Omada Controller Docker

Comments

21 comments

  • Charles W

    mbentley has patched his docker repo for the log4j exploit. Please pull the new files:

    # pull the patched image, then recreate the container from it
    cd /home/pi/.firewalla/run/docker/omada-controller
    sudo docker pull mbentley/omada-controller:4.4-arm64
    sudo docker container stop omada-controller
    sudo docker container rm omada-controller
    sudo docker-compose up -d
    # confirm the new container is running, then drop the old unused image layers
    sudo docker ps
    sudo docker system prune

    1
  • Charles W

    Another quick update about security: Running the docker in host mode makes it use the gateway's IP address. This means that you won't be able to block the webui from VLANs since firewalla currently does not allow blocking even specific ports of the gateway's IP address.

    Using bridge mode makes it difficult for the controller to discover and provision new devices since it's on a different subnet.

    Use a macvlan network to allow the controller to have a separate static IP address (outside of the DHCP range) on the same subnet, which can then be blocked with rules.

    Modify the startup script:

    nano ~/.firewalla/config/post_main.d/start_omada-controller.sh

    #!/bin/bash

    # mount the SD card and enable the swapfile on it (mkswap only has to run once)
    sudo mkdir -p /media/sd_card
    sudo chmod 744 /media/sd_card/
    sudo mount /dev/mmcblk1p1 /media/sd_card/
    #sudo mkswap /media/sd_card/swapfile
    sudo swapon /media/sd_card/swapfile

    sudo systemctl start docker
    # create a docker macvlan network with 2 IP addresses (the /31 range) on the LAN subnet
    sudo docker network create -d macvlan --subnet 192.168.1.0/24 --gateway 192.168.1.1 --ip-range 192.168.1.46/31 -o parent=br0 omada_macvlan
    # set promiscuous mode to allow traffic to multiple MAC addresses on one interface
    sudo ifconfig br0 promisc
    sudo systemctl start docker-compose@omada-controller


    Modify docker-compose to use a static IP address and external network.

    nano ~/.firewalla/run/docker/omada-controller/docker-compose.yaml

    version: "3.1"

    services:
      omada-controller:
        container_name: omada-controller
        image: mbentley/omada-controller:4.4-arm64
        environment:
          - TZ=America/Los_Angeles
          - MANAGE_HTTP_PORT=8088
          - MANAGE_HTTPS_PORT=8043
          - PORTAL_HTTP_PORT=8088
          - PORTAL_HTTPS_PORT=8043
          - SHOW_SERVER_LOGS=true
          - SHOW_MONGODB_LOGS=false
          # no quotes around list-style values: compose keeps them as part of the file name
          - SSL_CERT_NAME=tls.crt
          - SSL_KEY_NAME=tls.key
        # network_mode: host
        networks:
          default:
            # static IP address for the omada controller, inside the macvlan --ip-range
            ipv4_address: 192.168.1.46
        volumes:
          - '/media/sd_card/docker/omada-controller/data:/opt/tplink/EAPController/data'
          - '/media/sd_card/docker/omada-controller/work:/opt/tplink/EAPController/work'
          - '/media/sd_card/docker/omada-controller/logs:/opt/tplink/EAPController/logs'
        restart: unless-stopped

    networks:
      default:
        external:
          name: omada_macvlan

     

    Optionally add a DNS entry:

    echo address=/omada/192.168.1.46 > ~/.firewalla/config/dnsmasq_local/omada
    
    # Restart DNS Service
    sudo systemctl restart firerouter_dns
    1
  • John H. Ronafalvy

    Finally fixed it!!! In the yaml load the image as -latest only; got rid of the -arm64 suffix.

    1
  • Charles W

    I've had to restart the docker once I think, but otherwise it's been stable for me:

    1
  • Ciordia9

    Was having trouble with the maintainer's Raspbian docker image so I decided to move it over to Firewalla. Worked easy. Thanks. :)

    0
  • John H. Ronafalvy

    I followed these steps, but get the following error:


    This site can’t be reached

    192.168.208.1 refused to connect.

    Try:

    ERR_CONNECTION_REFUSED
    Any help appreciated.
    0
  • Charles W

    Does this command on your FW show that it is running? Did you try both port 8088 and 8043?

    sudo docker ps
    0
  • John H. Ronafalvy

    here's the output:

    0
  • Charles W

    Looks like it got stuck in the bring up somehow.

    It should be:

    pi@Firewalla:~ (Firewalla) $ sudo docker ps
    CONTAINER ID   IMAGE                                 COMMAND                  CREATED       STATUS                 PORTS     NAMES
    f0255f920453   mbentley/omada-controller:4.4-arm64   "/entrypoint.sh /usr…"   4 weeks ago   Up 4 weeks (healthy)             omada-controller

    I'm using 4.4.8. Latest is probably the 5.0.x branch... I've never tried that. You may have to do some debugging or try running the 4.4 branch.

    0
  • John H. Ronafalvy

    Here's a copy of my yaml file:


    0
  • John H. Ronafalvy

    I changed the version to 4.4 and still get the same issue. Only thing I can think of is an issue with my yaml file. Is that a single quote (') or a backtick (`)? I used a single quote in my file.

    0
  • Charles W

    They are single quotes but if I recall, yaml is very sensitive to white spaces. Like tabs vs spaces, etc. Try to have exactly 2 spaces in the indents. You may also need to use docker inspect or some other debugging methods to see what is going on in the container when it launches.

    0
  • John H. Ronafalvy

    I just can't figure out what's wrong.  I even rebuilt the yaml file and still no go.  Here's some info from the docker inspect:

    0
  • Charles W

    508 is the UID and GID of the user that omada runs as, see here: https://hub.docker.com/r/mbentley/omada-controller. (Rereading it, it seems to imply you only need it for the 3.x branches.) You can sudo ls -lR on /data/omada-controller and maybe try re-running

    sudo chown -R 508:508 /data/omada-controller/data /data/omada-controller/work /data/omada-controller/logs

    to make sure everything is owned by 508.

    Lastly, try not using --detach until you get everything running, then you can see line by line what's going on and where it gets stuck/restarts.

    0
  • John H. Ronafalvy

    Here's the error when I remove the --detach command:


    0
  • Charles W

    That's bizarre. Are you running this on a Firewalla Purple or Gold? 

    0
  • Rigoberto L.

    - Omada docker not stable on Firewalla purple

    - I had to modify yaml from 4.4-arm64 to latest-arm64 to get the Controller Docker working

    - After two days, Omada Controller has gone offline 3 times randomly. After restart Firewalla, Omada Controller comes online again

    - Also my.firewalla.com (web version) stopped working as intended. Cannot go from Firewalla groups and into individual devices to see history.

    I expected the controller to work without affecting Firewalla functionality; however, the first time I installed Omada controller, Firewalla purple stopped working. Then, I had to reflash Firewalla purple. After I re-installed Omada Controller a second time, the controller has been going offline randomly. The only choice now is to go back to the Omada hardware Controller and leave Firewalla without Omada controller docker.

    0
  • Steve

    I agree. After I rebooted my box it did not come up online. I have resorted to docker on my NAS.

    0
  • Ciordia9

    Been running this for weeks on the purple without an issue. Updated twice along the way. Edge cases?

    0
  • Steve

    Glad it's working for you guys. Are you running it from an SD card or internal memory? Also, do you have it set to start at boot?

    0
  • Kenny

    I'm getting an error on my FWP trying to set up the macvlan; it doesn't seem to be finding br0. Has anyone gotten the second set of instructions in the comments to work on a FWP?

    0
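As an added example (not code from the thread, from Firewalla, or from the mbentley image), here is a small POSIX shell script that bundles the checks this thread ends up doing by hand: the YAML whitespace check Charles W suggests (tabs vs. spaces, two-space indents), whether the static ipv4_address in the compose file falls inside the macvlan --ip-range, whether the br0 parent interface exists (Kenny's symptom), which files under the data directories are not owned by uid/gid 508, and whether docker ps reports the container as Up and healthy, as in the output Charles W posted. The paths, interface name and function names are assumptions taken from the values posted above; the live checks only run when the script is invoked with --run, so the functions can be exercised on a machine without docker.

```shell
#!/bin/sh
# Added example, not part of the thread: pre-flight checks for the Omada controller
# container on a Firewalla box. All names below are assumptions taken from the thread.

OMADA_UID=508                        # uid/gid the controller runs as (per the image docs linked above)
PARENT_IFACE=br0                     # parent interface of the macvlan network
STATIC_IP=192.168.1.46               # ipv4_address from docker-compose.yaml
MACVLAN_RANGE=192.168.1.46/31        # --ip-range given to `docker network create`
COMPOSE_FILE=$HOME/.firewalla/run/docker/omada-controller/docker-compose.yaml
DATA_ROOT=/media/sd_card/docker/omada-controller

# Report YAML lines that contain a tab or whose leading indent is not a multiple of two
# spaces. Compose rejects tab indentation outright; odd indents usually mean a paste error.
yaml_indent_problems() {
  awk '
    /\t/ { printf "line %d: tab character\n", NR; next }
    { match($0, /^ */); n = RLENGTH; if (n % 2 != 0) printf "line %d: %d-space indent\n", NR, n }
  ' "$1"
}

# Convert a dotted-quad IPv4 address to an integer using only shell arithmetic.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True when IPv4 address $1 lies inside CIDR block $2. The compose ipv4_address must sit
# inside the --ip-range the macvlan network was created with, or the container won't start.
ip_in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# True when the macvlan parent interface exists on this host (Linux sysfs lookup).
parent_iface_exists() {
  [ -d "/sys/class/net/$1" ]
}

# Print every path under $1 that is not owned by the controller's uid and gid.
files_not_owned_by_omada() {
  find "$1" \( ! -user "$OMADA_UID" -o ! -group "$OMADA_UID" \) -print 2>/dev/null
}

# True when `docker ps` output on stdin lists container $1 as Up and (healthy).
container_up_healthy() {
  grep -E "Up .*\(healthy\)[[:space:]]+$1\$" >/dev/null
}

# Live run against this box; skipped unless --run is given so the functions above
# can be sourced or tested where docker is not installed.
if [ "${1-}" = "--run" ]; then
  yaml_indent_problems "$COMPOSE_FILE"
  ip_in_cidr "$STATIC_IP" "$MACVLAN_RANGE" || echo "$STATIC_IP is outside $MACVLAN_RANGE"
  parent_iface_exists "$PARENT_IFACE" || echo "parent interface $PARENT_IFACE not found"
  files_not_owned_by_omada "$DATA_ROOT" | sed "s/^/not owned by $OMADA_UID: /"
  if sudo docker ps | container_up_healthy omada-controller; then
    echo "omada-controller is up and healthy"
  else
    echo "omada-controller is not up/healthy; run docker-compose up without -d to watch the startup"
  fi
fi
```

Run it as sh check-omada.sh --run on the Firewalla box; every line it prints is one of the problems discussed in this thread, and silence on all but the last line means the container came up cleanly.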
