Update to the latest versions and update tests to use the new schema of the
inspect output.
* buildroot 0aa9729cd5...808ee7b916 (4):
> package/docker-engine: bump version to v29.1.2
> package/docker-cli: bump version to v29.1.2
> package/containerd: bump version to v2.2.0
> package/runc: bump version to v1.3.4
For users having non-English, and especially non-qwerty layouts, using the host
shell can be very awkward. There was no option to change the keymaps as they
haven't been installed in the OS, and the persistence couldn't have been
achieved because of read-only /etc.
With upstream patch merged in #4224, we have an option to put
/etc/vconsole.conf to a writable location and use the same approach as in the
timezone PR. This is needed because even if we only bind-mounted the file from
the overlay directory, the Systemd services which start early will still refer
to the inode on the read-only FS. Also, gzip is required as current version of
kbd in Buildroot (v2.6.4) always compresses the keymaps using gzip. We can get
rid of this after we bump to kbd v2.9.0 [1] or newer. The overall bloat in
local build of the OS is slightly over 1 MiB, so it is acceptable.
With these changes, the `localectl set-keymap` command can be used to use any
available keymap from the installed `kbd` package (refer to `localectl
list-keymaps` for complete lists) and persist it between reboots.
[1] https://github.com/legionus/kbd/releases/tag/v2.9.0Fixes#1775
Since home-assistant/version#305 the AppArmor profiles were split to
per-channel files. This was never reflected in hassio package build though.
Currently this doesn't cause any trouble and the profile is replaced later by
the Supervisor but make sure we're always using the correct one from the
beginning.
Extract some of the parts of the "image import" to the script creating the data
partition to separate concerns. The Docker data directory is now passed as a
daemon option, instead of only mounting the data partition's folder to the
default directory, to be closer to the deployment setup. Also trap the exit and
error signals to remove the build container and unmount the data partition, as
failed or cancelled build have been leaking the containers/mounts when building
interactively (attached to the build container shell).
Importing docker-archive format leads to some layers missing in the content
storage which results in some image metadata missing. This appears to be the
same regression as moby/moby#49473. Importing OCI archives when bootstrapping
the data partition seems to work this bug around.
Fixes#4385
Update Docker and the related components to the latest security releases.
* buildroot 986b8be22d...74aec5a64c (4):
> package/docker-cli: bump version to v28.5.2
> package/docker-engine: bump version to v28.5.2
> package/containerd: bump version to v2.1.5
> package/runc: bump version to v1.3.3
Atm some targets don't have comments support enabled for iptables. There's no reason to limit that to just arm64-rockhip target, so this change addresses that.
* Remove configs and board files of deprecated architectures
* Remove support for ODROID-XU4 boot files
* Remove ASUS Tinker support from rpi-rf-mod
* Remove RPi armv7 config fragment
With https://github.com/home-assistant/cli/pull/604, there is no
--content-trust option anymore. Remove the call and only check if Supervisor is
healthy and there are no issues. This replaces #4370 which is too broad.
(cherry picked from commit 1d29f6b099d797215f0be22b69c281d3425f6992)
With https://github.com/home-assistant/cli/pull/604, there is no
--content-trust option anymore. Remove the call and only check if Supervisor is
healthy and there are no issues. This replaces #4370 which is too broad.
A bug introduced in Docker v28.2+ can cause slow container restart in some
cases because of usage of IPv4 mapped IPv6 addresses in iptables command.
Backport a simple patch from upstream to fix it before we bump to a newer
Docker version.
Fixes#4363
(cherry picked from commit b3a9e765219246f88997a9f51fae5bbf25b409ce)
A bug introduced in Docker v28.2+ can cause slow container restart in some
cases because of usage of IPv4 mapped IPv6 addresses in iptables command.
Backport a simple patch from upstream to fix it before we bump to a newer
Docker version.
Fixes#4363
Because the OS downgrade performed in tests now triggers change in container
snapshotters, all containers need to be redownloaded. Make sure that CLI
container exists and increase the timeout for the time being.
The deprecated-key-path option is no longer handled, but it doesn't cause
problems because the key is explicitly ignored. It was completely removed in
Docker 19.03.0 [1].
As such, the option and the pre-start script to fix the corrupted key.json can
be removed now, as it has no effect, only printing confusing message when
Docker service fails to start.
[1] 98fc09128b
Prefer the containerd snapshotter by using it by default for new installs and
when no Docker data is present (e.g. after datadisk wipe). The snapshotter is
enabled by a dockerd flag which is set when a flag file is present in the data
partition. This flag file can be used also to opt-in for this snapshotter on
legacy installs (high level API through OS Agent and Supervisor TBD), to
migrate to the containerd snapshotter this file can be simply created manually.
Testing shown no major problems when migrating, the old overlay2 folder can be
(and should be - to avoid situations where the data disk might run out of
space) deleted before the docker.service is started in the docker-prepare
script.
Note that there's no offline migration path, OS needs to be connected to the
internet to re-download the images when migrating. This could be theoretically
possible through docker image save/load functions but guarding for enough of
space and other edge cases would be probably too complex to justify it.
Refs #4252
Refs #4253 - easier opt-in method is still needed
Closes#4254 - migration is handled seamlessly by Docker
Use the version used in the docker-engine package to ensure it stays in sync.
Although we haven't seen any issues related to the fact it was sometimes
mismatching, reduce the burden of needing it to be synced manually.
This might be required for some modern Intel processors (Meteor Lake and newer)
which fail to boot Linux kernel without x2APIC controller when some features
(e.g. VT-d or x2APIC itself) are enabled in the BIOS.
Enable it also for OVA, as it can be emulated in virtual machines, even when
the host CPU does not support it.
Fixes#4337, fixes#4144, fixes#4345
