DHCP Discovery - Operation not permitted #62188

Closed
bserrao opened this issue Dec 17, 2021 · 10 comments
bserrao commented Dec 17, 2021

The problem

I'm seeing this error (Cannot watch for dhcp packets: [Errno 1] Operation not permitted) in the Home Assistant log. As a result, some integrations that rely on this don't work properly.
I'm running a Home Assistant container on Fedora CoreOS and I've already disabled SELinux.
Any clue why this is happening?

What version of Home Assistant Core has the issue?

core-2021.12.2

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

DHCP Discovery

Link to integration documentation on our website

https://www.home-assistant.io/integrations/dhcp

Example YAML snippet

No response

Anything in the logs that might be useful for us?

Logger: homeassistant.components.dhcp
Source: components/dhcp/__init__.py:372
Integration: DHCP Discovery (documentation, issues)
First occurred: 11:47:30 AM (1 occurrences)
Last logged: 11:47:30 AM

Cannot watch for dhcp packets: [Errno 1] Operation not permitted

Additional information

No response

@probot-home-assistant

dhcp documentation
dhcp source
(message by IssueLinks)

@probot-home-assistant

Hey there @bdraco, mind taking a look at this issue as it has been labeled with an integration (dhcp) you are listed as a code owner for? Thanks!
(message by CodeOwnersMention)

frenck commented Dec 17, 2021

Could you provide information on how you run this container, so we can reproduce it?

bserrao commented Dec 17, 2021

Sure. Also, I've found the issue... it's not directly related to HA.
I'm running the container with podman... I've looked at the code and the scapy documentation and did some experiments... So I think the problem is that scapy, running inside the container, needs root access or at least CAP_NET_RAW, and podman isn't providing that, even if I run it with the privileged flag.

Because I don't think this is a "supported" setup, I guess we can close this issue.
I'll continue to look into it, and if I find a solution I'll put it here so it could help others...
Also found this (RedHat - Running Home Assistant with Podman); I wonder if they don't have the same issue...

bserrao commented Dec 17, 2021

I've managed to solve this.
Running the podman container with --cap-add=CAP_NET_RAW,CAP_NET_BIND_SERVICE and removing --network=host solved this issue.

Thanks a lot for your work and sorry for taking your time.

@bserrao bserrao closed this as completed Dec 17, 2021
@JHBoricua

I've managed to solve this. Running podman container with --cap-add=CAP_NET_RAW,CAP_NET_BIND_SERVICE and removing --network=host solved this issue.

Thanks a lot for your work and sorry for taking your time.

Hi @bserrao, can you share the config you used to deploy the container in Podman after figuring out the above? I assume that since you removed host networking you now have a port mapping for at least 8123?

bserrao commented Dec 29, 2021

Hey there @JHBoricua, sure...

podman run -d --name homeassistant --cap-add=CAP_NET_RAW,CAP_NET_BIND_SERVICE --restart=unless-stopped -p 8123:8123 -v /etc/localtime:/etc/localtime:ro -v ~/hass/config:/config:Z -v ~/hass/media:/media:Z --pull=always homeassistant/home-assistant:stable

jeffgoh commented Jan 2, 2022

This seems to have been true even for earlier home-assistant containers, and probably crept in as a change by Red Hat to improve podman security vis-à-vis docker in terms of limiting container capabilities.

To make this work for myself, podman needs CAP_NET_RAW (basically DHCP Discovery/Inspection is running a sniffer on the network, hence the RAW). This seems to be true even for rooted containers (I had thought it only applied to rootless). Either -p or host doesn't change whether discovery works. CAP_NET_BIND_SERVICE only matters if listening below port 1000, I believe, so the minimum change is to add this stanza:

--cap-add=CAP_NET_RAW
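The comments above identify CAP_NET_RAW as the capability the DHCP sniffer needs and CAP_NET_BIND_SERVICE as unrelated to it. A quick way to confirm what a container actually received, rather than what the `podman run` line asked for, is to decode the effective-capability bitmask the kernel exposes in `/proc/<pid>/status`. The script below is an added example, not code from the thread or from Home Assistant; the bit numbers are the kernel's (`include/uapi/linux/capability.h`), and the two sample masks are constructed for illustration, not captured from anyone's system.

```shell
#!/bin/sh
# Added example: decode a Linux CapEff mask (as printed in /proc/<pid>/status)
# and check for the two capabilities discussed in the thread.
# Bit numbers from the kernel's include/uapi/linux/capability.h:
CAP_NET_BIND_SERVICE=10   # bind to ports below 1024
CAP_NET_RAW=13            # open packet/raw sockets; what a DHCP sniffer needs

# has_cap HEXMASK BIT -> succeeds when BIT is set in HEXMASK (0x prefix optional).
has_cap() {
  mask=$(( 0x${1#0x} ))
  bit="$2"
  [ $(( (mask >> bit) & 1 )) -eq 1 ]
}

# capeff_of [PID] -> prints the effective-capability mask of a running process.
# Inside the container, PID 1 is the entrypoint, so
#   podman exec homeassistant sh -c 'grep CapEff /proc/1/status'
# shows what the container really got, regardless of the run command used.
capeff_of() {
  awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# dhcp_caps_ok HEXMASK -> reports both capabilities and succeeds only when
# CAP_NET_RAW is present; a missing CAP_NET_BIND_SERVICE is informational.
dhcp_caps_ok() {
  if has_cap "$1" "$CAP_NET_BIND_SERVICE"; then
    echo "CAP_NET_BIND_SERVICE: present"
  else
    echo "CAP_NET_BIND_SERVICE: missing (only matters for ports below 1024)"
  fi
  if has_cap "$1" "$CAP_NET_RAW"; then
    echo "CAP_NET_RAW: present"
    return 0
  fi
  echo "CAP_NET_RAW: MISSING -> a packet socket open fails with EPERM"
  return 1
}

# Constructed sample masks (not taken from the reporters' systems):
# WITH_RAW has bit 13 set; NO_RAW is the same set with bit 13 cleared.
WITH_RAW=00000000a80425fb
NO_RAW=00000000800405fb

dhcp_caps_ok "$WITH_RAW"
dhcp_caps_ok "$NO_RAW" || echo "-> add --cap-add=CAP_NET_RAW to the podman run line"
```

Running `dhcp_caps_ok "$(capeff_of 1)"` inside the container (via `podman exec`) tells you in one step whether the `--cap-add` reached the process that scapy runs in; a stale container started without the flag will still report CAP_NET_RAW as missing even after the run command has been corrected.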

@JHBoricua

Sadly even after adding CAP_NET_RAW and CAP_NET_BIND_SERVICE it still throws the error message Cannot watch for dhcp packets: [Errno 1] Operation not permitted on my podman deployment. Will keep digging more on this.

stooke commented Jan 18, 2022

@JHBoricua when I experienced this, it was because I hadn't deleted the old container.

@github-actions github-actions bot locked and limited conversation to collaborators Feb 17, 2022