readme: about section about network stack/namespace & home assistant;…

… fix instructions for docker; changelog: document now required access to D-Bus system socket
fphammerle · Nov 5, 2023 · 62fb2e2 · 62fb2e2
1 parent e964cce
commit 62fb2e2
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - TLS now enabled by default (disable via `--mqtt-disable-tls`)
 - require `PySwitchbot>=0.14.0,<0.41` instead of `PySwitchbot>=0.10.0,<0.13`
+- switchbot-mqtt now requires access to the D-Bus' system socket
+  `/var/run/dbus/system_bus_socket`
+  as `bleak` controls bluetooth via BlueZ over D-Bus.
+  access to network namespace containing bluetooth interface is thus
+  no longer required.
 - `--fetch-device-info` no longer requires `CAP_NET_ADMIN`
   (bluepy-helper replaced with bleak)
 - replaced [paho-mqtt](https://github.com/eclipse/paho.mqtt.python)

diff --git a/README.md b/README.md
@@ -116,21 +116,18 @@ When disconnecting (graceful shutdown or unexpected loss of connection), `offlin
 
 Why not use the official [SwitchBot integration](https://www.home-assistant.io/integrations/switchbot/)?
 
-I prefer not to share the host's **network stack** with home assistant
+Older versions of pySwitchbot (before bleak replaced bluepy) required access to the host's **network stack**.
+I prefer not to share the host's network stack with home assistant's container
 (more complicated network setup
 and additional [netfilter](https://en.wikipedia.org/wiki/Netfilter) rules required for isolation).
 
 Sadly, `docker run --network host` even requires `--userns host`:
 > docker: Error response from daemon: cannot share the host's network namespace when user namespaces are enabled.
 
-The docker image built from this repository works around this limitation
-by explicitly running as an **unprivileged user**.
-
 The [official home assistant image](https://hub.docker.com/r/homeassistant/home-assistant)
 runs as `root`.
 This imposes an unnecessary security risk, especially when disabling user namespace remapping
 (`--userns host`).
-See https://github.com/fphammerle/docker-home-assistant for an alternative.
 
 ### Setup
 
@@ -166,7 +163,8 @@ Annotation of signed tags `docker/*` contains docker image digests: https://gith
 ```sh
 $ docker build -t switchbot-mqtt .
 $ docker run --name spelunca_switchbot \
-    --userns host --network host \
+    --userns host \
+    -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket \
     switchbot-mqtt:latest \
     switchbot-mqtt --mqtt-host HOSTNAME_OR_IP_ADDRESS
 ```
@@ -179,14 +177,15 @@ services:
   switchbot-mqtt:
     image: switchbot-mqtt
     container_name: switchbot-mqtt
-    network_mode: host
     userns_mode: host
     environment:
     - MQTT_HOST=localhost
     - MQTT_PORT=1883
     #- MQTT_USERNAME=username
     #- MQTT_PASSWORD=password
     #- FETCH_DEVICE_INFO=yes
+    volumes:
+    - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
     restart: unless-stopped
 ```