apiVersion: v1
kind: Pod
metadata:
  name: unifi            # becomes the pod name; containers are named <pod>-<container>
  labels:
    app: unifi
spec:
  restartPolicy: Always
  containers:
    - name: unifi
      image: lscr.io/linuxserver/unifi-network-application:latest
      ports:
        # hostPort publishes on the host; a rootless pod can only bind ports
        # at or above net.ipv4.ip_unprivileged_port_start (default 1024)
        - hostPort: 8443
          containerPort: 8443
        - hostPort: 8080
          containerPort: 8080
      env:
        - name: PUID
          value: '1000'
        - name: PGID
          value: '1000'
        - name: TZ
          value: Europe/Vienna
        - name: MONGO_USER
          value: unifi
        - name: MONGO_PASS
          value: changeme   # must equal MONGO_INITDB_ROOT_PASSWORD below; replace before deploying
        - name: MONGO_HOST
          value: 127.0.0.1  # containers in a pod share one network namespace (see below)
        - name: MONGO_PORT
          value: '27017'
        - name: MONGO_DBNAME
          value: unifi
        - name: MONGO_AUTHSOURCE
          value: admin
      volumeMounts:
        - name: vol-0
          mountPath: /config
    - name: mongodb
      image: docker.io/mongo:7
      env:
        - name: MONGO_INITDB_ROOT_USERNAME
          value: unifi
        - name: MONGO_INITDB_ROOT_PASSWORD
          value: changeme   # replace before deploying
      volumeMounts:
        - name: vol-1
          mountPath: /data/db
  volumes:
    # podman play kube maps each claimName to a named volume and creates it if missing
    - name: vol-0
      persistentVolumeClaim:
        claimName: unifi-config
    - name: vol-1
      persistentVolumeClaim:
        claimName: unifi-db
Prerequisites (once, as root)
0. Install Podman
apt update && apt install -y podman
1. Create the service user (if it does not exist yet)
useradd -m -s /bin/bash unifi
passwd unifi
2. Enable linger (the service keeps running after a reboot without a login)
loginctl enable-linger unifi
Save the YAML file
# The following steps run as the unifi user, not as root
mkdir -p ~/.config/containers/
# Copy the YAML above to:
nano ~/.config/containers/unifi.yaml
Test the pod (without autostart)
podman play kube ~/.config/containers/unifi.yaml
# Check status:
podman pod ps && podman ps
# Stop:
podman play kube --down ~/.config/containers/unifi.yaml
Create Quadlet .kube file
Place it at ~/.config/containers/systemd/unifi.kube
mkdir -p ~/.config/containers/systemd/
cat > ~/.config/containers/systemd/unifi.kube << 'EOF'
[Unit]
Description=unifi Pod

[Kube]
Yaml=%h/.config/containers/unifi.yaml

[Install]
WantedBy=default.target
EOF
Enable systemd service
systemctl --user daemon-reload
# Quadlet names the unit after the file (unifi.kube -> unifi.service). Generated
# units cannot be enabled with systemctl; the [Install] section above handles autostart.
systemctl --user start unifi.service
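A pre-deploy lint for the kube YAML, added here as an example (it is not part of the original notes, nor a Podman tool): it flags credentials embedded as plain env values, hostPorts below the unprivileged port start, and image references that are not pinned. It assumes only POSIX sh and awk, and the constructed sample at the end reproduces the risky lines of the YAML above.

```shell
#!/bin/sh
# lint_pod_yaml FILE [PORT_START]: pre-deploy checks for a Podman kube YAML.
# Added example, not from the page or from Podman; needs only POSIX sh and awk.
# PORT_START defaults to the live net.ipv4.ip_unprivileged_port_start
# (1024 if unreadable). Prints one finding per line; returns 1 if any, 0 if clean.
lint_pod_yaml() {
    start=${2:-$(sysctl -n net.ipv4.ip_unprivileged_port_start 2>/dev/null || echo 1024)}
    findings=$(awk -v start="$start" '
        # credential-looking env name whose value is inline in the YAML; a
        # valueFrom/secretKeyRef block instead of value: is not flagged
        /^[ \t]*-?[ \t]*name:[ \t]*[A-Za-z_]*(PASS|SECRET|TOKEN)/ { key = $NF; next }
        key != "" && /^[ \t]*value:/ { print "line " NR ": plaintext credential in env " key }
        { key = "" }
        # hostPort that a rootless pod cannot bind at the current unprivileged start
        /^[ \t]*-?[ \t]*hostPort:/ {
            port = $NF + 0
            if (port < start) print "line " NR ": hostPort " port " is below ip_unprivileged_port_start=" start
        }
        # image reference without tag or digest, or with the mutable :latest tag
        /^[ \t]*-?[ \t]*image:/ {
            n = split($NF, p, "/"); last = p[n]
            if (last ~ /:latest$/ || last !~ /[:@]/) print "line " NR ": image " $NF " is not pinned to a tag or digest"
        }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the risky lines of the pod YAML above plus one
# hostPort below 1024 to exercise the port check.
sample_yaml() {
    cat <<'EOF'
spec:
  containers:
    - name: unifi
      image: lscr.io/linuxserver/unifi-network-application:latest
      ports:
        - hostPort: 443
          containerPort: 8443
      env:
        - name: MONGO_PASS
          value: changeme
    - name: mongodb
      image: docker.io/mongo:7
EOF
}

f=$(mktemp); sample_yaml > "$f"
lint_pod_yaml "$f" 1024 || echo "status $?: fix findings before podman play kube"; rm -f "$f"
```

Run it against ~/.config/containers/unifi.yaml before `podman play kube`; the sample above yields three findings and exit status 1.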
Status & Logs
systemctl --user status unifi.service
journalctl --user -u unifi.service -f
podman pod ps
podman ps
Apply image updates
Pull new image versions and restart the pod:
podman pull docker.io/<image>:<tag>
podman play kube --replace ~/.config/containers/unifi.yaml
# or via systemd:
systemctl --user restart unifi.service
Ports < 1024 (e.g. 80, 443)
A rootless pod cannot bind privileged ports. Solution (as root):
sysctl net.ipv4.ip_unprivileged_port_start=80   # host-wide: every unprivileged user can then bind ports >= 80
Make it persistent in /etc/sysctl.d/99-podman.conf.
Containers communicate via localhost
All containers in the pod share the same network namespace, so they reach each other via localhost, not via container names.
# Correct (e.g. app → db): localhost:5432
# Wrong (does not work inside a pod): db-container:5432
List open ports
Which ports is the running pod listening on?
# The pod is named after metadata.name (unifi); its port mappings are held by the infra container
podman port unifi-infra
Custom DNS for the pod
Set a custom DNS server (e.g. a local Pi-hole):
# In the YAML under spec.dnsConfig:
spec:
  dnsConfig:
    nameservers:
      - 192.168.1.x
Set volume ownership
Fix permission errors by adjusting the UID/GID inside the user namespace (1000:1000 matches PUID/PGID in the YAML):
podman unshare chown 1000:1000 /path/to/volume
# For a named volume, the host path is: podman volume inspect -f '{{.Mountpoint}}' <volume-name>
SELinux volume labels
On SELinux systems (RHEL, Fedora) add a label suffix to bind mounts:
/host/path:/container/path:Z   # private: relabelled for this container only
/host/path:/container/path:z   # shared: several containers may use the path
List all volumes
podman volume ls
podman volume inspect <volume-name>
Volume backup
Back up data from a named volume (stop the pod first for a consistent copy of the database volume):
podman run --rm \
  -v <volume-name>:/data:ro \
  -v "$(pwd)":/backup \
  busybox tar czf /backup/backup.tar.gz /data
Cleanup
Remove unused images, containers and volumes:
podman system prune -f   # stopped containers + unused images
podman image prune -f    # untagged (dangling) images only
podman volume prune -f   # unused volumes: this deletes their data, check podman volume ls first
Automatic image updates (podman-auto-update)
Podman can automatically update images and restart the pod. Enable once:
systemctl --user start podman.socket
systemctl --user daemon-reload
systemctl --user enable --now podman-auto-update.timer
systemctl --user status podman-auto-update.timer
# Only containers opted in are updated; in the kube YAML this is the pod annotation
# metadata.annotations: io.containers.autoupdate/<container>: registry
Test without actually updating:
podman auto-update --dry-run
Manual update
Pull a new image version and restart the pod:
podman pull <image>:<tag>
podman play kube --replace \
  ~/.config/containers/unifi.yaml
Find outdated images
Check local images against the registry:
podman images --filter dangling=false
podman pull --all-tags <image>
Shell into a running container
# play kube names containers <pod>-<container>, e.g. unifi-unifi and unifi-mongodb
podman exec -it unifi-<container> /bin/sh
# or bash:
podman exec -it unifi-<container> /bin/bash
Follow live logs
# All containers in the pod:
podman pod logs -f unifi
# Single container:
podman logs -f unifi-<container>
Pod info & resource usage
podman pod inspect unifi
podman pod stats unifi
Restart pod without data loss
podman pod restart unifi
# or via systemd:
systemctl --user restart unifi.service