
Move away from using privileged for device mounts #247

Closed
Ornias1993 opened this issue Mar 7, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@Ornias1993
Member

Is your feature request related to a problem? Please describe.
Currently we use/advise privileged for basic device mounts.
This is bad advice and a significant security concern.

Describe the solution you'd like
Need to find and set the correct securityContext capabilities as needed for mounting devices.

@Ornias1993 Ornias1993 added the enhancement New feature or request label Mar 7, 2021
@tprelog
Contributor

tprelog commented Mar 7, 2021

The requirements for this are still a good bit above my (current) level...

There's a related issue for Z-Wave to MQTT here - although it's for the non JS version, I believe the same would apply

@Ornias1993
Member Author

Ornias1993 commented Mar 7, 2021

@tprelog I think you heavily underestimate your current level...

it's nothing more than adding capabilities using:

```yaml
securityContext:
  capabilities:
    add:
      - THIS_IS_A_CAPABILITY
```

I think you're pretty decent in wiki hunting for the right capabilities ;-)

Indeed like the link, linked in your link:
https://github.com/chaos-mesh/chaos-mesh/pull/1126/files

The thing is: privileged gives ALL permissions, even if we halve them that's a win security wise.

Don't worry it's not something that needs to be rushed though ^^

But I also think it's something that might be of interest for you in the long run, considering USB devices are quite relevant for Zwave and HASS.

@Ornias1993
Member Author

Research indicates the following:
supplementalGroups can be used to use devices as non-root users inside containers.

However:
Even when running non-root, privileged true is required for USB mounts and (possibly) for other devices mounted via the storage system.
I'm not sure if this is required for graphics and/or graphics mounted via resources, it might.
In both cases there is not really a sane workaround however.

The supplementalGroups feature has been added to staging (#216) and hence this can be closed!
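As an added example (not from this thread or the TrueCharts charts), a pod spec that exposes a serial device the way the research above describes: non-root, `supplementalGroups` for the device's owning group, and no `privileged: true`. The pod name, image, device path and the `dialout` group id 20 are assumptions for a Debian-style host.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: zwave-device-example          # hypothetical pod name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                   # assumed unprivileged uid
    # Group that owns the device node on the host. Assumed: dialout = 20
    # on Debian-style hosts; confirm with `ls -l /dev/ttyUSB0` on the node.
    supplementalGroups: [20]
  containers:
    - name: app
      image: example.invalid/zwave-app:latest   # placeholder image
      securityContext:
        privileged: false             # the setting this issue moves away from
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]               # add back only what the workload needs
      volumeMounts:
        - name: zwave-stick
          mountPath: /dev/ttyUSB0
  volumes:
    - name: zwave-stick
      hostPath:
        path: /dev/ttyUSB0            # assumed device path on the node
        type: CharDevice              # pod fails early if the node lacks it
```

As the comment above notes, a hostPath bind of a device node does not by itself add a device-cgroup allow rule, so on common runtimes this still fails without `privileged: true` or a device plugin that whitelists the device; the manifest shows the shape of the reduced-privilege configuration, not a guarantee that the runtime will permit it.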

@truecharts-admin
Collaborator

This issue is locked to prevent necro-posting on closed issues. Please create a new issue or contact staff on Discord if the problem persists.

@truecharts truecharts locked and limited conversation to collaborators Feb 9, 2023