https://github.com/fphammerle/docker-home-assistant

home-assistant running as unprivileged user on alpine
https://github.com/fphammerle/docker-home-assistant

docker docker-compose home-assistant home-automation unprivileged-user

Last synced: 5 days ago
JSON representation

home-assistant running as unprivileged user on alpine

• Host: GitHub
• URL: https://github.com/fphammerle/docker-home-assistant
• Owner: fphammerle
• Created: 2020-05-03T12:23:12.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2023-11-24T08:56:35.000Z (12 months ago)
• Last Synced: 2023-11-24T09:39:36.894Z (12 months ago)
• Topics: docker, docker-compose, home-assistant, home-automation, unprivileged-user
• Language: Dockerfile
• Homepage: https://hub.docker.com/r/fphammerle/home-assistant/tags
• Size: 144 KB
• Stars: 3
• Watchers: 2
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md

Awesome Lists containing this project

README

        
# docker: home assistant 🏡🐳

simple wrapper for

[home-assistant](https://github.com/home-assistant/home-assistant)'s

[official docker image](https://hub.docker.com/r/homeassistant/home-assistant).

changes:

* dropped `setuid` and `setgid` permission bits from all files

* run home assistant as an unprivileged user (instead of `root`)

guide: https://www.home-assistant.io/docs/installation/docker/

dockerfile: https://git.hammerle.me/fphammerle/docker-home-assistant/src/master/Dockerfile

signed docker image hashes: https://github.com/fphammerle/docker-home-assistant/tags

```sh

$ sudo docker run --name home_assistant \

    -v home_assistant_config:/config:rw \

    -p 8123:8123 \

    --read-only --tmpfs /home/hass/.config/async_dns:mode=1777,size=4k \

    --security-opt=no-new-privileges --cap-drop=all \

    --restart unless-stopped \

    fphammerle/home-assistant

```

## mount zwave dongle

```

$ cat /etc/udev/rules.d/zwave.rules

ACTION=="add", SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", SYMLINK+="zwave-dongle"

# check permissions of /dev/zwave-dongle

$ sudo docker run --device /dev/zwave-dongle:/dev/zwave-dongle …

```

## mount `/proc/device-tree`

Required by `Adafruit-DHT`:

https://github.com/adafruit/Adafruit_Python_DHT/blob/a609d7dcfb2b8208b88498c54a5c099e55159636/source/Raspberry_Pi_2/pi_2_mmio.c#L43

`/proc/device-tree` is a symlink to `/sys/firmware/devicetree/base`.

However, `docker run -v /sys/firmware/devicetree/base:/sys/firmware/devicetree/base:ro …` is ineffective.

Docker masks `/sys/firmware`:

https://github.com/moby/moby/pull/26618

https://github.com/docker/docker-ce/blob/v19.03.5/components/engine/oci/defaults.go#L127

Evil workaround:

```sh

# start container without explicitly mounting devicetree

$ sudo docker run --name home_assistant …

# umount shadowing tmpfs

$ sudo nsenter --target $(sudo docker inspect --format={{.State.Pid}} home_assistant) --mount umount /sys/firmware

```