Differences

This shows you the differences between two versions of the page.

ubiquiti:controller [2020/07/20 16:33] niziak ubiquiti:controller [2021/03/20 21:41] (current) niziak
Line 4: Line 4:
   * Works correctly only with host type networking = no network separation   * Works correctly only with host type networking = no network separation
  
-===== In unprivileged LXC ===== 
  
-==== Preparation ==== 
  
-[[https://wiki.debian.org/LXC]]+==== Install MongoDB < 4.0.0 ==== 
 +[[https://docs.mongodb.com/v3.6/tutorial/install-mongodb-on-debian/]]
  
 <code bash> <code bash>
-apt-get install lxc+apt install gnupg2 
 +wget -qO - https://www.mongodb.org/static/pgp/server-3.6.asc | sudo apt-key add - 
 +echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list 
 +apt-get update 
 +sudo apt install mongodb-org 
 +sudo systemctl start mongod
 </code> </code>
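Review bot: In the added MongoDB block, `wget ... | sudo apt-key add -` puts the MongoDB 3.6 key into apt's global keyring, so it is trusted for every configured source, and the `deb http://repo.mongodb.org/...` entry fetches the repository over plain HTTP. Suggest saving the key to its own keyring file and referencing it from the source entry with `[signed-by=...]`, and using `https://` for the repository URL. The new heading pins MongoDB to `< 4.0.0` and the source line targets `stretch`, where the removed text said "For Debian Buster"; a sentence stating why is missing. `apt install gnupg2` and `apt-get update` are also the only commands in the block without `sudo`.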
  
-Create user: +==== Installing Unifi controller ====
-<code bash>sudo useradd -s /bin/bash -c 'Unifi lxc user' -m unifi</code> +
-<code bash>sudo passwd unifi</code>+
  
-Find subuids and subgids for created user +Inside container:
-<code bash>sudo grep unifi /etc/sub{gid,uid}</code> +
-<code> +
-/etc/subgid:unifi:1738400:65536 +
-/etc/subuid:unifi:1738400:65536 +
-</code> +
- +
-Allow new user create network interfaces: +
-<file | /etc/lxc/lxc-usernet> +
-lxcgitlab veth br-lan 10 +
-</file> +
-[[https://linuxcontainers.org/lxc/manpages/man5/lxc-usernet.5.html|man 5 lxc-usernet]] +
- +
-Now login as new user (using ssh or su). +
-Create default lxc configureation in user directory:+
 <code bash> <code bash>
-mkdir -p ~/.config/lxc +sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https wget 
-cp /etc/lxc/default.conf ~/.config/lxc/default.conf +echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list 
-</code>+sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg  
 +sudo apt update 
 +sudo apt install unifi
  
-Edit file below and put subuid and subgid: 
-<file | ~/.config/lxc/default.conf> 
-lxc.include = /etc/lxc/default.conf 
- 
-lxc.idmap = u 0 1738400 65536 
-lxc.idmap = g 0 1738400 65536 
- 
-# "Secure" mounting 
-lxc.mount.auto = proc:mixed sys:ro cgroup:mixed 
- 
-lxc.net.0.type = veth 
-lxc.net.0.link = br-lan 
-lxc.net.0.flags = up 
-lxc.net.0.hwaddr = 00:FF:xx:xx:xx:xx 
- 
-# Disable AppArmor confinement for containers started by non-root 
-# See https://discuss.linuxcontainers.org/t/unprivileged-container-wont-start-cgroups-sysvinit/6766 and 
-# https://discuss.linuxcontainers.org/t/cannot-use-generated-profile-apparmor-parser-not-available/4449 
- 
-lxc.apparmor.profile = unconfined 
-# Unprivileged containers started by ROOT can use lxc.apparmor.profile = generated 
- 
-/var/lib/lxc/ = ~/.local/share/lxc 
-/var/cache/lxc = ~/.cache/lxc 
-</file> 
- 
-Create container: 
-<code bash>lxc-create -t download -n unifi</code> 
-  * Distribution: ''Debian'' 
-  * Release: ''buster'' 
-  * Architecture: ''amd64'' 
- 
-<code bash> 
-lxc-start -n unifi 
-lxc-ls -f 
-NAME  STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED  
-unifi RUNNING 0              -    -    true          
 </code> </code>
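Review bot: The retained "Inside container:" lead-in no longer has a referent, because this revision deletes the whole "In unprivileged LXC" section (user creation, idmap, `lxc-create`) without a replacement. Either drop the lead-in or state in one line which container setup is assumed. In the block itself, `unifi-repo.gpg` is written to `/etc/apt/trusted.gpg.d/`, which makes that key valid for all apt sources; a dedicated keyring path with `signed-by` on the `100-ubnt-unifi.list` entry would scope it to the Ubiquiti repository.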
 +Access running controller on: [[https://<IP>:8443/]]
  
-<code bash> +Unifi controller log location
-lxc-attach -n unifi +  * ''/usr/lib/unifi/logs/server.log'' 
- +  * ''/usr/lib/unifi/logs/mongod.log''
-apt install openssh-server +
-<CTRL+D> +
-</code> +
- +
-Add autostarting+
-<file ini ~/.local/share/lxc/unifi/config> +
-    lxc.start.auto = 1 +
-    lxc.start.delay = 5 +
-    lxc.start.order = 100 +
-    lxc.group = onboot +
-</code> +
- +
- +
-Edit cron <code bash>crontab -e</code> +
-<file> +
-@reboot lxc-autostart +
-</file> +
- +
- +
- +
-=== Issues === +
- +
-=== lxc-start: unifi: tools/lxc_start.c: main: 329 The container failed to start ===+
  
 +==== Configure mail agent ====
 <code bash> <code bash>
-lxc-start -n unifi -l DEBUG -o debug.log +sudo apt-get install msmtp-mta
-cat debug.log +
- +
-... +
-lxc-start unifi 20200720135645.187 ERROR    start - start.c:print_top_failing_dir:120 - Permission denied - Could not access /home/unifi/.local. Please grant it x access, or add an ACL for the container root +
-... +
- +
-sudo setfacl -m u:1738400:x . .local .local/share+
 </code> </code>
  
 +See how to configure: [[linux:mail:msmtp]]
  
-=== Error: lxc-create: unifi: confile.c: set_config_net: 261 lxc.net must not have a value ===+=== adding own CA cert to controller === 
 +To send e-mails to own SMTP server with self-signed cert. 
 +It is enough to add cert to Debian certifcate store and restart unifi controller.
  
-LXC3 is using different config keys. Easiest way is to convert config file: 
-<code bash>lxc-update-config -c default.conf</code> 
  
-=== lxc-createunifi: conf.c: chown_mapped_root: 3206 lxc-usernsexec failed: No such file or directory - Failed to open tt === +To add certificate directly to JVM store:
-<code bash> +
-sysctl kernel.unprivileged_userns_clone +
-kernel.unprivileged_userns_clone = 0 +
- +
-sudo echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf +
-sysctl -p +
-</code>+
  
-==== Install MongoDB ==== +[[https://stackoverflow.com/questions/373295/digital-certificate-how-to-import-cer-file-in-to-truststore-file-using|Digital Certificate: How to import .cer file in to .truststore file using]]
-[[https://docs.mongodb.com/v3.0/tutorial/install-mongodb-on-debian/]]+
  
-For Debian Buster: 
 <code bash> <code bash>
-apt install gnupg +sudo cp cacert.crt /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security 
-wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo apt-key add - +cd /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security 
-echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.2.list +keytool -v -import -file cacert.crt -alias my_own_ca -keystore cacerts -storepass changeit
-apt update +
-sudo apt install mongodb-org+
 </code> </code>
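Review bot: The `keytool -v -import` line adds the CA to the JRE-wide `cacerts` store, so every Java program running on `java-8-openjdk-amd64` will trust `my_own_ca`, yet the added paragraph above says that adding the certificate to the Debian store and restarting the controller is enough. Suggest stating when the direct JVM import is actually needed, and noting the certificate fingerprint to compare against what keytool displays before accepting the trust prompt. The preceding `cp cacert.crt` into `jre/lib/security` looks unnecessary, since `-file` can point at the certificate wherever it is stored. Minor: "certifcate" in the added paragraph is misspelled, and the restart that follows uses `/etc/init.d/unifi restart` while the MongoDB block uses `systemctl`.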
  
-DRAFT: +<code>/etc/init.d/unifi restart</code>
-<code bash> +
-apt install gnupg +
-wget -qO - https://www.mongodb.org/static/pgp/server-3.0.asc | sudo apt-key add - +
-echo "deb http://repo.mongodb.org/apt/debian wheezy/mongodb-org/3.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.0.list +
-sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9ECBEC467F0CEB10 +
-sudo apt update +
-sudo apt install mongodb-org +
-</code>+
  
-==== Installing Unifi controller ==== 
- 
-Inside container: 
-<code bash> 
-sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https wget 
-echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list 
-sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg  
-sudo apt update 
-sudo apt install unifi 
- 
-</code>