Since home-assistant/version#305 the AppArmor profiles were split to
per-channel files. This was never reflected in hassio package build though.
Currently this doesn't cause any trouble and the profile is replaced later by
the Supervisor but make sure we're always using the correct one from the
beginning.
Extract some of the parts of the "image import" to the script creating the data
partition to separate concerns. The Docker data directory is now passed as a
daemon option, instead of only mounting the data partition's folder to the
default directory, to be closer to the deployment setup. Also trap the exit and
error signals to remove the build container and unmount the data partition, as
failed or cancelled build have been leaking the containers/mounts when building
interactively (attached to the build container shell).
Importing docker-archive format leads to some layers missing in the content
storage which results in some image metadata missing. This appears to be the
same regression as moby/moby#49473. Importing OCI archives when bootstrapping
the data partition seems to work this bug around.
Fixes#4385
Update Docker and the related components to the latest security releases.
* buildroot 986b8be22d...74aec5a64c (4):
> package/docker-cli: bump version to v28.5.2
> package/docker-engine: bump version to v28.5.2
> package/containerd: bump version to v2.1.5
> package/runc: bump version to v1.3.3
Atm some targets don't have comments support enabled for iptables. There's no reason to limit that to just arm64-rockhip target, so this change addresses that.
* Remove configs and board files of deprecated architectures
* Remove support for ODROID-XU4 boot files
* Remove ASUS Tinker support from rpi-rf-mod
* Remove RPi armv7 config fragment
With https://github.com/home-assistant/cli/pull/604, there is no
--content-trust option anymore. Remove the call and only check if Supervisor is
healthy and there are no issues. This replaces #4370 which is too broad.
(cherry picked from commit 1d29f6b099d797215f0be22b69c281d3425f6992)
With https://github.com/home-assistant/cli/pull/604, there is no
--content-trust option anymore. Remove the call and only check if Supervisor is
healthy and there are no issues. This replaces #4370 which is too broad.
A bug introduced in Docker v28.2+ can cause slow container restart in some
cases because of usage of IPv4 mapped IPv6 addresses in iptables command.
Backport a simple patch from upstream to fix it before we bump to a newer
Docker version.
Fixes#4363
(cherry picked from commit b3a9e765219246f88997a9f51fae5bbf25b409ce)
A bug introduced in Docker v28.2+ can cause slow container restart in some
cases because of usage of IPv4 mapped IPv6 addresses in iptables command.
Backport a simple patch from upstream to fix it before we bump to a newer
Docker version.
Fixes#4363
Because the OS downgrade performed in tests now triggers change in container
snapshotters, all containers need to be redownloaded. Make sure that CLI
container exists and increase the timeout for the time being.
The deprecated-key-path option is no longer handled, but it doesn't cause
problems because the key is explicitly ignored. It was completely removed in
Docker 19.03.0 [1].
As such, the option and the pre-start script to fix the corrupted key.json can
be removed now, as it has no effect, only printing confusing message when
Docker service fails to start.
[1] 98fc09128b
Prefer the containerd snapshotter by using it by default for new installs and
when no Docker data is present (e.g. after datadisk wipe). The snapshotter is
enabled by a dockerd flag which is set when a flag file is present in the data
partition. This flag file can be used also to opt-in for this snapshotter on
legacy installs (high level API through OS Agent and Supervisor TBD), to
migrate to the containerd snapshotter this file can be simply created manually.
Testing shown no major problems when migrating, the old overlay2 folder can be
(and should be - to avoid situations where the data disk might run out of
space) deleted before the docker.service is started in the docker-prepare
script.
Note that there's no offline migration path, OS needs to be connected to the
internet to re-download the images when migrating. This could be theoretically
possible through docker image save/load functions but guarding for enough of
space and other edge cases would be probably too complex to justify it.
Refs #4252
Refs #4253 - easier opt-in method is still needed
Closes#4254 - migration is handled seamlessly by Docker
Use the version used in the docker-engine package to ensure it stays in sync.
Although we haven't seen any issues related to the fact it was sometimes
mismatching, reduce the burden of needing it to be synced manually.
This might be required for some modern Intel processors (Meteor Lake and newer)
which fail to boot Linux kernel without x2APIC controller when some features
(e.g. VT-d or x2APIC itself) are enabled in the BIOS.
Enable it also for OVA, as it can be emulated in virtual machines, even when
the host CPU does not support it.
Fixes#4337, fixes#4144, fixes#4345
The CPUfreq governor "powersave" sets the CPU statically to the lowest
frequency within the borders of scaling_min_freq and scaling_max_freq.
This can be useful if a particular power budget should not ever be
crossed. Can be set using `cpufreq.default_governor=powersave`. Note
that this obviously affects performance.
* Improve UX of HA CLI wrapper and emergency console
For many users, the emergency console gives feeling that the system is
completely broken. However, there are various cases when the system just takes
just a bit longer to start up and the emergency message is shown, while it
finishes a proper startup shortly after. This change tries to improve the UX in
several ways:
* The limit before a forced emergency console startup is changed to 3 minutes
* Waiting can be interrupted with Ctrl+C (reset counter is cleared then)
* Some hints what to check have been added before starting the shell
* Also, because if the HA CLI failed for 5 times in a row in quick succession,
the CLI startup was then not retried anymore and user may have been left with
a black screen, the restart limits timeouts have been adjusted only to back
off and never mark the unit as failed
Closes#4273
* Use /bin/sh and printf to silence linter errors
RaspberryMatic was renamed to OpenCCU in
https://github.com/OpenCCU/OpenCCU/pull/3162. This caused change of the name of
the directory in the source tarball, causing build failure when the archive
wasn't cached.
