Update FindFace Security to 4.4

Warning

Since version 4.1, FindFace Security utilizes a new version of Tarantool. The biometric database from previous FindFace Security versions (4.0 and earlier) is NOT COMPATIBLE with FindFace Security 4.4. Be sure to use the Backup/Restore functionality to update the product to 4.4 (see the full algorithm below).

To update FindFace Security from any previous version to 4.4, do the following:

  1. Open the findface-security configuration file. Save the values of the following parameters for later use: EXTERNAL_ADDRESS, SECRET_KEY, VIDEO_DETECTOR_TOKEN, ROUTER_URL.

    # FindFace Security 4.2 and earlier
    
    sudo vi /etc/ffsecurity/config.py
    
    # FindFace Security 4.3
    
    sudo vi /etc/findface-security/config.py
    
    EXTERNAL_ADDRESS = "http://172.20.77.58"
    
    ...
    # use pwgen -sncy 50 1|tr "'" "." to generate your own unique key
    SECRET_KEY = 'c8b533847bbf7142102de1349d33a1f6'
    
    FFSECURITY = {
       'VIDEO_DETECTOR_TOKEN': '381b0f4a20495227d04185ab02f5085f',
       ...
       'ROUTER_URL': 'http://172.20.77.58',
       ...
    }
    
  2. Stop the findface-security service.

    sudo systemctl stop findface-security*
    
  3. Create a backup of the Tarantool-based biometric database in any directory of your choice, for example, /etc/findface_dump.

    Tip

    See Backup and Restore Data Storages for details.

    sudo mkdir -p /etc/findface_dump
    cd /etc/findface_dump
    sudo findface-storage-api-dump -config /etc/findface-sf-api.ini
    
  4. Install the apt repository with the new FindFace Security, using the console installer as described in this section.

  5. Install the pgbouncer package as such:

    sudo apt update
    sudo apt install -y pgbouncer
    
  6. If you are updating from FindFace Security version 4.1.2 or earlier, do the following:

    1. Give a strong password to the ntech user (9T3g1nXy9yx3y8MIGm9fbef3dia8UTc3 in the example below). Output the credentials to the pgbouncer user list.

      echo '"ntech" "9T3g1nXy9yx3y8MIGm9fbef3dia8UTc3"' | sudo tee -a /etc/pgbouncer/userlist.txt
      
    2. Configure pgbouncer. In /etc/pgbouncer/pgbouncer.ini, add ffsecurity to the databases section. Configure named parameters, as shown in the example below. Parameters other than those must be commented out.

      sudo vi /etc/pgbouncer/pgbouncer.ini
      
      [databases]
      ffsecurity = dbname=ffsecurity host=localhost port=5432 user=ntech
      [pgbouncer]
      pidfile = /var/run/postgresql/pgbouncer.pid
      listen_addr = 127.0.0.1
      listen_port = 5439
      unix_socket_dir = /var/run/postgresql
      auth_type = plain
      auth_file = /etc/pgbouncer/userlist.txt
      pool_mode = transaction
      server_reset_query = DISCARD ALL
      max_client_conn = 16384
      default_pool_size = 20
      syslog = 1
      
    3. Copy the password of the ntech user (9T3g1nXy9yx3y8MIGm9fbef3dia8UTc3 in the example). In PostgreSQL, set the copied password for the ntech role. Open the PostgreSQL interactive terminal. You will see the line postgres=# appear. After the # sign, enter the following command: ALTER ROLE ntech PASSWORD '<copied password>'.

      sudo -u postgres psql
      
      postgres=# ALTER ROLE ntech PASSWORD '9T3g1nXy9yx3y8MIGm9fbef3dia8UTc3';
      
    4. Using the PostgreSQL interactive terminal, create a database ffcounter in PostgreSQL.

      postgres=# CREATE DATABASE ffcounter WITH OWNER ntech ENCODING 'UTF-8' LC_COLLATE='C.UTF-8' LC_CTYPE='C.UTF-8' TEMPLATE template0;
      
    5. Create and configure pgbouncer.service.

      sudo touch /etc/systemd/system/pgbouncer.service
      sudo vi /etc/systemd/system/pgbouncer.service
      

      Insert the following code:

      [Unit]
      Description=Pgbouncer service
      After=postgresql.service
      Before=findface-security.service
      [Service]
      User=postgres
      Group=postgres
      ExecStart=/usr/sbin/pgbouncer "/etc/pgbouncer/pgbouncer.ini"
      [Install]
      WantedBy=multi-user.target
      
    6. Enable the pgbouncer.service autostart and restart it:

      sudo systemctl enable pgbouncer.service
      sudo systemctl restart pgbouncer.service
      
  7. Install the new FindFace Security services from the repository, following your architecture outline.

    CPU-version:

    sudo apt update
    sudo apt install findface-security findface-security-ui findface-extraction-api findface-ntls findface-sf-api findface-tarantool-server findface-upload findface-video-manager findface-video-worker-cpu findface-counter
    

    GPU-version:

    sudo apt update
    sudo apt install findface-security findface-security-ui findface-extraction-api-gpu findface-ntls findface-sf-api findface-tarantool-server findface-upload findface-video-manager findface-video-worker-gpu findface-counter
    

    Important

    FindFace Security 4.4 on GPU requires the nvidia-455 and cuda 11.1 drivers. Make sure the right driver versions are installed.

    Important

    At some moment, you will be prompted to choose which version of the findface-security configuration file to keep. Opt for Install the packages maintainer’s version.

  8. Enable the findface-counter service autostart.

    sudo systemctl enable findface-counter
    
  9. Open the findface-security configuration file and paste the saved EXTERNAL_ADDRESS, SECRET_KEY, VIDEO_DETECTOR_TOKEN, and ROUTER_URL into it. Fill in the DATABASES section by analogy: 'PORT': 5439, 'USER': 'ntech', 'PASSWORD': '9T3g1nXy9yx3y8MIGm9fbef3dia8UTc3' (password from /etc/pgbouncer/userlist.txt).

    sudo vi /etc/findface-security/config.py
    ...
    # Database is used by FindFace Security to store cameras,
    # camera groups, watchlists and so on. Only PostgreSQL is supported.
    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.postgresql',
            'DISABLE_SERVER_SIDE_CURSORS': True,
            'NAME': 'ffsecurity',
            'PORT': 5439, 'USER': 'ntech', 'PASSWORD': '9T3g1nXy9yx3y8MIGm9fbef3dia8UTc3',
        }
    }
    ...
    # Use pwgen -sncy 50 1|tr "'" "." to generate your own unique key
    SECRET_KEY = '002231ccb690586f4d33e98322c591bb'
    ...
    SERVICE_EXTERNAL_ADDRESS = 'http://172.20.77.58'
    # EXTERNAL_ADDRESS is used to access objects created inside FFSecurity via external links.
    EXTERNAL_ADDRESS = 'http://172.20.77.58'
    ...
        # findface-video-worker authorization token
        'VIDEO_DETECTOR_TOKEN': '8977e1b0067d43f6c908d0bf60363255',
    ...
        # findface-video-worker face posting address,
        # it must be set to either FFSecurity EXTERNAL_ADDRESS (by default)
        # or findface-facerouter url (in some specific cases)
        'ROUTER_URL': 'http://127.0.0.1:80',
    
  10. Open the old version of the findface-ntls configuration file available at /etc/findface-ntls.cfg.dpkg-old and check it against the new version /etc/findface-ntls.cfg. Make sure that all the custom parameters from the old version are present in the new one. Do the same for other components, e.g. for findface-extraction-api, check /etc/findface-extraction-api.ini.ucf-old against /etc/findface-extraction-api.ini, etc.

    sudo vi /etc/findface-ntls.cfg.dpkg-old
    sudo vi /etc/findface-ntls.cfg
    sudo vi /etc/findface-extraction-api.ini.ucf-old
    sudo vi /etc/findface-extraction-api.ini
    
    ...
    
  11. Modify the Tarantool database structure by applying the tnt_schema.lua file from the new version.

    sudo findface-security make_tnt_schema | sudo tee /etc/findface-security/tnt_schema.lua
    
  12. Stop the findface-tarantool-server shards. Purge data from all the directories relevant to active shards.

    sudo systemctl stop 'tarantool@*'
    
    sudo rm /opt/ntech/var/lib/tarantool/shard-*/{index,snapshots,xlogs}/*
    
  13. Navigate to the directory with Tarantool configuration file(s) /etc/tarantool/instances.enabled/. Check whether each configuration file shard-*.lua contains the dofile command, meta_indexes and meta_scheme definitions, as in the example below.

    sudo vi /etc/tarantool/instances.enabled/shard-*.lua
    
    ...
    dofile("/etc/findface-security/tnt_schema.lua")
    ...
    FindFace.start("127.0.0.1", 8101, {
        license_ntls_server="127.0.0.1:3133",
        meta_indexes=meta_indexes,
        meta_scheme = meta_scheme
    })
    
  14. Restart the findface-tarantool-server shards.

    TNT=$(ls /etc/tarantool/instances.enabled/ | cut -c 7,8,9)
    for i in $TNT; do sudo systemctl restart tarantool@shard-$i.service ; done
    
  15. Restart the findface-ntls service.

    sudo systemctl restart findface-ntls.service
    
  16. Restore the Tarantool database from the backup.

    cd /etc/findface_dump
    
    for x in *.json; do sudo findface-storage-api-restore -config /etc/findface-sf-api.ini < "$x"; done
    
  17. Restart the services.

    sudo systemctl restart findface-security.service
    sudo systemctl restart findface-ntls findface-extraction-api findface-video-worker* findface-video-manager findface-sf-api findface-counter
    
  18. Migrate the main database architecture from FindFace Security to PostgreSQL, re-create user groups with predefined rights, and the first user with administrator rights.

    sudo findface-security migrate
    sudo findface-security create_groups
    sudo findface-security create_default_user
    
  19. Restart PostgreSQL.

    sudo systemctl restart postgresql@10-main.service
    

Important

To preserve the FindFace Security compatibility with the installation environment, we highly recommend you to disable the Ubuntu automatic update. In this case, you will be able to update your OS manually, fully controlling which packages to update.

To disable the Ubuntu automatic update, execute the following commands:

sudo apt-get remove unattended-upgrades
sudo systemctl stop apt-daily.timer
sudo systemctl disable apt-daily.timer
sudo systemctl disable apt-daily.service
sudo systemctl daemon-reload