mirror of
https://github.com/home-assistant/supervisor.git
synced 2026-07-02 03:15:42 +01:00
6e062ca22b
As discussed in home-assistant/architecture#1034, apps using host networking get no isolation at all, while the default internal network cannot serve use cases like custom multicast protocols or interface selection on multi-homed hosts.

Allow users to assign apps with host networking an isolated endpoint on a physical interface instead: the container runs in bridge mode, attached to the internal hassio network (keeping ingress, API proxy and DNS plug-in communication unchanged) plus a Supervisor-managed macvlan network on the selected interface with a user-chosen static IPv4 and its own MAC address. The macvlan endpoint gets default route priority via GwPriority, which requires Docker 28; the feature is gated accordingly.

Docker allows only one macvlan network per parent interface, so these networks are a shared resource keyed by interface: created on demand from the host interface configuration via NetworkManager, recreated when that configuration changes and garbage collected once no installed app references them anymore. If the endpoint cannot be set up at app start (interface gone, subnet changed), the app falls back to host networking and a resolution issue is raised; a scheduled check detects such drift as well.

Apps with an isolated endpoint no longer run in the host network namespace, so the host network security rating penalty and the unprotected Docker gateway boot gate do not apply to them.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
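The commit message above describes a lifecycle for the per-interface macvlan networks: Docker version gating, creation on demand from the host interface configuration, recreation when that configuration changes, fallback to host networking with an issue when the endpoint cannot be set up, a scheduled drift check, and garbage collection once no installed app references the interface. The following is an added example that models that lifecycle in Python; it is not Supervisor's code and is not taken from the commit. Docker and NetworkManager are replaced by in-memory records, and the class and method names (`MacvlanManager`, `ensure_network`, `endpoint_for`, `check_drift`, `garbage_collect`), the `mode`/`issue` result keys and the `macvlan_<iface>` network name are all this example's own assumptions.

```python
"""Added illustration of a per-interface macvlan network lifecycle (not Supervisor code).
Docker and NetworkManager are stand-ins: in-memory records only (assumption)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface
from typing import Dict, Iterable, List, Optional

MIN_DOCKER_MAJOR = 28  # GwPriority needs Docker 28, per the commit message


def supports_gw_priority(docker_version: str) -> bool:
    """Feature gate: accept 'MAJOR.MINOR.PATCH' strings and require MAJOR >= 28."""
    try:
        major = int(docker_version.split(".")[0])
    except ValueError:
        return False
    return major >= MIN_DOCKER_MAJOR


@dataclass
class HostInterface:
    """What the host (NetworkManager) reports for one physical interface (constructed)."""
    name: str
    address: str  # CIDR of the host's own address, e.g. "192.168.1.20/24"
    gateway: str

    @property
    def subnet(self) -> IPv4Network:
        return ip_interface(self.address).network


@dataclass
class MacvlanNetwork:
    """Docker allows one macvlan network per parent interface, so the parent is the key."""
    parent: str
    subnet: IPv4Network
    gateway: IPv4Address


@dataclass
class AppNetConfig:
    slug: str
    interface: str
    ip: str  # user-chosen static IPv4 that must lie on the interface's subnet


class MacvlanManager:
    def __init__(self, host_ifaces: Iterable[HostInterface], docker_version: str):
        self.host: Dict[str, HostInterface] = {i.name: i for i in host_ifaces}
        self.networks: Dict[str, MacvlanNetwork] = {}
        self.enabled = supports_gw_priority(docker_version)

    def ensure_network(self, iface: str) -> Optional[MacvlanNetwork]:
        """Create on demand; recreate when the host subnet or gateway changed;
        drop the network and return None when the interface is gone."""
        host = self.host.get(iface)
        if host is None:
            self.networks.pop(iface, None)
            return None
        want = (host.subnet, ip_address(host.gateway))
        net = self.networks.get(iface)
        if net is None or (net.subnet, net.gateway) != want:
            net = MacvlanNetwork(iface, *want)
            self.networks[iface] = net
        return net

    def endpoint_for(self, app: AppNetConfig) -> dict:
        """Decide the start-time network mode. 'mode'/'issue' keys are this example's own:
        any failure falls back to host networking and names the issue to raise."""
        if not self.enabled:
            return {"mode": "host", "issue": "docker_too_old"}
        net = self.ensure_network(app.interface)
        if net is None:
            return {"mode": "host", "issue": "interface_missing"}
        if ip_address(app.ip) not in net.subnet:
            return {"mode": "host", "issue": "ip_outside_subnet"}
        # Bridge mode: internal hassio network plus the macvlan endpoint, which gets the
        # higher gateway priority so its gateway becomes the container's default route.
        return {"mode": "bridge",
                "networks": {"hassio": 0, f"macvlan_{app.interface}": 1},
                "ip": app.ip}

    def check_drift(self, installed: Iterable[AppNetConfig]) -> List[str]:
        """Scheduled check: slugs of apps whose isolated endpoint can no longer be set up."""
        return [a.slug for a in installed if self.endpoint_for(a)["mode"] == "host"]

    def garbage_collect(self, installed: Iterable[AppNetConfig]) -> List[str]:
        """Remove macvlan networks no installed app references; return removed parents."""
        referenced = {a.interface for a in installed}
        removed = sorted(i for i in self.networks if i not in referenced)
        for iface in removed:
            del self.networks[iface]
        return removed
```

The shared-resource handling is the part worth reading closely: `ensure_network` compares the stored subnet and gateway against the current host configuration on every app start, so a changed subnet replaces the network rather than silently attaching the app to a stale one, and an app whose static IP no longer fits the new subnet is sent to the host-networking fallback with a named issue instead of being started with an unreachable address.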