Now hosted on kubernetes
Yeah, it used to be a Docker container on illustrious; now it's deployed on the persica cluster instead. In the process I upgraded from v7.4.162 to v8.2.93 using the LinuxServer.io containers.
It works well, and thanks to MetalLB all the traffic for the dozen or so ports the controller wants is forwarded to the node running the workload.
Via: https://hub.docker.com/r/linuxserver/unifi-network-application
Deployment notes
This new version uses an external MongoDB instance, so you have to run that yourself. I just made it another pod in the unifi namespace. Only the controller needs to reach it, so give it a plain ClusterIP Service rather than a MetalLB address.
- Dump a backup of the old config from the old instance, I was able to grab 60 days of history (it'd just hang if I asked for more).
- Start the new controller and import that backup dump from the landing page. Give it 5-10min then it'll be up and running.
- Unifi controller is now running on a new (MetalLB) IP address, so update the DNS entry for unifi.thighhighs.top to point to that, and wait about 5min for it to propagate.
- All the APs and switches should now be talking to the new controller.
And that's about it! Remarkably easy.
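The Service side of the deployment above, as an added example rather than anything from this page or the LinuxServer.io project: the manifest is emitted by a shell function so a small policy check can run over it before `kubectl apply`, refusing to apply if anything other than the controller is exposed through MetalLB. The namespace, the pod labels and the MetalLB plus external MongoDB arrangement come from the page; the MongoDB pod label `app=unifi-mongo`, the port list (the standard UniFi web, inform, guest portal, speed test, STUN and discovery ports) and `externalTrafficPolicy: Local` are my choices. Mixed TCP and UDP ports on one LoadBalancer Service need Kubernetes 1.26 or newer; on older clusters split it into two Services sharing the address via MetalLB's `metallb.universe.tf/allow-shared-ip` annotation.

```shell
#!/bin/bash
# Added example, not the page's own manifest. Names from the page: namespace
# "unifi", controller pod labels app=unifi-network-application,tier=web.
# Assumed: the MongoDB pod is labelled app=unifi-mongo.
set -eu

# Emit the two Services: the controller behind a MetalLB address, MongoDB
# reachable only inside the cluster.
unifi_services_manifest() {
cat <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: unifi
  namespace: unifi
spec:
  type: LoadBalancer            # MetalLB hands out the IP that unifi.thighhighs.top points at
  externalTrafficPolicy: Local  # traffic lands on the node running the pod; devices keep their real source IPs
  selector:
    app: unifi-network-application
    tier: web
  ports:
    - {name: https,       port: 8443,  protocol: TCP}  # web UI / API
    - {name: inform,      port: 8080,  protocol: TCP}  # device inform
    - {name: guest-https, port: 8843,  protocol: TCP}  # guest portal
    - {name: guest-http,  port: 8880,  protocol: TCP}  # guest portal redirect
    - {name: speedtest,   port: 6789,  protocol: TCP}  # mobile speed test
    - {name: stun,        port: 3478,  protocol: UDP}  # STUN
    - {name: discovery,   port: 10001, protocol: UDP}  # device discovery
---
apiVersion: v1
kind: Service
metadata:
  name: mongo
  namespace: unifi
spec:
  type: ClusterIP   # never LoadBalancer: the controller is its only client
  selector:
    app: unifi-mongo
  ports:
    - {name: mongo, port: 27017, protocol: TCP}
EOF
}

# Guardrail: only the Service named "unifi" may be type LoadBalancer.
# Returns 0 when the manifest passes, 1 when some other Service is exposed.
check_manifest() {
    local bad
    bad=$(printf '%s\n' "$1" | awk '
        /^---/                                { name=""; type="" }
        /^  name: /                           { if (name=="") name=$2 }
        /^  type: /                           { type=$2 }
        type=="LoadBalancer" && name!="unifi" { print name; type="" }
    ')
    [ -z "$bad" ]
}

if [ "${1:-}" = "apply" ]; then
    m=$(unifi_services_manifest)
    check_manifest "$m" || { echo "refusing to apply: a non-controller Service is type LoadBalancer" >&2; exit 1; }
    printf '%s\n' "$m" | kubectl apply -f -
fi
```

Run it as `./unifi-services.sh apply`; with no argument it only defines the functions. The check is deliberately dumb (two-space `name:` and `type:` keys), which is enough for a manifest you wrote yourself and keeps the guardrail free of extra tooling.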
TLS cert for unifi
This is one thing we need to do again. By default the controller generates its own self-signed cert, and we want to use a real one. Because this is a Java app, it does everything itself and stores the key and cert in a Java keystore, so we have to deal with that pain in the arse.
Faff with the keystore so you can jam in your publicly signed cert. This is a script that I found and adapted.
The process goes something like this:
- Convert your normal PEM-format cert into a PKCS12 container (a .p12 bundles the private key and the cert chain in a form keytool can import). I don't understand all this but it works. You do this outside the container, on your workstation or whatever.
- Copy the resultant .p12 file into the pod. It doesn't have to stay there, but we'll leave it on the persistent volume that the Unifi controller uses. Note that it contains the private key protected only by a trivial password, same as the keystore itself, so the volume's access controls are what protect it.
- Using the magic Java tools, import the p12 cert into the keystore.
- Restart the Unifi controller so it picks up the new cert.
This has been adapted from a previous local docker setup, but it should work fine in k8s.
Convert the cert from PEM to p12
This assumes you're keeping the cert in /etc/ssl/ or similar; we'll put the p12 in there as well.
{{{
#!/bin/bash
# Hacked together by Barney Desmond on 2022-11-03
# Updated again on 2024-06-29
#
# Convert cert to PKCS12 format
# Ignore warnings
# Turns out we need to enable legacy mode, because Unifi's keytool can't read
# the new OpenSSL 3.0.2 encryption.
# https://community.ui.com/questions/New-Openssl-v3-may-break-your-controller-network-application-keystore/2e4133d9-d6dd-4a22-acfe-e5d671ffaee4
#
# The .crt must contain the full chain (leaf first, then intermediates) or
# clients will see an incomplete chain; if yours is leaf-only, append the
# intermediates to it or pass them with -certfile.
# The .p12 holds the private key, protected only by the password "unifi",
# so treat the file like the key itself.
openssl pkcs12 -export -legacy \
    -inkey /etc/ssl/STAR_thighhighs_top.key \
    -in /etc/ssl/STAR_thighhighs_top.crt \
    -out /etc/ssl/STAR_thighhighs_top.p12 \
    -name unifi -password pass:unifi

cat <<EOF
Now go copy the p12 file into the Unifi controller container/PVC.
Then we'll import the cert into the keystore, from inside the running container.
EOF
}}}
Copy the p12 cert into the k8s pod
I'm sure there's sensible ways to do this (`kubectl cp` is the obvious one); I personally think it's just easiest to copypasta the thing in via base64.
{{{
base64 STAR_thighhighs_top.p12

# get a shell into the container
kubectl -n unifi exec deployment.apps/network -it -- /bin/bash

# you'll be dropped in /usr/lib/unifi but your persistent volume is mapped to /config
# `data` is a symlink to /config/data so we can cd to that
cd /config/data/

# pump the cert into a file
cat <<EOF | base64 -d > STAR_thighhighs_top.p12
... paste the base64 encoded .p12 cert here ...
EOF
}}}
Your cert is now sitting in the pod at /config/data/STAR_thighhighs_top.p12
Import the p12 cert into the Java keystore
Create this script inside the same directory and `chmod +x` it. You only need to do this once, as it'll stick around for future certificate renewals. You can pipe it into a file with the shell, or install an editor with `apt update ; apt install -y vim-tiny`.
{{{
#!/bin/bash
# This is unifi-import-cert.sh
# From https://util.wifi.gl/unifi-import-cert.sh which is now dead
# Modified by Barney Desmond on 2021-04-20 to just use a normal static paid-for cert.
# Author: Frank Gabriel, 01.01.2019
# Credits Kalle Lilja, @SprockTech and others
# Script location: /etc/letsencrypt/renewal-hooks/post/unifi-import-cert.sh (important for auto renewal)
# Tested with Debian 9 and UniFi 5.8.28, 5.9.22 and 5.9.32 - should work with any recent Unifi and Ubuntu/Debian releases
set -e

# This is where the keystore lives inside the container
UNIFI_DATADIR=/config/data

# Backup previous keystore
cp -av "${UNIFI_DATADIR}/keystore" "${UNIFI_DATADIR}/keystore.backup.$(date +%F_%R)"

# Install certificate
# Ignore warnings
# "aircontrolenterprise" is the controller's well-known default keystore
# password, so the keystore is only as private as the volume it sits on.
keytool -importkeystore \
    -deststorepass aircontrolenterprise \
    -destkeypass aircontrolenterprise \
    -destkeystore "${UNIFI_DATADIR}/keystore" \
    -srckeystore "${UNIFI_DATADIR}/STAR_thighhighs_top.p12" \
    -srcstoretype PKCS12 \
    -srcstorepass unifi \
    -alias unifi \
    -noprompt
}}}
Now run the script to do the import:
{{{
root@network-6d6b5b85f6-qp4k8:/config/data# ./unifi-import-cert.sh
'/config/data/keystore' -> '/config/data/keystore.backup.2024-06-29_02:29'
Importing keystore STAR_thighhighs_top.p12 to /config/data/keystore...
Warning: Overwriting existing alias unifi in destination keystore
}}}
Exit the shell in the pod; you're done.
Restart the pod
The cert is imported but not yet active, because the JVM only reads the keystore at startup. Restart the service to pick it up; deleting the pod is usually the easiest way, and the Deployment recreates it.
{{{
kubectl -n unifi delete pod -l app=unifi-network-application,tier=web
}}}
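The whole procedure above, driven end to end from the workstation, as an added example that is not the page's own script: convert, ship, import, restart, and then the check the page doesn't have, confirming the controller is actually serving the new cert by comparing SHA-256 fingerprints. Namespace, deployment name, pod labels, data directory, cert paths, the p12 alias and password and the default keystore password all come from the page. Assumed: the controller answers on 8443 (the UniFi default) at unifi.thighhighs.top, and `keytool` and `tar` exist in the container (they do in the LinuxServer.io image, which `kubectl cp` relies on).

```shell
#!/bin/bash
# Added example, not the page's own script. Strings the page's four steps
# together and verifies the result. Assumes the names below from the page;
# HOST/port 8443 are my assumptions.
set -eu

NAMESPACE=unifi
DEPLOY=network
POD_SELECTOR='app=unifi-network-application,tier=web'
DATADIR=/config/data
NAME=STAR_thighhighs_top
HOST=unifi.thighhighs.top
KEYSTORE_PASS=aircontrolenterprise   # well-known UniFi default; the PVC is the real protection
P12_PASS=unifi
# OpenSSL 3 writes PKCS#12 with AES/PBKDF2 by default, which older keytools
# refuse; -legacy restores the old RC2/3DES encoding. OpenSSL 1.1 has no -legacy.
P12_LEGACY=${P12_LEGACY:-1}

legacy_flag() {
    case "$(openssl version)" in
        "OpenSSL 3"*) [ "$P12_LEGACY" = 1 ] && printf '%s' -legacy ;;
    esac
    return 0
}

# Step 1: PEM key + cert chain -> PKCS#12, same alias/password the page uses.
make_p12() {
    openssl pkcs12 -export $(legacy_flag) \
        -inkey "$1" -in "$2" -out "$3" \
        -name unifi -password "pass:${P12_PASS}"
}

cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf inside a p12: checks the bundle before shipping it.
p12_fingerprint() {
    openssl pkcs12 -in "$1" $(legacy_flag) -nokeys -clcerts -password "pass:${P12_PASS}" \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of whatever a live HTTPS endpoint presents.
served_fingerprint() {
    openssl s_client -connect "$1:${2:-8443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

rollout_cert() {
    umask 077   # the p12 holds the private key
    local p12 want pod got i
    p12=/tmp/${NAME}.p12
    make_p12 "/etc/ssl/${NAME}.key" "/etc/ssl/${NAME}.crt" "$p12"
    want=$(cert_fingerprint "/etc/ssl/${NAME}.crt")
    [ "$(p12_fingerprint "$p12")" = "$want" ] || { echo "p12 does not contain the expected cert" >&2; return 1; }

    # Steps 2 and 3: copy in, back up the keystore, import, then drop the p12
    # so the key lives only in the keystore.
    pod=$(kubectl -n "$NAMESPACE" get pod -l "$POD_SELECTOR" -o jsonpath='{.items[0].metadata.name}')
    kubectl -n "$NAMESPACE" cp "$p12" "${pod}:${DATADIR}/${NAME}.p12"
    rm -f "$p12"
    kubectl -n "$NAMESPACE" exec "$pod" -- sh -c "
        cp -a '${DATADIR}/keystore' '${DATADIR}/keystore.backup.$(date +%F_%R)' &&
        keytool -importkeystore -noprompt \
            -deststorepass '${KEYSTORE_PASS}' -destkeypass '${KEYSTORE_PASS}' \
            -destkeystore '${DATADIR}/keystore' \
            -srckeystore '${DATADIR}/${NAME}.p12' -srcstoretype PKCS12 \
            -srcstorepass '${P12_PASS}' -alias unifi &&
        rm -f '${DATADIR}/${NAME}.p12'"

    # Step 4: the JVM only reads the keystore at startup.
    kubectl -n "$NAMESPACE" rollout restart "deployment/${DEPLOY}"
    kubectl -n "$NAMESPACE" rollout status "deployment/${DEPLOY}" --timeout=300s

    # Pod readiness does not mean the app has finished starting, so poll the real check.
    i=0
    while [ "$i" -lt 30 ]; do
        got=$(served_fingerprint "$HOST" 8443 || true)
        [ "$got" = "$want" ] && { echo "controller now serving $want"; return 0; }
        i=$((i + 1)); sleep 10
    done
    echo "controller still serving ${got:-nothing} after 5 minutes" >&2
    return 1
}

if [ "${1:-}" = "run" ]; then
    rollout_cert
fi
```

Run it as `./unifi-cert-rollout.sh run` after each renewal; with no argument it only defines the functions, so `served_fingerprint unifi.thighhighs.top` on its own is a quick way to see what the controller is presenting right now. The backup copies of the keystore pile up on the volume, so prune the old ones occasionally.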