mirror of https://github.com/home-assistant/supervisor.git synced 2026-07-02 03:15:42 +01:00
Stefan Agner 6e062ca22b Add isolated physical network access for apps
As discussed in home-assistant/architecture#1034, apps using host
networking get no isolation at all, while the default internal network
cannot serve use cases like custom multicast protocols or interface
selection on multi-homed hosts.

Allow users to assign apps with host networking an isolated endpoint on
a physical interface instead: the container runs in bridge mode,
attached to the internal hassio network (keeping ingress, API proxy and
DNS plug-in communication unchanged) plus a Supervisor-managed macvlan
network on the selected interface with a user-chosen static IPv4 and
its own MAC address. The macvlan endpoint gets default route priority
via GwPriority, which requires Docker 28; the feature is gated
accordingly.

Docker allows only one macvlan network per parent interface, so these
networks are a shared resource keyed by interface: created on demand
from the host interface configuration via NetworkManager, recreated
when that configuration changed and garbage collected once no installed
app references them anymore.

If the endpoint cannot be set up at app start (interface gone, subnet
changed), the app falls back to host networking and a resolution issue
is raised; a scheduled check detects such drift as well. Apps with an
isolated endpoint no longer run in the host network namespace, so the
host network security rating penalty and the unprotected Docker gateway
boot gate do not apply to them.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 16:54:37 +02:00