06-22-2017 10:05 AM
I did and am now getting a UniFi Setup Wizard on my localhost:8443/. Tried to restore from backup, but cannot find it or it states I do not have permission even though I have root access......
Use the same user you used when you set up Unifi on the host system. To get the correct system rights you have to use 'sudo'. If you log in as 'root' you will get another home directory, etc.
It looks like you have started a new instance of Unifi as 'root' and not as your normal Unifi user. So log in as 'root' to the Unifi host system and issue: systemctl stop unifi. Log in to the host system as you did when you set up unifi and issue my above solution using 'sudo' to get the proper rights.
Hope this helps...
06-23-2017 08:45 AM
Regarding the workaround post for this issue: https://community.ubnt.com/t5/UniFi-Wireless/IMPORTANT-Debian-Ubuntu-users-MUST-READ-Updated-06-21/t...
Will this change need to be reverted when a kernel fix is implemented?
If so, can UBNT provide remediation steps as a follow up to the post linked above?
@dac1319 Hi Andy,
Yes it would be best to revert afterwards. Really it depends. If that is the only line in the default file, then you just remove the default file. If there are other lines, then you'd have to remove that line.
I will update the sticky posts to mention this.
06-25-2017 12:57 PM
I was able to get mine to work: basically rebuilt Ubuntu 16 LTS from scratch, installed latest unifi 5.4.16, applied the workaround given here, and I'm back.
I did the same. Built an entirely fresh VM with 5.4.16 and adopted all my UniFi devices over.
Frustratingly, I have to leave the wounded VM running as the UniFi NVR is on there until I get time to build it on the new one.
06-26-2017 06:26 AM
I'd just like to throw in a thank you. Although this is a different product, we still have some 'customers' here using CF9 (completely unsupported and want them off, working on that) on Red Hat 6.
The JRun engine behind it was hitting the same crashing scenario and the -Xss1280K resolved that as well. CF11 with Tomcat on the backend didn't hit the issue.
06-26-2017 03:47 PM - edited 06-26-2017 03:47 PM
sudo sed -i -e 's/^JSVC_EXTRA_OPTS=$/JSVC_EXTRA_OPTS="-Xss2m"/' /usr/lib/unifi/bin/unifi.init
This worked for me on Ubuntu 16.10 with latest updates as of an hour ago. Using 1280k wasn't enough memory.
06-26-2017 05:12 PM - edited 06-26-2017 05:38 PM
I'd like to start off by saying I am an AV installer first and a hack IT installer second. Have had my unifi server running nicely until this recent bug. Have attempted to follow the instructions. It appears that I forgot (didn't know) to close my putty after the code so it got some extra lines of code including my garish typos.
So I ran cat /etc/default/unifi:
Here is what I got:
Rebooted Server and still no access.
Ran service status check and got the following:
Any suggestions? Thank you. Running Ubuntu 16.04.1 LTS
06-26-2017 09:02 PM
The easiest might be for you to remove /etc/default/unifi and start again:
sudo rm /etc/default/unifi
Then enter the command @UBNT-MikeD recommended:
echo "JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"" | sudo tee -a /etc/default/unifi
Then reboot your system.
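An idempotent way to apply the /etc/default/unifi workaround from this thread and to revert it once a fixed kernel is installed, following the rule given earlier (remove only that line, or the whole file if nothing else is in it). This is an added example, not part of any post and not UBNT's own tooling; the UNIFI_DEFAULTS override, the marker comment and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. UNIFI_DEFAULTS is a hypothetical override so the functions
# can be tried on a scratch file; the path from the thread is the default.
UNIFI_DEFAULTS="${UNIFI_DEFAULTS:-/etc/default/unifi}"
MARK='# stack-guard workaround (remove once a fixed kernel is installed)'

# Append the -Xss override once; a second run leaves the file unchanged,
# which avoids the duplicated lines reported earlier in the thread.
apply_workaround() {
    size="${1:-1280k}"      # the thread also reports needing 2m
    if [ -f "$UNIFI_DEFAULTS" ] &&
       grep -q '^JSVC_EXTRA_OPTS=.*-Xss' "$UNIFI_DEFAULTS"; then
        echo "workaround already present in $UNIFI_DEFAULTS" >&2
        return 0
    fi
    printf '%s\n%s\n' "$MARK" \
        "JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss$size\"" >> "$UNIFI_DEFAULTS"
}

# Remove only the workaround lines; delete the file if nothing else remains.
revert_workaround() {
    [ -f "$UNIFI_DEFAULTS" ] || return 0
    tmp="$(mktemp)" || return 1
    grep -v '^JSVC_EXTRA_OPTS=.*-Xss' "$UNIFI_DEFAULTS" |
        grep -v -x -F -e "$MARK" > "$tmp" || true
    if grep -q '[^[:space:]]' "$tmp"; then
        cat "$tmp" > "$UNIFI_DEFAULTS"   # keeps owner and mode of the original
    else
        rm -f "$UNIFI_DEFAULTS"
    fi
    rm -f "$tmp"
}

# Stand-alone use (as root): sh thisfile apply [size] | sh thisfile revert
case "${1:-}" in
    apply)  apply_workaround "${2:-1280k}" ;;
    revert) revert_workaround ;;
esac
```

Restart the controller (or reboot, as the posts above do) after either action so jsvc picks up the changed options.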
06-26-2017 10:15 PM
Can people simply hold off from running sudo apt-get update and sudo apt-get upgrade until the kernel is updated?
Is it safe to say they wait a month and don't touch their Ubuntu install, things will be good again?
This is going to burn a lot of unknowing people and cost them time and money.
06-27-2017 02:55 AM
@Sam99 Thank you for the suggestions.
I performed the remove directory and then ran the hotfix suggestion. Still no luck.
Here is my /cat results
It looks like I did things correctly.
And below is my service unifi status results.
Which appears to be working.
Any suggestions would be exceptionally helpful! Thank you.
06-27-2017 04:22 AM
I ran into an issue like you are experiencing. The service showed as running but the controller was not accessible. By default on Ubuntu the Unifi controller starts slowly after a reboot, but you can fix this by installing haveged.
sudo apt-get update
sudo apt-get install haveged
Reboot after installing and you should be back in business.
06-27-2017 12:20 PM
@Ambul yes, you can place an apt-mark hold on the packages that are to get updated (specifically kernel and headers.)
The general advice is though that you want to update the kernel to be on top of security updates. I think your decision should rest on where your server resides. If it is local with no outside access then you can probably afford to wait on the update.
If you are like me and the server is in the cloud, then I would advise to upgrade and then issue the prescribed fix.
06-27-2017 12:29 PM
Take a look at some of the comments above; other users were having trouble with the 1280K value not being high enough. Try implementing their solutions first.
The suggestion by @sgtpoliteness to wait a while after a reboot to see if you can connect and/or installing haveged is good. Haveged is useful for other reasons apart from UniFi.
(I compared the service status output in your comment to that from one of our UniFi servers and ours has an additional line under CGroup that yours is missing:
└─2008 bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --logappend --logpath logs/mongod.log --nohttpinterface --bind_ip 127.0.0.1
So this could be a symptom of the 1280K issue, or the timing issue, or you might have a Mongo database problem.)
If none of this works, you could try deleting /etc/default/unifi and reverting to an earlier kernel. See my comment earlier in this thread for instructions.
(That's just a temporary bypass to see if you can get things working again until a patched kernel is available; you don't want to remain on the older kernel forever.)
06-27-2017 12:36 PM - edited 06-27-2017 12:48 PM
I am going to answer my own question here...
According to https://tracker.debian.org/pkg/linux :
linux (3.2.89-2) wheezy-security; urgency=high
  * Revert previous fixes for CVE-2017-1000364 (Closes: #865303)
This is the only kernel that I see (for any dist) thus far to have reverted the fix.
I can confirm that, for Debian 7 users, the 3.2.89-2 kernel has fixed the issue and that the /etc/default/unifi file is no longer required.
06-27-2017 12:42 PM
An update from the security mailing list as well:
Debian Security Advisory DSA-3886-2                   email@example.com
https://www.debian.org/security/                     Salvatore Bonaccorso
June 27, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : linux
Debian Bug : 865303
The security update announced as DSA-3886-1 caused regressions for some applications using Java - including jsvc, LibreOffice and Scilab - due to the fix for CVE-2017-1000364. Updated packages are now available to correct this issue.
06-27-2017 03:20 PM
I'm seeing the same thing here. Debian 9 is fixed. I'm still waiting for my Ubuntu to update.
06-27-2017 07:18 PM
According to the CVE
"An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010)."
So install 4.11.6 from the Ubuntu or Debian repos... they are there...
For instance on an x64 system, you'd do..
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.11.7/linux-headers-4.11.7-041107_4.11.7-041107.201706240231_all.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.11.7/linux-headers-4.11.7-041107-generic_4.11.7-041107.201706240231_amd64.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.11.7/linux-headers-4.11.7-041107-lowlatency_4.11.7-041107.201706240231_amd64.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.11.7/linux-image-4.11.7-041107-generic_4.11.7-041107.201706240231_amd64.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.11.7/linux-image-4.11.7-041107-lowlatency_4.11.7-041107.201706240231_amd64.deb
sudo dpkg -i linux-headers-4.11* linux-image-4.11*
06-27-2017 07:56 PM
@OnTheGrind The kernel package they released a while back that introduced the fix addressing the CVE caused regressions in several software packages, per the bug notes a few posts up. Have you successfully run the UniFi controller on 4.11.7? I don't recall if any of the other participants in this discussion went there or not.
Anyhow, that might work for Ubuntu users, but Debian users at this point only need to perform a regular update (apt-get update && apt-get upgrade) to clear the issue because an appropriate fix has been loaded into the kernel package (4.9.x for Debian 9). (You should not install Ubuntu packages on Debian. I realize you probably already know this, but I mention it for the benefit of those who find us after a panicked Google search...)
Here is the package info for the kernel version that fixes the issue on Stretch:
Package: linux-image-4.9.0-3-amd64
Version: 4.9.30-2+deb9u2
Priority: optional
Section: kernel
Source: linux
Maintainer: Debian Kernel Team <firstname.lastname@example.org>
Installed-Size: 190 MB
Depends: kmod, linux-base (>= 4.3~), initramfs-tools (>= 0.120+deb8u2) | linux-initramfs-tool
Recommends: firmware-linux-free, irqbalance
Suggests: linux-doc-4.9, debian-kernel-handbook, grub-pc | grub-efi-amd64 | extlinux
Breaks: initramfs-tools (<< 0.120+deb8u2), xserver-xorg-input-vmmouse (<< 1:13.0.99)
Homepage: https://www.kernel.org/
Download-Size: 38.7 MB
APT-Manual-Installed: no
APT-Sources: http://security.debian.org stretch/updates/main amd64 Packages
Description: Linux 4.9 for 64-bit PCs
 The Linux kernel 4.9 and modules for use on PCs with AMD64, Intel 64 or VIA Nano processors.
 .
 This kernel also runs on a Xen hypervisor. It supports both privileged (dom0) and unprivileged (domU) operation.