From Gentoo Wiki
Jump to:navigation Jump to:search
ZoneMinder has been removed by this commit. There are unofficial overlays continuing support for this package.

ZoneMinder is open source software used to capture, analyse, record, and monitor cameras.



This guide includes optional steps for configuring ZoneMinder with php-fpm.

The following required packages must be configured properly for ZoneMinder to work:

USE flags

Enable the following USE flags for dev-lang/php, app-eselect/eselect-php, and media-video/ffmpeg:

FILE /etc/portage/package.use/local
app-eselect/eselect-php apache2 fpm
dev-lang/php cgi pdo sysvipc mysqli inifile intl curl apache2 sockets gd mysql fpm
media-video/ffmpeg x264 jpeg2k x265

Unmask packages

There are a few unstable packages in the tree for ~amd64

FILE /etc/portage/package.accept_keywords/local

Apache Modules

Proxy is needed for FPM-PHP support.

FILE /etc/portage/make.conf
APACHE2_MODULES="${APACHE2_MODULES} proxy proxy_fcgi"


Install MariaDB, this was decoupled from ebuild allowing users to run database on another host:

root #emerge --ask dev-db/mariadb

Install ZoneMinder:

root #emerge --ask www-misc/zoneminder

Web Server

Upstream primarily develops support for Apache, Gentoo ebuild provides an alternative path using Nginx.


  • Select correct version of PHP:
root #eselect php list fpm
  [1]   php7.4
  [2]   php8.0 *

Recent versions of ZoneMinder will warn if the local timezone is unset and reverts to using UTC, instead of throwing failures as seen with previous releases.

  • Edit your active php module /etc/php/MODULE-VERSION)/php.ini to reflect the following:
FILE /etc/php/fpm-php8.0/php.ini
date.timezone = <Country/City>
  • Edit /etc/conf.d/apache2 and add -D PHP -D PROXY to APACHE2_OPTS:
FILE /etc/conf.d/apache2
FILE /etc/apache2/modules.d/70_mod_php.conf
        <FilesMatch "\.(php|php[57]|phtml)$">
                SetHandler "proxy:unix:/var/run/php-fpm/www.sock|fcgi://localhost"
  • An example configuration file for Apache is placed under /usr/share/doc/zoneminder*/
FILE /etc/apache2/vhosts.d/zoneminder_vhost.conf
<VirtualHost *:80>
    ServerName localhost
    #ServerAlias zoneminder

    ErrorLog /var/log/apache2/zoneminder_error_log

    <IfModule log_config_module>
        CustomLog /var/log/apache2/zoneminder_access_log common

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

<VirtualHost *:443>
    ServerName localhost
    #ServerAlias zoneminder

    SSLEngine on
    SSLCertificateFile /etc/ssl/apache2/zoneminder.crt
    SSLCertificateKeyFile /etc/ssl/apache2/zoneminder.key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

    ErrorLog /var/log/apache2/zoneminder_ssl_error_log
    <IfModule log_config_module>
        CustomLog /var/log/apache2/zoneminder_ssl_access_log common

    Include /etc/apache2/vhosts.d/zoneminder_vhost.include


# modern configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
FILE /etc/apache2/vhosts.d/zoneminder_vhost.include
# gentoo apache2 vhost include file
ServerAdmin webmaster@localhost

DocumentRoot "/usr/share/zoneminder/www"

## if zoneminder is the only thing on this named vhost you might want to
## redirect root / to /zm/ so you don't have to remember to type the path
#RedirectMatch ^/$ /zm/

# Order matters. This alias must come first.
Alias /zm/cache "/var/cache/zoneminder"
<Directory "/var/cache/zoneminder">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted

ScriptAlias /zm/cgi-bin "/usr/libexec/zoneminder/cgi-bin"
Alias /zoneminder "/usr/share/zoneminder/www"
Alias /zm "/usr/share/zoneminder/www"

<Directory "/usr/share/zoneminder/www">
    Options -Indexes +MultiViews +FollowSymLinks
    AllowOverride None
    Require all granted

<Directory "/usr/libexec/zoneminder/cgi-bin">
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    AllowOverride All
    Require all granted

# For better visibility, the following directives have been migrated from the
# default .htaccess files included with the CakePHP project.
# Parameters not set here are inherited from the parent directive above.
<Directory "/usr/share/zoneminder/www/api">
    RewriteEngine on
    RewriteRule ^$ app/webroot/ [L]
    RewriteRule (.*) app/webroot/$1 [L]
    RewriteBase /zm/api

<Directory "/usr/share/zoneminder/www/api/app">
    RewriteEngine on
    RewriteRule ^$ webroot/ [L]
    RewriteRule (.*) webroot/$1 [L]
    RewriteBase /zm/api

<Directory "/usr/share/zoneminder/www/api/app/webroot">
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
    RewriteBase /zm/api


/etc/php/fpm-php8.0/fpm.d/www.conf needs to be adjusted to listen on UNIX socket and run as Apache. While a separate UID/GUI could be created for this, the /var/log/zm/ and /etc/zm/conf.d/private.conf permissions would also need to be adjusted.

FILE /etc/php/fpm-php8.0/fpm.d/www.conf
user = apache
group = apache

listen = /var/run/php-fpm/www.sock
listen.owner = apache = apache


An example configuration file for Nginx is placed under /usr/share/doc/zoneminder*/

FILE /etc/nginx/conf.d/zoneminder.conf
server {
    listen 80 http2;
    listen [::]:80 http2;
    server_name = localhost $hostname;

    access_log /var/log/nginx/zoneminder.access_log main;
    error_log /var/log/nginx/zoneminder.error_log info;

    location / {
        return 301 https://$host$request_uri;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name = localhost $hostname;

    root "/usr/share/zoneminder/www";
    access_log /var/log/nginx/zoneminder.ssl_access_log main;
    error_log /var/log/nginx/zoneminder.ssl_error_log info;

    ssl_certificate "/etc/ssl/nginx/zoneminder.crt";
    ssl_certificate_key "/etc/ssl/nginx/zoneminder.key";
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # modern configuration
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Auto redirect to server/zm when no url suffix was given
    #location = / {
    #    return 301 zm;

    location /zm/cgi-bin {
        gzip off;
        alias "/usr/libexec/zoneminder/cgi-bin";

        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass unix:/run/fcgiwrap-zoneminder.sock;

    location /zm/cache {
        alias "/var/cache/zoneminder";

    location /zm {
        gzip    off;
        alias   "/usr/share/zoneminder/www";
        index   index.php;

        location ~ \.php$ {
            try_files           $uri =404;
            expires             epoch;
            include             /etc/nginx/fastcgi_params;
            fastcgi_param       SCRIPT_FILENAME         $request_filename;
            fastcgi_index       index.php;
            fastcgi_pass        unix:/run/php-fpm.socket;

        location ~ \.(jpg|jpeg|gif|png|ico)$ {
            access_log  off;
            expires     33d;

        location /zm/api/ {
            alias   "/usr/share/zoneminder/www";
            rewrite ^/zm/api(.+)$ /zm/api/app/webroot/index.php?p=$1 last;



/etc/php/fpm-php8.0/fpm.d/www.conf needs to be adjusted to listen on UNIX socket and run as Apache. While a separate UID/GUI could be created for this, the /var/log/zm/ and /etc/zm/conf.d/private.conf permissions would also need to be adjusted.

FILE /etc/php/fpm-php8.0/fpm.d/www.conf
user = nginx
group = nginx

listen = /var/run/php-fpm/www.sock
listen.owner = nginx = nginx


Ngnix needs an external CGI processor.

The ebuild provides a custom www-servers/spawn-fcgi init.d script which incorporates www-servers/multiwatch to creates one unix socket for nginx and forks multiple children behind it for /usr/libexec/zoneminder/cgi-bin

ZoneMinder Montage page opens a connection to each camera stream, adjust FCGI_CHILDREN for the number of cameras you have.

FILE /etc/conf.d/spawn-fcgi.zoneminder



  • Create ZoneMinder's database, zm, and setup a new user zmuser.
root #mysql -p
mysql> create database zm;

mysql> grant lock tables,alter,drop,select,insert,update,delete,create,index,alter routine,create routine, trigger,execute on zm.* to 'zmuser'@localhost identified by 'zmpass';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit;
  • Import the database schema and base data, the .sql script is created by the configure phase above, so make sure you do that first.
root #mysql -p zm < /usr/share/zoneminder/db/zm_create.sql


To make custom changes, create a new configuration file, with an extension of .conf, under the /etc/zm/conf.d folder, containing your desired modifications. Adjust the permissions to protect credentials and make it readable by your web server.

For example, creating new /etc/zm/conf.d/99-local.conf

root #touch /etc/zm/conf.d/99-local.conf
root #chmod 640 /etc/zm/conf.d/99-local.conf
root #chown root:apache /etc/zm/conf.d/99-local.conf

Configuration files

  • Edit your new local configuration file and add the above MySQL database username and password:
FILE /etc/zm/conf.d/99-local.conf
# ZoneMinder database user

# ZoneMinder database password



Add PHP to the default runlevel and start the service:

root #rc-update add php-fpm default
root #rc-service php-fpm start

Add MySQL to the default runlevel and start the service:

root #rc-update add mysql default
root #rc-service mysql start

Add ZoneMinder to the default runlevel and start:

root #rc-update add zoneminder default
root #rc-service zoneminder start


Add Apache to the default runlevel and start the service:

root #rc-update add apache2 default
root #rc-service apache2 start


Add Nginx to the default runlevel and start the service:

root #rc-update add nginx default
root #rc-service nginx start

Add spawn-fcgi to the default runlevel and start the service:

root #rc-update add spawn-fcgi.zoneminder default
root #rc-service spawn-fcgi.zoneminder start


While Nginx has a service file for systemd, we need one written/tested for the custom spawn-fcgi.zoneminder component.

Enable the Apache to start on system boot and start the service:

root #systemctl enable apache2
root #systemctl start apache2

Enable the PHP service to start on system boot and start the service:

root #systemctl enable php-fpm
root #systemctl start php-fpm

Enable the MySQL service to start on system boot and start the service:

root #systemctl enable mysql
root #systemctl start mysql

Enable the ZoneMinder service to start on system boot and start the service:

root #systemctl enable zoneminder
root #systemctl start zoneminder


When using SELinux, first create a SELinux policy for the application:

FILE local_zoneminder.teType enforcement rules for ZoneMinder
module local_zoneminder 1.0; 

require { 
               type httpd_t;
               type initrc_var_run_t;
               type initrc_t;
               type v4l_device_t;
               type file_t;
              class unix_stream_socket { read connectto };
              class file { read lock };
              class shm { unix_read unix_write associate read write getattr };
              class chr_file getattr;

#============= httpd_t ============== 
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;

Now build the modules:

root #checkmodule -M -m -o local_zoneminder.mod local_zoneminder.te
root #semodule_package -o local_zoneminder.pp -m local_zoneminder.mod
root #semodule -i local_zoneminder.pp


Shared memory:

root #sysctl kernel.shmmax=536870912


ZoneMinder includes a Perl utility to update the database schema as needed. Note: a Perl interpreter will required to run the script.

Normally you just need to run without parameters, credentials are read from configurations under /etc/zm. If you have a unique upgrade situation, you can specify the previous version and database credentials for the zm database:

root #/usr/bin/ --version=1.30.2 --user=zmuser --pass=zmpass
Initiating database upgrade to version 1.30.4 from version 1.30.2

Please ensure that ZoneMinder is stopped on your system prior to upgrading the database.
Press enter to continue or ctrl-C to stop :

Do you wish to take a backup of your database prior to upgrading?
This may result in a large file in /var/tmp/zm if you have a lot of events.
Press 'y' for a backup or 'n' to continue : y
Creating backup to /var/tmp/zm/zm-1.30.2.dump. This may take several minutes.
Database successfully backed up to /var/tmp/zm/zm-1.30.2.dump, proceeding to upgrade.

Upgrading database to version 1.30.4
Loading config from DB
Saving config to DB
Upgrading DB to 1.30.3 from 1.30.2

Database successfully upgraded to version 1.30.3.
Upgrading DB to 1.30.4 from 1.30.2

Database successfully upgraded to version 1.30.4.

Database upgrade to version 1.30.4 successful.

See also

  • PHP — a general-purpose server-side scripting language to produce dynamic web pages.
  • Apache — an efficient, extensible web server. It is one of the most popular web servers used the Internet.
  • Nginx — a robust, small, high performance web server and reverse proxy server.
  • MariaDB — is an enhanced, drop-in MySQL replacement.