roippi
(Ben Roberts)
March 7, 2025, 11:05pm
1
Hi, turning a developer topic post into an FR; this is the original thread: Mount hosts /proc & /sys into add on container
Basically, for certain advanced container monitoring abilities, appliances such as datadog/agent require mounting of /proc and /sys/fs/cgroup into the agent container. While mounting docker.sock is covered via docker_api:true, neither /proc nor /sys/** is currently allowed to be mounted in devices: via an addon. (gpio and filetree get a couple of special hardcoded exceptions)
I understand allowing an addon to do this would, at minimum, require turning off all relevant security flags.
I am happy to contribute a PR if this is acceptable.
roippi
(Ben Roberts)
March 7, 2025, 11:17pm
2
Relevant DD docs showing the docker mounts: Docker Agent for Docker, containerd, and Podman
CLI equivalent: docker run -d --cgroupns host --pid host --name dd-agent -v /var/run/docker.sock:/var/run/docker.sock:ro -v /proc/:/host/proc/:ro -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro -e DD_SITE=<DATADOG_SITE> -e DD_API_KEY=<DATADOG_API_KEY> gcr.io/datadoghq/agent:7
felipecrs
(Felipe Santos)
March 26, 2025, 11:43pm
3
I have the exact same need for Netdata.
@roippi I was able to work around it by using nsenter, which is extremely hacky and dangerous.
mv -fv /homeassistant/netdata /config/
fi
# This is a trick to mount host directories and files inside the container,
# given HA add-ons cannot specify bind mounts.
if ! mountpoint --quiet /host/etc/os-release; then
    # Helpers defined earlier in the script (not included in this post); they
    # set $container_id and $container_root_on_host.
    set_container_id
    set_container_root_on_host
    # Mount /proc from host to /host/proc as readonly with nsenter
    mkdir -p /host/proc
    nsenter --target 1 --mount -- \
        mount --bind --read-only /proc "${container_root_on_host}/host/proc"
    # Same for /sys and /sys/fs/cgroup
    mkdir -p /host/sys
    nsenter --target 1 --mount -- \
        mount --bind --read-only /sys "${container_root_on_host}/host/sys"
    nsenter --target 1 --mount -- \
        mount --bind --read-only /sys/fs/cgroup "${container_root_on_host}/host/sys/fs/cgroup"
fi
It would be a lot simpler and even safer if there were an option to add arbitrary mounts in the add-on’s config.yaml.
felipecrs
(Felipe Santos)
March 26, 2025, 11:50pm
4
A very important note is that only read-only access to these directories is required. This should greatly reduce the risk.
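Whether the mounts come from the nsenter workaround above or from a future config.yaml option, the check a practitioner would want at add-on start is that each host view is actually bound read-only. The script below is an added example, not code from this thread or from the Netdata or Datadog add-ons: it reads a mountinfo-format file (pass /proc/self/mountinfo on a live system) and looks at the per-mount options column, which is where `mount --bind --read-only` records `ro`, independently of the filesystem's own options after the ` - ` separator. The mountinfo excerpt is constructed and the function names are my own.

```shell
#!/bin/sh
# Constructed /proc/self/mountinfo excerpt (not captured from a real system):
# /host/proc and /host/sys are bound read-only, but /host/sys/fs/cgroup was
# bound read-write by mistake.
SAMPLE_MOUNTINFO='652 640 0:24 / /host/proc ro,nosuid,nodev,noexec,relatime - proc proc rw
653 640 0:25 / /host/sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
654 640 0:26 / /host/sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw'

# mount_state FILE MOUNTPOINT
# Prints "ro", "rw" or "missing" for MOUNTPOINT as recorded in FILE.
# Field 5 is the mount point, field 6 the per-mount VFS options. If the same
# path is mounted more than once, the last line wins, because that is the
# mount currently visible there.
mount_state() {
    awk -v mp="$2" '
        $5 == mp {
            n = split($6, opts, ",")
            state = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "ro"
            found = 1
        }
        END { print (found ? state : "missing") }
    ' "$1"
}

# check_host_mounts FILE
# Returns 0 only when every expected host view is present and read-only;
# prints one line per mount so the add-on log shows exactly what was wrong.
check_host_mounts() {
    rc=0
    for mp in /host/proc /host/sys /host/sys/fs/cgroup; do
        st=$(mount_state "$1" "$mp")
        printf '%s: %s\n' "$mp" "$st"
        [ "$st" = "ro" ] || rc=1
    done
    return $rc
}

# Demo against the constructed sample; on a real host pass /proc/self/mountinfo.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTINFO" > "$demo_file"
check_host_mounts "$demo_file" || echo "refusing to start: host mounts are not all read-only"
rm -f "$demo_file"
```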