Add gladys assistant #1044
Changes from 3 commits
8f6b250
dcc73dd
00f40b5
3669552
9b4af0a
c20b585
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,20 @@ | ||||||
version: "3.7" | ||||||
|
||||||
services: | ||||||
web: | ||||||
image: gladysassistant/gladys:v4 | ||||||
restart: on-failure | ||||||
stop_grace_period: 1m | ||||||
privileged: true | ||||||
Why do you need it to be privileged?

@cicoub13 do you happen to know if all of the following are required for Gladys functionality:

In particular, I'm wondering how important binding the Docker socket is: This gives the Gladys container complete control of the Docker daemon, which we can't allow because Gladys can then issue Docker commands to the host's Docker daemon, where other app containers are running.

For the Docker daemon binding, it's needed from our side to create, restart other containers when a user adds an integration like Zigbee2Mqtt / MQTT / Node-Red. For the

We use the cgroup in Gladys to get Gladys current containerId in Docker ( https://github.com/GladysAssistant/Gladys/blob/master/server/lib/system/system.getGladysContainerId.js#L32 ) We use this to check if the container is in the correct state (network_mode = host for example). privileged is used for some integration like Bluetooth to be able to scan for Bluetooth devices. Home Assistant Umbrel integration uses it too: https://github.com/getumbrel/umbrel-apps/blob/master/home-assistant/docker-compose.yml#L8

Thanks very much for the explanations @cicoub13 and @Pierre-Gilles. Let me run this by Luke to figure out the best path forward.

@cicoub13 @Pierre-Gilles - understood regarding I have added some thoughts on the docker socket mount here: #1044 (comment)
||||||
network_mode: host | ||||||
Consider specifying only the ports you need to be accessible or using app-auth

Ah, I think for now the Gladys container will need to run in We have some ideas on how to get this to work with bridge networks in the future, but there isn't really a way to do this on umbrelOS right now.

Yes, exactly. We need host for because we are doing network discovery in local network https://demo.gladysassistant.com/dashboard/integration/device/lan-manager/config

Sounds good 👌
||||||
cgroup: host | ||||||
volumes: | ||||||
- ${APP_DATA_DIR}/gladysassistant:/var/lib/gladysassistant | ||||||
Suggested change

This is where app data is usually located

The If we want to bind This will future proof the data directory in the event that you add other containers to this app in the future, or you want to bind other directories in the future.

Let me check and fix that

I can do this and push a commit @cicoub13
||||||
- /var/run/docker.sock:/var/run/docker.sock | ||||||
- /dev:/dev | ||||||
This is really weird.

Binding the entire We can't know in advance what devices a user does or does not have plugged in, so we need to mount the entire This device issue is pretty tricky though. For example, let's just assume that the only device a user ever needs to plug in to work with Gladys gets connected as But there is a huge problem with this in Docker, which is that if the user does not have a device plugged in at

Exactly. We need to connect to existing or new plugged usb devices and there is no other way to do it. Home Assistant is doing the same here https://github.com/getumbrel/umbrel-apps/blob/master/home-assistant/docker-compose.yml#L11
||||||
- /run/udev:/run/udev:ro | ||||||
environment: | ||||||
NODE_ENV: production | ||||||
SQLITE_FILE_PATH: /var/lib/gladysassistant/gladys-production.db | ||||||
SERVER_PORT: 5081 | ||||||
TZ: Europe/Paris |
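Review bot: `privileged: true` combined with the read-write `/var/run/docker.sock` bind, `/dev:/dev`, `cgroup: host` and `network_mode: host` leaves no isolation boundary, so a compromise of the Gladys web service is a compromise of the host and of every other app container. If Bluetooth scanning is the only reason for `privileged`, replace it with the specific capabilities that integration needs, and put the Docker socket behind a proxy that allows only the container create and restart calls Gladys makes. Separately, `TZ: Europe/Paris` hard-codes one timezone for every install, and `image: gladysassistant/gladys:v4` is a mutable tag that should be pinned by digest.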
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
manifestVersion: 1 | ||
id: gladys-assistant | ||
category: automation | ||
name: Gladys Assistant | ||
version: "v4" | ||
tagline: A privacy-first, open-source home assistant | ||
description: >- | ||
Gladys Assistant is a privacy-first, open-source home assistant that | ||
runs on any Linux machine: a Raspberry Pi, a NAS, a VPS, or a server at home. | ||
developer: Pierre-Gilles Leymarie | ||
website: https://gladysassistant.com/ | ||
repo: https://github.com/GladysAssistant/Gladys | ||
support: https://en-community.gladysassistant.com | ||
dependencies: [] | ||
port: 5081 | ||
gallery: | ||
- 1.jpg | ||
- 2.jpg | ||
- 3.jpg | ||
path: "" | ||
defaultUsername: "" | ||
defaultPassword: "" | ||
releaseNotes: "" | ||
submitter: Cyril Beslay | ||
submission: https://github.com/getumbrel/umbrel/pull/1044 |
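Review bot: `version: "v4"` repeats the floating image tag, so the manifest does not identify which Gladys build was tested; set it to the concrete release that the pinned image corresponds to. Also check that `submission` points at this pull request: it uses `getumbrel/umbrel/pull/1044`, while the compose files linked elsewhere in this review live under `getumbrel/umbrel-apps`.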
It would be better to add a digest, so that the exact Dockerfile contents are pinned, not just the tag name.
Thanks @highghlow 🙏.
@cicoub13 the main reason to do this is that tags can be "overwritten" on docker hub by just pushing another image to the same tag (e.g., v4). If for some reason a newer image that breaks something gets accidentally or maliciously pushed to the same tag, then Docker will download this new image when new users install the app or when existing users restart their app.
Docker gives the highest priority to the digest, which locks-in the exact image referenced by the digest. So even if the v4 tag changes at some point, Docker will still download the image associated with the exact digest we have tested here.
If the recommendation is to fix the image with a hash, then do Pull Requests to update the image, I will follow it.
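The points raised in this review (tag-only image reference, `privileged`, host network and cgroup, Docker socket and `/dev` binds) can be checked mechanically before merge. The following is an added example, not code from this PR or from Umbrel; it is a line-based heuristic rather than a YAML parser, the function names are hypothetical, and `FAKE_DIGEST` is a constructed placeholder, not the real Gladys image digest.

```python
import re

# Constructed placeholder digest (64 hex chars); NOT the real Gladys digest.
FAKE_DIGEST = "sha256:" + "ab" * 32

# Constructed sample: the service definition as submitted in this PR.
COMPOSE_FROM_PR = """\
services:
  web:
    image: gladysassistant/gladys:v4
    privileged: true
    network_mode: host
    cgroup: host
    volumes:
      - ${APP_DATA_DIR}/gladysassistant:/var/lib/gladysassistant
      - /var/run/docker.sock:/var/run/docker.sock
      - /dev:/dev
      - /run/udev:/run/udev:ro
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def is_digest_pinned(image_ref: str) -> bool:
    """True only if the reference ends in a full sha256 digest."""
    return bool(DIGEST_RE.search(image_ref.strip().strip("\"'")))

# (finding id, regex matched against one stripped compose line)
RULES = [
    ("privileged", re.compile(r"^privileged:\s*true\b")),
    ("host-network", re.compile(r"^network_mode:\s*[\"']?host\b")),
    ("host-cgroup", re.compile(r"^cgroup:\s*[\"']?host\b")),
    ("docker-socket", re.compile(r"^-\s*[\"']?/var/run/docker\.sock:")),
    ("host-dev", re.compile(r"^-\s*[\"']?/dev:")),
]

def review_compose(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for the settings questioned here."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if line.startswith("image:") and not is_digest_pinned(line[len("image:"):]):
            findings.append((n, "unpinned-image"))
        for name, rx in RULES:
            if rx.match(line):
                findings.append((n, name))
    return findings

if __name__ == "__main__":
    for n, finding in review_compose(COMPOSE_FROM_PR):
        print(f"line {n}: {finding}")
```

A tag followed by a digest (`name:v4@sha256:...`) counts as pinned; a short or malformed digest does not.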
Thanks @cicoub13. I'll add this for you and do this one as well to make things easier: #1044 (comment)
multi-arch image digest added here: c20b585
An easy way to grab the digest when you know your image is multi-architecture is to run
and you will see the multi-arch digest in the output. For example: