Deploy Step-by-Step from Repository¶
This section will guide you through the FindFace Security step-by-step deployment process. Follow the instructions below minding the sequence.
In this section:
Install APT Repository¶
First of all, install the FindFace apt repository as follows:
Download the installer file
findface-security-and-server-4.1.2.run
.Put the
.run
file into some directory on the designated host (for example,/home/username
).From this directory, make the
.run
file executable.chmod +x findface-security-and-server-4.1.2.run
Execute the
.run
file.sudo ./findface-security-and-server-4.1.2.run
The installer will ask you a few questions and perform several automated checks to ensure that the host meets the system requirements. Fill out the prompts appropriately once requested. The questions are the following:
Product to install:
FindFace Security
.Installation type:
repo: Don't install anything, just set up the APT repository
.Neural network models to install if necessary. To select a model(s), deselect all those on the list by entering
-*
in the command line first, then select the required model by entering its sequence number (keyword): for example,1 3
. Enter done to save your selection and proceed to another step.Important
At least one model for face biometry has to be installed.
After that, the FindFace apt repository will be automatically installed.
Prerequisites¶
FindFace Security requires such third-party software as PostgreSQL, Redis, etcd, and memcached. Do the following:
Install the prerequisite packages as such:
sudo apt update sudo apt install -y postgresql-9.5 redis-server etcd memcached
Open the
memcached
configuration file. Set the maximum memory to use for items in megabytes:-m 512
. Set the max item size:-I 16m
. If one or both of these parameters are absent, simply add them in the file.sudo vi /etc/memcached.conf -m 512 -I 16m
Enable the prerequisite services autostart and launch the services:
sudo systemctl enable postgresql@9.5-main.service redis-server etcd.service memcached.service sudo systemctl start postgresql@9.5-main.service redis-server etcd.service memcached.service
Provide Licensing¶
See also
You receive a license file from your NTechLab manager. If you opt for the on-premise licensing, we will also send you a USB dongle.
The FindFace Security licensing is provided as follows:
Deploy
findface-ntls
, license server in the FindFace core.Important
There must be only one
findface-ntls
instance in eachFindFace Security
installation.Tip
In the
findface-ntls
configuration file, you can change the license folder and specify your proxy server IP address if necessary. You can also change thefindface-ntls
web interface remote access settings. See findface-ntls for details.sudo apt update sudo apt install -y findface-ntls sudo systemctl enable findface-ntls.service && sudo systemctl start findface-ntls.service
Upload the license file via the
findface-ntls
web interface in one of the following ways:Navigate to the
findface-ntls
web interfacehttp://<NTLS_IP_address>:3185/#/
. Upload the license file.Tip
Later on, use the FindFace Security main web interface to consult your license information, and upgrade or extend your license (
).Directly put the license file into the license folder (by default,
/ntech/license
, can be changed in the/etc/findface-ntls.cfg
configuration file).
For the on-premise licensing, insert the USB dongle into a USB port.
If the licensable components are installed on remote hosts, specify the IP address of the
findface-ntls
host in their configuration files. See findface-extraction-api, findface-tarantool-server, Video face detection: findface-video-manager and findface-video-worker for details.
See also
Deploy Main Database¶
In FindFace Security, the main system database is based on PostgreSQL. To deploy the main database, do the following:
Using the PostgreSQL console, create a new user
ntech
and a databaseffsecurity
in PostgreSQL.sudo -u postgres psql postgres=# CREATE ROLE ntech WITH LOGIN; postgres=# CREATE DATABASE ffsecurity WITH OWNER ntech ENCODING 'UTF-8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE template0;
Tip
To quit from the PostgreSQL console, type
\q
and press Enter.Allow authentication in PostgreSQL by UID of a socket client. Restart PostgreSQL.
echo 'local all ntech peer' | sudo tee -a /etc/postgresql/9.5/main/pg_hba.conf sudo systemctl restart postgresql@9.5-main.service
Deploy FindFace Core¶
To deploy the FindFace core, do the following:
Tip
You can find the description of the FindFace core components and their configuration parameters in Architecture and Components in Depth.
Install the FindFace core components:
sudo apt update sudo apt install -y findface-tarantool-server findface-extraction-api findface-sf-api findface-upload findface-video-manager findface-video-worker-cpu
Note
To install the GPU-accelerated
findface-extraction-api
component, usefindface-extraction-api-gpu
instead offindface-extraction-api
in the command.Note
To install the GPU-accelerated
findface-video-worker
component, usefindface-video-worker-gpu
instead offindface-video-worker-cpu
in the command. If you have several video cards on your server, see Multiple Video Cards Usage.Important
Be sure to manually install neural network models on the host(s) with
findface-extraction-api
.Open the
findface-extraction-api
configuration file (CPU or GPU service). Enable thequality_estimator
to be able to estimate the face quality in a dossier.Note
The minimum face quality in a dossier photo is set as
MINIMUM_DOSSIER_QUALITY
in/etc/ffsecurity/config.py
.sudo vi /etc/findface-extraction-api.ini quality_estimator: true
In the
findface-extraction-api
configuration file, enable recognition models for face features such as gender, age, emotions, glasses3, and/or beard, subject to your needs. Be sure to choose the right acceleration type for each model, matching the acceleration type offindface-extraction-api
: CPU or GPU. Be aware thatfindface-extraction-api
on CPU can work only with CPU-models, whilefindface-extraction-api
on GPU supports both CPU- and GPU-models. See Face Features Recognition for details.models: age: faceattr/age.v1.cpu.fnk emotions: faceattr/emotions.v1.cpu.fnk face: face/ifruit_320.cpu.fnk gender: faceattr/gender.v2.cpu.fnk beard: faceattr/beard.v0.cpu.fnk glasses3: faceattr/glasses3.v0.cpu.fnk
The following models are available:
Face feature Acceleration Configuration file parameter face (biometry) CPU face: face/ifruit_320.cpu.fnk
face: face/ifruit_160.cpu.fnk
GPU face: face/ifruit_320.gpu.fnk
face: face/ifruit_160.gpu.fnk
age CPU age: faceattr/age.v1.cpu.fnk
GPU age: faceattr/age.v1.gpu.fnk
gender CPU gender: faceattr/gender.v2.cpu.fnk
GPU gender: faceattr/gender.v2.gpu.fnk
emotions CPU emotions: faceattr/emotions.v1.cpu.fnk
GPU emotions: faceattr/emotions.v1.gpu.fnk
glasses3 CPU glasses3: faceattr/glasses3.v0.cpu.fnk
GPU glasses3: faceattr/glasses3.v0.gpu.fnk
beard CPU beard: faceattr/beard.v0.cpu.fnk
GPU beard: faceattr/beard.v0.gpu.fnk
Tip
To disable a recognition model, simply pass an empty value to a relevant parameter. Do not remove the parameter itself as in this case the system will be searching for the default model.
models: gender: "" age: "" emotions: ""
Open the
/etc/findface-video-worker-cpu.ini
(/etc/findface-video-worker-gpu.ini
) configuration file. In themgr-static
parameter, specify thefindface-video-manager
host IP address, which providesfindface-video-worker
with settings and the video stream list. In thecapacity
parameter, specify the maximum number of video streams to be processed byfindface-video-worker
.sudo vi /etc/findface-video-worker-cpu.ini sudo vi /etc/findface-video-worker-gpu.ini mgr-static=127.0.0.1:18811 capacity=10
Enable the FindFace core services autostart and launch the services.
sudo systemctl enable findface-extraction-api findface-sf-api findface-video-manager findface-video-worker-cpu sudo systemctl start findface-extraction-api findface-sf-api findface-video-manager findface-video-worker-cpu
Deploy FindFace Security Application Module and Biometric Database¶
To deploy the FindFace Security application module, do the following:
Install the
findface-security
andffsecurity-ui
components.sudo apt update sudo apt install -y ffsecurity ffsecurity-ui
Migrate the database architecture from FindFace Security to PostgreSQL, create user groups with predefined rights and the first user with administrator rights (a.k.a. Super Administrator).
Important
Super Administrator cannot be deprived of its rights, whatever the role.
sudo findface-security migrate sudo findface-security create_groups sudo findface-security create_default_user
Create a structure of the Tarantool-based biometric database.
sudo findface-security make_tnt_schema | sudo tee /etc/ffsecurity/tnt_schema.lua
Import the
meta_scheme
variable from thetnt_schema.lua
file. Open the/etc/tarantool/instances.enabled/FindFace.lua
configuration file. Before theFindFace.start
section, add a linedofile("/etc/ffsecurity/tnt_schema.lua")
. In theFindFace.start
parameters, definemeta_scheme=meta_scheme
.sudo vi /etc/tarantool/instances.enabled/FindFace.lua dofile("/etc/ffsecurity/tnt_schema.lua") FindFace.start("127.0.0.1", 8101, { license_ntls_server="127.0.0.1:3133", facen_size=320, meta_scheme = meta_scheme })
Enable the
findface-tarantool-server
service autostart and launch the service.sudo systemctl enable tarantool@FindFace.service && sudo systemctl start tarantool@FindFace.service
Open the
/etc/ffsecurity/config.py
configuration file. Specify the following parameters:SERVICE_EXTERNAL_ADDRESS
: FindFace Security IP address or URL prioritized for the Genetec integration and webhooks. Once this parameter not specified, the system usesEXTERNAL_ADDRESS
for these purposes. To use Genetec and webhooks, be sure to specify at least one of those parameters:SERVICE_EXTERNAL_ADDRESS
,EXTERNAL_ADDRESS
.EXTERNAL_ADDRESS
: (Optional) IP address or URL that can be used to access the FindFace Security web interface. Once this parameter not specified, the system auto-detects it as the external IP address. To access FindFace Security, you can use both the auto-detected and specified IP addresses.VIDEO_DETECTOR_TOKEN
: to authorize the video face detection module, come up with a token and specify it here.VIDEO_MANAGER_ADDRESS
: IP address of thefindface-video-manager
host.NTLS_HTTP_URL
: IP address of thefindface-ntls
host.ROUTER_URL
: IP address of thefindface-security
host that will receive detected faces from thefindface-video-worker
instance(s). Specify either external or internal IP address, subject to the network through whichfindface-video-worker
interacts withfindface-security
. Change the default port, subject to the redirect settings from HTTP to HTTPS, or omit it leaving only the IP address.SF_API_ADDRESS
: IP address of thefindface-sf-api
host.
Tip
If necessary, ensure data security by enabling SSL.
Tip
If necessary, set
’IGNORE_UNMATCHED’: True
to disable logging events for faces which have no match in the dossiers (negative verification result). Enable this option if the system has to process a large number of faces. The face similarity threshold for verification is defined by theCONFIDENCE_THRESHOLD
parameter.Tip
It is recommended to change the
MINIMUM_DOSSIER_QUALITY
default value. This parameter determines the minimum quality of a face in a dossier photo. Photos containing faces of worse quality will be rejected when uploading to a dossier. Upright faces in frontal position are considered the best quality. They result in values around 0, mostly negative (such as -0.00067401276, for example). Inverted faces and large face angles are estimated with negative values some -5 and less. By default,’MINIMUM_DOSSIER_QUALITY’: -2
which is the average quality.Important
If you enabled recognition models in the
findface-extraction-api
configuration file, add the following line in theFFSECURITY
section: ‘EVENTS_FEATURES’: [‘gender’, ‘age’, ‘emotions’, ‘beard’, ‘glasses’], subject to the list of enabled models. This line must be placed betweenSF_API_ADDRESS
andLIVENESS_THRESHOLD
as shown in the example below. See Face Features Recognition for details.sudo vi /etc/ffsecurity/config.py MEDIA_ROOT = "/var/lib/ffsecurity/uploads" STATIC_ROOT = "/var/lib/ffsecurity/static" # SERVICE_EXTERNAL_ADDRESS prioritized for webhooks and genetec SERVICE_EXTERNAL_ADDRESS = 'http://localhost' EXTERNAL_ADDRESS = "http://172.20.77.58" DEBUG = False LANGUAGE_CODE = 'en-us' TIME_ZONE = 'UTC' DATABASES = { 'default': { 'ENGINE': 'django.db.backends.postgresql', 'NAME': 'ffsecurity', } } # use pwgen -sncy 50 1|tr "'" "." to generate your own unique key SECRET_KEY = 'c8b533847bbf7142102de1349d33a1f6' FFSECURITY = { 'VIDEO_DETECTOR_TOKEN': '381b0f4a20495227d04185ab02f5085f', 'CONFIDENCE_THRESHOLD': 0.739, 'EPISODES_THRESHOLD': 0.689, 'MINIMUM_DOSSIER_QUALITY': -2, 'IGNORE_UNMATCHED': False, 'EXTRACTION_API': 'http://127.0.0.1:18666/', 'VIDEO_MANAGER_ADDRESS': 'http://127.0.0.1:18810', 'EVENTS_MAX_AGE': 30, 'NTLS_HTTP_URL': 'http://127.0.0.1:3185', 'ROUTER_URL': 'http://172.20.77.58', 'MONITORING_UPDATE_INTERVAL': 60, 'SF_API_ADDRESS': 'http://127.0.0.1:18411', 'EVENTS_FEATURES': ['gender', 'age', 'emotions', 'beard', 'glasses'], 'LIVENESS_THRESHOLD': 0.75, 'BEARD_THRESHOLD': 0.7, } ASGI_THREADS = 16 UVICORN_SETTINGS = { 'workers': 'auto', 'host': 'localhost', 'port': 8002, 'ws-workers': 'auto', 'ws-host': 'localhost', 'ws-port': 8003, } FFSECURITY_UI_CONFIG = { "event": { "features": { "f_gender_class": ["male", "female"], "age": { "f_age_gte": "", "f_age_lte": "" }, "f_emotions_class": ["angry", "disgust", "fear", "happy", "sad", "surprise"], "f_glasses_class": ["none", "eye", "sun"], "f_beard_class": ["none", "beard"], "f_liveness_class": ["real", "fake"], } } } # integration plugins INSTALLED_APPS.append('ffsecurity_genetec') # remove or comment out this line to disable genetec integration
Generate a signature key for the session encryption (used by Django) by executing:
pwgen -sncy 50 1|tr “’” “.”
. Specify this key asSECRET_KEY
.Start the services.
sudo systemctl enable findface-security sudo systemctl start findface-security
Disable the default nginx server and add the
findface-security
server to the list of enabled servers. Restart nginx.sudo rm /etc/nginx/sites-enabled/default sudo ln -s /etc/nginx/sites-available/ffsecurity-nginx.conf /etc/nginx/sites-enabled/ sudo nginx -s reload