[Support] Linuxserver.io - Unifi



5 minutes ago, mifronte said:

 

Now that you have the UniFi Controller docker running on its own IP, can you ssh into the controller app?

 

Now that you mention it, I had never tried it.

 

SSH from the unRAID web terminal results in a "no route to host" error and PuTTY gets a "connection refused" error.

 

So, no, I cannot SSH into the controller app.  There is more tweaking to be done.


Can you try ssh to the ip from an external device (not unRAID terminal)?

 

I would like to see if it is possible to install your own SSL certificate and that requires ssh into the UniFi controller app as described here.

 

Edit:

Oops, I didn't see that you tried PuTTY. Did you try the controller ID and password or your unRAID ID and password?

3 minutes ago, mifronte said:

Can you try ssh to the ip from an external device (not unRAID terminal)?

 

I would like to see if it is possible to install your own SSL certificate and that requires ssh into the UniFi controller app as described here.

 

I tried PuTTY from both my laptop and desktop machines. Of course, they are on the same LAN and subnet as the unRAID/UniFi docker. Both failed.

 

If I turn off WiFi on my iPhone and try Cloud Access to the UniFi controller via the IP address assigned to the UniFi docker, it works. I know that is not an SSH test, but I was curious and it does work.

1 minute ago, Hoopster said:

 

I tried PuTTY from both my laptop and desktop machines. Of course, they are on the same LAN and subnet as the unRAID/UniFi docker. Both failed.

 

If I turn off WiFi on my iPhone and try Cloud Access to the UniFi controller via the IP address assigned to the UniFi docker, it works. I know that is not an SSH test, but I was curious and it does work.

 

With this docker, can you access /var/lib/unifi from the unRAID terminal?

17 minutes ago, mifronte said:

With this docker, can you access /var/lib/unifi from the unRAID terminal?

There is no /var/lib/unifi path.

 

I can get to /var/lib/docker/containers.

 

The folders under this path are long strings representing each docker container. One of those is the UniFi docker. I checked the advanced view in the UniFi docker edit page to see which string was the correct one and was able to access this folder. It is a very long string of letters and numbers. That was fun to type.

 

In this folder I see various .json files as well as .conf files, hosts and hostname, etc.  So, it is the UniFi docker folder.

 

 

5 minutes ago, Hoopster said:

There is no /var/lib/unifi path.

 

I can get to /var/lib/docker/containers.

 

The folders under this path are long strings representing each docker container. One of those is the UniFi docker. I checked the advanced view in the UniFi docker edit page to see which string was the correct one and was able to access this folder. It is a very long string of letters and numbers. That was fun to type.

 

In this folder I see various .json files as well as .conf files, hosts and hostname, etc.  So, it is the UniFi docker folder.

 

 

I believe /var/lib/unifi would map to /mnt/cache/appdata/unifi. Can you tell me the contents of /mnt/cache/appdata/unifi? I am curious as to what is stored in the docker image and what is stored in the /mnt/cache/appdata/unifi directory. To use my self-signed SSL certificate, I am hoping most needed files are in the cache location.

 

P.S. Can you also tell me how to install this docker app? It's been so long, I completely forgot how I installed my current UniFi docker.

2 minutes ago, mifronte said:

I believe /var/lib/unifi would map to /mnt/cache/appdata/unifi. Can you tell me the contents of /mnt/cache/appdata/unifi? I am curious as to what is stored in the docker image and what is stored in the /mnt/cache/appdata/unifi directory. To use my self-signed SSL certificate, I am hoping most needed files are in the cache location.

 

P.S. Can you also tell me how to install this docker app? It's been so long, I completely forgot how I installed my current UniFi docker.

/mnt/cache/appdata/unifi contains three folders: /data, /logs and /run.

 

/data would seem to be the most likely candidate for what you are looking for.

 

/mnt/cache/appdata/unifi and /var/lib/docker/containers/{gibberish} are not identical.

 

UniFi and other dockers and plugins are installed from the Apps (Community Applications) tab in the unRAID GUI. There may be more than one docker (as is the case with UniFi) for the same app, so pick the container you prefer. I usually stick with Linuxserver.io containers where possible. My UniFi docker is from LSIO.


This discussion thread explains why, after assigning an IP address to the UniFi docker, there is no communication between the host (unRAID) and the docker.  Apparently, it is a by-design security measure of the macvlan implementation.

 

There may be a way around it with VLANs and static routes defined in the UniFi controller.

8 hours ago, Hoopster said:

This discussion thread explains why, after assigning an IP address to the UniFi docker, there is no communication between the host (unRAID) and the docker.  Apparently, it is a by-design security measure of the macvlan implementation.

 

Does that cause any problems with the docker, or anything else for that matter?

2 hours ago, wayner said:

Does that cause any problems with the docker, or anything else for that matter?

 

Everything functions fine with the docker when it is assigned its own IP address. In my case some call traces are generated as a result. As a test, I removed the IP address assignment on the docker last night and the call traces went away. Previously, they were occurring every 4-5 hours. However, even with the call traces, everything system-wide seemed to function fine.

 

The only observable difference so far has been the inability to ssh into the controller via its assigned IP address.  I suspect proper VLAN and routing definition in the controller could resolve that if it was needed.   SSH into the USG, switches, APs still worked.

 

I will likely go back to the assigned IP address on the docker once I figure out the call traces. I don't know if others have seen this with IP addresses assigned to dockers, but I could see no negative side effects as a result. However, it does make me a bit nervous that they are occurring.


I don't know that I have had to SSH into the controller.  I had to use SSH to set up OpenVPN server as that wasn't available in the GUI when I set mine up a year or so ago and I don't know that it still is available, at least not for OpenVPN server.  But I am pretty sure that was done on my USG rather than the controller.  And I have had to SSH into my UAPs from time to time to get them set up and/or fix a stuck upgrade.

22 minutes ago, wayner said:

I don't know that I have had to SSH into the controller.  I had to use SSH to set up OpenVPN server as that wasn't available in the GUI when I set mine up a year or so ago and I don't know that it still is available, at least not for OpenVPN server.  But I am pretty sure that was done on my USG rather than the controller.  And I have had to SSH into my UAPs from time to time to get them set up and/or fix a stuck upgrade.

I started the ssh into the controller question because I wanted to try installing my own self-signed SSL certificate.

 

To clarify, since the UniFi controller is running in its own Docker container with its own IP address, it is kind of like a virtual host server.  So I would like to ssh into that UniFi controller docker container as if the controller was running on its own physical server.  I don't know too much about the underpinnings of Docker, but if I can get into the UniFi controller host, to try these steps: Installing SSL Certificate on UniFi Controller


I am thinking about switching from pducharme's UniFi container to linuxserver.io's container.  Going over the linuxserver.io's webpage, it specified a PGID and PUID.

 

Just what should be this value?  My current UniFi container does not require the PGID or PUID and looks like it runs as root.  Should I use the PGID and PUID for root or should I create an ID for the Docker UniFi container?

2 hours ago, wayner said:

What's the advantage of installing the cert?  You don't get the security warnings when going to the web UI?

That's correct. Since I use pfSense, I use the pfSense Cert Manager to maintain my own internal certificates. This way none of my internal HTTPS sites get the browser warning. For example, with unRAID 6.4, I created a self-signed certificate that the browser does not complain about, since I am my own certificate authority (CA) and have configured my desktops to trust my internal CA.


I was messing around with the Let's Encrypt certificates because the security warning was annoying me. Here is what I did in case someone else can use it.

 

Domain setup:

I added a "unifi" CNAME to my domain and added that to Let's Encrypt.

 

Pihole setup:

I use Pi-hole and configured it to return my unRAID IP when resolving my domain. In the Pi-hole appdata/dnsmasq.d directory, add a file called "03-lan.conf" containing

addn-hosts=/etc/pihole/lan.list

In the Pi-hole appdata lan.list, I added the unifi redirect:

192.168.1.11 mydomain.ca
192.168.1.12 unifi.mydomain.ca

where .11 is my unRAID box and .12 is my unifi container. I don't think you need a separate IP for unifi, but this is my setup.

 

Unifi container setup:

Set the WebUI url to https://unifi.mydomain.ca:[PORT:8443]

 

Certificate install:

I copy cert.pem and privkey.pem from the letsencrypt appdata/keys/letsencrypt directory to the unifi appdata directory.

 

Create a file, concat.pem, in the unifi appdata directory with the IdenTrust CA cert (https://www.identrust.com/certificates/trustid/root-download-x3.html) followed by chain.pem:

-----BEGIN CERTIFICATE-----
[IdenTrust root certificate body, omitted here]
-----END CERTIFICATE-----

(add the content of chain.pem here)

Then, inside the container (docker exec -it unifi bash), I generate the certificate:

openssl pkcs12 -export -passout pass:aircontrolenterprise \
-in /config/cert.pem \
-inkey /config/privkey.pem \
-out /config/certificate.pem -name unifi \
-CAfile /config/concat.pem -caname root

Delete the old key and insert the new one:

keytool -delete -alias unifi -keystore /usr/lib/unifi/data/keystore -deststorepass aircontrolenterprise

keytool -trustcacerts -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise \
-destkeystore /usr/lib/unifi/data/keystore \
-srckeystore /config/certificate.pem -srcstoretype PKCS12 \
-srcstorepass aircontrolenterprise \
-alias unifi

 

Of course that's ugly, and I need to redo it every 3 months, so I'll need to script it eventually, but it's a working hack for now.

 

There must be a way to do this with "java -jar /usr/lib/unifi/lib/ace.jar import_cert" and I thought I had the right mix a few times but this works so I'm leaving it alone.

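The post above is a manual openssl + keytool sequence that has to be repeated at every Let's Encrypt renewal. The following is an added example, not code from the thread or from linuxserver.io, that wraps the same two steps in functions so they can be re-run from cron or a renewal hook inside the container (docker exec -it unifi bash). The paths, the keystore alias "unifi" and the default keystore password "aircontrolenterprise" are taken from the post; /config/chain.pem (the Let's Encrypt intermediate file) as the chain input is an assumption. One check the manual steps lack is added: the script refuses to build a bundle whose private key does not belong to the certificate, because keytool imports such a mismatch without complaint and the controller then fails every TLS handshake.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or linuxserver.io): scripted version of
# the openssl + keytool steps for loading a certificate into the UniFi
# controller keystore. Run inside the container. All paths, the alias "unifi"
# and the password "aircontrolenterprise" are assumptions taken from the
# post above; check them against your own container before use.
set -euo pipefail

# SHA-256 of the DER-encoded public key inside a certificate. Comparing
# public keys (rather than RSA moduli) works for both RSA and EC keys.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key file.
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Build the PKCS#12 bundle that keytool will import.
# args: cert key chain output password
# -certfile embeds every certificate in the chain file as-is, so no root
# certificate has to be concatenated and openssl does not try to verify the
# chain first (unlike -CAfile, which is only consulted together with -chain).
build_pkcs12() {
  local cert=$1 key=$2 chain=$3 out=$4 pass=$5
  if [ "$(cert_pubkey_hash "$cert")" != "$(key_pubkey_hash "$key")" ]; then
    echo "refusing to bundle: $key is not the private key for $cert" >&2
    return 1
  fi
  openssl pkcs12 -export -passout "pass:$pass" \
    -in "$cert" -inkey "$key" -certfile "$chain" \
    -name unifi -out "$out"
}

# Replace the "unifi" entry in the controller keystore with the bundle.
# A missing alias on first run is tolerated; the import itself must succeed,
# and the final -list confirms the new entry is present before we return.
# args: p12 keystore password
import_keystore() {
  local p12=$1 store=$2 pass=$3
  keytool -delete -alias unifi -keystore "$store" -storepass "$pass" \
    >/dev/null 2>&1 || true
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -srcalias unifi -destalias unifi \
    -destkeystore "$store" -deststorepass "$pass" -destkeypass "$pass"
  keytool -list -keystore "$store" -storepass "$pass" -alias unifi >/dev/null
}

# Entry point, only when invoked as "script.sh run", so the functions above
# can also be sourced from another script.
if [ "${1:-}" = "run" ]; then
  build_pkcs12 /config/cert.pem /config/privkey.pem /config/chain.pem \
    /config/certificate.p12 aircontrolenterprise
  import_keystore /config/certificate.p12 /usr/lib/unifi/data/keystore \
    aircontrolenterprise
fi
```

The controller only reads the keystore at startup, so restart the container after the import. Keep the keystore backed up before the first run: keytool -delete is destructive and the controller's own self-signed entry is what you fall back to if the import goes wrong.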

Anyone running this docker app in its own VLAN with a static assigned IP?

 

I just installed this UniFi docker app in its own VLAN with a static assigned IP. Everything works with the exception that this UniFi docker app is unable to resolve FQDN hosts. For example, the Mail Server configuration cannot send SMTP mail if I use an FQDN for the SMTP server. However, if I use an IP address, then it can send mail. The log says unknown host for the FQDN. Also, Cloud Access cannot be enabled because it uses an FQDN to get to the Ubiquiti Cloud Services. I have a feeling that DNS is not properly being set up for the container in the VLAN configuration. I just don't know if this is an unRAID or container issue.

 

@Gog I will have to try your suggestion to get my self-signed cert into the UniFi docker. Is the "\" part of the command?

 

Update:

The DNS issue with resolving FQDNs in the container is related to Docker using the same DNS across all interfaces. This would be a problem if you are using a local DNS and have Docker running in a VLAN configured with the unRAID GUI. Docker will use the DNS of the host, which is on a different interface than the VLAN and thereby not reachable by the container. For now, I just supplied the --dns option to the container with the correct local DNS for the VLAN interface that Docker is using.


@Gog I followed similar instructions found here to import my self-signed SSL certificate and it worked! I did not run the script, but just followed a couple of commands from the script that are similar to your instructions. It looks like, if you are self-signed, it is best to use your server.key, server.crt and internal-CA.crt to generate the PKCS12 certificate.

 

At first I tried the "java -jar lib/ace.jar import_cert" method with my concatenated crt and key in a pem file, but I ended up getting an SSL error of invalid response (ERR_SSL_PROTOCOL_ERROR) although the import was successful. It turned out the UniFi Controller is very picky and you may have to go through the entire ugly keytool sequence.


Hi @mifronte

 

Good of you to load your self-signed certificate. That is a perfectly good way of doing it. My way is a bit more complicated because the letsencrypt install is not in the same container and I'm not interested in installing it in the unifi container.

 

FYI, the \ is part of the command; it allows you to write a one-liner command on multiple lines.

 

As for the FQDN issue, I can't say I tried configuring that in unifi. I'd start by bashing into the container to ping the FQDN and check the DNS settings.

On 1/29/2018 at 4:04 PM, wayner said:

Thanks @Gog.  Can/should you omit any steps if you don't care about accessing your Unifi system over the internet?  I generally use the Unifi app on my phone/pad for that.  I just want to get rid of the annoying message.

 

My unifi setup is not accessible over the internet; I am also doing that just to get rid of the annoying message. That being said, I probably used the most complex way of doing it :)

 

@mifronte above suggested a link that explains how to import a certificate in unifi. The link also has instructions on how to get a free SSL certificate that lasts a year. You might want to go this way if you are not already using letsencrypt or don't want to deal with my convoluted method.


Hi, I have a couple of questions:

1. Is there a way to install the beta release of the controller firmware?

2. Where would I place my own config.gateway.json file? I noticed that the /mnt/user/appdata/unifi directory has 3 empty directories (data, logs, run). I know that the config.gateway.json file should go in /data/sites/the_site according to this: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-with-config-gateway-json but, as said before, the data dir is empty.

 

Thanks!

17 minutes ago, RevelRob said:

1. Is there a way to install the beta release of the controller firmware?

 

There is another UniFi docker by a different author that will let you run beta versions of the controller. LSIO have stated their intention to support only official controller releases in their docker.

1 hour ago, Hoopster said:

 

There is another UniFi docker by a different author that will let you run beta versions of the controller. LSIO have stated their intention to support only official controller releases in their docker.

OK, thank you for that. Would you know about question 2?

  • trurl locked this topic
This topic is now closed to further replies.