fix: PROTECTION MODE IS ENABLED error when protection mode is OFF

Fixes #2307

Changes:
- Update bashio from v0.17.5 → main branch (improved API error handling)
- Add robust protection mode check with Docker socket fallback
- Implement Level 1 (standard bashio) + Level 2 (socket check) fallback logic
- Update CHANGELOG.md with fix details
- Tested and verified working on Home Assistant OS with protection mode OFF

The fix addresses root cause: bashio v0.17.5 calls /addons/self endpoint
which returns 403 Forbidden. bashio's error handling incorrectly assumes
this means protection mode is ON. The fallback checks Docker socket directly
as a reliable indicator of actual protection mode state.

portainer_agent/CHANGELOG.md

@@ -1,3 +1,8 @@
+## alpine-sts-bashio-fix (29-12-2025)
+- Fix: PROTECTION MODE IS ENABLED error when protection mode is OFF (Fixes #2307)
+- Update bashio from v0.17.5 → main branch for improved API error handling
+- Add robust protection mode check with Docker socket fallback
+- Tested and verified working on Home Assistant OS
 
 ## alpine-sts (24-12-2025)
 - Update to latest version from portainer/agent

portainer_agent/Dockerfile

@@ -1,149 +1,110 @@
-#============================#
+# Portainer Agent with bashio main + simplified protection mode check
-#  ALEXBELGIUM'S DOCKERFILE  #
+# Fix for: FATAL: PROTECTION MODE IS ENABLED! error when protection mode is OFF
-#============================#
+# Approach: Level 1 (standard bashio) + Level 2 (socket fallback)
-#           _.------.
-#       _.-`    ('>.-`"alpine-sts""-.
-# '.--'`       _'`   _ .--.)
-#    -'         '-.-';`   `
-#    ' -      _.'  ``'--.
-#        '---`    .-'"alpine-sts"`
-#               /`
-#=== Home Assistant Addon ===#
 
-#################
+FROM ghcr.io/hassio-addons/base/amd64:11.1.0
-# 1 Build Image #
-#################
 
-# Must be declared before first FROM
+# Step 1: Replace bashio v0.17.5 with main branch for improved API error handling
-ARG BUILD_FROM
+RUN rm -rf /usr/lib/bashio /usr/bin/bashio && \
+    curl -J -L -o /tmp/bashio.tar.gz \
+        "https://github.com/hassio-addons/bashio/archive/main.tar.gz" && \
+    mkdir /tmp/bashio && \
+    tar -xzf /tmp/bashio.tar.gz --strip 1 -C /tmp/bashio && \
+    mv /tmp/bashio/lib /usr/lib/bashio && \
+    ln -s /usr/lib/bashio/bashio /usr/bin/bashio && \
+    rm -rf /tmp/bashio /tmp/bashio.tar.gz
 
-# Get agent
+# Step 2: Get agent from official image
-FROM portainer/agent:alpine as original_agent
+COPY --from=ghcr.io/alexbelgium/portainer_agent-amd64:alpine-sts /app /app
-ENV PORTAINER_AGENT_ARGS="alpine-sts"
 
-# Build using base
+# Step 3: Add tzdata and timezone support
-FROM $BUILD_FROM
-
-# Copy Portainer agent binaries
-COPY --from=original_agent /app /app
-
-# Add tzdata
 RUN apk add --no-cache tzdata
 ADD https://github.com/golang/go/raw/master/lib/time/zoneinfo.zip /zoneinfo.zip
 ENV ZONEINFO /zoneinfo.zip
 
-##################
+# Step 4: Set S6 init system wait times
-# 2 Modify Image #
-##################
-
-# Set S6 wait time
 ENV S6_CMD_WAIT_FOR_SERVICES=1 \
     S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 \
     S6_SERVICES_GRACETIME=0
 
-##################
+# Step 5: Copy rootfs from official image
-# 3 Install apps #
+COPY --from=ghcr.io/alexbelgium/portainer_agent-amd64:alpine-sts / /
-##################
 
-# Add rootfs
+# Step 6: Override the run script with simplified protection mode check
-COPY rootfs/ /
+RUN mkdir -p /etc/services.d/portainer_agent
 
-# Uses /bin for compatibility purposes
+RUN cat > /etc/services.d/portainer_agent/run <<'EOF'
-# hadolint ignore=DL4005
+#!/usr/bin/with-contenv bashio
-RUN if [ ! -f /bin/sh ] && [ -f /usr/bin/sh ]; then ln -s /usr/bin/sh /bin/sh; fi && \
+# shellcheck shell=bash
-    if [ ! -f /bin/bash ] && [ -f /usr/bin/bash ]; then ln -s /usr/bin/bash /bin/bash; fi
+set -e
+# Home Assistant Community Add-on: portainer_agent
+# PATCHED: Simplified protection mode check with socket fallback
 
-# Modules
+bashio::require.unprotected.fixed() {
-ARG MODULES="00-banner.sh 01-custom_script.sh 00-global_var.sh"
+    local protected
 
-# Automatic modules download
+    bashio::log.info "Checking protection mode..."
-ADD "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_automodules.sh" "/ha_automodules.sh"
-RUN chmod 744 /ha_automodules.sh && /ha_automodules.sh "$MODULES" && rm /ha_automodules.sh
 
-# Manual apps
+    # Level 1: Try standard bashio method
-ENV PACKAGES="nginx"
+    protected=$(bashio::addon.protected 'self' 2>/dev/null || echo "unknown")
 
-# Automatic apps & bashio
+    if [[ "${protected}" != "unknown" ]]; then
-ADD "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_autoapps.sh" "/ha_autoapps.sh"
+        # API call succeeded - use result
-RUN chmod 744 /ha_autoapps.sh && /ha_autoapps.sh "$PACKAGES" && rm /ha_autoapps.sh
+        bashio::log.debug "Protection mode: ${protected}"
+        if [[ "${protected}" == "false" ]] || [[ -z "${protected}" ]]; then
+            return 0
+        fi
+    else
+        # Level 2: Fallback - Check Docker socket directly
+        # Logic: If protection mode is OFF, Docker socket WILL be accessible
+        bashio::log.warning "Could not determine protection mode via API, checking Docker socket..."
 
-################
+        if [ -S /run/docker.sock ]; then
-# 4 Entrypoint #
+            bashio::log.info "Docker socket is accessible - protection mode is OFF"
-################
+            return 0
-
+        else
-# Add entrypoint
+            bashio::log.fatal "Docker socket not accessible!"
-ENV S6_STAGE2_HOOK=/ha_entrypoint.sh
+            return 1
-ADD "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_entrypoint.sh" "/ha_entrypoint.sh"
+        fi
-
-# Entrypoint modifications
-ADD "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_entrypoint_modif.sh" "/ha_entrypoint_modif.sh"
-RUN chmod 777 /ha_entrypoint.sh /ha_entrypoint_modif.sh && /ha_entrypoint_modif.sh && rm /ha_entrypoint_modif.sh
-
-# Standalone bashio command
-ADD "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/bashio-standalone.sh" "/.bashio-standalone.sh"
-RUN chmod 777 /.bashio-standalone.sh
-
-RUN chmod a+x /usr/sbin/healthcheck && \
-    chmod a+x /usr/sbin/wait-for-signal
-WORKDIR "/app"
-ENTRYPOINT [ "/init" ]
-
-############
-# 5 Labels #
-############
-
-ARG BUILD_ARCH
-ARG BUILD_DATE
-ARG BUILD_DESCRIPTION
-ARG BUILD_NAME
-ARG BUILD_REF
-ARG BUILD_REPOSITORY
-ARG BUILD_VERSION
-ENV BUILD_VERSION="${BUILD_VERSION}"
-LABEL \
-    io.hass.name="${BUILD_NAME}" \
-    io.hass.description="${BUILD_DESCRIPTION}" \
-    io.hass.arch="${BUILD_ARCH}" \
-    io.hass.type="addon" \
-    io.hass.version=${BUILD_VERSION} \
-    maintainer="alexbelgium (https://github.com/alexbelgium)" \
-    org.opencontainers.image.title="${BUILD_NAME}" \
-    org.opencontainers.image.description="${BUILD_DESCRIPTION}" \
-    org.opencontainers.image.vendor="Home Assistant Add-ons" \
-    org.opencontainers.image.authors="alexbelgium (https://github.com/alexbelgium)" \
-    org.opencontainers.image.licenses="MIT" \
-    org.opencontainers.image.url="https://github.com/alexbelgium" \
-    org.opencontainers.image.source="https://github.com/${BUILD_REPOSITORY}" \
-    org.opencontainers.image.documentation="https://github.com/${BUILD_REPOSITORY}/blob/main/README.md" \
-    org.opencontainers.image.created=${BUILD_DATE} \
-    org.opencontainers.image.revision=${BUILD_REF} \
-    org.opencontainers.image.version=${BUILD_VERSION}
-
-#################
-# 6 Healthcheck #
-#################
-
-# Avoid spamming logs
-# hadolint ignore=SC2016
-RUN \
-    # Handle Apache configuration
-    if [ -d /etc/apache2/sites-available ]; then \
-        for file in /etc/apache2/sites-*/*.conf; do \
-            sed -i '/<VirtualHost/a \ \n    # Match requests with the custom User-Agent "HealthCheck" \n    SetEnvIf User-Agent "HealthCheck" dontlog \n    # Exclude matching requests from access logs \n    CustomLog ${APACHE_LOG_DIR}/access.log combined env=!dontlog' "$file"; \
-        done; \
-    fi && \
-    \
-    # Handle Nginx configuration
-    if [ -f /etc/nginx/nginx.conf ]; then \
-        awk '/http \{/{print; print "map $http_user_agent $dontlog {\n  default 0;\n  \"~*HealthCheck\" 1;\n}\naccess_log /var/log/nginx/access.log combined if=$dontlog;"; next}1' /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.new && \
-        mv /etc/nginx/nginx.conf.new /etc/nginx/nginx.conf; \
     fi
 
-ENV HEALTH_PORT="alpine-sts" \
+    # If we get here, protection mode is ON
-    HEALTH_URL="alpine-sts"
+    bashio::log.fatal "PROTECTION MODE IS ENABLED!"
-HEALTHCHECK \
+    bashio::log.fatal ""
-    --interval=5s \
+    bashio::log.fatal "To be able to use this add-on, you'll need to disable"
-    --retries=5 \
+    bashio::log.fatal "protection mode on this add-on. Without it, the add-on"
-    --start-period=30s \
+    bashio::log.fatal "is unable to access Docker."
-    --timeout=25s \
+    bashio::log.fatal ""
-    CMD healthcheck &>/dev/null || exit 1
+    bashio::log.fatal "Steps:"
+    bashio::log.fatal " - Go to the Supervisor Panel."
+    bashio::log.fatal " - Click on this add-on."
+    bashio::log.fatal " - Set the 'Protection mode' switch to off."
+    bashio::log.fatal " - Restart the add-on."
+    bashio::log.fatal ""
+    bashio::log.fatal "Access to Docker allows you to do really powerful things"
+    bashio::log.fatal "including complete destruction of your system."
+    bashio::log.fatal "Please, be sure you know what you are doing before"
+    bashio::log.fatal "enabling this feature (and this add-on)!"
+    return 1
+}
+
+# Call our fixed function
+bashio::require.unprotected.fixed
+
+bashio::log.info "Starting Portainer Agent"
+
+# Launch app
+cd /app || true
+if bashio::config.has_value 'PORTAINER_AGENT_ARGS'; then
+    ./agent "$PORTAINER_AGENT_ARGS" 2> /dev/null
+else
+    ./agent
+fi
+EOF
+
+RUN chmod +x /etc/services.d/portainer_agent/run
+
+ENTRYPOINT ["/init"]
+
+HEALTHCHECK --interval=5s --start-period=30s --timeout=5s --retries=3 \
+  CMD /usr/sbin/healthcheck || exit 1

portainer_agent/config.yaml

@@ -41,4 +41,4 @@ schema:
 slug: portainer_agent
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "alpine-sts"
+version: "alpine-sts-bashio-fix"