From 7e931df53fdefec18f3e23f8d69917fc269d0857 Mon Sep 17 00:00:00 2001 From: Mike Degatano Date: Wed, 18 May 2022 03:53:06 -0400 Subject: [PATCH] `host_pid` does not work in s6 v3 (#1336) * `host_pid` does not work in s6 v3 * Mention s6 issue in docs * Add overriding `/init` option * Correct options in add-on config doc * Remove temporary workaround --- blog/2022-05-12-s6-overlay-base-images.md | 12 ++++++++++++ docs/add-ons/configuration.md | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/blog/2022-05-12-s6-overlay-base-images.md b/blog/2022-05-12-s6-overlay-base-images.md index 83c85400..a2da9a77 100644 --- a/blog/2022-05-12-s6-overlay-base-images.md +++ b/blog/2022-05-12-s6-overlay-base-images.md @@ -43,3 +43,15 @@ You have to tweak your [AppArmor profile](/docs/add-ons/presentation#apparmor) t /run/{,**} rwk, /dev/tty rw, ``` + +## `host_pid` option + +Addons running without protection mode enabled can set `host_pid: true` in their configuration. As described in the [documentation](https://developers.home-assistant.io/docs/add-ons/configuration#optional-configuration-options): + +> Allow to run container on host PID namespace. Works only for not protected add-ons. + +This is a problem because S6 expects to be PID 1 (it's literally in the [tagline](https://github.com/just-containers/s6-overlay#s6-overlay-)) and that's impossible when using the host PID namespace. + +In V2, S6 didn't actually check that it was running as PID 1. This is why it "worked" when in this mode in the past (although it required some [workarounds](https://github.com/hassio-addons/addon-glances/blob/8575d7903ef4c0a7c49e9ab32e0536bd2eb12dd6/glances/rootfs/bin/s6-nuke) to keep s6 from breaking systems when running this way). In V3 S6 checks that it is actually PID 1 and refuses to start otherwise. + +To fix this, don't use s6 overlay in your addon as it's not designed for this use case. You can continue to use the addon base images by overriding `/init` with a no-op script and then use the normal docker init system. Or you can switch to a different base image like stock alpine or debian and add what you need. diff --git a/docs/add-ons/configuration.md b/docs/add-ons/configuration.md index 6d370ce5..4f710650 100644 --- a/docs/add-ons/configuration.md +++ b/docs/add-ons/configuration.md @@ -141,7 +141,7 @@ Note: Avoid the use of this filename for anything other than add-on configurati | `host_network` | bool | `false` | If `true`, the add-on runs on host network. | `host_ipc` | bool | `false` | Allow to share the IPC namespace with others. | `host_dbus` | bool | `false` | Map the host D-Bus service into the add-on. -| `host_pid` | bool | `false` | Allow to run container on host PID namespace. Works only for not protected add-ons. +| `host_pid` | bool | `false` | Allow to run container on host PID namespace. Works only for not protected add-ons. **Warning:** Does not work with S6 Overlay. If need this to be `true` and you use the normal add-on base image you disable S6 by overriding `/init`. Or use an alternate base image. | `devices` | list | | Device list to map into the add-on. Format is: ``. E.g., `/dev/ttyAMA0` | `homeassistant` | string | | Pin a minimum required Home Assistant Core version for the add-on. Value is a version string like `0.91.2`. | `hassio_role` | str | `default` |Role-based access to Supervisor API. Available: `default`, `homeassistant`, `backup`, `manager` or `admin`