I think you are already root when you ssh (whoami say so anyway). I tried to elevate via sudo just for grins and it made no difference. Like you said it curious. I did a search of all files and did not anything useful. I may dig around later and see but for now this is just a science project curiosity
Are you running home assistant as a docker container supervised installation? What OS? And are these commands run on the host level or container level?
Iām just running the vanilla installation of the current version of HA for āgeneric-x86-64ā. That the one that has an OS (Alpine linux) and supervisor (the docker manager). These are all of the docker containers I see currently running:
Did you follow this tutorial or some similar installation?
I see that NetworkManager has some specific detailed steps to work properly, and my feeling is that this is an edge case where not all is set up properly, although it works sufficiently. Do you have dbus installed? I read somewhere that in order to function properly inside a container, NetworkManager needs dbus installed. I would bet that there is some containerization layer preventing the user accessing/seeing the folder and file contents, but the system somehow can (imagine that you mount a volume on top of this folder when NetworkManager has already read the network profiles/configs - just wild guessing hereā¦)
Noā¦I went by HA āofficalā install process for an generic-x86-64 install. There were no CLI commands. First booted up you had a number of docker containers running - the only change I made was installing node-red, mariadb, esphome post installationā¦at least some of those steps are already implemented in this version of HA. For example they recommend you installed networkmanager - it already installedā¦
BTW, if I log in via keyboard/monitor/ directly attached I can see those files under the networkmanager directoryā¦ssh in and no. In both cases whoami says root - but there some restrictions going on via sshā¦
I guess that explains it all and closes up our mystery the config files are obviously stored at the host level and passed on from the container to the host via nmcli and dbus, so when you login to the host via terminal as root you can access/see them. When you do it via ssh you are logging in as root inside the container (a different kind of root), so the separation layer between host and containers, for security reasons, prevents access to the host files. So many ways to install HA that Iām even amazed that the tutorial works so well for so many people!
Good catch. It is the ssh container that processes my ssh connection - so that does make senseā¦
I did use that link you sent to customize my shell a bit more when I ssh in - to make it more like a normal bash looking shell. I even installed neofetch and added that to the profileā¦looks more like my arch linux workstation now!
Looking good!
Just wanted to add a cautionary tale about multi-homed hassos/Home Assistant coming from my experience. I ended up re-designing my network so that Home Assistant can run on a single interface.
Iām not saying multi-homing canāt work, but in some situations it may cause other issues that complicate your network or your Home Assistant installation in ways that are difficult for the home assistant team to support and therefore may not be stable. I think a single-homed model works best for HassOs/HomeAssistant.
My network originally consisted of
- VLAN 1 - Servers/Management (Internet enabled)
- VLAN 10 - Client devices, laptops mobile etc. (Internet enabled)
- VLAN 100 - IoT devices (No Internet access)
- VLAN 101 - IoT and streaming devices (Internet access)
- Home Assistant running on HassOs on RaspberryPi 4 with interfaces on VLAN 1, 100 and 101
My Homeassistant configuration manages devices in VLANs 1, 100 and 101 and was accessed via VLAN 1 so was set up with VLAN sub interfaces on each of these VLANs.
The first problem is more idealistic than pragmatic, but the concept of bridging my server VLAN with my IoT VLANs on a device (other than my router/firewall) never sat well with me.
The second problem is real, and while there probably are good solutions, the complexity isnāt worth it in my opinion. It comes down to MDNS (Multicast Domain Naming System).
For my client devices on VLAN 10 to be able to cast or airplay to my TV or Chromecast on VLAN 101 I need a MDNS reflector running on my router since MDNS is a multicast protocol and cannot be directly routed across networks. I also have services running on VLAN 1 which rely on MDNS, so my MDNS reflector (avahi) listens on all of these networks.
Home Assistant periodically announces itself on your network using MDNS so that during setup you can access the HA web interface without needing to know itās IP address by using the URL homeassistant.local:8123. This announcement has a safety mechanism in that if Home Assistant sees that another device is already advertising the name homeassistant.local
it will add a random number to itās own name and advertise that eg. homeassistant2342.local
.
The problem when you have Home Assistant running on a multi-homed host with a MDNS reflector on the networks is that the MDNS announcements will be seen by all interfaces. Home Assistant has no way of knowing if these reflected announcements are from itself or another device, so it assumes thereās a name collision, announces a new randomised hostname which gets reflected back and so on. This creates a looping situation where your network can become saturated by MDNS announcements.
@skull29 hit this problem here:
My solution to all of this was not to disable MDNS but to re-think my network architecture.
I created a new VLAN (110) for Home Assistant, then through my firewall enabled access in and out of that VLAN from my IoT, Server and client VLANs as needed. In this way Home Assistant remains single homed, MDNS doesnāt get confused and I have precise control of traffic in and out of Home Assistant and my IoT networks.
Can I do this using Opnsense? if yes, can you give me an idea of how you enabled access in and out of the valns ? was it through a rule?
Thank you
I think this is a great option, creating a DMZ for HA, if you can solve your broadcasting, routing and firewall issues. I remember I referred to it here
Opnsense has an mdns plugin
https://docs.opnsense.org/manual/how-tos/multicast-dns.html
you need to set it up and create firewall rules to filter which ips can traverse the network segments/vlans.
Thatās it!
Bless you!
I tried adding a vlan using your method just now and I am getting this error
Error: Failed to add āenp0****@vlan20ā connection: ipv4.dns-data: unknown property
what could be the issue?
Looks like a bug/feature in NetworkManager Does it make any sense to have a dns server defined per vlan connection if these are not used for internet access? Maybe if you have a locally available DNS server answering in each vlan/network segment Given the fact that HA really only needs one connection with gateway and dns to be able to update itself and connect to other networks, I would try to edit out/remove DNS references manually from each Connection file with ānmcli con edit ConnectionNameā and then save and reload, as HA does not really need these DNS entries or other gateways.
If you are following the tutorial from the beginning, just change the command in step 4 from :
#nmcli con add type vlan con-name eth0@vlan10 dev eth0 id 10 ip4 10.0.0.2/8 ipv4.dns 10.0.0.1 gw4 10.0.0.1
To:
#nmcli con add type vlan con-name eth0@vlan10 dev eth0 id 10 ip4 10.0.0.2/8 gw4 10.0.0.1
Or you can also remove the gateway altogether:
#nmcli con add type vlan con-name eth0@vlan10 dev eth0 id 10 ip4 10.0.0.2/8
If you have already the connection created:
#nmcli con edit eth0@vlan10
Then edit/remove the data, save and exit, reload and that should do it.
Please let us know how that goes
this worked. I was able to add the vlan then went back and added dns. Though there must be an issue with my opnsense rules because I keep losing connection to HA if I connect to the HA vlan address through my Lan network. I am not very knowledgeable of networking and itās a little daunting tbh lol
Watch out for multiple gateways. One gateway is enough, and one address that HA goes through the firewall. Remember, you should NOT be traversing the firewall when other VLANs clients to talk to HA, unless you are using one IP only in HA and mdns. All clients/members of a specific VLAN should talk to Home Assistant directly through its appropriate/dedicated VLAN address.
Itās when you start adding more gateways to HA or going to other HA IPs through the firewall that your network gets messy. Letās imagine this setup:
Firewall/gateway for main LAN set as 192.168.0.1
Firewall /gateway for VLAN2 set 192.168.1.1
Main LAN address for HA set as 192.168.0.2
Secondary VLAN2/address for HA set as 192.168.1.2
VLAN2 segregated client address is 192.168.1.3
Remember:
DONāT add 192.168.1.1 as a gateway to HA VLAN2 interface (only VLAN2 clients should have this gateway defined if you want them to exit the VLAN2 and go to internet or other VLANs)
DONāT use 192.168.1.2 to visit your HA page from main LAN, always use 192.168.0.2
DONāT use 192.168.0.2 as HA IP to configure clients outside of Main LAN (unless this is your only HA IP)
DONāT use 192.168.1.2 as HA IP to configure clients outside VLAN2 (they should see themselves nevertheless)
If you follow these rules, everything should be ok.
This is what Iāve been using.
192.168.10.1 is my main LAN.
HA main address is 192.168.10.6
192.168.10.4 is Pi-hole.
Valn 20 is where I keep all IOTs on opnsense
HA vLan 20 address is 192.168.20.3
Should just remove the gate way from this interface then for mdns and HA discovery to work?
Like you said, I was sometimes accessing vlan20 HA instance from my main LAN PC which is wrong as you mentioned.
If you are using the GUI of Home Assistant for network definitions, there is a way to set up an empty gateway easily: just enter ā0.0.0.0ā in every gateway field in each network interface (VLAN or not) that is not the main one (the one that you open the GUI in and usually the one that is set up first)
Thank you. Which network adaptor should choose in my case? The vlan adaptor or the default?