For the last six months or so, I have been using TP-Link’s Omada wireless solution in my home. It works well, it’s not UniFi (I’m not a fan of Ubiquiti products) and is fairly straightforward to configure. As I was in a pinch when I installed the system, I simply spun up a Docker container I found in Docker Hub of the Omada controller which has been running since. I decided that I wanted to tear that Docker host down and use it for something else so I decided to try and install a new version of the Omada controller onto a Z83 Minix running AlmaLinux 8.5. This is going to be a bare metal installation of Omada 5.1.7 on a host that will more or less be dedicated to use for running the Omada SDN controller software.
Prerequisites
I started with a base installation of AlmaLinux 8.5 on the Minix Z83. I performed a minimal install from the DVD iso as I performed the initial installation offline and then upgraded once I got the Minix moved over to my Minix stack (literally a stack of Z83’s on top of one another that are powered via WiFi Texas PoE splitters). Once configured I updated the host using sudo dnf update -y
and then let the host download and install various updates (a security patch for the kernel mainly).
Omada requires the installation of Java’s Headless Runtime Environment (JRE) version 8 or newer and MongoDB version 5. To install JRE and tar (as Alma does not have tar installed in the minimal install), simply issue the command sudo dnf install java-11-openjdk-headless java-11-openjdk-devel tar -y
and let DNF install the package. MongoDB takes a little more work though.
In order to install MongoDB, we first have to create a repo file in /etc/yum.repos.d/
. So change directory to that path and then open the text editor of your choosing (I’m good with vi but nano and vim work as well) and add the following contents to a file named mongodb-org-4.4.repo. It’s worth noting there appears to be a known issue with MongoDB 5 that causes it to dump the core whenever you attempt to start it.
[mongodb-org-5.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
Save and close the file then issue sudo dnf install mongodb-org
and which will cause the repo list to be updated, prompt to verify the import of the gpgkey and then prompt to verify installation of MongoDB. Once completed, SELinux may need to be modified if it is running in enforcing mode. Enforcing mode is enabled in AlmaLinux but to check and see if is is enabled you can issue the command sudo sestatus enforcing
which will return something similar (note Current mode: enforcing).
sudo sestatus enforcing
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Now we will need to create policies to allow MongoDB access to cgroup and netstat. First, start by verifying that checkpolicy is installed by issuing sudo dnf install checkpolicy
which was not installed on my instance of AlmaLinux. Next we will need to create a file named mongodb_cgroup_memory.te with the following (simply copy and paste into commandline).
cat > mongodb_cgroup_memory.te <<EOF
module mongodb_cgroup_memory 1.0;
require {
type cgroup_t;
type mongod_t;
class dir search;
class file { getattr open read };
}
#============= mongod_t ==============
allow mongod_t cgroup_t:dir search;
allow mongod_t cgroup_t:file { getattr open read };
EOF
Next we will apply the policy to SELinux using the following commands.
checkmodule -M -m -o mongodb_cgroup_memory.mod mongodb_cgroup_memory.te
semodule_package -o mongodb_cgroup_memory.pp -m mongodb_cgroup_memory.mod
sudo semodule -i mongodb_cgroup_memory.pp
The finial command could take some time to finish.
Now we need to do the same for a netstat policy by creating the following file.
cat > mongodb_proc_net.te <<EOF
module mongodb_proc_net 1.0;
require {
type sysctl_net_t;
type mongod_t;
class dir search;
class file { getattr open read };
}
#============= mongod_t ==============
#!!!! This avc is allowed in the current policy
allow mongod_t sysctl_net_t:dir search;
allow mongod_t sysctl_net_t:file open;
#!!!! This avc is allowed in the current policy
allow mongod_t sysctl_net_t:file { getattr read };
EOF
And applying the policy with the following.
checkmodule -M -m -o mongodb_proc_net.mod mongodb_proc_net.te
semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod
sudo semodule -i mongodb_proc_net.pp
Again, the finial command may take some time to finish loading the policy. Now we can download and install the Omada controller.
Now we can start and enable MongoDB and install jsvc. Jsvc must be installed from source from Apache.
curl https://dlcdn.apache.org//commons/daemon/source/commons-daemon-1.3.0-src.tar.gz -o commons-daemon-1.3.0-src.tar.gz
tar xzvf commons-daemon-1.3.0-src.tar.gz
cd commons-daemon-1.3.0-src/src/native/unix
./configure --with-java=/usr/lib/jvm/java-11-openjdk-11.0.14.1.1-2.el8_5.x86_64
make
sudo cp jsvc /usr/bin/
sudo systemctl start mongod
sudo systemctl enable mongod
Installing Omada
Dowloading Omada is fairly straightforward and can be done using wget or curl. As I will be downloading the tar.gz file, will also unzip it.
curl https://static.tp-link.com/upload/software/2022/202203/20220322/Omada_SDN_Controller_v5.1.7_Linux_x64.tar.gz -o Omada_SDN_Controller_v5.1.7_Linux_x64.tar.gz
tar zxvf Omada_SDN_Controller_v5.1.7_Linux_x64.tar.gz
This will create a folder named Omada_SDN_Controller_v5.1.7_Linux_x64
in which contains an executable shell script named install.sh
. To install the Omada controller, execute ./install.sh
and answer the prompts. If all goes well, Omada should successfully start but we aren’t done yet as most everything will be actively being blocked by the firewall rules that ship with EL based distributions.
Configuring Firewall Rules
To configure the firewall, we will enter a series of commands to open ports on the Minix.
sudo firewall-cmd --add-port=8088/tcp --permanent
sudo firewall-cmd --add-port=8043/tcp --permanent
sudo firewall-cmd --add-port=8843/tcp --permanent
sudo firewall-cmd --add-port=29810/udp --permanent
sudo firewall-cmd --add-port=29811/tcp --permanent
sudo firewall-cmd --add-port=29812/tcp --permanent
sudo firewall-cmd --add-port=29813/tcp --permanent
sudo firewall-cmd --add-port=29814/tcp --permanent
sudo firewall-cmd --add-port=27001/udp --permanent
sudo firewall-cmd --add-port=27217/udp --permanent
sudo firewall-cmd --reload
Now some of these ports don’t need to be opened, especially if you are creating a new instance of Omada as they are only relevant when upgrading from older releases of Omada and as I was standing up this box along side an existing 4.x installation of Omada, I was attempting to keep legacy ports open so I could import my old configuration into the new controller. For a full list of ports needed for Omada can be found at https://www.tp-link.com/us/support/faq/3281/ but to summarize, for a new installation you should only need 8088/tcp, 8043/tcp, 8843/tcp, 29810/udp, 29814/tcp, 27001/udp, and 27217/tcp.
Once all of that is done, Omada should function like it would on TP-Link’s hardware controller or any previous Omada installation that you may have.