Is anyone using docker to run unifi-controller container on OpenWrt?

I have the lxc container running unifi-controller just fine, but would prefer a docker container (to more easily integrate config in the custom image).

Thanks to help from @Hudra [I can overwrite IP the container responds on](https://forum.openwrt.org/t/using-docker-on-openwrt-how-to-change-containers-ip-address/), but the docker container can't find the local unifi devices and reports they are offline, while the lxc container displays them fine.

I wonder if I don't understand something about the docker containers on OpenWrt -- am I missing some firewall rules or something?

PS. I am NOT running lxc and docker containers at the same time as they compete for the same IP.

What is the docker inspect unifi-controller?

Guessing here... but might this be due to the docker image having an internal nat layer? In other words, is the IP address that the UNA is actually using within the docker container the same as the docker address on the outside facing OpenWrt?

If the docker container is routing, you'll have to use L3 adoption methods to get your devices connected to UNA.

1 Like

There is an option in the unifi controller settings:

Override inform host

Make sure this is activated and set to the IP where you bound your container to.

Edit:
Just had some time and tried your config and I had the same issues as you. This fixed it for me:

    ports:
      - 192.168.1.73:8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 6789:6789

Docker with the option -p/ports by default binds to all IPs (0.0.0.0/0). With an IP (as we did) we can tell docker to only bind to a specific IP. I guess ap/network discovery of the unifi controller only works when listening on all IPs…

In my example I only bound the web interface to my IP. If you use Unifi guest portal HTTPS and HTTP you probably also have to bind them to your IP.

1 Like

That I have no idea about. My concern was that I'm lacking better understanding of the container differences (and yes, routing) between lxc/docker, that's why I asked for help.

Yes, I'm using the same address/name in the controller name and override inform host and that name resolves to 192.168.1.10. It works when using lxc container, not when using the docker container.

I'm currently using the lxc container as I need UAPs to work, when I want to test docker, I do:

  1. stop/disable auto-start of lxc container
  2. remove IP assignment for the mac address of lxc container
  3. add .10 IP as an ipaddr to the LAN interface
  4. reboot and bring up docker container.

I'll try your updated ports section as soon as I can and report back, thank you @Hudra !

PS. Just to confirm is this a correct ports section for guest portal/SSH?

    ports:
      - 192.168.1.10:8443:8443
      - 192.168.1.10:8822:22
      - 192.168.1.10:8880:8880
      - 192.168.1.10:8843:8843
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 6789:6789

I don't have any actual knowledge about this, either. But can you ssh into the linux CLI for the container itself? If so, run ifconfig or ip to find out what it's using internally.

I am using host mode on my unifi container and I have no issues. Most of the communication occurs on port 8080 tcp. I suppose you have checked firewall and you see hits.

It will not work if ifconfig or ip-utils are not built in the image. But there might be apt so you can add it.

1 Like

@Hudra thank you, your suggestion worked for UAPs, however the dumb USW-Flex-Mini could still not be adopted with the settings you recommended (while working fine in lxc container). When I tried to enable the host network_mode like @trendy has suggested, the USW-Flex-Mini was adopted, but I have to enter 2FA every time I log in now and I can't ssh into the controller. Any ideas?

I don't know about the 2FA, I am using local login only with user/pass. Regarding SSH I'd say it is conflicting with 22 on OpenWrt. Since you are on host mode all ports are directly bound on OpenWrt. So maybe you could change the port to 2222.

Hi,

You're mixing IP binding and all-binding things, which in my experience will confuse unifi devices.
I suggest using IP:port:port syntax for all ports. Obviously the IP should be set within the unifi controller too, as the inform IP, to override the internal IP (i.e. the docker container's IP) that the unifi controller advertises by default.

1 Like

Looks like @grrr2 is correct that all port bindings should have explicit IP. I've removed the host network mode and added the IP to all the bindings and everything works! Thanks to @Hudra, @psherman, @trendy and @grrr2 guiding this thread to a successful conclusion!

This is the yml file I ended up with:

    ---
    version: "2.1"
    services:
      unifi-controller:
        image: lscr.io/linuxserver/unifi-controller:latest
        container_name: unifi-controller
    #    network_mode: host
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=America/Vancouver
          - MEM_LIMIT=1024 #optional
          - MEM_STARTUP=1024 #optional
        volumes:
          - /etc/unifi-controller:/config
        ports:
          - 192.168.1.10:2222:22
          - 192.168.1.10:8443:8443
          - 192.168.1.10:8880:8880
          - 192.168.1.10:8843:8843
          - 192.168.1.10:3478:3478/udp
          - 192.168.1.10:10001:10001/udp
          - 192.168.1.10:8080:8080
          - 192.168.1.10:6789:6789
        restart: unless-stopped

3 Likes
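
Added example, not part of any post in this thread: a small audit of compose short-syntax port entries that reports which published ports are pinned to one host IP and which listen on every interface of the router, and flags the mixed state discussed above. The function names are hypothetical; the two port lists are the ones posted in the thread.

```python
import re

# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]
PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d+):)?(?P<ctr>\d+)(?:/(?P<proto>tcp|udp|sctp))?$")
WILDCARD = (None, "0.0.0.0", "[::]")  # no IP given means all interfaces

# Both lists are copied from the ports sections posted in this thread.
MIXED = ["192.168.1.73:8443:8443", "3478:3478/udp", "10001:10001/udp",
         "8080:8080", "6789:6789"]
FINAL = ["192.168.1.10:2222:22", "192.168.1.10:8443:8443",
         "192.168.1.10:8880:8880", "192.168.1.10:8843:8843",
         "192.168.1.10:3478:3478/udp", "192.168.1.10:10001:10001/udp",
         "192.168.1.10:8080:8080", "192.168.1.10:6789:6789"]

def audit(ports):
    """Map each published host port ("8080/tcp") to its bind address, "*" = all."""
    binds = {}
    for entry in ports:
        m = PORT_RE.match(entry)
        if not m:
            raise ValueError(f"unrecognised port mapping: {entry!r}")
        # A bare container port is published on a random host port.
        host_port = m.group("host") or "random"
        key = f"{host_port}/{m.group('proto') or 'tcp'}"
        binds[key] = "*" if m.group("ip") in WILDCARD else m.group("ip")
    return binds

def exposed_everywhere(ports):
    """Published ports that listen on every host interface."""
    return sorted(k for k, ip in audit(ports).items() if ip == "*")

def verdict(ports):
    """Return 'pinned', 'wildcard', 'mixed' or 'none' for a ports list."""
    kinds = {"wildcard" if ip == "*" else "pinned"
             for ip in audit(ports).values()}
    if len(kinds) == 2:
        return "mixed"
    return kinds.pop() if kinds else "none"

if __name__ == "__main__":
    for name, ports in (("mixed", MIXED), ("final", FINAL)):
        print(name, verdict(ports), exposed_everywhere(ports))
```
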
