Omada Controller Docker
Is there a guide similar to:
For installing the Omada controller?
https://hub.docker.com/r/mbentley/omada-controller
=====================================================
I was able to make some progress on this on my Purple FW, but not fully test it.
Here are the steps I went through:
In addition to the above links, the homebridge docker guide was also helpful:
https://help.firewalla.com/hc/en-us/articles/360053184374
Here's what I did:
SSH into the unit:
1. Login to Firewalla via SSH. You will find the credential on your Firewalla app, Settings > Advanced > Configurations > SSH Console. The username is always "pi".
Install nano (sorry, I've never gotten used to vi):
$unalias apt-get
$sudo apt-get install nano
Create data directories:
cd /data
sudo mkdir omada-controller
cd omada-controller
sudo mkdir work
sudo mkdir data
sudo mkdir logs
#change owner of dirs, per recommendation
sudo chown 508:508 *
Create the docker-compose.yaml file. This is for a Firewalla Purple; if you have a Gold, remove the arch from the image tag:
$cd /home/pi/.firewalla/run/docker
$mkdir omada-controller ; cd omada-controller
$nano docker-compose.yaml
(Change TZ to your locale)
version: "3.1"
services:
  omada-controller:
    container_name: omada-controller
    image: mbentley/omada-controller:4.4-arm64
    environment:
      - TZ=America/Los_Angeles
      - MANAGE_HTTP_PORT=8088
      - MANAGE_HTTPS_PORT=8043
      - PORTAL_HTTP_PORT=8088
      - PORTAL_HTTPS_PORT=8043
      - SHOW_SERVER_LOGS=true
      - SHOW_MONGODB_LOGS=false
      # no quotes around these values: in list form the quotes would become part of the value
      - SSL_CERT_NAME=tls.crt
      - SSL_KEY_NAME=tls.key
    network_mode: host
    volumes:
      - '/data/omada-controller/data:/opt/tplink/EAPController/data'
      - '/data/omada-controller/work:/opt/tplink/EAPController/work'
      - '/data/omada-controller/logs:/opt/tplink/EAPController/logs'
    restart: unless-stopped
Start Docker:
sudo systemctl start docker
sudo docker-compose up --detach
Access the interface at:
https://IP:8043
or
http://IP:8088
See if it detects your Omada Devices:
Optional:
Make Omada start after reboot:
mkdir /home/pi/.firewalla/config/post_main.d/
cd /home/pi/.firewalla/config/post_main.d/
nano start_omada-controller.sh
#!/bin/bash
sudo systemctl start docker
sudo systemctl start docker-compose@omada-controller
Move the log/data/work locations to an SD card.
I'm reluctant to write to the onboard memory. The DB files for omada are around ~400MB so far. I'd rather write them to a cheaply replaceable high-endurance SD card.
Briefly:
- Partition/format an SD card with ext4 (XFS or btrfs might work too, but FAT/FAT32/exFAT doesn't allow chown/chgrp)
- Mount the SD card
- Create the equivalent omada-controller/work, data and logs directories with the same 508:508 permissions
- stop docker with sudo docker stop [container]
- rsync all files from /data to your sd card location
- Modify the docker-compose.yaml file to point to the sd_card
    volumes:
      - '/media/sd_card/docker/omada-controller/data:/opt/tplink/EAPController/data'
      - '/media/sd_card/docker/omada-controller/work:/opt/tplink/EAPController/work'
      - '/media/sd_card/docker/omada-controller/logs:/opt/tplink/EAPController/logs'
- Modify the startup script to mount your SD card (ignore the swapon line)
#!/bin/bash
sudo mkdir /media/sd_card
sudo chmod 744 /media/sd_card/
sudo mount /dev/mmcblk1p1 /media/sd_card/
#sudo mkswap /media/sd_card/swapfile
sudo swapon /media/sd_card/swapfile
sudo systemctl start docker
sudo systemctl start docker-compose@omada-controller
sync ; sudo reboot
to reboot the unit.
-
mbentley has patched his docker repo for the log4j exploit. Please pull the new files:
cd /home/pi/.firewalla/run/docker/omada-controller
sudo docker pull mbentley/omada-controller:4.4-arm64
sudo docker container stop omada-controller
sudo docker container rm omada-controller
sudo docker-compose up -d
sudo docker ps
sudo docker system prune
-
Another quick update about security: running the container in host mode makes it use the gateway's IP address. This means that you won't be able to block the web UI from VLANs, since Firewalla currently does not allow blocking even specific ports of the gateway's IP address.
Using bridge mode makes it difficult for the controller to discover and provision new devices, since it's on a different subnet.
Use a macvlan network to allow the controller to have a separate static IP address (outside of the DHCP range) on the same subnet, which can then be blocked with rules.
Modify the startup script:
nano ~/.firewalla/config/post_main.d/start_omada-controller.sh
#!/bin/bash
sudo mkdir /media/sd_card
sudo chmod 744 /media/sd_card/
sudo mount /dev/mmcblk1p1 /media/sd_card/
#sudo mkswap /media/sd_card/swapfile
sudo swapon /media/sd_card/swapfile
sudo systemctl start docker
#create docker macvlan network with 2 IP addresses
sudo docker network create -d macvlan --subnet 192.168.1.0/24 --gateway 192.168.1.1 --ip-range 192.168.1.46/31 -o parent=br0 omada_macvlan
#Set promiscuous mode to allow traffic to multiple MAC addresses on one interface
sudo ifconfig br0 promisc
sudo systemctl start docker-compose@omada-controller
Modify docker-compose to use a static IP address and an external network.
nano ~/.firewalla/run/docker/omada-controller/docker-compose.yaml
version: "3.1"
services:
  omada-controller:
    container_name: omada-controller
    image: mbentley/omada-controller:4.4-arm64
    environment:
      - TZ=America/Los_Angeles
      - MANAGE_HTTP_PORT=8088
      - MANAGE_HTTPS_PORT=8043
      - PORTAL_HTTP_PORT=8088
      - PORTAL_HTTPS_PORT=8043
      - SHOW_SERVER_LOGS=true
      - SHOW_MONGODB_LOGS=false
      # no quotes around these values: in list form the quotes would become part of the value
      - SSL_CERT_NAME=tls.crt
      - SSL_KEY_NAME=tls.key
    # network_mode: host
    networks:
      default:
        # static IP address for omada controller
        ipv4_address: 192.168.1.46
    volumes:
      - '/media/sd_card/docker/omada-controller/data:/opt/tplink/EAPController/data'
      - '/media/sd_card/docker/omada-controller/work:/opt/tplink/EAPController/work'
      - '/media/sd_card/docker/omada-controller/logs:/opt/tplink/EAPController/logs'
    restart: unless-stopped
networks:
  default:
    external:
      name: omada_macvlan
Optionally add a DNS entry:
echo address=/omada/192.168.1.46 > ~/.firewalla/config/dnsmasq_local/omada
# Restart DNS service
sudo systemctl restart firerouter_dns
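The macvlan setup above only works when four address relationships hold at once: the --ip-range must sit inside the --subnet, the container's ipv4_address must sit inside the --ip-range, the gateway must not fall inside the --ip-range, and the static address must be outside the DHCP pool so the Firewalla never hands it to another client. The following script checks all four before you run the docker network create line. It is an added example, not code from the post or from Docker; the DHCP pool 192.168.1.100-192.168.1.200 is an assumption (the post only says "outside of the DHCP range"), and the function names are my own.

```shell
#!/bin/bash
# macvlan_check.sh -- sanity-check the addresses used for the omada_macvlan network.
# Added example for this thread, not code from the original post. The DHCP pool
# below is assumed; substitute the range your Firewalla actually hands out.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> 0 if IP lies inside NET/BITS
in_cidr() {
    local ip net bits mask
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# macvlan_check SUBNET GATEWAY IPRANGE STATIC_IP DHCP_FIRST DHCP_LAST
# Prints one line per inconsistency and returns 1; returns 0 when the layout is sound.
macvlan_check() {
    local subnet=$1 gw=$2 range=$3 static=$4 dhcp_lo=$5 dhcp_hi=$6 rc=0
    local s lo hi
    s=$(ip2int "$static"); lo=$(ip2int "$dhcp_lo"); hi=$(ip2int "$dhcp_hi")

    # --ip-range must be a sub-block of --subnet (longer or equal prefix, same network)
    if [ "${range#*/}" -lt "${subnet#*/}" ] || ! in_cidr "${range%/*}" "$subnet"; then
        echo "ip-range $range is not contained in subnet $subnet"; rc=1
    fi
    # docker only assigns addresses from --ip-range, so the static IP must be in it
    if ! in_cidr "$static" "$range"; then
        echo "static IP $static is not inside ip-range $range"; rc=1
    fi
    # the gateway must never be handed to a container
    if in_cidr "$gw" "$range"; then
        echo "gateway $gw collides with ip-range $range"; rc=1
    fi
    # the static IP must be outside the DHCP pool or a client may get the same address
    if [ $(( s >= lo && s <= hi )) -eq 1 ]; then
        echo "static IP $static is inside the DHCP pool $dhcp_lo-$dhcp_hi"; rc=1
    fi
    return $rc
}

# Usage: macvlan_check.sh SUBNET GATEWAY IPRANGE STATIC_IP DHCP_FIRST DHCP_LAST
# e.g.   macvlan_check.sh 192.168.1.0/24 192.168.1.1 192.168.1.46/31 192.168.1.46 192.168.1.100 192.168.1.200
if [ "$#" -eq 6 ]; then
    macvlan_check "$@"
fi
```

With the values from the post (192.168.1.0/24, gateway .1, ip-range .46/31, static .46) and the assumed pool, the check passes; a /31 gives exactly .46 and .47, which is why the post's comment says the network has two addresses. Note the check cannot tell you whether .46 or .47 is already in use by a statically configured host; ping or check the Firewalla device list for that.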
-
I followed these steps, but get the following error:
This site can’t be reached
192.168.208.1 refused to connect.
Try:
- Checking the connection
- Checking the proxy and the firewall
ERR_CONNECTION_REFUSED
Any help appreciated.
-
Looks like it got stuck in the bring up somehow.
It should be:
pi@Firewalla:~ (Firewalla) $ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f0255f920453 mbentley/omada-controller:4.4-arm64 "/entrypoint.sh /usr…" 4 weeks ago Up 4 weeks (healthy) omada-controller
I'm using 4.4.8. Latest is probably the 5.0.x branch...I've never tried that. You may have to do some debugging or try running the 4.4 Branch.
-
508 is the UID and GID of the user that omada runs as, see here: https://hub.docker.com/r/mbentley/omada-controller (rereading it, it seems to imply you only need it for the 3.X branches). You can sudo ls -lR on /data/omada-controller and maybe try re-running
sudo chown -R 508:508 /data/omada-controller/data /data/omada-controller/work /data/omada-controller/logs
to make sure everything is owned by 508.
Lastly, try not using --detach until you get everything running, then you can see line by line what's going on and where it gets stuck/restarts.
-
- Omada docker not stable on Firewalla purple
- I had to modify yaml from 4.4-arm64 to latest-arm64 to get the Controller Docker working
- After two days, Omada Controller has gone offline 3 times randomly. After restart Firewalla, Omada Controller comes online again
- Also my.firewalla.com (web version) stopped working as intended. Cannot go from Firewalla groups and into individual devices to see history.
I expected the controller to work without affecting Firewalla functionality; however, the first time I installed Omada controller, Firewalla Purple stopped working. Then I had to reflash Firewalla Purple. After I re-installed Omada Controller a second time, the controller has been going offline randomly. The only choice now is to go back to the Omada hardware controller and leave Firewalla without the Omada controller docker.
-
Hey all. Thanks for the great write-up - worked like a charm on my FWP - and has been running really well for a couple of weeks.
My FWP rebooted overnight and when I accessed the Omada controller this morning, it was back at the Setup Wizard. Luckily I'd backed up my settings a couple of days ago, so I could restore them, but anyone have any thoughts on why the settings weren't saved?
I'm using an SD card for the data/logs etc. as mentioned above.
I'm running 4.4.8 (do the later versions also work on FWP - I'm not sure if there are any new features in v5.x that make it worth upgrading?)
-
Please ignore my earlier message - I've now discovered that my SD card is reporting bad super-block errors and isn't mounted. Not yet sure why - the SD card is new. I've tried reformatting it, which worked for a few minutes, but then failed again.
The settings weren't loaded because my FWP can't mount the SD card.
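Two failure modes in this thread come down to the same pre-start checks: the bind-mount directories not being owned by the 508:508 user the container runs as (the chown step in the guide and the reply about re-running chown -R), and the SD card silently failing to mount, after which the container starts against the empty mount-point directory on the eMMC, initialises a fresh database there and comes back at the Setup Wizard (the last two comments). The script below, an added example that is not code from any of the posts or from mbentley's image, refuses to start the container unless the card is mounted and the three directories are correctly owned. The 508 UID/GID and the /media/sd_card paths are taken from the guide; the function names and the `run` argument are my own.

```shell
#!/bin/bash
# preflight_omada.sh -- checks to run before starting the Omada controller container.
# Added example for this thread, not code from the original post or from mbentley's
# image. Assumptions (adjust to your layout): the controller runs as UID/GID 508,
# the SD card is mounted at /media/sd_card, and the bind-mounted directories are
# data/, work/ and logs/ under DATA_ROOT, as in the compose file in the guide.

OMADA_UID=508
OMADA_GID=508
SD_MOUNT=/media/sd_card
DATA_ROOT=$SD_MOUNT/docker/omada-controller

# is_mountpoint DIR -> 0 if DIR is the root of a mounted filesystem.
# A mount point has a different device ID than the directory containing it,
# so comparing DIR with DIR/.. tells the mounted card apart from the bare directory.
is_mountpoint() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %d "$1")" != "$(stat -c %d "$1/..")" ]
}

# dirs_owned_by ROOT UID GID -> 0 only if ROOT/data, ROOT/work and ROOT/logs all
# exist and are owned by UID:GID. Each offending path is reported on stderr.
dirs_owned_by() {
    local root=$1 uid=$2 gid=$3 sub owner rc=0
    for sub in data work logs; do
        if [ ! -d "$root/$sub" ]; then
            echo "missing directory: $root/$sub" >&2
            rc=1
            continue
        fi
        owner=$(stat -c '%u:%g' "$root/$sub")
        if [ "$owner" != "$uid:$gid" ]; then
            echo "wrong owner on $root/$sub: $owner, want $uid:$gid (sudo chown -R $uid:$gid $root/$sub)" >&2
            rc=1
        fi
    done
    return $rc
}

# preflight MOUNT ROOT UID GID -> 0 only if MOUNT is actually mounted and the
# directories under ROOT are correctly owned. The mount check comes first: if the
# card failed to mount, the bind mounts would point at the empty directory on the
# eMMC and the controller would initialise a fresh database there.
preflight() {
    local mount=$1 root=$2 uid=$3 gid=$4
    if ! is_mountpoint "$mount"; then
        echo "refusing to start: $mount is not mounted" >&2
        return 1
    fi
    dirs_owned_by "$root" "$uid" "$gid"
}

# Invoke as "preflight_omada.sh run" from the post_main.d startup script after the
# mount line, in place of the bare systemctl lines, so the container only starts
# when the checks pass.
if [ "${1:-}" = "run" ]; then
    preflight "$SD_MOUNT" "$DATA_ROOT" "$OMADA_UID" "$OMADA_GID" || exit 1
    sudo systemctl start docker
    sudo systemctl start docker-compose@omada-controller
fi
```

Because the container has restart: unless-stopped, docker would otherwise keep bringing it up against whatever is at the mount path; gating the docker-compose@omada-controller start on the mount check is what stops the controller from quietly writing a new database to the onboard flash when the card is absent or its superblock is bad.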