Openhab running as docker under root? (libre elec)

Hi,
Can openhab run on a docker host machine that has only root user?

The documentation specifies that openhab user needs to be created on the host, but that is not possible on LibreELEC, which is a read only kodi appliance that runs docker…

Is there any way that inside the container it uses openhab but no such user exists outside? Is the problem related only to the permissions of files inside /etc/openhab, which would have to be root?
In case of running on a machine with only the root user, what to define here?

-e USER_ID=<uid> \
-e GROUP_ID=<gid> \

Will the container run if I delete these 2 lines and don't define anything?
Any other expected issues? I found some folks had errors like "OpenJDK Client VM warning: No monotonic clock was available" and solved it by installing libseccomp2; this will again not be possible on LibreELEC.

I am looking into options of moving out of my old trusty RPI3B+ as OH5 will transition to 64bit java…
I believe many folks will soon be in the same boat (32bit arm platform…)
My Kodi LibreELEC machine is a beefy HP EliteDesk micro PC with an i5 and 16 GB RAM that has plenty of power for Docker containers (already running mariadb, influxdb, transmission, grafana etc.).
In that case I would have to leave zigbee2mqtt, mosquitto, knxd behind on the RPi3. For Z-Wave I would try ser2net (Share Z-wave dongle over IP (USB over IP using ser2net / socat ) guide).

Of course I could abandon this idea and just buy an RPi5 or something and migrate the OH setup to that. To be honest I don't know which scenario is more work, but in any case it ain't gonna be easy…
And of course the new machine (or Docker) will need to match my 4.2 version, then restore backup, then upgrade to 5…

If it’s read only how do you intend to save configuration changes, logs, and persistence? OH needs to be able to both read and write to the file system.

Sure, but only if you don't mount a volume from the host machine into the container, which means you lose everything every time you change the container. And even then that assumes that writing is allowed. Even if you don't mount a volume, the container will write stuff to disk.

Sure, it will default those to uid 9001, which is most decidedly not root, which has a uid of 0.

How is user management handled for these? How is this data saved on a read only system?

Ultimately, the container starts up as root. It changes the permissions and ownership of all the files and folders used by OH to the passed-in UID/GID (or 9001:9001 if using the defaults) and then drops root and runs OH as the passed-in UID/GID (9001:9001 if using the defaults). All files read by and written to by OH will be owned by the passed-in UID/GID.

If that user does not exist on the host OS I don't know what will happen. It might work and it might cause problems to have files, folders and processes running under a user that doesn't exist in /etc/passwd.

You can maybe try to run as root by passing in 0 for the UID/GID. It's generally considered a bad idea to run any service as root, though, but that seems to be what LibreELEC has chosen to do. They seem to be primarily concerned with users messing things up rather than with compromise and exploitation of the machine. I'm kind of glad I don't run it any more if that's their approach to security.

Only the root / of the LibreELEC system is RO, so you cannot install stuff, add users or mess with the system.
You can of course write to /storage/docker and you can mount Docker volumes to containers that you keep there. Also Kodi keeps its config in /storage/.kodi and you can preserve some settings like cron, bash history, startup scripts etc. in /storage/.config.

All my other containers run as root; I think this is the only way on this system, as root is the only user. There is no sudo as well :slight_smile:
I agree it's not very secure or best practice…
It's a minimal appliance-like system that was not designed to run stuff in containers or do anything else than watch TV, yet someone made it possible :slight_smile:

Another way would be to install Debian server, install Kodi and make it the default window manager, so it's the default (and only) GUI the server boots to, and then install Proxmox on that Debian and have complete freedom on the system.
This is for people like me who want to minimize the number of 24/7 machines around the house…

In theory you can have a fully declarative, file-based openHAB install that will not need anything to write to except a ramdisk. If you configure bindings in addons.cfg and cfg files and then use things/items/sitemaps/rules, you can potentially deploy everything without having to touch the UI once. I don't think it would be easy, though; I do almost everything with files, but binding install and binding config are done via the UI, and most things are discovered through the UI as well. Of course RRD DBs will not be persistent.

There is no need to have that user id / group id on the host. In fact, when you use user namespaces you explicitly map users to a uid/gid that does not exist on the host, to prevent the container process from breaking out of its container (Isolate containers with a user namespace | Docker Docs).

OK, great, so I can run it with a random/non-existent uid/gid.
I definitely want /etc/openhab outside the container as I rely heavily on editing items and things files…
Also, where is openHAB storing its internal config database? Would it be wise to keep that folder outside of the container? Also maybe the entire /var/lib/openhab?

In the past I used LibreELEC as well and before that OpenELEC. However, since I bought a Sony TV with Google TV I simply installed Kodi on it from the Play Store. I haven't used LibreELEC since.

So, here's what I would do if your budget allows. I'd buy a Google TV Streamer or an nVidia Shield and install Kodi on it. Then you have the HP EliteDesk available to run openHAB and any other Docker container you can think of.


Follow the docs. Docker | openHAB

All the folders listed (the -v arguments) need to have a volume mounted into the container.

Note that the paths inside the container do not match the paths of an apt-installed OH. /openhab/userdata is the folder where OH saves anything done through the UI.
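As an added example, not from this thread or from the openHAB project, here is a small POSIX shell script that ties together the two points made above: the container chowns its files to the passed-in UID/GID and drops root (so a non-root id that does not exist in the host's /etc/passwd is fine), and every folder the docs list must be mounted as a volume from a writable host path. It assumes a writable base directory of /storage/docker/openhab (as described for LibreELEC earlier in the thread), the default 9001:9001 ids, the image's /openhab/conf, /openhab/userdata and /openhab/addons paths, the `--net=host` and `--restart=always` flags the openHAB Docker docs use, and an image tag (4.2.0) chosen to match the poster's "4.2 version"; all of these are assumptions you should adjust. The script only prepares directories and prints the `docker run` line; it does not start anything.

```shell
#!/bin/sh
# Added example (not the thread's or openHAB's own code).
# Assumed defaults; override via environment before sourcing or running.
OPENHAB_BASE="${OPENHAB_BASE:-/storage/docker/openhab}"   # writable host path (assumed)
OPENHAB_UID="${OPENHAB_UID:-9001}"                         # image default, non-root
OPENHAB_GID="${OPENHAB_GID:-9001}"                         # image default, non-root
OPENHAB_IMAGE="${OPENHAB_IMAGE:-openhab/openhab:4.2.0}"    # assumed tag

# Returns 0 if the numeric uid has an /etc/passwd entry on the host, 1 otherwise.
# The container does not need this to succeed; it is informational only.
uid_exists_on_host() {
    cut -d: -f3 /etc/passwd 2>/dev/null | grep -qx "$1"
}

# Create the three host directories that will be mounted into the container.
# When run as root, pre-own them for the container's uid/gid so the entrypoint
# has less to chown; a uid absent from /etc/passwd is accepted by chown.
prepare_openhab_dirs() {
    base="$1"
    for d in conf userdata addons; do
        mkdir -p "$base/$d" || return 1
    done
    if [ "$(id -u)" = "0" ]; then
        chown -R "$OPENHAB_UID:$OPENHAB_GID" "$base" || return 1
    fi
    return 0
}

# Print (do not execute) the docker run command for the given base dir and ids.
openhab_docker_cmd() {
    base="$1"; uid="$2"; gid="$3"; image="$4"
    printf '%s' "docker run -d --name openhab --net=host --restart=always"
    printf ' -v %s/conf:/openhab/conf' "$base"
    printf ' -v %s/userdata:/openhab/userdata' "$base"   # UI changes land here
    printf ' -v %s/addons:/openhab/addons' "$base"
    printf ' -e USER_ID=%s -e GROUP_ID=%s' "$uid" "$gid"
    printf ' %s\n' "$image"
}

# Non-destructive usage: report on the chosen uid and show the command.
if uid_exists_on_host "$OPENHAB_UID"; then
    echo "uid $OPENHAB_UID exists in /etc/passwd (not required)"
else
    echo "uid $OPENHAB_UID has no /etc/passwd entry; the container still runs as it"
fi
openhab_docker_cmd "$OPENHAB_BASE" "$OPENHAB_UID" "$OPENHAB_GID" "$OPENHAB_IMAGE"
```

Run `prepare_openhab_dirs "$OPENHAB_BASE"` once (as root on LibreELEC, since that is the only user), then paste the printed command. Passing `-e USER_ID=0 -e GROUP_ID=0` would make openHAB itself run as root inside the container, which is the option discussed above and the one to avoid when the default 9001:9001 works.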

Yeah, I came from OpenELEC, so I've been on that system for more than a decade… hard to let go.
I don't like Android… sooner or later the machine gets obsolete and then you end up with crappy Android 9 forever :slight_smile:
A smart TV install is not an option because I use Kodi as an audio streamer as well; openHAB fires up some internet radio stations when the house becomes occupied, etc., so basically I run Kodi 24/7.
But I am considering some LibreELEC / CoreELEC capable machine to release the HP machine and turn it into a Proxmox host, as I see this became popular: a monolith design where you run all your stuff on one machine, including router/firewall…