Add Unix socket support for Core communication with feature flag#6742
Add Unix socket support for Core communication with feature flag#6742
Conversation
Reintroduce Unix socket support for Supervisor-to-Core communication (reverted in #6735) with the addition of a feature flag gate. The feature is now controlled by the `core_unix_socket` feature flag and disabled by default. When enabled and Core version supports it, Supervisor communicates with Core via a Unix socket at /run/os/core.sock instead of TCP. This eliminates the need for access token authentication on the socket path, as Core authenticates the peer by the socket connection itself. Key changes: - Add FeatureFlag.CORE_UNIX_SOCKET to gate the feature - HomeAssistantAPI: transport-aware session/url/websocket management - WSClient: separate connect() (Unix, no auth) and connect_with_auth() (TCP) class methods with proper error handling - APIProxy delegates websocket setup to api.connect_websocket() - Container state tracking for Unix session lifecycle - CI builder mounts /run/supervisor for integration tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mdegat01
left a comment
mdegat01
left a comment
There was a problem hiding this comment.
Looks good. Largely the same code so can probably expediate it, especially since the bulk is now behind a feature flag. Had one small comment but seems ready to me.
If we start to build a bunch of these feature flags we may have to think of a documentation plan for them. For now though I might just recommend a comment somewhere to remind us that once this is turned on you must specifically call ha core rebuild to see it in action. A supervisor restart or even a host reboot won't turn it on alone since the container needs to be rebuilt with the new config.
| url: str, | ||
| token: str, | ||
| *, | ||
| max_msg_size: int = 4 * 1024 * 1024, |
There was a problem hiding this comment.
Does this need to be an argument? I know it was but do we currently change the default anywhere? This feels like an anti-pattern like how ruff now flags arguments called something like timeout as something to set at the object level and not allow to be set by clients on a per call basis.
2 participants
Proposed change
Reintroduce Unix socket support for Supervisor-to-Core communication, originally merged in #6590 and reverted in #6735. The key addition over the original PR is that the feature is now gated behind the
unix_socket_core_apifeature flag (introduced in #6719) and disabled by default.When enabled and Core version supports it, Supervisor communicates with Core via a Unix socket at
/run/os/core.sockinstead of TCP, eliminating the need for access token authentication on that path (Core authenticates the peer by the socket connection itself).TCP path improvements (active by default, no feature flag needed)
The original PR also refactored the TCP communication path. Hence, the following improvements apply regardless of the feature flag:
APIProxyandHomeAssistantWebSocketno longer implement their own auth handshakes. Both delegate toapi.connect_websocket(), eliminating duplicate auth/retry logic.WSClient.connect_with_auth()proper error handling: The old version didn't close the websocket on failure or handle unexpected message types. It now closes the connection on any error and wraps unexpected exceptions inHomeAssistantAPIError.make_request()early bail on stopped container: Checksis_running()before attempting a request, giving a clear error instead of a cryptic connection failure.get_core_state()response validation: Now raisesHomeAssistantAPIErrorif the response isNoneor not a dict (matching the validationget_config()already had).Type of change
Additional information
Checklist
ruff format supervisor tests)If API endpoints or add-on configuration are added/changed: