
docker: home assistant 🏡🐳

simple wrapper for home-assistant's official docker image.

changes:

  • dropped setuid and setgid permission bits from all files
  • run home assistant as an unprivileged user (instead of root)

guide: https://www.home-assistant.io/docs/installation/docker/

dockerfile: https://git.hammerle.me/fphammerle/docker-home-assistant/src/master/Dockerfile

signed docker image hashes: https://github.com/fphammerle/docker-home-assistant/tags

$ sudo docker run --name home_assistant \
    -v home_assistant_config:/config:rw \
    -p 8123:8123 \
    --read-only --tmpfs /home/hass/.config/async_dns:mode=1777,size=4k \
    --security-opt=no-new-privileges --cap-drop=all \
    --restart unless-stopped \
    fphammerle/home-assistant

mount zwave dongle

$ cat /etc/udev/rules.d/zwave.rules
ACTION=="add", SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", SYMLINK+="zwave-dongle"
# check permissions of /dev/zwave-dongle
$ sudo docker run --device /dev/zwave-dongle:/dev/zwave-dongle …

mount /proc/device-tree

Required by Adafruit-DHT: https://github.com/adafruit/Adafruit_Python_DHT/blob/a609d7dcfb2b8208b88498c54a5c099e55159636/source/Raspberry_Pi_2/pi_2_mmio.c#L43

/proc/device-tree is a symlink to /sys/firmware/devicetree/base.

However, docker run -v /sys/firmware/devicetree/base:/sys/firmware/devicetree/base:ro … is ineffective.

Docker masks /sys/firmware: https://github.com/moby/moby/pull/26618 https://github.com/docker/docker-ce/blob/v19.03.5/components/engine/oci/defaults.go#L127

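Evil workaround (removes the mask over all of /sys/firmware for this container, not only devicetree, and has to be repeated whenever the container is started again):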

# start container without explicitly mounting devicetree
$ sudo docker run --name home_assistant …
# umount shadowing tmpfs
$ sudo nsenter --target $(sudo docker inspect --format={{.State.Pid}} home_assistant) --mount umount /sys/firmware
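
To check whether a container still has Docker's /sys/firmware mask in place (for example after a restart, or when auditing which containers had the workaround applied), the container's mountinfo can be inspected. This is an added example, not part of the original README; the function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original README.

# Constructed sample of a container's /proc/<pid>/mountinfo (values made up).
sample_mountinfo() {
cat <<'EOF'
618 507 0:52 / / ro,relatime master:210 - overlay overlay rw
621 618 0:55 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
640 621 0:60 / /sys/firmware ro,relatime - tmpfs tmpfs ro
EOF
}

# Reads mountinfo lines on stdin; prints "masked" if the last mount
# on /sys/firmware is a tmpfs, "exposed" otherwise.
firmware_mask_state() {
    awk '
        $5 == "/sys/firmware" {
            # optional fields end at the "-" separator; fstype follows it
            top = ""
            for (i = 7; i <= NF; i++)
                if ($i == "-") { top = $(i + 1); break }
        }
        END {
            if (top == "tmpfs") print "masked"
            else print "exposed"
        }
    '
}

# Hypothetical helper: run the same check against a running container,
# e.g. container_firmware_mask_state home_assistant
container_firmware_mask_state() {
    pid=$(sudo docker inspect --format '{{.State.Pid}}' "$1") || return 1
    sudo cat "/proc/$pid/mountinfo" | firmware_mask_state
}
```
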