Deploy Step-by-Step from Repository

This section will guide you through the FindFace Security step-by-step deployment process. Follow the instructions below minding the sequence.

In this section:

Get Distributable Packages

If you opt to deploy FindFace Security from an APT repository, you will be provided with the following packages:

  • <ffsecurity-repo*.deb>: a deb-package that installs a local repository with components.
  • <findface-data*.deb>: a deb-package(s) that installs neural network models for face detection and face features recognition.

You receive the packages from your Ntech Lab manager.

Note

You can deploy step-by-step by using the FindFace Security console installer.

Prepare Packages for Installation

To prepare the distributable packages for installation, do the following:

  1. Unpack the package with components on each designated host.

    sudo dpkg -i <ffsecurity-repo>.deb
    
  2. Add a signature key on each designated host.

    sudo apt-key add /var/ffsecurity-repo/public.key
    sudo apt update
    
  3. Unpack the packages with models (face, gender, age, emotions, etc.). In the cluster environment, models are installed only on the findface-extraction-api hosts.

    sudo dpkg -i findface-data*
    

Prerequisites

FindFace Security requires such third-party software as PostgreSQL, Redis, etcd, and memcached. Do the following:

  1. Install the prerequisite packages as such:

    sudo apt update
    sudo apt install -y postgresql-9.5 redis-server etcd memcached
    
  2. Open the memcached configuration file. Set the maximum memory to use for items in megabytes: -m 512. Set the max item size: -I 16m. If one or both of these parameters are absent, simply add them in the file.

    sudo vi /etc/memcached.conf
    
    -m 512
    -I 16m
    
  3. Enable the prerequisite services autostart and launch the services:

    sudo systemctl enable postgresql@9.5-main.service redis-server etcd.service memcached.service
    sudo systemctl start postgresql@9.5-main.service redis-server etcd.service memcached.service
    

Provide Licensing

You receive a license file from your NTechLab manager. If you opt for the on-premise licensing, we will also send you a USB dongle.

The FindFace Security licensing is provided as follows:

  1. Deploy findface-ntls, license server in the FindFace core.

    Important

    There must be only one findface-ntls instance in each FindFace Security installation.

    Tip

    In the findface-ntls configuration file, you can change the license folder and specify your proxy server IP address if necessary. You can also change the findface-ntls web interface remote access settings. See findface-ntls for details.

    sudo apt update
    sudo apt install -y findface-ntls
    sudo systemctl enable findface-ntls.service && sudo systemctl start findface-ntls.service
    
  2. Upload the license file via the findface-ntls web interface in one of the following ways:

    • Navigate to the findface-ntls web interface http://<NTLS_IP_address>:3185/#/. Upload the license file.

      Tip

      Later on, use the FindFace Security main web interface to consult your license information, and upgrade or extend your license (Settings -> License).

    • Directly put the license file into the license folder (by default, /ntech/license, can be changed in the /etc/findface-ntls.cfg configuration file).

  3. For the on-premise licensing, insert the USB dongle into a USB port.

  4. If the licensable components are installed on remote hosts, specify the IP address of the findface-ntls host in their configuration files. See findface-extraction-api, findface-tarantool-server, Video face detection: findface-video-manager and findface-video-worker for details.

Deploy Main Database

In FindFace Security, the main system database is based on PostgreSQL. To deploy the main database, do the following:

  1. Using the PostgreSQL console, create a new user ntech and a database ffsecurity in PostgreSQL.

    sudo -u postgres psql
    
    postgres=# CREATE ROLE ntech WITH LOGIN;
    
    postgres=# CREATE DATABASE ffsecurity WITH OWNER ntech ENCODING 'UTF-8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE template0;
    

    Tip

    To quit from the PostgreSQL console, type \q and press Enter.

  2. Allow authentication in PostgreSQL by UID of a socket client. Restart PostgreSQL.

    echo 'local all ntech peer' | sudo tee -a /etc/postgresql/9.5/main/pg_hba.conf
    
    sudo systemctl restart postgresql@9.5-main.service
    

Deploy FindFace Core

To deploy the FindFace core, do the following:

Tip

You can find the description of the FindFace core components and their configuration parameters in Architecture and Components in Depth.

  1. Install the FindFace core components:

    sudo apt update
    sudo apt install -y findface-tarantool-server findface-extraction-api findface-sf-api findface-upload findface-video-manager findface-video-worker
    

    Note

    To install the GPU-accelerated findface-extraction-api component, use findface-extraction-api-gpu instead of findface-extraction-api in the command.

    Note

    To install the GPU-accelerated findface-video-worker component, use findface-video-worker-gpu instead of findface-video-worker in the command.

  2. Open the findface-extraction-api configuration file (CPU or GPU service). Enable the quality_estimator to be able to estimate the face quality in a dossier.

    Note

    The minimum face quality in a dossier photo is set as MINIMUM_DOSSIER_QUALITY in /etc/ffsecurity/config.py.

    sudo vi /etc/findface-extraction-api.ini
    
    quality_estimator: true
    
  3. In the findface-extraction-api configuration file, enable recognition models for face features such as gender, age, emotions, glasses3, and/or beard, subject to your needs. Be sure to choose the right acceleration type for each model, matching the acceleration type of findface-extraction-api: CPU or GPU. Be aware that findface-extraction-api on CPU can work only with CPU-models, while findface-extraction-api on GPU supports both CPU- and GPU-models.

    models:
      age: faceattr/age.v1.cpu.fnk
      emotions: faceattr/emotions.v1.cpu.fnk
      face: face/elderberry_576.cpu.fnk
      gender: faceattr/gender.v2.cpu.fnk
      beard: faceattr/beard.v0.cpu.fnk
    

    The following models are available:

    Face feature Acceleration Configuration file parameter
    face (biometry) CPU face: face/elderberry_576.cpu.fnk
    GPU face: face/elderberry_576.gpu.fnk
    age CPU age: faceattr/age.v1.cpu.fnk
    GPU age: faceattr/age.v1.gpu.fnk
    gender CPU gender: faceattr/gender.v2.cpu.fnk
    GPU gender: faceattr/gender.v2.gpu.fnk
    emotions CPU emotions: faceattr/emotions.v1.cpu.fnk
    GPU emotions: faceattr/emotions.v1.gpu.fnk
    glasses3 CPU glasses3: faceattr/glasses3.v0.cpu.fnk
    GPU glasses3: faceattr/glasses3.v0.gpu.fnk
    beard CPU beard: faceattr/beard.v0.cpu.fnk
    GPU beard: faceattr/beard.v0.gpu.fnk

    Tip

    To disable a recognition model, simply pass an empty value to a relevant parameter. Do not remove the parameter itself as in this case the system will be searching for the default model.

    models:
      gender: ""
      age: ""
      emotions: ""
    
  4. Open the /etc/findface-video-worker.ini (/etc/findface-video-worker-gpu.ini) configuration file. In the mgr-static parameter, specify the findface-video-manager host IP address, which provides findface-video-worker with settings and the video stream list. In the capacity parameter, specify the maximum number of video streams to be processed by findface-video-worker.

    sudo vi /etc/findface-video-worker.ini
    sudo vi /etc/findface-video-worker-gpu.ini
    
    mgr-static=127.0.0.1:18811
    
    capacity=10
    
  5. Enable the FindFace core services autostart and launch the services.

    sudo systemctl enable findface-extraction-api findface-sf-api findface-video-manager findface-video-worker
    sudo systemctl start findface-extraction-api findface-sf-api findface-video-manager findface-video-worker
    

Deploy FindFace Security Application Module and Biometric Database

To deploy the FindFace Security application module, do the following:

  1. Install the ffsecurity and ffsecurity-ui components from the <ffsecurity-repo>.deb package.

    sudo apt update
    sudo apt install -y ffsecurity ffsecurity-ui
    
  2. Migrate the database architecture from FindFace Security to PostgreSQL, create user groups with predefined rights and the first user with administrator rights (a.k.a. Super Administrator).

    Important

    Super Administrator cannot be deprived of its rights, whatever the role.

    sudo findface-security migrate
    sudo findface-security create_groups
    sudo findface-security createsuperuser --username admin --email root@localhost
    
  3. Create a structure of the Tarantool-based biometric database.

    sudo findface-security make_tnt_schema | sudo tee /etc/ffsecurity/tnt-schema.lua
    
  4. Import the meta_scheme variable from the tnt-schema.lua file. Open the /etc/tarantool/instances.enabled/FindFace.lua configuration file. Before the FindFace.start section, add a line dofile("/etc/ffsecurity/tnt-schema.lua"). In the FindFace.start parameters, define meta_scheme=meta_scheme.

    sudo vi /etc/tarantool/instances.enabled/FindFace.lua
    
    dofile("/etc/ffsecurity/tnt-schema.lua")
    
    FindFace.start("@TNT_FF_LISTEN_IP@", @TNT_FF_LISTEN_PORT@, {
        license_ntls_server="@TNT_FF_NTLS@",
        facen_size=576,
        meta_scheme = meta_scheme
     })
    
  5. Enable the findface-tarantool-server service autostart and launch the service.

    sudo systemctl enable tarantool@FindFace.service && sudo systemctl start tarantool@FindFace.service
    
  6. Open the /etc/ffsecurity/config.py configuration file. Specify the following parameters:

    • EXTERNAL_ADDRESS: external IP address or URL that will be used to access the FindFace Security web interface.
    • VIDEO_DETECTOR_TOKEN: to authorize the video face detection module, come up with a token and specify it here.
    • VIDEO_MANAGER_ADDRESS: IP address of the findface-video-manager host.
    • NTLS_HTTP_URL: IP address of the findface-ntls host.
    • ROUTER_URL: IP address of the ffsecurity host that will receive detected faces from the findface-video-worker instance(s). Specify either external or internal IP address, subject to the network through which findface-video-worker interacts with ffsecurity.
    • SF_API_ADDRESS: IP address of the findface-sf-api host.

    Tip

    If necessary, ensure data security by enabling SSL.

    Tip

    If necessary, set ’IGNORE_UNMATCHED’: True to disable logging events for faces which have no match in the dossiers (negative verification result). Enable this option if the system has to process a large number of faces. The face similarity threshold for verification is defined by the CONFIDENCE_THRESHOLD parameter.

    Tip

    It is recommended to change the MINIMUM_DOSSIER_QUALITY default value. This parameter determines the minimum quality of a face in a dossier photo. Photos containing faces of worse quality will be rejected when uploading to a dossier. Upright faces in frontal position are considered the best quality. They result in values around 0, mostly negative (such as -0.00067401276, for example). Inverted faces and large face angles are estimated with negative values some -5 and less. By default, ’MINIMUM_DOSSIER_QUALITY’: -2 which is the average quality.

    Important

    If you enabled recognition models in the findface-extraction-api configuration file, add the following line in the FFSECURITY section: ‘EVENTS_FEATURES’: [‘gender’, ‘age’, ‘emotions’, ‘beard’, ‘glasses’], subject to the list of enabled models.

    sudo vi /etc/ffsecurity/config.py
    
    MEDIA_ROOT="/var/lib/ffsecurity/uploads"
    STATIC_ROOT="/var/lib/ffsecurity/static"
    
    EXTERNAL_ADDRESS="http://172.20.77.23"
    
    DEBUG = False
    
    LANGUAGE_CODE = 'en-us'
    
    TIME_ZONE = 'UTC'
    
    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.postgresql',
            'NAME': 'ffsecurity',
        }
    }
    
    # use pwgen -sncy 50 1|tr "'" "." to generate your own unique key
    SECRET_KEY = 'changeme'
    
    FFSECURITY = {
        'VIDEO_DETECTOR_TOKEN': 'GOOD_TOKEN',
        'CONFIDENCE_THRESHOLD': 0.75,
        'MINIMUM_DOSSIER_QUALITY': -2,
        'IGNORE_UNMATCHED': False,
        'VIDEO_MANAGER_ADDRESS': 'http://127.0.0.1:18810',
        'EVENTS_MAX_AGE': 30,
        'NTLS_HTTP_URL': 'http://127.0.0.1:3185',
        'ROUTER_URL': 'http://172.20.77.23',
        'MONITORING_UPDATE_INTERVAL': 60,
        'SF_API_ADDRESS': 'http://127.0.0.1:18411',
        'EVENTS_FEATURES': ['gender', 'age', 'beard', 'glasses'],
    }
    
    FFSECURITY_UI_CONFIG = {
    }
    
    # integration plugins
    INSTALLED_APPS.append('ffsecurity_genetec') # remove or comment out this line to disable genetec integration```
    
  7. Generate a signature key for the session encryption (used by Django) by executing: pwgen -sncy 50 1|tr “’” “.”. Specify this key as SECRET_KEY.

  8. Start the services.

    Important

    The ffsecurity service includes findface-security-proto (provides HTTP and web socket), findface-security-worker (provides interaction with the other system components), findface-security-monitoring-updater, and findface-security-webhook-updater.

    Important

    The number of the findface-security-worker instances is calculated using the formula: N=(number of CPU cores-1), and specified after the @ character, for example, findface-security-worker@{1,2,3} indicates 3 instances.

    In the example below, findface-security-worker has 4 instances.

    sudo systemctl enable findface-security-proto findface-security-worker@{1,2,3,4} findface-security-monitoring-updater findface-security-webhook-updater
    sudo systemctl start findface-security-proto findface-security-worker@{1,2,3,4} findface-security-monitoring-updater findface-security-webhook-updater
    

    Important

    For high load projects, start more instances of findface-security-worker. The main indicator that allocated resources are not enough and you should start more findface-security-worker instances is errors in the web interface.

  9. Disable the default nginx server and add the ffsecurity server to the list of enabled servers. Restart nginx.

    sudo rm /etc/nginx/sites-enabled/default
    
    sudo ln -s /etc/nginx/sites-available/ffsecurity-nginx.conf /etc/nginx/sites-enabled/
    
    sudo nginx -s reload