How important is network_mode: host anyway?

After a couple hours of searching, and a couple more of testing, I need help.

I am trying to start with a fresh install of home assistant in a portainer stack that will include multiple other containers including maria db, frigate, vscode, hass-configurator (until I can figure out if I can get the HA config yaml setup on the vscode container), and more.

The challenge is I’d like to conform to a sequential port schema which requires me to change the listening port for each container either through port mapping 8011:#### or through changing the listening port through environment variables (preferred)

I am aware that HTTP - Home Assistant exists and have updated my configuration.yaml to account for that. However, nothing I change the port to in the yaml file seems to work with the recommended network_mode: host container compose setting. Attempting to browse to host-ip:new_port just results in a timeout.

The only way I can get the port I want to work is by disabling network_mode: host and adding port: 8011:8011 in the portainer stack/ docker compose. Judging from that the config yaml change is doing something, but it’s not overriding whatever allows 8123 to work with network_mode: host enabled.

So what do I do here? Just run HA at 8011 without network_mode: host enabled? What are the impacts of that?

config yaml

# Loads default set of integrations. Do not remove.
default_config:

# Example HTTP configuration.yaml entry https://www.home-assistant.io/integrations/http/
http:
  server_port: 8011 #12345

The below works perfectly fine with port 8123

  homeassistant:
    #container_name: hass
    image: homeassistant/home-assistant
    environment:
      - PUID=1000
      - PGID=1000    
    volumes:
      - /home/example/config:/config #./hass-config:/config
      - /nfs/examplemedia:/media 
      - /nfs/examplenvr_maybe_for_frigate/nvr_capture:/nvr_capture      
      - /etc/localtime:/etc/localtime:ro  
    restart: unless-stopped
    network_mode: host

Only working compose setup to actually change/ access HA at port other than 8123

#version: '3'
#services:
  homeassistant:
    #container_name: hass
    image: homeassistant/home-assistant
    environment:
      - PUID=1000
      - PGID=1000    
    volumes:
      - /home/example/config:/config #./hass-config:/config
      - /nfs/examplemedia:/media 
      - /nfs/examplenvr_maybe_for_frigate/nvr_capture:/nvr_capture      
      - /etc/localtime:/etc/localtime:ro  
    restart: unless-stopped
    #network_mode: host
    #expose:
      #- 8011       
    ports:
      - 8011:8011

Well, I’ve noticed one issue, I can’t seem to connect mariadb as a recorder without host mode on…
I’ve tried the host-name of the container maria-db:9006, 127.0.0.1:9006, and the host-ip of the machine 192.168.1.123:9006 (I have mariadb running at port 9006)

Using 127.0.0.1:9006 worked fine with network_mode: host

EDIT: looks like there’s a permission issue related to this, I’m thinking it should work with maria-db:9600
Got the db working, needed to add user: 1000:1000 to mariadb compose file as without network_mode: host on the home assistant compose, there was a conflict

Still not sure how to change the default port on Homeassistant from 8123 to anything else, and keep network_mode: host. If anyone is aware please share as I would dearly love to know.

EDIT: Ah, just logged into homeassistant on port 8011… It’s immediately apparent why network_mode: host is important as HA doesn’t find any available devices… Well that’s fun!

Discovery. As you found in your last post edit, HA heavily relies on beacons, broadcasts, etc. over the network, and this is how it does discovery of devices. Turning off host networking puts the container into a sort of docker network “sandbox”. The only way in is through ports. That said though, any container in the same sandbox can point to another container; you just have to find out what that container’s IP address is in the docker default range of 172.17.0.0/16. In the case of mariadb, you have to make sure the user has permission to connect on the network interface.

I do this by running all the containers in the same docker bridge network. Certainly it’s a lot easier running everything in host mode up until you want to run multiple stacks at the same time (e.g. a prod and test environment). I can share my compose file. My guess is you have multiple issues. So we may want to break it down and go step by step.

The challenge is that most of my IOT ware is wifi or POE based. I’ve tried other protocols in the past and found these to be best for me. Also my server is in a rack that’s a bit hard to get to and plug dongles in. Primary use cases are lights (lifx/nanoleaf), temp monitoring (awair/aqara), NVR (new hopefully with frigate currently using blueiris)
I tried to get too complex on my first setup and just didn’t have time for all the maintenance overhead.

thanks for the offer to help, sent a pm

All,

In my ineptitude, I completely forgot to set UFW. Adding this here for anyone else that forgets. In order to change HA from the default 8123 port and keep network mode host:

  1. update config yaml
  2. open updated port in ufw (linux firewall): ufw allow ####
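
The timeout in host mode, while `ports: 8011:8011` worked, is explained by the firewall: a Docker-published port is forwarded by Docker's own iptables rules and by default is not filtered by ufw's input rules, whereas a host-mode listener is an ordinary host socket that ufw blocks until a rule exists. The script below is an added example, not part of the original posts: it reads `server_port` from a configuration.yaml and looks for a matching rule in `ufw status` text, suggesting a rule scoped to the LAN rather than open to every source. The function names, the `HA_LAN_CIDR` variable, the 192.168.1.0/24 subnet and both sample texts are constructed assumptions.

```sh
#!/bin/sh
# Added example: does the Home Assistant port in configuration.yaml have a ufw rule?
# Sample config, sample `ufw status` text and the LAN subnet are constructed.

# Print http.server_port from configuration.yaml on stdin (8123 if unset).
ha_port() {
  awk '
    /^[^ #]/ { in_http = ($0 ~ /^http:/) }   # entering a top-level key
    in_http && /^ +server_port:/ {
      sub(/#.*/, ""); gsub(/[^0-9]/, ""); port = $0
    }
    END { print (port == "" ? 8123 : port) }'
}

# Exit 0 if `ufw status` text on stdin has an IPv4 ALLOW rule for TCP port $1.
# Port ranges and application profiles are not handled.
ufw_allows() {
  awk -v p="$1" '
    $2 ~ /^ALLOW/ && ($1 == p || $1 == p "/tcp") { found = 1 }
    END { exit !found }'
}

# $1 = configuration.yaml text, $2 = `ufw status` text.
check_host_mode_port() {
  port=$(printf '%s\n' "$1" | ha_port)
  if printf '%s\n' "$2" | ufw_allows "$port"; then
    echo "ok: tcp/$port is allowed"
  else
    echo "blocked: ufw allow from ${HA_LAN_CIDR:-192.168.1.0/24} to any port $port proto tcp"
  fi
}

SAMPLE_CONFIG='default_config:

# Example HTTP configuration.yaml entry
http:
  server_port: 8011 #12345'

SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8123/tcp                   ALLOW       192.168.1.0/24'

check_host_mode_port "$SAMPLE_CONFIG" "$SAMPLE_UFW"
```

On a live host, feed it the real inputs with `check_host_mode_port "$(cat /path/to/configuration.yaml)" "$(ufw status)"`, run as root so `ufw status` is readable.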

I’m brand new to Home Assistant and I have a medium level of experience with docker. I think I want to do exactly what you described here. Can I see your compose file? I would PM you, but I just joined here and can’t figure out how. Maybe I’m too new?

Actually I’ve changed my strategy and now run HA in host mode. I do run the other containers in bridge mode. I did this because there was a capability I needed in HA that only works on the local lan segment and won’t route across a bridge network.

Here is the .env file

You’ll see a couple things, when I change versions I make a new folder (and cp -rp the old contents over). This is so I can easily roll back if the upgrade has problems.

My system backs up the docker folder every 4 hours. With MariaDB I use the built in backup tools to create a database backup hence I don’t need to backup the physical database files that frequently. So I put them in a different folder.

DOCKER_FOLDER=/volume2/docker
DOCKER_LOCAL_FOLDER=/volume2/docker_local
#HA_FOLDER=ha_prod_2023_9_3
#HA_VERSION=2023.9.3
HA_VERSION=2024.1.5
HA_FOLDER=ha_prod_2024_1_5
#ZWAVE_FOLDER=zwavejs_8_26_0
#ZWAVE_VERSION=8.26.0
ZWAVE_FOLDER=zwavejs_9_7_1
ZWAVE_VERSION=9.7.1
SUBNET=172.20.0
MARIADB_PWD=mypassword
#MARIADB_FOLDER=mariadb10_2023_9_3
MARIADB_FOLDER=mariadb10_2024_1_5
MQTT_FOLDER=mqtt_2_0_15
MQTT_VERSION=2.0.15

and the docker-compose.yaml, you will see the three lines commented out for HA right below network mode host, so if you uncomment those and comment out the network mode host it’ll put HA on 172.20.0.2. Likewise the extra_hosts config isn’t needed in bridge mode (but still should work) and docker will automatically resolve those hosts on the bridge network.

version: '3'

networks:
  local_network:
    ipam:
      driver: default
      config:
        - subnet: ${SUBNET}.0/24

        
services:
  ha:
    container_name: ha
    image: homeassistant/home-assistant:${HA_VERSION}
    volumes:
      - ${DOCKER_FOLDER}/${HA_FOLDER}/config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    environment:
      PROXY_IP: ${SUBNET}.1
      TZ: America/New_York
    network_mode: "host"
#    networks: 
#      local_network:
#        ipv4_address: ${SUBNET}.2
    depends_on:        
      - zwave
      - mariadb
    extra_hosts:
      - "zwave:${SUBNET}.3"
      - "mqtt:${SUBNET}.6"
      - "mariadb:${SUBNET}.4"
#    ports:
#      - 8123:8123
#      - 1400:1400
#      - 1401:1401
  zwave:
    container_name: zwave
    image: zwavejs/zwave-js-ui:${ZWAVE_VERSION}
    volumes:
      - ${DOCKER_FOLDER}/${ZWAVE_FOLDER}:/usr/src/app/store
      - /etc/localtime:/etc/localtime:ro
    devices:
      - /dev/ttyACM0:/dev/ttyACM0
    restart: unless-stopped
    environment:
      TZ: America/New_York
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.3
    ports:
      - 3000:3000
      - 8091:8091
        
  mqtt:
    container_name: mqtt
    image: eclipse-mosquitto:${MQTT_VERSION}
    # chown 1883:1883
    volumes:
      - ${DOCKER_FOLDER}/${MQTT_FOLDER}/config:/mosquitto/config
      - ${DOCKER_FOLDER}/${MQTT_FOLDER}/log:/mosquitto/log
      - ${DOCKER_FOLDER}/${MQTT_FOLDER}/data:/mosquitto/data
    restart: unless-stopped
    user: "1883:1883"
    environment:
      TZ: America/New_York
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.6
    ports:
      - 1883:1883
      - 9001:9001
        
  mariadb:
    container_name: mariadb_ha
    image: mariadb:10.11.2
    volumes:
      - ${DOCKER_LOCAL_FOLDER}/${MARIADB_FOLDER}:/var/lib/mysql
      - ${DOCKER_LOCAL_FOLDER}/mariadb_conf:/etc/mysql/conf.d
      - /etc/localtime:/etc/localtime:ro
      
    restart: unless-stopped
    environment:
      MARIADB_ROOT_PASSWORD: ${MARIADB_PWD}
      MARIADB_MYSQL_LOCALHOST_USER: "yes"
      MARIADB_MYSQL_LOCALHOST_GRANTS: "yes"
      MARIADB_AUTO_UPGRADE: "yes"
      MARIADB_DISABLE_UPGRADE_BACKUP: "yes"
      TZ: America/New_York
      PUID: 1037
      PGID: 100
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.4
    ports:
      - 3316:3306
  phpmyadmin:
    container_name: phpmyadmin
    image: phpmyadmin:5.2.1
    restart: unless-stopped
    environment:
      - PMA_HOST=mariadb_ha
    hostname: phpmyadmin
    domainname: phpmyadmin.st.home.arpa
    networks: 
      local_network:
        ipv4_address: ${SUBNET}.5
    ports:
      - 8088:80
      
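
Every `HOST:CONTAINER` mapping in a compose file like the one above listens on all host interfaces and, by default, is not filtered by ufw's input rules, while a host-mode service exposes every port it opens directly on the host. The script below is an added example, not the poster's own tooling: it lists both cases so that admin-only ports such as MariaDB or phpMyAdmin can be rebound to a specific address, for example `127.0.0.1:8088:80`. It assumes two-space indentation as in the post; the function name and the sample compose text are constructed.

```sh
#!/bin/sh
# Added example: list what a compose file exposes beyond its own bridge network.
# Assumes two-space YAML indentation; the compose text below is constructed,
# modelled on the file in the post.

# Prints "<service> host-mode" for network_mode: host, and
# "<service> <host_port>" for each ports: entry with no bind address.
exposed_services() {
  awk '
    /^  [A-Za-z0-9_-]+:[ ]*$/ { svc = $1; sub(/:$/, "", svc); in_ports = 0; next }
    /^    network_mode:.*host/ { print svc, "host-mode" }
    /^    ports:/              { in_ports = 1; next }
    /^    [A-Za-z_]/           { in_ports = 0 }
    in_ports && /^ +- / {
      spec = $2; gsub(/"/, "", spec)
      # two fields means HOST:CONTAINER, i.e. bound to all interfaces
      if (split(spec, part, ":") == 2) print svc, part[1]
    }'
}

SAMPLE_COMPOSE='services:
  ha:
    image: homeassistant/home-assistant
    network_mode: "host"
#    ports:
#      - 8123:8123
  mariadb:
    image: mariadb:10.11.2
    ports:
      - 3316:3306
  phpmyadmin:
    image: phpmyadmin:5.2.1
    ports:
      - "127.0.0.1:8088:80"
    restart: unless-stopped'

printf '%s\n' "$SAMPLE_COMPOSE" | exposed_services
```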

I know it’s been a few weeks, but thank you SO MUCH for this post. This setup has so many cool ideas in it and I’ve learned so much just from reading your compose file. I haven’t implemented yet, but I think you just saved me many hours of work.

I have HA and zwave working now thanks to you, but I have one question about your mqtt implementation if you’ve got another sec to spare. It seems like you are creating a user:group (user: “1883:1883”) specifically for the MQTT container? I have searched the internet to try to figure out why that could possibly be and have come up empty. Care to explain yourself? 🙂

Are you doing that instead of password protecting the service or are you also doing password protection?

I barely know my way around linux so please forgive me if this is a dumb question.

That’s a great question.

Sometimes when setting up a container I get into permission problems with the container not being able to access and write to the mounted folders. So here I have the owner and group being 1883 and set that in the container. I don’t recall if all that was necessary or I got it to a point where it was working and that was good enough.

drwxrwxrwx  1 1883     1883    504 May 24  2023  mqtt_2_0_15