

Controller

Docker

  • Works correctly only with host-type networking, i.e. no network separation between the controller and the host

In unprivileged LXC

Preparation

https://wiki.debian.org/LXC

apt-get install lxc

Create user:

sudo useradd -s /bin/bash -c 'Unifi lxc user' -m unifi
sudo passwd unifi

Find the subuid and subgid ranges assigned to the created user:

sudo grep unifi /etc/sub{gid,uid}
/etc/subgid:unifi:1738400:65536
/etc/subuid:unifi:1738400:65536

Allow the new user to create network interfaces (user, interface type, bridge, quota):

/etc/lxc/lxc-usernet
unifi veth br-lan 10

man 5 lxc-usernet

Now log in as the new user (using ssh or su) and create the default lxc configuration in the user's home directory:

mkdir -p ~/.config/lxc
cp /etc/lxc/default.conf ~/.config/lxc/default.conf

Edit the file below and insert the subuid and subgid values found above:

~/.config/lxc/default.conf
lxc.include = /etc/lxc/default.conf

lxc.idmap = u 0 1738400 65536
lxc.idmap = g 0 1738400 65536

# "Secure" mounting
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed

lxc.net.0.type = veth
lxc.net.0.link = br-lan
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:FF:xx:xx:xx:xx

# Disable AppArmor confinement for containers started by non-root
# See https://discuss.linuxcontainers.org/t/unprivileged-container-wont-start-cgroups-sysvinit/6766 and
# https://discuss.linuxcontainers.org/t/cannot-use-generated-profile-apparmor-parser-not-available/4449

lxc.apparmor.profile = unconfined
# Unprivileged containers started by ROOT can use lxc.apparmor.profile = generated

For an unprivileged user the system paths map to the user's home directory:

/var/lib/lxc/ = ~/.local/share/lxc
/var/cache/lxc = ~/.cache/lxc
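The idmap lines in default.conf, the /etc/subuid and /etc/subgid entries and the lxc-usernet quota from the steps above must agree, and a mismatch only surfaces later as one of the opaque start failures listed under Issues. The script below is an added example, not from this page, that cross-checks them before lxc-create; file paths are arguments so it runs here against constructed copies of the files.

```shell
#!/bin/sh
# Added example, not from the wiki page: cross-check an unprivileged user's
# ~/.config/lxc/default.conf against /etc/subuid, /etc/subgid and
# /etc/lxc/lxc-usernet before running lxc-create. File paths are parameters
# so the checks can run against constructed copies (see the demo at the end).

# subid_range FILE USER -> "start count" of USER's first entry in FILE
subid_range() { awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"; }

# idmap_range CONF KIND -> "start count" from "lxc.idmap = KIND 0 start count"
idmap_range() {
  awk -v k="$2" '$1 == "lxc.idmap" && $3 == k && $4 == "0" { print $5, $6; exit }' "$1"
}

# bridge_quota USERNET USER BRIDGE -> veth quota granted to USER on BRIDGE, or ""
bridge_quota() {
  awk -v u="$2" -v b="$3" '$1 == u && $2 == "veth" && $3 == b { print $4; exit }' "$1"
}

# check_lxc_user CONF SUBUID SUBGID USERNET USER -> 0 if consistent, 1 otherwise
check_lxc_user() {
  conf=$1 subuid=$2 subgid=$3 usernet=$4 user=$5 rc=0
  for kind in u g; do
    if [ "$kind" = u ]; then file=$subuid; else file=$subgid; fi
    have=$(subid_range "$file" "$user"); want=$(idmap_range "$conf" "$kind")
    if [ -z "$have" ]; then echo "no entry for $user in $file"; rc=1
    elif [ "$have" != "$want" ]; then
      echo "lxc.idmap $kind: conf says '$want', $file says '$have'"; rc=1
    fi
  done
  link=$(awk '$1 == "lxc.net.0.link" { print $3; exit }' "$conf")
  quota=$(bridge_quota "$usernet" "$user" "$link")
  if [ -z "$quota" ] || [ "$quota" -lt 1 ]; then
    echo "$user may not attach veth to '$link' (see man 5 lxc-usernet)"; rc=1
  fi
  return $rc
}

# Demo with constructed files mirroring the values used on this page.
d=$(mktemp -d)
printf 'unifi:1738400:65536\n' > "$d/subuid"; cp "$d/subuid" "$d/subgid"
printf 'unifi veth br-lan 10\n' > "$d/usernet"
printf 'lxc.idmap = u 0 1738400 65536\nlxc.idmap = g 0 1738400 65536\nlxc.net.0.link = br-lan\n' > "$d/good.conf"
sed 's/1738400/1000000/' "$d/good.conf" > "$d/bad.conf"   # stale subuid base
check_lxc_user "$d/good.conf" "$d/subuid" "$d/subgid" "$d/usernet" unifi && echo "good.conf: OK"
check_lxc_user "$d/bad.conf" "$d/subuid" "$d/subgid" "$d/usernet" unifi || echo "bad.conf: FAIL (as expected)"
rm -rf "$d"
```

On a real host run it as the container user with /etc/subuid, /etc/subgid, /etc/lxc/lxc-usernet and ~/.config/lxc/default.conf as the arguments.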

Create container:

lxc-create -t download -n unifi
  • Distribution: debian
  • Release: stretch
  • Architecture: amd64
lxc-start -n unifi
lxc-ls -f
NAME  STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED 
unifi RUNNING 0         -      -    -    true         
cat .ssh/authorized_keys | lxc-attach -n unifi -- /bin/sh -c 'cd /root && mkdir -p .ssh && cat > .ssh/authorized_keys'
lxc-attach -n unifi
passwd
...
<CTRL+D>
lxc-console -n unifi
apt-get install openssh-server gnupg2 sudo ca-certificates apt-transport-https wget
<CTRL+D>

Add autostarting:

~/.local/share/lxc/unifi/config
lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 100
lxc.group = onboot

Edit cron with crontab -e and add:

@reboot /usr/bin/lxc-autostart --all

Issues

lxc-start: unifi: tools/lxc_start.c: main: 329 The container failed to start

lxc-start -n unifi -l DEBUG -o debug.log
cat debug.log
 
...
lxc-start unifi 20200720135645.187 ERROR    start - start.c:print_top_failing_dir:120 - Permission denied - Could not access /home/unifi/.local. Please grant it x access, or add an ACL for the container root
...
 
sudo setfacl -m u:1738400:x . .local .local/share

Error: lxc-create: unifi: confile.c: set_config_net: 261 lxc.net must not have a value

LXC 3 uses different config keys. The easiest way is to convert the config file:

lxc-update-config -c default.conf

lxc-create: unifi: conf.c: chown_mapped_root: 3206 lxc-usernsexec failed: No such file or directory - Failed to open tt

sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0
 
echo "kernel.unprivileged_userns_clone=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Install MongoDB < 4.0.0

https://docs.mongodb.com/v3.6/tutorial/install-mongodb-on-debian/

sudo apt install gnupg2
wget -qO - https://www.mongodb.org/static/pgp/server-3.6.asc | sudo apt-key add -
echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
sudo apt-get update
sudo apt install mongodb-org
sudo systemctl start mongod

Installing Unifi controller

Inside container:

sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https wget
echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
sudo apt update
sudo apt install unifi

Access running controller on: https://<IP>:8443/

Unifi controller log location:

  • /usr/lib/unifi/logs/server.log
  • /usr/lib/unifi/logs/mongod.log

Configure mail agent

sudo apt-get install msmtp-mta

See how to configure: MSMTP

Adding own CA cert to controller

To send e-mails to an own SMTP server with a self-signed cert, it is enough to add the cert to the Debian certificate store and restart the Unifi controller.

To add certificate directly to JVM store:

Digital Certificate: How to import .cer file in to .truststore file using

sudo cp cacert.crt /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security
cd /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security
sudo keytool -v -import -file cacert.crt -alias my_own_ca -keystore cacerts -storepass changeit
sudo /etc/init.d/unifi restart