Unifi-Controller

To manage Ubiquiti UniFi Wifi- and Networking devices you can deploy your own Network Management Controller.

There is a readily available docker image (https://hub.docker.com/r/jacobalberty/unifi/) containing both the UniFi Software and MongoDB Database running as non-root.

To deploy this with a proper SSL certificate follow these easy steps:

  1. Log in to https://console.appuio.ch/ and choose your project you want to deploy your controller in
  2. Choose “Add to project” at the top-right and “Deploy Image” in the menu
../_images/unifi1.png
  1. Enter “jacobalberty/unifi:latest” in the Image Name and click the magnifying glass button on the right
../_images/unifi2.png

  1. You can customize the Name if you want to, I’ll use the default “unifi” name

  2. Set the following environment variables:

    BIND_PRIV=false
RUNAS_UID0=false
JVM_MAX_THREAD_STACK_SIZE=1280k
TZ=Europe/Zurich (or whatever your timezone is)
../_images/unifi3.png
  1. Click “Deploy” and then “Close”
  2. Open the newly created Deployment Configuration, e.g. via Applications -> Deployments -> unifi -> Configuration
  3. Choose “Actions” -> “Pause Rollouts”
../_images/unifi4.png
  1. Choose “Actions” -> “Edit”
../_images/unifi5.png
  1. Set the deployment strategy type to “Recreate”, acknowledge the popup and Save at the bottom
../_images/unifi6.png ../_images/unifi7.png
  1. back in the Configuration Tab: delete the “unifi-1” storage volume
../_images/unifi8.png
  1. Choose “Actions” -> “Add storage”
  2. If you already have a persistent volume created for the unifi controller choose it here, or click “create storage” to create a new one
../_images/unifi9.png
  1. I chose the name “unifi” and size “10” GB, continue with “Create”
../_images/unifi10.png
  1. back in the volume dialog: set mount path “/unifi” and volume name “unifi-1”, then “Add”
../_images/unifi11.png
  1. Choose “Actions” -> “Edit Resource Limits”
  2. Set CPU Request: 100, Limit: 500 and RAM Requiest: 200, Limit: 500
../_images/unifi12.png
  1. Choose “Actions” -> “Edit Health Checks”
  2. Add both readiness and liveness probes with Type: HTTP, Use HTTPS, Port 8443, Initial Delay 30s
../_images/unifi13.png
  1. Resume rollouts
../_images/unifi14.png
  1. Wait until the deployment rollout is done
../_images/unifi15.png
  1. the controller will have created a new, self-signed SSL-certificate on first start. We have to get this certificate to trust it. I used the CLI-Tools for this: copy login command on the top-right
../_images/unifi16.png
  1. paste the login command into a Terminal window, then oc get pods -l app=unifi to get the pod name and oc port-forward unifi-2-4jm9g 8443:8443 (substituting your pod name in the command) to open a connection from your computer to the running unifi controller instance
../_images/unifi17.png
  1. open another Terminal window and enter openssl s_client -connect 127.0.0.1:8443 to connect to the pod and output the SSL-certificate. Copy the certificate (all the lines from “—–BEGIN CERTIFICATE” up to and includiniig “—–END CERTIFICATE—–”) from the output

Sometimes the self-signed certificate of the controller changes, e.g. after a major version update. Then the controller will be “the application in unavailable” and you need to get the new certificate and update the Route configuration.

../_images/unifi18.png
  1. Open “Applications” -> “Routes” and “Create Route” from the top-left.
  2. I named the new route “unifi”, entered the hostname my controller should be reachable at in the end (“arskacontroller.appuioapp.ch”), selected the Service “unifi”, Port 8443, Enable Security, TLS-Termination “Re-encrypt”, Insecure “Redirect” and paste the copied certificate from above in the “Destination CA Certificate” field. Then click “Create”.
../_images/unifi19.png
  1. The access-points I bought were running firmware 3.7.58.6385. To connect (“adopt” or “inform”) these to the controller another route without SSL is needed: “Create route”, Name “unifi-inform”, Hostname “arskainform.appuioapp.ch”, Service “unifi”, Port “8080”. For access-points with firmware >4 this is not necessary.
../_images/unifi20.png
  1. we can connect to the controller to do the setup wizard using the first route created, https://arskacontroller.appuioapp.ch in my case
  2. To connect a access-point with firmware version 3.x/4.x: ssh ubnt@ip-address-of-ap, password ubnt, set-inform http://arskainform.appuioapp.ch/inform
  3. To connect a access-point with firmware version 4.x: ssh ubnt@ip-address-of-ap, password ubnt, set-inform https://arskacontroller.appuioapp.ch/inform
  4. in both cases the access-point appears as “pending adoption” in the devices tab on the controller. Click “adopt and upgrade”.
../_images/unifi21.png
  1. to finish the process issue the set-inform command above again. After a few seconds the status on the controller should change to “Upgrading”. If not issue the set-inform command again, I used 1-3 times per access-point.
../_images/unifi22.png
  1. after upgrading and rebooting the access-point should be “connected”
../_images/unifi23.png

  1. To enable auto-updating the controller software enter on the CLI where you did oc login:

    oc tag --source=docker jacobalberty/unifi:stable aarno-srf2spotify/unifi:latest --scheduled