Deploy Step-By-Step

This section will guide you through the FindFace Security step-by-step deployment process. Follow the instructions below minding the sequence.

Warning

Before deploying FindFace Security, make sure that the system time and time zone are correct, and time synchronization via ntpd/systemd-timesyncd is enabled. When using FindFace Security, avoid any sudden changes in time, as they may result in unavailability of the FindFace Security services after reboot.

Tip

See System Requirements and Architecture.

In this section:

Prepare Packages for Installation

To prepare the FindFace Security deb-packages for installation, do the following:

1. Unpack the package with components.

   sudo dpkg -i <findface-security-repo>.deb
   

2. Add a signature key.

   sudo apt-key add /var/findface-security-repo/public.key
   sudo apt-get update
   

3. Unpack the packages with the neural network models.

   sudo dpkg -i findface-data*.deb
   

Prerequisites

The FindFace Security basic configuration requires PostgreSQL and Redis. Install them from the Ubuntu repository as such:

sudo apt-get update
sudo apt install -y postgresql-server-dev-9.5 redis-server

The FindFace Security video-based biometric identification requires ETCD. Install it from the FindFace Security package with components:

sudo apt install -y etcd

Licensing

You receive a license file from your NTechLab manager along with the FindFace Security distributable packages. For on-premise licensing, you will be also provided with a Guardant USB dongle.

To install and configure the license server (NTLS), do the following:

1. Install the NTLS component:

   sudo apt-get update
   sudo apt-get install ntls
   

   Tip

   In the NTLS configuration file, you can change the license folder and the NTLS web interface remote access settings. To open the NTLS configuration file, execute:

   sudo vi /etc/ntls.cfg
   

   If necessary, change the license folder in the license-dir parameter. By default, license files are stored at /ntech/license:

   license-dir = /ntech/license
   

   If necessary, uncomment the proxy line and specify your proxy server IP address:

   proxy = http://192.168.1.1:12345
   

   By default, you can access the NTLS web interface from any remote host (ui = 0.0.0.0:3185). To indicate that accessing the NTLS web interface must originate from a specific IP address, edit the ui parameter:

   ui = 127.0.0.1:3185
   

2. Enable the NTLS service autostart and launch the service:

   sudo systemctl enable ntls && sudo systemctl start ntls
   

3. Upload the license file via the NTLS web interface http://<NTLS_IP_address>:3185/#/.

4. For the on-premise licensing, insert a Guardant USB dongle into a USB port.

Basic Configuration

The FindFace Security basic configuration includes a database, database extensions, the ffsecurity and ffsecurity-ui components. To install the basic configuration, do the following:

1. Install the findface-postgres-9.5-facen extension for PostgreSQL from the <ffsecurity-repo>.deb package:

   sudo apt install -y findface-postgres-9.5-facen
   

2. Using the PostgreSQL console, create a new user ntech and a database ffsecurity. Upload the findface-postgres-9.5-facen extension to the ffsecurity database by using the facen-compare-bytea label.

   sudo -u postgres psql
   
   postgres=# CREATE ROLE ntech WITH LOGIN;
   
   postgres=# CREATE DATABASE ffsecurity WITH OWNER ntech ENCODING 'UTF-8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE template0;
   
   postgres=# \c ffsecurity;
   
   ffsecurity=# CREATE EXTENSION "facen-compare-bytea";
   

   To quit from the PostgreSQL console, type \q и press Enter.

3. Allow authentication in PostgreSQL by UID of a socket client. Restart PostgreSQL.

   echo 'local all ntech peer' | sudo tee -a /etc/postgresql/9.5/main/pg_hba.conf
   
   sudo systemctl restart postgresql@9.5-main.service
   

4. Install the ffsecurity component from the <ffsecurity-repo>.deb package.

   Note

   NginX will be automatically installed from dependencies.

   sudo apt install -y ffsecurity
   

5. Install the ffsecurity-ui web interface from the <ffsecurity-repo>.deb package.

   sudo apt install -y ffsecurity-ui
   

6. Open the /etc/ffsecurity/config.py configuration file. In the EXTERNAL_ADDRESS parameter , specify the external IP address or URL that will be used to access the FindFace Security web interface. If videomanager-api and/or extraction-api are to be installed on remote hosts, specify these hosts’ IP addresses in the VIDEO_MANAGER_ADDRESS and EXTRACTION_API parameters respectively (see Video-Based Biometric Identification for details). To authorize the video face detection module, come up with a token and specify it as VIDEO_DETECTOR_TOKEN. This token will be being passed to the videomanager-api jobs.

   Tip

   If necessary, ensure data security by enabling SSL.

   Tip

   If necessary, set ’IGNORE_UNMATCHED’: True to disable logging events for faces which have no match in the dossiers (negative verification result). Enable this option if the system has to process a large number of faces. The face similarity threshold for verification is defined by the CONFIDENCE_THRESHOLD parameter.

   Tip

   It is recommended to change the MINIMUM_DOSSIER_QUALITY default value. This parameter determines the minimum quality of a face in a dossier photo. Photos containing faces of worse quality will be rejected when uploading to a dossier. Upright faces in frontal position are considered the best quality. They result in values around 0, mostly negative (such as -0.00067401276, for example). Inverted faces and large face angles are estimated with negative values some -5 and less. By default, ’MINIMUM_DOSSIER_QUALITY’: -2 which is the average quality.

   sudo vi /etc/ffsecurity/config.py
   
   MEDIA_ROOT="/var/lib/ffsecurity/uploads"
   STATIC_ROOT="/var/lib/ffsecurity/static"
   
   EXTERNAL_ADDRESS="http://172.20.77.26:8000"
   
   DEBUG = False
   
   LANGUAGE_CODE = 'en-us'
   
   TIME_ZONE = 'UTC'
   
   DATABASES = {
       'default': {
           'ENGINE': 'django.db.backends.postgresql',
           'NAME': 'ffsecurity',
       }
   }
   
   # use pwgen -sncy 50 1|tr "'" "." to generate your own unique key
   SECRET_KEY = 'changeme'
   
   FFSECURITY = {
       'VIDEO_DETECTOR_TOKEN': 'GOOD_TOKEN',
       'CONFIDENCE_THRESHOLD': 0.75,
       'MINIMUM_DOSSIER_QUALITY': -0.1,
       'IGNORE_UNMATCHED': False,
       'VIDEO_MANAGER_ADDRESS':'http://127.0.0.1:18810',
       'EXTRACTION_API': 'http://127.0.0.1:18666/',
   }
   
   FFSECURITY_UI_CONFIG = {
       'plugins': {
           'genetec': True,
       },
   }
   

   Tip

   If necessary, edit the /etc/nginx/sites-available/ffsecurity-nginx.conf configuration file as well.

7. Generate a signature key for the session encryption (used by Django) by executing: pwgen -sncy 50 1|tr “’” “.”. Specify this key as SECRET_KEY.

8. Disable the default nginx server and add the ffsecurity server to the list of enabled servers. Restart nginx.

   sudo rm /etc/nginx/sites-enabled/default
   
   sudo ln -s /etc/nginx/sites-available/ffsecurity-nginx.conf /etc/nginx/sites-enabled/
   
   sudo nginx -s reload
   

9. Migrate the database architecture from FindFace Security to PostgreSQL, create user groups with pre-defined rights and the first user with administrator rights (a.k.a. Super Administrator).

   Important

   Super Administrator cannot be deprived of its rights, whatever the role.

   sudo findface-security migrate
   
   sudo findface-security create_groups
   
   sudo findface-security createsuperuser --username admin --email root@localhost
   

10. Start the services.

    Important

    The ffsecurity service includes findface-security-proto (provides HTTP and web socket) and findface-security-worker (provides interaction of the other system components). The number of the findface-security-worker instances is calculated using the formula: N=(number of CPU cores-1). It is specified after the @ character, for example, findface-security-worker@{1,2,3} for 3 instances.

    sudo systemctl enable redis-server findface-security-proto findface-security-worker@{1,2,3,4}
    
    sudo systemctl start redis-server findface-security-proto findface-security-worker@{1,2,3,4}
    

Video-Based Biometric Identification

To install the videomanager-api, video-worker, and extraction-api components for video-based biometric identification, do the following:

1. Enable the ETCD service autostart and launch the service:

   sudo systemctl enable etcd.service && sudo systemctl start etcd.service
   

2. Install videomanager-api, video-worker, and extraction-api.

   sudo apt install -y findface-videomanager-api fkvideo-worker findface-extraction-api
   

3. Open the /etc/findface-videomanager-api.conf configuration file for editing. In the router_url parameter, substitute the string that goes before v0/frame with the ffsecurity IP address and port (set as EXTERNAL_ADDRESS at /etc/ffsecurity/config.py). The video-worker component will be posting detected faces to the specified address.

   sudo vi /etc/findface-videomanager-api.conf
   
   router_url: http://127.0.0.1:8000/v0/frame
   

4. In the ntls -> url parameter, specify the NTLS host IP address if the NTLS host is remote.

   ntls:
       url: http://127.0.0.1:3185/
   

5. Open the /etc/video-worker.ini configuration file for editing.

   sudo vi /etc/video-worker.ini
   

6. In the ntls-addr parameter, specify the NTLS host IP address if the NTLS host is remote.

   ntls-addr=127.0.0.1:3133
   

7. In the mgr-static parameter, specify the videomanager-api host IP address, which provides video-worker with settings and the video stream list.

   mgr-static=127.0.0.1:18811
   

8. In the capacity parameter, specify the maximum number of video streams to be processed by video-worker.

   capacity=10
   

9. In the extraction-api configuration file, enable the quality_estimator to be able to estimate the face quality in a dossier.

   Note

   The minimum face quality in a dossier photo is set as MINIMUM_DOSSIER_QUALITY in /etc/ffsecurity/config.py.

   sudo vi /etc/findface-extraction-api.ini
   
   quality_estimator: true
   

10. In the extraction-api configuration file, disable searching for gender, age, emotions, and country recognition models by passing empty values to the gender, age and emotions and countries47 parameters:

    Warning

    Do not remove the parameters themselves as in this case the system will be searching for default models.

    models:
      gender: ''
      age: ''
      emotions: ''
      countries47: ''
    

    As a result, the extraction-api configuration file should look something like this:

    listen: :18666
    dlib:
      model: /usr/share/findface-data/normalizer.dat
      options:
        adjust_threshold: 0
        upsample_times: 1
    nnd:
      model: /usr/share/nnd/nnd.dat
      quality_estimator: false
      quality_estimator_model: /usr/share/nnd/quality_estimator_v2.dat
      options:
        min_face_size: 30
        max_face_size: .inf
        scale_factor: 0.79
        p_net_thresh: 0.5
        r_net_thresh: 0.5
        o_net_thresh: 0.9
        p_net_max_results: 0
    models:
      root: /usr/share/findface-data/models
      facen: elderberry_576
      gender: ''
      age: ''
      emotions: ''
      countries47: ''
      model_instances: 1
    license_ntls_server: 127.0.0.1:3133
    fetch:
      enabled: true
      size_limit: 10485760
    max_dimension: 6000
    allow_cors: false
    ticker_interval: 5000
    

11. Enable the videomanager-api, video-worker, and extraction-api autostart and launch the services.

    sudo systemctl enable findface-videomanager-api.service && sudo systemctl start findface-videomanager-api.service
    
    sudo systemctl enable video-worker.service && sudo systemctl start video-worker.service
    
    sudo systemctl enable findface-extraction-api.service && sudo systemctl start findface-extraction-api.service