pducharme / UniFi-Video-Controller

Docker for Unifi-Video Controller (Ubiquiti Networks)

These capabilities should not be required or suggested. #167

Closed cluelessperson closed 4 years ago

cluelessperson commented 4 years ago
        --cap-add SYS_ADMIN \
        --cap-add DAC_READ_SEARCH \
fryfrog commented 4 years ago

Can you confirm it works w/o them? I'll test in mine, but many ago I tested each one and only added the ones I needed to get it working.

jnovack commented 4 years ago

False.

For v3.10.8 (because v3.10.10 requires too much time and effort for me to get working at the moment, sending a big FU to Unifi), the container fails to start without both.

Without SYS_ADMIN, the mount fails (I am using docker-compose with a local volume)

unifivideo    | Starting unifi-video... (unifi-video) Java Runtime: /usr/lib/jvm/java-8-openjdk-amd64/jre
unifivideo    | (unifi-video) JSVC: /usr/bin/jsvc
unifivideo    | (unifi-video)
unifivideo    | JVM options:  -Dav.tempdir=/var/cache/unifi-video -Djava.security.egd=file:/dev/./urandom   -Xmx7718M  -Xss512K  -XX:+HeapDumpOnOutOfMemoryError  -XX:+UseG1GC  -XX:+UseStringDeduplication  -XX:MaxMetaspaceSize=1024M  -Djava.library.path=/usr/lib/unifi-video/lib  -Djava.awt.headless=true  -Djavax.net.ssl.trustStore=/usr/lib/unifi-video/data/ufv-truststore  -Dfile.encoding=UTF-8          -Dcom.sun.management.jmxremote          -Dcom.sun.management.jmxremote.ssl=false        -Dcom.sun.management.jmxremote.authenticate=false       -Dcom.sun.management.jmxremote.port=7654 -Djava.rmi.server.hostname=1.1.1.1
unifivideo    | (unifi-video)
unifivideo    | JSVC options:  -cwd /usr/lib/unifi-video -debug  -user unifi-video  -home /usr/lib/jvm/java-8-openjdk-amd64/jre  -cp /usr/share/java/commons-daemon.jar:/usr/lib/unifi-video/lib/airvision.jar  -pidfile /var/run/unifi-video/unifi-video.pid  -procname unifi-video   -Dav.tempdir=/var/cache/unifi-video  -Djava.security.egd=file:/dev/./urandom   -Xmx7718M  -Xss512K  -XX:+HeapDumpOnOutOfMemoryError  -XX:+UseG1GC  -XX:+UseStringDeduplication  -XX:MaxMetaspaceSize=1024M  -Djava.library.path=/usr/lib/unifi-video/lib  -Djava.awt.headless=true  -Djavax.net.ssl.trustStore=/usr/lib/unifi-video/data/ufv-truststore  -Dfile.encoding=UTF-8        -Dcom.sun.management.jmxremote          -Dcom.sun.management.jmxremote.ssl=false        -Dcom.sun.management.jmxremote.authenticate=false       -Dcom.sun.management.jmxremote.port=7654 -Djava.rmi.server.hostname=1.1.1.1
unifivideo    | mount: /var/cache/unifi-video: permission denied.

Without DAC_READ_SEARCH, it seems that libraries are missing?

...truncated...
unifivideo    | User 'unifi-video' validated
unifivideo    | Attempting to locate Java Home in /usr/lib/jvm/java-8-openjdk-amd64/jre
unifivideo    | Attempting to locate VM configuration file /usr/lib/jvm/java-8-openjdk-amd64/jre/jre/lib/jvm.cfg
unifivideo    | Attempting to locate VM configuration file /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jvm.cfg
unifivideo    | Attempting to locate VM configuration file /usr/lib/jvm/java-8-openjdk-amd64/jre/jre/lib/amd64/jvm.cfg
unifivideo    | Attempting to locate VM configuration file /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/jvm.cfg
unifivideo    | Found VM configuration file at /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/jvm.cfg
unifivideo    | Found VM server definition in configuration
unifivideo    | Checking library /usr/lib/jvm/java-8-openjdk-amd64/jre/jre/lib/amd64/server/libjvm.so
unifivideo    | Checking library /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/server/libjvm.so
unifivideo    | Found VM client definition in configuration
unifivideo    | Checking library /usr/lib/jvm/java-8-openjdk-amd64/jre/jre/lib/amd64/client/libjvm.so
unifivideo    | Checking library /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/client/libjvm.so
unifivideo    | Cannot locate library for VM client (skipping)
unifivideo    | Found VM zero definition in configuration
unifivideo    | Checking library /usr/lib/jvm/java-8-openjdk-amd64/jre/jre/lib/amd64/zero/libjvm.so
unifivideo    | Checking library /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/zero/libjvm.so
unifivideo    | Cannot locate library for VM zero (skipping)
unifivideo    | Found VM dcevm definition in configuration
unifivideo    | Checking library /usr/lib/jvm/java-8-openjdk-amd64/jre/jre/lib/amd64/dcevm/libjvm.so
unifivideo    | Checking library /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/dcevm/libjvm.so
unifivideo    | Cannot locate library for VM dcevm (skipping)
unifivideo    | Java Home located in /usr/lib/jvm/java-8-openjdk-amd64/jre
unifivideo    | +-- DUMPING JAVA HOME STRUCTURE ------------------------
unifivideo    | | Java Home:       "/usr/lib/jvm/java-8-openjdk-amd64/jre"
unifivideo    | | Java VM Config.: "/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/jvm.cfg"
unifivideo    | | Found JVMs:      1
unifivideo    | | JVM Name:        "server"
unifivideo    | |                  "/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/server/libjvm.so"
unifivideo    | +-------------------------------------------------------
unifivideo    | Running w/ LD_LIBRARY_PATH=/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/server:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64
unifivideo    | redirecting stdout to /dev/null and stderr to /dev/null
unifivideo    | done.
unifivideo    | Waiting for mongodb to come online...Switching umask back to 022 from 077
unifivideo    | Attemtping to load library /lib64/libcap.so.2
unifivideo    | Attemtping to load library /lib64/libcap.so.1
unifivideo    | Attemtping to load library /lib64/libcap.so
unifivideo    | Attemtping to load library /usr/lib64/libcap.so.2
unifivideo    | Attemtping to load library /usr/lib64/libcap.so.1
unifivideo    | Attemtping to load library /usr/lib64/libcap.so
unifivideo    | Attemtping to load library /lib/libcap.so.2
unifivideo    | Attemtping to load library /lib/libcap.so.1
unifivideo    | Attemtping to load library /lib/libcap.so
unifivideo    | Attemtping to load library /usr/lib/libcap.so.2
unifivideo    | Attemtping to load library /usr/lib/libcap.so.1
unifivideo    | Attemtping to load library /usr/lib/libcap.so
unifivideo    | Attemtping to load library libcap.so.2
unifivideo    | loaded cap_free from libcap.
unifivideo    | loaded cap_init from libcap.
unifivideo    | loaded cap_clear from libcap.
unifivideo    | loaded cap_get_flag from libcap.
unifivideo    | loaded cap_set_flag from libcap.
unifivideo    | loaded cap_set_proc from libcap.
unifivideo    | failed setting default capabilities.
unifivideo    | set_caps(CAPS) failed for user 'unifi-video'
unifivideo    | Service exit with a return value of 4
fryfrog commented 4 years ago

Thanks for testing, I never got around to trying it myself.

@cluelessperson, if you'd like to provide some evidence it works w/o those permissions, I'll be happy to revisit. Otherwise, this is enough evidence for me.

cluelessperson commented 4 years ago

They're required because the software is handling mounting internally, which needs to be fixed.

There's really no reason that video software needs special permissions on a server.

The mounting should be done through docker.

On Wed, Dec 4, 2019, 1:53 PM Donald Webster notifications@github.com wrote:

Thanks for testing, I never got around to trying it myself.

@cluelessperson https://github.com/cluelessperson, if you'd like to provide some evidence it works w/o those permissions, I'll be happy to revisit. Otherwise, this is enough evidence for me.


fryfrog commented 4 years ago

Oh man, all the shit Ubiquiti does poorly and/or wrong... feel free to add this to the list. Even if they weren't killing off the Unifi Video line, I still wouldn't suggest wasting your time reporting it to them.

jnovack commented 4 years ago

I'm being swayed towards @cluelessperson's side here.

We're already patching /usr/sbin/unifi-video, why not also patch out the remounting of tmpfs?

/usr/sbin/unifi-video

    NAME=unifi-video
    PKGUSER=unifi-video

    BASEDIR="/usr/lib/${NAME}"
    DATADIR="${BASEDIR}/data"
    PIDFILE="/var/run/${NAME}/${NAME}.pid"
    TMPFS_DIR="/var/cache/${NAME}"
    ...truncated...
    prepare_tmpfs() {
            local DIR SIZE PKGUSERID MNT_OPTIONS
            DIR=$1
            SIZE=$2
            PKGUSERID=$(id -u ${PKGUSER})
            MNT_OPTIONS="noatime,nodiratime,noexec,size=${SIZE},mode=0700"
            [ -z "${PKGUSERID}" ] || MNT_OPTIONS="${MNT_OPTIONS},uid=${PKGUSERID}"

            mkdir -p ${DIR} || true
            chmod -R 0700 ${DIR}
            if mountpoint -q ${DIR}; then
                    mount -o remount,${MNT_OPTIONS} ${DIR}
            else
                    mount -t tmpfs -o ${MNT_OPTIONS} tmpfs ${DIR}
            fi
    }
    ...truncated...
                            [ "x${ENABLE_TMPFS}" = "xyes" ] && prepare_tmpfs ${TMPFS_DIR} ${TMPFS_SIZE}

Functionally, it just remounts /var/cache/unifi-video as tmpfs. We would just have to patch it out and add --mount type=tmpfs,destination=/var/cache/unifi-video \ to the docker run.
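Two shell helpers for the change proposed above, added here as an example and not code from the project or from jnovack: one lists the --cap-add values a saved docker run command line grants, the other builds the --tmpfs flag that reproduces prepare_tmpfs()'s MNT_OPTIONS on the Docker side, so the daemon mounts the tmpfs on the host and the container never calls mount(2) itself. The sample command line and the uid 1000 are constructed, and it is an assumption to check against your Docker version that --tmpfs accepts every one of these mount options.

```sh
#!/bin/sh
# Added example, not code from pducharme/UniFi-Video-Controller.
# Helpers for moving the tmpfs mount out of /usr/sbin/unifi-video and into
# `docker run`, which removes the reason the container needs SYS_ADMIN.

# Print every --cap-add value (both "--cap-add X" and "--cap-add=X" forms),
# one per line, from the docker run command line passed as $1.
list_caps() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        sub(/^--cap-add=/, "")   { print; next }   # --cap-add=NAME
        prev == "--cap-add"      { print }         # --cap-add NAME
        { prev = $0 }'
}

# Build the --tmpfs flag equivalent to the script's MNT_OPTIONS
# ("noatime,nodiratime,noexec,size=${SIZE},mode=0700", plus uid when known).
# $1 = mount point (TMPFS_DIR), $2 = size (TMPFS_SIZE),
# $3 = numeric uid of the unifi-video user inside the image, or "" if unknown
#      (mirrors the script's own fallback of omitting uid=).
# Assumption: Docker's --tmpfs passes these standard tmpfs options through.
tmpfs_flag() {
    opts="noatime,nodiratime,noexec,size=$2,mode=0700"
    [ -z "$3" ] || opts="${opts},uid=$3"
    printf '%s %s:%s' --tmpfs "$1" "$opts"
}

# Constructed sample: the two capabilities from this issue plus a data volume.
SAMPLE_RUN='docker run -d --name unifi-video --cap-add SYS_ADMIN --cap-add=DAC_READ_SEARCH -v /srv/unifi-video:/var/lib/unifi-video pducharme/unifi-video-controller'

if [ "${1:-}" = "demo" ]; then
    echo "capabilities granted:"; list_caps "$SAMPLE_RUN"
    echo "mount to add once prepare_tmpfs is patched out:"
    tmpfs_flag /var/cache/unifi-video 512M 1000; echo
fi
```

Moving the mount into Docker addresses the SYS_ADMIN requirement shown by the "mount: ... permission denied" log; the second log above fails in jsvc's set_caps step, so DAC_READ_SEARCH needs to be re-tested separately after the patch.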

fryfrog commented 4 years ago

I would absolutely not object to that. It'd also make it possible to pass in an SSD as cache instead of using tmpfs. Is this something you'd like to work up a pull request for?

jnovack commented 4 years ago

Seems easy enough, I have the next few weeks allocated to "pet projects". I'll add it to the list.

By default /var/cache/unifi-video would be in the container layer (it exists), so those who upgrade without changes may suffer a performance hit (since it would now implicitly live on disk rather than explicitly in memory).

fryfrog commented 4 years ago

Ah, good point. It'd be easy to put a warning into the startup scripts. Maybe even force an exit? Require a DONTUSETMPFS=1 env var to bypass or something?

fryfrog commented 4 years ago

Also, I'll give a think on it and have a look if I have time. Shouldn't be too hard.

fryfrog commented 4 years ago

Thanks to @thomaso-mirodin for improving this. I'm closing this task.