Skip to content

goofball222/unifi

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

UniFi Docker Container

Latest Build Status Docker Pulls Docker Stars License

Docker tags:

Tag UniFi Version Description Release Date
8.0, 8.0-alpine, 8.0-debian, 8.0-ubuntu, latest, latest-alpine, latest-debian, latest-ubuntu 8.0.28 UniFi Network Application official release 2024-01-25
8.1-beta, 8.1-alpine-beta, 8.1-debian-beta, 8.1-ubuntu-beta, latest-beta, latest-alpine-beta, latest-debian-beta, latest-ubuntu-beta 8.1.113 UniFi Network Application beta/release candidate 2024-03-11
8.0.28 8.0.28 Static official release tag/image 2024-01-25
7.5.187 7.5.187 Static official release tag/image 2023-10-17
7.4.162 7.4.162 Static official release tag/image 2023-07-03
7.3.83 7.3.83 Static official release tag/image 2023-01-30
7.2.97 7.2.97 Static official release tag/image 2023-02-06
7.1.68 7.1.68 Static official release tag/image 2022-08-02
7.0.25 7.0.25 Static official release tag/image 2022-03-28
6.5.55 6.5.55 Static official release tag/image 2021-12-16
6.4.54 6.4.54 Static official release tag/image 2021-09-20
6.2.26 6.2.26 Static official release tag/image 2021-06-24
6.1.71 6.1.71 Static official release tag/image 2021-03-25
6.0.45 6.0.45 Static official release tag/image 2021-01-26
5.14.23 5.14.23 Static official release tag/image 2020-08-25
5.13.32 5.13.32 Static official release tag/image 2020-07-02
5.12.72 5.12.72 Static official release tag/image 2020-05-18
5.11.50 5.11.50 Static official release tag/image 2019-10-08
5.6.42 5.6.42 Static official release tag/image 2019-05-03


NOTE: Alpine tags DO NOT contain any internal MongoDB binaries. You must connect them to an external Mongo DB container or other host instance.

2023-12-21: Info and proposed changes for Debian-base MongoDB 3.6 Release Signing Key EXPKEYSIG 2023-12-20: MongoDB 3.6 Debian repo signing key has expired, apt-get refuses to install packages from this repo without setting insecure options.

ALL RELEASES AFTER v8.0.26 WILL BE UPDATED TO USE THE UBUNTU BASED BUILD AS THE LATEST/CURRENT VERISON TAG. DEBIAN BASE WILL BE MOVED TO A NEWER VERSION OF MONGODB, NON-MONGO BUILD, OR PHASED OUT ENTIRELY IN THE NEAR FUTURE.**

Current beta tags of v8.0.X have been rebuilt with Ubuntu as the default. Please test and report any bugs, or issues on GitHub


For security/attack surface reduction the container is configured to run the UniFi processes as an internal user & group unifi having a pre-set UID & GID of 999. The container will attempt to adjust permissions on mapped volumes and data to match before dropping privileges to start the UniFi Java and Mongo processes. If the container is being run with a different Docker --user setting permissions may need to be fixed manually.

IE: chown -R 999:999 ./{cert,data,logs}

A custom UID and GID can be configured for the container internal unifi user and group. For more information see the "Environment variables" section in this document.


ALWAYS MAKE A VERIFIED BACKUP OF DATA BEFORE INSTALLING UPDATES. Export a .unf from the web interface and/or stop the current container and create a backup or copy of the data volume. Database rollback from newer to older versions of UniFi and/or Mongo isn't always possible.


Usage

This container exposes three volumes:

  • /usr/lib/unifi/cert - SSL custom certificate storage
  • /usr/lib/unifi/data - UniFi configuration data and DBs
  • /usr/lib/unifi/logs - UniFi and MongoDB logs for troubleshooting

This container exposes the following ports (see: https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used):

  • 3478/udp (port used for STUN connection)
  • 6789/tcp (port used for throughput measurement from Android/iOS app)
  • 8080/tcp (port for UAP/USW/USG to inform controller)
  • 8443/tcp (port for controller GUI / API)
  • 8880/tcp (port for HTTP portal redirect)
  • 8843/tcp (port for HTTPS portal redirect)
  • 10001/udp (port used for UBNT discovery broadcasts - Local LAN/L2/same subnet only)

The most basic way to run this container:

$ docker run --name unifi -d \
    -p 3478:3478/udp -p 8080:8080 -p 8443:8443 \
    -p 8880:8880 -p 8843:8843 \
    ghcr.io/goofball222/unifi

Recommended run method: Docker Compose - UniFi app and internal Mongo DB:

version: '3'

services:
  unifi:
    image: ghcr.io/goofball222/unifi
    container_name: unifi
    restart: unless-stopped
    network_mode: bridge
    ports:
      - 3478:3478/udp
      - 8080:8080
      - 8443:8443
      - 8880:8880
      - 8843:8843
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./cert:/usr/lib/unifi/cert
      - ./data:/usr/lib/unifi/data
      - ./logs:/usr/lib/unifi/logs
    environment:
      - TZ=UTC

Recommended run method: Docker Compose - UniFi app and Mongo DB as separate services:

version: '3'

services:
  mongo:
#   Use max mongo version 5.0.X. Higher versions are incompatible with the mongo driver built into Unifi.
#   Older versions are acceptable, ie: mongo:3.6
    image: mongo:5.0
    container_name: unifidb
    restart: unless-stopped
#   By default docker-compose will create a new bridge network for the services in the compose file.
#   Enable this to have the services/containers use the existing docker0/default bridge network.
#    network_mode: bridge
    volumes:
      - ./data/db:/data/db

  unifi:
    image: ghcr.io/goofball222/unifi
    container_name: unifi
    restart: unless-stopped
#   By default docker-compose will create a new bridge network for the services in the compose file.
#   Enable this to have the services/containers use the existing docker0/default bridge network.
#    network_mode: bridge
    links:
      - mongo
    ports:
      - 3478:3478/udp
      - 8080:8080
      - 8443:8443
      - 8880:8880
      - 8843:8843
#     Optional: Uncomment to enable speed tests from the UniFi iOS & Android apps
#      - 6789:6789
#     Optional: Uncomment for layer 2 broadcast discovery if container running on a host in the local LAN
#      - 10001:10001/udp
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./cert:/usr/lib/unifi/cert
      - ./data:/usr/lib/unifi/data
      - ./logs:/usr/lib/unifi/logs
    environment:
      - DB_MONGO_LOCAL=false
      - DB_MONGO_URI=mongodb://mongo:27017/unifi
      - STATDB_MONGO_URI=mongodb://mongo:27017/unifi_stat
      - TZ=UTC
      - UNIFI_DB_NAME=unifi

Alternative network setup suggested by rogierlommers -

Please make sure to read the "NETWORK: HOST" section of the Docker "run" reference and understand the implications of this before using.

Copy the following to both services in the docker-compose.yml file under the commented out network_mode: bridge line in the example above, and then uncomment the network_mode: host line:

#   Use host network mode. Does not allow for port remapping. You may need to manually adjust
#       host firewall settings to allow traffic. Running a container in this mode is considered insecure.
#    network_mode: host

Example basic docker-compose.yml in file form.

Example advanced docker-compose.yml in file form with external Mongo DB service and UniFi service using environment variables.


Environment variables:

Variable Default Description
BIND_PRIV false Set to true to allow UniFi process to bind to container internal ports < 1024
DEBUG false Set to true for extra container and UniFi verbosity for debugging
JVM_EXTRA_OPTS unset Any additional custom run flags for the container Java process
JVM_INIT_HEAP_SIZE unset Sets the start and min memory size for the container Java process (-Xms)
JVM_MAX_HEAP_SIZE 1024M Sets the max memory size for the container Java process (-Xmx)
LOGSTDOUT true Set to false to disable the UniFi process log output to STDOUT. System will still output to log volume files if configured.
PGID 999 Specifies the GID for the container internal unifi group (used for file ownership)
PUID 999 Specifies the UID for the container internal unifi user (used for process and file ownership)
READENV true Set to false to disable environment variables conversion to UniFi system.properties settings.
RUN_CHOWN true Set to false to disable the container automatic chown at startup. Speeds up startup process on overlay2 Docker hosts. NB/IMPORTANT: It's critical that you insure directory/data permissions on all mapped volumes are correct before disabling this or UniFi and/or Mongo will not start.
RUNAS_UID0 false Set to true to force the container to run the Java/Mongo processes as UID=0 (root) - workaround for setcap AUFS missing xargs failure - NB/IMPORTANT: running with this set to "true" is insecure

Recommended UniFi system.properties converted environment variables to externalize Mongo DB via docker-compose:

Variable Recommended Setting Description
DB_MONGO_LOCAL false Setting this to false tells UniFi that we're using an external Mongo DB
DB_MONGO_URI mongodb://mongo:27017/unifi This sets the URI that UniFi should connect to for the main configuration database
STATDB_MONGO_URI mongodb://mongo:27017/unifi_stat This sets the URI that UniFi should connect to for the statistics database
UNIFI_DB_NAME unifi Sets a database name that can be connected and managed on the external Mongo DB server, must match with the URI variables (IE: unifi, unifi_stat = unifi).

NB/IMPORTANT: Although I've been running my own deployments with an external DB without issue with these settings externalizing the DB, just like running the app itself in a Docker container, is considered experimental and totally unsupported by UBNT. Full documentation for an external DB setup is outside the scope of this README and is left as an exercise for the interested reader. Additional information available on the UBNT forums in this post and in the PDF post linked below.

Additional UniFi system.properties config file settings can be passed to the container as -e/--env/environment flags at runtime (more detail and a PDF with UBNT examples here). Envrionment variables must be in ALL CAPS and replace "." with "_". -- IE:

system.properties Environment Variable
unifi.db.extraargs UNIFI_DB_EXTRAARGS
unifi.https.hsts UNIFI_HTTPS_HSTS

SSL custom certificate auto-configuration support (LetsEncrypt, etc.):

  1. Map the Docker host cert storage location or volume to the /usr/lib/unifi/cert volume exposed by the container
  2. Must contain a PEM format SSL private key corresponding to the SSL certificate to be installed. Private key file MUST be named privkey.pem.
  3. Must contain a PEM format SSL certificate file with the full certification chain. LetsEncrypt handles this automatically, other providers may need manual work (https://www.digicert.com/ssl-support/pem-ssl-creation.htm). Certificate file MUST be named fullchain.pem.
  4. Start the container. SSL import and Java keystore update process is automated during startup. Status, errors, etc. can be found in the container log, IE: docker logs "containername"
  5. Existing keystore file will be backed up to /usr/lib/unifi/data/keystore-"epochseconds"
  6. Java keystore is only updated when changes to the certificate files are detected. To force a re-import of existing files delete the unificert.sha256 file in ./cert and restart the container.

If you don't want to use a custom SSL certificate then the /usr/lib/unifi/cert volume can be left unmapped. Alternatively if the privkey.pem and/or fullchain.pem file are not present SSL customization will be skipped.

To revert from a custom cert to a UniFi self-signed certificate stop the container, rename or remove ./data/keystore, and restart the container. The UniFi application will automatically generate a new keystore file with a new self-signed cert.


beta and bleeding-edge official tag warning

NOT RECOMMENDED FOR USE IN A PRODUCTION ENVIRONMENT - FOR TESTING/LABS ONLY

There have been past UniFi beta and official releases with AP bricking firmware, network breaking bugs, etc.

Proceed with caution! Use at your own risk.

If you're going to use these images please make sure you create a UBNT community account: https://community.ui.com/

Instructions for how to sign up for beta/early access at: https://help.ui.com/hc/en-us/articles/204908664-How-To-Sign-Up-for-Early-Access

Please make sure to participate in discussion and create bug reports for any issues you encounter with beta/early access releases.

USE BETA/BLEEDING-EDGE RELEASES AT YOUR OWN RISK - REPEAT: NOT RECOMMENDED FOR USE IN A PRODUCTION ENVIRONMENT WITHOUT EXTENSIVE TESTING