zlacker

[parent] [thread] 7 comments
1. wkat42+(OP)[view] [source] 2023-09-27 03:40:07
The idea is that you give it root on a VM or on a docker container.

You don't give it root on your desktop linux system you do all your sensitive stuff on of course. That makes zero sense. Home assistant really runs great even on a cheap raspberry pi if you don't have a VM- or dockerserver.

replies(2): >>h2odra+I3 >>mindsl+Un2
2. h2odra+I3[view] [source] 2023-09-27 04:08:14
>>wkat42+(OP)
thus "sacrificial toy boxes"

also, your faith in "VM" insulation appaears greater than mine. if i dont trust a VM i dont trust the host running the VM.

others have different opinions and that's ok. my systems run to my standards, however quirky they may be. im stating opinion here, not attempting to inscribe Sysadmin Commandments. them's written on the wall of the bathroom stall.

edit: just for reference, the last cpu i could say i trusted was before speculative execution was a feature. since then its more about risk mitigation. i'm not paranoid, there's people worse than me, and they're nuts. I'm just cautious and lazy.

replies(3): >>hsbaua+46 >>guraf+b7 >>wkat42+F8
◧◩
3. hsbaua+46[view] [source] [discussion] 2023-09-27 04:26:04
>>h2odra+I3
If you don’t trust your hypervisor, buy a pi or cheap nuc, but also your hypervisor being 0day’d is probably far less likely than one of the thousands of apps in $PATH being compromised or malicious.
◧◩
4. guraf+b7[view] [source] [discussion] 2023-09-27 04:34:02
>>h2odra+I3
I understand not fully trusting docker, you have to trust several levels of kernel features and configuration, plus it shits all over your firewall like it owns the place.

Real virtualization is a bit more airtight, though. There have been some escape exploits but they all abused drivers that you wouldn't use heedless (shared folders, VGA, PCIe passthrough), not the virtualization layer. But that's a distinction without a different, really, so good on you for being careful!

◧◩
5. wkat42+F8[view] [source] [discussion] 2023-09-27 04:46:23
>>h2odra+I3
Home assistant isn't malware, it's a major open source project that is well understood.

This isn't some binary you downloaded from a Russian forum. VM isolation is more than enough.

replies(1): >>JohnFe+Ju1
◧◩◪
6. JohnFe+Ju1[view] [source] [discussion] 2023-09-27 14:52:15
>>wkat42+F8
If it's so trustworthy, why do you even need a VM?
replies(1): >>LtdJor+vrb
7. mindsl+Un2[view] [source] 2023-09-27 18:21:37
>>wkat42+(OP)
The problem then becomes maintaining it - backing up the config, debugging errors, etc. I ran Home Assistant for a while with their docker method on an otherwise stable server. One day it just shit the bed out of the blue. I wasn't going to spend the time digging into its own bespoke Linux userland to figure out how to figure out what was wrong, and I wasn't going to pave over it and spend the time redoing my meager config. In my book, software that is going to be relied upon gets installed through a distro's package manager, and last time I checked Home Assistant's maintainers are actively opposed to that.
◧◩◪◨
8. LtdJor+vrb[view] [source] [discussion] 2023-09-30 08:49:38
>>JohnFe+Ju1
Because it is a long running process, and it has plugins. Amd because both the container and the VM are premade, you don't even have to install, you just run them.

You can extend the container image with your own Dockerfile.

[go to top]