-
Notifications
You must be signed in to change notification settings - Fork 639
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add-on with "devices:" config entry does not allow to access device nodes anymore #2690
Comments
Please allow me to directly tag @pvizeli and @agners here to get their attention to this ticket/issue since I feel they could immediately help in trying to help or identify the root cause here since we lately had contact regarding new So if you guys have any idea what might be wrong here, please let me know. Some versions ago I could really perfectly start the add-on without any elevated |
Yes, zram is blocked because we not allow add-ons to access to such nodes. We use that for the OS. You can only access to that node with disabled protection mode. If you need zram, your add-on is not compatible with our eco system, you can use this add-on only with disabled protection mode. |
I was using
And even thought I defined these dev nodes in |
@pvizeli Sorry to bother you once again, but is there any chance that add-ons can use the I really think it would be worth allowing add-ons to explicitly define device nodes (while internally keeping a black list for no-go device nodes exclusively protected by the supervisor) they would like to have access (e.g. because they generate them on their own) to without forcing them into unprotected mode and thus confuse users of such add-ons by having to disable protection mode altogether. I would really like to get my add-on working without having to disable protection mode altogether. As said, |
If they show themselves as uart interface, they should get access over Make also sure, that you have not run an udev daemon inside your container because they get out of sync over time. Just add |
@pvizeli Thanks for the hint. I will try to test/analyze that and let you know what I find out. But please note that not all devices my add-on need are actualy uart devices. See the list, it also requires access to, e.g. |
Right:
That will allow you to access all uart devices (subsystem=tty) and if available, the /dev/i2c-0. But that work only for devices which you see on |
@pvizeli Thanks again, I changed the
This application tries to access the |
|
That would be great, thanks. The actual
Please note, on top of that another process of my add-on (
Thus, the protected container would also need to be able to access these slave char devices, which is currently not possible. |
Can you use somethings like: https://github.com/home-assistant/operating-system/blob/dev/buildroot-external/rootfs-overlay/usr/lib/udev/rules.d/99-hmip-rfusb.rules ? It's not possible to adjust the cgroup devices permission at runtime. Means you need call |
I don't think that this is possible. As said the
The devices in question look like: - attributes:
DEVNAME: /dev/eq3loop
DEVPATH: /devices/virtual/eq3loop/eq3loop
MAJOR: "235"
MINOR: "0"
SUBSYSTEM: eq3loop
by_id: null
dev_path: /dev/eq3loop
name: eq3loop
subsystem: eq3loop
sysfs: /sys/devices/virtual/eq3loop/eq3loop
- attributes:
DEVNAME: /dev/mmd_hmip
DEVPATH: /devices/virtual/eq3loop/mmd_hmip
MAJOR: "235"
MINOR: "1"
SUBSYSTEM: eq3loop
by_id: null
dev_path: /dev/mmd_hmip
name: mmd_hmip
subsystem: eq3loop
sysfs: /sys/devices/virtual/eq3loop/mmd_hmip
- attributes:
DEVNAME: /dev/mmd_bidcos
DEVPATH: /devices/virtual/eq3loop/mmd_bidcos
MAJOR: "235"
MINOR: "2"
SUBSYSTEM: eq3loop
by_id: null
dev_path: /dev/mmd_bidcos
name: mmd_bidcos
subsystem: eq3loop
sysfs: /sys/devices/virtual/eq3loop/mmd_bidcos Would really be great to have some methodology in the supervisor or |
If you have the device exists on But what you saw is, you can't use the |
@pvizeli Thanks for your comments. Let me explain first that of course the add-on works fine with Most of the stuff within the add-on already works with protection mode enabled and in the past (some supervisor versions ago) the add-on also worked completely in protection mode. But at some point in time it stopped because you probably changed the logic regarding Edit: |
Your driver uses not specify MAJOR:MINOR, they are different based on Linux Kernel and which kind of devices the user have. You will maybe show all time the same number, but that number is only for this system and maybe some other with exactly the same configuration/kernel. The reason why we evaluate the major un runtime for such devices. There is another way, Using |
You are right. I didn't consider this. However, what I still don't understand is, why this was already working in the past when then
That would be great, indeed. Is there any planned ETA for that? Because I would rather not write another |
There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. |
This issue indeed still exists and is relevant since I would really like to get my RaspberryMatic HA add-on to not force users into disabling protection mode. And some work has already been started on getting this situation improved. @pvizeli and ETA for getting this done? |
I need to finish #2811 - but it looks like I can't finish it this month, too many stuff on my list :( |
No problem. Take your time, I just wanted to make sure you won't forget it. If during the next months it will be possible to remove the requirement for disabling protection mode for my add-on, this is fine with me. Thanks in advance! |
There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. |
@pvizeli two more months have past since my last comment here and it seems you have finished #2811. Any chance you can work on this issue anytime soon because with the latest HA core my RaspberryMatic HA addon is now even rated 1 even thought protected mode is not disabled. And this would definitely make some users wonder if it is safe to use this addon or not while IMHO it is quite uninvasive in its current sense. |
There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. |
Please allow me to reopen this ticket. Is there any chance that there will be any progress here since os-agent is now merge for a long time and it would be great to get this issue fixes/resolved somehow. |
Whenever something gets merged onto main it gets built and a new dev release hits the dev channel (see https://github.com/home-assistant/supervisor/actions/runs/1751928414, in thise case
|
Thanks for the hints regarding updating the supervisor to the latest dev version. And "hooray" 🎉 I could perfectly verify that with these changes here from @pvizeli together with the latest HAos 8.0dev version a RaspberryMatic add-on with enabled protection mode ( So the RaspberryMatic add-on now gets a green 6 rating as an add-on while it is perfectly able to load/unload all necessary kernel modules for using all homematic rf modules. As it seems the only things missing are now:
Afterwards we/I can then try to get multicast udp running. Thus solving home-assistant/plugin-multicast#17 and to jens-maus/RaspberryMatic#1373 So when exactly is (1) and (2) going to be happening? |
|
Describe the issue you are experiencing
Since the logic for the
devices:
entry in theconfig.json
of add-on has changed some supervisor versions ago, I am not able to properly access certain device nodes in/dev
even thought these device nodes are perfectly defined in the correspondingconfig.json
of the developed test add-on (see https://github.com/jens-maus/ha-addon-raspmatic/blob/main/home-assistant-addon-strict/config.json#L21-L32)What is the used version of the Supervisor?
supervisor-2021.03.04
What type of installation are you running?
Home Assistant OS
Which operating system are you running on?
Home Assistant Operating System
What is the version of your installed operating system?
6.0dev
What version of Home Assistant Core is installed?
core-2021.3.1
Steps to reproduce the issue
RaspberryMatic CCU (strict)
add-on listeddocker exec -it ...
)cat /dev/zram0
and see that it returnsRaspberryMatic CCU
from the same shopconfig.json
of the "strict" add-on version is, thatfull_access
is not set to true and thedevices:
entry is used and defines/dev/zram0
as a valid access device, thought the strict add-on is still not able to access the device properly.Anything in the Supervisor logs that might be useful for us?
The only logout I see when starting the strict add-on is:
See, that I didn't see any further output that might be helpful in seeing if the supervisor provides enough access to the add-on to be able to access the device nodes it requests access for using the
devices:
section inconfig.json
. In addition, I couldn't even spot something in thedocker inspect
output of the container that shows up access assignment for the configured device nodes.As outlined, in some previous versions a similar add-on
config.json
withoutfull_access
and enoughprivileged
capabilities setting perfectly allowed to access all defined device nodes from the previousdevices:
config setting. However, after the change (and potentially also some other additional changes) this behaviour somehow broke and now I always have to start the add-on in privileged/non-protected mode to see it accessing the device nodes it requires.The text was updated successfully, but these errors were encountered: