This adds two patches with fixes/improvements for the Docker engine
- `0001-daemon-respect-explicit-AppArmor-profile-on-privileg.patch`:
Makes sure that AppArmor rules are always loaded, also on reboot. This
is a long standing bug in Docker and affects Supervisor which is a
privileged container with an AppArmor profile.
Upstream PR: https://github.com/moby/moby/pull/52215
- `0002-bridge-protect-bridge-subnet-from-direct-external-ac.patch`:
Makes sure that the whole network (including gateway IP) of any Docker
bridge network in NAT mode is firewalled from access from the outside.
This essentially implements on Docker level what Supervisor applies on
startup with https://github.com/home-assistant/supervisor/pull/6650.
Upstream PR: https://github.com/moby/moby/pull/52224.
After builder changes, ARM images are now correctly published with their
platform, and when skopeo is used to inspect/pull the image on x86 without any
other flags, it fails with:
Error parsing manifest for image: Error choosing image instance: no image found in image index for architecture amd64, variant "", OS linux
Pass the correct arch in skopeo operations to fix that.
* Bumped to latest version
* Changed to HTTPS download source
* Updated build dependencies (mirroring package/qemu)
* Added path to host Python (same as package/qemu)
* Removed meson flag (no longer needed)
* Added --disable-linux-io-uring (new in v10)
* Replaced old --disable-user by per-OS flags
* Removed duplicated flags
* Sorted flags alphabetically for easier maintenance
Fixes #4336
Update the patch adjusting findBootFS for HAOS. Make sure that the hardware
survey is performed before that so we know if we can/should use flashrom on
Pi 5 with NVMe.
Fixes #4574
* RaspberryPi: Update kernel to 6.12.75 - 89050b1059997d38d55462b323b099a6436dc10d
Raspberry devs now don't seem to care about updating any of the repositories
following a kernel release anymore so the hash for the latest release was
determined from the source package of the latest APT release.
* Update rpi-firmware
* buildroot d9cb724f06...be34a81850 (1):
> package/rpi-firmware: update to eb3ee43 (for 6.12.75)
* Add patch fixing serial in U-Boot, refresh patches
Change in DTS includes shadowed previous patch adding U-Boot-specific
compatible string for UARTs. Make sure that AMBA UARTs in device trees also
contain compatibles consumed by U-Boot as fallback.
Also, refresh RPi patches with --zero-commit.
Remove net.ipv6.conf.all.forwarding=1 from 60-otbr-ip-forward.conf
and rely on Docker to enable IPv6 forwarding instead, just as we
already rely on it for IPv4 forwarding (needed for NAT64 in OTBR).
When this sysctl was added (d9ec60316), Docker did not enable IPv6 by
default. Since Docker 27 (April 2024), IPv6 support — including
ip6tables — is enabled by default, and Docker enables IPv6 forwarding
at startup just like it does for IPv4.
Importantly, when Docker enables forwarding itself (rather than finding
it already on), it also sets the FORWARD chain policy to DROP as a
safety measure. Pre-enabling the sysctl prevents this, leaving the IPv6
FORWARD chain at ACCEPT. By removing our sysctl, we get the same
protective DROP policy for IPv6 that we already benefit from for IPv4.
Supervisor takes a logind delay inhibitor lock on startup and releases it
after gracefully stopping all add-ons, Home Assistant Core, and plugins in
the correct order. The default 5s window is far too short — Core alone can
take 40+ seconds to stop. 300s gives enough headroom for a clean shutdown.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
The retry when fetching containers from the registry didn't work because the
script was executed with `set -e`. Capture the error code also for non-zero
exit status.
Also use while loop instead of recursion and back off exponentially - start
with 5s and multiply by 3 (i.e. 5s, 15s, 45s - waiting in total up to 1 minute
for the registry to recover).
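The two pitfalls named in this commit (a retry that never runs because `set -e` aborts the script before `rc=$?` executes, and recursion instead of a loop) as an added shell example; this is not the project's script, and `flaky_fetch` is a constructed stand-in for the registry pull so the retry path runs offline.

```shell
#!/bin/sh
# Added example modelled on the fix described above, not HAOS's own script.
# Under `set -e`, writing `cmd; rc=$?` never reaches the assignment when cmd
# fails: the script exits first. `cmd || rc=$?` captures the status instead,
# because a failure in a `||` list does not trigger errexit.
set -e

# retry_with_backoff DELAY FACTOR ATTEMPTS CMD...
# Runs CMD up to ATTEMPTS times, sleeping DELAY seconds after a failure and
# multiplying the delay by FACTOR each round. With DELAY=5 and FACTOR=3 the
# waits are 5s, 15s, 45s, the schedule the commit describes (attempt count
# is an assumption here, not taken from the commit).
retry_with_backoff() {
  local delay="$1" factor="$2" attempts="$3"
  shift 3
  local attempt=1 rc=0
  while :; do
    rc=0
    "$@" || rc=$?            # capture the exit status instead of aborting
    if [ "$rc" -eq 0 ]; then
      return 0
    fi
    if [ "$attempt" -ge "$attempts" ]; then
      echo "giving up after $attempt attempts (last status $rc)" >&2
      return "$rc"
    fi
    echo "attempt $attempt failed with status $rc, retrying in ${delay}s" >&2
    sleep "$delay"
    delay=$((delay * factor))
    attempt=$((attempt + 1))
  done
}

# Constructed stand-in for the registry fetch: counts calls in FILE and only
# succeeds once the count reaches N, so earlier calls exercise the retry path.
flaky_fetch() {
  local f="$1" n="$2" c
  c=$(cat "$f" 2>/dev/null || echo 0)
  c=$((c + 1))
  echo "$c" > "$f"
  [ "$c" -ge "$n" ]
}
```

Replace `flaky_fetch` with the real pull command (e.g. a `docker pull` invocation) and pass `5 3` as delay and factor to get the commit's 5s/15s/45s schedule.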
Backport NetworkManager patch (backported also in upstream to v1.56.0) to
restrict connectivity check lookups to per-link DNS. This reduces the number of
DNS queries performed by NetworkManager itself.
Note that Supervisor has its own connectivity check routine which is
independent of this one, so users may still see more requests in a 10-minute
interval.
Closes #4560
Set wifi.powersave to 2 (disabled) in NetworkManager settings by default for
all connections. Since HAOS is generally used on servers, powersaving doesn't
bring any obvious benefit and is often a cause of problems and higher network
latency. If needed, nmcli can be used to override the new default.
Refs #3832
For some messages, RAUC uses GLib's structured logging API, which doesn't add
the SYSLOG_IDENTIFIER implicitly, like the convenience messages do. Backport a
patch submitted upstream which adds this field to all messages, making all RAUC
logging available when rauc identifier is queried.
This backports a patch from GLib v2.85.0 which adds SYSLOG_IDENTIFIER to messages
logged through GLib's convenience logging messages. This immediately makes some
RAUC messages previously not present in Host logs (which rely on the identifier
field being present) available in the host logs. For the remaining
messages, the identifier needs to be added directly in RAUC.
This change adds termios2 compatibility to the ioctl interface of generic_raw_uart, making it compatible with glibc 2.42+ environments which prefer termios2 rather than the old/obsolete termios ioctls. This is a similar change to what was introduced to eq3_char_loop in #4471. However, this change in generic_raw_uart is required so that /dev/raw-uart will be termios2 compatible for applications within the OpenCCU Add-on directly opening it in case a non-dualcopro RF module like HmIP-RFUSB-TK is using it directly. (This refs https://github.com/OpenCCU/OpenCCU/issues/3498)
This PR updates the eq3_char_loop package to contain the latest
eq3_char_loop v1.3 sources with termios2 compatibility which is required
for glibc 2.42+ environments (latest OpenCCU) so that the HMIPServer
within OpenCCU is able to startup correctly.
* Enable CONFIG_I2C_ACPI in kernel configuration for generic-x86-64
Needed to support i2c-based touchscreens on x86 boards
* Enable I2C HID support in kernel configuration for generic aarch64
Needed to support i2c touchscreens on arm64 devices
For users having non-English, and especially non-qwerty layouts, using the host
shell can be very awkward. There was no option to change the keymaps as they
haven't been installed in the OS, and persistence couldn't be achieved
because of the read-only /etc.
With upstream patch merged in #4224, we have an option to put
/etc/vconsole.conf to a writable location and use the same approach as in the
timezone PR. This is needed because even if we only bind-mounted the file from
the overlay directory, the Systemd services which start early will still refer
to the inode on the read-only FS. Also, gzip is required as the current version of
kbd in Buildroot (v2.6.4) always compresses the keymaps using gzip. We can get
rid of this after we bump to kbd v2.9.0 [1] or newer. The overall bloat in
local build of the OS is slightly over 1 MiB, so it is acceptable.
With these changes, the `localectl set-keymap` command can be used to use any
available keymap from the installed `kbd` package (refer to `localectl
list-keymaps` for complete lists) and persist it between reboots.
[1] https://github.com/legionus/kbd/releases/tag/v2.9.0
Fixes #1775
Since home-assistant/version#305 the AppArmor profiles were split to
per-channel files. This was never reflected in hassio package build though.
Currently this doesn't cause any trouble and the profile is replaced later by
the Supervisor but make sure we're always using the correct one from the
beginning.
Extract some of the parts of the "image import" to the script creating the data
partition to separate concerns. The Docker data directory is now passed as a
daemon option, instead of only mounting the data partition's folder to the
default directory, to be closer to the deployment setup. Also trap the exit and
error signals to remove the build container and unmount the data partition, as
failed or cancelled builds have been leaking the containers/mounts when building
interactively (attached to the build container shell).
Importing docker-archive format leads to some layers missing in the content
storage which results in some image metadata missing. This appears to be the
same regression as moby/moby#49473. Importing OCI archives when bootstrapping
the data partition seems to work around this bug.
Fixes #4385
Atm some targets don't have comments support enabled for iptables. There's no reason to limit that to just the arm64-rockchip target, so this change addresses that.
* Remove configs and board files of deprecated architectures
* Remove support for ODROID-XU4 boot files
* Remove ASUS Tinker support from rpi-rf-mod
* Remove RPi armv7 config fragment