* buildroot fb7fbb2f72...c0e24ce54b (4):
> package/runc: bump version to v1.3.5
> package/containerd: bump version to v2.2.2
> package/docker-cli: bump version to v29.3.1
> package/docker-engine: bump version to v29.3.1
This adds two patches with fixes/improvements for the Docker engine:
- `0001-daemon-respect-explicit-AppArmor-profile-on-privileg.patch`:
Makes sure that AppArmor rules are always loaded, also on reboot. This
is a long standing bug in Docker and affects Supervisor which is a
privileged container with an AppArmor profile.
Upstream PR: https://github.com/moby/moby/pull/52215
- `0002-bridge-protect-bridge-subnet-from-direct-external-ac.patch`:
Makes sure that the whole network (including gateway IP) of any Docker
bridge network in NAT mode is firewalled from access from the outside.
This essentially implements on Docker level what Supervisor applies on
startup with https://github.com/home-assistant/supervisor/pull/6650.
Upstream PR: https://github.com/moby/moby/pull/52224.
When running tests on an image that contains older hassio components
(Supervisor or plugins), the autoupdate may interfere with the test run.
To avoid this, patch Supervisor updater config as early as possible and
restart Supervisor.
For Supervisor tests, we need all components to be updated, so
parametrize the supervisor update test to update all plugins too.
After builder changes, ARM images are now correctly published with their
platform, and when skopeo is used to inspect/pull the image on x86 without any
other flags, it fails with:
Error parsing manifest for image: Error choosing image instance: no image found in image index for architecture amd64, variant "", OS linux
Pass the correct arch in skopeo operations to fix that.
* Bumped to latest version
* Changed to HTTPS download source
* Updated build dependencies (mirroring package/qemu)
* Added path to host Python (same as package/qemu)
* Removed meson flag (no longer needed)
* Added --disable-linux-io-uring (new in v10)
* Replaced old --disable-user by per-OS flags
* Removed duplicated flags
* Sorted flags alphabetically for easier maintenance
Fixes #4336
Update the patch adjusting findBootFS for HAOS. Make sure that the hardware
survey is performed before that so we know if we can/should use flashrom on
Pi 5 with NVMe.
Fixes #4574
* RaspberryPi: Update kernel to 6.12.75 - 89050b1059997d38d55462b323b099a6436dc10d
Raspberry devs now don't seem to care about updating any of the repositories
following a kernel release anymore so the hash for the latest release was
determined from the source package of the latest APT release.
* Update rpi-firmware
* buildroot d9cb724f06...be34a81850 (1):
> package/rpi-firmware: update to eb3ee43 (for 6.12.75)
* Add patch fixing serial in U-Boot, refresh patches
Change in DTS includes shadowed previous patch adding U-Boot-specific
compatible string for UARTs. Make sure that AMBA UARTs in device trees also
contain compatibles consumed by U-Boot as fallback.
Also, refresh RPi patches with --zero-commit.
Remove net.ipv6.conf.all.forwarding=1 from 60-otbr-ip-forward.conf
and rely on Docker to enable IPv6 forwarding instead, just as we
already rely on it for IPv4 forwarding (needed for NAT64 in OTBR).
When this sysctl was added (d9ec60316), Docker did not enable IPv6 by
default. Since Docker 27 (April 2024), IPv6 support — including
ip6tables — is enabled by default, and Docker enables IPv6 forwarding
at startup just like it does for IPv4.
Importantly, when Docker enables forwarding itself (rather than finding
it already on), it also sets the FORWARD chain policy to DROP as a
safety measure. Pre-enabling the sysctl prevents this, leaving the IPv6
FORWARD chain at ACCEPT. By removing our sysctl, we get the same
protective DROP policy for IPv6 that we already benefit from for IPv4.
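
An audit for the condition this message describes, as an added example that is not part of the original commit: it flags a sysctl drop-in that pre-enables IPv6 forwarding and reports the IPv6 FORWARD chain policy. The function names, the temporary directory and the sample `ip6tables -S FORWARD` line are constructed for illustration.

```sh
#!/bin/sh
# Added example: paths and sample data below are constructed.

# Return 0 if any *.conf drop-in under directory $1 sets IPv6 forwarding to 1.
forwarding_preenabled() {
    # Drop whitespace, skip comment lines, accept '.' or '/' as key separator.
    cat "$1"/*.conf 2>/dev/null | tr -d ' \t' | grep -Ev '^[#;]' \
        | grep -Eq '^net[./]ipv6[./]conf[./]all[./]forwarding=1$'
}

# Print the FORWARD chain policy from `ip6tables -S FORWARD` output on stdin.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# $1 = sysctl.d directory, stdin = `ip6tables -S FORWARD` output.
audit() {
    policy=$(forward_policy)
    if forwarding_preenabled "$1"; then pre=yes; else pre=no; fi
    if [ "$policy" = "DROP" ]; then
        echo "ok policy=$policy preenabled=$pre"
    else
        echo "warn policy=$policy preenabled=$pre"
    fi
}

# Constructed demo: the drop-in as it was before this change, with an ACCEPT policy.
demo_dir=$(mktemp -d)
printf '%s\n' 'net.ipv6.conf.all.forwarding=1' > "$demo_dir/60-otbr-ip-forward.conf"
printf '%s\n' '-P FORWARD ACCEPT' | audit "$demo_dir"
rm -rf "$demo_dir"
```

On a live host the same check reads `ip6tables -S FORWARD | audit /etc/sysctl.d`.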
Supervisor takes a logind delay inhibitor lock on startup and releases it
after gracefully stopping all add-ons, Home Assistant Core, and plugins in
the correct order. The default 5s window is far too short — Core alone can
take 40+ seconds to stop. 300s gives enough headroom for a clean shutdown.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The retry when fetching containers from the registry didn't work because the
script was executed with `set -e`. Capture the error code also for non-zero
exit status.
Also use a while loop instead of recursion and back off exponentially - start
with 5s and multiply by 3 (i.e. 5s, 15s, 45s - waiting in total up to 1 minute
for the registry to recover).
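
The retry pattern this message describes, as an added example that is not the project's own script: the exit status is captured with `|| rc=$?` so `set -e` does not abort on the first failure, and a while loop waits 5s, 15s and 45s between attempts. `fetch_image`, `FAIL_UNTIL` and `SLEEP_CMD` are hypothetical names used here to simulate the registry and to skip real waiting.

```sh
#!/bin/sh
set -e

# Hypothetical stand-in for the registry fetch: fails until attempt FAIL_UNTIL.
ATTEMPTS_FILE=$(mktemp)
echo 0 > "$ATTEMPTS_FILE"
FAIL_UNTIL=${FAIL_UNTIL:-3}

fetch_image() {
    local n
    n=$(( $(cat "$ATTEMPTS_FILE") + 1 ))
    echo "$n" > "$ATTEMPTS_FILE"
    [ "$n" -ge "$FAIL_UNTIL" ]    # non-zero exit status on early attempts
}

# Run "$@" until it succeeds, waiting 5s, 15s, 45s between attempts.
retry_with_backoff() {
    local delay=5 max_delay=45 rc
    while true; do
        # A bare failing command would end the script under `set -e`;
        # `|| rc=$?` keeps it running and records the real exit status.
        rc=0
        "$@" || rc=$?
        [ "$rc" -eq 0 ] && return 0
        if [ "$delay" -gt "$max_delay" ]; then
            echo "giving up, last exit status $rc" >&2
            return "$rc"
        fi
        echo "attempt failed (status $rc), retrying in ${delay}s" >&2
        "${SLEEP_CMD:-sleep}" "$delay"
        delay=$(( delay * 3 ))
    done
}

# Constructed demo: succeeds on the 3rd attempt; SLEEP_CMD=true skips the waits.
SLEEP_CMD=true
retry_with_backoff fetch_image
echo "fetched after $(cat "$ATTEMPTS_FILE") attempts"
```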
Backport NetworkManager patch (backported also in upstream to v1.56.0) to
restrict connectivity check lookups to per-link DNS. This reduces the number of
DNS queries performed by NetworkManager itself.
Note that Supervisor has its own connectivity check routine which is
independent of this one, so the user may still see more requests in a 10 minute
interval.
Closes #4560
actions/upload-artifact v7 added the possibility to disable creating a ZIP archive
when only a single file is uploaded. Since this behavior is not desired for the
images, as they're already compressed, disable it (default is enabled). The
actions/download-artifact in the test workflow should handle it gracefully based
on mimetype.
* buildroot 3c9f409eed...ad0e1ef2be (3):
> package/go: security bump to version 1.25.7
> package/go: security bump to version 1.25.6
> package/go: security bump to version 1.25.5
Backup now fails after home-assistant/supervisor#6553 if Core isn't installed
and started. Similarly to the tests in the Supervisor CI, wait until Core
install finishes before proceeding with other tests in the suite.
Set wifi.powersave to 2 (disabled) in NetworkManager settings by default for
all connections. Since HAOS is generally used on servers, powersaving doesn't
bring any obvious benefit and is often a cause of problems and higher network
latency. If needed, nmcli can be used to override the new default.
Refs #3832