From 121d483ea84acb4a0c3cf9e4a91b5a47682ac553 Mon Sep 17 00:00:00 2001 From: aptalca <541623+aptalca@users.noreply.github.com> Date: Fri, 19 Sep 2025 14:15:57 -0400 Subject: [PATCH 1/2] add caps to python binary for bt stack access --- .editorconfig | 0 .github/ISSUE_TEMPLATE/issue.bug.yml | 0 .github/ISSUE_TEMPLATE/issue.feature.yml | 0 .github/workflows/permissions.yml | 0 README.md | 7 +++++-- readme-vars.yml | 7 +++++-- root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run | 2 +- 7 files changed, 11 insertions(+), 5 deletions(-) mode change 100755 => 100644 .editorconfig mode change 100755 => 100644 .github/ISSUE_TEMPLATE/issue.bug.yml mode change 100755 => 100644 .github/ISSUE_TEMPLATE/issue.feature.yml mode change 100755 => 100644 .github/workflows/permissions.yml diff --git a/.editorconfig b/.editorconfig old mode 100755 new mode 100644 diff --git a/.github/ISSUE_TEMPLATE/issue.bug.yml b/.github/ISSUE_TEMPLATE/issue.bug.yml old mode 100755 new mode 100644 diff --git a/.github/ISSUE_TEMPLATE/issue.feature.yml b/.github/ISSUE_TEMPLATE/issue.feature.yml old mode 100755 new mode 100644 diff --git a/.github/workflows/permissions.yml b/.github/workflows/permissions.yml old mode 100755 new mode 100644 diff --git a/README.md b/README.md index c978204..daf328c 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,7 @@ In order to provide HA with access to the host's Bluetooth device, one needs to #### Docker Cli: ```bash ---cap-add=NET_ADMIN --cap-add=NET_RAW -v /var/run/dbus:/var/run/dbus:ro +--cap-add=NET_ADMIN --cap-add=NET_RAW -v /run/dbus:/run/dbus:ro ``` #### Docker Compose: 
@@ -86,9 +86,11 @@ In order to provide HA with access to the host's Bluetooth device, one needs to - NET_ADMIN - NET_RAW volumes: - - /var/run/dbus:/var/run/dbus:ro + - /run/dbus:/run/dbus:ro ``` +If the dbus path on host differs, such as `/var/run/dbus`, then you can map it as `/var/run/dbus:/run/dbus:ro`. + ### Using the Ping integration For the [Ping][ping0] integration to work, the capability `NET_RAW` must be added to the container. See above for instructions. @@ -316,6 +318,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **19.09.25:** - Add the necessary capabilities in the container to allow the unprivileged user access to bluetooth stack. * **03.01.25:** - Rebase to alpine 3.21. * **04.12.24:** - Make setcap target dynamic. * **07.11.24:** - Add go2rtc binary. diff --git a/readme-vars.yml b/readme-vars.yml index 3b2fa94..f2a279f 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -51,7 +51,7 @@ app_setup_block: | #### Docker Cli: ```bash - --cap-add=NET_ADMIN --cap-add=NET_RAW -v /var/run/dbus:/var/run/dbus:ro + --cap-add=NET_ADMIN --cap-add=NET_RAW -v /run/dbus:/run/dbus:ro ``` #### Docker Compose: @@ -60,9 +60,11 @@ app_setup_block: | - NET_ADMIN - NET_RAW volumes: - - /var/run/dbus:/var/run/dbus:ro + - /run/dbus:/run/dbus:ro ``` + If the dbus path on host differs, such as `/var/run/dbus`, then you can map it as `/var/run/dbus:/run/dbus:ro`. + ### Using the Ping integration For the [Ping][ping0] integration to work, the capability `NET_RAW` must be added to the container. See above for instructions. @@ -114,6 +116,7 @@ init_diagram: | "homeassistant:latest" <- Base Images # changelog changelogs: + - {date: "19.09.25:", desc: "Add the necessary capabilities in the container to allow the unprivileged user access to bluetooth stack."} - {date: "03.01.25:", desc: "Rebase to alpine 3.21."} - {date: "04.12.24:", desc: "Make setcap target dynamic."} - {date: "07.11.24:", desc: "Add go2rtc binary."} 
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run b/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
index 5c7690e..264a116 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
@@ -3,7 +3,7 @@
 PY_LOCAL_PATH=$(find /usr/local/lib -maxdepth 1 -name python* -type d)
 PY_LOCAL_BIN=$(basename "${PY_LOCAL_PATH}")
-setcap 'cap_net_bind_service=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+setcap 'cap_net_raw,cap_net_admin,cap_net_bind_service=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
 if [[ -z "${DISABLE_JEMALLOC+x}" ]]; then
 export LD_PRELOAD="/usr/local/lib/libjemalloc.so.2"
From f694b4752fe2cd55760e6b4ae3e7d82ada4d8b3b Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Fri, 19 Sep 2025 15:32:12 -0400
Subject: [PATCH 2/2] add caps only when available
---
 root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run b/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
index 264a116..31afe7e 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-homeassistant/run
@@ -3,7 +3,12 @@
 PY_LOCAL_PATH=$(find /usr/local/lib -maxdepth 1 -name python* -type d)
 PY_LOCAL_BIN=$(basename "${PY_LOCAL_PATH}")
-setcap 'cap_net_raw,cap_net_admin,cap_net_bind_service=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+if capsh --has-p=cap_net_admin 2>/dev/null && capsh --has-p=cap_net_raw 2>/dev/null; then
+ echo "Adding cap_net_admin and cap_net_raw to python binary for bt access"
+ setcap 'cap_net_bind_service,cap_net_raw,cap_net_admin=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+else
+ setcap 'cap_net_bind_service=+ep' "/usr/local/bin/${PY_LOCAL_BIN}"
+fi
 if [[ -z "${DISABLE_JEMALLOC+x}" ]]; then
 export LD_PRELOAD="/usr/local/lib/libjemalloc.so.2"
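Review bot: Granting `cap_net_raw,cap_net_admin` as `+ep` file capabilities on `/usr/local/bin/${PY_LOCAL_BIN}` widens the grant to every process that execs that interpreter, not only the Home Assistant service, because file capabilities are applied at each execve rather than per service — custom components, `pip`, or any user script run through the same python would pick them up. That is a larger step than the pre-existing `cap_net_bind_service` grant, since NET_ADMIN covers interface, route and firewall changes inside the container's network namespace (and the host's, if the container is run with host networking, which this hunk does not show). The trade-off deserves a comment next to the call: `# NOTE: file caps apply to anything exec'ing this interpreter, not only HA; grant no more than the container was started with`. The run script continues past the hunk (the `if [[ -z "${DISABLE_JEMALLOC+x}" ]]` block is cut off).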
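Review bot: The `2>/dev/null` on both `capsh --has-p` calls also hides a missing `capsh` binary or one too old to understand `--has-p`, so such an image would silently take the `else` branch and Bluetooth access would fail later with nothing in the log, since only the success path prints a message. Log the fallback as well, e.g. `echo "cap_net_admin/cap_net_raw not permitted in this container; skipping bluetooth caps (start with --cap-add=NET_ADMIN --cap-add=NET_RAW)"` in the `else` branch, and consider a `command -v capsh` guard so a tooling problem is distinguishable from a deliberately restricted container. A why-comment above the `if` would also help the next maintainer: `# An =ep file cap that is not in the container's bounding set makes execve of the binary fail with EPERM, so only grant what this process actually holds`. Note that `capsh --has-p` inspects the run script's own (root) permitted set, which in a standard Docker container matches the bounding set the unprivileged user's exec is checked against — an assumption worth stating in that comment. The enclosing run script continues beyond the hunk.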