Can't connect to mongodb for Unifi Network Application

Hi,
I’m about to go crazy trying to get the Unifi Network Application to work.
I have two docker compose files:

One file is to create the mongodb part, unifi_db.yml

---
version: "3.1"
services:
  unifi-db:
    image: docker.io/mongo:4.4.18
    ports:
      - 27017:27017
    environment:
      MONGO_INITDB_ROOT_USERNAME: admin
      MONGO_INITDB_ROOT_PASSWORD_FILE : /run/secrets/mongodb_admin_user_password
    container_name: unifi-db
    volumes:
      - db_data:/data/db
        # - ./init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro
    restart: unless-stopped
    secrets:
      - mongodb_admin_user_password
volumes:
  db_data:

secrets:
  mongodb_admin_user_password:
    file: /etc/docker/mongodb_admin_user_password.txt

The other one to instantiate the Unifi Network Application:

---
version: "3.1"
services:
  unifi-network-application:
    image: lscr.io/linuxserver/unifi-network-application:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Amsterdam
      - MONGO_USER=unifi
      - FILE__MONGO_PASS=/run/secrets/mongodb_unifi_user_password
      - MONGO_HOST=unifi-db
      - MONGO_PORT=27017
      - MONGO_DBNAME=unifi
      - MEM_LIMIT=1024 #optional
      - MEM_STARTUP=1024 #optional
    volumes:
      - db_data:/data/db
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 1900:1900/udp #optional
      - 8843:8843 #optional
      - 8880:8880 #optional
      - 6789:6789 #optional
      - 5514:5514/udp #optional
    restart: unless-stopped
    secrets:
      - mongodb_unifi_user_password
volumes:
  db_data:

secrets:
  mongodb_unifi_user_password:
    file: /etc/docker/mongodb_unifi_user_password.txt

Both compose files work fine.
Once the mongodb container is up and running, I connected to it with:

mongo -u admin -p

I enter my password and I’m in. Here I executed the following command to create a user called unifi, owner of a db called unifi:

db.getSiblingDB("unifi").createUser({user: "unifi", pwd: "KJDNFWI4R3R", roles: [{role: "dbOwner", db: "unifi"}, {role: "dbOwner", db: "unifi_stat"}]});

And I get a successful response:

Successfully added user: {
	"user" : "unifi",
	"roles" : [
		{
			"role" : "dbOwner",
			"db" : "unifi"
		},
		{
			"role" : "dbOwner",
			"db" : "unifi_stat"
		}
	]
}

However, the Unifi Network application can’t connect to the database!

I can’t understand what I’m doing wrong. I looked everywhere and I really can’t get the connection to work.

In the logs from the Unifi Network Application I see this:

[2023-10-17 17:25:10,082] <launcher> INFO  db     - Connecting to mongodb://unifi:~MONGO_PASS~@unifi-db:27017/unifi
[2023-10-17 17:25:11,255] <launcher> INFO  db     - db connection established...
[2023-10-17 17:25:12,634] <launcher> ERROR db     - Got error while connecting to db: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-256, userName='unifi', source='unifi', password=<hidden>, mechanismProperties=<hidden>}

What am I doing wrong?
Are the docker volumes set correctly?
Am I injecting the secrets in the right way?
Did I create the unifi db user in the right way?

Thank you in advance for the help.

why are you using the variables our documentation tells you not to use?

it just says don’t mix them. they’ve got the init.js commented out, definitely creating more work, but not a problem specifically.

Indeed, reading the documentation I spotted the line where it says to not mix the init.js method with the MONGO_INITDB variables.
I tried both ways (new container) since without the MONGO_INITDB I don’t have the Access Control feature enabled on mongodb.
I left the init.js line there but in my post I clearly said that I created the user unifi directly within the mongo shell.

You don’t need to be creating any users. You run mongo as the example shows in the documentation and that’s it. Once it’s initially deployed, you can remove the init line.

Which user doesn’t need to be created? The root user, you mean with that MONGO_INITDB_ROOT?
But then I would need to run

db.getSiblingDB("unifi").createUser({user: "unifi", pwd: "KJDNFWI4R3R", roles: [{role: "dbOwner", db: "unifi"}, {role: "dbOwner", db: "unifi_stat"}]});

right? Because that user is needed for the Unifi Network Application to connect to the DB, I assume.

I don’t feel like you’ve read the documentation correctly, specifically this part: GitHub - linuxserver/docker-unifi-network-application

I’m not seeing anything outwardly wrong with what you did, it’s pretty similar to what I did (in my case, I used an existing mongodb rather than new). I am on 5.0.13 and you’re on 4.4.18, seeing the error MongoCredential{mechanism=SCRAM-SHA-256, makes me wonder if there is some issue with scram-sha-256 in mongo4.4? You might try 5.x and see if the same issue presents.

As a note, you’ll get MUCH faster replies in discord

I tried again and again and I’m pretty much sure that the issue is with secrets with the Unifi Network Application container.
If I use the percentage encoded password in clear text in my docker compose file, in the logs I see this:

[2023-10-27 09:25:25,703] <launcher> INFO  db     - Starting database service initialization...
[2023-10-27 09:25:25,705] <launcher> INFO  db     - waiting for db connection...
[2023-10-27 09:25:26,209] <launcher> INFO  db     - Connecting to mongodb://unifi:R4v4b%25VSLHRdy6%2AAD%24@unifi-db:27017/unifi?tls=false&authSource=unifi
[2023-10-27 09:25:27,190] <launcher> INFO  db     - db connection established...
[2023-10-27 09:25:27,849] <launcher> INFO  db     - db connected (v4.4.18@mongodb://unifi:R4v4b%25VSLHRdy6%2AAD%24@unifi-db:27017/unifi?tls=false&authSource=unifi)
[2023-10-27 09:25:37,959] <launcher> INFO  db     - Database service initialized...

So basically, it can connect.

However,
if I try to use a secret to inject the password, this is the result:

[2023-10-27 09:29:52,616] <launcher> INFO  db     - Starting database service initialization...
[2023-10-27 09:29:52,618] <launcher> INFO  db     - waiting for db connection...
[2023-10-27 09:29:53,120] <launcher> INFO  db     - Connecting to mongodb://unifi:~MONGO_PASS~@unifi-db:27017/unifi?tls=false&authSource=unifi
[2023-10-27 09:29:54,049] <launcher> INFO  db     - db connection established...
[2023-10-27 09:29:55,227] <launcher> ERROR db     - Got error while connecting to db: Exception authenticating MongoCredential{mechanism=SCRAM-SHA-256, userName='unifi', source='unifi', password=<hidden>, mechanismProperties=<hidden>}

It seems that ~MONGO_PASS~ is not evaluated or it’s interpreted as a literal password.

By the way, I’m passing the secret in this way:

 - FILE__MONGO_PASS=/run/secrets/mongodb_unifi_password

I don’t get any error with secrets when creating the MongoDB container with:

 MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongodb_root_password

Ah and yes, if I enter the mongo container and I try to login with unifi user and its password, it works:

root@8e7ff42979ee:/# mongo -u unifi --authenticationDatabase unifi -p
MongoDB shell version v4.4.18
Enter password:
connecting to: mongodb://127.0.0.1:27017/?authSource=unifi&compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("e3c9297d-1934-4c39-bd97-1aa2e0a167d9") }
MongoDB server version: 4.4.18

Not really sure at this point what’s wrong.

for anyone who comes across this, the issue was a newline in the secrets.

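The fix reported in the last post, as an added example that is not part of the original thread: a shell check for a trailing newline (or CRLF) at the end of a secret file, and a rewrite of the file without it. The file names and the password are constructed for the demo; note that `echo` appends a newline while `printf '%s'` does not, and that shell command substitution drops trailing newlines whereas a byte-for-byte read keeps them.

```shell
#!/bin/sh
# Added example (not from the thread): find and remove a trailing newline
# in a Docker secret file. File names and the password are constructed.

# Succeeds (exit 0) when the last byte of file $1 is LF (0a) or CR (0d).
has_trailing_newline() {
    [ -s "$1" ] || return 1
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || [ "$last" = "0d" ]
}

# Rewrites file $1 in place without its trailing LF / CRLF, mode 0600.
strip_trailing_newline() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    content=$(cat "$1")            # $(...) drops every trailing LF
    cr=$(printf '\r')
    content=${content%"$cr"}       # drop the CR left over from a CRLF ending
    printf '%s' "$content" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$1"
}

# Byte count of file $1, to compare against the password length.
secret_bytes() {
    wc -c < "$1" | tr -d ' '
}

demo() {
    dir=$(mktemp -d) || return 1
    pass='Constructed-Pass%1'                      # 18 characters
    echo "$pass" > "$dir/with_newline.txt"         # echo appends LF
    printf '%s' "$pass" > "$dir/clean.txt"         # no LF written
    for f in "$dir/with_newline.txt" "$dir/clean.txt"; do
        if has_trailing_newline "$f"; then
            echo "$(basename "$f"): $(secret_bytes "$f") bytes, trailing newline"
            strip_trailing_newline "$f"
            echo "  rewritten: $(secret_bytes "$f") bytes"
        else
            echo "$(basename "$f"): $(secret_bytes "$f") bytes, ok"
        fi
    done
    rm -rf "$dir"
}

demo
```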