host_pid does not work in s6 v3 (#1336)

* `host_pid` does not work in s6 v3

* Mention s6 issue in docs

* Add overriding `/init` option

* Correct options in add-on config doc

* Remove temporary workaround
This commit is contained in:
Mike Degatano 2022-05-18 03:53:06 -04:00 committed by GitHub
parent 59df487ca1
commit 7e931df53f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 1 deletions

View File

@ -43,3 +43,15 @@ You have to tweak your [AppArmor profile](/docs/add-ons/presentation#apparmor) t
/run/{,**} rwk,
/dev/tty rw,
```
## `host_pid` option
Addons running without protection mode enabled can set `host_pid: true` in their configuration. As described in the [documentation](https://developers.home-assistant.io/docs/add-ons/configuration#optional-configuration-options):
> Allow to run container on host PID namespace. Works only for not protected add-ons.
This is a problem because S6 expects to be PID 1 (it's literally in the [tagline](https://github.com/just-containers/s6-overlay#s6-overlay-)) and that's impossible when using the host PID namespace.
In V2, S6 didn't actually check that it was running as PID 1. This is why it "worked" when in this mode in the past (although it required some [workarounds](https://github.com/hassio-addons/addon-glances/blob/8575d7903ef4c0a7c49e9ab32e0536bd2eb12dd6/glances/rootfs/bin/s6-nuke) to keep s6 from breaking systems when running this way). In V3 S6 checks that it is actually PID 1 and refuses to start otherwise.
To fix this, don't use s6 overlay in your addon as it's not designed for this use case. You can continue to use the addon base images by overriding `/init` with a no-op script and then use the normal docker init system. Or you can switch to a different base image like stock alpine or debian and add what you need.

View File

@ -141,7 +141,7 @@ Note: Avoid the use of this filename for anything other than add-on configurati
| `host_network` | bool | `false` | If `true`, the add-on runs on host network.
| `host_ipc` | bool | `false` | Allow to share the IPC namespace with others.
| `host_dbus` | bool | `false` | Map the host D-Bus service into the add-on.
| `host_pid` | bool | `false` | Allow to run container on host PID namespace. Works only for not protected add-ons.
| `host_pid` | bool | `false` | Allow to run container on host PID namespace. Works only for not protected add-ons. **Warning:** Does not work with S6 Overlay. If need this to be `true` and you use the normal add-on base image you disable S6 by overriding `/init`. Or use an alternate base image.
| `devices` | list | | Device list to map into the add-on. Format is: `<path_on_host>`. E.g., `/dev/ttyAMA0`
| `homeassistant` | string | | Pin a minimum required Home Assistant Core version for the add-on. Value is a version string like `0.91.2`.
| `hassio_role` | str | `default` |Role-based access to Supervisor API. Available: `default`, `homeassistant`, `backup`, `manager` or `admin`