Rootless Frigate container (with Podman)

[Procsiab]

Greetings, since this was asked before and I think I managed to achieve it, I would like to share the configuration I am using for a rootless Frigate container I am testing.

DISCLAIMER: with rootless I mean that the container is run by an unprivileged system user and not by the root user (UID 0) itself; that being said, some isolation layers sholud be removed to make things still work.

If you are using SystemD Quadlet to manage Podman containers, the following is the snippet to put in the .container "unit" file:

[Unit]
Description=Frigate

[Container]
Image=ghcr.io/blakeblackshear/frigate:stable
ContainerName=frigate
AutoUpdate=registry

ShmSize=256m
Notify=true
PodmanArgs=--privileged --group-add keep-groups
AddCapability=PERFMON
AddDevice=/dev/dri/renderD128

Environment=LIBVA_DRIVER_NAME=i965
Secret=frigate-podman-rtsp-password,type=env,target=FRIGATE_RTSP_PASSWORD

# omitted the volume and port publishing, and a section with health checks

[Service]
Restart=always
TimeoutStartSec=600

[Install]
WantedBy=multi-user.target default.target

If you are using the good old interactive CLI to run Podman containers, the following should mimic the configuration I provided above (I am still excluding the port forwards and volume mounts):

podman run --detach \
  --name frigate \
  --label io.containers.autoupdate=registry \
  --shm-size 256m \
  --sdnotify container \
  --privileged \
  --group-add keep-groups \
  --cap-add PERFMON \
  --device /dev/dri/renderD128 \
  --env LIBVA_DRIVER_NAME=i965 \
  --env FRIGATE_RTSP_PASSWORD=suchsecure \
  # remember to add port and volume mounts
  ghcr.io/blakeblackshear/frigate:stable

Do you have any suggestion regarding this use case? Have you done the same in a different/interesting way?

[reidprichard]

Thanks for the example - quite fortuitous timing, as I'm just in the process of switching to podman. Unfortunately, I'm not having the same luck. While Frigate loads, none of the streams are working. I believe I've tracked the issue down to rootless podman not having proper access to my USB coral at /dev/bus/usb/003/002. If I either run as root or change my detector to a CPU, everything works. The Coral shows up in Frigate's system page, and inference time, CPU, and memory use are being reported, but apparently there is a permissions issue.

I created a group "coral" and added a udev rule that allowed it access to the device, then added my user to the coral group and rebooted. Together with --group-add keep-groups, my understanding is that this should allow the container to access the device.
/etc/udev/rules.d/coral.rules: SUBSYSTEMS=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="9302", MODE=="0660", group=="coral"
sudo usermod -a -G coral admin

That still didn't work. I thought it could be a SELinux issue, but setenforce 0 before starting made no difference (not to mention I didn't see anything in the audit). I'm afraid my linux-fu is too weak to get much farther on my own - could someone chime in?

podman 4.8.3
Fedora 39 (Server Edition)
docker-compose.yml:

version: "3.9"

services:
  frigate:
    container_name: frigate
    privileged: true
    restart: unless-stopped
    image: ghcr.io/blakeblackshear/frigate:0.13.0-beta7
    shm_size: "256mb"
    devices:
      - "/dev/bus/usb/003/002:/dev/bus/usb/003/002"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./config/:/config/:Z
      - /mnt/Frigate:/media/frigate
      - ./:/database:Z
      - type: tmpfs
        target: /tmp/cache
        tmpfs:
          size: 1000000000
    ports:
      - "5000:5000"
      - "1935:1935" # RTMP feeds
      - "8554:8554" # RTSP restream
      - "8555:8555/tcp" # WebRTC over tcp
      - "8555:8555/udp" # WebRTC over udp
    environment:
      FRIGATE_RTSP_PASSWORD: "password"

[Procsiab]

I think that you may be missing the keep-groups directive, to allow the use of the device inside the rootless container. I will try tor eproduce it with podman-compose. My environment is Fedora IoT 39.20240122.0

[phillym]

Hey fellow podman rootless folks :)

@reidprichard
When I had rootless group mapping issues/couldn't access the Coral TPU from the container I'm pretty sure (been a while since I got this working) the container just got into a restart loop, it's interesting you have a running instance that is showing inference time (seems like TPU is accessible)

• what do your logs show after you start your container "podman logs [container Id]" ?
• What do the permissions on your Coral device show as in /dev ?
• I use the PCIe Coral, do you have a /dev/apex_0 device?
• Are you using crun as the runtime? (probably, I think it's Fedora default)
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/building_running_and_managing_containers/selecting-a-container-runtime_building-running-and-managing-containers
• Does your version of Podman support group-add for podman compose (I'm using Systemd Unit file instead, like @Procsiab )?
  • Add support for the group_add property of a service. containers/podman-compose#653
• Do you have the same issues if you use podman run (as opposed to compose) ?

Phil

[robotgoat]

I recently troubleshooted the same thing. Are you running in a Debian based distro and followed the install instructions on the Coral website? If so, the issue lies in the udev rules for the Coral device. You won't be able to access the Coral even if you add the apex group to your local user. You can either change the udev rules or run frigate in a rootful container. I think only the PCie Coral has this issue. USB Coral can run without issue in rootless mode.

[phillym]

Sorry @robotgoat, you’ve got the wrong end of the stick. I have PCIe Coral running just fine in rootless. @reidprichard is running USB Coral and is having issues.

[robotgoat]

Which OS are you on? When I tried rootless in Debian 12, I could not access the PCIe Coral at all after following the default driver install.

[reidprichard]

Thanks for the help.

1. Nothing noteworthy in logs. Just the below, then the streams start crashing.

frigate] | 2024-01-30 00:11:37.353172393  [2024-01-30 00:11:34] frigate.detectors.plugins.edgetpu_tfl INFO    : Attempting to load TPU as usb
[frigate] | 2024-01-30 00:11:37.365939513  [2024-01-30 00:11:37] frigate.detectors.plugins.edgetpu_tfl INFO    : TPU found

2. While Linux permissions are Greek to me, here they are:

ls -la /dev/bus/usb/003/002
crw-rw-r--. 1 root root 189, 257 Jan 30 00:14 /dev/bus/usb/003/002

From inside the container:

ls -la /dev/bus/usb/003/002
crw-rw-r--. 1 nobody nogroup 189, 257 Jan 30 00:23 /dev/bus/usb/003/002

3. Nope, that must be a PCIe thing.
4. I believe so. podman info spits out:

...
  ociRuntime:
    name: crun
    package: crun-1.13-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.13
      commit: c761349704905da07cfe67f38dda6850334a160f
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
...

5. I'm not sure, but I can run with a run command or via systemd. I've tried --group-add keep-groups with podman run per below.
6. Yep. podman run with --group-add keep-groups should work AFAIK, but no dice.

I just tried again, both with --group-add=keep-groups and --group-add=1001 (id of my "coral" group). Same result - it starts, seems like everything's fine, then streams start crashing and it shuts down because the detector isn't working.
podman run --rm --group-add=1001 --name=frigate --label io.podman.compose.config-hash=875a24c8b62d32bdace5c7466d5c736faf39e39d6048c190c441ab2a8ce8dd02 --label io.podman.compose.project=frigate --label io.podman.compose.version=1.0.6 --label PODMAN_SYSTEMD_UNIT=podman-compose@frigate.service --label com.docker.compose.project=frigate --label com.docker.compose.project.working_dir=/home/admin/podman/frigate --label com.docker.compose.project.config_files=docker-compose.yml --label com.docker.compose.container-number=1 --label com.docker.compose.service=frigate --device /dev/bus/usb/003/002:/dev/bus/usb/003/002 -e FRIGATE_RTSP_PASSWORD=password -v /etc/localtime:/etc/localtime:ro -v /home/admin/podman/frigate/config:/config/:Z -v /mnt/Frigate:/media/frigate -v /home/admin/podman/frigate:/database:Z --tmpfs /tmp/cache:size=1000000000 --net frigate_default --network-alias frigate -p 5000:5000 -p 1935:1935 -p 8554:8554 -p 8555:8555/tcp -p 8555:8555/udp --shm-size 256mb --privileged ghcr.io/blakeblackshear/frigate:0.13.0-beta7

Digging a bit more into the logs:

2024-01-30 00:34:02.970961815  00:34:02.970 WRN [rtsp] error="streams: exec: exit status 1" stream=office_cam
2024-01-30 00:34:07.320631951  Process detector:coral:
2024-01-30 00:34:07.320748736  [2024-01-30 00:34:07] frigate.detectors.plugins.edgetpu_tfl ERROR   : No EdgeTPU was detected. If you do not have a Coral device yet, you must configure CPU detectors.
2024-01-30 00:34:07.323897422  Traceback (most recent call last):
2024-01-30 00:34:07.323905566    File "/usr/lib/python3/dist-packages/tflite_runtime/interpreter.py", line 160, in load_delegate
2024-01-30 00:34:07.323910107      delegate = Delegate(library, options)
2024-01-30 00:34:07.323920107    File "/usr/lib/python3/dist-packages/tflite_runtime/interpreter.py", line 119, in __init__
2024-01-30 00:34:07.323925217      raise ValueError(capture.message)
2024-01-30 00:34:07.323974488  ValueError
2024-01-30 00:34:07.323978041  
2024-01-30 00:34:07.323982122  During handling of the above exception, another exception occurred:
2024-01-30 00:34:07.323986593  
2024-01-30 00:34:07.323990046  Traceback (most recent call last):
2024-01-30 00:34:07.324038808    File "/usr/lib/python3.9/multiprocessing/process.py", line 315, in _bootstrap
2024-01-30 00:34:07.324043349      self.run()
2024-01-30 00:34:07.324048708    File "/usr/lib/python3.9/multiprocessing/process.py", line 108, in run
2024-01-30 00:34:07.324053758      self._target(*self._args, **self._kwargs)
2024-01-30 00:34:07.324058499    File "/opt/frigate/frigate/object_detection.py", line 102, in run_detector
2024-01-30 00:34:07.324063409      object_detector = LocalObjectDetector(detector_config=detector_config)
2024-01-30 00:34:07.324071413    File "/opt/frigate/frigate/object_detection.py", line 53, in __init__
2024-01-30 00:34:07.324075834      self.detect_api = create_detector(detector_config)
2024-01-30 00:34:07.324080255    File "/opt/frigate/frigate/detectors/__init__.py", line 18, in create_detector
2024-01-30 00:34:07.324084616      return api(detector_config)
2024-01-30 00:34:07.324088857    File "/opt/frigate/frigate/detectors/plugins/edgetpu_tfl.py", line 41, in __init__
2024-01-30 00:34:07.324147350      edge_tpu_delegate = load_delegate("libedgetpu.so.1.0", device_config)
2024-01-30 00:34:07.324152949    File "/usr/lib/python3/dist-packages/tflite_runtime/interpreter.py", line 162, in load_delegate
2024-01-30 00:34:07.324201342      raise ValueError('Failed to load delegate from {}\n{}'.format(
2024-01-30 00:34:07.324206951  ValueError: Failed to load delegate from libedgetpu.so.1.0

[phillym]

I tried a bunch of different distros and had various problems on all until I landed on Ubuntu 22.04. I think my main issue with Debian at the time was the packaged version of Podman (trying to go with prebuilt as much as possible) but maybe something else :D The Coral/Apex drivers were a slight mare I think but the only minor challenge now is signing the kernel modules after a kernel update, otherwise it’s chugging along nicely. Had to chmod the apex device so my mapped group could r/w it but not much else.

…

On Sun, 28 Jan 2024 at 10:29 AM, robotgoat ***@***.***> wrote: Which OS are you on? When I tried rootless in Debian 12, I could not access the PCIe Coral at all after following the default driver install. — Reply to this email directly, view it on GitHub <#9440 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACQI37N7CCNNUBD6JK64FB3YQVWU5AVCNFSM6AAAAABCK3MYL6VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DENRXGY2TC> . You are receiving this because you commented.Message ID: ***@***.*** com>

[phillym]

No problems, if you hit any roadblocks you could try asking back here, I
might have seen it (and might even remember!)

[reidprichard]

Could you give more details on how you changed the device permissions? I'm hesitant to go running chmod/chown/etc on devices without more understanding.

[phillym]

Hi, if I remember correctly I just did a simple chown to give the 'apex' group rw access to /dev/apex_0 <- for PCIe this is the first Coral device.

Permissions on my Coral are:
root@hostname:~# ls -al /dev/apex_0
crw-rw---- 1 root apex 120, 0 Jan 27 12:47 /dev/apex_0
My rootless user account is called 'docker' (legacy name :D ), this is in the apex group:
root@hostname:~# getent group apex
apex:x:1111:docker

Looking at your device permissions, only root and members of the 'root' group can r/w to the Coral, whereas others/everyone can read only (0664). Reading up on udev (here especially) I think I see the problem.

When you are attempting to assign r/w to your group (0660/coral) you are using the matches operator (==) instead of the assignment operator (=)

So I believe your udev rules syntax should be:
SUBSYSTEMS=="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="9302", MODE="0660", GROUP="coral"

[reidprichard]

@phillym
Thank you!!! Together with --group-add keep-groups that corrected udev did the trick. Man did I butcher that originally.

I had a bit of difficulty getting --group-add keep-groups set on other methods beside podman run (e.g. podman-compose or podman kube play), but setting it up with podlet wasn't too hard:

podlet podman run \
         -d \
         --group-add keep-groups \
         --name=frigate \
         --device /dev/bus/usb/003/002:/dev/bus/usb/003/002 \
         -e FRIGATE_RTSP_PASSWORD=password \
         -v /etc/localtime:/etc/localtime:ro \
         -v frigate_config:/config/:Z \
         -v /mnt/Frigate:/media/frigate \
         -v frigate_database:/database:Z \
         --tmpfs /tmp/cache:size=1000000000 \
         --net frigate_default \
         --network-alias frigate \
         -p 5000:5000 \
         -p 1935:1935 \
         -p 8554:8554 \
         -p 8555:8555/tcp \
         -p 8555:8555/udp \
         --shm-size 256mb \
         --privileged \
         --restart unless-stopped ghcr.io/blakeblackshear/frigate:0.13.0-beta7 > ~/.config/containers/systemd/frigate.container
echo -e "\n[Install]\nWantedBy=default.target" > ~/.config/containers/systemd/frigate.container # Optional to auto-start container on boot
systemctl --user daemon-reload
systemctl --user start frigate.service

Podlet

For others' benefit: podman-compose --dry-run up 2>&1 | grep 'podman create' | sed 's/podman create/podman run --rm/' will give the podman run command(s) corresponding to a docker-compose.yml. With some minor tweaks you can have a command ready to feed into podlet to generate an auto-starting quadlet like above.

[phillym]

You’re welcome @reidprichard! Glad you’re trucking along rootless.

I learnt about udev which is very handy.

One question I have, your use of "--privileged” - is this required on your distro? I don’t use it and have no issues. Worth a try removing it?

https://www.redhat.com/sysadmin/privileged-flag-container-engines

[Procsiab]

At least on RHEL-based distros, the privileged option is necessary in Podman if SELnux is in "Enforcing" state and using the default policies

[phillym]

“Required” or “easier”? It would be interesting to know what actions from the container are prevented. https://docs.fedoraproject.org/en-US/quick-docs/selinux-troubleshooting/#_selinux_denials_in_the_audit_log

…

On Wed, 31 Jan 2024 at 10:38 PM, Lorenzo Prosseda ***@***.***> wrote: At least on RHEL-based distros, the privileged option is necessary in Podman if SELnux is in "Enforcing" state and using the default policies — Reply to this email directly, view it on GitHub <#9440 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACQI37IXZA3A26U2O2KRA53YRIGKPAVCNFSM6AAAAABCK3MYL6VHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DGMJXGE2DG> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

[adarshahd]

For anyone still looking out, without enabling privileged mode, here is my config. For reference I use Fedora 39, Podman. I never turn off SELinux

$ sudo setsebool container_use_devices 1

docker-compose.yml

version: "3.9"
services:
  frigate:
    container_name: frigate
    restart: unless-stopped
#   privileged: true
#   image: ghcr.io/blakeblackshear/frigate:0.13.0-rc1
    image: ghcr.io/harakas/frigate:latest-rocm
    shm_size: "64mb" # update for your cameras based on calculation above
    volumes:
      - ./config/:/config/:Z
      - ./storage:/media/frigate:Z
      - type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
        target: /tmp/cache
        tmpfs:
          size: 1000000000
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
      - /dev/kfd:/dev/kfd
    ports:
      - "5000:5000"
      - "8554:8554" # RTSP feeds
      - "8555:8555/tcp" # WebRTC over tcp
      - "8555:8555/udp" # WebRTC over udp
    environment:
      FRIGATE_RTSP_PASSWORD: "password"
      NVIDIA_VISIBLE_DEVICES: void
      LIBVA_DRIVER_NAME: radeonsi
      HSA_OVERRIDE_GFX_VERSION: 11.0.0

[Procsiab]

Following up: on Fedora IoT setting to true that SELinux boolean still does not let me use the GPU device on my device. @adarshahd are you using Docker or Podman? If on Docker, are you running it "rootless"?

[adarshahd]

I use podman. But you can search for what is preventing you from using

sudo ausearch -c 'frigate'

and post the result

[adarshahd]

for example if I reset that flag I get

type=AVC msg=audit(1706702069.315:2137): avc: denied { read write } for pid=345394 comm="frigate.detecto" name="kfd" dev="devtmpfs" ino=446 scontext=system_u:system_r:container_t:s0:c752,c1009 tcontext=system_u:object_r:hsa_device_t:s0 tclass=chr_file permissive=0

[Procsiab]

I found what my issue was: I did remove the --privileged argument, but not the --add-groups one, and the latter was causing issues. With the SELinux boolean activated and the udev rule in place for my user, I can run the container without both those flags 🚀

[adarshahd]

Yay!

[AlphaJack]

Hi, any clue why I get chown: changing ownership of '/dev/shm/logs/frigate': Invalid argument?

I'm using @Procsiab's container config

Apr 30 11:11:57 P4 frigate[41548]: s6-rc: info: service fix-attrs: starting
Apr 30 11:11:57 P4 frigate[41548]: s6-rc: info: service s6rc-fdholder successfully started
Apr 30 11:11:57 P4 frigate[41548]: s6-rc: info: service fix-attrs successfully started
Apr 30 11:11:57 P4 frigate[41548]: s6-rc: info: service legacy-cont-init: starting
Apr 30 11:11:57 P4 frigate[41548]: s6-rc: info: service legacy-cont-init successfully started
Apr 30 11:11:57 P4 frigate[41548]: s6-rc: info: service log-prepare: starting
Apr 30 11:11:57 P4 frigate[41548]: chown: changing ownership of '/dev/shm/logs/frigate': Invalid argument
Apr 30 11:11:57 P4 frigate[41548]: chown: changing ownership of '/dev/shm/logs/go2rtc': Invalid argument
Apr 30 11:11:57 P4 frigate[41548]: chown: changing ownership of '/dev/shm/logs/nginx': Invalid argument
Apr 30 11:11:57 P4 frigate[41548]: s6-rc: warning: unable to start service log-prepare: command exited 1

My /etc/subuid and /etc/subgid` looks like this:

user:100000:70000

Removing this chown script causes another error: #3108 (comment), and #3108 (comment) (March 08, 2024) doesn't fix the issue for me

[woolmonkey]

Have the exact same issue

[asagent7]

Hi, I am able to run frigate successfully from cli, but when I try to enable frigate with podman quadlet, ffmpeg fails because it's not able to find the gpu for hwaccel giving the following error

ERROR : [AVHWDeviceContext @ 0x55c6324db500] No VA display found for device /dev/dri/renderD128. ERROR : Device creation failed: -22. ERROR : [h264 @ 0x55c632650bc0] No device available for decoder: device type vaapi needed for codec h264.

My quadlet config is as follows:

[Container]
ContainerName=frigate
Image=ghcr.io/blakeblackshear/frigate:stable
PublishPort=5000:5000
PublishPort=8554:8554
Volume=%h/podman/frigate:/config
Volume=/mnt/frigate:/media/frigate
AutoUpdate=registry
#NoNewPrivileges=true
Network=IoT.network
PodmanArgs=--group-add=keep-groups
AddDevice=/dev/dri/renderD128:/dev/dri/renderD128
AddDevice=/dev/bus/usb/002/004:/dev/bus/usb/002/004
#AddCapability=PERFMON
Timezone=local
Tmpfs=/tmp/cache:size=1000000000

[Service]
Restart=always

[Install]
WantedBy=default.target

When I do a dryrun and use the generated podman command directly in the cli, it works flawlessly:

podman run --name=frigate --cidfile=./abc.cid --replace --rm --cgroups=split --tz=local --network=IoT --sdnotify=conmon -d --device=/dev/dri/renderD128:/dev/dri/renderD128 --device=/dev/bus/usb/002/004:/dev/bus/usb/002/004 --tmpfs /tmp/cache:size=1000000000 -v /home/adam/podman/frigate:/config -v /mnt/frigate:/media/frigate --label io.containers.autoupdate=registry --publish 5000:5000 --publish 8554:8554 --group-add=keep-groups ghcr.io/blakeblackshear/frigate:stable

I am not able to figure out why it would work from cli but not when started as systemd service using quadlet. Any idea what I am missing?

Podman version is 4.9.3 on debian bookworm.

[asagent7]

If it helps, I was getting the same error on cli as well when I was trying to get it to work without quadlet, and I was able t fix it by adding my user to the render group.

[asagent7]

Rebooting did the trick. Since I had added user to the render group, systemd --user did not recognize that without a reboot.
containers/podman#22734 (comment)

[AlphaJack]

This is my working rootless podman setup for a Raspberry Pi 4:

• I just need to access WebUI
• I am not using motion detection, just recording 24/7

/boot/config.txt

enable_uart=1

# https://wiki.gentoo.org/wiki/Raspberry_Pi_VC4
dtoverlay=vc4-kms-v3d
gpu_mem=128

frigate.container

[Unit]
Description=Frigate

[Container]
ContainerName=frigate
Image=ghcr.io/blakeblackshear/frigate:stable
AutoUpdate=registry

Environment=FRIGATE_RTSP_PASSWORD=XXXXXX

ShmSize=256m
Notify=true

PublishPort=9094:5000

# share all devices
Volume=/dev/dri:/dev/dri
# external exFAT hard drive
Volume=/hdd/frigate:/media/frigate
# internal EXT4 hard drive
Volume=%h/containers/storage/frigate:/config
Volume=/etc/localtime:/etc/localtime:ro

[Service]
Restart=on-failure
TimeoutStartSec=0

[Install]
WantedBy=default.target

config.yml

mqtt:
  enabled: False

telemetry:
  version_check: False

ui:
  use_experimental: True

ffmpeg:
  hwaccel_args: preset-rpi-64-h264
  input_args: preset-rtsp-generic
  output_args:
    #record: preset-record-generic
    record: -f segment -segment_time 10 -segment_format mp4 -reset_timestamps 1 -strftime 1 -an -c:v copy

detectors:
  cpu1:
    type: cpu
    num_threads: 0

audio:
  enabled: False

detect:
  enabled: False

record:
  enabled: True
  retain:
    days: 30
    mode: all

snapshots:
  enabled: False
  retain:
    default: 30

birdseye:
  enabled: False
  restream: False

cameras:
  Entrance:
    enabled: True
    ffmpeg:
      inputs:
        - path: rtsp://192.168.1.1:554/stream0
          roles:
            - record
    record:
      enabled: True
    detect:
      enabled: False

  Box:
    enabled: True
    ffmpeg:
      inputs:
        - path: rtsp://192.168.1.2:554/channel1
          roles:
            - record
    record:
      enabled: True
    detect:
      enabled: False

  Gate:
    enabled: True
    ffmpeg:
      inputs:
        - path: rtsp://192.168.1.3:554/1
          roles:
            - record
        - path: rtsp://192.168.1.3:554/12
          roles:
            - detect
    record:
      enabled: True
    detect:
      enabled: False

  Backyard:
    enabled: True
    ffmpeg:
      inputs:
        - path: rtsp://192.168.1.4:554/1
          roles:
            - record
        - path: rtsp://192.168.1.4:554/12
          roles:
            - detect
    record:
      enabled: True
    detect:
      enabled: False