]

When I asked the question, "why not avoid the problem altogether?", I was simply using that a segue to building your own package. To put it another way, THE way to avoid the problem altogether, is to build your own package. We have instructions that show you how to do this.

The warning on our readthedocs site, in the chapter titled "How to Avoid Known Installation Problems", applies when installing packages which are already built for you. It does not apply when you build your own package, because you are now building the package to suit your environment, rather than the clean environment the zoneminder packages on rpmfusion where built from. To put it another way, by rebuilding the package to suit, you are redefining the target environment the package is compatible with. You are changing the rules.

Set up your environment for building rpms:
http://zoneminder.readthedocs.io/en/lat ... nvironment

Follow all the steps line by line. I tried to make the commands in the instructions as copy-and-pasteable as possible.
Make sure and follow the steps linked to on the CentOS site.
https://wiki.centos.org/HowTos/SetupRpmBuildEnvironment

Now grab a zoneminder source rpm from rpmfusion and install it.
Next, edit the file ~/rpmbuild/SPECS/zoneminder.spec
Change the top to two lines that set the user & group. That's it. Two lines. No kidding. It's that easy.
You then turn that specfile into a new source rpm
Lastly, you use mock to build your new source rpm in a new zoneminder rpm.

Mock runs in a chroot, so you can't screw up your system. All the packages zoneminder needs to build are only in the chroot.

The commands will look something like this after you have your build environment set up:

Code: Select all

wget http://download1.rpmfusion.org/free/el/updates/7/SRPMS/z/zoneminder-1.30.4-3.el7.src.rpm
rpm -ivh zoneminder-1.30.4-3.el7.src.rpm
vi ~/rpmbuild/SPECS/zoneminder.spec
rpmbuild -bs --nodeps ~/rpmbuild/SPECS/zoneminder.spec
mock -r epel-7-x86_64-rpmfusion_free ~/rpmbuild/SRPMS/zoneminder-1.30.4-3.el7.src.rpm

[Spart]

Is there a good way to clean up or remove my existing install of zoneminder so I don't have to flush the whole OS and start over on everything?

[knight-of-ni]

Sometimes yum/rpm will detect modified files and not remove them during an uninstall so....

First, yum uninstall zoneminder.

Then check for & delete zoneminder related files in these folders:
/var/lib/systemd/system/zoneminder.service
/etc/zm
/usr/share/zoneminder
/var/lib/zoneminder <- your events folder is here. You can back that up but it would be easier to just delete it

If you don't need to keep anything, it would be simplest to just dump the database:
mysql -uroot -p
drop database zm;
exit

This will get you back to square one.

[Spart]

Excellent thank you, I'll give it a shot and report back.

[Spart]

Alright, so that didn't work.

One thing I noticed in your instructions on readthedocs is that it suggests using the Zmrepo site, but it appears that's out of date. As I write this, you can only get 1.30.4-1 from https://zmrepo.zoneminder.com/el/7/SRPMS/ but I noticed you linked to rpmfusion which has 1.30.4-3:http://download1.rpmfusion.org/free/el/ ... 7/SRPMS/z/ I'm not sure how much that matters, but I did use rpmfusion and 1.30.4-3.

Anyway, these are the actual commands I ended up running in lieu of those under the "Build from SRPM" section here: http://zoneminder.readthedocs.io/en/lat ... er-package

Code: Select all

wget -P ~/rpmbuild/SRPMS http://download1.rpmfusion.org/free/el/updates/7/SRPMS/z/zoneminder-1.30.4-3.el7.src.rpm
rpm -ivh ~/rpmbuild/SRPMS/zoneminder-1.30.4-3.el7.src.rpm
vi ~/rpmbuild/SPECS/zoneminder.spec
(edited top two lines, changed from apache to asterisk)
rpmbuild -bs --nodeps ~/rpmbuild/SPECS/zoneminder.spec
mock -r epel-7-x86_64-rpmfusion_free ~/rpmbuild/SRPMS/zoneminder-1.30.4-3.el7.src.rpm
sudo yum localinstall /var/lib/mock/epel-7-x86_64/result/zoneminder-1.30.4-3.el7.centos.x86_64.rpm

After going through the steps in the readme, I couldn't get zoneminder to start.

I had to go through and change a bunch of ownerships from apache to asterisk again, as well as changing zm.conf and zoneminder.service to reflect the asterisk user/group instead of apache.

After that, I temporarily had a working zoneminder install. But once I rebooted, the ownership of the sock and temp directories in /var/lib/zoneminder was reset to apache:apache and zoneminder failed to start again.

Again, "chown -R asterisk. /var/lib/zoneminder" got me back in business... but I'm right back where I started, I guess.

For what it's worth, I did start out the first time with 1.30.4-1 from Zmrepo following the instructions on readthedocs and at that time, I did not create or edit the .spec file. I don't know if that tainted my install, but I don't think it should have since I didn't use the RPM that was created. I switched to 1.30.4-3 from rpmfusion and followed your instructions to edit the .spec file, and then used that 1.30.4-3 RPM that was created.

[knight-of-ni]

As long as readthedocs is set to "latest" rather than "stable", then you are reading the latest up-to-date documentation. The documentation is correct. Yes, the particular example does in fact reference zmrepo in some of the urls, but the opening paragraph to the Build from SRPM chapter explains what is going on. Releases are on RPMFsuion, while the latest development packages will remain on zmrepo. The steps to build either are the same.

Since you are after a release, you should use the srpms from rpmfusion as indicated.

I just performed the build steps I listed earlier, and file permissions in the resulting rpm are as expected:

Code: Select all

$ rpm -qlvp /var/lib/mock/epel-7-x86_64/result/zoneminder-1.30.4-3.el7.centos.x86_64.rpm | grep asterisk
-rw-r-----    1 root    asterisk                 1584 Sep 29 18:17 /etc/zm/zm.conf
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/lib/zoneminder
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/lib/zoneminder/events
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/lib/zoneminder/images
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/lib/zoneminder/sock
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/lib/zoneminder/swap
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/lib/zoneminder/temp
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/log/zoneminder
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/run/zoneminder
drwxr-xr-x    2 asteriskasterisk                    0 Sep 29 18:19 /var/spool/zoneminder-upload

When I inspect the contents of zm.conf, it appears correct:

Code: Select all

$ cat /etc/zm/zm.conf | grep asterisk
ZM_WEB_USER=asterisk
ZM_WEB_GROUP=asterisk

When I look at the systemd service file, that is correct too:

Code: Select all

$ cat /usr/lib/systemd/system/zoneminder.service | grep asterisk
User=asterisk
Group=asterisk

As you can see, all the file ownership and user account stuff is taken care of for you. When I build zoneminder to run on nginx, I'm doing the same the steps. I've got a couple of those currently in production.

As far as what might have gone wrong with your build, I would verify you installed the right rpm.
Make sure you install the rpm in the folder /var/lib/mock/epel-7-x86_64/result and not any other. Due to all the duplicate filenames flying around, it is incredibly easy to inadvertently install the wrong rpm. I mix up rpms from time to time too.

If you want to make it easier to track the rpm you built, you can change the name of the package specified in zoneminder.spec to something like zoneminder-asterisk.spec. It is around line 35 in the spec file.

I could upload the rpm I built for you, but I'd rather you successfully complete this process. Otherwise, you will be faced with the same challenge the next time around.

[Spart]

Frustrating for sure!

As far as what might have gone wrong with your build, I would verify you installed the right rpm.
Make sure you install the rpm in the folder /var/lib/mock/epel-7-x86_64/result and not any other. Due to all the duplicate filenames flying around, it is incredibly easy to inadvertently install the wrong rpm. I mix up rpms from time to time too.

Yeah, that's why I ran "yum localinstall /var/lib/mock/epel-7-x86_64/result/zoneminder-1.30.4-3.el7.centos.x86_64.rpm"

It would seem that I did indeed have that local package installed, the output of "rpm -qi zoneminder.x86_64" said the build host was localhost, and the build date matches up also. It also didn't show a repo when I did "yum list zoneminder.x86_64", it just showed "installed".

With that said, I nuked the rpmbuild directory in my home directory as well as the epel-7-x86_64 directory in /var/lib/mock, and I started over with a renamed package as you suggested. It's working now! I'm guessing that because I had previously tested the complete RPM build process without changing the spec file, somewhere along the line something wasn't getting overwritten properly. So nuking those directories must have been what I needed to do to get around that.

For anybody else trying to do the same thing I'm doing on CentOS 7.3, these are the commands I ended up running in lieu of those under the "Build from SRPM" section here: http://zoneminder.readthedocs.io/en/lat ... er-package

Code: Select all

wget -P ~/rpmbuild/SRPMS http://download1.rpmfusion.org/free/el/updates/7/SRPMS/z/zoneminder-1.30.4-3.el7.src.rpm
rpm -ivh ~/rpmbuild/SRPMS/zoneminder-1.30.4-3.el7.src.rpm
mv ~/rpmbuild/SPECS/zoneminder.spec ~/rpmbuild/SPECS/zoneminder-ast.spec
vi ~/rpmbuild/SPECS/zoneminder-ast.spec
(edited top two lines, changed from apache to asterisk.  edited line "Name: zoneminder" to "Name: zoneminder-ast")
rpmbuild -bs --nodeps ~/rpmbuild/SPECS/zoneminder-ast.spec
mock -r epel-7-x86_64-rpmfusion_free ~/rpmbuild/SRPMS/zoneminder-ast-1.30.4-3.el7.centos.src.rpm
sudo yum localinstall /var/lib/mock/epel-7-x86_64/result/zoneminder-ast-1.30.4-3.el7.centos.x86_64.rpm

I also added an exclude=zoneminder* line to yum.conf after doing all this, just in case. Be aware that it will also block local installs of packages that match zoneminder* (including the one these instructions will build) so you'll need to comment that line out if you decide to manually update in the future.