Hass in non-root user docker container - ping permission problem

Hello,

I’m working on using my hass via a docker container running in a non-root user configuration.

It works for my configuration… with one exception: ping platform.
It seems that ping doesn’t have proper permissions.

Many sources suggest adding additional capabilities to the hass container which should deliver proper permissions, something like:

--cap-add NET_RAW --cap-add NET_BIND_SERVICE --cap-drop ALL

Thus, my docker run includes such arguments:

docker run --init -d --name="hass-docker" -e "TZ=Europe/Warsaw" \
	--user 1000:20 \
	-v /home/pi/.homeassistant-docker:/config \
	-v /etc/localtime:/etc/localtime:ro \
	--cap-add NET_RAW  --cap-add NET_BIND_SERVICE --cap-drop ALL \
	--net=host \
homeassistant/raspberrypi3-homeassistant:latest

but… it seems it doesn’t work:

$ docker exec -it hass-docker /bin/sh
/config $ id
uid=1000 gid=20(dialout)
/config $ ping 8.8.8
PING 8.8.8 (8.8.0.8): 56 data bytes
ping: permission denied (are you root?)
/config $

My system:

$ uname -a
Linux rasp1 4.19.66-v7+ #1253 SMP Thu Aug 15 11:49:46 BST 2019 armv7l GNU/Linux
$ docker --version
Docker version 19.03.5, build 633a0ea
$

Any ideas why capabilities don’t work?

Regards,
M.

1 Like
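
A check for the situation in the post above, as an added example that is not part of the original thread: it decodes the capability masks in /proc/<pid>/status to tell whether a capability passed with --cap-add is in the process's effective set or only in its bounding set. The two status samples are constructed for illustration, and the function names are hypothetical; bits 10 and 13 are CAP_NET_BIND_SERVICE and CAP_NET_RAW in linux/capability.h.

```shell
#!/bin/sh
# Added example: report whether a capability is held by a process or merely
# allowed by its bounding set, from the Cap* lines of /proc/<pid>/status.

CAP_NET_BIND_SERVICE=10   # bit numbers from linux/capability.h
CAP_NET_RAW=13

# Constructed sample: capabilities in the bounding set, none effective.
NONROOT_STATUS='Uid:    1000 1000 1000 1000
CapInh: 0000000000002400
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000002400'

# Constructed sample: the same two capabilities, permitted and effective.
ROOT_STATUS='Uid:    0 0 0 0
CapInh: 0000000000002400
CapPrm: 0000000000002400
CapEff: 0000000000002400
CapBnd: 0000000000002400'

# cap_field STATUS_TEXT FIELD -> hex mask of that field (empty if missing)
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_cap HEXMASK BIT -> exit status 0 when the bit is set in the mask
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# diagnose STATUS_TEXT BIT -> prints effective | bounding-only | absent
diagnose() {
    if has_cap "$(cap_field "$1" CapEff)" "$2"; then
        echo effective        # held by the process right now
    elif has_cap "$(cap_field "$1" CapBnd)" "$2"; then
        echo bounding-only    # allowed for the container, not held by this process
    else
        echo absent
    fi
}

echo "non-root sample, CAP_NET_RAW: $(diagnose "$NONROOT_STATUS" "$CAP_NET_RAW")"
echo "root sample,     CAP_NET_RAW: $(diagnose "$ROOT_STATUS" "$CAP_NET_RAW")"
```

Inside the container, `diagnose "$(cat /proc/self/status)" "$CAP_NET_RAW"` runs the same check against a live process.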

I always felt it’s a shame that the official docker images all run as root and there is no documentation on user mapping on them. I’ve been meaning to get to that, but have not found the time. The linuxserver images and Dockerfiles may provide some ideas on how to do this. I have not seen a homeassistant image from them, but they usually set up their images in a way that apps inside their container don’t run as root.

Anyone found a solution?

sudo ping?

$ docker exec -it hass-docker /bin/sh
/config $ sudo ping
/bin/sh: sudo: not found

Can you try with the --privileged option?