Home Assistant Community Add-on: Portainer

Yes, starting to like it :slight_smile:
Thanks, this is the first addon (that I use) using ingress.

I’ve got a security related question for you. Before ingress, I had port 8123 forwarded for outside HA access, and relied on strong passwords and 2FA for security for my front-end. I did not forward ports for any addons, and rely on connecting through OpenVPN if I needed to access addons remotely (addons also are each password protected, but without 2FA). I’m especially concerned about Portainer, SSH, and VSCode because they all allow root access into the container(s) and therefore full access to secrets and limited access to the host.

With Ingress, now all addons are available from outside with only the HA authentication/2FA securing them. My initial thoughts are that this is less secure than needing to go through the VPN to access them - am I wrong? If not, is there a way to disable ingress?


Agreed, partly. Sounds like you have a false sense of security in the first place. If someone had access to Home Assistant, it already has that level of access.

For example, they could install ZeroTier or Tor…

Being able to put it behind 2FA now (including addons) and limiting the attack surface (fewer ports) is IMHO an improvement.

True, I didn’t think about the fact that they could install additional addons. But even still, pre-ingress how would anyone access an addon they installed? The port won’t map to 8123 and if that’s the only port open they wouldn’t be able to access the addon they installed.

In my case there aren’t fewer ports though, I still forward the port for HA and none for addons so the attack surface is unchanged.

They don’t need to, since installing Tor or ZeroTier gives them access to every single port of your machine, even without port forwarding. Punching a hole in almost every firewall configuration out there.

Interesting, I did not know that. Thank you for explaining! I do have a Ubiquiti USG-Pro with IPS, but once they’re in, that won’t be much help.

:tada: Release v0.6.1

Full Changelog

:sparkles: This release adds support for the “Add to sidebar” feature that became available in Home Assistant 0.92.

Please note: You need to have Home Assistant 0.92 or newer to be able to install this update.

:hammer: Changes

  • :arrow_up: Updates Home Assistant requirement to 0.92.0b2
  • :sparkles: Adds support for showing in sidebar

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work: https://patreon.com/frenck

I’m running into some issues viewing containers in the Portainer add-on–nothing is showing up. I have Protection Mode disabled, updated to Home Assistant 0.92.1, tried restarting HA and rebooting the host, but still haven’t found a solution. Here are some screenshots of what I’m seeing:

In the Portainer Home view, I can see in the summary that 12 containers are running. But when I click for more details, the containers aren’t there.

I don’t remember having these issues when I first tried Portainer, but I was running a Raspberry Pi 3B+ back then. Maybe there is an issue with this add-on and the Asus Tinkerboard S. Is there some setting I need to change to unhide the containers?

I am running:
Portainer Hass.io addon 0.61 (protection mode is disabled)
Home Assistant 0.92.1
HassOS 2.10
Asus Tinkerboard S

Here is a snippet of the add-on log (I scrubbed my IP address). I don’t see any errors from it.

You are running the latest version of this add-on.
 System: HassOS 2.10  (armv7 / tinker)
 Home Assistant version: 0.92.1
 Supervisor version: 162
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] nginx.sh: executing... 
[cont-init.d] nginx.sh: exited 0.
[cont-init.d] portainer.sh: executing... 
[cont-init.d] portainer.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[09:40:15] INFO: Starting Portainer...
2019/04/27 09:40:15 Templates already registered inside the database. Skipping template import.
2019/04/27 09:40:15 Instance already has defined endpoints. Skipping the endpoint defined via CLI.
2019/04/27 09:40:15 Starting Portainer 1.20.2 on 127.0.0.1:9000
[09:40:16] INFO: Starting NGinx...
[27/Apr/2019:09:40:54 -0700] 200 192.168.xx.xx, 172.30.32.1(172.30.32.2) GET / HTTP/1.1 (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36)
[27/Apr/2019:09:40:54 -0700] 200 192.168.xx.xx, 172.30.32.1(172.30.32.2) GET /api/settings/public HTTP/1.1 (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36)
[27/Apr/2019:09:40:54 -0700] 200 192.168.xx.xx, 172.30.32.1(172.30.32.2) GET /api/status HTTP/1.1 (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36)
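Relating to the ingress concern raised earlier in this thread, here is an added example (not part of any post, and not the add-on's own code) that parses access-log lines in the format shown above and flags requests whose originating address is outside the networks you expect. The trusted ranges, the sample lines and the reading of the first address as the forwarded client are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed trusted source ranges: home LAN and an OpenVPN client subnet.
TRUSTED = [ip_network("192.168.0.0/16"), ip_network("10.8.0.0/24")]

# Layout taken from the log lines above:
# [time] status forwarded-list(peer) METHOD path HTTP/x (user agent)
LINE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<status>\d{3}) "
    r"(?P<forwarded>[^()]*)\((?P<peer>[^)]+)\) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) "
)

def classify(line):
    """Return a record for an access-log line, or None for other log output."""
    m = LINE.match(line)
    if m is None:
        return None
    # Assumption: the first forwarded entry is the browser's address as
    # recorded by the proxy chain; it is only as reliable as that chain.
    client = m["forwarded"].split(",")[0].strip()
    try:
        addr = ip_address(client)
    except ValueError:
        origin = "unknown"  # scrubbed or malformed, e.g. 192.168.xx.xx
    else:
        origin = "trusted" if any(addr in net for net in TRUSTED) else "external"
    return {"time": m["time"], "status": int(m["status"]), "client": client,
            "peer": m["peer"], "path": m["path"], "origin": origin}

def flag(lines):
    """Return records for requests that did not come from a trusted range."""
    records = (classify(line) for line in lines)
    return [r for r in records if r and r["origin"] != "trusted"]

# Constructed sample lines (203.0.113.45 is a documentation address).
SAMPLE = [
    "[09:40:16] INFO: Starting NGinx...",
    "[27/Apr/2019:09:40:54 -0700] 200 192.168.1.20, 172.30.32.1(172.30.32.2) GET /api/status HTTP/1.1 (Mozilla/5.0)",
    "[27/Apr/2019:09:41:02 -0700] 200 203.0.113.45, 172.30.32.1(172.30.32.2) GET /api/settings/public HTTP/1.1 (Mozilla/5.0)",
    "[27/Apr/2019:09:41:10 -0700] 200 192.168.xx.xx, 172.30.32.1(172.30.32.2) GET / HTTP/1.1 (Mozilla/5.0)",
]

if __name__ == "__main__":
    for r in flag(SAMPLE):
        print(r["time"], r["origin"], r["client"], r["path"])
```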

By default all Hass.io managed containers are hidden from Portainer.
This is recommended since fooling around with Hass.io managed containers
can easily lead to a broken system.

  1. Go into Portainer → Settings → Hidden containers:
    Delete the listed hidden labels (io.hass.type labels).

Thanks, I should have re-read the instructions.

:tada: Release v0.6.2

Full Changelog

This is a general maintenance release. Fixes aarch64 support (HassOS 64 bits).

:hammer: Changes

  • :arrow_up: Upgrades add-on base image to 3.1.1
  • :arrow_up: Upgrades lua-resty-http to 0.13-r0
  • :arrow_up: Upgrades nginx to 1.14.2-r1
  • :ambulance: Turns off Lua Resty core in Nginx
  • :books: Correct grammar / typos in README.md (#19) (@ax42)


:tada: Release v0.6.3

Full Changelog

This is a general maintenance release.

:hammer: Changes

  • :arrow_up: Upgrades Portainer to 1.21.0


I still would feel a bit more comfortable if we could turn off ingress for some addons… While I agree this is partly a false sense of security, I still would rather that if someone got my hass password that they also have to know hass well enough to know what addons to install to pwn me rather than just to give them the keys to the car with something easy like portainer straight off the bat.

Also, it would be good to have other options for adding addons than only in the GUI. If we could turn off the ability to add addons in the GUI and do it only by the command line, I’d be a lot more comfortable with that for the exact reason you list.

That is a feature request that is misplaced. Even if I wanted to provide you those controls, it is currently not possible. Please open up a feature request topic if you want that feature, to see if people join in.

:tada: Release v0.7.0

Full Changelog

This is a major maintenance release, with major updates on the internals.

:hammer: Changes

  • :books: Adds info about showing Hass.io managed containers (#20)
  • :arrow_up: Upgrades nginx to 1.16.0-r2
  • :arrow_up: Upgrades add-on base image to v4.0.1
  • :fire: Removes now deprecated ssl directive
  • :pencil2: Maintaince -> Maintenance
  • :sparkles: Adds FUNDING.yml


Maybe a stupid question: I created a container, but I don't want it running the whole time,
so I stop it once it's not needed.
But if I reboot my HassOS, it seems the container is autorestarted again.
Where can I disable the autostart on containers? :slight_smile:

:tada: Release v0.7.1

Full Changelog

This is a maintenance release.

:hammer: Changes

  • :arrow_up: Upgrades add-on base image to v4.0.2


Full Changelog

This is a maintenance release.

:hammer: Changes

  • :arrow_up: Upgrades Portainer to v1.22.0


:tada: Release v0.7.3

Full Changelog

This is a maintenance release.

:hammer: Changes

  • :arrow_up: Upgrades add-on base image to v4.0.3


:tada: Release v0.7.4

Full Changelog

This is a maintenance release.

:hammer: Changes

  • :arrow_up: Upgrades nginx to 1.16.1-r0
  • :arrow_up: Upgrades add-on base image to v4.1.1
  • :hammer: Updates HA Auth URL in NGinx LUA script
  • :ambulance: Fixes path handling for SSL certificates
  • :hammer: Use Hass.io DNS as NGinx resolver
  • :hammer: Hide Hass.io DNS containers by default
