Running official docker container as non-root user results in "Unsupported Third Party Container" installation method

I’m in the process of migrating my installation from Core to Container, as the former is no longer supported.
For improved security, I would like to run the container as a non-root user, as I did with the older Core Python venv installation.
It seems that Home Assistant runs fine in this setup, except that the information screen reports the installation method as “Unsupported Third Party Container.”
Is this expected?
Is there an official or supported method to run the official container as a non-root user?

1 Like

Yes, if the user is not root HA will flag the installation as unsupported. https://github.com/home-assistant/core/blob/cf2e69ed7454a2439455b64ae060d500841a54f3/homeassistant/helpers/system_info.py#L95-L101

    # Determine installation type on current data
    if info_object["docker"]:
        if info_object["user"] == "root" and is_official_image():
            info_object["installation_type"] = "Home Assistant Container"
            info_object["container_arch"] = await async_get_container_arch(hass)
        else:
            info_object["installation_type"] = "Unsupported Third Party Container"

Not according to https://github.com/home-assistant/architecture/blob/d63d89d87596d609c5bb7457c7df0b5e80676181/adr/0013-home-assistant-container.md

The only supported way to run the container is on the host network as root with full privileges.

2 Likes

I’ve been running a non-root container with no host network since 2017 or before.

Does “Unsupported” really have significance?
Seems meaningless

1 Like

I’m running HA container with podman rootless.

It’s running fine on my HA Yellow. No docker for me, not installing that piece of software…

It means if you attempt to open an issue on GitHub related to your installation method, the issue will be quickly closed.

It also means there will be fewer people able and willing to help you on the forums if you need help specific to your installation.

Essentially you are on your own.

Note that being on your own doesn’t mean you will have issues, nor does it mean that an unsupported installation is necessarily the wrong choice for your specific circumstance.

If something doesn’t run well when in the non-root context, it’s not too hard to re-run the image in a container with all the expected privileges, see if the problem recurs, then jump back to the non-root user to return to ‘prod’ status while diagnosing what you saw erring in the restricted mode versus as root.

For anybody that ends up here like I did, and was wondering why you weren’t getting the message the OP gets, it’s because podman rootless (at least in my current configuration) is running internally in the namespace with root (0:0) (even though running “rootless”):

    home-assistant:/# id
    uid=0(root) gid=0(root) groups=65534(nobody),65534(nobody),0(root)
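
Added example, not part of any post in this thread and not Home Assistant code: it reads the kernel's user-namespace map to show why the `id` output above says root while the process is unprivileged on the host, and why the check quoted earlier still reports a supported install. The sample `uid_map` contents, the `describe` helper and the `uid<N>` user names are constructed for illustration; it assumes the user name seen by the quoted check is "root" whenever the in-container UID is 0.

```python
import os

def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map into (inside_start, outside_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            ranges.append(tuple(int(f) for f in fields))
    return ranges

def outside_uid(inside_uid, ranges):
    """Translate a UID seen inside the namespace to the parent namespace's UID."""
    for inside, outside, length in ranges:
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None  # UID has no mapping in the parent namespace

def installation_type(user, official_image):
    """Same decision as the container branch quoted earlier in the thread."""
    if user == "root" and official_image:
        return "Home Assistant Container"
    return "Unsupported Third Party Container"

def describe(uid, uid_map_text, official_image=True):
    # Assumption: a UID of 0 is reported as the user name "root".
    user = "root" if uid == 0 else f"uid{uid}"
    host_uid = outside_uid(uid, parse_uid_map(uid_map_text))
    return {
        "installation_type": installation_type(user, official_image),
        "host_uid": host_uid,            # relative to the parent user namespace
        "root_on_host": host_uid == 0,
    }

# Constructed samples of /proc/self/uid_map.
# Rootful engine, no user namespace: identity mapping of the full range.
ROOTFUL = "         0          0 4294967295\n"
# Rootless podman started by host UID 1000 with a subuid range at 100000.
ROOTLESS = "         0       1000          1\n         1     100000      65536\n"

if __name__ == "__main__":
    # Run inside the container to inspect the real mapping.
    with open("/proc/self/uid_map") as fh:
        print(describe(os.getuid(), fh.read()))
```

With the rootless sample, UID 0 inside the container maps to host UID 1000, so the "root" string check passes without the process holding host root.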

Podman rootless seems the clear path on this, but I had to wonder if it was really worth the effort required to set it up and maintain.

This question came up after reading the page(s) about how to configure Podman to run rootless, and also about there being a need to run a docker-podman conversion every time a new HomeAssistant image is published.

Seems like the rootless setup of Podman is a one-time thing and not too onerous, but…
Is that image-conversion step truly needed every time HA releases a new one?