Disassociate Unifi-Video with the Unifi-Video Cloud

/ squeeby / Leave a comment

On the 15th of January, 2021, Unifi turned off cloud service associated with Unifi-Video, effectively abandoning a faithful community of self-hosted Unifi CCTV users, citing that they are focusing on the Unifi-Protect products and urging all users to buy into their closed-box appliance products.

While there was arguably ample warning, alot of us haven’t disabled the cloud integration within the Unifi-video software.

As such, errors such as the below are piling up in /var/log/unifi-video/cloud.log endlessly:

1610731344.773 2021-01-15 17:22:24.773/UTC: INFO   [uv.cloud.svc] [CloudService:connThread:31] Establishing connection in Cloud-ConnThread-31
1610731344.794 2021-01-15 17:22:24.794/UTC: INFO   [uv.cloud.svc] [CloudService:wsRequestConnection] Connection to cloud requested to wss://device.svc.ubnt.com/device/ufv/v1// in Cloud-ConnThread-31
1610731345.609 2021-01-15 17:22:25.609/UTC: ERROR  [uv.cloud.svc] [CloudWsClient:onWebsocketHandshakeError] WebSocket Handshake error received. Status [503|Service Temporarily Unavailable] in CloudWsClient
1610731345.637 2021-01-15 17:22:25.637/UTC: ERROR  [uv.cloud.svc] [CloudWsClient:onWebsocketHandshakeError] Server Rate limit is now: 30000ms in CloudWsClient
1610731405.609 2021-01-15 17:23:25.609/UTC: INFO   [uv.cloud.svc] [CloudWsClient:onClose] Websocket Closed: [-1] draft org.java_websocket.drafts.Draft_17@51007fa5 refuses handshake by [local] in CloudWsClient
1610731405.609 2021-01-15 17:23:25.609/UTC: INFO   [uv.cloud.svc] [CloudService] handleCloudWsDisconnected: Disconnected from cloud with code:[-1] in CloudWsClient
1610731405.609 2021-01-15 17:23:25.609/UTC: INFO   [uv.cloud.svc] [HeartbeatController] handleWsDisconnectedEvent: stopping HB timer in ApplicationEvtBus-17
1610731405.609 2021-01-15 17:23:25.609/UTC: WARN   [uv.cloud.svc] [CloudService:wsRequestConnection] Connection request failed. Rate limit is: 30000ms in Cloud-ConnThread-31
1610731405.610 2021-01-15 17:23:25.610/UTC: INFO   [uv.cloud.svc] [CloudService:connThread:31] delay 300000ms before reconnecting in Cloud-ConnThread-31

To add insult to injury, it also seems that the ability to remove the cloud integration via the Unifi-Video UI is impossible. The button to disassociate the NVR with the Unifi Video Cloud is greyed out, presumably because the Cloud Connection Status is "NVR is offline".

Thankfully, there appears to be a way to do this via the MongoDB backend:

  • Back up your current database and configuration data.
    You can do this in a few ways, and to be cautious, follow all of them.
    • From the "Settings" page, click "Download Configuration". This will dump a zip file to your browser downloads folder.
    • From the server CLI, use mongodump to pull everything into a directory:
$ mkdir unifi-video-backup-$(date +%F) && mongodump --port 7441 -o unifi-video-backup-$(date +%F)
$ ls 
unifi-video-backup-2021-01-15
  • Log into mongo and select the av database:
$ mongo --port 7441
MongoDB shell version v3.6.3
connecting to: mongodb://127.0.0.1:7441/
MongoDB server version: 3.6.3
Server has startup warnings:
2021-01-15T17:34:28.964+0000 I CONTROL  [initandlisten]
2021-01-15T17:34:28.965+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2021-01-15T17:34:28.965+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2021-01-15T17:34:28.965+0000 I CONTROL  [initandlisten]
> show dbs;
admin   0.000GB
av      0.190GB
config  0.000GB
local   0.000GB
> use av;
switched to db av
  • Show the current server configuration for the cloud integration:
> db.server.findOne().cloudSettings;
{
    "authData": {
      "device_id": "",
      "device_auth": ""
    },
    "ssoId": "",
    "host": "device.svc.ubnt.com"
}
  • Delete it:
> db.server.update( { }, { $unset: { "cloudSettings":  "" } } )
WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })
> db.server.findOne().cloudSettings;
>
  • Come out of mongo
> exit
bye
  • And restart the unifi-video service:
$ sudo systemctl restart unifi-video

$
$ sudo journalctl -n 10 -u unifi-video
-- Logs begin at Tue 2019-12-24 21:43:35 UTC, end at Fri 2021-01-15 18:20:04 UTC. --
Jan 15 18:15:34 cctv unifi-video[1103]:  * Stopping Ubiquiti UniFi Video unifi-video
Jan 15 18:15:34 cctv unifi-video[1103]:    ...done.
Jan 15 18:15:34 cctv systemd[1]: Stopped LSB: Ubiquiti unifi-video.
Jan 15 18:15:41 cctv systemd[1]: unifi-video.service: Failed to reset devices.list: Operation not permitted
Jan 15 18:15:41 cctv systemd[1]: Starting LSB: Ubiquiti unifi-video...
Jan 15 18:15:42 cctv unifi-video[139]:  * Starting Ubiquiti UniFi Video unifi-video
Jan 15 18:15:43 cctv unifi-video[139]: (unifi-video) Hardware type:Unknown
Jan 15 18:15:43 cctv unifi-video[139]: (unifi-video) checking for system.properties and truststore files...
Jan 15 18:15:44 cctv unifi-video[139]:    ...done.
Jan 15 18:15:44 cctv systemd[1]: Started LSB: Ubiquiti unifi-video.

It may take a couple of seconds / minutes for the service to complete booting and if you’re hosting this in an LXC container like I am, you may even need to reboot the container (I’ve always had to do this, bug to do with unifi-video[7545]: mount: /var/cache/unifi-video: cannot remount tmpfs read-write, is write-protected. .. meh.)

But if all went well, your Unifi Video instance should now be disassociated with the Unifi Video Cloud and your logs won’t fill up with garbage.

Proxmox /etc/pve blocked?

/ squeeby / 1 Comment

You’ve returned from your day out at the pub to find that a node in your Proxmox 4.x cluster has had a backing storage issue which has left it I/O blocked.

That is, it cannot write to it’s own disks – and guess what, it had the lock on pmxcfs, that is proxmox’s database driven clustered filesystem.

This means that now your entire cluster can read from /etc/pve but it cannot write to it, infact it just hangs.

You try and restart pve-cluster by issuing systemctl restart pve-cluster but after a while it spits out that the job failed and on further inspection you see that it timed out.

You’re also seeing things like

Starting pve cluster filesystem : pve-clusterfuse: failed to access mountpoint /etc/pve: Transport endpoint is not connected

and on other nodes you see.

pmxcfs[8352]: [status] crit: cpg_send_message failed: 9

Fear not!

Verify that  corosync is still functioning correctly and you have quorum by issuing:

sudo pvecm status

on a node where you haven’t tried to write to /etc/pve yet.

If you see something like:

Votequorum information
----------------------
Expected votes:   14
Highest expected: 14
Total votes:      12
Quorum:           8  
Flags:            Quorate

Then you should be ok to proceed.
Simply perform the following:

  •  On every node do
    systemctl stop pve-cluster
    This may take a while
  • On every node do
    sudo rm -f /var/lib/pve-cluster/.pmxcfs.lockfile
  • On each node – one by one  do
    systemctl start pve-cluster

If all goes well, this should bring the shared cluster back online.

Check that pvestatdpveproxy and pvedaemon are all started and you should now have your cluster back to where it was before it went wrong.

Forgotten to disable RC4 on your SonicWALL?

/ squeeby / 1 Comment

Oh god.

We all upgraded.

We forgot about the RC4 cipher and now no browsers will let us connect to our SonicWALL interface.

SSL_ERROR_NO_CYPHER_OVERLAP yaaaaaay

Brilliant, today couldn’t suck any more because I’ve got a bunch of firewall issues and no way of seeing what’s going on. I suppose I could ssh in but NO WAIT THAT’S CRASHED thanks SonicBALLs.

Ok, so here’s what to do.

  1. Open Firefox
  2. Go to about:config
  3. Search for 
    security.tls.unrestricted_rc4_fallback

    and change it to True

  4. You may also need to set the following: 
    security.tls.version.fallback-limit 0
security.tls.version.min 0
  5. You should now be able to open the SonicWALL WebUI in Safari or any other browser
  6. Now follow the instructions here: https://support.software.dell.com/kb/184069 (This will require a reboot of the SonicWALL)
  7. Remember to reset those parameters back to their defaults after you’re done. Nothing good comes from using TLS1/SSLv3.

Why though?

/ squeeby / Leave a comment

I’m not one for writing things down.

Generally speaking, I hate documentation. We all do. Not doing documentation is what I all do best.
It’s also the reason future me hates past me.

This is an attempt to keep some of my more useful findings available to not just myself, but to anyone who might benefit from something I’ve spent days figuring out.