FN11 Jailed UniFi Controller with Let's Encrypt (iocage) 2018-01-04

[kjake]

Thanks, I'll check it out. BTW, you've inspired me to do one of my own: https://github.com/danb35/freenas-iocage-nextcloud

Rock on!

 

[kjake]

FYI someone reports U3 really breaks vnet and it isn’t slated for fix until 11.2.

https://redmine.ixsystems.com/issues/30276

 

[danb35]

Do we know that vnet is needed for this? I don't use it in mine, and in the three systems I've tried it on so far it hasn't caused a problem.

 

[kjake]

Do we know that vnet is needed for this? I don't use it in mine, and in the three systems I've tried it on so far it hasn't caused a problem.

Possibly. My memory is not recalling if I tested without it... I would suspect that it would be needed for provisioning devices, but would need to test.

 

[danb35]

...and it looks like U3 (or at least U4) also breaks non-vnet. iX is making it hard for us to like their new jail system...

 

[NetSoerfer]

I have a couple of question trying to understand the script. I'm leaving out the letsencrypt part for now, trying to do everything manually, using the script to figure out what to do, and why.

In line 10 ( iocate create), why do we need allow_raw_sockets? I read the manpage explanation of that option and can't claim I understood it, but I'm still curious, how did you know it's needed?

What does mount_linprocfs do? The manpage only lists mount_procfs, I couldn't find mount_linprocfs at all.

Also, if I rename the jail to something other than unifi, line 30 will update the jail's /etc/rc.conf with somethingotherthanunifi_enable="YES".
I don't think this would work, because regardless of the jail name that should be unifi_enable="YES" - or am I missing something here?

 

[ggoldfingerd]

Just a quick FYI, UniFi 5.7.23 changed the mongodb dependency to mongodb 3.4. I ran the script and it failed since the script installs mongodb-2.6.12_3 and then UniFi dependency installs mongodb34-3.4.9_5. They conflicted with each other. I remove "mongodb" from the echo line in the script,manually uninstalled mongodb from the jail, and then ran the script again. I'm successfully on UniFi 5.7.23 now.

 

[danb35]

Also, if I rename the jail to something other than unifi, line 30 will update the jail's /etc/rc.conf with somethingotherthanunifi_enable="YES".

Yeah, I think that's a bug in the script--as you note, the service is called unifi no matter what you call the jail.

They conflicted with each other. I remove "mongodb" from the echo line in the script,manually uninstalled mongodb from the jail, and then ran the script again.

...or just replace "mongodb" with "mongodb34" in that echo line.

 

[NetSoerfer]

Do we know that vnet is needed for this? I don't use it in mine, and in the three systems I've tried it on so far it hasn't caused a problem.

I've been switching back and forth between vnet=on and vnet=off.

Adoption, provisioning, updating the device firmware don't work properly with vnet=off. The controller knew about the device because I'd copied the data directory over from my old warden jail, but during those operations it eventually loses the device and it remains disconnected.

With vnet=on those operations work fine.

What's surprising me is that you haven't run into any problems with vnet=off since march at least. Are your devices on the same subnet as the controller? Mine are on different subnets, could that make a difference regarding vnet?

 

[danb35]

What's surprising me is that you haven't run into any problems with vnet=off since march at least.

I probably wasn't very clear--I was referring to a different iocage jail (specifically, Nextcloud). Sounds like you've pretty well confirmed that vnet is required for this case.

 

[glauco]

I could easily install Unifi Controller version 5.8.24 by doing the following:
iocage create -n UniFi_Controller -r 11.1-RELEASE ip4_addr="lagg0|10.0.0.3/24" boot=on
iocage console UniFi_Controller
Set up a URL override to download from the latest package repository instead of the default quarterly:
mkdir -p /usr/local/etc/pkg/repos
printf "FreeBSD: {\n\turl: "pkg+http://pkg.FreeBSD.org/\${ABI}/latest"\n}\n" > /usr/local/etc/pkg/repos/FreeBSD.conf
Upgrade all packages and then install Unifi Controller:
pkg update && pkg upgrade -y
pkg install -y unifi5
Let the Unifi Controller service start at system startup.
sysrc unifi_enable="YES"
Exit the jail and restart it.
exit
iocage restart Unifi_Controller
Use your web browser to access the UI at https:// your_jail_IP and port 8443: https://10.0.0.3:8443

 

[Jailer]

I could easily install Unifi Controller version 5.8.24 by doing the following:
iocage create -n UniFi_Controller -r 11.1-RELEASE ip4_addr="lagg0|10.0.0.3/24" boot=on
iocage console UniFi_Controller
pkg install nano
nano /etc/pkg/FreeBSD.conf
replace quarterly with latest
pkg update
pkg upgrade
pkg install unifi5
nano /etc/rc.conf
Add line unifi_enable="YES"
exit
iocage restart Unifi_Controller
https://10.0.0.3:8443
I'm wondering why FreeBSD.conf is set to quarterly instead of latest...

If you want the latest version the "proper" way would be to create a pkg override.
mkdir -p /usr/local/etc/pkg/repos
ee /usr/local/etc/pkg/repos/FreeBSD.conf

Add the following code:

Code:

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}

Then run pkg upgrade and finish the installation.

 

[glauco]

If you want the latest version the "proper" way would be to create a pkg override.
mkdir -p /usr/local/etc/pkg/repos
ee /usr/local/etc/pkg/repos/FreeBSD.conf

Add the following code:

Code:

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}

Then run pkg upgrade and finish the installation.

Thank you, I didn't know that!

 

[danb35]

If you want the latest version the "proper" way would be to create a pkg override.

That still only gets the latest version that's been built into a FreeBSD package, which may lag a bit from the official release. This isn't necessarily anything critical, but it's still probably worth pointing out.

 

[Jailer]

That still only gets the latest version that's been built into a FreeBSD package, which may lag a bit from the official release. This isn't necessarily anything critical, but it's still probably worth pointing out.

Correct, it is currently one version behind the official release. Such is the case with most software on FreeBSD unfortunately.

 

[Baenwort]

If you want the latest version the "proper" way would be to create a pkg override.
mkdir -p /usr/local/etc/pkg/repos
ee /usr/local/etc/pkg/repos/FreeBSD.conf

Add the following code:

Code:

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}

Then run pkg upgrade and finish the installation.

Is there an https pkg server that works with FreeNAS? Just changing the above one to https results in certificate errors.

 

[diskdiddler]

If you want the latest version the "proper" way would be to create a pkg override.
mkdir -p /usr/local/etc/pkg/repos
ee /usr/local/etc/pkg/repos/FreeBSD.conf

Add the following code:

Code:

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}

Then run pkg upgrade and finish the installation.

Jailer.
I've done this, precisely in a jail here for Guacamole and it's not working, I'm truly baffled at this ports stuff.

You can see here:

https://www.freshports.org/www/guacamole-client/
1.0 is at the top of the list, as of today.

I've made this bypass file to check for latest build.
I've restarted the jail, then gone pkg update and upgrade - no dice, it's still pulling down version 0.9

What am I doing wrong?

 

[Jailer]

The package may be lagging behind, some do. Give it a few days or so and try again.

 

[diskdiddler]

Oh - is there a way to force, or just deal with it?

 

[Jailer]

If the package isn't available yet, it isn't available. Be patient.