Scale progress by fraction of layers that have reported

When pulling Docker images with many layers, tiny layers that complete
immediately would show inflated progress (e.g., 70%) even when most
layers haven't started reporting yet. This made the UI jump to 70%
quickly, then appear stuck during actual download.

The fix scales progress by the fraction of layers that have reported:
- If 2/25 layers report at 70%, progress shows ~5.6% instead of 70%
- As more layers report, progress increases proportionally
- When all layers have reported, no scaling is applied

This ensures progress accurately reflects overall download status rather
than being dominated by a few tiny layers that complete first.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.github/workflows/builder.yml

@@ -34,6 +34,9 @@ on:
 
 env:
   DEFAULT_PYTHON: "3.13"
+  COSIGN_VERSION: "v2.5.3"
+  CRANE_VERSION: "v0.20.7"
+  CRANE_SHA256: "8ef3564d264e6b5ca93f7b7f5652704c4dd29d33935aff6947dd5adefd05953e"
   BUILD_NAME: supervisor
   BUILD_TYPE: supervisor
 
@@ -53,7 +56,7 @@ jobs:
       requirements: ${{ steps.requirements.outputs.changed }}
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
 
@@ -92,7 +95,7 @@ jobs:
         arch: ${{ fromJson(needs.init.outputs.architectures) }}
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
 
@@ -107,7 +110,7 @@ jobs:
       # home-assistant/wheels doesn't support sha pinning
       - name: Build wheels
         if: needs.init.outputs.requirements == 'true'
-        uses: home-assistant/wheels@2025.09.1
+        uses: home-assistant/wheels@2025.11.0
         with:
           abi: cp313
           tag: musllinux_1_2
@@ -126,15 +129,15 @@ jobs:
 
       - name: Set up Python ${{ env.DEFAULT_PYTHON }}
         if: needs.init.outputs.publish == 'true'
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.DEFAULT_PYTHON }}
 
       - name: Install Cosign
         if: needs.init.outputs.publish == 'true'
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
-          cosign-release: "v2.5.3"
+          cosign-release: ${{ env.COSIGN_VERSION }}
 
       - name: Install dirhash and calc hash
         if: needs.init.outputs.publish == 'true'
@@ -170,17 +173,15 @@ jobs:
             --target /data \
             --cosign \
             --generic ${{ needs.init.outputs.version }}
-        env:
-          CAS_API_KEY: ${{ secrets.CAS_TOKEN }}
 
   version:
     name: Update version
-    needs: ["init", "run_supervisor"]
+    needs: ["init", "run_supervisor", "retag_deprecated"]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
         if: needs.init.outputs.publish == 'true'
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       - name: Initialize git
         if: needs.init.outputs.publish == 'true'
@@ -205,7 +206,7 @@ jobs:
     timeout-minutes: 60
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
       # home-assistant/builder doesn't support sha pinning
       - name: Build the Supervisor
@@ -293,33 +294,6 @@ jobs:
             exit 1
           fi
 
-      - name: Check the Supervisor code sign
-        if: needs.init.outputs.publish == 'true'
-        run: |
-          echo "Enable Content-Trust"
-          test=$(docker exec hassio_cli ha security options --content-trust=true --no-progress --raw-json | jq -r '.result')
-          if [ "$test" != "ok" ]; then
-            exit 1
-          fi
-
-          echo "Run supervisor health check"
-          test=$(docker exec hassio_cli ha resolution healthcheck --no-progress --raw-json | jq -r '.result')
-          if [ "$test" != "ok" ]; then
-            exit 1
-          fi
-
-          echo "Check supervisor unhealthy"
-          test=$(docker exec hassio_cli ha resolution info --no-progress --raw-json | jq -r '.data.unhealthy[]')
-          if [ "$test" != "" ]; then
-            exit 1
-          fi
-
-          echo "Check supervisor supported"
-          test=$(docker exec hassio_cli ha resolution info --no-progress --raw-json | jq -r '.data.unsupported[]')
-          if [[ "$test" =~ source_mods ]]; then
-            exit 1
-          fi
-
       - name: Create full backup
         id: backup
         run: |
@@ -381,3 +355,50 @@ jobs:
       - name: Get supervisor logs on failiure
         if: ${{ cancelled() || failure() }}
         run: docker logs hassio_supervisor
+
+  retag_deprecated:
+    needs: ["build", "init"]
+    name: Re-tag deprecated ${{ matrix.arch }} images
+    if: needs.init.outputs.publish == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    strategy:
+      matrix:
+        arch: ["armhf", "armv7", "i386"]
+    env:
+      # Last available release for deprecated architectures
+      FROZEN_VERSION: "2025.11.5"
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: ${{ env.COSIGN_VERSION }}
+
+      - name: Install crane
+        run: |
+          curl -sLO https://github.com/google/go-containerregistry/releases/download/${{ env.CRANE_VERSION }}/go-containerregistry_Linux_x86_64.tar.gz
+          echo "${{ env.CRANE_SHA256 }}  go-containerregistry_Linux_x86_64.tar.gz" | sha256sum -c -
+          tar xzf go-containerregistry_Linux_x86_64.tar.gz crane
+          sudo mv crane /usr/local/bin/
+
+      - name: Re-tag deprecated image with updated version label
+        run: |
+          crane auth login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
+          crane mutate \
+            --label io.hass.version=${{ needs.init.outputs.version }} \
+            --tag ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ needs.init.outputs.version }} \
+            ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ env.FROZEN_VERSION }}
+
+      - name: Sign image with Cosign
+        run: |
+          cosign sign --yes ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ needs.init.outputs.version }}

.github/workflows/ci.yaml

@@ -26,10 +26,10 @@ jobs:
     name: Prepare Python dependencies
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python
         id: python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: ${{ env.DEFAULT_PYTHON }}
       - name: Restore Python virtual environment
@@ -68,9 +68,9 @@ jobs:
     needs: prepare
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
@@ -111,9 +111,9 @@ jobs:
     needs: prepare
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
@@ -154,7 +154,7 @@ jobs:
     needs: prepare
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Register hadolint problem matcher
         run: |
           echo "::add-matcher::.github/workflows/matchers/hadolint.json"
@@ -169,9 +169,9 @@ jobs:
     needs: prepare
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
@@ -213,9 +213,9 @@ jobs:
     needs: prepare
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
@@ -257,9 +257,9 @@ jobs:
     needs: prepare
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
@@ -293,9 +293,9 @@ jobs:
     needs: prepare
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
@@ -339,14 +339,14 @@ jobs:
     name: Run tests Python ${{ needs.prepare.outputs.python-version }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
           cosign-release: "v2.5.3"
       - name: Restore Python virtual environment
@@ -386,7 +386,7 @@ jobs:
             -o console_output_style=count \
             tests
       - name: Upload coverage artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: coverage
           path: .coverage
@@ -398,9 +398,9 @@ jobs:
     needs: ["pytest", "prepare"]
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
@@ -417,7 +417,7 @@ jobs:
           echo "Failed to restore Python virtual environment from cache"
           exit 1
       - name: Download all coverage artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: coverage
           path: coverage/

.github/workflows/release-drafter.yml

@@ -11,7 +11,7 @@ jobs:
     name: Release Drafter
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           fetch-depth: 0
 

.github/workflows/sentry.yaml

@@ -10,9 +10,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Sentry Release
-        uses: getsentry/action-release@4f502acc1df792390abe36f2dcb03612ef144818 # v3.3.0
+        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3.4.0
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: ${{ secrets.SENTRY_ORG }}

.github/workflows/stale.yml

@@ -9,13 +9,14 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 30
           days-before-close: 7
           stale-issue-label: "stale"
           exempt-issue-labels: "no-stale,Help%20wanted,help-wanted,pinned,rfc,security"
+          only-issue-types: "bug"
           stale-issue-message: >
             There hasn't been any activity on this issue recently. Due to the
             high number of incoming GitHub notifications, we have to clean some

.github/workflows/update_frontend.yml

@@ -14,7 +14,7 @@ jobs:
       latest_version: ${{ steps.latest_frontend_version.outputs.latest_tag }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Get latest frontend release
         id: latest_frontend_version
         uses: abatilo/release-info-action@32cb932219f1cee3fc4f4a298fd65ead5d35b661 # v1.3.3
@@ -49,7 +49,7 @@ jobs:
     if: needs.check-version.outputs.skip != 'true'
     steps:
       - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
       - name: Clear www folder
         run: |
           rm -rf supervisor/api/panel/*
@@ -68,7 +68,7 @@ jobs:
         run: |
           rm -f supervisor/api/panel/home_assistant_frontend_supervisor-*.tar.gz
       - name: Create PR
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
         with:
           commit-message: "Update frontend to version ${{ needs.check-version.outputs.latest_version }}"
           branch: autoupdate-frontend

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.11.10
+    rev: v0.14.3
     hooks:
       - id: ruff
         args:

AGENTS.md

@@ -0,0 +1 @@
+.github/copilot-instructions.md

build.yaml

@@ -1,13 +1,7 @@
 image: ghcr.io/home-assistant/{arch}-hassio-supervisor
 build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.13-alpine3.22
-  armhf: ghcr.io/home-assistant/armhf-base-python:3.13-alpine3.22
-  armv7: ghcr.io/home-assistant/armv7-base-python:3.13-alpine3.22
-  amd64: ghcr.io/home-assistant/amd64-base-python:3.13-alpine3.22
-  i386: ghcr.io/home-assistant/i386-base-python:3.13-alpine3.22
-codenotary:
-  signer: notary@home-assistant.io
-  base_image: notary@home-assistant.io
+  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.13-alpine3.22-2025.11.1
+  amd64: ghcr.io/home-assistant/amd64-base-python:3.13-alpine3.22-2025.11.1
 cosign:
   base_identity: https://github.com/home-assistant/docker-base/.*
   identity: https://github.com/home-assistant/supervisor/.*

requirements.txt

@@ -1,14 +1,16 @@
 aiodns==3.5.0
-aiohttp==3.12.15
+aiodocker==0.24.0
+aiohttp==3.13.2
 atomicwrites-homeassistant==1.4.1
-attrs==25.3.0
+attrs==25.4.0
 awesomeversion==25.8.0
+backports.zstd==1.1.0
 blockbuster==1.5.25
-brotli==1.1.0
+brotli==1.2.0
 ciso8601==2.3.3
-colorlog==6.9.0
+colorlog==6.10.1
 cpe==1.3.1
-cryptography==46.0.2
+cryptography==46.0.3
 debugpy==1.8.17
 deepmerge==2.0
 dirhash==0.5.0
@@ -17,14 +19,14 @@ faust-cchardet==2.1.19
 gitpython==3.1.45
 jinja2==3.1.6
 log-rate-limit==1.4.2
-orjson==3.11.3
+orjson==3.11.4
 pulsectl==24.12.0
-pyudev==0.24.3
+pyudev==0.24.4
 PyYAML==6.0.3
 requests==2.32.5
 securetar==2025.2.1
-sentry-sdk==2.39.0
+sentry-sdk==2.46.0
 setuptools==80.9.0
 voluptuous==0.15.2
-dbus-fast==2.44.3
+dbus-fast==3.1.2
 zlib-fast==0.2.1

requirements_tests.txt

@@ -1,16 +1,16 @@
-astroid==3.3.11
-coverage==7.10.7
+astroid==4.0.2
+coverage==7.12.0
 mypy==1.18.2
-pre-commit==4.3.0
-pylint==3.3.8
+pre-commit==4.5.0
+pylint==4.0.3
 pytest-aiohttp==1.1.0
-pytest-asyncio==0.25.2
+pytest-asyncio==1.3.0
 pytest-cov==7.0.0
 pytest-timeout==2.4.0
-pytest==8.4.2
-ruff==0.13.2
-time-machine==2.19.0
-types-docker==7.1.0.20250916
+pytest==9.0.1
+ruff==0.14.6
+time-machine==3.1.0
+types-docker==7.1.0.20251127
 types-pyyaml==6.0.12.20250915
 types-requests==2.32.4.20250913
 urllib3==2.5.0

supervisor/addons/addon.py

@@ -226,6 +226,7 @@ class Addon(AddonModel):
         )
 
         await self._check_ingress_port()
+
         default_image = self._image(self.data)
         try:
             await self.instance.attach(version=self.version)
@@ -774,7 +775,6 @@ class Addon(AddonModel):
             raise AddonsError("Missing from store, cannot install!")
 
         await self.sys_addons.data.install(self.addon_store)
-        await self.load()
 
         def setup_data():
             if not self.path_data.is_dir():
@@ -797,6 +797,9 @@ class Addon(AddonModel):
             await self.sys_addons.data.uninstall(self)
             raise AddonsError() from err
 
+        # Finish initialization and set up listeners
+        await self.load()
+
         # Add to addon manager
         self.sys_addons.local[self.slug] = self
 
@@ -1510,13 +1513,6 @@ class Addon(AddonModel):
         _LOGGER.info("Finished restore for add-on %s", self.slug)
         return wait_for_start
 
-    def check_trust(self) -> Awaitable[None]:
-        """Calculate Addon docker content trust.
-
-        Return Coroutine.
-        """
-        return self.instance.check_trust()
-
     @Job(
         name="addon_restart_after_problem",
         throttle_period=WATCHDOG_THROTTLE_PERIOD,
@@ -1559,7 +1555,15 @@ class Addon(AddonModel):
                 )
                 break
 
-            await asyncio.sleep(WATCHDOG_RETRY_SECONDS)
+            # Exponential backoff to spread retries over the throttle window
+            delay = WATCHDOG_RETRY_SECONDS * (1 << max(attempts - 1, 0))
+            _LOGGER.debug(
+                "Watchdog will retry addon %s in %s seconds (attempt %s)",
+                self.name,
+                delay,
+                attempts + 1,
+            )
+            await asyncio.sleep(delay)
 
     async def container_state_changed(self, event: DockerContainerStateEvent) -> None:
         """Set addon state from container state."""

supervisor/addons/build.py

@@ -2,7 +2,9 @@
 
 from __future__ import annotations
 
+import base64
 from functools import cached_property
+import json
 from pathlib import Path
 from typing import TYPE_CHECKING, Any
 
@@ -12,12 +14,15 @@ from ..const import (
     ATTR_ARGS,
     ATTR_BUILD_FROM,
     ATTR_LABELS,
+    ATTR_PASSWORD,
     ATTR_SQUASH,
+    ATTR_USERNAME,
     FILE_SUFFIX_CONFIGURATION,
     META_ADDON,
     SOCKET_DOCKER,
 )
 from ..coresys import CoreSys, CoreSysAttributes
+from ..docker.const import DOCKER_HUB
 from ..docker.interface import MAP_ARCH
 from ..exceptions import ConfigurationFileError, HassioArchNotFound
 from ..utils.common import FileConfiguration, find_one_filetype
@@ -122,8 +127,43 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
         except HassioArchNotFound:
             return False
 
+    def get_docker_config_json(self) -> str | None:
+        """Generate Docker config.json content with registry credentials for base image.
+
+        Returns a JSON string with registry credentials for the base image's registry,
+        or None if no matching registry is configured.
+
+        Raises:
+            HassioArchNotFound: If the add-on is not supported on the current architecture.
+
+        """
+        # Early return before accessing base_image to avoid unnecessary arch lookup
+        if not self.sys_docker.config.registries:
+            return None
+
+        registry = self.sys_docker.config.get_registry_for_image(self.base_image)
+        if not registry:
+            return None
+
+        stored = self.sys_docker.config.registries[registry]
+        username = stored[ATTR_USERNAME]
+        password = stored[ATTR_PASSWORD]
+
+        # Docker config.json uses base64-encoded "username:password" for auth
+        auth_string = base64.b64encode(f"{username}:{password}".encode()).decode()
+
+        # Use the actual registry URL for the key
+        # Docker Hub uses "https://index.docker.io/v1/" as the key
+        registry_key = (
+            "https://index.docker.io/v1/" if registry == DOCKER_HUB else registry
+        )
+
+        config = {"auths": {registry_key: {"auth": auth_string}}}
+
+        return json.dumps(config)
+
     def get_docker_args(
-        self, version: AwesomeVersion, image_tag: str
+        self, version: AwesomeVersion, image_tag: str, docker_config_path: Path | None
     ) -> dict[str, Any]:
         """Create a dict with Docker run args."""
         dockerfile_path = self.get_dockerfile().relative_to(self.addon.path_location)
@@ -172,12 +212,24 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
             self.addon.path_location
         )
 
+        volumes = {
+            SOCKET_DOCKER: {"bind": "/var/run/docker.sock", "mode": "rw"},
+            addon_extern_path: {"bind": "/addon", "mode": "ro"},
+        }
+
+        # Mount Docker config with registry credentials if available
+        if docker_config_path:
+            docker_config_extern_path = self.sys_config.local_to_extern_path(
+                docker_config_path
+            )
+            volumes[docker_config_extern_path] = {
+                "bind": "/root/.docker/config.json",
+                "mode": "ro",
+            }
+
         return {
             "command": build_cmd,
-            "volumes": {
-                SOCKET_DOCKER: {"bind": "/var/run/docker.sock", "mode": "rw"},
-                addon_extern_path: {"bind": "/addon", "mode": "ro"},
-            },
+            "volumes": volumes,
             "working_dir": "/addon",
         }
 

supervisor/addons/manager.py

@@ -9,8 +9,6 @@ from typing import Self, Union
 
 from attr import evolve
 
-from supervisor.jobs.const import JobConcurrency
-
 from ..const import AddonBoot, AddonStartup, AddonState
 from ..coresys import CoreSys, CoreSysAttributes
 from ..exceptions import (
@@ -21,6 +19,8 @@ from ..exceptions import (
     DockerError,
     HassioError,
 )
+from ..jobs import ChildJobSyncFilter
+from ..jobs.const import JobConcurrency
 from ..jobs.decorator import Job, JobCondition
 from ..resolution.const import ContextType, IssueType, SuggestionType
 from ..store.addon import AddonStore
@@ -182,6 +182,9 @@ class AddonManager(CoreSysAttributes):
         conditions=ADDON_UPDATE_CONDITIONS,
         on_condition=AddonsJobError,
         concurrency=JobConcurrency.QUEUE,
+        child_job_syncs=[
+            ChildJobSyncFilter("docker_interface_install", progress_allocation=1.0)
+        ],
     )
     async def install(
         self, slug: str, *, validation_complete: asyncio.Event | None = None
@@ -229,6 +232,13 @@ class AddonManager(CoreSysAttributes):
         name="addon_manager_update",
         conditions=ADDON_UPDATE_CONDITIONS,
         on_condition=AddonsJobError,
+        # We assume for now the docker image pull is 100% of this task for progress
+        # allocation. But from a user perspective that isn't true. Other steps
+        # that take time which is not accounted for in progress include:
+        # partial backup, image cleanup, apparmor update, and addon restart
+        child_job_syncs=[
+            ChildJobSyncFilter("docker_interface_install", progress_allocation=1.0)
+        ],
     )
     async def update(
         self,
@@ -271,7 +281,10 @@ class AddonManager(CoreSysAttributes):
                 addons=[addon.slug],
             )
 
-        return await addon.update()
+        task = await addon.update()
+
+        _LOGGER.info("Add-on '%s' successfully updated", slug)
+        return task
 
     @Job(
         name="addon_manager_rebuild",

supervisor/addons/model.py

@@ -72,6 +72,7 @@ from ..const import (
     ATTR_TYPE,
     ATTR_UART,
     ATTR_UDEV,
+    ATTR_ULIMITS,
     ATTR_URL,
     ATTR_USB,
     ATTR_VERSION,
@@ -102,7 +103,6 @@ from .configuration import FolderMapping
 from .const import (
     ATTR_BACKUP,
     ATTR_BREAKING_VERSIONS,
-    ATTR_CODENOTARY,
     ATTR_PATH,
     ATTR_READ_ONLY,
     AddonBackupMode,
@@ -462,6 +462,11 @@ class AddonModel(JobGroup, ABC):
         """Return True if the add-on have his own udev."""
         return self.data[ATTR_UDEV]
 
+    @property
+    def ulimits(self) -> dict[str, Any]:
+        """Return ulimits configuration."""
+        return self.data[ATTR_ULIMITS]
+
     @property
     def with_kernel_modules(self) -> bool:
         """Return True if the add-on access to kernel modules."""
@@ -626,13 +631,8 @@ class AddonModel(JobGroup, ABC):
 
     @property
     def signed(self) -> bool:
-        """Return True if the image is signed."""
-        return ATTR_CODENOTARY in self.data
-
-    @property
-    def codenotary(self) -> str | None:
-        """Return Signer email address for CAS."""
-        return self.data.get(ATTR_CODENOTARY)
+        """Currently no signing support."""
+        return False
 
     @property
     def breaking_versions(self) -> list[AwesomeVersion]:

supervisor/addons/validate.py

@@ -88,6 +88,7 @@ from ..const import (
     ATTR_TYPE,
     ATTR_UART,
     ATTR_UDEV,
+    ATTR_ULIMITS,
     ATTR_URL,
     ATTR_USB,
     ATTR_USER,
@@ -206,6 +207,12 @@ def _warn_addon_config(config: dict[str, Any]):
             name,
         )
 
+    if ATTR_CODENOTARY in config:
+        _LOGGER.warning(
+            "Add-on '%s' uses deprecated 'codenotary' field in config. This field is no longer used and will be ignored. Please report this to the maintainer.",
+            name,
+        )
+
     return config
 
 
@@ -416,13 +423,26 @@ _SCHEMA_ADDON_CONFIG = vol.Schema(
         vol.Optional(ATTR_BACKUP, default=AddonBackupMode.HOT): vol.Coerce(
             AddonBackupMode
         ),
-        vol.Optional(ATTR_CODENOTARY): vol.Email(),
         vol.Optional(ATTR_OPTIONS, default={}): dict,
         vol.Optional(ATTR_SCHEMA, default={}): vol.Any(
             vol.Schema({str: SCHEMA_ELEMENT}),
             False,
         ),
         vol.Optional(ATTR_IMAGE): docker_image,
+        vol.Optional(ATTR_ULIMITS, default=dict): vol.Any(
+            {str: vol.Coerce(int)},  # Simple format: {name: limit}
+            {
+                str: vol.Any(
+                    vol.Coerce(int),  # Simple format for individual entries
+                    vol.Schema(
+                        {  # Detailed format for individual entries
+                            vol.Required("soft"): vol.Coerce(int),
+                            vol.Required("hard"): vol.Coerce(int),
+                        }
+                    ),
+                )
+            },
+        ),
         vol.Optional(ATTR_TIMEOUT, default=10): vol.All(
             vol.Coerce(int), vol.Range(min=10, max=300)
         ),

supervisor/api/__init__.py

@@ -152,6 +152,7 @@ class RestAPI(CoreSysAttributes):
                         self._api_host.advanced_logs,
                         identifier=syslog_identifier,
                         latest=True,
+                        no_colors=True,
                     ),
                 ),
                 web.get(
@@ -449,6 +450,7 @@ class RestAPI(CoreSysAttributes):
                     await async_capture_exception(err)
                 kwargs.pop("follow", None)  # Follow is not supported for Docker logs
                 kwargs.pop("latest", None)  # Latest is not supported for Docker logs
+                kwargs.pop("no_colors", None)  # no_colors not supported for Docker logs
                 return await api_supervisor.logs(*args, **kwargs)
 
         self.webapp.add_routes(
@@ -460,7 +462,7 @@ class RestAPI(CoreSysAttributes):
                 ),
                 web.get(
                     "/supervisor/logs/latest",
-                    partial(get_supervisor_logs, latest=True),
+                    partial(get_supervisor_logs, latest=True, no_colors=True),
                 ),
                 web.get("/supervisor/logs/boots/{bootid}", get_supervisor_logs),
                 web.get(
@@ -576,7 +578,7 @@ class RestAPI(CoreSysAttributes):
                 ),
                 web.get(
                     "/addons/{addon}/logs/latest",
-                    partial(get_addon_logs, latest=True),
+                    partial(get_addon_logs, latest=True, no_colors=True),
                 ),
                 web.get("/addons/{addon}/logs/boots/{bootid}", get_addon_logs),
                 web.get(
@@ -811,6 +813,10 @@ class RestAPI(CoreSysAttributes):
         self.webapp.add_routes(
             [
                 web.get("/docker/info", api_docker.info),
+                web.post(
+                    "/docker/migrate-storage-driver",
+                    api_docker.migrate_docker_storage_driver,
+                ),
                 web.post("/docker/options", api_docker.options),
                 web.get("/docker/registries", api_docker.registries),
                 web.post("/docker/registries", api_docker.create_registry),

supervisor/api/docker.py

@@ -4,6 +4,7 @@ import logging
 from typing import Any
 
 from aiohttp import web
+from awesomeversion import AwesomeVersion
 import voluptuous as vol
 
 from supervisor.resolution.const import ContextType, IssueType, SuggestionType
@@ -16,6 +17,7 @@ from ..const import (
     ATTR_PASSWORD,
     ATTR_REGISTRIES,
     ATTR_STORAGE,
+    ATTR_STORAGE_DRIVER,
     ATTR_USERNAME,
     ATTR_VERSION,
 )
@@ -42,6 +44,12 @@ SCHEMA_OPTIONS = vol.Schema(
     }
 )
 
+SCHEMA_MIGRATE_DOCKER_STORAGE_DRIVER = vol.Schema(
+    {
+        vol.Required(ATTR_STORAGE_DRIVER): vol.In(["overlayfs", "overlay2"]),
+    }
+)
+
 
 class APIDocker(CoreSysAttributes):
     """Handle RESTful API for Docker configuration."""
@@ -123,3 +131,27 @@ class APIDocker(CoreSysAttributes):
 
         del self.sys_docker.config.registries[hostname]
         await self.sys_docker.config.save_data()
+
+    @api_process
+    async def migrate_docker_storage_driver(self, request: web.Request) -> None:
+        """Migrate Docker storage driver."""
+        if (
+            not self.coresys.os.available
+            or not self.coresys.os.version
+            or self.coresys.os.version < AwesomeVersion("17.0.dev0")
+        ):
+            raise APINotFound(
+                "Home Assistant OS 17.0 or newer required for Docker storage driver migration"
+            )
+
+        body = await api_validate(SCHEMA_MIGRATE_DOCKER_STORAGE_DRIVER, request)
+        await self.sys_dbus.agent.system.migrate_docker_storage_driver(
+            body[ATTR_STORAGE_DRIVER]
+        )
+
+        _LOGGER.info("Host system reboot required to apply Docker storage migration")
+        self.sys_resolution.create_issue(
+            IssueType.REBOOT_REQUIRED,
+            ContextType.SYSTEM,
+            suggestions=[SuggestionType.EXECUTE_REBOOT],
+        )

supervisor/api/host.py

@@ -206,6 +206,7 @@ class APIHost(CoreSysAttributes):
         identifier: str | None = None,
         follow: bool = False,
         latest: bool = False,
+        no_colors: bool = False,
     ) -> web.StreamResponse:
         """Return systemd-journald logs."""
         log_formatter = LogFormatter.PLAIN
@@ -251,6 +252,9 @@ class APIHost(CoreSysAttributes):
         if "verbose" in request.query or request.headers[ACCEPT] == CONTENT_TYPE_X_LOG:
             log_formatter = LogFormatter.VERBOSE
 
+        if "no_colors" in request.query:
+            no_colors = True
+
         if "lines" in request.query:
             lines = request.query.get("lines", DEFAULT_LINES)
             try:
@@ -280,7 +284,9 @@ class APIHost(CoreSysAttributes):
                 response = web.StreamResponse()
                 response.content_type = CONTENT_TYPE_TEXT
                 headers_returned = False
-                async for cursor, line in journal_logs_reader(resp, log_formatter):
+                async for cursor, line in journal_logs_reader(
+                    resp, log_formatter, no_colors
+                ):
                     try:
                         if not headers_returned:
                             if cursor:
@@ -318,9 +324,12 @@ class APIHost(CoreSysAttributes):
         identifier: str | None = None,
         follow: bool = False,
         latest: bool = False,
+        no_colors: bool = False,
     ) -> web.StreamResponse:
         """Return systemd-journald logs. Wrapped as standard API handler."""
-        return await self.advanced_logs_handler(request, identifier, follow, latest)
+        return await self.advanced_logs_handler(
+            request, identifier, follow, latest, no_colors
+        )
 
     @api_process
     async def disk_usage(self, request: web.Request) -> dict:
@@ -334,10 +343,14 @@ class APIHost(CoreSysAttributes):
 
         disk = self.sys_hardware.disk
 
-        total, used, _ = await self.sys_run_in_executor(
+        total, _, free = await self.sys_run_in_executor(
             disk.disk_usage, self.sys_config.path_supervisor
         )
 
+        # Calculate used by subtracting free makes sure we include reserved space
+        # in used space reporting.
+        used = total - free
+
         known_paths = await self.sys_run_in_executor(
             disk.get_dir_sizes,
             {

supervisor/api/ingress.py

@@ -253,18 +253,28 @@ class APIIngress(CoreSysAttributes):
             skip_auto_headers={hdrs.CONTENT_TYPE},
         ) as result:
             headers = _response_header(result)
+
             # Avoid parsing content_type in simple cases for better performance
             if maybe_content_type := result.headers.get(hdrs.CONTENT_TYPE):
                 content_type = (maybe_content_type.partition(";"))[0].strip()
             else:
                 content_type = result.content_type
+
+            # Empty body responses (304, 204, HEAD, etc.) should not be streamed,
+            # otherwise aiohttp < 3.9.0 may generate an invalid "0\r\n\r\n" chunk
+            # This also avoids setting content_type for empty responses.
+            if must_be_empty_body(request.method, result.status):
+                # If upstream contains content-type, preserve it (e.g. for HEAD requests)
+                if maybe_content_type:
+                    headers[hdrs.CONTENT_TYPE] = content_type
+                return web.Response(
+                    headers=headers,
+                    status=result.status,
+                )
+
             # Simple request
             if (
-                # empty body responses should not be streamed,
-                # otherwise aiohttp < 3.9.0 may generate
-                # an invalid "0\r\n\r\n" chunk instead of an empty response.
-                must_be_empty_body(request.method, result.status)
-                or hdrs.CONTENT_LENGTH in result.headers
+                hdrs.CONTENT_LENGTH in result.headers
                 and int(result.headers.get(hdrs.CONTENT_LENGTH, 0)) < 4_194_000
             ):
                 # Return Response

supervisor/api/security.py

@@ -1,24 +1,20 @@
 """Init file for Supervisor Security RESTful API."""
 
-import asyncio
-import logging
 from typing import Any
 
 from aiohttp import web
-import attr
 import voluptuous as vol
 
-from ..const import ATTR_CONTENT_TRUST, ATTR_FORCE_SECURITY, ATTR_PWNED
+from supervisor.exceptions import APIGone
+
+from ..const import ATTR_FORCE_SECURITY, ATTR_PWNED
 from ..coresys import CoreSysAttributes
 from .utils import api_process, api_validate
 
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
 # pylint: disable=no-value-for-parameter
 SCHEMA_OPTIONS = vol.Schema(
     {
         vol.Optional(ATTR_PWNED): vol.Boolean(),
-        vol.Optional(ATTR_CONTENT_TRUST): vol.Boolean(),
         vol.Optional(ATTR_FORCE_SECURITY): vol.Boolean(),
     }
 )
@@ -31,7 +27,6 @@ class APISecurity(CoreSysAttributes):
     async def info(self, request: web.Request) -> dict[str, Any]:
         """Return Security information."""
         return {
-            ATTR_CONTENT_TRUST: self.sys_security.content_trust,
             ATTR_PWNED: self.sys_security.pwned,
             ATTR_FORCE_SECURITY: self.sys_security.force,
         }
@@ -43,8 +38,6 @@ class APISecurity(CoreSysAttributes):
 
         if ATTR_PWNED in body:
             self.sys_security.pwned = body[ATTR_PWNED]
-        if ATTR_CONTENT_TRUST in body:
-            self.sys_security.content_trust = body[ATTR_CONTENT_TRUST]
         if ATTR_FORCE_SECURITY in body:
             self.sys_security.force = body[ATTR_FORCE_SECURITY]
 
@@ -54,6 +47,9 @@ class APISecurity(CoreSysAttributes):
 
     @api_process
     async def integrity_check(self, request: web.Request) -> dict[str, Any]:
-        """Run backend integrity check."""
-        result = await asyncio.shield(self.sys_security.integrity_check())
-        return attr.asdict(result)
+        """Run backend integrity check.
+
+        CodeNotary integrity checking has been removed. This endpoint now returns
+        an error indicating the feature is gone.
+        """
+        raise APIGone("Integrity check feature has been removed.")

supervisor/api/supervisor.py

@@ -16,14 +16,12 @@ from ..const import (
     ATTR_BLK_READ,
     ATTR_BLK_WRITE,
     ATTR_CHANNEL,
-    ATTR_CONTENT_TRUST,
     ATTR_COUNTRY,
     ATTR_CPU_PERCENT,
     ATTR_DEBUG,
     ATTR_DEBUG_BLOCK,
     ATTR_DETECT_BLOCKING_IO,
     ATTR_DIAGNOSTICS,
-    ATTR_FORCE_SECURITY,
     ATTR_HEALTHY,
     ATTR_ICON,
     ATTR_IP_ADDRESS,
@@ -69,8 +67,6 @@ SCHEMA_OPTIONS = vol.Schema(
         vol.Optional(ATTR_DEBUG): vol.Boolean(),
         vol.Optional(ATTR_DEBUG_BLOCK): vol.Boolean(),
         vol.Optional(ATTR_DIAGNOSTICS): vol.Boolean(),
-        vol.Optional(ATTR_CONTENT_TRUST): vol.Boolean(),
-        vol.Optional(ATTR_FORCE_SECURITY): vol.Boolean(),
         vol.Optional(ATTR_AUTO_UPDATE): vol.Boolean(),
         vol.Optional(ATTR_DETECT_BLOCKING_IO): vol.Coerce(DetectBlockingIO),
         vol.Optional(ATTR_COUNTRY): str,

supervisor/api/utils.py

@@ -63,12 +63,10 @@ def json_loads(data: Any) -> dict[str, Any]:
 def api_process(method):
     """Wrap function with true/false calls to rest api."""
 
-    async def wrap_api(
-        api: CoreSysAttributes, *args, **kwargs
-    ) -> web.Response | web.StreamResponse:
+    async def wrap_api(*args, **kwargs) -> web.Response | web.StreamResponse:
         """Return API information."""
         try:
-            answer = await method(api, *args, **kwargs)
+            answer = await method(*args, **kwargs)
         except BackupFileNotFoundError as err:
             return api_return_error(err, status=404)
         except APIError as err:
@@ -109,12 +107,10 @@ def api_process_raw(content, *, error_type=None):
     def wrap_method(method):
         """Wrap function with raw output to rest api."""
 
-        async def wrap_api(
-            api: CoreSysAttributes, *args, **kwargs
-        ) -> web.Response | web.StreamResponse:
+        async def wrap_api(*args, **kwargs) -> web.Response | web.StreamResponse:
             """Return api information."""
             try:
-                msg_data = await method(api, *args, **kwargs)
+                msg_data = await method(*args, **kwargs)
             except APIError as err:
                 return api_return_error(
                     err,
@@ -151,7 +147,7 @@ def api_return_error(
         if check_exception_chain(error, DockerAPIError):
             message = format_message(message)
     if not message:
-        message = "Unknown error, see supervisor"
+        message = "Unknown error, see Supervisor logs (check with 'ha supervisor logs')"
 
     match error_type:
         case const.CONTENT_TYPE_TEXT:

supervisor/bootstrap.py

@@ -105,7 +105,6 @@ async def initialize_coresys() -> CoreSys:
 
     if coresys.dev:
         coresys.updater.channel = UpdateChannel.DEV
-        coresys.security.content_trust = False
 
     # Convert datetime
     logging.Formatter.converter = lambda *args: coresys.now().timetuple()

supervisor/bus.py

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+from asyncio import Task
 from collections.abc import Callable, Coroutine
 import logging
 from typing import Any
@@ -38,11 +39,13 @@ class Bus(CoreSysAttributes):
         self._listeners.setdefault(event, []).append(listener)
         return listener
 
-    def fire_event(self, event: BusEvent, reference: Any) -> None:
+    def fire_event(self, event: BusEvent, reference: Any) -> list[Task]:
         """Fire an event to the bus."""
         _LOGGER.debug("Fire event '%s' with '%s'", event, reference)
+        tasks: list[Task] = []
         for listener in self._listeners.get(event, []):
-            self.sys_create_task(listener.callback(reference))
+            tasks.append(self.sys_create_task(listener.callback(reference)))
+        return tasks
 
     def remove_listener(self, listener: EventListener) -> None:
         """Unregister an listener."""

supervisor/const.py

@@ -328,6 +328,7 @@ ATTR_STATE = "state"
 ATTR_STATIC = "static"
 ATTR_STDIN = "stdin"
 ATTR_STORAGE = "storage"
+ATTR_STORAGE_DRIVER = "storage_driver"
 ATTR_SUGGESTIONS = "suggestions"
 ATTR_SUPERVISOR = "supervisor"
 ATTR_SUPERVISOR_INTERNET = "supervisor_internet"
@@ -348,6 +349,7 @@ ATTR_TRANSLATIONS = "translations"
 ATTR_TYPE = "type"
 ATTR_UART = "uart"
 ATTR_UDEV = "udev"
+ATTR_ULIMITS = "ulimits"
 ATTR_UNHEALTHY = "unhealthy"
 ATTR_UNSAVED = "unsaved"
 ATTR_UNSUPPORTED = "unsupported"

supervisor/coresys.py

@@ -9,6 +9,7 @@ from datetime import UTC, datetime, tzinfo
 from functools import partial
 import logging
 import os
+import time
 from types import MappingProxyType
 from typing import TYPE_CHECKING, Any, Self, TypeVar
 
@@ -655,8 +656,14 @@ class CoreSys:
         if kwargs:
             funct = partial(funct, **kwargs)
 
+        # Convert datetime to event loop time base
+        # If datetime is in the past, delay will be negative and call_at will
+        # schedule the call as soon as possible.
+        delay = when.timestamp() - time.time()
+        loop_time = self.loop.time() + delay
+
         return self.loop.call_at(
-            when.timestamp(), funct, *args, context=self._create_context()
+            loop_time, funct, *args, context=self._create_context()
         )
 
 

supervisor/dbus/agent/system.py

@@ -15,3 +15,8 @@ class System(DBusInterface):
     async def schedule_wipe_device(self) -> bool:
         """Schedule a factory reset on next system boot."""
         return await self.connected_dbus.System.call("schedule_wipe_device")
+
+    @dbus_connected
+    async def migrate_docker_storage_driver(self, backend: str) -> None:
+        """Migrate Docker storage driver."""
+        await self.connected_dbus.System.call("migrate_docker_storage_driver", backend)

supervisor/dbus/const.py

@@ -306,6 +306,8 @@ class DeviceType(IntEnum):
     VLAN = 11
     TUN = 16
     VETH = 20
+    WIREGUARD = 29
+    LOOPBACK = 32
 
 
 class WirelessMethodType(IntEnum):

supervisor/dbus/manager.py

@@ -115,7 +115,7 @@ class DBusManager(CoreSysAttributes):
 
     async def load(self) -> None:
         """Connect interfaces to D-Bus."""
-        if not SOCKET_DBUS.exists():
+        if not await self.sys_run_in_executor(SOCKET_DBUS.exists):
             _LOGGER.error(
                 "No D-Bus support on Host. Disabled any kind of host control!"
             )

supervisor/dbus/network/__init__.py

@@ -134,9 +134,10 @@ class NetworkManager(DBusInterfaceProxy):
     async def check_connectivity(self, *, force: bool = False) -> ConnectivityState:
         """Check the connectivity of the host."""
         if force:
-            return await self.connected_dbus.call("check_connectivity")
-        else:
-            return await self.connected_dbus.get("connectivity")
+            return ConnectivityState(
+                await self.connected_dbus.call("check_connectivity")
+            )
+        return ConnectivityState(await self.connected_dbus.get("connectivity"))
 
     async def connect(self, bus: MessageBus) -> None:
         """Connect to system's D-Bus."""

supervisor/dbus/network/connection.py

@@ -69,7 +69,7 @@ class NetworkConnection(DBusInterfaceProxy):
     @dbus_property
     def state(self) -> ConnectionStateType:
         """Return the state of the connection."""
-        return self.properties[DBUS_ATTR_STATE]
+        return ConnectionStateType(self.properties[DBUS_ATTR_STATE])
 
     @property
     def state_flags(self) -> set[ConnectionStateFlags]:

supervisor/dbus/network/interface.py

@@ -1,5 +1,6 @@
 """NetworkInterface object for Network Manager."""
 
+import logging
 from typing import Any
 
 from dbus_fast.aio.message_bus import MessageBus
@@ -23,6 +24,8 @@ from .connection import NetworkConnection
 from .setting import NetworkSetting
 from .wireless import NetworkWireless
 
+_LOGGER: logging.Logger = logging.getLogger(__name__)
+
 
 class NetworkInterface(DBusInterfaceProxy):
     """NetworkInterface object represents Network Manager Device objects.
@@ -57,7 +60,15 @@ class NetworkInterface(DBusInterfaceProxy):
     @dbus_property
     def type(self) -> DeviceType:
         """Return interface type."""
-        return self.properties[DBUS_ATTR_DEVICE_TYPE]
+        try:
+            return DeviceType(self.properties[DBUS_ATTR_DEVICE_TYPE])
+        except ValueError:
+            _LOGGER.debug(
+                "Unknown device type %s for %s, treating as UNKNOWN",
+                self.properties[DBUS_ATTR_DEVICE_TYPE],
+                self.object_path,
+            )
+            return DeviceType.UNKNOWN
 
     @property
     @dbus_property

supervisor/dbus/resolved.py

@@ -75,7 +75,7 @@ class Resolved(DBusInterfaceProxy):
     @dbus_property
     def current_dns_server(
         self,
-    ) -> list[tuple[int, DNSAddressFamily, bytes]] | None:
+    ) -> tuple[int, DNSAddressFamily, bytes] | None:
         """Return current DNS server."""
         return self.properties[DBUS_ATTR_CURRENT_DNS_SERVER]
 
@@ -83,7 +83,7 @@ class Resolved(DBusInterfaceProxy):
     @dbus_property
     def current_dns_server_ex(
         self,
-    ) -> list[tuple[int, DNSAddressFamily, bytes, int, str]] | None:
+    ) -> tuple[int, DNSAddressFamily, bytes, int, str] | None:
         """Return current DNS server including port and server name."""
         return self.properties[DBUS_ATTR_CURRENT_DNS_SERVER_EX]
 

supervisor/dbus/systemd.py

@@ -70,7 +70,7 @@ class SystemdUnit(DBusInterface):
     @dbus_connected
     async def get_active_state(self) -> UnitActiveState:
         """Get active state of the unit."""
-        return await self.connected_dbus.Unit.get("active_state")
+        return UnitActiveState(await self.connected_dbus.Unit.get("active_state"))
 
     @dbus_connected
     def properties_changed(self) -> DBusSignalWrapper:

supervisor/dbus/udisks2/data.py

@@ -9,7 +9,7 @@ from dbus_fast import Variant
 from .const import EncryptType, EraseMode
 
 
-def udisks2_bytes_to_path(path_bytes: bytearray) -> Path:
+def udisks2_bytes_to_path(path_bytes: bytes) -> Path:
     """Convert bytes to path object without null character on end."""
     if path_bytes and path_bytes[-1] == 0:
         return Path(path_bytes[:-1].decode())
@@ -73,7 +73,7 @@ FormatOptionsDataType = TypedDict(
     {
         "label": NotRequired[str],
         "take-ownership": NotRequired[bool],
-        "encrypt.passphrase": NotRequired[bytearray],
+        "encrypt.passphrase": NotRequired[bytes],
         "encrypt.type": NotRequired[str],
         "erase": NotRequired[str],
         "update-partition-type": NotRequired[bool],

supervisor/docker/addon.py

@@ -7,8 +7,10 @@ from ipaddress import IPv4Address
 import logging
 import os
 from pathlib import Path
+import tempfile
 from typing import TYPE_CHECKING, cast
 
+import aiodocker
 from attr import evolve
 from awesomeversion import AwesomeVersion
 import docker
@@ -318,7 +320,18 @@ class DockerAddon(DockerInterface):
             mem = 128 * 1024 * 1024
             limits.append(docker.types.Ulimit(name="memlock", soft=mem, hard=mem))
 
-        # Return None if no capabilities is present
+        # Add configurable ulimits from add-on config
+        for name, config in self.addon.ulimits.items():
+            if isinstance(config, int):
+                # Simple format: both soft and hard limits are the same
+                limits.append(docker.types.Ulimit(name=name, soft=config, hard=config))
+            elif isinstance(config, dict):
+                # Detailed format: both soft and hard limits are mandatory
+                soft = config["soft"]
+                hard = config["hard"]
+                limits.append(docker.types.Ulimit(name=name, soft=soft, hard=hard))
+
+        # Return None if no ulimits are present
         if limits:
             return limits
         return None
@@ -693,12 +706,38 @@ class DockerAddon(DockerInterface):
             with suppress(docker.errors.NotFound):
                 self.sys_docker.containers.get(builder_name).remove(force=True, v=True)
 
-            result = self.sys_docker.run_command(
-                ADDON_BUILDER_IMAGE,
-                version=builder_version_tag,
-                name=builder_name,
-                **build_env.get_docker_args(version, addon_image_tag),
-            )
+            # Generate Docker config with registry credentials for base image if needed
+            docker_config_path: Path | None = None
+            docker_config_content = build_env.get_docker_config_json()
+            temp_dir: tempfile.TemporaryDirectory | None = None
+
+            try:
+                if docker_config_content:
+                    # Create temporary directory for docker config
+                    temp_dir = tempfile.TemporaryDirectory(
+                        prefix="hassio_build_", dir=self.sys_config.path_tmp
+                    )
+                    docker_config_path = Path(temp_dir.name) / "config.json"
+                    docker_config_path.write_text(
+                        docker_config_content, encoding="utf-8"
+                    )
+                    _LOGGER.debug(
+                        "Created temporary Docker config for build at %s",
+                        docker_config_path,
+                    )
+
+                result = self.sys_docker.run_command(
+                    ADDON_BUILDER_IMAGE,
+                    version=builder_version_tag,
+                    name=builder_name,
+                    **build_env.get_docker_args(
+                        version, addon_image_tag, docker_config_path
+                    ),
+                )
+            finally:
+                # Clean up temporary directory
+                if temp_dir:
+                    temp_dir.cleanup()
 
             logs = result.output.decode("utf-8")
 
@@ -706,19 +745,21 @@ class DockerAddon(DockerInterface):
                 error_message = f"Docker build failed for {addon_image_tag} (exit code {result.exit_code}). Build output:\n{logs}"
                 raise docker.errors.DockerException(error_message)
 
-            addon_image = self.sys_docker.images.get(addon_image_tag)
-
-            return addon_image, logs
+            return addon_image_tag, logs
 
         try:
-            docker_image, log = await self.sys_run_in_executor(build_image)
+            addon_image_tag, log = await self.sys_run_in_executor(build_image)
 
             _LOGGER.debug("Build %s:%s done: %s", self.image, version, log)
 
             # Update meta data
-            self._meta = docker_image.attrs
+            self._meta = await self.sys_docker.images.inspect(addon_image_tag)
 
-        except (docker.errors.DockerException, requests.RequestException) as err:
+        except (
+            docker.errors.DockerException,
+            requests.RequestException,
+            aiodocker.DockerError,
+        ) as err:
             _LOGGER.error("Can't build %s:%s: %s", self.image, version, err)
             raise DockerError() from err
 
@@ -740,11 +781,8 @@ class DockerAddon(DockerInterface):
     )
     async def import_image(self, tar_file: Path) -> None:
         """Import a tar file as image."""
-        docker_image = await self.sys_run_in_executor(
-            self.sys_docker.import_image, tar_file
-        )
-        if docker_image:
-            self._meta = docker_image.attrs
+        if docker_image := await self.sys_docker.import_image(tar_file):
+            self._meta = docker_image
             _LOGGER.info("Importing image %s and version %s", tar_file, self.version)
 
             with suppress(DockerError):
@@ -758,17 +796,21 @@ class DockerAddon(DockerInterface):
         version: AwesomeVersion | None = None,
     ) -> None:
         """Check if old version exists and cleanup other versions of image not in use."""
-        await self.sys_run_in_executor(
-            self.sys_docker.cleanup_old_images,
-            (image := image or self.image),
-            version or self.version,
+        if not (use_image := image or self.image):
+            raise DockerError("Cannot determine image from metadata!", _LOGGER.error)
+        if not (use_version := version or self.version):
+            raise DockerError("Cannot determine version from metadata!", _LOGGER.error)
+
+        await self.sys_docker.cleanup_old_images(
+            use_image,
+            use_version,
             {old_image} if old_image else None,
             keep_images={
                 f"{addon.image}:{addon.version}"
                 for addon in self.sys_addons.installed
                 if addon.slug != self.addon.slug
                 and addon.image
-                and addon.image in {old_image, image}
+                and addon.image in {old_image, use_image}
             },
         )
 
@@ -835,16 +877,6 @@ class DockerAddon(DockerInterface):
         ):
             self.sys_resolution.dismiss_issue(self.addon.device_access_missing_issue)
 
-    async def _validate_trust(self, image_id: str) -> None:
-        """Validate trust of content."""
-        if not self.addon.signed:
-            return
-
-        checksum = image_id.partition(":")[2]
-        return await self.sys_security.verify_content(
-            cast(str, self.addon.codenotary), checksum
-        )
-
     @Job(
         name="docker_addon_hardware_events",
         conditions=[JobCondition.OS_AGENT],

supervisor/docker/const.py

@@ -15,6 +15,12 @@ from ..const import MACHINE_ID
 
 RE_RETRYING_DOWNLOAD_STATUS = re.compile(r"Retrying in \d+ seconds?")
 
+# Docker Hub registry identifier
+DOCKER_HUB = "hub.docker.com"
+
+# Regex to match images with a registry host (e.g., ghcr.io/org/image)
+IMAGE_WITH_HOST = re.compile(r"^((?:[a-z0-9]+(?:-[a-z0-9]+)*\.)+[a-z]{2,})\/.+")
+
 
 class Capabilities(StrEnum):
     """Linux Capabilities."""

supervisor/docker/homeassistant.py

@@ -1,11 +1,10 @@
 """Init file for Supervisor Docker object."""
 
-from collections.abc import Awaitable
 from ipaddress import IPv4Address
 import logging
 import re
 
-from awesomeversion import AwesomeVersion, AwesomeVersionCompareException
+from awesomeversion import AwesomeVersion
 from docker.types import Mount
 
 from ..const import LABEL_MACHINE
@@ -236,21 +235,10 @@ class DockerHomeAssistant(DockerInterface):
             environment={ENV_TIME: self.sys_timezone},
         )
 
-    def is_initialize(self) -> Awaitable[bool]:
+    async def is_initialize(self) -> bool:
         """Return True if Docker container exists."""
-        return self.sys_run_in_executor(
-            self.sys_docker.container_is_initialized,
-            self.name,
-            self.image,
-            self.sys_homeassistant.version,
+        if not self.sys_homeassistant.version:
+            return False
+        return await self.sys_docker.container_is_initialized(
+            self.name, self.image, self.sys_homeassistant.version
         )
-
-    async def _validate_trust(self, image_id: str) -> None:
-        """Validate trust of content."""
-        try:
-            if self.version in {None, LANDINGPAGE} or self.version < _VERIFY_TRUST:
-                return
-        except AwesomeVersionCompareException:
-            return
-
-        await super()._validate_trust(image_id)

supervisor/docker/interface.py

@@ -6,17 +6,17 @@ from abc import ABC, abstractmethod
 from collections import defaultdict
 from collections.abc import Awaitable
 from contextlib import suppress
+from http import HTTPStatus
 import logging
-import re
 from time import time
 from typing import Any, cast
 from uuid import uuid4
 
+import aiodocker
 from awesomeversion import AwesomeVersion
 from awesomeversion.strategy import AwesomeVersionStrategy
 import docker
 from docker.models.containers import Container
-from docker.models.images import Image
 import requests
 
 from ..bus import EventListener
@@ -31,15 +31,13 @@ from ..const import (
 )
 from ..coresys import CoreSys
 from ..exceptions import (
-    CodeNotaryError,
-    CodeNotaryUntrusted,
     DockerAPIError,
     DockerError,
+    DockerHubRateLimitExceeded,
     DockerJobError,
     DockerLogOutOfOrder,
     DockerNotFound,
     DockerRequestError,
-    DockerTrustError,
 )
 from ..jobs import SupervisorJob
 from ..jobs.const import JOB_GROUP_DOCKER_INTERFACE, JobConcurrency
@@ -47,16 +45,13 @@ from ..jobs.decorator import Job
 from ..jobs.job_group import JobGroup
 from ..resolution.const import ContextType, IssueType, SuggestionType
 from ..utils.sentry import async_capture_exception
-from .const import ContainerState, PullImageLayerStage, RestartPolicy
+from .const import DOCKER_HUB, ContainerState, PullImageLayerStage, RestartPolicy
 from .manager import CommandReturn, PullLogEntry
 from .monitor import DockerContainerStateEvent
 from .stats import DockerStats
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
-IMAGE_WITH_HOST = re.compile(r"^((?:[a-z0-9]+(?:-[a-z0-9]+)*\.)+[a-z]{2,})\/.+")
-DOCKER_HUB = "hub.docker.com"
-
 MAP_ARCH: dict[CpuArch | str, str] = {
     CpuArch.ARMV7: "linux/arm/v7",
     CpuArch.ARMHF: "linux/arm/v6",
@@ -181,25 +176,16 @@ class DockerInterface(JobGroup, ABC):
         return self.meta_config.get("Healthcheck")
 
     def _get_credentials(self, image: str) -> dict:
-        """Return a dictionay with credentials for docker login."""
-        registry = None
+        """Return a dictionary with credentials for docker login."""
         credentials = {}
-        matcher = IMAGE_WITH_HOST.match(image)
-
-        # Custom registry
-        if matcher:
-            if matcher.group(1) in self.sys_docker.config.registries:
-                registry = matcher.group(1)
-                credentials[ATTR_REGISTRY] = registry
-
-        # If no match assume "dockerhub" as registry
-        elif DOCKER_HUB in self.sys_docker.config.registries:
-            registry = DOCKER_HUB
+        registry = self.sys_docker.config.get_registry_for_image(image)
 
         if registry:
             stored = self.sys_docker.config.registries[registry]
             credentials[ATTR_USERNAME] = stored[ATTR_USERNAME]
             credentials[ATTR_PASSWORD] = stored[ATTR_PASSWORD]
+            if registry != DOCKER_HUB:
+                credentials[ATTR_REGISTRY] = registry
 
             _LOGGER.debug(
                 "Logging in to %s as %s",
@@ -209,21 +195,12 @@ class DockerInterface(JobGroup, ABC):
 
         return credentials
 
-    async def _docker_login(self, image: str) -> None:
-        """Try to log in to the registry if there are credentials available."""
-        if not self.sys_docker.config.registries:
-            return
-
-        credentials = self._get_credentials(image)
-        if not credentials:
-            return
-
-        await self.sys_run_in_executor(self.sys_docker.docker.login, **credentials)
-
-    def _process_pull_image_log(self, job_id: str, reference: PullLogEntry) -> None:
+    def _process_pull_image_log(  # noqa: C901
+        self, install_job_id: str, reference: PullLogEntry
+    ) -> None:
         """Process events fired from a docker while pulling an image, filtered to a given job id."""
         if (
-            reference.job_id != job_id
+            reference.job_id != install_job_id
             or not reference.id
             or not reference.status
             or not (stage := PullImageLayerStage.from_status(reference.status))
@@ -237,39 +214,28 @@ class DockerInterface(JobGroup, ABC):
                 name="Pulling container image layer",
                 initial_stage=stage.status,
                 reference=reference.id,
-                parent_id=job_id,
+                parent_id=install_job_id,
+                internal=True,
             )
             job.done = False
             return
 
         # Find our sub job to update details of
         for j in self.sys_jobs.jobs:
-            if j.parent_id == job_id and j.reference == reference.id:
+            if j.parent_id == install_job_id and j.reference == reference.id:
                 job = j
                 break
 
-        # This likely only occurs if the logs came in out of sync and we got progress before the Pulling FS Layer one
+        # There should no longer be any real risk of logs out of order anymore.
+        # However tests with very small images have shown that sometimes Docker
+        # skips stages in log. So keeping this one as a safety check on null job
         if not job:
             raise DockerLogOutOfOrder(
-                f"Received pull image log with status {reference.status} for image id {reference.id} and parent job {job_id} but could not find a matching job, skipping",
+                f"Received pull image log with status {reference.status} for image id {reference.id} and parent job {install_job_id} but could not find a matching job, skipping",
                 _LOGGER.debug,
             )
 
-        # Hopefully these come in order but if they sometimes get out of sync, avoid accidentally going backwards
-        # If it happens a lot though we may need to reconsider the value of this feature
-        if job.done:
-            raise DockerLogOutOfOrder(
-                f"Received pull image log with status {reference.status} for job {job.uuid} but job was done, skipping",
-                _LOGGER.debug,
-            )
-
-        if job.stage and stage < PullImageLayerStage.from_status(job.stage):
-            raise DockerLogOutOfOrder(
-                f"Received pull image log with status {reference.status} for job {job.uuid} but job was already on stage {job.stage}, skipping",
-                _LOGGER.debug,
-            )
-
-        # For progress calcuation we assume downloading and extracting are each 50% of the time and others stages negligible
+        # For progress calculation we assume downloading is 70% of time, extracting is 30% and others stages negligible
         progress = job.progress
         match stage:
             case PullImageLayerStage.DOWNLOADING | PullImageLayerStage.EXTRACTING:
@@ -278,22 +244,26 @@ class DockerInterface(JobGroup, ABC):
                     and reference.progress_detail.current
                     and reference.progress_detail.total
                 ):
-                    progress = 50 * (
+                    progress = (
                         reference.progress_detail.current
                         / reference.progress_detail.total
                     )
-                    if stage == PullImageLayerStage.EXTRACTING:
-                        progress += 50
+                    if stage == PullImageLayerStage.DOWNLOADING:
+                        progress = 70 * progress
+                    else:
+                        progress = 70 + 30 * progress
             case (
                 PullImageLayerStage.VERIFYING_CHECKSUM
                 | PullImageLayerStage.DOWNLOAD_COMPLETE
             ):
-                progress = 50
+                progress = 70
             case PullImageLayerStage.PULL_COMPLETE:
                 progress = 100
             case PullImageLayerStage.RETRYING_DOWNLOAD:
                 progress = 0
 
+        # No real risk of getting things out of order in current implementation
+        # but keeping this one in case another change to these trips us up.
         if stage != PullImageLayerStage.RETRYING_DOWNLOAD and progress < job.progress:
             raise DockerLogOutOfOrder(
                 f"Received pull image log with status {reference.status} for job {job.uuid} that implied progress was {progress} but current progress is {job.progress}, skipping",
@@ -303,9 +273,13 @@ class DockerInterface(JobGroup, ABC):
         # Our filters have all passed. Time to update the job
         # Only downloading and extracting have progress details. Use that to set extra
         # We'll leave it around on later stages as the total bytes may be useful after that stage
+        # Enforce range to prevent float drift error
+        progress = max(0, min(progress, 100))
         if (
             stage in {PullImageLayerStage.DOWNLOADING, PullImageLayerStage.EXTRACTING}
             and reference.progress_detail
+            and reference.progress_detail.current is not None
+            and reference.progress_detail.total is not None
         ):
             job.update(
                 progress=progress,
@@ -316,19 +290,111 @@ class DockerInterface(JobGroup, ABC):
                 },
             )
         else:
+            # If we reach DOWNLOAD_COMPLETE without ever having set extra (small layers that skip
+            # the downloading phase), set a minimal extra so aggregate progress calculation can proceed
+            extra = job.extra
+            if stage == PullImageLayerStage.DOWNLOAD_COMPLETE and not job.extra:
+                extra = {"current": 1, "total": 1}
+
             job.update(
                 progress=progress,
                 stage=stage.status,
                 done=stage == PullImageLayerStage.PULL_COMPLETE,
-                extra=None
-                if stage == PullImageLayerStage.RETRYING_DOWNLOAD
-                else job.extra,
+                extra=None if stage == PullImageLayerStage.RETRYING_DOWNLOAD else extra,
             )
 
+        # Once we have received a progress update for every child job, start to set status of the main one
+        install_job = self.sys_jobs.get_job(install_job_id)
+        layer_jobs = [
+            job
+            for job in self.sys_jobs.jobs
+            if job.parent_id == install_job.uuid
+            and job.name == "Pulling container image layer"
+        ]
+
+        # Calculate total from layers that have reported size info
+        # With containerd snapshotter, some layers skip "Downloading" and go directly to
+        # "Download complete", so we can't wait for all layers to have extra before reporting progress
+        layers_with_extra = [
+            job for job in layer_jobs if job.extra and job.extra.get("total")
+        ]
+        if not layers_with_extra:
+            return
+
+        # Sum up total bytes. Layers that skip downloading get placeholder extra={1,1}
+        # which doesn't represent actual size. Separate "real" layers from placeholders.
+        # Filter guarantees job.extra is not None and has "total" key
+        real_layers = [
+            job for job in layers_with_extra if cast(dict, job.extra)["total"] > 1
+        ]
+        placeholder_layers = [
+            job for job in layers_with_extra if cast(dict, job.extra)["total"] == 1
+        ]
+
+        # If we only have placeholder layers (no real size info yet), don't report progress
+        # This prevents tiny cached layers from showing inflated progress before
+        # the actual download sizes are known
+        if not real_layers:
+            return
+
+        total = sum(cast(dict, job.extra)["total"] for job in real_layers)
+        if total == 0:
+            return
+
+        # Update install_job.extra with current total (may increase as more layers report)
+        install_job.extra = {"total": total}
+
+        # Calculate progress based on layers that have real size info
+        # Placeholder layers (skipped downloads) count as complete but don't affect weighted progress
+        progress = 0.0
+        stage = PullImageLayerStage.PULL_COMPLETE
+        for job in real_layers:
+            progress += job.progress * (cast(dict, job.extra)["total"] / total)
+            job_stage = PullImageLayerStage.from_status(cast(str, job.stage))
+
+            if job_stage < PullImageLayerStage.EXTRACTING:
+                stage = PullImageLayerStage.DOWNLOADING
+            elif (
+                stage == PullImageLayerStage.PULL_COMPLETE
+                and job_stage < PullImageLayerStage.PULL_COMPLETE
+            ):
+                stage = PullImageLayerStage.EXTRACTING
+
+        # Check if any layers are still pending (no extra yet)
+        # If so, we're still in downloading phase even if all layers_with_extra are done
+        layers_pending = len(layer_jobs) - len(layers_with_extra)
+        if layers_pending > 0:
+            # Scale progress to account for unreported layers
+            # This prevents tiny layers that complete first from showing inflated progress
+            # e.g., if 2/25 layers reported at 70%, actual progress is ~70 * 2/25 = 5.6%
+            layers_fraction = len(layers_with_extra) / len(layer_jobs)
+            progress = progress * layers_fraction
+
+            if stage == PullImageLayerStage.PULL_COMPLETE:
+                stage = PullImageLayerStage.DOWNLOADING
+
+        # Also check if all placeholders are done but we're waiting for real layers
+        if placeholder_layers and stage == PullImageLayerStage.PULL_COMPLETE:
+            # All real layers are done, but check if placeholders are still extracting
+            for job in placeholder_layers:
+                job_stage = PullImageLayerStage.from_status(cast(str, job.stage))
+                if job_stage < PullImageLayerStage.PULL_COMPLETE:
+                    stage = PullImageLayerStage.EXTRACTING
+                    break
+
+        # Ensure progress is 100 at this point to prevent float drift
+        if stage == PullImageLayerStage.PULL_COMPLETE:
+            progress = 100
+
+        # To reduce noise, limit updates to when result has changed by an entire percent or when stage changed
+        if stage != install_job.stage or progress >= install_job.progress + 1:
+            install_job.update(stage=stage.status, progress=max(0, min(progress, 100)))
+
     @Job(
         name="docker_interface_install",
         on_condition=DockerJobError,
         concurrency=JobConcurrency.GROUP_REJECT,
+        internal=True,
     )
     async def install(
         self,
@@ -347,15 +413,14 @@ class DockerInterface(JobGroup, ABC):
 
         _LOGGER.info("Downloading docker image %s with tag %s.", image, version)
         try:
-            if self.sys_docker.config.registries:
-                # Try login if we have defined credentials
-                await self._docker_login(image)
+            # Get credentials for private registries to pass to aiodocker
+            credentials = self._get_credentials(image) or None
 
-            job_id = self.sys_jobs.current.uuid
+            curr_job_id = self.sys_jobs.current.uuid
 
             async def process_pull_image_log(reference: PullLogEntry) -> None:
                 try:
-                    self._process_pull_image_log(job_id, reference)
+                    self._process_pull_image_log(curr_job_id, reference)
                 except DockerLogOutOfOrder as err:
                     # Send all these to sentry. Missing a few progress updates
                     # shouldn't matter to users but matters to us
@@ -365,74 +430,65 @@ class DockerInterface(JobGroup, ABC):
                 BusEvent.DOCKER_IMAGE_PULL_UPDATE, process_pull_image_log
             )
 
-            # Pull new image
-            docker_image = await self.sys_run_in_executor(
-                self.sys_docker.pull_image,
+            # Pull new image, passing credentials to aiodocker
+            docker_image = await self.sys_docker.pull_image(
                 self.sys_jobs.current.uuid,
                 image,
                 str(version),
                 platform=MAP_ARCH[image_arch],
+                auth=credentials,
             )
 
-            # Validate content
-            try:
-                await self._validate_trust(cast(str, docker_image.id))
-            except CodeNotaryError:
-                with suppress(docker.errors.DockerException):
-                    await self.sys_run_in_executor(
-                        self.sys_docker.images.remove,
-                        image=f"{image}:{version!s}",
-                        force=True,
-                    )
-                raise
-
             # Tag latest
             if latest:
                 _LOGGER.info(
                     "Tagging image %s with version %s as latest", image, version
                 )
-                await self.sys_run_in_executor(docker_image.tag, image, tag="latest")
+                await self.sys_docker.images.tag(
+                    docker_image["Id"], image, tag="latest"
+                )
         except docker.errors.APIError as err:
-            if err.status_code == 429:
+            if err.status_code == HTTPStatus.TOO_MANY_REQUESTS:
                 self.sys_resolution.create_issue(
                     IssueType.DOCKER_RATELIMIT,
                     ContextType.SYSTEM,
                     suggestions=[SuggestionType.REGISTRY_LOGIN],
                 )
-                _LOGGER.info(
-                    "Your IP address has made too many requests to Docker Hub which activated a rate limit. "
-                    "For more details see https://www.home-assistant.io/more-info/dockerhub-rate-limit"
-                )
+                raise DockerHubRateLimitExceeded(_LOGGER.error) from err
+            await async_capture_exception(err)
             raise DockerError(
                 f"Can't install {image}:{version!s}: {err}", _LOGGER.error
             ) from err
-        except (docker.errors.DockerException, requests.RequestException) as err:
+        except aiodocker.DockerError as err:
+            if err.status == HTTPStatus.TOO_MANY_REQUESTS:
+                self.sys_resolution.create_issue(
+                    IssueType.DOCKER_RATELIMIT,
+                    ContextType.SYSTEM,
+                    suggestions=[SuggestionType.REGISTRY_LOGIN],
+                )
+                raise DockerHubRateLimitExceeded(_LOGGER.error) from err
+            await async_capture_exception(err)
+            raise DockerError(
+                f"Can't install {image}:{version!s}: {err}", _LOGGER.error
+            ) from err
+        except (
+            docker.errors.DockerException,
+            requests.RequestException,
+        ) as err:
             await async_capture_exception(err)
             raise DockerError(
                 f"Unknown error with {image}:{version!s} -> {err!s}", _LOGGER.error
             ) from err
-        except CodeNotaryUntrusted as err:
-            raise DockerTrustError(
-                f"Pulled image {image}:{version!s} failed on content-trust verification!",
-                _LOGGER.critical,
-            ) from err
-        except CodeNotaryError as err:
-            raise DockerTrustError(
-                f"Error happened on Content-Trust check for {image}:{version!s}: {err!s}",
-                _LOGGER.error,
-            ) from err
         finally:
             if listener:
                 self.sys_bus.remove_listener(listener)
 
-        self._meta = docker_image.attrs
+        self._meta = docker_image
 
     async def exists(self) -> bool:
         """Return True if Docker image exists in local repository."""
-        with suppress(docker.errors.DockerException, requests.RequestException):
-            await self.sys_run_in_executor(
-                self.sys_docker.images.get, f"{self.image}:{self.version!s}"
-            )
+        with suppress(aiodocker.DockerError, requests.RequestException):
+            await self.sys_docker.images.inspect(f"{self.image}:{self.version!s}")
             return True
         return False
 
@@ -491,11 +547,11 @@ class DockerInterface(JobGroup, ABC):
                     ),
                 )
 
-        with suppress(docker.errors.DockerException, requests.RequestException):
+        with suppress(aiodocker.DockerError, requests.RequestException):
             if not self._meta and self.image:
-                self._meta = self.sys_docker.images.get(
+                self._meta = await self.sys_docker.images.inspect(
                     f"{self.image}:{version!s}"
-                ).attrs
+                )
 
         # Successful?
         if not self._meta:
@@ -563,14 +619,17 @@ class DockerInterface(JobGroup, ABC):
     )
     async def remove(self, *, remove_image: bool = True) -> None:
         """Remove Docker images."""
+        if not self.image or not self.version:
+            raise DockerError(
+                "Cannot determine image and/or version from metadata!", _LOGGER.error
+            )
+
         # Cleanup container
         with suppress(DockerError):
             await self.stop()
 
         if remove_image:
-            await self.sys_run_in_executor(
-                self.sys_docker.remove_image, self.image, self.version
-            )
+            await self.sys_docker.remove_image(self.image, self.version)
 
         self._meta = None
 
@@ -592,18 +651,16 @@ class DockerInterface(JobGroup, ABC):
         image_name = f"{expected_image}:{version!s}"
         if self.image == expected_image:
             try:
-                image: Image = await self.sys_run_in_executor(
-                    self.sys_docker.images.get, image_name
-                )
-            except (docker.errors.DockerException, requests.RequestException) as err:
+                image = await self.sys_docker.images.inspect(image_name)
+            except (aiodocker.DockerError, requests.RequestException) as err:
                 raise DockerError(
                     f"Could not get {image_name} for check due to: {err!s}",
                     _LOGGER.error,
                 ) from err
 
-            image_arch = f"{image.attrs['Os']}/{image.attrs['Architecture']}"
-            if "Variant" in image.attrs:
-                image_arch = f"{image_arch}/{image.attrs['Variant']}"
+            image_arch = f"{image['Os']}/{image['Architecture']}"
+            if "Variant" in image:
+                image_arch = f"{image_arch}/{image['Variant']}"
 
             # If we have an image and its the right arch, all set
             # It seems that newer Docker version return a variant for arm64 images.
@@ -629,7 +686,10 @@ class DockerInterface(JobGroup, ABC):
         concurrency=JobConcurrency.GROUP_REJECT,
     )
     async def update(
-        self, version: AwesomeVersion, image: str | None = None, latest: bool = False
+        self,
+        version: AwesomeVersion,
+        image: str | None = None,
+        latest: bool = False,
     ) -> None:
         """Update a Docker image."""
         image = image or self.image
@@ -662,11 +722,13 @@ class DockerInterface(JobGroup, ABC):
         version: AwesomeVersion | None = None,
     ) -> None:
         """Check if old version exists and cleanup."""
-        await self.sys_run_in_executor(
-            self.sys_docker.cleanup_old_images,
-            image or self.image,
-            version or self.version,
-            {old_image} if old_image else None,
+        if not (use_image := image or self.image):
+            raise DockerError("Cannot determine image from metadata!", _LOGGER.error)
+        if not (use_version := version or self.version):
+            raise DockerError("Cannot determine version from metadata!", _LOGGER.error)
+
+        await self.sys_docker.cleanup_old_images(
+            use_image, use_version, {old_image} if old_image else None
         )
 
     @Job(
@@ -718,10 +780,10 @@ class DockerInterface(JobGroup, ABC):
         """Return latest version of local image."""
         available_version: list[AwesomeVersion] = []
         try:
-            for image in await self.sys_run_in_executor(
-                self.sys_docker.images.list, self.image
+            for image in await self.sys_docker.images.list(
+                filters=f'{{"reference": ["{self.image}"]}}'
             ):
-                for tag in image.tags:
+                for tag in image["RepoTags"]:
                     version = AwesomeVersion(tag.partition(":")[2])
                     if version.strategy == AwesomeVersionStrategy.UNKNOWN:
                         continue
@@ -730,7 +792,7 @@ class DockerInterface(JobGroup, ABC):
             if not available_version:
                 raise ValueError()
 
-        except (docker.errors.DockerException, ValueError) as err:
+        except (aiodocker.DockerError, ValueError) as err:
             raise DockerNotFound(
                 f"No version found for {self.image}", _LOGGER.info
             ) from err
@@ -755,24 +817,3 @@ class DockerInterface(JobGroup, ABC):
         return self.sys_run_in_executor(
             self.sys_docker.container_run_inside, self.name, command
         )
-
-    async def _validate_trust(self, image_id: str) -> None:
-        """Validate trust of content."""
-        checksum = image_id.partition(":")[2]
-        return await self.sys_security.verify_own_content(checksum)
-
-    @Job(
-        name="docker_interface_check_trust",
-        on_condition=DockerJobError,
-        concurrency=JobConcurrency.GROUP_REJECT,
-    )
-    async def check_trust(self) -> None:
-        """Check trust of exists Docker image."""
-        try:
-            image = await self.sys_run_in_executor(
-                self.sys_docker.images.get, f"{self.image}:{self.version!s}"
-            )
-        except (docker.errors.DockerException, requests.RequestException):
-            return
-
-        await self._validate_trust(cast(str, image.id))

supervisor/docker/manager.py

@@ -6,20 +6,24 @@ import asyncio
 from contextlib import suppress
 from dataclasses import dataclass
 from functools import partial
+from http import HTTPStatus
 from ipaddress import IPv4Address
+import json
 import logging
 import os
 from pathlib import Path
+import re
 from typing import Any, Final, Self, cast
 
+import aiodocker
+from aiodocker.images import DockerImages
+from aiohttp import ClientSession, ClientTimeout, UnixConnector
 import attr
 from awesomeversion import AwesomeVersion, AwesomeVersionCompareException
 from docker import errors as docker_errors
 from docker.api.client import APIClient
 from docker.client import DockerClient
-from docker.errors import DockerException, ImageNotFound, NotFound
 from docker.models.containers import Container, ContainerCollection
-from docker.models.images import Image, ImageCollection
 from docker.models.networks import Network
 from docker.types.daemon import CancellableStream
 import requests
@@ -45,7 +49,7 @@ from ..exceptions import (
 )
 from ..utils.common import FileConfiguration
 from ..validate import SCHEMA_DOCKER_CONFIG
-from .const import LABEL_MANAGED
+from .const import DOCKER_HUB, IMAGE_WITH_HOST, LABEL_MANAGED
 from .monitor import DockerMonitor
 from .network import DockerNetwork
 
@@ -53,6 +57,7 @@ _LOGGER: logging.Logger = logging.getLogger(__name__)
 
 MIN_SUPPORTED_DOCKER: Final = AwesomeVersion("24.0.0")
 DOCKER_NETWORK_HOST: Final = "host"
+RE_IMPORT_IMAGE_STREAM = re.compile(r"(^Loaded image ID: |^Loaded image: )(.+)$")
 
 
 @attr.s(frozen=True)
@@ -71,15 +76,25 @@ class DockerInfo:
     storage: str = attr.ib()
     logging: str = attr.ib()
     cgroup: str = attr.ib()
+    support_cpu_realtime: bool = attr.ib()
 
     @staticmethod
-    def new(data: dict[str, Any]):
+    async def new(data: dict[str, Any]) -> DockerInfo:
         """Create a object from docker info."""
+        # Check if CONFIG_RT_GROUP_SCHED is loaded (blocking I/O in executor)
+        cpu_rt_file_exists = await asyncio.get_running_loop().run_in_executor(
+            None, Path("/sys/fs/cgroup/cpu/cpu.rt_runtime_us").exists
+        )
+        cpu_rt_supported = (
+            cpu_rt_file_exists and os.environ.get(ENV_SUPERVISOR_CPU_RT) == "1"
+        )
+
         return DockerInfo(
             AwesomeVersion(data.get("ServerVersion", "0.0.0")),
             data.get("Driver", "unknown"),
             data.get("LoggingDriver", "unknown"),
             data.get("CgroupVersion", "1"),
+            cpu_rt_supported,
         )
 
     @property
@@ -90,23 +105,21 @@ class DockerInfo:
         except AwesomeVersionCompareException:
             return False
 
-    @property
-    def support_cpu_realtime(self) -> bool:
-        """Return true, if CONFIG_RT_GROUP_SCHED is loaded."""
-        if not Path("/sys/fs/cgroup/cpu/cpu.rt_runtime_us").exists():
-            return False
-        return bool(os.environ.get(ENV_SUPERVISOR_CPU_RT) == "1")
-
 
 @dataclass(frozen=True, slots=True)
 class PullProgressDetail:
     """Progress detail information for pull.
 
     Documentation lacking but both of these seem to be in bytes when populated.
+
+    Containerd-snapshot update - When leveraging this new feature, this information
+    becomes useless to us while extracting. It simply tells elapsed time using
+    current and units.
     """
 
     current: int | None = None
     total: int | None = None
+    units: str | None = None
 
     @classmethod
     def from_pull_log_dict(cls, value: dict[str, int]) -> PullProgressDetail:
@@ -194,6 +207,27 @@ class DockerConfig(FileConfiguration):
         """Return credentials for docker registries."""
         return self._data.get(ATTR_REGISTRIES, {})
 
+    def get_registry_for_image(self, image: str) -> str | None:
+        """Return the registry name if credentials are available for the image.
+
+        Matches the image against configured registries and returns the registry
+        name if found, or None if no matching credentials are configured.
+        """
+        if not self.registries:
+            return None
+
+        # Check if image uses a custom registry (e.g., ghcr.io/org/image)
+        matcher = IMAGE_WITH_HOST.match(image)
+        if matcher:
+            registry = matcher.group(1)
+            if registry in self.registries:
+                return registry
+        # If no registry prefix, check for Docker Hub credentials
+        elif DOCKER_HUB in self.registries:
+            return DOCKER_HUB
+
+        return None
+
 
 class DockerAPI(CoreSysAttributes):
     """Docker Supervisor wrapper.
@@ -204,7 +238,15 @@ class DockerAPI(CoreSysAttributes):
     def __init__(self, coresys: CoreSys):
         """Initialize Docker base wrapper."""
         self.coresys = coresys
-        self._docker: DockerClient | None = None
+        # We keep both until we can fully refactor to aiodocker
+        self._dockerpy: DockerClient | None = None
+        self.docker: aiodocker.Docker = aiodocker.Docker(
+            url="unix://localhost",  # dummy hostname for URL composition
+            connector=(connector := UnixConnector(SOCKET_DOCKER.as_posix())),
+            session=ClientSession(connector=connector, timeout=ClientTimeout(900)),
+            api_version="auto",
+        )
+
         self._network: DockerNetwork | None = None
         self._info: DockerInfo | None = None
         self.config: DockerConfig = DockerConfig()
@@ -212,28 +254,28 @@ class DockerAPI(CoreSysAttributes):
 
     async def post_init(self) -> Self:
         """Post init actions that must be done in event loop."""
-        self._docker = await asyncio.get_running_loop().run_in_executor(
+        self._dockerpy = await asyncio.get_running_loop().run_in_executor(
             None,
             partial(
                 DockerClient,
-                base_url=f"unix:/{str(SOCKET_DOCKER)}",
+                base_url=f"unix:/{SOCKET_DOCKER.as_posix()}",
                 version="auto",
                 timeout=900,
             ),
         )
-        self._info = DockerInfo.new(self.docker.info())
+        self._info = await DockerInfo.new(self.dockerpy.info())
         await self.config.read_data()
-        self._network = await DockerNetwork(self.docker).post_init(
+        self._network = await DockerNetwork(self.dockerpy).post_init(
             self.config.enable_ipv6, self.config.mtu
         )
         return self
 
     @property
-    def docker(self) -> DockerClient:
+    def dockerpy(self) -> DockerClient:
         """Get docker API client."""
-        if not self._docker:
+        if not self._dockerpy:
             raise RuntimeError("Docker API Client not initialized!")
-        return self._docker
+        return self._dockerpy
 
     @property
     def network(self) -> DockerNetwork:
@@ -243,19 +285,19 @@ class DockerAPI(CoreSysAttributes):
         return self._network
 
     @property
-    def images(self) -> ImageCollection:
+    def images(self) -> DockerImages:
         """Return API images."""
         return self.docker.images
 
     @property
     def containers(self) -> ContainerCollection:
         """Return API containers."""
-        return self.docker.containers
+        return self.dockerpy.containers
 
     @property
     def api(self) -> APIClient:
         """Return API containers."""
-        return self.docker.api
+        return self.dockerpy.api
 
     @property
     def info(self) -> DockerInfo:
@@ -267,7 +309,7 @@ class DockerAPI(CoreSysAttributes):
     @property
     def events(self) -> CancellableStream:
         """Return docker event stream."""
-        return self.docker.events(decode=True)
+        return self.dockerpy.events(decode=True)
 
     @property
     def monitor(self) -> DockerMonitor:
@@ -383,7 +425,7 @@ class DockerAPI(CoreSysAttributes):
                 with suppress(DockerError):
                     self.network.detach_default_bridge(container)
         else:
-            host_network: Network = self.docker.networks.get(DOCKER_NETWORK_HOST)
+            host_network: Network = self.dockerpy.networks.get(DOCKER_NETWORK_HOST)
 
             # Check if container is register on host
             # https://github.com/moby/moby/issues/23302
@@ -410,35 +452,33 @@ class DockerAPI(CoreSysAttributes):
 
         return container
 
-    def pull_image(
+    async def pull_image(
         self,
         job_id: str,
         repository: str,
         tag: str = "latest",
         platform: str | None = None,
-    ) -> Image:
+        auth: dict[str, str] | None = None,
+    ) -> dict[str, Any]:
         """Pull the specified image and return it.
 
         This mimics the high level API of images.pull but provides better error handling by raising
         based on a docker error on pull. Whereas the high level API ignores all errors on pull and
         raises only if the get fails afterwards. Additionally it fires progress reports for the pull
         on the bus so listeners can use that to update status for users.
-
-        Must be run in executor.
         """
-        pull_log = self.docker.api.pull(
-            repository, tag=tag, platform=platform, stream=True, decode=True
-        )
-        for e in pull_log:
+        async for e in self.images.pull(
+            repository, tag=tag, platform=platform, auth=auth, stream=True
+        ):
             entry = PullLogEntry.from_pull_log_dict(job_id, e)
             if entry.error:
                 raise entry.exception
-            self.sys_loop.call_soon_threadsafe(
-                self.sys_bus.fire_event, BusEvent.DOCKER_IMAGE_PULL_UPDATE, entry
+            await asyncio.gather(
+                *self.sys_bus.fire_event(BusEvent.DOCKER_IMAGE_PULL_UPDATE, entry)
             )
 
         sep = "@" if tag.startswith("sha256:") else ":"
-        return self.images.get(f"{repository}{sep}{tag}")
+        return await self.images.inspect(f"{repository}{sep}{tag}")
 
     def run_command(
         self,
@@ -459,7 +499,7 @@ class DockerAPI(CoreSysAttributes):
         _LOGGER.info("Runing command '%s' on %s", command, image_with_tag)
         container = None
         try:
-            container = self.docker.containers.run(
+            container = self.dockerpy.containers.run(
                 image_with_tag,
                 command=command,
                 detach=True,
@@ -487,35 +527,35 @@ class DockerAPI(CoreSysAttributes):
         """Repair local docker overlayfs2 issues."""
         _LOGGER.info("Prune stale containers")
         try:
-            output = self.docker.api.prune_containers()
+            output = self.dockerpy.api.prune_containers()
             _LOGGER.debug("Containers prune: %s", output)
         except docker_errors.APIError as err:
             _LOGGER.warning("Error for containers prune: %s", err)
 
         _LOGGER.info("Prune stale images")
         try:
-            output = self.docker.api.prune_images(filters={"dangling": False})
+            output = self.dockerpy.api.prune_images(filters={"dangling": False})
             _LOGGER.debug("Images prune: %s", output)
         except docker_errors.APIError as err:
             _LOGGER.warning("Error for images prune: %s", err)
 
         _LOGGER.info("Prune stale builds")
         try:
-            output = self.docker.api.prune_builds()
+            output = self.dockerpy.api.prune_builds()
             _LOGGER.debug("Builds prune: %s", output)
         except docker_errors.APIError as err:
             _LOGGER.warning("Error for builds prune: %s", err)
 
         _LOGGER.info("Prune stale volumes")
         try:
-            output = self.docker.api.prune_builds()
+            output = self.dockerpy.api.prune_volumes()
             _LOGGER.debug("Volumes prune: %s", output)
         except docker_errors.APIError as err:
             _LOGGER.warning("Error for volumes prune: %s", err)
 
         _LOGGER.info("Prune stale networks")
         try:
-            output = self.docker.api.prune_networks()
+            output = self.dockerpy.api.prune_networks()
             _LOGGER.debug("Networks prune: %s", output)
         except docker_errors.APIError as err:
             _LOGGER.warning("Error for networks prune: %s", err)
@@ -537,11 +577,11 @@ class DockerAPI(CoreSysAttributes):
 
         Fix: https://github.com/moby/moby/issues/23302
         """
-        network: Network = self.docker.networks.get(network_name)
+        network: Network = self.dockerpy.networks.get(network_name)
 
         for cid, data in network.attrs.get("Containers", {}).items():
             try:
-                self.docker.containers.get(cid)
+                self.dockerpy.containers.get(cid)
                 continue
             except docker_errors.NotFound:
                 _LOGGER.debug(
@@ -556,22 +596,26 @@ class DockerAPI(CoreSysAttributes):
             with suppress(docker_errors.DockerException, requests.RequestException):
                 network.disconnect(data.get("Name", cid), force=True)
 
-    def container_is_initialized(
+    async def container_is_initialized(
         self, name: str, image: str, version: AwesomeVersion
     ) -> bool:
         """Return True if docker container exists in good state and is built from expected image."""
         try:
-            docker_container = self.containers.get(name)
-            docker_image = self.images.get(f"{image}:{version}")
-        except NotFound:
+            docker_container = await self.sys_run_in_executor(self.containers.get, name)
+            docker_image = await self.images.inspect(f"{image}:{version}")
+        except docker_errors.NotFound:
             return False
-        except (DockerException, requests.RequestException) as err:
+        except aiodocker.DockerError as err:
+            if err.status == HTTPStatus.NOT_FOUND:
+                return False
+            raise DockerError() from err
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError() from err
 
         # Check the image is correct and state is good
         return (
             docker_container.image is not None
-            and docker_container.image.id == docker_image.id
+            and docker_container.image.id == docker_image["Id"]
             and docker_container.status in ("exited", "running", "created")
         )
 
@@ -581,18 +625,18 @@ class DockerAPI(CoreSysAttributes):
         """Stop/remove Docker container."""
         try:
             docker_container: Container = self.containers.get(name)
-        except NotFound:
+        except docker_errors.NotFound:
             raise DockerNotFound() from None
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError() from err
 
         if docker_container.status == "running":
             _LOGGER.info("Stopping %s application", name)
-            with suppress(DockerException, requests.RequestException):
+            with suppress(docker_errors.DockerException, requests.RequestException):
                 docker_container.stop(timeout=timeout)
 
         if remove_container:
-            with suppress(DockerException, requests.RequestException):
+            with suppress(docker_errors.DockerException, requests.RequestException):
                 _LOGGER.info("Cleaning %s application", name)
                 docker_container.remove(force=True, v=True)
 
@@ -604,11 +648,11 @@ class DockerAPI(CoreSysAttributes):
         """Start Docker container."""
         try:
             docker_container: Container = self.containers.get(name)
-        except NotFound:
+        except docker_errors.NotFound:
             raise DockerNotFound(
                 f"{name} not found for starting up", _LOGGER.error
             ) from None
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError(
                 f"Could not get {name} for starting up", _LOGGER.error
             ) from err
@@ -616,36 +660,36 @@ class DockerAPI(CoreSysAttributes):
         _LOGGER.info("Starting %s", name)
         try:
             docker_container.start()
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError(f"Can't start {name}: {err}", _LOGGER.error) from err
 
     def restart_container(self, name: str, timeout: int) -> None:
         """Restart docker container."""
         try:
             container: Container = self.containers.get(name)
-        except NotFound:
+        except docker_errors.NotFound:
             raise DockerNotFound() from None
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError() from err
 
         _LOGGER.info("Restarting %s", name)
         try:
             container.restart(timeout=timeout)
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError(f"Can't restart {name}: {err}", _LOGGER.warning) from err
 
     def container_logs(self, name: str, tail: int = 100) -> bytes:
         """Return Docker logs of container."""
         try:
             docker_container: Container = self.containers.get(name)
-        except NotFound:
+        except docker_errors.NotFound:
             raise DockerNotFound() from None
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError() from err
 
         try:
             return docker_container.logs(tail=tail, stdout=True, stderr=True)
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError(
                 f"Can't grep logs from {name}: {err}", _LOGGER.warning
             ) from err
@@ -654,9 +698,9 @@ class DockerAPI(CoreSysAttributes):
         """Read and return stats from container."""
         try:
             docker_container: Container = self.containers.get(name)
-        except NotFound:
+        except docker_errors.NotFound:
             raise DockerNotFound() from None
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError() from err
 
         # container is not running
@@ -665,7 +709,7 @@ class DockerAPI(CoreSysAttributes):
 
         try:
             return docker_container.stats(stream=False)
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError(
                 f"Can't read stats from {name}: {err}", _LOGGER.error
             ) from err
@@ -674,61 +718,84 @@ class DockerAPI(CoreSysAttributes):
         """Execute a command inside Docker container."""
         try:
             docker_container: Container = self.containers.get(name)
-        except NotFound:
+        except docker_errors.NotFound:
             raise DockerNotFound() from None
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError() from err
 
         # Execute
         try:
             code, output = docker_container.exec_run(command)
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError() from err
 
         return CommandReturn(code, output)
 
-    def remove_image(
+    async def remove_image(
         self, image: str, version: AwesomeVersion, latest: bool = True
     ) -> None:
         """Remove a Docker image by version and latest."""
         try:
             if latest:
                 _LOGGER.info("Removing image %s with latest", image)
-                with suppress(ImageNotFound):
-                    self.images.remove(image=f"{image}:latest", force=True)
+                try:
+                    await self.images.delete(f"{image}:latest", force=True)
+                except aiodocker.DockerError as err:
+                    if err.status != HTTPStatus.NOT_FOUND:
+                        raise
 
             _LOGGER.info("Removing image %s with %s", image, version)
-            with suppress(ImageNotFound):
-                self.images.remove(image=f"{image}:{version!s}", force=True)
+            try:
+                await self.images.delete(f"{image}:{version!s}", force=True)
+            except aiodocker.DockerError as err:
+                if err.status != HTTPStatus.NOT_FOUND:
+                    raise
 
-        except (DockerException, requests.RequestException) as err:
+        except (aiodocker.DockerError, requests.RequestException) as err:
             raise DockerError(
                 f"Can't remove image {image}: {err}", _LOGGER.warning
             ) from err
 
-    def import_image(self, tar_file: Path) -> Image | None:
+    async def import_image(self, tar_file: Path) -> dict[str, Any] | None:
         """Import a tar file as image."""
         try:
             with tar_file.open("rb") as read_tar:
-                docker_image_list: list[Image] = self.images.load(read_tar)  # type: ignore
-
-            if len(docker_image_list) != 1:
-                _LOGGER.warning(
-                    "Unexpected image count %d while importing image from tar",
-                    len(docker_image_list),
-                )
-                return None
-            return docker_image_list[0]
-        except (DockerException, OSError) as err:
+                resp: list[dict[str, Any]] = self.images.import_image(read_tar)
+        except (aiodocker.DockerError, OSError) as err:
             raise DockerError(
                 f"Can't import image from tar: {err}", _LOGGER.error
             ) from err
 
+        docker_image_list: list[str] = []
+        for chunk in resp:
+            if "errorDetail" in chunk:
+                raise DockerError(
+                    f"Can't import image from tar: {chunk['errorDetail']['message']}",
+                    _LOGGER.error,
+                )
+            if "stream" in chunk:
+                if match := RE_IMPORT_IMAGE_STREAM.search(chunk["stream"]):
+                    docker_image_list.append(match.group(2))
+
+        if len(docker_image_list) != 1:
+            _LOGGER.warning(
+                "Unexpected image count %d while importing image from tar",
+                len(docker_image_list),
+            )
+            return None
+
+        try:
+            return await self.images.inspect(docker_image_list[0])
+        except (aiodocker.DockerError, requests.RequestException) as err:
+            raise DockerError(
+                f"Could not inspect imported image due to: {err!s}", _LOGGER.error
+            ) from err
+
     def export_image(self, image: str, version: AwesomeVersion, tar_file: Path) -> None:
         """Export current images into a tar file."""
         try:
             docker_image = self.api.get_image(f"{image}:{version}")
-        except (DockerException, requests.RequestException) as err:
+        except (docker_errors.DockerException, requests.RequestException) as err:
             raise DockerError(
                 f"Can't fetch image {image}: {err}", _LOGGER.error
             ) from err
@@ -745,7 +812,7 @@ class DockerAPI(CoreSysAttributes):
 
         _LOGGER.info("Export image %s done", image)
 
-    def cleanup_old_images(
+    async def cleanup_old_images(
         self,
         current_image: str,
         current_version: AwesomeVersion,
@@ -756,46 +823,57 @@ class DockerAPI(CoreSysAttributes):
         """Clean up old versions of an image."""
         image = f"{current_image}:{current_version!s}"
         try:
-            keep = {cast(str, self.images.get(image).id)}
-        except ImageNotFound:
-            raise DockerNotFound(
-                f"{current_image} not found for cleanup", _LOGGER.warning
-            ) from None
-        except (DockerException, requests.RequestException) as err:
+            try:
+                image_attr = await self.images.inspect(image)
+            except aiodocker.DockerError as err:
+                if err.status == HTTPStatus.NOT_FOUND:
+                    raise DockerNotFound(
+                        f"{current_image} not found for cleanup", _LOGGER.warning
+                    ) from None
+                raise
+        except (aiodocker.DockerError, requests.RequestException) as err:
             raise DockerError(
                 f"Can't get {current_image} for cleanup", _LOGGER.warning
             ) from err
+        keep = {cast(str, image_attr["Id"])}
 
         if keep_images:
             keep_images -= {image}
-            try:
-                for image in keep_images:
-                    # If its not found, no need to preserve it from getting removed
-                    with suppress(ImageNotFound):
-                        keep.add(cast(str, self.images.get(image).id))
-            except (DockerException, requests.RequestException) as err:
-                raise DockerError(
-                    f"Failed to get one or more images from {keep} during cleanup",
-                    _LOGGER.warning,
-                ) from err
+            results = await asyncio.gather(
+                *[self.images.inspect(image) for image in keep_images],
+                return_exceptions=True,
+            )
+            for result in results:
+                # If its not found, no need to preserve it from getting removed
+                if (
+                    isinstance(result, aiodocker.DockerError)
+                    and result.status == HTTPStatus.NOT_FOUND
+                ):
+                    continue
+                if isinstance(result, BaseException):
+                    raise DockerError(
+                        f"Failed to get one or more images from {keep} during cleanup",
+                        _LOGGER.warning,
+                    ) from result
+                keep.add(cast(str, result["Id"]))
 
         # Cleanup old and current
         image_names = list(
             old_images | {current_image} if old_images else {current_image}
         )
         try:
-            # This API accepts a list of image names. Tested and confirmed working on docker==7.1.0
-            # Its typing does say only `str` though. Bit concerning, could an update break this?
-            images_list = self.images.list(name=image_names)  # type: ignore
-        except (DockerException, requests.RequestException) as err:
+            images_list = await self.images.list(
+                filters=json.dumps({"reference": image_names})
+            )
+        except (aiodocker.DockerError, requests.RequestException) as err:
             raise DockerError(
                 f"Corrupt docker overlayfs found: {err}", _LOGGER.warning
             ) from err
 
         for docker_image in images_list:
-            if docker_image.id in keep:
+            if docker_image["Id"] in keep:
                 continue
 
-            with suppress(DockerException, requests.RequestException):
-                _LOGGER.info("Cleanup images: %s", docker_image.tags)
-                self.images.remove(docker_image.id, force=True)
+            with suppress(aiodocker.DockerError, requests.RequestException):
+                _LOGGER.info("Cleanup images: %s", docker_image["RepoTags"])
+                await self.images.delete(docker_image["Id"], force=True)

supervisor/docker/monitor.py

@@ -89,7 +89,7 @@ class DockerMonitor(CoreSysAttributes, Thread):
                         DockerContainerStateEvent(
                             name=attributes["name"],
                             state=container_state,
-                            id=event["id"],
+                            id=event["Actor"]["ID"],
                             time=event["time"],
                         ),
                     )

supervisor/docker/supervisor.py

@@ -1,10 +1,12 @@
 """Init file for Supervisor Docker object."""
 
+import asyncio
 from collections.abc import Awaitable
 from ipaddress import IPv4Address
 import logging
 import os
 
+import aiodocker
 from awesomeversion.awesomeversion import AwesomeVersion
 import docker
 import requests
@@ -112,19 +114,18 @@ class DockerSupervisor(DockerInterface):
         name="docker_supervisor_update_start_tag",
         concurrency=JobConcurrency.GROUP_QUEUE,
     )
-    def update_start_tag(self, image: str, version: AwesomeVersion) -> Awaitable[None]:
+    async def update_start_tag(self, image: str, version: AwesomeVersion) -> None:
         """Update start tag to new version."""
-        return self.sys_run_in_executor(self._update_start_tag, image, version)
-
-    def _update_start_tag(self, image: str, version: AwesomeVersion) -> None:
-        """Update start tag to new version.
-
-        Need run inside executor.
-        """
         try:
-            docker_container = self.sys_docker.containers.get(self.name)
-            docker_image = self.sys_docker.images.get(f"{image}:{version!s}")
-        except (docker.errors.DockerException, requests.RequestException) as err:
+            docker_container = await self.sys_run_in_executor(
+                self.sys_docker.containers.get, self.name
+            )
+            docker_image = await self.sys_docker.images.inspect(f"{image}:{version!s}")
+        except (
+            aiodocker.DockerError,
+            docker.errors.DockerException,
+            requests.RequestException,
+        ) as err:
             raise DockerError(
                 f"Can't get image or container to fix start tag: {err}", _LOGGER.error
             ) from err
@@ -144,8 +145,14 @@ class DockerSupervisor(DockerInterface):
                 # If version tag
                 if start_tag != "latest":
                     continue
-                docker_image.tag(start_image, start_tag)
-                docker_image.tag(start_image, version.string)
+                await asyncio.gather(
+                    self.sys_docker.images.tag(
+                        docker_image["Id"], start_image, tag=start_tag
+                    ),
+                    self.sys_docker.images.tag(
+                        docker_image["Id"], start_image, tag=version.string
+                    ),
+                )
 
-        except (docker.errors.DockerException, requests.RequestException) as err:
+        except (aiodocker.DockerError, requests.RequestException) as err:
             raise DockerError(f"Can't fix start tag: {err}", _LOGGER.error) from err

supervisor/exceptions.py

@@ -423,6 +423,12 @@ class APINotFound(APIError):
     status = 404
 
 
+class APIGone(APIError):
+    """API is no longer available."""
+
+    status = 410
+
+
 class APIAddonNotInstalled(APIError):
     """Not installed addon requested at addons API."""
 
@@ -577,21 +583,6 @@ class PwnedConnectivityError(PwnedError):
     """Connectivity errors while checking pwned passwords."""
 
 
-# util/codenotary
-
-
-class CodeNotaryError(HassioError):
-    """Error general with CodeNotary."""
-
-
-class CodeNotaryUntrusted(CodeNotaryError):
-    """Error on untrusted content."""
-
-
-class CodeNotaryBackendError(CodeNotaryError):
-    """CodeNotary backend error happening."""
-
-
 # util/whoami
 
 
@@ -648,9 +639,32 @@ class DockerLogOutOfOrder(DockerError):
 class DockerNoSpaceOnDevice(DockerError):
     """Raise if a docker pull fails due to available space."""
 
+    error_key = "docker_no_space_on_device"
+    message_template = "No space left on disk"
+
     def __init__(self, logger: Callable[..., None] | None = None) -> None:
         """Raise & log."""
-        super().__init__("No space left on disk", logger=logger)
+        super().__init__(None, logger=logger)
+
+
+class DockerHubRateLimitExceeded(DockerError):
+    """Raise for docker hub rate limit exceeded error."""
+
+    error_key = "dockerhub_rate_limit_exceeded"
+    message_template = (
+        "Your IP address has made too many requests to Docker Hub which activated a rate limit. "
+        "For more details see {dockerhub_rate_limit_url}"
+    )
+
+    def __init__(self, logger: Callable[..., None] | None = None) -> None:
+        """Raise & log."""
+        super().__init__(
+            None,
+            logger=logger,
+            extra_fields={
+                "dockerhub_rate_limit_url": "https://www.home-assistant.io/more-info/dockerhub-rate-limit"
+            },
+        )
 
 
 class DockerJobError(DockerError, JobException):

supervisor/hardware/disk.py

@@ -9,7 +9,12 @@ from typing import Any
 from supervisor.resolution.const import UnhealthyReason
 
 from ..coresys import CoreSys, CoreSysAttributes
-from ..exceptions import DBusError, DBusObjectError, HardwareNotFound
+from ..exceptions import (
+    DBusError,
+    DBusNotConnectedError,
+    DBusObjectError,
+    HardwareNotFound,
+)
 from .const import UdevSubsystem
 from .data import Device
 
@@ -207,6 +212,8 @@ class HwDisk(CoreSysAttributes):
         try:
             block_device = self.sys_dbus.udisks2.get_block_device_by_path(device_path)
             drive = self.sys_dbus.udisks2.get_drive(block_device.drive)
+        except DBusNotConnectedError:
+            return None
         except DBusObjectError:
             _LOGGER.warning(
                 "Unable to find UDisks2 drive for device at %s", device_path.as_posix()

supervisor/homeassistant/core.py

@@ -28,6 +28,7 @@ from ..exceptions import (
     HomeAssistantUpdateError,
     JobException,
 )
+from ..jobs import ChildJobSyncFilter
 from ..jobs.const import JOB_GROUP_HOME_ASSISTANT_CORE, JobConcurrency, JobThrottle
 from ..jobs.decorator import Job, JobCondition
 from ..jobs.job_group import JobGroup
@@ -224,6 +225,13 @@ class HomeAssistantCore(JobGroup):
         ],
         on_condition=HomeAssistantJobError,
         concurrency=JobConcurrency.GROUP_REJECT,
+        # We assume for now the docker image pull is 100% of this task. But from
+        # a user perspective that isn't true. Other steps that take time which
+        # is not accounted for in progress include: partial backup, image
+        # cleanup, and Home Assistant restart
+        child_job_syncs=[
+            ChildJobSyncFilter("docker_interface_install", progress_allocation=1.0)
+        ],
     )
     async def update(
         self,
@@ -420,13 +428,6 @@ class HomeAssistantCore(JobGroup):
         """
         return self.instance.logs()
 
-    def check_trust(self) -> Awaitable[None]:
-        """Calculate HomeAssistant docker content trust.
-
-        Return Coroutine.
-        """
-        return self.instance.check_trust()
-
     async def stats(self) -> DockerStats:
         """Return stats of Home Assistant."""
         try:

supervisor/jobs/__init__.py

@@ -9,7 +9,7 @@ from contextvars import Context, ContextVar, Token
 from dataclasses import dataclass
 from datetime import datetime
 import logging
-from typing import Any, Self
+from typing import Any, Self, cast
 from uuid import uuid4
 
 from attr.validators import gt, lt
@@ -98,7 +98,9 @@ class SupervisorJobError:
     """Representation of an error occurring during a supervisor job."""
 
     type_: type[HassioError] = HassioError
-    message: str = "Unknown error, see supervisor logs"
+    message: str = (
+        "Unknown error, see Supervisor logs (check with 'ha supervisor logs')"
+    )
     stage: str | None = None
 
     def as_dict(self) -> dict[str, str | None]:
@@ -194,7 +196,7 @@ class SupervisorJob:
         self,
         progress: float | None = None,
         stage: str | None = None,
-        extra: dict[str, Any] | None = DEFAULT,  # type: ignore
+        extra: dict[str, Any] | None | type[DEFAULT] = DEFAULT,
         done: bool | None = None,
     ) -> None:
         """Update multiple fields with one on change event."""
@@ -205,8 +207,8 @@ class SupervisorJob:
             self.progress = progress
         if stage is not None:
             self.stage = stage
-        if extra != DEFAULT:
-            self.extra = extra
+        if extra is not DEFAULT:
+            self.extra = cast(dict[str, Any] | None, extra)
 
         # Done has special event. use that to trigger on change if included
         # If not then just use any other field to trigger
@@ -282,8 +284,10 @@ class JobManager(FileConfiguration, CoreSysAttributes):
                 # reporting shouldn't raise and break the active job
                 continue
 
-            progress = sync.starting_progress + (
-                sync.progress_allocation * job_data["progress"]
+            progress = min(
+                100,
+                sync.starting_progress
+                + (sync.progress_allocation * job_data["progress"]),
             )
             # Using max would always trigger on change even if progress was unchanged
             # pylint: disable-next=R1731
@@ -302,19 +306,21 @@ class JobManager(FileConfiguration, CoreSysAttributes):
         reference: str | None = None,
         initial_stage: str | None = None,
         internal: bool = False,
-        parent_id: str | None = DEFAULT,  # type: ignore
+        parent_id: str | None | type[DEFAULT] = DEFAULT,
         child_job_syncs: list[ChildJobSyncFilter] | None = None,
     ) -> SupervisorJob:
         """Create a new job."""
-        job = SupervisorJob(
-            name,
-            reference=reference,
-            stage=initial_stage,
-            on_change=self._on_job_change,
-            internal=internal,
-            child_job_syncs=child_job_syncs,
-            **({} if parent_id == DEFAULT else {"parent_id": parent_id}),  # type: ignore
-        )
+        kwargs: dict[str, Any] = {
+            "reference": reference,
+            "stage": initial_stage,
+            "on_change": self._on_job_change,
+            "internal": internal,
+            "child_job_syncs": child_job_syncs,
+        }
+        if parent_id is not DEFAULT:
+            kwargs["parent_id"] = parent_id
+
+        job = SupervisorJob(name, **kwargs)
 
         # Shouldn't happen but inability to find a parent for progress reporting
         # shouldn't raise and break the active job
@@ -325,6 +331,17 @@ class JobManager(FileConfiguration, CoreSysAttributes):
                 if not curr_parent.child_job_syncs:
                     continue
 
+                # HACK: If parent trigger the same child job, we just skip this second
+                # sync. Maybe it would be better to have this reflected in the job stage
+                # and reset progress to 0 instead? There is no support for such stage
+                # information on Core update entities today though.
+                if curr_parent.done is True or curr_parent.progress >= 100:
+                    _LOGGER.debug(
+                        "Skipping parent job sync for done parent job %s",
+                        curr_parent.name,
+                    )
+                    continue
+
                 # Break after first match at each parent as it doesn't make sense
                 # to match twice. But it could match multiple parents
                 for sync in curr_parent.child_job_syncs:

supervisor/jobs/const.py

@@ -34,6 +34,7 @@ class JobCondition(StrEnum):
     PLUGINS_UPDATED = "plugins_updated"
     RUNNING = "running"
     SUPERVISOR_UPDATED = "supervisor_updated"
+    ARCHITECTURE_SUPPORTED = "architecture_supported"
 
 
 class JobConcurrency(StrEnum):

supervisor/jobs/decorator.py

@@ -441,6 +441,14 @@ class Job(CoreSysAttributes):
             raise JobConditionException(
                 f"'{method_name}' blocked from execution, supervisor needs to be updated first"
             )
+        if (
+            JobCondition.ARCHITECTURE_SUPPORTED in used_conditions
+            and UnsupportedReason.SYSTEM_ARCHITECTURE
+            in coresys.sys_resolution.unsupported
+        ):
+            raise JobConditionException(
+                f"'{method_name}' blocked from execution, unsupported system architecture"
+            )
 
         if JobCondition.PLUGINS_UPDATED in used_conditions and (
             out_of_date := [

supervisor/misc/filter.py

@@ -64,6 +64,19 @@ def filter_data(coresys: CoreSys, event: Event, hint: Hint) -> Event | None:
 
     # Not full startup - missing information
     if coresys.core.state in (CoreState.INITIALIZE, CoreState.SETUP):
+        # During SETUP, we have basic system info available for better debugging
+        if coresys.core.state == CoreState.SETUP:
+            event.setdefault("contexts", {}).update(
+                {
+                    "versions": {
+                        "docker": coresys.docker.info.version,
+                        "supervisor": coresys.supervisor.version,
+                    },
+                    "host": {
+                        "machine": coresys.machine,
+                    },
+                }
+            )
         return event
 
     # List installed addons

supervisor/misc/tasks.py

@@ -1,5 +1,6 @@
 """A collection of tasks."""
 
+from contextlib import suppress
 from datetime import datetime, timedelta
 import logging
 from typing import cast
@@ -13,6 +14,7 @@ from ..exceptions import (
     BackupFileNotFoundError,
     HomeAssistantError,
     ObserverError,
+    SupervisorUpdateError,
 )
 from ..homeassistant.const import LANDINGPAGE, WSType
 from ..jobs.const import JobConcurrency
@@ -161,6 +163,7 @@ class Tasks(CoreSysAttributes):
             JobCondition.INTERNET_HOST,
             JobCondition.OS_SUPPORTED,
             JobCondition.RUNNING,
+            JobCondition.ARCHITECTURE_SUPPORTED,
         ],
         concurrency=JobConcurrency.REJECT,
     )
@@ -173,7 +176,11 @@ class Tasks(CoreSysAttributes):
             "Found new Supervisor version %s, updating",
             self.sys_supervisor.latest_version,
         )
-        await self.sys_supervisor.update()
+
+        # Errors are logged by the exceptions, we can't really do something
+        # if an update fails here.
+        with suppress(SupervisorUpdateError):
+            await self.sys_supervisor.update()
 
     async def _watchdog_homeassistant_api(self):
         """Create scheduler task for monitoring running state of API.

supervisor/mounts/mount.py

@@ -135,7 +135,7 @@ class Mount(CoreSysAttributes, ABC):
     @property
     def state(self) -> UnitActiveState | None:
         """Get state of mount."""
-        return self._state
+        return UnitActiveState(self._state) if self._state is not None else None
 
     @cached_property
     def local_where(self) -> Path:

supervisor/plugins/base.py

@@ -76,13 +76,6 @@ class PluginBase(ABC, FileConfiguration, CoreSysAttributes):
         """Return True if a task is in progress."""
         return self.instance.in_progress
 
-    def check_trust(self) -> Awaitable[None]:
-        """Calculate plugin docker content trust.
-
-        Return Coroutine.
-        """
-        return self.instance.check_trust()
-
     def logs(self) -> Awaitable[bytes]:
         """Get docker plugin logs.
 

supervisor/plugins/const.py

@@ -23,4 +23,5 @@ PLUGIN_UPDATE_CONDITIONS = [
     JobCondition.HEALTHY,
     JobCondition.INTERNET_HOST,
     JobCondition.SUPERVISOR_UPDATED,
+    JobCondition.ARCHITECTURE_SUPPORTED,
 ]

supervisor/resolution/checks/supervisor_trust.py

@@ -1,59 +0,0 @@
-"""Helpers to check supervisor trust."""
-
-import logging
-
-from ...const import CoreState
-from ...coresys import CoreSys
-from ...exceptions import CodeNotaryError, CodeNotaryUntrusted
-from ..const import ContextType, IssueType, UnhealthyReason
-from .base import CheckBase
-
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-
-def setup(coresys: CoreSys) -> CheckBase:
-    """Check setup function."""
-    return CheckSupervisorTrust(coresys)
-
-
-class CheckSupervisorTrust(CheckBase):
-    """CheckSystemTrust class for check."""
-
-    async def run_check(self) -> None:
-        """Run check if not affected by issue."""
-        if not self.sys_security.content_trust:
-            _LOGGER.warning(
-                "Skipping %s, content_trust is globally disabled", self.slug
-            )
-            return
-
-        try:
-            await self.sys_supervisor.check_trust()
-        except CodeNotaryUntrusted:
-            self.sys_resolution.add_unhealthy_reason(UnhealthyReason.UNTRUSTED)
-            self.sys_resolution.create_issue(IssueType.TRUST, ContextType.SUPERVISOR)
-        except CodeNotaryError:
-            pass
-
-    async def approve_check(self, reference: str | None = None) -> bool:
-        """Approve check if it is affected by issue."""
-        try:
-            await self.sys_supervisor.check_trust()
-        except CodeNotaryError:
-            return True
-        return False
-
-    @property
-    def issue(self) -> IssueType:
-        """Return a IssueType enum."""
-        return IssueType.TRUST
-
-    @property
-    def context(self) -> ContextType:
-        """Return a ContextType enum."""
-        return ContextType.SUPERVISOR
-
-    @property
-    def states(self) -> list[CoreState]:
-        """Return a list of valid states when this check can run."""
-        return [CoreState.RUNNING, CoreState.STARTUP]

supervisor/resolution/const.py

@@ -39,7 +39,6 @@ class UnsupportedReason(StrEnum):
     APPARMOR = "apparmor"
     CGROUP_VERSION = "cgroup_version"
     CONNECTIVITY_CHECK = "connectivity_check"
-    CONTENT_TRUST = "content_trust"
     DBUS = "dbus"
     DNS_SERVER = "dns_server"
     DOCKER_CONFIGURATION = "docker_configuration"
@@ -54,12 +53,12 @@ class UnsupportedReason(StrEnum):
     PRIVILEGED = "privileged"
     RESTART_POLICY = "restart_policy"
     SOFTWARE = "software"
-    SOURCE_MODS = "source_mods"
     SUPERVISOR_VERSION = "supervisor_version"
     SYSTEMD = "systemd"
     SYSTEMD_JOURNAL = "systemd_journal"
     SYSTEMD_RESOLVED = "systemd_resolved"
     VIRTUALIZATION_IMAGE = "virtualization_image"
+    SYSTEM_ARCHITECTURE = "system_architecture"
 
 
 class UnhealthyReason(StrEnum):
@@ -103,7 +102,6 @@ class IssueType(StrEnum):
     PWNED = "pwned"
     REBOOT_REQUIRED = "reboot_required"
     SECURITY = "security"
-    TRUST = "trust"
     UPDATE_FAILED = "update_failed"
     UPDATE_ROLLBACK = "update_rollback"
 
@@ -115,7 +113,6 @@ class SuggestionType(StrEnum):
     CLEAR_FULL_BACKUP = "clear_full_backup"
     CREATE_FULL_BACKUP = "create_full_backup"
     DISABLE_BOOT = "disable_boot"
-    EXECUTE_INTEGRITY = "execute_integrity"
     EXECUTE_REBOOT = "execute_reboot"
     EXECUTE_REBUILD = "execute_rebuild"
     EXECUTE_RELOAD = "execute_reload"

supervisor/resolution/evaluate.py

@@ -13,7 +13,6 @@ from .validate import get_valid_modules
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
 UNHEALTHY = [
-    UnsupportedReason.DOCKER_VERSION,
     UnsupportedReason.LXC,
     UnsupportedReason.PRIVILEGED,
 ]

supervisor/resolution/evaluations/docker_configuration.py

@@ -8,7 +8,7 @@ from ..const import UnsupportedReason
 from .base import EvaluateBase
 
 EXPECTED_LOGGING = "journald"
-EXPECTED_STORAGE = "overlay2"
+EXPECTED_STORAGE = ("overlay2", "overlayfs")
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
@@ -41,14 +41,18 @@ class EvaluateDockerConfiguration(EvaluateBase):
         storage_driver = self.sys_docker.info.storage
         logging_driver = self.sys_docker.info.logging
 
-        if storage_driver != EXPECTED_STORAGE:
+        is_unsupported = False
+
+        if storage_driver not in EXPECTED_STORAGE:
+            is_unsupported = True
             _LOGGER.warning(
                 "Docker storage driver %s is not supported!", storage_driver
             )
 
         if logging_driver != EXPECTED_LOGGING:
+            is_unsupported = True
             _LOGGER.warning(
                 "Docker logging driver %s is not supported!", logging_driver
             )
 
-        return storage_driver != EXPECTED_STORAGE or logging_driver != EXPECTED_LOGGING
+        return is_unsupported

supervisor/resolution/evaluations/operating_system.py

@@ -5,8 +5,6 @@ from ...coresys import CoreSys
 from ..const import UnsupportedReason
 from .base import EvaluateBase
 
-SUPPORTED_OS = ["Debian GNU/Linux 12 (bookworm)"]
-
 
 def setup(coresys: CoreSys) -> EvaluateBase:
     """Initialize evaluation-setup function."""
@@ -33,6 +31,4 @@ class EvaluateOperatingSystem(EvaluateBase):
 
     async def evaluate(self) -> bool:
         """Run evaluation."""
-        if self.sys_os.available:
-            return False
-        return self.sys_host.info.operating_system not in SUPPORTED_OS
+        return not self.sys_os.available

supervisor/resolution/evaluations/source_mods.py

@@ -1,72 +0,0 @@
-"""Evaluation class for Content Trust."""
-
-import errno
-import logging
-from pathlib import Path
-
-from ...const import CoreState
-from ...coresys import CoreSys
-from ...exceptions import CodeNotaryError, CodeNotaryUntrusted
-from ...utils.codenotary import calc_checksum_path_sourcecode
-from ..const import ContextType, IssueType, UnhealthyReason, UnsupportedReason
-from .base import EvaluateBase
-
-_SUPERVISOR_SOURCE = Path("/usr/src/supervisor/supervisor")
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-
-def setup(coresys: CoreSys) -> EvaluateBase:
-    """Initialize evaluation-setup function."""
-    return EvaluateSourceMods(coresys)
-
-
-class EvaluateSourceMods(EvaluateBase):
-    """Evaluate supervisor source modifications."""
-
-    @property
-    def reason(self) -> UnsupportedReason:
-        """Return a UnsupportedReason enum."""
-        return UnsupportedReason.SOURCE_MODS
-
-    @property
-    def on_failure(self) -> str:
-        """Return a string that is printed when self.evaluate is True."""
-        return "System detect unauthorized source code modifications."
-
-    @property
-    def states(self) -> list[CoreState]:
-        """Return a list of valid states when this evaluation can run."""
-        return [CoreState.RUNNING]
-
-    async def evaluate(self) -> bool:
-        """Run evaluation."""
-        if not self.sys_security.content_trust:
-            _LOGGER.warning("Disabled content-trust, skipping evaluation")
-            return False
-
-        # Calculate sume of the sourcecode
-        try:
-            checksum = await self.sys_run_in_executor(
-                calc_checksum_path_sourcecode, _SUPERVISOR_SOURCE
-            )
-        except OSError as err:
-            if err.errno == errno.EBADMSG:
-                self.sys_resolution.add_unhealthy_reason(
-                    UnhealthyReason.OSERROR_BAD_MESSAGE
-                )
-
-            self.sys_resolution.create_issue(
-                IssueType.CORRUPT_FILESYSTEM, ContextType.SYSTEM
-            )
-            _LOGGER.error("Can't calculate checksum of source code: %s", err)
-            return False
-
-        # Validate checksum
-        try:
-            await self.sys_security.verify_own_content(checksum)
-        except CodeNotaryUntrusted:
-            return True
-        except CodeNotaryError:
-            pass
-
-        return False

supervisor/resolution/evaluations/system_architecture.py

@@ -1,4 +1,4 @@
-"""Evaluation class for Content Trust."""
+"""Evaluation class for system architecture support."""
 
 from ...const import CoreState
 from ...coresys import CoreSys
@@ -8,27 +8,31 @@ from .base import EvaluateBase
 
 def setup(coresys: CoreSys) -> EvaluateBase:
     """Initialize evaluation-setup function."""
-    return EvaluateContentTrust(coresys)
+    return EvaluateSystemArchitecture(coresys)
 
 
-class EvaluateContentTrust(EvaluateBase):
-    """Evaluate system content trust level."""
+class EvaluateSystemArchitecture(EvaluateBase):
+    """Evaluate if the current Supervisor architecture is supported."""
 
     @property
     def reason(self) -> UnsupportedReason:
         """Return a UnsupportedReason enum."""
-        return UnsupportedReason.CONTENT_TRUST
+        return UnsupportedReason.SYSTEM_ARCHITECTURE
 
     @property
     def on_failure(self) -> str:
         """Return a string that is printed when self.evaluate is True."""
-        return "System run with disabled trusted content security."
+        return "System architecture is no longer supported. Move to a supported system architecture."
 
     @property
     def states(self) -> list[CoreState]:
         """Return a list of valid states when this evaluation can run."""
-        return [CoreState.INITIALIZE, CoreState.SETUP, CoreState.RUNNING]
+        return [CoreState.INITIALIZE]
 
-    async def evaluate(self) -> bool:
+    async def evaluate(self):
         """Run evaluation."""
-        return not self.sys_security.content_trust
+        return self.sys_host.info.sys_arch.supervisor in {
+            "i386",
+            "armhf",
+            "armv7",
+        }

supervisor/resolution/fixups/system_execute_integrity.py

@@ -1,67 +0,0 @@
-"""Helpers to check and fix issues with free space."""
-
-from datetime import timedelta
-import logging
-
-from ...coresys import CoreSys
-from ...exceptions import ResolutionFixupError, ResolutionFixupJobError
-from ...jobs.const import JobCondition, JobThrottle
-from ...jobs.decorator import Job
-from ...security.const import ContentTrustResult
-from ..const import ContextType, IssueType, SuggestionType
-from .base import FixupBase
-
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-
-def setup(coresys: CoreSys) -> FixupBase:
-    """Check setup function."""
-    return FixupSystemExecuteIntegrity(coresys)
-
-
-class FixupSystemExecuteIntegrity(FixupBase):
-    """Storage class for fixup."""
-
-    @Job(
-        name="fixup_system_execute_integrity_process",
-        conditions=[JobCondition.INTERNET_SYSTEM],
-        on_condition=ResolutionFixupJobError,
-        throttle_period=timedelta(hours=8),
-        throttle=JobThrottle.THROTTLE,
-    )
-    async def process_fixup(self, reference: str | None = None) -> None:
-        """Initialize the fixup class."""
-        result = await self.sys_security.integrity_check()
-
-        if ContentTrustResult.FAILED in (result.core, result.supervisor):
-            raise ResolutionFixupError()
-
-        for plugin in result.plugins:
-            if plugin != ContentTrustResult.FAILED:
-                continue
-            raise ResolutionFixupError()
-
-        for addon in result.addons:
-            if addon != ContentTrustResult.FAILED:
-                continue
-            raise ResolutionFixupError()
-
-    @property
-    def suggestion(self) -> SuggestionType:
-        """Return a SuggestionType enum."""
-        return SuggestionType.EXECUTE_INTEGRITY
-
-    @property
-    def context(self) -> ContextType:
-        """Return a ContextType enum."""
-        return ContextType.SYSTEM
-
-    @property
-    def issues(self) -> list[IssueType]:
-        """Return a IssueType enum list."""
-        return [IssueType.TRUST]
-
-    @property
-    def auto(self) -> bool:
-        """Return if a fixup can be apply as auto fix."""
-        return True

supervisor/security/const.py

@@ -1,24 +0,0 @@
-"""Security constants."""
-
-from enum import StrEnum
-
-import attr
-
-
-class ContentTrustResult(StrEnum):
-    """Content trust result enum."""
-
-    PASS = "pass"
-    ERROR = "error"
-    FAILED = "failed"
-    UNTESTED = "untested"
-
-
-@attr.s
-class IntegrityResult:
-    """Result of a full integrity check."""
-
-    supervisor: ContentTrustResult = attr.ib(default=ContentTrustResult.UNTESTED)
-    core: ContentTrustResult = attr.ib(default=ContentTrustResult.UNTESTED)
-    plugins: dict[str, ContentTrustResult] = attr.ib(default={})
-    addons: dict[str, ContentTrustResult] = attr.ib(default={})

supervisor/security/module.py

@@ -4,27 +4,12 @@ from __future__ import annotations
 
 import logging
 
-from ..const import (
-    ATTR_CONTENT_TRUST,
-    ATTR_FORCE_SECURITY,
-    ATTR_PWNED,
-    FILE_HASSIO_SECURITY,
-)
+from ..const import ATTR_FORCE_SECURITY, ATTR_PWNED, FILE_HASSIO_SECURITY
 from ..coresys import CoreSys, CoreSysAttributes
-from ..exceptions import (
-    CodeNotaryError,
-    CodeNotaryUntrusted,
-    PwnedError,
-    SecurityJobError,
-)
-from ..jobs.const import JobConcurrency
-from ..jobs.decorator import Job, JobCondition
-from ..resolution.const import ContextType, IssueType, SuggestionType
-from ..utils.codenotary import cas_validate
+from ..exceptions import PwnedError
 from ..utils.common import FileConfiguration
 from ..utils.pwned import check_pwned_password
 from ..validate import SCHEMA_SECURITY_CONFIG
-from .const import ContentTrustResult, IntegrityResult
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
 
@@ -37,16 +22,6 @@ class Security(FileConfiguration, CoreSysAttributes):
         super().__init__(FILE_HASSIO_SECURITY, SCHEMA_SECURITY_CONFIG)
         self.coresys = coresys
 
-    @property
-    def content_trust(self) -> bool:
-        """Return if content trust is enabled/disabled."""
-        return self._data[ATTR_CONTENT_TRUST]
-
-    @content_trust.setter
-    def content_trust(self, value: bool) -> None:
-        """Set content trust is enabled/disabled."""
-        self._data[ATTR_CONTENT_TRUST] = value
-
     @property
     def force(self) -> bool:
         """Return if force security is enabled/disabled."""
@@ -67,30 +42,6 @@ class Security(FileConfiguration, CoreSysAttributes):
         """Set pwned is enabled/disabled."""
         self._data[ATTR_PWNED] = value
 
-    async def verify_content(self, signer: str, checksum: str) -> None:
-        """Verify content on CAS."""
-        if not self.content_trust:
-            _LOGGER.warning("Disabled content-trust, skip validation")
-            return
-
-        try:
-            await cas_validate(signer, checksum)
-        except CodeNotaryUntrusted:
-            raise
-        except CodeNotaryError:
-            if self.force:
-                raise
-            self.sys_resolution.create_issue(
-                IssueType.TRUST,
-                ContextType.SYSTEM,
-                suggestions=[SuggestionType.EXECUTE_INTEGRITY],
-            )
-            return
-
-    async def verify_own_content(self, checksum: str) -> None:
-        """Verify content from HA org."""
-        return await self.verify_content("notary@home-assistant.io", checksum)
-
     async def verify_secret(self, pwned_hash: str) -> None:
         """Verify pwned state of a secret."""
         if not self.pwned:
@@ -103,73 +54,3 @@ class Security(FileConfiguration, CoreSysAttributes):
             if self.force:
                 raise
             return
-
-    @Job(
-        name="security_manager_integrity_check",
-        conditions=[JobCondition.INTERNET_SYSTEM],
-        on_condition=SecurityJobError,
-        concurrency=JobConcurrency.REJECT,
-    )
-    async def integrity_check(self) -> IntegrityResult:
-        """Run a full system integrity check of the platform.
-
-        We only allow to install trusted content.
-        This is a out of the band manual check.
-        """
-        result: IntegrityResult = IntegrityResult()
-        if not self.content_trust:
-            _LOGGER.warning(
-                "Skipping integrity check, content_trust is globally disabled"
-            )
-            return result
-
-        # Supervisor
-        try:
-            await self.sys_supervisor.check_trust()
-            result.supervisor = ContentTrustResult.PASS
-        except CodeNotaryUntrusted:
-            result.supervisor = ContentTrustResult.ERROR
-            self.sys_resolution.create_issue(IssueType.TRUST, ContextType.SUPERVISOR)
-        except CodeNotaryError:
-            result.supervisor = ContentTrustResult.FAILED
-
-        # Core
-        try:
-            await self.sys_homeassistant.core.check_trust()
-            result.core = ContentTrustResult.PASS
-        except CodeNotaryUntrusted:
-            result.core = ContentTrustResult.ERROR
-            self.sys_resolution.create_issue(IssueType.TRUST, ContextType.CORE)
-        except CodeNotaryError:
-            result.core = ContentTrustResult.FAILED
-
-        # Plugins
-        for plugin in self.sys_plugins.all_plugins:
-            try:
-                await plugin.check_trust()
-                result.plugins[plugin.slug] = ContentTrustResult.PASS
-            except CodeNotaryUntrusted:
-                result.plugins[plugin.slug] = ContentTrustResult.ERROR
-                self.sys_resolution.create_issue(
-                    IssueType.TRUST, ContextType.PLUGIN, reference=plugin.slug
-                )
-            except CodeNotaryError:
-                result.plugins[plugin.slug] = ContentTrustResult.FAILED
-
-        # Add-ons
-        for addon in self.sys_addons.installed:
-            if not addon.signed:
-                result.addons[addon.slug] = ContentTrustResult.UNTESTED
-                continue
-            try:
-                await addon.check_trust()
-                result.addons[addon.slug] = ContentTrustResult.PASS
-            except CodeNotaryUntrusted:
-                result.addons[addon.slug] = ContentTrustResult.ERROR
-                self.sys_resolution.create_issue(
-                    IssueType.TRUST, ContextType.ADDON, reference=addon.slug
-                )
-            except CodeNotaryError:
-                result.addons[addon.slug] = ContentTrustResult.FAILED
-
-        return result

supervisor/supervisor.py

@@ -13,6 +13,8 @@ import aiohttp
 from aiohttp.client_exceptions import ClientError
 from awesomeversion import AwesomeVersion, AwesomeVersionException
 
+from supervisor.jobs import ChildJobSyncFilter
+
 from .const import (
     ATTR_SUPERVISOR_INTERNET,
     SUPERVISOR_VERSION,
@@ -23,8 +25,6 @@ from .coresys import CoreSys, CoreSysAttributes
 from .docker.stats import DockerStats
 from .docker.supervisor import DockerSupervisor
 from .exceptions import (
-    CodeNotaryError,
-    CodeNotaryUntrusted,
     DockerError,
     HostAppArmorError,
     SupervisorAppArmorError,
@@ -35,7 +35,6 @@ from .exceptions import (
 from .jobs.const import JobCondition, JobThrottle
 from .jobs.decorator import Job
 from .resolution.const import ContextType, IssueType, UnhealthyReason
-from .utils.codenotary import calc_checksum
 from .utils.sentry import async_capture_exception
 
 _LOGGER: logging.Logger = logging.getLogger(__name__)
@@ -148,20 +147,6 @@ class Supervisor(CoreSysAttributes):
                 _LOGGER.error,
             ) from err
 
-        # Validate
-        try:
-            await self.sys_security.verify_own_content(calc_checksum(data))
-        except CodeNotaryUntrusted as err:
-            raise SupervisorAppArmorError(
-                "Content-Trust is broken for the AppArmor profile fetch!",
-                _LOGGER.critical,
-            ) from err
-        except CodeNotaryError as err:
-            raise SupervisorAppArmorError(
-                f"CodeNotary error while processing AppArmor fetch: {err!s}",
-                _LOGGER.error,
-            ) from err
-
         # Load
         temp_dir: TemporaryDirectory | None = None
 
@@ -195,6 +180,15 @@ class Supervisor(CoreSysAttributes):
             if temp_dir:
                 await self.sys_run_in_executor(temp_dir.cleanup)
 
+    @Job(
+        name="supervisor_update",
+        # We assume for now the docker image pull is 100% of this task. But from
+        # a user perspective that isn't true.  Other steps that take time which
+        # is not accounted for in progress include: app armor update and restart
+        child_job_syncs=[
+            ChildJobSyncFilter("docker_interface_install", progress_allocation=1.0)
+        ],
+    )
     async def update(self, version: AwesomeVersion | None = None) -> None:
         """Update Supervisor version."""
         version = version or self.latest_version or self.version
@@ -221,6 +215,7 @@ class Supervisor(CoreSysAttributes):
 
         # Update container
         _LOGGER.info("Update Supervisor to version %s", version)
+
         try:
             await self.instance.install(version, image=image)
             await self.instance.update_start_tag(image, version)
@@ -261,13 +256,6 @@ class Supervisor(CoreSysAttributes):
         """
         return self.instance.logs()
 
-    def check_trust(self) -> Awaitable[None]:
-        """Calculate Supervisor docker content trust.
-
-        Return Coroutine.
-        """
-        return self.instance.check_trust()
-
     async def stats(self) -> DockerStats:
         """Return stats of Supervisor."""
         try:

supervisor/updater.py

@@ -31,14 +31,8 @@ from .const import (
     UpdateChannel,
 )
 from .coresys import CoreSys, CoreSysAttributes
-from .exceptions import (
-    CodeNotaryError,
-    CodeNotaryUntrusted,
-    UpdaterError,
-    UpdaterJobError,
-)
+from .exceptions import UpdaterError, UpdaterJobError
 from .jobs.decorator import Job, JobCondition
-from .utils.codenotary import calc_checksum
 from .utils.common import FileConfiguration
 from .validate import SCHEMA_UPDATER_CONFIG
 
@@ -248,9 +242,10 @@ class Updater(FileConfiguration, CoreSysAttributes):
     @Job(
         name="updater_fetch_data",
         conditions=[
+            JobCondition.ARCHITECTURE_SUPPORTED,
             JobCondition.INTERNET_SYSTEM,
-            JobCondition.OS_SUPPORTED,
             JobCondition.HOME_ASSISTANT_CORE_SUPPORTED,
+            JobCondition.OS_SUPPORTED,
         ],
         on_condition=UpdaterJobError,
         throttle_period=timedelta(seconds=30),
@@ -289,19 +284,6 @@ class Updater(FileConfiguration, CoreSysAttributes):
             self.sys_bus.remove_listener(self._connectivity_listener)
             self._connectivity_listener = None
 
-        # Validate
-        try:
-            await self.sys_security.verify_own_content(calc_checksum(data))
-        except CodeNotaryUntrusted as err:
-            raise UpdaterError(
-                "Content-Trust is broken for the version file fetch!", _LOGGER.critical
-            ) from err
-        except CodeNotaryError as err:
-            raise UpdaterError(
-                f"CodeNotary error while processing version fetch: {err!s}",
-                _LOGGER.error,
-            ) from err
-
         # Parse data
         try:
             data = json.loads(data)

supervisor/utils/codenotary.py

@@ -1,109 +0,0 @@
-"""Small wrapper for CodeNotary."""
-
-from __future__ import annotations
-
-import asyncio
-import hashlib
-import json
-import logging
-from pathlib import Path
-import shlex
-from typing import Final
-
-from dirhash import dirhash
-
-from ..exceptions import CodeNotaryBackendError, CodeNotaryError, CodeNotaryUntrusted
-from . import clean_env
-
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-_CAS_CMD: str = (
-    "cas authenticate --signerID {signer} --silent --output json --hash {sum}"
-)
-_CACHE: set[tuple[str, str]] = set()
-
-
-_ATTR_ERROR: Final = "error"
-_ATTR_STATUS: Final = "status"
-_FALLBACK_ERROR: Final = "Unknown CodeNotary backend issue"
-
-
-def calc_checksum(data: str | bytes) -> str:
-    """Generate checksum for CodeNotary."""
-    if isinstance(data, str):
-        return hashlib.sha256(data.encode()).hexdigest()
-    return hashlib.sha256(data).hexdigest()
-
-
-def calc_checksum_path_sourcecode(folder: Path) -> str:
-    """Calculate checksum for a path source code.
-
-    Need catch OSError.
-    """
-    return dirhash(folder.as_posix(), "sha256", match=["*.py"])
-
-
-# pylint: disable=unreachable
-async def cas_validate(
-    signer: str,
-    checksum: str,
-) -> None:
-    """Validate data against CodeNotary."""
-    return
-    if (checksum, signer) in _CACHE:
-        return
-
-    # Generate command for request
-    command = shlex.split(_CAS_CMD.format(signer=signer, sum=checksum))
-
-    # Request notary authorization
-    _LOGGER.debug("Send cas command: %s", command)
-    try:
-        proc = await asyncio.create_subprocess_exec(
-            *command,
-            stdin=asyncio.subprocess.DEVNULL,
-            stdout=asyncio.subprocess.PIPE,
-            stderr=asyncio.subprocess.PIPE,
-            env=clean_env(),
-        )
-
-        async with asyncio.timeout(15):
-            data, error = await proc.communicate()
-    except TimeoutError:
-        raise CodeNotaryBackendError(
-            "Timeout while processing CodeNotary", _LOGGER.warning
-        ) from None
-    except OSError as err:
-        raise CodeNotaryError(
-            f"CodeNotary fatal error: {err!s}", _LOGGER.critical
-        ) from err
-
-    # Check if Notarized
-    if proc.returncode != 0 and not data:
-        if error:
-            try:
-                error = error.decode("utf-8")
-            except UnicodeDecodeError as err:
-                raise CodeNotaryBackendError(_FALLBACK_ERROR, _LOGGER.warning) from err
-            if "not notarized" in error:
-                raise CodeNotaryUntrusted()
-        else:
-            error = _FALLBACK_ERROR
-        raise CodeNotaryBackendError(error, _LOGGER.warning)
-
-    # Parse data
-    try:
-        data_json = json.loads(data)
-        _LOGGER.debug("CodeNotary response with: %s", data_json)
-    except (json.JSONDecodeError, UnicodeDecodeError) as err:
-        raise CodeNotaryError(
-            f"Can't parse CodeNotary output: {data!s} - {err!s}", _LOGGER.error
-        ) from err
-
-    if _ATTR_ERROR in data_json:
-        raise CodeNotaryBackendError(data_json[_ATTR_ERROR], _LOGGER.warning)
-
-    if data_json[_ATTR_STATUS] == 0:
-        _CACHE.add((checksum, signer))
-    else:
-        raise CodeNotaryUntrusted()

supervisor/utils/dbus.py

@@ -7,13 +7,7 @@ from collections.abc import Awaitable, Callable
 import logging
 from typing import Any, Protocol, cast
 
-from dbus_fast import (
-    ErrorType,
-    InvalidIntrospectionError,
-    Message,
-    MessageType,
-    Variant,
-)
+from dbus_fast import ErrorType, InvalidIntrospectionError, Message, MessageType
 from dbus_fast.aio.message_bus import MessageBus
 from dbus_fast.aio.proxy_object import ProxyInterface, ProxyObject
 from dbus_fast.errors import DBusError as DBusFastDBusError
@@ -265,7 +259,7 @@ class DBus:
         """
 
         async def sync_property_change(
-            prop_interface: str, changed: dict[str, Variant], invalidated: list[str]
+            prop_interface: str, changed: dict[str, Any], invalidated: list[str]
         ) -> None:
             """Sync property changes to cache."""
             if interface != prop_interface:

supervisor/utils/systemd_journal.py

@@ -5,12 +5,20 @@ from collections.abc import AsyncGenerator
 from datetime import UTC, datetime
 from functools import wraps
 import json
+import re
 
 from aiohttp import ClientResponse
 
 from supervisor.exceptions import MalformedBinaryEntryError
 from supervisor.host.const import LogFormatter
 
+_RE_ANSI_CSI_COLORS_PATTERN = re.compile(r"\x1B\[[0-9;]*m")
+
+
+def _strip_ansi_colors(message: str) -> str:
+    """Remove ANSI color codes from a message string."""
+    return _RE_ANSI_CSI_COLORS_PATTERN.sub("", message)
+
 
 def formatter(required_fields: list[str]):
     """Decorate journal entry formatters with list of required fields.
@@ -31,9 +39,9 @@ def formatter(required_fields: list[str]):
 
 
 @formatter(["MESSAGE"])
-def journal_plain_formatter(entries: dict[str, str]) -> str:
+def journal_plain_formatter(entries: dict[str, str], no_colors: bool = False) -> str:
     """Format parsed journal entries as a plain message."""
-    return entries["MESSAGE"]
+    return _strip_ansi_colors(entries["MESSAGE"]) if no_colors else entries["MESSAGE"]
 
 
 @formatter(
@@ -45,7 +53,7 @@ def journal_plain_formatter(entries: dict[str, str]) -> str:
         "MESSAGE",
     ]
 )
-def journal_verbose_formatter(entries: dict[str, str]) -> str:
+def journal_verbose_formatter(entries: dict[str, str], no_colors: bool = False) -> str:
     """Format parsed journal entries to a journalctl-like format."""
     ts = datetime.fromtimestamp(
         int(entries["__REALTIME_TIMESTAMP"]) / 1e6, UTC
@@ -58,14 +66,24 @@ def journal_verbose_formatter(entries: dict[str, str]) -> str:
         else entries.get("SYSLOG_IDENTIFIER", "_UNKNOWN_")
     )
 
-    return f"{ts} {entries.get('_HOSTNAME', '')} {identifier}: {entries.get('MESSAGE', '')}"
+    message = (
+        _strip_ansi_colors(entries.get("MESSAGE", ""))
+        if no_colors
+        else entries.get("MESSAGE", "")
+    )
+
+    return f"{ts} {entries.get('_HOSTNAME', '')} {identifier}: {message}"
 
 
 async def journal_logs_reader(
-    journal_logs: ClientResponse, log_formatter: LogFormatter = LogFormatter.PLAIN
+    journal_logs: ClientResponse,
+    log_formatter: LogFormatter = LogFormatter.PLAIN,
+    no_colors: bool = False,
 ) -> AsyncGenerator[tuple[str | None, str]]:
     """Read logs from systemd journal line by line, formatted using the given formatter.
 
+    Optionally strip ANSI color codes from the entries' messages.
+
     Returns a generator of (cursor, formatted_entry) tuples.
     """
     match log_formatter:
@@ -84,7 +102,10 @@ async def journal_logs_reader(
             # at EOF (likely race between at_eof and EOF check in readuntil)
             if line == b"\n" or not line:
                 if entries:
-                    yield entries.get("__CURSOR"), formatter_(entries)
+                    yield (
+                        entries.get("__CURSOR"),
+                        formatter_(entries, no_colors=no_colors),
+                    )
                 entries = {}
                 continue
 

supervisor/validate.py

@@ -12,7 +12,6 @@ from .const import (
     ATTR_AUTO_UPDATE,
     ATTR_CHANNEL,
     ATTR_CLI,
-    ATTR_CONTENT_TRUST,
     ATTR_COUNTRY,
     ATTR_DEBUG,
     ATTR_DEBUG_BLOCK,
@@ -229,7 +228,6 @@ SCHEMA_INGRESS_CONFIG = vol.Schema(
 # pylint: disable=no-value-for-parameter
 SCHEMA_SECURITY_CONFIG = vol.Schema(
     {
-        vol.Optional(ATTR_CONTENT_TRUST, default=True): vol.Boolean(),
         vol.Optional(ATTR_PWNED, default=True): vol.Boolean(),
         vol.Optional(ATTR_FORCE_SECURITY, default=False): vol.Boolean(),
     },

tests/addons/test_addon.py

@@ -3,22 +3,25 @@
 import asyncio
 from datetime import timedelta
 import errno
+from http import HTTPStatus
 from pathlib import Path
-from unittest.mock import MagicMock, PropertyMock, patch
+from unittest.mock import MagicMock, PropertyMock, call, patch
 
+import aiodocker
 from awesomeversion import AwesomeVersion
-from docker.errors import DockerException, ImageNotFound, NotFound
+from docker.errors import APIError, DockerException, NotFound
 import pytest
 from securetar import SecureTarFile
 
 from supervisor.addons.addon import Addon
 from supervisor.addons.const import AddonBackupMode
 from supervisor.addons.model import AddonModel
+from supervisor.config import CoreConfig
 from supervisor.const import AddonBoot, AddonState, BusEvent
 from supervisor.coresys import CoreSys
 from supervisor.docker.addon import DockerAddon
 from supervisor.docker.const import ContainerState
-from supervisor.docker.manager import CommandReturn
+from supervisor.docker.manager import CommandReturn, DockerAPI
 from supervisor.docker.monitor import DockerContainerStateEvent
 from supervisor.exceptions import AddonsError, AddonsJobError, AudioUpdateError
 from supervisor.hardware.helper import HwHelper
@@ -861,16 +864,14 @@ async def test_addon_loads_wrong_image(
 
     container.remove.assert_called_with(force=True, v=True)
     # one for removing the addon, one for removing the addon builder
-    assert coresys.docker.images.remove.call_count == 2
+    assert coresys.docker.images.delete.call_count == 2
 
-    assert coresys.docker.images.remove.call_args_list[0].kwargs == {
-        "image": "local/aarch64-addon-ssh:latest",
-        "force": True,
-    }
-    assert coresys.docker.images.remove.call_args_list[1].kwargs == {
-        "image": "local/aarch64-addon-ssh:9.2.1",
-        "force": True,
-    }
+    assert coresys.docker.images.delete.call_args_list[0] == call(
+        "local/aarch64-addon-ssh:latest", force=True
+    )
+    assert coresys.docker.images.delete.call_args_list[1] == call(
+        "local/aarch64-addon-ssh:9.2.1", force=True
+    )
     mock_run_command.assert_called_once()
     assert mock_run_command.call_args.args[0] == "docker.io/library/docker"
     assert mock_run_command.call_args.kwargs["version"] == "1.0.0-cli"
@@ -894,7 +895,9 @@ async def test_addon_loads_missing_image(
     mock_amd64_arch_supported,
 ):
     """Test addon corrects a missing image on load."""
-    coresys.docker.images.get.side_effect = ImageNotFound("missing")
+    coresys.docker.images.inspect.side_effect = aiodocker.DockerError(
+        HTTPStatus.NOT_FOUND, {"message": "missing"}
+    )
 
     with (
         patch("pathlib.Path.is_file", return_value=True),
@@ -926,41 +929,51 @@ async def test_addon_loads_missing_image(
     assert install_addon_ssh.image == "local/amd64-addon-ssh"
 
 
+@pytest.mark.parametrize(
+    "pull_image_exc",
+    [APIError("error"), aiodocker.DockerError(400, {"message": "error"})],
+)
+@pytest.mark.usefixtures("container", "mock_amd64_arch_supported")
 async def test_addon_load_succeeds_with_docker_errors(
     coresys: CoreSys,
     install_addon_ssh: Addon,
-    container: MagicMock,
     caplog: pytest.LogCaptureFixture,
-    mock_amd64_arch_supported,
+    pull_image_exc: Exception,
 ):
     """Docker errors while building/pulling an image during load should not raise and fail setup."""
     # Build env invalid failure
-    coresys.docker.images.get.side_effect = ImageNotFound("missing")
+    coresys.docker.images.inspect.side_effect = aiodocker.DockerError(
+        HTTPStatus.NOT_FOUND, {"message": "missing"}
+    )
     caplog.clear()
     await install_addon_ssh.load()
     assert "Invalid build environment" in caplog.text
 
     # Image build failure
-    coresys.docker.images.build.side_effect = DockerException()
     caplog.clear()
     with (
         patch("pathlib.Path.is_file", return_value=True),
         patch.object(
-            type(coresys.config),
-            "local_to_extern_path",
-            return_value="/addon/path/on/host",
+            CoreConfig, "local_to_extern_path", return_value="/addon/path/on/host"
+        ),
+        patch.object(
+            DockerAPI,
+            "run_command",
+            return_value=MagicMock(exit_code=1, output=b"error"),
         ),
     ):
         await install_addon_ssh.load()
-    assert "Can't build local/amd64-addon-ssh:9.2.1" in caplog.text
+    assert (
+        "Can't build local/amd64-addon-ssh:9.2.1: Docker build failed for local/amd64-addon-ssh:9.2.1 (exit code 1). Build output:\nerror"
+        in caplog.text
+    )
 
     # Image pull failure
     install_addon_ssh.data["image"] = "test/amd64-addon-ssh"
-    coresys.docker.images.build.reset_mock(side_effect=True)
-    coresys.docker.pull_image.side_effect = DockerException()
     caplog.clear()
-    await install_addon_ssh.load()
-    assert "Unknown error with test/amd64-addon-ssh:9.2.1" in caplog.text
+    with patch.object(DockerAPI, "pull_image", side_effect=pull_image_exc):
+        await install_addon_ssh.load()
+    assert "Can't install test/amd64-addon-ssh:9.2.1:" in caplog.text
 
 
 async def test_addon_manual_only_boot(coresys: CoreSys, install_addon_example: Addon):

tests/addons/test_build.py

@@ -1,5 +1,8 @@
 """Test addon build."""
 
+import base64
+import json
+from pathlib import Path
 from unittest.mock import PropertyMock, patch
 
 from awesomeversion import AwesomeVersion
@@ -7,6 +10,7 @@ from awesomeversion import AwesomeVersion
 from supervisor.addons.addon import Addon
 from supervisor.addons.build import AddonBuild
 from supervisor.coresys import CoreSys
+from supervisor.docker.const import DOCKER_HUB
 
 from tests.common import is_in_list
 
@@ -29,7 +33,7 @@ async def test_platform_set(coresys: CoreSys, install_addon_ssh: Addon):
         ),
     ):
         args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
         )
 
     assert is_in_list(["--platform", "linux/amd64"], args["command"])
@@ -53,7 +57,7 @@ async def test_dockerfile_evaluation(coresys: CoreSys, install_addon_ssh: Addon)
         ),
     ):
         args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
         )
 
     assert is_in_list(["--file", "Dockerfile"], args["command"])
@@ -81,7 +85,7 @@ async def test_dockerfile_evaluation_arch(coresys: CoreSys, install_addon_ssh: A
         ),
     ):
         args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
         )
 
     assert is_in_list(["--file", "Dockerfile.aarch64"], args["command"])
@@ -117,3 +121,158 @@ async def test_build_invalid(coresys: CoreSys, install_addon_ssh: Addon):
         ),
     ):
         assert not await build.is_valid()
+
+
+async def test_docker_config_no_registries(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker config generation when no registries configured."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # No registries configured by default
+    assert build.get_docker_config_json() is None
+
+
+async def test_docker_config_no_matching_registry(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker config generation when registry doesn't match base image."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure a registry that doesn't match the base image
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        "some.other.registry": {"username": "user", "password": "pass"}
+    }
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+    ):
+        # Base image is ghcr.io/home-assistant/... which doesn't match
+        assert build.get_docker_config_json() is None
+
+
+async def test_docker_config_matching_registry(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker config generation when registry matches base image."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure ghcr.io registry which matches the default base image
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        "ghcr.io": {"username": "testuser", "password": "testpass"}
+    }
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+    ):
+        config_json = build.get_docker_config_json()
+        assert config_json is not None
+
+        config = json.loads(config_json)
+        assert "auths" in config
+        assert "ghcr.io" in config["auths"]
+
+        # Verify base64-encoded credentials
+        expected_auth = base64.b64encode(b"testuser:testpass").decode()
+        assert config["auths"]["ghcr.io"]["auth"] == expected_auth
+
+
+async def test_docker_config_docker_hub(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker config generation for Docker Hub registry."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure Docker Hub registry
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        DOCKER_HUB: {"username": "hubuser", "password": "hubpass"}
+    }
+
+    # Mock base_image to return a Docker Hub image (no registry prefix)
+    with patch.object(
+        type(build),
+        "base_image",
+        new=PropertyMock(return_value="library/alpine:latest"),
+    ):
+        config_json = build.get_docker_config_json()
+        assert config_json is not None
+
+        config = json.loads(config_json)
+        # Docker Hub uses special URL as key
+        assert "https://index.docker.io/v1/" in config["auths"]
+
+        expected_auth = base64.b64encode(b"hubuser:hubpass").decode()
+        assert config["auths"]["https://index.docker.io/v1/"]["auth"] == expected_auth
+
+
+async def test_docker_args_with_config_path(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker args include config volume when path provided."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+        patch.object(
+            type(coresys.config),
+            "local_to_extern_path",
+            side_effect=lambda p: f"/extern{p}",
+        ),
+    ):
+        config_path = Path("/data/supervisor/tmp/config.json")
+        args = await coresys.run_in_executor(
+            build.get_docker_args,
+            AwesomeVersion("latest"),
+            "test-image:latest",
+            config_path,
+        )
+
+    # Check that config is mounted
+    assert "/extern/data/supervisor/tmp/config.json" in args["volumes"]
+    assert (
+        args["volumes"]["/extern/data/supervisor/tmp/config.json"]["bind"]
+        == "/root/.docker/config.json"
+    )
+    assert args["volumes"]["/extern/data/supervisor/tmp/config.json"]["mode"] == "ro"
+
+
+async def test_docker_args_without_config_path(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker args don't include config volume when no path provided."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+        patch.object(
+            type(coresys.config),
+            "local_to_extern_path",
+            return_value="/addon/path/on/host",
+        ),
+    ):
+        args = await coresys.run_in_executor(
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
+        )
+
+    # Only docker socket and addon path should be mounted
+    assert len(args["volumes"]) == 2
+    # Verify no docker config mount
+    for bind in args["volumes"].values():
+        assert bind["bind"] != "/root/.docker/config.json"

tests/addons/test_config.py

@@ -419,3 +419,71 @@ def test_valid_schema():
     config["schema"] = {"field": "invalid"}
     with pytest.raises(vol.Invalid):
         assert vd.SCHEMA_ADDON_CONFIG(config)
+
+
+def test_ulimits_simple_format():
+    """Test ulimits simple format validation."""
+    config = load_json_fixture("basic-addon-config.json")
+
+    config["ulimits"] = {"nofile": 65535, "nproc": 32768, "memlock": 134217728}
+
+    valid_config = vd.SCHEMA_ADDON_CONFIG(config)
+    assert valid_config["ulimits"]["nofile"] == 65535
+    assert valid_config["ulimits"]["nproc"] == 32768
+    assert valid_config["ulimits"]["memlock"] == 134217728
+
+
+def test_ulimits_detailed_format():
+    """Test ulimits detailed format validation."""
+    config = load_json_fixture("basic-addon-config.json")
+
+    config["ulimits"] = {
+        "nofile": {"soft": 20000, "hard": 40000},
+        "nproc": 32768,  # Mixed format should work
+        "memlock": {"soft": 67108864, "hard": 134217728},
+    }
+
+    valid_config = vd.SCHEMA_ADDON_CONFIG(config)
+    assert valid_config["ulimits"]["nofile"]["soft"] == 20000
+    assert valid_config["ulimits"]["nofile"]["hard"] == 40000
+    assert valid_config["ulimits"]["nproc"] == 32768
+    assert valid_config["ulimits"]["memlock"]["soft"] == 67108864
+    assert valid_config["ulimits"]["memlock"]["hard"] == 134217728
+
+
+def test_ulimits_empty_dict():
+    """Test ulimits with empty dict (default)."""
+    config = load_json_fixture("basic-addon-config.json")
+
+    valid_config = vd.SCHEMA_ADDON_CONFIG(config)
+    assert valid_config["ulimits"] == {}
+
+
+def test_ulimits_invalid_values():
+    """Test ulimits with invalid values."""
+    config = load_json_fixture("basic-addon-config.json")
+
+    # Invalid string values
+    config["ulimits"] = {"nofile": "invalid"}
+    with pytest.raises(vol.Invalid):
+        vd.SCHEMA_ADDON_CONFIG(config)
+
+    # Invalid detailed format
+    config["ulimits"] = {"nofile": {"invalid_key": 1000}}
+    with pytest.raises(vol.Invalid):
+        vd.SCHEMA_ADDON_CONFIG(config)
+
+    # Missing hard value in detailed format
+    config["ulimits"] = {"nofile": {"soft": 1000}}
+    with pytest.raises(vol.Invalid):
+        vd.SCHEMA_ADDON_CONFIG(config)
+
+    # Missing soft value in detailed format
+    config["ulimits"] = {"nofile": {"hard": 1000}}
+    with pytest.raises(vol.Invalid):
+        vd.SCHEMA_ADDON_CONFIG(config)
+
+    # Empty dict in detailed format
+    config["ulimits"] = {"nofile": {}}
+    with pytest.raises(vol.Invalid):
+        vd.SCHEMA_ADDON_CONFIG(config)

tests/addons/test_manager.py

@@ -4,7 +4,7 @@ import asyncio
 from collections.abc import AsyncGenerator, Generator
 from copy import deepcopy
 from pathlib import Path
-from unittest.mock import AsyncMock, MagicMock, Mock, PropertyMock, patch
+from unittest.mock import AsyncMock, MagicMock, Mock, PropertyMock, call, patch
 
 from awesomeversion import AwesomeVersion
 import pytest
@@ -514,19 +514,13 @@ async def test_shared_image_kept_on_uninstall(
     latest = f"{install_addon_example.image}:latest"
 
     await coresys.addons.uninstall("local_example2")
-    coresys.docker.images.remove.assert_not_called()
+    coresys.docker.images.delete.assert_not_called()
     assert not coresys.addons.get("local_example2", local_only=True)
 
     await coresys.addons.uninstall("local_example")
-    assert coresys.docker.images.remove.call_count == 2
-    assert coresys.docker.images.remove.call_args_list[0].kwargs == {
-        "image": latest,
-        "force": True,
-    }
-    assert coresys.docker.images.remove.call_args_list[1].kwargs == {
-        "image": image,
-        "force": True,
-    }
+    assert coresys.docker.images.delete.call_count == 2
+    assert coresys.docker.images.delete.call_args_list[0] == call(latest, force=True)
+    assert coresys.docker.images.delete.call_args_list[1] == call(image, force=True)
     assert not coresys.addons.get("local_example", local_only=True)
 
 
@@ -554,19 +548,17 @@ async def test_shared_image_kept_on_update(
     assert example_2.version == "1.2.0"
     assert install_addon_example_image.version == "1.2.0"
 
-    image_new = MagicMock()
-    image_new.id = "image_new"
-    image_old = MagicMock()
-    image_old.id = "image_old"
-    docker.images.get.side_effect = [image_new, image_old]
+    image_new = {"Id": "image_new", "RepoTags": ["image_new:latest"]}
+    image_old = {"Id": "image_old", "RepoTags": ["image_old:latest"]}
+    docker.images.inspect.side_effect = [image_new, image_old]
     docker.images.list.return_value = [image_new, image_old]
 
     with patch.object(DockerAPI, "pull_image", return_value=image_new):
         await coresys.addons.update("local_example2")
-        docker.images.remove.assert_not_called()
+        docker.images.delete.assert_not_called()
         assert example_2.version == "1.3.0"
 
-        docker.images.get.side_effect = [image_new]
+        docker.images.inspect.side_effect = [image_new]
         await coresys.addons.update("local_example_image")
-        docker.images.remove.assert_called_once_with("image_old", force=True)
+        docker.images.delete.assert_called_once_with("image_old", force=True)
         assert install_addon_example_image.version == "1.3.0"

tests/api/__init__.py

@@ -1,95 +1 @@
 """Test for API calls."""
-
-from unittest.mock import AsyncMock, MagicMock
-
-from aiohttp.test_utils import TestClient
-
-from supervisor.coresys import CoreSys
-from supervisor.host.const import LogFormat
-
-DEFAULT_LOG_RANGE = "entries=:-99:100"
-DEFAULT_LOG_RANGE_FOLLOW = "entries=:-99:18446744073709551615"
-
-
-async def common_test_api_advanced_logs(
-    path_prefix: str,
-    syslog_identifier: str,
-    api_client: TestClient,
-    journald_logs: MagicMock,
-    coresys: CoreSys,
-    os_available: None,
-):
-    """Template for tests of endpoints using advanced logs."""
-    resp = await api_client.get(f"{path_prefix}/logs")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier},
-        range_header=DEFAULT_LOG_RANGE,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/follow")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier, "follow": ""},
-        range_header=DEFAULT_LOG_RANGE_FOLLOW,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    mock_response = MagicMock()
-    mock_response.text = AsyncMock(
-        return_value='{"CONTAINER_LOG_EPOCH": "12345"}\n{"CONTAINER_LOG_EPOCH": "12345"}\n'
-    )
-    journald_logs.return_value.__aenter__.return_value = mock_response
-
-    resp = await api_client.get(f"{path_prefix}/logs/latest")
-    assert resp.status == 200
-
-    assert journald_logs.call_count == 2
-
-    # Check the first call for getting epoch
-    epoch_call = journald_logs.call_args_list[0]
-    assert epoch_call[1]["params"] == {"CONTAINER_NAME": syslog_identifier}
-    assert epoch_call[1]["range_header"] == "entries=:-1:2"
-
-    # Check the second call for getting logs with the epoch
-    logs_call = journald_logs.call_args_list[1]
-    assert logs_call[1]["params"]["SYSLOG_IDENTIFIER"] == syslog_identifier
-    assert logs_call[1]["params"]["CONTAINER_LOG_EPOCH"] == "12345"
-    assert logs_call[1]["range_header"] == "entries=:0:18446744073709551615"
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/boots/0")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier, "_BOOT_ID": "ccc"},
-        range_header=DEFAULT_LOG_RANGE,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/boots/0/follow")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={
-            "SYSLOG_IDENTIFIER": syslog_identifier,
-            "_BOOT_ID": "ccc",
-            "follow": "",
-        },
-        range_header=DEFAULT_LOG_RANGE_FOLLOW,
-        accept=LogFormat.JOURNAL,
-    )

tests/api/conftest.py

@@ -0,0 +1,149 @@
+"""Fixtures for API tests."""
+
+from collections.abc import Awaitable, Callable
+from unittest.mock import ANY, AsyncMock, MagicMock
+
+from aiohttp.test_utils import TestClient
+import pytest
+
+from supervisor.coresys import CoreSys
+from supervisor.host.const import LogFormat, LogFormatter
+
+DEFAULT_LOG_RANGE = "entries=:-99:100"
+DEFAULT_LOG_RANGE_FOLLOW = "entries=:-99:18446744073709551615"
+
+
+async def _common_test_api_advanced_logs(
+    path_prefix: str,
+    syslog_identifier: str,
+    api_client: TestClient,
+    journald_logs: MagicMock,
+    coresys: CoreSys,
+    os_available: None,
+    journal_logs_reader: MagicMock,
+):
+    """Template for tests of endpoints using advanced logs."""
+    resp = await api_client.get(f"{path_prefix}/logs")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, False)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs?no_colors")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, True)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/follow")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier, "follow": ""},
+        range_header=DEFAULT_LOG_RANGE_FOLLOW,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, False)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    mock_response = MagicMock()
+    mock_response.text = AsyncMock(
+        return_value='{"CONTAINER_LOG_EPOCH": "12345"}\n{"CONTAINER_LOG_EPOCH": "12345"}\n'
+    )
+    journald_logs.return_value.__aenter__.return_value = mock_response
+
+    resp = await api_client.get(f"{path_prefix}/logs/latest")
+    assert resp.status == 200
+
+    assert journald_logs.call_count == 2
+
+    # Check the first call for getting epoch
+    epoch_call = journald_logs.call_args_list[0]
+    assert epoch_call[1]["params"] == {"CONTAINER_NAME": syslog_identifier}
+    assert epoch_call[1]["range_header"] == "entries=:-1:2"
+
+    # Check the second call for getting logs with the epoch
+    logs_call = journald_logs.call_args_list[1]
+    assert logs_call[1]["params"]["SYSLOG_IDENTIFIER"] == syslog_identifier
+    assert logs_call[1]["params"]["CONTAINER_LOG_EPOCH"] == "12345"
+    assert logs_call[1]["range_header"] == "entries=:0:18446744073709551615"
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, True)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/boots/0")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier, "_BOOT_ID": "ccc"},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+
+    journald_logs.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/boots/0/follow")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={
+            "SYSLOG_IDENTIFIER": syslog_identifier,
+            "_BOOT_ID": "ccc",
+            "follow": "",
+        },
+        range_header=DEFAULT_LOG_RANGE_FOLLOW,
+        accept=LogFormat.JOURNAL,
+    )
+
+
+@pytest.fixture
+async def advanced_logs_tester(
+    api_client: TestClient,
+    journald_logs: MagicMock,
+    coresys: CoreSys,
+    os_available,
+    journal_logs_reader: MagicMock,
+) -> Callable[[str, str], Awaitable[None]]:
+    """Fixture that returns a function to test advanced logs endpoints.
+
+    This allows tests to avoid explicitly passing all the required fixtures.
+
+    Usage:
+        async def test_my_logs(advanced_logs_tester):
+            await advanced_logs_tester("/path/prefix", "syslog_identifier")
+    """
+
+    async def test_logs(path_prefix: str, syslog_identifier: str):
+        await _common_test_api_advanced_logs(
+            path_prefix,
+            syslog_identifier,
+            api_client,
+            journald_logs,
+            coresys,
+            os_available,
+            journal_logs_reader,
+        )
+
+    return test_logs

tests/api/test_addons.py

@@ -20,7 +20,6 @@ from supervisor.exceptions import HassioError
 from supervisor.store.repository import Repository
 
 from ..const import TEST_ADDON_SLUG
-from . import common_test_api_advanced_logs
 
 
 def _create_test_event(name: str, state: ContainerState) -> DockerContainerStateEvent:
@@ -72,21 +71,11 @@ async def test_addons_info_not_installed(
 
 
 async def test_api_addon_logs(
-    api_client: TestClient,
-    journald_logs: MagicMock,
-    coresys: CoreSys,
-    os_available,
+    advanced_logs_tester,
     install_addon_ssh: Addon,
 ):
     """Test addon logs."""
-    await common_test_api_advanced_logs(
-        "/addons/local_ssh",
-        "addon_local_ssh",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
-    )
+    await advanced_logs_tester("/addons/local_ssh", "addon_local_ssh")
 
 
 async def test_api_addon_logs_not_installed(api_client: TestClient):

tests/api/test_audio.py

@@ -1,18 +1,6 @@
 """Test audio api."""
 
-from unittest.mock import MagicMock
 
-from aiohttp.test_utils import TestClient
-
-from supervisor.coresys import CoreSys
-
-from tests.api import common_test_api_advanced_logs
-
-
-async def test_api_audio_logs(
-    api_client: TestClient, journald_logs: MagicMock, coresys: CoreSys, os_available
-):
+async def test_api_audio_logs(advanced_logs_tester) -> None:
     """Test audio logs."""
-    await common_test_api_advanced_logs(
-        "/audio", "hassio_audio", api_client, journald_logs, coresys, os_available
-    )
+    await advanced_logs_tester("/audio", "hassio_audio")

tests/api/test_dns.py

@@ -1,13 +1,12 @@
 """Test DNS API."""
 
-from unittest.mock import MagicMock, patch
+from unittest.mock import patch
 
 from aiohttp.test_utils import TestClient
 
 from supervisor.coresys import CoreSys
 from supervisor.dbus.resolved import Resolved
 
-from tests.api import common_test_api_advanced_logs
 from tests.dbus_service_mocks.base import DBusServiceMock
 from tests.dbus_service_mocks.resolved import Resolved as ResolvedService
 
@@ -66,15 +65,6 @@ async def test_options(api_client: TestClient, coresys: CoreSys):
         restart.assert_called_once()
 
 
-async def test_api_dns_logs(
-    api_client: TestClient, journald_logs: MagicMock, coresys: CoreSys, os_available
-):
+async def test_api_dns_logs(advanced_logs_tester):
     """Test dns logs."""
-    await common_test_api_advanced_logs(
-        "/dns",
-        "hassio_dns",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
-    )
+    await advanced_logs_tester("/dns", "hassio_dns")

tests/api/test_docker.py

@@ -4,6 +4,11 @@ from aiohttp.test_utils import TestClient
 import pytest
 
 from supervisor.coresys import CoreSys
+from supervisor.resolution.const import ContextType, IssueType, SuggestionType
+from supervisor.resolution.data import Issue, Suggestion
+
+from tests.dbus_service_mocks.agent_system import System as SystemService
+from tests.dbus_service_mocks.base import DBusServiceMock
 
 
 @pytest.mark.asyncio
@@ -84,3 +89,79 @@ async def test_registry_not_found(api_client: TestClient):
     assert resp.status == 404
     body = await resp.json()
     assert body["message"] == "Hostname bad does not exist in registries"
+
+
+@pytest.mark.parametrize("os_available", ["17.0.rc1"], indirect=True)
+async def test_api_migrate_docker_storage_driver(
+    api_client: TestClient,
+    coresys: CoreSys,
+    os_agent_services: dict[str, DBusServiceMock],
+    os_available,
+):
+    """Test Docker storage driver migration."""
+    system_service: SystemService = os_agent_services["agent_system"]
+    system_service.MigrateDockerStorageDriver.calls.clear()
+
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "overlayfs"},
+    )
+    assert resp.status == 200
+
+    assert system_service.MigrateDockerStorageDriver.calls == [("overlayfs",)]
+    assert (
+        Issue(IssueType.REBOOT_REQUIRED, ContextType.SYSTEM)
+        in coresys.resolution.issues
+    )
+    assert (
+        Suggestion(SuggestionType.EXECUTE_REBOOT, ContextType.SYSTEM)
+        in coresys.resolution.suggestions
+    )
+
+    # Test migration back to overlay2 (graph driver)
+    system_service.MigrateDockerStorageDriver.calls.clear()
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "overlay2"},
+    )
+    assert resp.status == 200
+    assert system_service.MigrateDockerStorageDriver.calls == [("overlay2",)]
+
+
+@pytest.mark.parametrize("os_available", ["17.0.rc1"], indirect=True)
+async def test_api_migrate_docker_storage_driver_invalid_backend(
+    api_client: TestClient,
+    os_available,
+):
+    """Test 400 is returned for invalid storage driver."""
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "invalid"},
+    )
+    assert resp.status == 400
+
+
+async def test_api_migrate_docker_storage_driver_not_os(
+    api_client: TestClient,
+    coresys: CoreSys,
+):
+    """Test 404 is returned if not running on HAOS."""
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "overlayfs"},
+    )
+    assert resp.status == 404
+
+
+@pytest.mark.parametrize("os_available", ["16.2"], indirect=True)
+async def test_api_migrate_docker_storage_driver_old_os(
+    api_client: TestClient,
+    coresys: CoreSys,
+    os_available,
+):
+    """Test 404 is returned if OS is older than 17.0."""
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "overlayfs"},
+    )
+    assert resp.status == 404

tests/api/test_homeassistant.py

@@ -2,39 +2,34 @@
 
 import asyncio
 from pathlib import Path
-from unittest.mock import MagicMock, PropertyMock, patch
+from unittest.mock import AsyncMock, MagicMock, PropertyMock, patch
 
 from aiohttp.test_utils import TestClient
 from awesomeversion import AwesomeVersion
 import pytest
 
 from supervisor.backups.manager import BackupManager
+from supervisor.const import CoreState
 from supervisor.coresys import CoreSys
+from supervisor.docker.homeassistant import DockerHomeAssistant
 from supervisor.docker.interface import DockerInterface
-from supervisor.homeassistant.api import APIState
+from supervisor.homeassistant.api import APIState, HomeAssistantAPI
+from supervisor.homeassistant.const import WSEvent
 from supervisor.homeassistant.core import HomeAssistantCore
 from supervisor.homeassistant.module import HomeAssistant
 
-from tests.api import common_test_api_advanced_logs
-from tests.common import load_json_fixture
+from tests.common import AsyncIterator, load_json_fixture
 
 
 @pytest.mark.parametrize("legacy_route", [True, False])
 async def test_api_core_logs(
-    api_client: TestClient,
-    journald_logs: MagicMock,
-    coresys: CoreSys,
-    os_available,
+    advanced_logs_tester: AsyncMock,
     legacy_route: bool,
 ):
     """Test core logs."""
-    await common_test_api_advanced_logs(
+    await advanced_logs_tester(
         f"/{'homeassistant' if legacy_route else 'core'}",
         "homeassistant",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
     )
 
 
@@ -271,3 +266,96 @@ async def test_background_home_assistant_update_fails_fast(
     assert resp.status == 400
     body = await resp.json()
     assert body["message"] == "Version 2025.8.3 is already installed"
+
+
+@pytest.mark.usefixtures("tmp_supervisor_data")
+async def test_api_progress_updates_home_assistant_update(
+    api_client: TestClient, coresys: CoreSys, ha_ws_client: AsyncMock
+):
+    """Test progress updates sent to Home Assistant for updates."""
+    coresys.hardware.disk.get_disk_free_space = lambda x: 5000
+    coresys.core.set_state(CoreState.RUNNING)
+
+    logs = load_json_fixture("docker_pull_image_log.json")
+    coresys.docker.images.pull.return_value = AsyncIterator(logs)
+    coresys.homeassistant.version = AwesomeVersion("2025.8.0")
+
+    with (
+        patch.object(
+            DockerHomeAssistant,
+            "version",
+            new=PropertyMock(return_value=AwesomeVersion("2025.8.0")),
+        ),
+        patch.object(
+            HomeAssistantAPI, "get_config", return_value={"components": ["frontend"]}
+        ),
+    ):
+        resp = await api_client.post("/core/update", json={"version": "2025.8.3"})
+
+    assert resp.status == 200
+
+    events = [
+        {
+            "stage": evt.args[0]["data"]["data"]["stage"],
+            "progress": evt.args[0]["data"]["data"]["progress"],
+            "done": evt.args[0]["data"]["data"]["done"],
+        }
+        for evt in ha_ws_client.async_send_command.call_args_list
+        if "data" in evt.args[0]
+        and evt.args[0]["data"]["event"] == WSEvent.JOB
+        and evt.args[0]["data"]["data"]["name"] == "home_assistant_core_update"
+    ]
+    assert events[:5] == [
+        {
+            "stage": None,
+            "progress": 0,
+            "done": None,
+        },
+        {
+            "stage": None,
+            "progress": 0,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 0.1,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 1.7,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 4.0,
+            "done": False,
+        },
+    ]
+    assert events[-5:] == [
+        {
+            "stage": None,
+            "progress": 98.2,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 98.3,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 99.3,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 100,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 100,
+            "done": True,
+        },
+    ]

tests/api/test_host.py

@@ -272,7 +272,7 @@ async def test_advaced_logs_query_parameters(
         range_header=DEFAULT_RANGE,
         accept=LogFormat.JOURNAL,
     )
-    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE, False)
 
     journal_logs_reader.reset_mock()
     journald_logs.reset_mock()
@@ -290,7 +290,19 @@ async def test_advaced_logs_query_parameters(
         range_header="entries=:-52:53",
         accept=LogFormat.JOURNAL,
     )
-    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE, False)
+
+    journal_logs_reader.reset_mock()
+    journald_logs.reset_mock()
+
+    # Check no_colors query parameter
+    await api_client.get("/host/logs?no_colors")
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": coresys.host.logs.default_identifiers},
+        range_header=DEFAULT_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE, True)
 
 
 async def test_advanced_logs_boot_id_offset(
@@ -343,24 +355,24 @@ async def test_advanced_logs_formatters(
     """Test advanced logs formatters varying on Accept header."""
 
     await api_client.get("/host/logs")
-    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE, False)
 
     journal_logs_reader.reset_mock()
 
     headers = {"Accept": "text/x-log"}
     await api_client.get("/host/logs", headers=headers)
-    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE, False)
 
     journal_logs_reader.reset_mock()
 
     await api_client.get("/host/logs/identifiers/test")
-    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.PLAIN)
+    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.PLAIN, False)
 
     journal_logs_reader.reset_mock()
 
     headers = {"Accept": "text/x-log"}
     await api_client.get("/host/logs/identifiers/test", headers=headers)
-    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE, False)
 
 
 async def test_advanced_logs_errors(coresys: CoreSys, api_client: TestClient):

tests/api/test_ingress.py

@@ -1,12 +1,28 @@
 """Test ingress API."""
 
-from unittest.mock import AsyncMock, patch
+from collections.abc import AsyncGenerator
+from unittest.mock import AsyncMock, MagicMock, patch
 
-from aiohttp.test_utils import TestClient
+import aiohttp
+from aiohttp import hdrs, web
+from aiohttp.test_utils import TestClient, TestServer
+import pytest
 
+from supervisor.addons.addon import Addon
 from supervisor.coresys import CoreSys
 
 
+@pytest.fixture(name="real_websession")
+async def fixture_real_websession(
+    coresys: CoreSys,
+) -> AsyncGenerator[aiohttp.ClientSession]:
+    """Fixture for real aiohttp ClientSession for ingress proxy tests."""
+    session = aiohttp.ClientSession()
+    coresys._websession = session  # pylint: disable=W0212
+    yield session
+    await session.close()
+
+
 async def test_validate_session(api_client: TestClient, coresys: CoreSys):
     """Test validating ingress session."""
     with patch("aiohttp.web_request.BaseRequest.__getitem__", return_value=None):
@@ -86,3 +102,126 @@ async def test_validate_session_with_user_id(
         assert (
             coresys.ingress.get_session_data(session).user.display_name == "Some Name"
         )
+
+
+async def test_ingress_proxy_no_content_type_for_empty_body_responses(
+    api_client: TestClient, coresys: CoreSys, real_websession: aiohttp.ClientSession
+):
+    """Test that empty body responses don't get Content-Type header."""
+
+    # Create a mock add-on backend server that returns various status codes
+    async def mock_addon_handler(request: web.Request) -> web.Response:
+        """Mock add-on handler that returns different status codes based on path."""
+        path = request.path
+
+        if path == "/204":
+            # 204 No Content - should not have Content-Type
+            return web.Response(status=204)
+        elif path == "/304":
+            # 304 Not Modified - should not have Content-Type
+            return web.Response(status=304)
+        elif path == "/100":
+            # 100 Continue - should not have Content-Type
+            return web.Response(status=100)
+        elif path == "/head":
+            # HEAD request - should have Content-Type (same as GET would)
+            return web.Response(body=b"test", content_type="text/html")
+        elif path == "/200":
+            # 200 OK with body - should have Content-Type
+            return web.Response(body=b"test content", content_type="text/plain")
+        elif path == "/200-no-content-type":
+            # 200 OK without explicit Content-Type - should get default
+            return web.Response(body=b"test content")
+        elif path == "/200-json":
+            # 200 OK with JSON - should preserve Content-Type
+            return web.Response(
+                body=b'{"key": "value"}', content_type="application/json"
+            )
+        else:
+            return web.Response(body=b"default", content_type="text/html")
+
+    # Create test server for mock add-on
+    app = web.Application()
+    app.router.add_route("*", "/{tail:.*}", mock_addon_handler)
+    addon_server = TestServer(app)
+    await addon_server.start_server()
+
+    try:
+        # Create ingress session
+        resp = await api_client.post("/ingress/session")
+        result = await resp.json()
+        session = result["data"]["session"]
+
+        # Create a mock add-on
+        mock_addon = MagicMock(spec=Addon)
+        mock_addon.slug = "test_addon"
+        mock_addon.ip_address = addon_server.host
+        mock_addon.ingress_port = addon_server.port
+        mock_addon.ingress_stream = False
+
+        # Generate an ingress token and register the add-on
+        ingress_token = coresys.ingress.create_session()
+        with patch.object(coresys.ingress, "get", return_value=mock_addon):
+            # Test 204 No Content - should NOT have Content-Type
+            resp = await api_client.get(
+                f"/ingress/{ingress_token}/204",
+                cookies={"ingress_session": session},
+            )
+            assert resp.status == 204
+            assert hdrs.CONTENT_TYPE not in resp.headers
+
+            # Test 304 Not Modified - should NOT have Content-Type
+            resp = await api_client.get(
+                f"/ingress/{ingress_token}/304",
+                cookies={"ingress_session": session},
+            )
+            assert resp.status == 304
+            assert hdrs.CONTENT_TYPE not in resp.headers
+
+            # Test HEAD request - SHOULD have Content-Type (same as GET)
+            # per RFC 9110: HEAD should return same headers as GET
+            resp = await api_client.head(
+                f"/ingress/{ingress_token}/head",
+                cookies={"ingress_session": session},
+            )
+            assert resp.status == 200
+            assert hdrs.CONTENT_TYPE in resp.headers
+            assert "text/html" in resp.headers[hdrs.CONTENT_TYPE]
+            # Body should be empty for HEAD
+            body = await resp.read()
+            assert body == b""
+
+            # Test 200 OK with body - SHOULD have Content-Type
+            resp = await api_client.get(
+                f"/ingress/{ingress_token}/200",
+                cookies={"ingress_session": session},
+            )
+            assert resp.status == 200
+            assert hdrs.CONTENT_TYPE in resp.headers
+            assert resp.headers[hdrs.CONTENT_TYPE] == "text/plain"
+            body = await resp.read()
+            assert body == b"test content"
+
+            # Test 200 OK without explicit Content-Type - SHOULD get default
+            resp = await api_client.get(
+                f"/ingress/{ingress_token}/200-no-content-type",
+                cookies={"ingress_session": session},
+            )
+            assert resp.status == 200
+            assert hdrs.CONTENT_TYPE in resp.headers
+            # Should get application/octet-stream as default from aiohttp ClientResponse
+            assert "application/octet-stream" in resp.headers[hdrs.CONTENT_TYPE]
+
+            # Test 200 OK with JSON - SHOULD preserve Content-Type
+            resp = await api_client.get(
+                f"/ingress/{ingress_token}/200-json",
+                cookies={"ingress_session": session},
+            )
+            assert resp.status == 200
+            assert hdrs.CONTENT_TYPE in resp.headers
+            assert "application/json" in resp.headers[hdrs.CONTENT_TYPE]
+            body = await resp.read()
+            assert body == b'{"key": "value"}'
+
+    finally:
+        await addon_server.close()

tests/api/test_multicast.py

@@ -1,23 +1,6 @@
 """Test multicast api."""
 
-from unittest.mock import MagicMock
 
-from aiohttp.test_utils import TestClient
-
-from supervisor.coresys import CoreSys
-
-from tests.api import common_test_api_advanced_logs
-
-
-async def test_api_multicast_logs(
-    api_client: TestClient, journald_logs: MagicMock, coresys: CoreSys, os_available
-):
+async def test_api_multicast_logs(advanced_logs_tester):
     """Test multicast logs."""
-    await common_test_api_advanced_logs(
-        "/multicast",
-        "hassio_multicast",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
-    )
+    await advanced_logs_tester("/multicast", "hassio_multicast")

tests/api/test_security.py

@@ -17,16 +17,6 @@ async def test_api_security_options_force_security(api_client, coresys: CoreSys)
     assert coresys.security.force
 
 
-@pytest.mark.asyncio
-async def test_api_security_options_content_trust(api_client, coresys: CoreSys):
-    """Test security options content trust."""
-    assert coresys.security.content_trust
-
-    await api_client.post("/security/options", json={"content_trust": False})
-
-    assert not coresys.security.content_trust
-
-
 @pytest.mark.asyncio
 async def test_api_security_options_pwned(api_client, coresys: CoreSys):
     """Test security options pwned."""
@@ -41,11 +31,8 @@ async def test_api_security_options_pwned(api_client, coresys: CoreSys):
 async def test_api_integrity_check(
     api_client, coresys: CoreSys, supervisor_internet: AsyncMock
 ):
-    """Test security integrity check."""
-    coresys.security.content_trust = False
-
+    """Test security integrity check - now deprecated."""
     resp = await api_client.post("/security/integrity")
-    result = await resp.json()
 
-    assert result["data"]["core"] == "untested"
-    assert result["data"]["supervisor"] == "untested"
+    # CodeNotary integrity check has been removed, should return 410 Gone
+    assert resp.status == 410

tests/api/test_store.py

@@ -13,17 +13,18 @@ from supervisor.addons.addon import Addon
 from supervisor.arch import CpuArch
 from supervisor.backups.manager import BackupManager
 from supervisor.config import CoreConfig
-from supervisor.const import AddonState
+from supervisor.const import AddonState, CoreState
 from supervisor.coresys import CoreSys
 from supervisor.docker.addon import DockerAddon
 from supervisor.docker.const import ContainerState
 from supervisor.docker.interface import DockerInterface
 from supervisor.docker.monitor import DockerContainerStateEvent
+from supervisor.homeassistant.const import WSEvent
 from supervisor.homeassistant.module import HomeAssistant
 from supervisor.store.addon import AddonStore
 from supervisor.store.repository import Repository
 
-from tests.common import load_json_fixture
+from tests.common import AsyncIterator, load_json_fixture
 from tests.const import TEST_ADDON_SLUG
 
 REPO_URL = "https://github.com/awesome-developer/awesome-repo"
@@ -709,3 +710,102 @@ async def test_api_store_addons_addon_availability_installed_addon(
         assert (
             "requires Home Assistant version 2023.1.1 or greater" in result["message"]
         )
+
+
+@pytest.mark.parametrize(
+    ("action", "job_name", "addon_slug"),
+    [
+        ("install", "addon_manager_install", "local_ssh"),
+        ("update", "addon_manager_update", "local_example"),
+    ],
+)
+@pytest.mark.usefixtures("tmp_supervisor_data")
+async def test_api_progress_updates_addon_install_update(
+    api_client: TestClient,
+    coresys: CoreSys,
+    ha_ws_client: AsyncMock,
+    install_addon_example: Addon,
+    action: str,
+    job_name: str,
+    addon_slug: str,
+):
+    """Test progress updates sent to Home Assistant for installs/updates."""
+    coresys.hardware.disk.get_disk_free_space = lambda x: 5000
+    coresys.core.set_state(CoreState.RUNNING)
+
+    logs = load_json_fixture("docker_pull_image_log.json")
+    coresys.docker.images.pull.return_value = AsyncIterator(logs)
+
+    coresys.arch._supported_arch = ["amd64"]  # pylint: disable=protected-access
+    install_addon_example.data_store["version"] = AwesomeVersion("2.0.0")
+
+    with (
+        patch.object(Addon, "load"),
+        patch.object(Addon, "need_build", new=PropertyMock(return_value=False)),
+        patch.object(Addon, "latest_need_build", new=PropertyMock(return_value=False)),
+    ):
+        resp = await api_client.post(f"/store/addons/{addon_slug}/{action}")
+
+    assert resp.status == 200
+
+    events = [
+        {
+            "stage": evt.args[0]["data"]["data"]["stage"],
+            "progress": evt.args[0]["data"]["data"]["progress"],
+            "done": evt.args[0]["data"]["data"]["done"],
+        }
+        for evt in ha_ws_client.async_send_command.call_args_list
+        if "data" in evt.args[0]
+        and evt.args[0]["data"]["event"] == WSEvent.JOB
+        and evt.args[0]["data"]["data"]["name"] == job_name
+        and evt.args[0]["data"]["data"]["reference"] == addon_slug
+    ]
+    assert events[:4] == [
+        {
+            "stage": None,
+            "progress": 0,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 0.1,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 1.7,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 4.0,
+            "done": False,
+        },
+    ]
+    assert events[-5:] == [
+        {
+            "stage": None,
+            "progress": 98.2,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 98.3,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 99.3,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 100,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 100,
+            "done": True,
+        },
+    ]

tests/api/test_supervisor.py

@@ -2,17 +2,23 @@
 
 # pylint: disable=protected-access
 import time
-from unittest.mock import AsyncMock, MagicMock, patch
+from unittest.mock import AsyncMock, MagicMock, PropertyMock, patch
 
 from aiohttp.test_utils import TestClient
+from awesomeversion import AwesomeVersion
 from blockbuster import BlockingError
 import pytest
 
+from supervisor.const import CoreState
+from supervisor.core import Core
 from supervisor.coresys import CoreSys
 from supervisor.exceptions import HassioError, HostNotSupportedError, StoreGitError
+from supervisor.homeassistant.const import WSEvent
 from supervisor.store.repository import Repository
+from supervisor.supervisor import Supervisor
+from supervisor.updater import Updater
 
-from tests.api import common_test_api_advanced_logs
+from tests.common import AsyncIterator, load_json_fixture
 from tests.dbus_service_mocks.base import DBusServiceMock
 from tests.dbus_service_mocks.os_agent import OSAgent as OSAgentService
 
@@ -148,18 +154,9 @@ async def test_api_supervisor_options_diagnostics(
     assert coresys.dbus.agent.diagnostics is False
 
 
-async def test_api_supervisor_logs(
-    api_client: TestClient, journald_logs: MagicMock, coresys: CoreSys, os_available
-):
+async def test_api_supervisor_logs(advanced_logs_tester):
     """Test supervisor logs."""
-    await common_test_api_advanced_logs(
-        "/supervisor",
-        "hassio_supervisor",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
-    )
+    await advanced_logs_tester("/supervisor", "hassio_supervisor")
 
 
 async def test_api_supervisor_fallback(
@@ -316,3 +313,97 @@ async def test_api_supervisor_options_blocking_io(
 
     # This should not raise blocking error anymore
     time.sleep(0)
+
+
+@pytest.mark.usefixtures("tmp_supervisor_data")
+async def test_api_progress_updates_supervisor_update(
+    api_client: TestClient, coresys: CoreSys, ha_ws_client: AsyncMock
+):
+    """Test progress updates sent to Home Assistant for updates."""
+    coresys.hardware.disk.get_disk_free_space = lambda x: 5000
+    coresys.core.set_state(CoreState.RUNNING)
+
+    logs = load_json_fixture("docker_pull_image_log.json")
+    coresys.docker.images.pull.return_value = AsyncIterator(logs)
+
+    with (
+        patch.object(
+            Supervisor,
+            "version",
+            new=PropertyMock(return_value=AwesomeVersion("2025.08.0")),
+        ),
+        patch.object(
+            Updater,
+            "version_supervisor",
+            new=PropertyMock(return_value=AwesomeVersion("2025.08.3")),
+        ),
+        patch.object(
+            Updater, "image_supervisor", new=PropertyMock(return_value="supervisor")
+        ),
+        patch.object(Supervisor, "update_apparmor"),
+        patch.object(Core, "stop"),
+    ):
+        resp = await api_client.post("/supervisor/update")
+
+    assert resp.status == 200
+
+    events = [
+        {
+            "stage": evt.args[0]["data"]["data"]["stage"],
+            "progress": evt.args[0]["data"]["data"]["progress"],
+            "done": evt.args[0]["data"]["data"]["done"],
+        }
+        for evt in ha_ws_client.async_send_command.call_args_list
+        if "data" in evt.args[0]
+        and evt.args[0]["data"]["event"] == WSEvent.JOB
+        and evt.args[0]["data"]["data"]["name"] == "supervisor_update"
+    ]
+    assert events[:4] == [
+        {
+            "stage": None,
+            "progress": 0,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 0.1,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 1.7,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 4.0,
+            "done": False,
+        },
+    ]
+    assert events[-5:] == [
+        {
+            "stage": None,
+            "progress": 98.2,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 98.3,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 99.3,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 100,
+            "done": False,
+        },
+        {
+            "stage": None,
+            "progress": 100,
+            "done": True,
+        },
+    ]

tests/common.py

@@ -1,13 +1,14 @@
 """Common test functions."""
 
 import asyncio
+from collections.abc import Sequence
 from datetime import datetime
 from functools import partial
 from importlib import import_module
 from inspect import getclosurevars
 import json
 from pathlib import Path
-from typing import Any
+from typing import Any, Self
 
 from dbus_fast.aio.message_bus import MessageBus
 
@@ -145,3 +146,22 @@ class MockResponse:
 
     async def __aexit__(self, exc_type, exc, tb):
         """Exit the context manager."""
+
+
+class AsyncIterator:
+    """Make list/fixture into async iterator for test mocks."""
+
+    def __init__(self, seq: Sequence[Any]) -> None:
+        """Initialize with sequence."""
+        self.iter = iter(seq)
+
+    def __aiter__(self) -> Self:
+        """Implement aiter."""
+        return self
+
+    async def __anext__(self) -> Any:
+        """Return next in sequence."""
+        try:
+            return next(self.iter)
+        except StopIteration:
+            raise StopAsyncIteration() from None

tests/conftest.py

@@ -9,6 +9,7 @@ import subprocess
 from unittest.mock import AsyncMock, MagicMock, Mock, PropertyMock, patch
 from uuid import uuid4
 
+from aiodocker.docker import DockerImages
 from aiohttp import ClientSession, web
 from aiohttp.test_utils import TestClient
 from awesomeversion import AwesomeVersion
@@ -55,6 +56,7 @@ from supervisor.store.repository import Repository
 from supervisor.utils.dt import utcnow
 
 from .common import (
+    AsyncIterator,
     MockResponse,
     load_binary_fixture,
     load_fixture,
@@ -112,40 +114,46 @@ async def supervisor_name() -> None:
 @pytest.fixture
 async def docker() -> DockerAPI:
     """Mock DockerAPI."""
-    images = [MagicMock(tags=["ghcr.io/home-assistant/amd64-hassio-supervisor:latest"])]
-    image = MagicMock()
-    image.attrs = {"Os": "linux", "Architecture": "amd64"}
+    image_inspect = {
+        "Os": "linux",
+        "Architecture": "amd64",
+        "Id": "test123",
+        "RepoTags": ["ghcr.io/home-assistant/amd64-hassio-supervisor:latest"],
+    }
 
     with (
         patch("supervisor.docker.manager.DockerClient", return_value=MagicMock()),
-        patch("supervisor.docker.manager.DockerAPI.images", return_value=MagicMock()),
         patch(
             "supervisor.docker.manager.DockerAPI.containers", return_value=MagicMock()
         ),
-        patch(
-            "supervisor.docker.manager.DockerAPI.api",
-            return_value=(api_mock := MagicMock()),
-        ),
-        patch("supervisor.docker.manager.DockerAPI.images.get", return_value=image),
-        patch("supervisor.docker.manager.DockerAPI.images.list", return_value=images),
-        patch(
-            "supervisor.docker.manager.DockerAPI.info",
-            return_value=MagicMock(),
-        ),
+        patch("supervisor.docker.manager.DockerAPI.api", return_value=MagicMock()),
+        patch("supervisor.docker.manager.DockerAPI.info", return_value=MagicMock()),
         patch("supervisor.docker.manager.DockerAPI.unload"),
+        patch("supervisor.docker.manager.aiodocker.Docker", return_value=MagicMock()),
+        patch(
+            "supervisor.docker.manager.DockerAPI.images",
+            new=PropertyMock(
+                return_value=(docker_images := MagicMock(spec=DockerImages))
+            ),
+        ),
     ):
         docker_obj = await DockerAPI(MagicMock()).post_init()
         docker_obj.config._data = {"registries": {}}
         with patch("supervisor.docker.monitor.DockerMonitor.load"):
             await docker_obj.load()
 
+        docker_images.inspect.return_value = image_inspect
+        docker_images.list.return_value = [image_inspect]
+        docker_images.import_image.return_value = [
+            {"stream": "Loaded image: test:latest\n"}
+        ]
+
+        docker_images.pull.return_value = AsyncIterator([{}])
+
         docker_obj.info.logging = "journald"
         docker_obj.info.storage = "overlay2"
         docker_obj.info.version = AwesomeVersion("1.0.0")
 
-        # Need an iterable for logs
-        api_mock.pull.return_value = []
-
         yield docker_obj
 
 
@@ -838,11 +846,9 @@ async def container(docker: DockerAPI) -> MagicMock:
     """Mock attrs and status for container on attach."""
     docker.containers.get.return_value = addon = MagicMock()
     docker.containers.create.return_value = addon
-    docker.images.build.return_value = (addon, "")
     addon.status = "stopped"
     addon.attrs = {"State": {"ExitCode": 0}}
-    with patch.object(DockerAPI, "pull_image", return_value=addon):
-        yield addon
+    yield addon
 
 
 @pytest.fixture

tests/dbus/network/test_interface.py

@@ -184,3 +184,20 @@ async def test_interface_becomes_unmanaged(
     assert wireless.is_connected is False
     assert eth0.connection is None
     assert connection.is_connected is False
+
+
+async def test_unknown_device_type(
+    device_eth0_service: DeviceService, dbus_session_bus: MessageBus
+):
+    """Test unknown device types are handled gracefully."""
+    interface = NetworkInterface("/org/freedesktop/NetworkManager/Devices/1")
+    await interface.connect(dbus_session_bus)
+
+    # Emit an unknown device type (e.g., 1000 which doesn't exist in the enum)
+    device_eth0_service.emit_properties_changed({"DeviceType": 1000})
+    await device_eth0_service.ping()
+
+    # Should return UNKNOWN instead of crashing
+    assert interface.type == DeviceType.UNKNOWN
+    # Wireless should be None since it's not a wireless device
+    assert interface.wireless is None

tests/dbus/test_resolved.py

@@ -41,51 +41,51 @@ async def test_dbus_resolved_info(
     assert resolved.dns_over_tls == DNSOverTLSEnabled.NO
 
     assert len(resolved.dns) == 2
-    assert resolved.dns[0] == [0, 2, inet_aton("127.0.0.1")]
-    assert resolved.dns[1] == [0, 10, inet_pton(AF_INET6, "::1")]
+    assert resolved.dns[0] == (0, 2, inet_aton("127.0.0.1"))
+    assert resolved.dns[1] == (0, 10, inet_pton(AF_INET6, "::1"))
     assert len(resolved.dns_ex) == 2
-    assert resolved.dns_ex[0] == [0, 2, inet_aton("127.0.0.1"), 0, ""]
-    assert resolved.dns_ex[1] == [0, 10, inet_pton(AF_INET6, "::1"), 0, ""]
+    assert resolved.dns_ex[0] == (0, 2, inet_aton("127.0.0.1"), 0, "")
+    assert resolved.dns_ex[1] == (0, 10, inet_pton(AF_INET6, "::1"), 0, "")
 
     assert len(resolved.fallback_dns) == 2
-    assert resolved.fallback_dns[0] == [0, 2, inet_aton("1.1.1.1")]
-    assert resolved.fallback_dns[1] == [
+    assert resolved.fallback_dns[0] == (0, 2, inet_aton("1.1.1.1"))
+    assert resolved.fallback_dns[1] == (
         0,
         10,
         inet_pton(AF_INET6, "2606:4700:4700::1111"),
-    ]
+    )
     assert len(resolved.fallback_dns_ex) == 2
-    assert resolved.fallback_dns_ex[0] == [
+    assert resolved.fallback_dns_ex[0] == (
         0,
         2,
         inet_aton("1.1.1.1"),
         0,
         "cloudflare-dns.com",
-    ]
-    assert resolved.fallback_dns_ex[1] == [
+    )
+    assert resolved.fallback_dns_ex[1] == (
         0,
         10,
         inet_pton(AF_INET6, "2606:4700:4700::1111"),
         0,
         "cloudflare-dns.com",
-    ]
+    )
 
-    assert resolved.current_dns_server == [0, 2, inet_aton("127.0.0.1")]
-    assert resolved.current_dns_server_ex == [
+    assert resolved.current_dns_server == (0, 2, inet_aton("127.0.0.1"))
+    assert resolved.current_dns_server_ex == (
         0,
         2,
         inet_aton("127.0.0.1"),
         0,
         "",
-    ]
+    )
 
     assert len(resolved.domains) == 1
-    assert resolved.domains[0] == [0, "local.hass.io", False]
+    assert resolved.domains[0] == (0, "local.hass.io", False)
 
-    assert resolved.transaction_statistics == [0, 100000]
-    assert resolved.cache_statistics == [10, 50000, 10000]
+    assert resolved.transaction_statistics == (0, 100000)
+    assert resolved.cache_statistics == (10, 50000, 10000)
     assert resolved.dnssec == DNSSECValidation.NO
-    assert resolved.dnssec_statistics == [0, 0, 0, 0]
+    assert resolved.dnssec_statistics == (0, 0, 0, 0)
     assert resolved.dnssec_supported is False
     assert resolved.dnssec_negative_trust_anchors == [
         "168.192.in-addr.arpa",

tests/dbus/test_systemd.py

@@ -185,10 +185,10 @@ async def test_start_transient_unit(
             "tmp-test.mount",
             "fail",
             [
-                ["Description", Variant("s", "Test")],
-                ["What", Variant("s", "//homeassistant/config")],
-                ["Type", Variant("s", "cifs")],
-                ["Options", Variant("s", "username=homeassistant,password=password")],
+                ("Description", Variant("s", "Test")),
+                ("What", Variant("s", "//homeassistant/config")),
+                ("Type", Variant("s", "cifs")),
+                ("Options", Variant("s", "username=homeassistant,password=password")),
             ],
             [],
         )

tests/dbus_service_mocks/agent_system.py

@@ -1,6 +1,6 @@
 """Mock of OS Agent System dbus service."""
 
-from dbus_fast import DBusError
+from dbus_fast import DBusError, ErrorType
 
 from .base import DBusServiceMock, dbus_method
 
@@ -21,6 +21,7 @@ class System(DBusServiceMock):
     object_path = "/io/hass/os/System"
     interface = "io.hass.os.System"
     response_schedule_wipe_device: bool | DBusError = True
+    response_migrate_docker_storage_driver: None | DBusError = None
 
     @dbus_method()
     def ScheduleWipeDevice(self) -> "b":
@@ -28,3 +29,14 @@ class System(DBusServiceMock):
         if isinstance(self.response_schedule_wipe_device, DBusError):
             raise self.response_schedule_wipe_device  # pylint: disable=raising-bad-type
         return self.response_schedule_wipe_device
+
+    @dbus_method()
+    def MigrateDockerStorageDriver(self, backend: "s") -> None:
+        """Migrate Docker storage driver."""
+        if isinstance(self.response_migrate_docker_storage_driver, DBusError):
+            raise self.response_migrate_docker_storage_driver  # pylint: disable=raising-bad-type
+        if backend not in ("overlayfs", "overlay2"):
+            raise DBusError(
+                ErrorType.FAILED,
+                f"unsupported driver: {backend} (only 'overlayfs' and 'overlay2' are supported)",
+            )

tests/dbus_service_mocks/resolved.py

@@ -45,8 +45,8 @@ class Resolved(DBusServiceMock):
     def DNS(self) -> "a(iiay)":
         """Get DNS."""
         return [
-            [0, 2, bytes([127, 0, 0, 1])],
-            [
+            (0, 2, bytes([127, 0, 0, 1])),
+            (
                 0,
                 10,
                 bytes(
@@ -69,15 +69,15 @@ class Resolved(DBusServiceMock):
                         0x1,
                     ]
                 ),
-            ],
+            ),
         ]
 
     @dbus_property(access=PropertyAccess.READ)
     def DNSEx(self) -> "a(iiayqs)":
         """Get DNSEx."""
         return [
-            [0, 2, bytes([127, 0, 0, 1]), 0, ""],
-            [
+            (0, 2, bytes([127, 0, 0, 1]), 0, ""),
+            (
                 0,
                 10,
                 bytes(
@@ -102,15 +102,15 @@ class Resolved(DBusServiceMock):
                 ),
                 0,
                 "",
-            ],
+            ),
         ]
 
     @dbus_property(access=PropertyAccess.READ)
     def FallbackDNS(self) -> "a(iiay)":
         """Get FallbackDNS."""
         return [
-            [0, 2, bytes([1, 1, 1, 1])],
-            [
+            (0, 2, bytes([1, 1, 1, 1])),
+            (
                 0,
                 10,
                 bytes(
@@ -133,15 +133,15 @@ class Resolved(DBusServiceMock):
                         0x11,
                     ]
                 ),
-            ],
+            ),
         ]
 
     @dbus_property(access=PropertyAccess.READ)
     def FallbackDNSEx(self) -> "a(iiayqs)":
         """Get FallbackDNSEx."""
         return [
-            [0, 2, bytes([1, 1, 1, 1]), 0, "cloudflare-dns.com"],
-            [
+            (0, 2, bytes([1, 1, 1, 1]), 0, "cloudflare-dns.com"),
+            (
                 0,
                 10,
                 bytes(
@@ -166,33 +166,33 @@ class Resolved(DBusServiceMock):
                 ),
                 0,
                 "cloudflare-dns.com",
-            ],
+            ),
         ]
 
     @dbus_property(access=PropertyAccess.READ)
     def CurrentDNSServer(self) -> "(iiay)":
         """Get CurrentDNSServer."""
-        return [0, 2, bytes([127, 0, 0, 1])]
+        return (0, 2, bytes([127, 0, 0, 1]))
 
     @dbus_property(access=PropertyAccess.READ)
     def CurrentDNSServerEx(self) -> "(iiayqs)":
         """Get CurrentDNSServerEx."""
-        return [0, 2, bytes([127, 0, 0, 1]), 0, ""]
+        return (0, 2, bytes([127, 0, 0, 1]), 0, "")
 
     @dbus_property(access=PropertyAccess.READ)
     def Domains(self) -> "a(isb)":
         """Get Domains."""
-        return [[0, "local.hass.io", False]]
+        return [(0, "local.hass.io", False)]
 
     @dbus_property(access=PropertyAccess.READ)
     def TransactionStatistics(self) -> "(tt)":
         """Get TransactionStatistics."""
-        return [0, 100000]
+        return (0, 100000)
 
     @dbus_property(access=PropertyAccess.READ)
     def CacheStatistics(self) -> "(ttt)":
         """Get CacheStatistics."""
-        return [10, 50000, 10000]
+        return (10, 50000, 10000)
 
     @dbus_property(access=PropertyAccess.READ)
     def DNSSEC(self) -> "s":
@@ -202,7 +202,7 @@ class Resolved(DBusServiceMock):
     @dbus_property(access=PropertyAccess.READ)
     def DNSSECStatistics(self) -> "(tttt)":
         """Get DNSSECStatistics."""
-        return [0, 0, 0, 0]
+        return (0, 0, 0, 0)
 
     @dbus_property(access=PropertyAccess.READ)
     def DNSSECSupported(self) -> "b":

tests/docker/test_addon.py

@@ -503,3 +503,93 @@ async def test_addon_new_device_no_haos(
     await install_addon_ssh.stop()
     assert coresys.resolution.issues == []
     assert coresys.resolution.suggestions == []
+
+
+async def test_ulimits_integration(
+    coresys: CoreSys,
+    install_addon_ssh: Addon,
+):
+    """Test ulimits integration with Docker addon."""
+    docker_addon = DockerAddon(coresys, install_addon_ssh)
+
+    # Test default case (no ulimits, no realtime)
+    assert docker_addon.ulimits is None
+
+    # Test with realtime enabled (should have built-in ulimits)
+    install_addon_ssh.data["realtime"] = True
+    ulimits = docker_addon.ulimits
+    assert ulimits is not None
+    assert len(ulimits) == 2
+    # Check for rtprio limit
+    rtprio_limit = next((u for u in ulimits if u.name == "rtprio"), None)
+    assert rtprio_limit is not None
+    assert rtprio_limit.soft == 90
+    assert rtprio_limit.hard == 99
+    # Check for memlock limit
+    memlock_limit = next((u for u in ulimits if u.name == "memlock"), None)
+    assert memlock_limit is not None
+    assert memlock_limit.soft == 128 * 1024 * 1024
+    assert memlock_limit.hard == 128 * 1024 * 1024
+
+    # Test with configurable ulimits (simple format)
+    install_addon_ssh.data["realtime"] = False
+    install_addon_ssh.data["ulimits"] = {"nofile": 65535, "nproc": 32768}
+    ulimits = docker_addon.ulimits
+    assert ulimits is not None
+    assert len(ulimits) == 2
+
+    nofile_limit = next((u for u in ulimits if u.name == "nofile"), None)
+    assert nofile_limit is not None
+    assert nofile_limit.soft == 65535
+    assert nofile_limit.hard == 65535
+
+    nproc_limit = next((u for u in ulimits if u.name == "nproc"), None)
+    assert nproc_limit is not None
+    assert nproc_limit.soft == 32768
+    assert nproc_limit.hard == 32768
+
+    # Test with configurable ulimits (detailed format)
+    install_addon_ssh.data["ulimits"] = {
+        "nofile": {"soft": 20000, "hard": 40000},
+        "memlock": {"soft": 67108864, "hard": 134217728},
+    }
+    ulimits = docker_addon.ulimits
+    assert ulimits is not None
+    assert len(ulimits) == 2
+
+    nofile_limit = next((u for u in ulimits if u.name == "nofile"), None)
+    assert nofile_limit is not None
+    assert nofile_limit.soft == 20000
+    assert nofile_limit.hard == 40000
+
+    memlock_limit = next((u for u in ulimits if u.name == "memlock"), None)
+    assert memlock_limit is not None
+    assert memlock_limit.soft == 67108864
+    assert memlock_limit.hard == 134217728
+
+    # Test mixed format and realtime (realtime + custom ulimits)
+    install_addon_ssh.data["realtime"] = True
+    install_addon_ssh.data["ulimits"] = {
+        "nofile": 65535,
+        "core": {"soft": 0, "hard": 0},  # Disable core dumps
+    }
+    ulimits = docker_addon.ulimits
+    assert ulimits is not None
+    assert (
+        len(ulimits) == 4
+    )  # rtprio, memlock (from realtime) + nofile, core (from config)
+
+    # Check realtime limits still present
+    rtprio_limit = next((u for u in ulimits if u.name == "rtprio"), None)
+    assert rtprio_limit is not None
+
+    # Check custom limits added
+    nofile_limit = next((u for u in ulimits if u.name == "nofile"), None)
+    assert nofile_limit is not None
+    assert nofile_limit.soft == 65535
+    assert nofile_limit.hard == 65535
+
+    core_limit = next((u for u in ulimits if u.name == "core"), None)
+    assert core_limit is not None
+    assert core_limit.soft == 0
+    assert core_limit.hard == 0

tests/docker/test_credentials.py

@@ -2,7 +2,8 @@
 
 # pylint: disable=protected-access
 from supervisor.coresys import CoreSys
-from supervisor.docker.interface import DOCKER_HUB, DockerInterface
+from supervisor.docker.const import DOCKER_HUB
+from supervisor.docker.interface import DockerInterface
 
 
 def test_no_credentials(coresys: CoreSys, test_docker_interface: DockerInterface):

tests/docker/test_manager.py

@@ -1,9 +1,10 @@
 """Test Docker manager."""
 
 import asyncio
+from pathlib import Path
 from unittest.mock import MagicMock, patch
 
-from docker.errors import DockerException
+from docker.errors import APIError, DockerException, NotFound
 import pytest
 from requests import RequestException
 
@@ -20,7 +21,7 @@ async def test_run_command_success(docker: DockerAPI):
     mock_container.logs.return_value = b"command output"
 
     # Mock docker containers.run to return our mock container
-    docker.docker.containers.run.return_value = mock_container
+    docker.dockerpy.containers.run.return_value = mock_container
 
     # Execute the command
     result = docker.run_command(
@@ -33,7 +34,7 @@ async def test_run_command_success(docker: DockerAPI):
     assert result.output == b"command output"
 
     # Verify docker.containers.run was called correctly
-    docker.docker.containers.run.assert_called_once_with(
+    docker.dockerpy.containers.run.assert_called_once_with(
         "alpine:3.18",
         command="echo hello",
         detach=True,
@@ -55,7 +56,7 @@ async def test_run_command_with_defaults(docker: DockerAPI):
     mock_container.logs.return_value = b"error output"
 
     # Mock docker containers.run to return our mock container
-    docker.docker.containers.run.return_value = mock_container
+    docker.dockerpy.containers.run.return_value = mock_container
 
     # Execute the command with minimal parameters
     result = docker.run_command(image="ubuntu")
@@ -66,7 +67,7 @@ async def test_run_command_with_defaults(docker: DockerAPI):
     assert result.output == b"error output"
 
     # Verify docker.containers.run was called with defaults
-    docker.docker.containers.run.assert_called_once_with(
+    docker.dockerpy.containers.run.assert_called_once_with(
         "ubuntu:latest",  # default tag
         command=None,  # default command
         detach=True,
@@ -81,7 +82,7 @@ async def test_run_command_with_defaults(docker: DockerAPI):
 async def test_run_command_docker_exception(docker: DockerAPI):
     """Test command execution when Docker raises an exception."""
     # Mock docker containers.run to raise DockerException
-    docker.docker.containers.run.side_effect = DockerException("Docker error")
+    docker.dockerpy.containers.run.side_effect = DockerException("Docker error")
 
     # Execute the command and expect DockerError
     with pytest.raises(DockerError, match="Can't execute command: Docker error"):
@@ -91,7 +92,7 @@ async def test_run_command_docker_exception(docker: DockerAPI):
 async def test_run_command_request_exception(docker: DockerAPI):
     """Test command execution when requests raises an exception."""
     # Mock docker containers.run to raise RequestException
-    docker.docker.containers.run.side_effect = RequestException("Connection error")
+    docker.dockerpy.containers.run.side_effect = RequestException("Connection error")
 
     # Execute the command and expect DockerError
     with pytest.raises(DockerError, match="Can't execute command: Connection error"):
@@ -104,7 +105,7 @@ async def test_run_command_cleanup_on_exception(docker: DockerAPI):
     mock_container = MagicMock()
 
     # Mock docker.containers.run to return container, but container.wait to raise exception
-    docker.docker.containers.run.return_value = mock_container
+    docker.dockerpy.containers.run.return_value = mock_container
     mock_container.wait.side_effect = DockerException("Wait failed")
 
     # Execute the command and expect DockerError
@@ -123,7 +124,7 @@ async def test_run_command_custom_stdout_stderr(docker: DockerAPI):
     mock_container.logs.return_value = b"output"
 
     # Mock docker containers.run to return our mock container
-    docker.docker.containers.run.return_value = mock_container
+    docker.dockerpy.containers.run.return_value = mock_container
 
     # Execute the command with custom stdout/stderr
     result = docker.run_command(
@@ -150,7 +151,7 @@ async def test_run_container_with_cidfile(
     cidfile_path = coresys.config.path_cid_files / f"{container_name}.cid"
     extern_cidfile_path = coresys.config.path_extern_cid_files / f"{container_name}.cid"
 
-    docker.docker.containers.run.return_value = mock_container
+    docker.dockerpy.containers.run.return_value = mock_container
 
     # Mock container creation
     with patch.object(
@@ -351,3 +352,101 @@ async def test_run_container_with_leftover_cidfile_directory(
         assert cidfile_path.read_text() == mock_container.id
 
         assert result == mock_container
+
+
+async def test_repair(coresys: CoreSys, caplog: pytest.LogCaptureFixture):
+    """Test repair API."""
+    coresys.docker.dockerpy.networks.get.side_effect = [
+        hassio := MagicMock(
+            attrs={
+                "Containers": {
+                    "good": {"Name": "good"},
+                    "corrupt": {"Name": "corrupt"},
+                    "fail": {"Name": "fail"},
+                }
+            }
+        ),
+        host := MagicMock(attrs={"Containers": {}}),
+    ]
+    coresys.docker.dockerpy.containers.get.side_effect = [
+        MagicMock(),
+        NotFound("corrupt"),
+        DockerException("fail"),
+    ]
+
+    await coresys.run_in_executor(coresys.docker.repair)
+
+    coresys.docker.dockerpy.api.prune_containers.assert_called_once()
+    coresys.docker.dockerpy.api.prune_images.assert_called_once_with(
+        filters={"dangling": False}
+    )
+    coresys.docker.dockerpy.api.prune_builds.assert_called_once()
+    coresys.docker.dockerpy.api.prune_volumes.assert_called_once()
+    coresys.docker.dockerpy.api.prune_networks.assert_called_once()
+    hassio.disconnect.assert_called_once_with("corrupt", force=True)
+    host.disconnect.assert_not_called()
+    assert "Docker fatal error on container fail on hassio" in caplog.text
+
+
+async def test_repair_failures(coresys: CoreSys, caplog: pytest.LogCaptureFixture):
+    """Test repair proceeds best it can through failures."""
+    coresys.docker.dockerpy.api.prune_containers.side_effect = APIError("fail")
+    coresys.docker.dockerpy.api.prune_images.side_effect = APIError("fail")
+    coresys.docker.dockerpy.api.prune_builds.side_effect = APIError("fail")
+    coresys.docker.dockerpy.api.prune_volumes.side_effect = APIError("fail")
+    coresys.docker.dockerpy.api.prune_networks.side_effect = APIError("fail")
+    coresys.docker.dockerpy.networks.get.side_effect = NotFound("missing")
+
+    await coresys.run_in_executor(coresys.docker.repair)
+
+    assert "Error for containers prune: fail" in caplog.text
+    assert "Error for images prune: fail" in caplog.text
+    assert "Error for builds prune: fail" in caplog.text
+    assert "Error for volumes prune: fail" in caplog.text
+    assert "Error for networks prune: fail" in caplog.text
+    assert "Error for networks hassio prune: missing" in caplog.text
+    assert "Error for networks host prune: missing" in caplog.text
+
+
+@pytest.mark.parametrize("log_starter", [("Loaded image ID"), ("Loaded image")])
+async def test_import_image(coresys: CoreSys, tmp_path: Path, log_starter: str):
+    """Test importing an image into docker."""
+    (test_tar := tmp_path / "test.tar").touch()
+    coresys.docker.images.import_image.return_value = [
+        {"stream": f"{log_starter}: imported"}
+    ]
+    coresys.docker.images.inspect.return_value = {"Id": "imported"}
+
+    image = await coresys.docker.import_image(test_tar)
+
+    assert image["Id"] == "imported"
+    coresys.docker.images.inspect.assert_called_once_with("imported")
+
+
+async def test_import_image_error(coresys: CoreSys, tmp_path: Path):
+    """Test failure importing an image into docker."""
+    (test_tar := tmp_path / "test.tar").touch()
+    coresys.docker.images.import_image.return_value = [
+        {"errorDetail": {"message": "fail"}}
+    ]
+
+    with pytest.raises(DockerError, match="Can't import image from tar: fail"):
+        await coresys.docker.import_image(test_tar)
+
+    coresys.docker.images.inspect.assert_not_called()
+
+
+async def test_import_multiple_images_in_tar(
+    coresys: CoreSys, tmp_path: Path, caplog: pytest.LogCaptureFixture
+):
+    """Test importing an image into docker."""
+    (test_tar := tmp_path / "test.tar").touch()
+    coresys.docker.images.import_image.return_value = [
+        {"stream": "Loaded image: imported-1"},
+        {"stream": "Loaded image: imported-2"},
+    ]
+
+    assert await coresys.docker.import_image(test_tar) is None
+
+    assert "Unexpected image count 2 while importing image from tar" in caplog.text
+    coresys.docker.images.inspect.assert_not_called()

tests/docker/test_monitor.py

@@ -88,7 +88,7 @@ async def test_events(
 ):
     """Test events created from docker events."""
     event["Actor"]["Attributes"]["name"] = "some_container"
-    event["id"] = "abc123"
+    event["Actor"]["ID"] = "abc123"
     event["time"] = 123
     with (
         patch(
@@ -131,12 +131,12 @@ async def test_unlabeled_container(coresys: CoreSys):
             new=PropertyMock(
                 return_value=[
                     {
-                        "id": "abc123",
                         "time": 123,
                         "Type": "container",
                         "Action": "die",
                         "Actor": {
-                            "Attributes": {"name": "homeassistant", "exitCode": "137"}
+                            "ID": "abc123",
+                            "Attributes": {"name": "homeassistant", "exitCode": "137"},
                         },
                     }
                 ]

tests/fixtures/docker_pull_image_log_containerd_snapshot.json

@@ -0,0 +1,196 @@
+[
+  {
+    "status": "Pulling from home-assistant/home-assistant",
+    "id": "2025.12.0.dev202511080235"
+  },
+  { "status": "Pulling fs layer", "progressDetail": {}, "id": "eafecc6b43cc" },
+  { "status": "Pulling fs layer", "progressDetail": {}, "id": "333270549f95" },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 1048576, "total": 21863319 },
+    "progress": "[==\u003e                                                ]  1.049MB/21.86MB",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 1048576, "total": 21179924 },
+    "progress": "[==\u003e                                                ]  1.049MB/21.18MB",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 4194304, "total": 21863319 },
+    "progress": "[=========\u003e                                         ]  4.194MB/21.86MB",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 2097152, "total": 21179924 },
+    "progress": "[====\u003e                                              ]  2.097MB/21.18MB",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 7340032, "total": 21863319 },
+    "progress": "[================\u003e                                  ]   7.34MB/21.86MB",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 4194304, "total": 21179924 },
+    "progress": "[=========\u003e                                         ]  4.194MB/21.18MB",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 13631488, "total": 21863319 },
+    "progress": "[===============================\u003e                   ]  13.63MB/21.86MB",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 8388608, "total": 21179924 },
+    "progress": "[===================\u003e                               ]  8.389MB/21.18MB",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 17825792, "total": 21863319 },
+    "progress": "[========================================\u003e          ]  17.83MB/21.86MB",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 12582912, "total": 21179924 },
+    "progress": "[=============================\u003e                     ]  12.58MB/21.18MB",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 21863319, "total": 21863319 },
+    "progress": "[==================================================\u003e]  21.86MB/21.86MB",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 16777216, "total": 21179924 },
+    "progress": "[=======================================\u003e           ]  16.78MB/21.18MB",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Downloading",
+    "progressDetail": { "current": 21179924, "total": 21179924 },
+    "progress": "[==================================================\u003e]  21.18MB/21.18MB",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Download complete",
+    "progressDetail": { "hidecounts": true },
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Download complete",
+    "progressDetail": { "hidecounts": true },
+    "id": "333270549f95"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 1, "units": "s" },
+    "progress": "1 s",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 1, "units": "s" },
+    "progress": "1 s",
+    "id": "333270549f95"
+  },
+  {
+    "status": "Pull complete",
+    "progressDetail": { "hidecounts": true },
+    "id": "333270549f95"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 1, "units": "s" },
+    "progress": "1 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 1, "units": "s" },
+    "progress": "1 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 2, "units": "s" },
+    "progress": "2 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 2, "units": "s" },
+    "progress": "2 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 3, "units": "s" },
+    "progress": "3 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 3, "units": "s" },
+    "progress": "3 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 4, "units": "s" },
+    "progress": "4 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 4, "units": "s" },
+    "progress": "4 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 5, "units": "s" },
+    "progress": "5 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 5, "units": "s" },
+    "progress": "5 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 6, "units": "s" },
+    "progress": "6 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Extracting",
+    "progressDetail": { "current": 6, "units": "s" },
+    "progress": "6 s",
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Pull complete",
+    "progressDetail": { "hidecounts": true },
+    "id": "eafecc6b43cc"
+  },
+  {
+    "status": "Digest: sha256:bfc9efc13552c0c228f3d9d35987331cce68b43c9bc79c80a57eeadadd44cccf"
+  },
+  {
+    "status": "Status: Downloaded newer image for ghcr.io/home-assistant/home-assistant:2025.12.0.dev202511080235"
+  }
+]