roles/homeassistant: Install in a virtualenv
Because the Home Assistant user's home directory is on `/var`, Python packages installed in the "user site" do not get the correct SELinux labels and thus run in the wrong domain. This causes a lot of AVC denials and other issues that prevent Home Assistant from working correctly. To resolve this issue, Home Assistant is now installed in a virtual environment at `/usr/local/homeassistant`. This directory is still owned by the Home Assistant user, allowing Home Assistant to manage packages installed there. Since it is rooted under `/usr`, files are labelled correctly and processes launched from executables there will run in the correct domain.
@@ -1,7 +1,13 @@
|
||||
- name: load architecture-specific values
|
||||
include_vars: '{{ item }}'
|
||||
with_first_found:
|
||||
- '{{ ansible_architecture }}.yml'
|
||||
- defaults.yml
|
||||
|
||||
- name: ensure system dependencies are installed
|
||||
package:
|
||||
name:
|
||||
- python3-pip
|
||||
name: >-
|
||||
{{ homeassistant_common_system_deps + homeassistant_arch_system_deps }}
|
||||
state: present
|
||||
tags:
|
||||
- install
|
||||
@@ -12,18 +18,46 @@
|
||||
system: true
|
||||
home: /var/lib/homeassistant
|
||||
|
||||
- name: ensure homeassistant tmp dir exists
|
||||
file:
|
||||
path: /var/lib/homeassistant/tmp
|
||||
mode: '0700'
|
||||
owner: homeassistant
|
||||
group: homeassistant
|
||||
state: directory
|
||||
|
||||
- name: ensure homeassistant install dir exists
|
||||
file:
|
||||
path: /usr/local/homeassistant
|
||||
mode: '0755'
|
||||
owner: homeassistant
|
||||
group: homeassistant
|
||||
state: directory
|
||||
- name: ensure homeassistant is installed
|
||||
environment:
|
||||
TMPDIR: /var/lib/homeassistant/tmp
|
||||
become: true
|
||||
become_user: homeassistant
|
||||
pip:
|
||||
name: homeassistant
|
||||
extra_args: >-
|
||||
--user
|
||||
--prefer-binary
|
||||
virtualenv: /usr/local/homeassistant
|
||||
virtualenv_command: '/usr/bin/python3 -m venv'
|
||||
|
||||
- name: ensure selinux file context map is correct for home assistant dir
|
||||
sefcontext:
|
||||
ftype: a
|
||||
setype: bin_t
|
||||
target: /usr/local/homeassistant/bin(/.*)?
|
||||
state: present
|
||||
notify: relabel home assistant dir
|
||||
|
||||
- name: ensure homeassistant entry point is installed
|
||||
copy:
|
||||
src: hass.sh
|
||||
dest: /usr/local/bin/hass
|
||||
setype: bin_t
|
||||
mode: '0755'
|
||||
notify:
|
||||
- restart homeassistant
|
||||
|
||||
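Review bot: The install-dir task creates `/usr/local/homeassistant` with `owner: homeassistant`, and the `sefcontext` task labels its `bin/` as `bin_t`, so the service account can rewrite the interpreter and entry points it is later started from. The commit message presents this as deliberate so Home Assistant can manage its own packages, but it also means a compromised Home Assistant process could persist by editing the venv, and anything a more privileged user runs from that tree executes service-writable code. I would record the trade-off next to the task, e.g. `# venv is writable by the homeassistant user by design; nothing under it should ever be executed as root`, and confirm that the service unit (not visible in this diff) runs as `homeassistant`. Separately, the pip task's `name: homeassistant` carries no `version:`, so each fresh host installs whatever release the index serves at that moment; pinning a version would make the installed code reproducible and reviewable.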