Merge branch 'main' into container-create-to-aiodocker

Bump aiodns from 3.6.0 to 3.6.1 (#6423 )
Bumps [aiodns](https://github.com/saghul/aiodns) from 3.6.0 to 3.6.1. - [Release notes](https://github.com/saghul/aiodns/releases) - [Changelog](https://github.com/aio-libs/aiodns/blob/master/ChangeLog) - [Commits](https://github.com/saghul/aiodns/compare/v3.6.0...v3.6.1) --- updated-dependencies: - dependency-name: aiodns dependency-version: 3.6.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-12 10:58:41 +00:00 · 2025-12-11 23:45:39 +01:00 · 2025-12-11 23:42:40 +01:00 · 2025-12-11 20:10:12 +00:00 · 2025-12-11 20:04:55 +00:00 · 2025-12-11 20:04:54 +00:00
133 changed files with 3945 additions and 1485 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,7 @@
 # General files
 .git
 .github
+.gitkeep
 .devcontainer
 .vscode

--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -34,6 +34,9 @@ on:

 env:
  DEFAULT_PYTHON: "3.13"
+  COSIGN_VERSION: "v2.5.3"
+  CRANE_VERSION: "v0.20.7"
+  CRANE_SHA256: "8ef3564d264e6b5ca93f7b7f5652704c4dd29d33935aff6947dd5adefd05953e"
  BUILD_NAME: supervisor
  BUILD_TYPE: supervisor

@@ -50,10 +53,10 @@ jobs:
      version: ${{ steps.version.outputs.version }}
      channel: ${{ steps.version.outputs.channel }}
      publish: ${{ steps.version.outputs.publish }}
-      requirements: ${{ steps.requirements.outputs.changed }}
+      build_wheels: ${{ steps.requirements.outputs.build_wheels }}
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

@@ -69,20 +72,25 @@ jobs:

      - name: Get changed files
        id: changed_files
-        if: steps.version.outputs.publish == 'false'
+        if: github.event_name != 'release'
        uses: masesgroup/retrieve-changed-files@491e80760c0e28d36ca6240a27b1ccb8e1402c13 # v3.0.0

      - name: Check if requirements files changed
        id: requirements
        run: |
-          if [[ "${{ steps.changed_files.outputs.all }}" =~ (requirements.txt|build.yaml) ]]; then
-            echo "changed=true" >> "$GITHUB_OUTPUT"
+          # No wheels build necessary for releases
+          if [[ "${{ github.event_name }}" == "release" ]]; then
+            echo "build_wheels=false" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ steps.changed_files.outputs.all }}" =~ (requirements\.txt|build\.yaml|\.github/workflows/builder\.yml) ]]; then
+            echo "build_wheels=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "build_wheels=false" >> "$GITHUB_OUTPUT"
          fi

  build:
    name: Build ${{ matrix.arch }} supervisor
    needs: init
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runs-on }}
    permissions:
      contents: read
      id-token: write
@@ -90,34 +98,66 @@ jobs:
    strategy:
      matrix:
        arch: ${{ fromJson(needs.init.outputs.architectures) }}
+        include:
+          - runs-on: ubuntu-24.04
+          - runs-on: ubuntu-24.04-arm
+            arch: aarch64
+    env:
+      WHEELS_ABI: cp313
+      WHEELS_TAG: musllinux_1_2
+      WHEELS_APK_DEPS: "libffi-dev;openssl-dev;yaml-dev"
+      WHEELS_SKIP_BINARY: aiohttp
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

-      - name: Write env-file
-        if: needs.init.outputs.requirements == 'true'
+      - name: Write env-file for wheels build
+        if: needs.init.outputs.build_wheels == 'true'
        run: |
          (
            # Fix out of memory issues with rust
            echo "CARGO_NET_GIT_FETCH_WITH_CLI=true"
          ) > .env_file

-      # home-assistant/wheels doesn't support sha pinning
-      - name: Build wheels
-        if: needs.init.outputs.requirements == 'true'
-        uses: home-assistant/wheels@2025.10.0
+      - name: Build and publish wheels
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'true'
+        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
        with:
-          abi: cp313
-          tag: musllinux_1_2
-          arch: ${{ matrix.arch }}
          wheels-key: ${{ secrets.WHEELS_KEY }}
-          apk: "libffi-dev;openssl-dev;yaml-dev"
-          skip-binary: aiohttp
+          abi: ${{ env.WHEELS_ABI }}
+          tag: ${{ env.WHEELS_TAG }}
+          arch: ${{ matrix.arch }}
+          apk: ${{ env.WHEELS_APK_DEPS }}
+          skip-binary: ${{ env.WHEELS_SKIP_BINARY }}
          env-file: true
          requirements: "requirements.txt"

+      - name: Build local wheels
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
+        with:
+          wheels-host: ""
+          wheels-user: ""
+          wheels-key: ""
+          local-wheels-repo-path: "wheels/"
+          abi: ${{ env.WHEELS_ABI }}
+          tag: ${{ env.WHEELS_TAG }}
+          arch: ${{ matrix.arch }}
+          apk: ${{ env.WHEELS_APK_DEPS }}
+          skip-binary: ${{ env.WHEELS_SKIP_BINARY }}
+          env-file: true
+          requirements: "requirements.txt"
+
+      - name: Upload local wheels artifact
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: wheels-${{ matrix.arch }}
+          path: wheels
+          retention-days: 1
+
      - name: Set version
        if: needs.init.outputs.publish == 'true'
        uses: home-assistant/actions/helpers/version@master
@@ -126,7 +166,7 @@ jobs:

      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
        if: needs.init.outputs.publish == 'true'
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}

@@ -134,7 +174,7 @@ jobs:
        if: needs.init.outputs.publish == 'true'
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
-          cosign-release: "v2.5.3"
+          cosign-release: ${{ env.COSIGN_VERSION }}

      - name: Install dirhash and calc hash
        if: needs.init.outputs.publish == 'true'
@@ -162,8 +202,9 @@ jobs:

      # home-assistant/builder doesn't support sha pinning
      - name: Build supervisor
-        uses: home-assistant/builder@2025.09.0
+        uses: home-assistant/builder@2025.11.0
        with:
+          image: ${{ matrix.arch }}
          args: |
            $BUILD_ARGS \
            --${{ matrix.arch }} \
@@ -173,12 +214,12 @@ jobs:

  version:
    name: Update version
-    needs: ["init", "run_supervisor"]
+    needs: ["init", "run_supervisor", "retag_deprecated"]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
        if: needs.init.outputs.publish == 'true'
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Initialize git
        if: needs.init.outputs.publish == 'true'
@@ -203,12 +244,19 @@ jobs:
    timeout-minutes: 60
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Download local wheels artifact
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+          name: wheels-amd64
+          path: wheels

      # home-assistant/builder doesn't support sha pinning
      - name: Build the Supervisor
        if: needs.init.outputs.publish != 'true'
-        uses: home-assistant/builder@2025.09.0
+        uses: home-assistant/builder@2025.11.0
        with:
          args: |
            --test \
@@ -352,3 +400,50 @@ jobs:
      - name: Get supervisor logs on failiure
        if: ${{ cancelled() || failure() }}
        run: docker logs hassio_supervisor
+
+  retag_deprecated:
+    needs: ["build", "init"]
+    name: Re-tag deprecated ${{ matrix.arch }} images
+    if: needs.init.outputs.publish == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    strategy:
+      matrix:
+        arch: ["armhf", "armv7", "i386"]
+    env:
+      # Last available release for deprecated architectures
+      FROZEN_VERSION: "2025.11.5"
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: ${{ env.COSIGN_VERSION }}
+
+      - name: Install crane
+        run: |
+          curl -sLO https://github.com/google/go-containerregistry/releases/download/${{ env.CRANE_VERSION }}/go-containerregistry_Linux_x86_64.tar.gz
+          echo "${{ env.CRANE_SHA256 }}  go-containerregistry_Linux_x86_64.tar.gz" | sha256sum -c -
+          tar xzf go-containerregistry_Linux_x86_64.tar.gz crane
+          sudo mv crane /usr/local/bin/
+
+      - name: Re-tag deprecated image with updated version label
+        run: |
+          crane auth login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
+          crane mutate \
+            --label io.hass.version=${{ needs.init.outputs.version }} \
+            --tag ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ needs.init.outputs.version }} \
+            ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ env.FROZEN_VERSION }}
+
+      - name: Sign image with Cosign
+        run: |
+          cosign sign --yes ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ needs.init.outputs.version }}
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -26,10 +26,10 @@ jobs:
    name: Prepare Python dependencies
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python
        id: python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}
      - name: Restore Python virtual environment
@@ -68,9 +68,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -111,9 +111,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -154,7 +154,7 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Register hadolint problem matcher
        run: |
          echo "::add-matcher::.github/workflows/matchers/hadolint.json"
@@ -169,9 +169,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -213,9 +213,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -257,9 +257,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -293,9 +293,9 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -339,9 +339,9 @@ jobs:
    name: Run tests Python ${{ needs.prepare.outputs.python-version }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -398,9 +398,9 @@ jobs:
    needs: ["pytest", "prepare"]
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
@@ -428,4 +428,4 @@ jobs:
          coverage report
          coverage xml
      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -11,7 +11,7 @@ jobs:
    name: Release Drafter
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0

--- a/.github/workflows/sentry.yaml
+++ b/.github/workflows/sentry.yaml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Sentry Release
        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3.4.0
        env:
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,7 +9,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: 30
--- a/.github/workflows/update_frontend.yml
+++ b/.github/workflows/update_frontend.yml
@@ -14,7 +14,7 @@ jobs:
      latest_version: ${{ steps.latest_frontend_version.outputs.latest_tag }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Get latest frontend release
        id: latest_frontend_version
        uses: abatilo/release-info-action@32cb932219f1cee3fc4f4a298fd65ead5d35b661 # v1.3.3
@@ -49,7 +49,7 @@ jobs:
    if: needs.check-version.outputs.skip != 'true'
    steps:
      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Clear www folder
        run: |
          rm -rf supervisor/api/panel/*
@@ -68,7 +68,7 @@ jobs:
        run: |
          rm -f supervisor/api/panel/home_assistant_frontend_supervisor-*.tar.gz
      - name: Create PR
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
        with:
          commit-message: "Update frontend to version ${{ needs.check-version.outputs.latest_version }}"
          branch: autoupdate-frontend
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,9 @@ var/
 .installed.cfg
 *.egg

+# Local wheels
+wheels/**/*.whl
+
 # PyInstaller
 #  Usually these files are written by a python script from a template
 #  before PyInstaller builds the exe, so as to inject date/other infos into it.
@@ -102,4 +105,4 @@ ENV/
 /.dmypy.json

 # Mac
-.DS_Store
+.DS_Store
--- a/22
+++ b/22
@@ -8,9 +8,7 @@ ENV \
    UV_SYSTEM_PYTHON=true

 ARG \
-    COSIGN_VERSION \
-    BUILD_ARCH \
-    QEMU_CPU
+    COSIGN_VERSION

 # Install base
 WORKDIR /usr/src
@@ -32,15 +30,19 @@ RUN \
    && pip3 install uv==0.8.9

 # Install requirements
-COPY requirements.txt .
 RUN \
-    if [ "${BUILD_ARCH}" = "i386" ]; then \
-        setarch="linux32"; \
+    --mount=type=bind,source=./requirements.txt,target=/usr/src/requirements.txt \
+    --mount=type=bind,source=./wheels,target=/usr/src/wheels \
+    if ls /usr/src/wheels/musllinux/* >/dev/null 2>&1; then \
+        LOCAL_WHEELS=/usr/src/wheels/musllinux; \
+        echo "Using local wheels from: $LOCAL_WHEELS"; \
    else \
-        setarch=""; \
-    fi \
-    && ${setarch} uv pip install --compile-bytecode --no-cache --no-build -r requirements.txt \
-    && rm -f requirements.txt
+        LOCAL_WHEELS=; \
+        echo "No local wheels found"; \
+    fi && \
+    uv pip install --compile-bytecode --no-cache --no-build \
+        -r requirements.txt \
+        ${LOCAL_WHEELS:+--find-links $LOCAL_WHEELS}

 # Install Home Assistant Supervisor
 COPY . supervisor
--- a/build.yaml
+++ b/build.yaml
@@ -1,13 +1,7 @@
 image: ghcr.io/home-assistant/{arch}-hassio-supervisor
 build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.13-alpine3.22
-  armhf: ghcr.io/home-assistant/armhf-base-python:3.13-alpine3.22
-  armv7: ghcr.io/home-assistant/armv7-base-python:3.13-alpine3.22
-  amd64: ghcr.io/home-assistant/amd64-base-python:3.13-alpine3.22
-  i386: ghcr.io/home-assistant/i386-base-python:3.13-alpine3.22
-codenotary:
-  signer: notary@home-assistant.io
-  base_image: notary@home-assistant.io
+  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.13-alpine3.22-2025.11.1
+  amd64: ghcr.io/home-assistant/amd64-base-python:3.13-alpine3.22-2025.11.1
 cosign:
  base_identity: https://github.com/home-assistant/docker-base/.*
  identity: https://github.com/home-assistant/supervisor/.*
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -321,8 +321,6 @@ lint.ignore = [
    "PLW2901", # Outer {outer_kind} variable {name} overwritten by inner {inner_kind} target
    "UP006",   # keep type annotation style as is
    "UP007",   # keep type annotation style as is
-    # Ignored due to performance: https://github.com/charliermarsh/ruff/issues/2923
-    "UP038", # Use `X | Y` in `isinstance` call instead of `(X, Y)`

    # May conflict with the formatter, https://docs.astral.sh/ruff/formatter/#conflicting-lint-rules
    "W191",
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,11 +1,11 @@
-aiodns==3.5.0
+aiodns==3.6.1
 aiodocker==0.24.0
 aiohttp==3.13.2
 atomicwrites-homeassistant==1.4.1
 attrs==25.4.0
 awesomeversion==25.8.0
-backports.zstd==1.0.0
-blockbuster==1.5.25
+backports.zstd==1.2.0
+blockbuster==1.5.26
 brotli==1.2.0
 ciso8601==2.3.3
 colorlog==6.10.1
@@ -19,14 +19,14 @@ faust-cchardet==2.1.19
 gitpython==3.1.45
 jinja2==3.1.6
 log-rate-limit==1.4.2
-orjson==3.11.4
+orjson==3.11.5
 pulsectl==24.12.0
 pyudev==0.24.4
 PyYAML==6.0.3
 requests==2.32.5
-securetar==2025.2.1
-sentry-sdk==2.44.0
+securetar==2025.12.0
+sentry-sdk==2.47.0
 setuptools==80.9.0
 voluptuous==0.15.2
-dbus-fast==2.45.1
+dbus-fast==3.1.2
 zlib-fast==0.2.1
--- a/requirements_tests.txt
+++ b/requirements_tests.txt
@@ -1,16 +1,16 @@
 astroid==4.0.2
-coverage==7.11.3
-mypy==1.18.2
-pre-commit==4.4.0
-pylint==4.0.2
+coverage==7.13.0
+mypy==1.19.0
+pre-commit==4.5.0
+pylint==4.0.4
 pytest-aiohttp==1.1.0
 pytest-asyncio==1.3.0
 pytest-cov==7.0.0
 pytest-timeout==2.4.0
-pytest==9.0.1
-ruff==0.14.4
-time-machine==2.19.0
-types-docker==7.1.0.20251009
+pytest==9.0.2
+ruff==0.14.8
+time-machine==3.1.0
+types-docker==7.1.0.20251202
 types-pyyaml==6.0.12.20250915
 types-requests==2.32.4.20250913
-urllib3==2.5.0
+urllib3==2.6.1
--- a/supervisor/addons/addon.py
+++ b/supervisor/addons/addon.py
@@ -66,13 +66,22 @@ from ..docker.const import ContainerState
 from ..docker.monitor import DockerContainerStateEvent
 from ..docker.stats import DockerStats
 from ..exceptions import (
-    AddonConfigurationError,
+    AddonBackupMetadataInvalidError,
+    AddonBuildFailedUnknownError,
+    AddonConfigurationInvalidError,
+    AddonNotRunningError,
    AddonNotSupportedError,
+    AddonNotSupportedWriteStdinError,
+    AddonPrePostBackupCommandReturnedError,
    AddonsError,
    AddonsJobError,
+    AddonUnknownError,
+    BackupRestoreUnknownError,
    ConfigurationFileError,
+    DockerBuildError,
    DockerError,
    HostAppArmorError,
+    StoreAddonNotFoundError,
 )
 from ..hardware.data import Device
 from ..homeassistant.const import WSEvent
@@ -235,7 +244,7 @@ class Addon(AddonModel):
            await self.instance.check_image(self.version, default_image, self.arch)
        except DockerError:
            _LOGGER.info("No %s addon Docker image %s found", self.slug, self.image)
-            with suppress(DockerError):
+            with suppress(DockerError, AddonNotSupportedError):
                await self.instance.install(self.version, default_image, arch=self.arch)

        self.persist[ATTR_IMAGE] = default_image
@@ -718,18 +727,16 @@ class Addon(AddonModel):
            options = self.schema.validate(self.options)
            await self.sys_run_in_executor(write_json_file, self.path_options, options)
        except vol.Invalid as ex:
-            _LOGGER.error(
-                "Add-on %s has invalid options: %s",
-                self.slug,
-                humanize_error(self.options, ex),
-            )
-        except ConfigurationFileError:
+            raise AddonConfigurationInvalidError(
+                _LOGGER.error,
+                addon=self.slug,
+                validation_error=humanize_error(self.options, ex),
+            ) from None
+        except ConfigurationFileError as err:
            _LOGGER.error("Add-on %s can't write options", self.slug)
-        else:
-            _LOGGER.debug("Add-on %s write options: %s", self.slug, options)
-            return
+            raise AddonUnknownError(addon=self.slug) from err

-        raise AddonConfigurationError()
+        _LOGGER.debug("Add-on %s write options: %s", self.slug, options)

    @Job(
        name="addon_unload",
@@ -772,7 +779,7 @@ class Addon(AddonModel):
    async def install(self) -> None:
        """Install and setup this addon."""
        if not self.addon_store:
-            raise AddonsError("Missing from store, cannot install!")
+            raise StoreAddonNotFoundError(addon=self.slug)

        await self.sys_addons.data.install(self.addon_store)

@@ -793,9 +800,17 @@ class Addon(AddonModel):
            await self.instance.install(
                self.latest_version, self.addon_store.image, arch=self.arch
            )
-        except DockerError as err:
+        except AddonsError:
            await self.sys_addons.data.uninstall(self)
-            raise AddonsError() from err
+            raise
+        except DockerBuildError as err:
+            _LOGGER.error("Could not build image for addon %s: %s", self.slug, err)
+            await self.sys_addons.data.uninstall(self)
+            raise AddonBuildFailedUnknownError(addon=self.slug) from err
+        except DockerError as err:
+            _LOGGER.error("Could not pull image to update addon %s: %s", self.slug, err)
+            await self.sys_addons.data.uninstall(self)
+            raise AddonUnknownError(addon=self.slug) from err

        # Finish initialization and set up listeners
        await self.load()
@@ -819,7 +834,8 @@ class Addon(AddonModel):
        try:
            await self.instance.remove(remove_image=remove_image)
        except DockerError as err:
-            raise AddonsError() from err
+            _LOGGER.error("Could not remove image for addon %s: %s", self.slug, err)
+            raise AddonUnknownError(addon=self.slug) from err

        self.state = AddonState.UNKNOWN

@@ -884,7 +900,7 @@ class Addon(AddonModel):
        if it was running. Else nothing is returned.
        """
        if not self.addon_store:
-            raise AddonsError("Missing from store, cannot update!")
+            raise StoreAddonNotFoundError(addon=self.slug)

        old_image = self.image
        # Cache data to prevent races with other updates to global
@@ -892,8 +908,12 @@ class Addon(AddonModel):

        try:
            await self.instance.update(store.version, store.image, arch=self.arch)
+        except DockerBuildError as err:
+            _LOGGER.error("Could not build image for addon %s: %s", self.slug, err)
+            raise AddonBuildFailedUnknownError(addon=self.slug) from err
        except DockerError as err:
-            raise AddonsError() from err
+            _LOGGER.error("Could not pull image to update addon %s: %s", self.slug, err)
+            raise AddonUnknownError(addon=self.slug) from err

        # Stop the addon if running
        if (last_state := self.state) in {AddonState.STARTED, AddonState.STARTUP}:
@@ -935,12 +955,23 @@ class Addon(AddonModel):
        """
        last_state: AddonState = self.state
        try:
-            # remove docker container but not addon config
+            # remove docker container and image but not addon config
            try:
                await self.instance.remove()
-                await self.instance.install(self.version)
            except DockerError as err:
-                raise AddonsError() from err
+                _LOGGER.error("Could not remove image for addon %s: %s", self.slug, err)
+                raise AddonUnknownError(addon=self.slug) from err
+
+            try:
+                await self.instance.install(self.version)
+            except DockerBuildError as err:
+                _LOGGER.error("Could not build image for addon %s: %s", self.slug, err)
+                raise AddonBuildFailedUnknownError(addon=self.slug) from err
+            except DockerError as err:
+                _LOGGER.error(
+                    "Could not pull image to update addon %s: %s", self.slug, err
+                )
+                raise AddonUnknownError(addon=self.slug) from err

            if self.addon_store:
                await self.sys_addons.data.update(self.addon_store)
@@ -1111,8 +1142,9 @@ class Addon(AddonModel):
        try:
            await self.instance.run()
        except DockerError as err:
+            _LOGGER.error("Could not start container for addon %s: %s", self.slug, err)
            self.state = AddonState.ERROR
-            raise AddonsError() from err
+            raise AddonUnknownError(addon=self.slug) from err

        return self.sys_create_task(self._wait_for_startup())

@@ -1127,8 +1159,9 @@ class Addon(AddonModel):
        try:
            await self.instance.stop()
        except DockerError as err:
+            _LOGGER.error("Could not stop container for addon %s: %s", self.slug, err)
            self.state = AddonState.ERROR
-            raise AddonsError() from err
+            raise AddonUnknownError(addon=self.slug) from err

    @Job(
        name="addon_restart",
@@ -1161,9 +1194,15 @@ class Addon(AddonModel):
    async def stats(self) -> DockerStats:
        """Return stats of container."""
        try:
+            if not await self.is_running():
+                raise AddonNotRunningError(_LOGGER.warning, addon=self.slug)
+
            return await self.instance.stats()
        except DockerError as err:
-            raise AddonsError() from err
+            _LOGGER.error(
+                "Could not get stats of container for addon %s: %s", self.slug, err
+            )
+            raise AddonUnknownError(addon=self.slug) from err

    @Job(
        name="addon_write_stdin",
@@ -1173,14 +1212,18 @@ class Addon(AddonModel):
    async def write_stdin(self, data) -> None:
        """Write data to add-on stdin."""
        if not self.with_stdin:
-            raise AddonNotSupportedError(
-                f"Add-on {self.slug} does not support writing to stdin!", _LOGGER.error
-            )
+            raise AddonNotSupportedWriteStdinError(_LOGGER.error, addon=self.slug)

        try:
-            return await self.instance.write_stdin(data)
+            if not await self.is_running():
+                raise AddonNotRunningError(_LOGGER.warning, addon=self.slug)
+
+            await self.instance.write_stdin(data)
        except DockerError as err:
-            raise AddonsError() from err
+            _LOGGER.error(
+                "Could not write stdin to container for addon %s: %s", self.slug, err
+            )
+            raise AddonUnknownError(addon=self.slug) from err

    async def _backup_command(self, command: str) -> None:
        try:
@@ -1189,15 +1232,14 @@ class Addon(AddonModel):
                _LOGGER.debug(
                    "Pre-/Post backup command failed with: %s", command_return.output
                )
-                raise AddonsError(
-                    f"Pre-/Post backup command returned error code: {command_return.exit_code}",
-                    _LOGGER.error,
+                raise AddonPrePostBackupCommandReturnedError(
+                    _LOGGER.error, addon=self.slug, exit_code=command_return.exit_code
                )
        except DockerError as err:
-            raise AddonsError(
-                f"Failed running pre-/post backup command {command}: {str(err)}",
-                _LOGGER.error,
-            ) from err
+            _LOGGER.error(
+                "Failed running pre-/post backup command %s: %s", command, err
+            )
+            raise AddonUnknownError(addon=self.slug) from err

    @Job(
        name="addon_begin_backup",
@@ -1286,15 +1328,14 @@ class Addon(AddonModel):
                    try:
                        self.instance.export_image(temp_path.joinpath("image.tar"))
                    except DockerError as err:
-                        raise AddonsError() from err
+                        raise BackupRestoreUnknownError() from err

                # Store local configs/state
                try:
                    write_json_file(temp_path.joinpath("addon.json"), metadata)
                except ConfigurationFileError as err:
-                    raise AddonsError(
-                        f"Can't save meta for {self.slug}", _LOGGER.error
-                    ) from err
+                    _LOGGER.error("Can't save meta for %s: %s", self.slug, err)
+                    raise BackupRestoreUnknownError() from err

                # Store AppArmor Profile
                if apparmor_profile:
@@ -1304,9 +1345,7 @@ class Addon(AddonModel):
                            apparmor_profile, profile_backup_file
                        )
                    except HostAppArmorError as err:
-                        raise AddonsError(
-                            "Can't backup AppArmor profile", _LOGGER.error
-                        ) from err
+                        raise BackupRestoreUnknownError() from err

                # Write tarfile
                with tar_file as backup:
@@ -1360,7 +1399,8 @@ class Addon(AddonModel):
            )
            _LOGGER.info("Finish backup for addon %s", self.slug)
        except (tarfile.TarError, OSError, AddFileError) as err:
-            raise AddonsError(f"Can't write tarfile: {err}", _LOGGER.error) from err
+            _LOGGER.error("Can't write backup tarfile for addon %s: %s", self.slug, err)
+            raise BackupRestoreUnknownError() from err
        finally:
            if was_running:
                wait_for_start = await self.end_backup()
@@ -1402,28 +1442,24 @@ class Addon(AddonModel):
        try:
            tmp, data = await self.sys_run_in_executor(_extract_tarfile)
        except tarfile.TarError as err:
-            raise AddonsError(
-                f"Can't read tarfile {tar_file}: {err}", _LOGGER.error
-            ) from err
+            _LOGGER.error("Can't extract backup tarfile for %s: %s", self.slug, err)
+            raise BackupRestoreUnknownError() from err
        except ConfigurationFileError as err:
-            raise AddonsError() from err
+            raise AddonUnknownError(addon=self.slug) from err

        try:
            # Validate
            try:
                data = SCHEMA_ADDON_BACKUP(data)
            except vol.Invalid as err:
-                raise AddonsError(
-                    f"Can't validate {self.slug}, backup data: {humanize_error(data, err)}",
+                raise AddonBackupMetadataInvalidError(
                    _LOGGER.error,
+                    addon=self.slug,
+                    validation_error=humanize_error(data, err),
                ) from err

-            # If available
-            if not self._available(data[ATTR_SYSTEM]):
-                raise AddonNotSupportedError(
-                    f"Add-on {self.slug} is not available for this platform",
-                    _LOGGER.error,
-                )
+            # Validate availability. Raises if not
+            self._validate_availability(data[ATTR_SYSTEM], logger=_LOGGER.error)

            # Restore local add-on information
            _LOGGER.info("Restore config for addon %s", self.slug)
@@ -1482,9 +1518,10 @@ class Addon(AddonModel):
                try:
                    await self.sys_run_in_executor(_restore_data)
                except shutil.Error as err:
-                    raise AddonsError(
-                        f"Can't restore origin data: {err}", _LOGGER.error
-                    ) from err
+                    _LOGGER.error(
+                        "Can't restore origin data for %s: %s", self.slug, err
+                    )
+                    raise BackupRestoreUnknownError() from err

                # Restore AppArmor
                profile_file = Path(tmp.name, "apparmor.txt")
@@ -1495,10 +1532,11 @@ class Addon(AddonModel):
                        )
                    except HostAppArmorError as err:
                        _LOGGER.error(
-                            "Can't restore AppArmor profile for add-on %s",
+                            "Can't restore AppArmor profile for add-on %s: %s",
                            self.slug,
+                            err,
                        )
-                        raise AddonsError() from err
+                        raise BackupRestoreUnknownError() from err

            finally:
                # Is add-on loaded
--- a/supervisor/addons/build.py
+++ b/supervisor/addons/build.py
@@ -2,7 +2,10 @@

 from __future__ import annotations

+import base64
 from functools import cached_property
+import json
+import logging
 from pathlib import Path
 from typing import TYPE_CHECKING, Any

@@ -12,20 +15,31 @@ from ..const import (
    ATTR_ARGS,
    ATTR_BUILD_FROM,
    ATTR_LABELS,
+    ATTR_PASSWORD,
    ATTR_SQUASH,
+    ATTR_USERNAME,
    FILE_SUFFIX_CONFIGURATION,
    META_ADDON,
    SOCKET_DOCKER,
+    CpuArch,
 )
 from ..coresys import CoreSys, CoreSysAttributes
+from ..docker.const import DOCKER_HUB, DOCKER_HUB_LEGACY
 from ..docker.interface import MAP_ARCH
-from ..exceptions import ConfigurationFileError, HassioArchNotFound
+from ..exceptions import (
+    AddonBuildArchitectureNotSupportedError,
+    AddonBuildDockerfileMissingError,
+    ConfigurationFileError,
+    HassioArchNotFound,
+)
 from ..utils.common import FileConfiguration, find_one_filetype
 from .validate import SCHEMA_BUILD_CONFIG

 if TYPE_CHECKING:
    from .manager import AnyAddon

+_LOGGER: logging.Logger = logging.getLogger(__name__)
+

 class AddonBuild(FileConfiguration, CoreSysAttributes):
    """Handle build options for add-ons."""
@@ -62,7 +76,7 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
        raise RuntimeError()

    @cached_property
-    def arch(self) -> str:
+    def arch(self) -> CpuArch:
        """Return arch of the add-on."""
        return self.sys_arch.match([self.addon.arch])

@@ -106,7 +120,7 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
            return self.addon.path_location.joinpath(f"Dockerfile.{self.arch}")
        return self.addon.path_location.joinpath("Dockerfile")

-    async def is_valid(self) -> bool:
+    async def is_valid(self) -> None:
        """Return true if the build env is valid."""

        def build_is_valid() -> bool:
@@ -118,12 +132,58 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
            )

        try:
-            return await self.sys_run_in_executor(build_is_valid)
+            if not await self.sys_run_in_executor(build_is_valid):
+                raise AddonBuildDockerfileMissingError(
+                    _LOGGER.error, addon=self.addon.slug
+                )
        except HassioArchNotFound:
-            return False
+            raise AddonBuildArchitectureNotSupportedError(
+                _LOGGER.error,
+                addon=self.addon.slug,
+                addon_arch_list=self.addon.supported_arch,
+                system_arch_list=[arch.value for arch in self.sys_arch.supported],
+            ) from None
+
+    def get_docker_config_json(self) -> str | None:
+        """Generate Docker config.json content with registry credentials for base image.
+
+        Returns a JSON string with registry credentials for the base image's registry,
+        or None if no matching registry is configured.
+
+        Raises:
+            HassioArchNotFound: If the add-on is not supported on the current architecture.
+
+        """
+        # Early return before accessing base_image to avoid unnecessary arch lookup
+        if not self.sys_docker.config.registries:
+            return None
+
+        registry = self.sys_docker.config.get_registry_for_image(self.base_image)
+        if not registry:
+            return None
+
+        stored = self.sys_docker.config.registries[registry]
+        username = stored[ATTR_USERNAME]
+        password = stored[ATTR_PASSWORD]
+
+        # Docker config.json uses base64-encoded "username:password" for auth
+        auth_string = base64.b64encode(f"{username}:{password}".encode()).decode()
+
+        # Use the actual registry URL for the key
+        # Docker Hub uses "https://index.docker.io/v1/" as the key
+        # Support both docker.io (official) and hub.docker.com (legacy)
+        registry_key = (
+            "https://index.docker.io/v1/"
+            if registry in (DOCKER_HUB, DOCKER_HUB_LEGACY)
+            else registry
+        )
+
+        config = {"auths": {registry_key: {"auth": auth_string}}}
+
+        return json.dumps(config)

    def get_docker_args(
-        self, version: AwesomeVersion, image_tag: str
+        self, version: AwesomeVersion, image_tag: str, docker_config_path: Path | None
    ) -> dict[str, Any]:
        """Create a dict with Docker run args."""
        dockerfile_path = self.get_dockerfile().relative_to(self.addon.path_location)
@@ -172,12 +232,24 @@ class AddonBuild(FileConfiguration, CoreSysAttributes):
            self.addon.path_location
        )

+        volumes = {
+            SOCKET_DOCKER: {"bind": "/var/run/docker.sock", "mode": "rw"},
+            addon_extern_path: {"bind": "/addon", "mode": "ro"},
+        }
+
+        # Mount Docker config with registry credentials if available
+        if docker_config_path:
+            docker_config_extern_path = self.sys_config.local_to_extern_path(
+                docker_config_path
+            )
+            volumes[docker_config_extern_path] = {
+                "bind": "/root/.docker/config.json",
+                "mode": "ro",
+            }
+
        return {
            "command": build_cmd,
-            "volumes": {
-                SOCKET_DOCKER: {"bind": "/var/run/docker.sock", "mode": "rw"},
-                addon_extern_path: {"bind": "/addon", "mode": "ro"},
-            },
+            "volumes": volumes,
            "working_dir": "/addon",
        }

--- a/supervisor/addons/model.py
+++ b/supervisor/addons/model.py
@@ -87,6 +87,7 @@ from ..const import (
    AddonBootConfig,
    AddonStage,
    AddonStartup,
+    CpuArch,
 )
 from ..coresys import CoreSys
 from ..docker.const import Capabilities
@@ -315,12 +316,12 @@ class AddonModel(JobGroup, ABC):

    @property
    def panel_title(self) -> str:
-        """Return panel icon for Ingress frame."""
+        """Return panel title for Ingress frame."""
        return self.data.get(ATTR_PANEL_TITLE, self.name)

    @property
-    def panel_admin(self) -> str:
-        """Return panel icon for Ingress frame."""
+    def panel_admin(self) -> bool:
+        """Return if panel is only available for admin users."""
        return self.data[ATTR_PANEL_ADMIN]

    @property
@@ -488,7 +489,7 @@ class AddonModel(JobGroup, ABC):
        return self.data[ATTR_DEVICETREE]

    @property
-    def with_tmpfs(self) -> str | None:
+    def with_tmpfs(self) -> bool:
        """Return if tmp is in memory of add-on."""
        return self.data[ATTR_TMPFS]

@@ -508,7 +509,7 @@ class AddonModel(JobGroup, ABC):
        return self.data[ATTR_VIDEO]

    @property
-    def homeassistant_version(self) -> str | None:
+    def homeassistant_version(self) -> AwesomeVersion | None:
        """Return min Home Assistant version they needed by Add-on."""
        return self.data.get(ATTR_HOMEASSISTANT)

@@ -548,7 +549,7 @@ class AddonModel(JobGroup, ABC):
        return self.data.get(ATTR_MACHINE, [])

    @property
-    def arch(self) -> str:
+    def arch(self) -> CpuArch:
        """Return architecture to use for the addon's image."""
        if ATTR_IMAGE in self.data:
            return self.sys_arch.match(self.data[ATTR_ARCH])
--- a/supervisor/addons/options.py
+++ b/supervisor/addons/options.py
@@ -75,7 +75,7 @@ class AddonOptions(CoreSysAttributes):
        """Create a schema for add-on options."""
        return vol.Schema(vol.All(dict, self))

-    def __call__(self, struct):
+    def __call__(self, struct: dict[str, Any]) -> dict[str, Any]:
        """Create schema validator for add-ons options."""
        options = {}

@@ -193,9 +193,7 @@ class AddonOptions(CoreSysAttributes):
            f"Fatal error for option '{key}' with type '{typ}' in {self._name} ({self._slug})"
        ) from None

-    def _nested_validate_list(
-        self, typ: Any, data_list: list[Any], key: str
-    ) -> list[Any]:
+    def _nested_validate_list(self, typ: Any, data_list: Any, key: str) -> list[Any]:
        """Validate nested items."""
        options = []

@@ -213,7 +211,7 @@ class AddonOptions(CoreSysAttributes):
        return options

    def _nested_validate_dict(
-        self, typ: dict[Any, Any], data_dict: dict[Any, Any], key: str
+        self, typ: dict[Any, Any], data_dict: Any, key: str
    ) -> dict[Any, Any]:
        """Validate nested items."""
        options = {}
@@ -264,7 +262,7 @@ class UiOptions(CoreSysAttributes):

    def __init__(self, coresys: CoreSys) -> None:
        """Initialize UI option render."""
-        self.coresys = coresys
+        self.coresys: CoreSys = coresys

    def __call__(self, raw_schema: dict[str, Any]) -> list[dict[str, Any]]:
        """Generate UI schema."""
@@ -279,10 +277,10 @@ class UiOptions(CoreSysAttributes):
    def _ui_schema_element(
        self,
        ui_schema: list[dict[str, Any]],
-        value: str,
+        value: str | list[Any] | dict[str, Any],
        key: str,
        multiple: bool = False,
-    ):
+    ) -> None:
        if isinstance(value, list):
            # nested value list
            assert not multiple
--- a/supervisor/api/init.py
+++ b/supervisor/api/init.py
@@ -152,6 +152,7 @@ class RestAPI(CoreSysAttributes):
                        self._api_host.advanced_logs,
                        identifier=syslog_identifier,
                        latest=True,
+                        no_colors=True,
                    ),
                ),
                web.get(
@@ -449,6 +450,7 @@ class RestAPI(CoreSysAttributes):
                    await async_capture_exception(err)
                kwargs.pop("follow", None)  # Follow is not supported for Docker logs
                kwargs.pop("latest", None)  # Latest is not supported for Docker logs
+                kwargs.pop("no_colors", None)  # no_colors not supported for Docker logs
                return await api_supervisor.logs(*args, **kwargs)

        self.webapp.add_routes(
@@ -460,7 +462,7 @@ class RestAPI(CoreSysAttributes):
                ),
                web.get(
                    "/supervisor/logs/latest",
-                    partial(get_supervisor_logs, latest=True),
+                    partial(get_supervisor_logs, latest=True, no_colors=True),
                ),
                web.get("/supervisor/logs/boots/{bootid}", get_supervisor_logs),
                web.get(
@@ -576,7 +578,7 @@ class RestAPI(CoreSysAttributes):
                ),
                web.get(
                    "/addons/{addon}/logs/latest",
-                    partial(get_addon_logs, latest=True),
+                    partial(get_addon_logs, latest=True, no_colors=True),
                ),
                web.get("/addons/{addon}/logs/boots/{bootid}", get_addon_logs),
                web.get(
@@ -811,6 +813,10 @@ class RestAPI(CoreSysAttributes):
        self.webapp.add_routes(
            [
                web.get("/docker/info", api_docker.info),
+                web.post(
+                    "/docker/migrate-storage-driver",
+                    api_docker.migrate_docker_storage_driver,
+                ),
                web.post("/docker/options", api_docker.options),
                web.get("/docker/registries", api_docker.registries),
                web.post("/docker/registries", api_docker.create_registry),
--- a/supervisor/api/addons.py
+++ b/supervisor/api/addons.py
@@ -100,6 +100,9 @@ from ..const import (
 from ..coresys import CoreSysAttributes
 from ..docker.stats import DockerStats
 from ..exceptions import (
+    AddonBootConfigCannotChangeError,
+    AddonConfigurationInvalidError,
+    AddonNotSupportedWriteStdinError,
    APIAddonNotInstalled,
    APIError,
    APIForbidden,
@@ -125,6 +128,7 @@ SCHEMA_OPTIONS = vol.Schema(
        vol.Optional(ATTR_AUDIO_INPUT): vol.Maybe(str),
        vol.Optional(ATTR_INGRESS_PANEL): vol.Boolean(),
        vol.Optional(ATTR_WATCHDOG): vol.Boolean(),
+        vol.Optional(ATTR_OPTIONS): vol.Maybe(dict),
    }
 )

@@ -300,19 +304,24 @@ class APIAddons(CoreSysAttributes):
        # Update secrets for validation
        await self.sys_homeassistant.secrets.reload()

-        # Extend schema with add-on specific validation
-        addon_schema = SCHEMA_OPTIONS.extend(
-            {vol.Optional(ATTR_OPTIONS): vol.Maybe(addon.schema)}
-        )
-
        # Validate/Process Body
-        body = await api_validate(addon_schema, request)
+        body = await api_validate(SCHEMA_OPTIONS, request)
        if ATTR_OPTIONS in body:
-            addon.options = body[ATTR_OPTIONS]
+            # None resets options to defaults, otherwise validate the options
+            if body[ATTR_OPTIONS] is None:
+                addon.options = None
+            else:
+                try:
+                    addon.options = addon.schema(body[ATTR_OPTIONS])
+                except vol.Invalid as ex:
+                    raise AddonConfigurationInvalidError(
+                        addon=addon.slug,
+                        validation_error=humanize_error(body[ATTR_OPTIONS], ex),
+                    ) from None
        if ATTR_BOOT in body:
            if addon.boot_config == AddonBootConfig.MANUAL_ONLY:
-                raise APIError(
-                    f"Addon {addon.slug} boot option is set to {addon.boot_config} so it cannot be changed"
+                raise AddonBootConfigCannotChangeError(
+                    addon=addon.slug, boot_config=addon.boot_config.value
                )
            addon.boot = body[ATTR_BOOT]
        if ATTR_AUTO_UPDATE in body:
@@ -385,7 +394,7 @@ class APIAddons(CoreSysAttributes):
        return data

    @api_process
-    async def options_config(self, request: web.Request) -> None:
+    async def options_config(self, request: web.Request) -> dict[str, Any]:
        """Validate user options for add-on."""
        slug: str = request.match_info["addon"]
        if slug != "self":
@@ -430,11 +439,11 @@ class APIAddons(CoreSysAttributes):
        }

    @api_process
-    async def uninstall(self, request: web.Request) -> Awaitable[None]:
+    async def uninstall(self, request: web.Request) -> None:
        """Uninstall add-on."""
        addon = self.get_addon_for_request(request)
        body: dict[str, Any] = await api_validate(SCHEMA_UNINSTALL, request)
-        return await asyncio.shield(
+        await asyncio.shield(
            self.sys_addons.uninstall(
                addon.slug, remove_config=body[ATTR_REMOVE_CONFIG]
            )
@@ -476,7 +485,7 @@ class APIAddons(CoreSysAttributes):
        """Write to stdin of add-on."""
        addon = self.get_addon_for_request(request)
        if not addon.with_stdin:
-            raise APIError(f"STDIN not supported the {addon.slug} add-on")
+            raise AddonNotSupportedWriteStdinError(_LOGGER.error, addon=addon.slug)

        data = await request.read()
        await asyncio.shield(addon.write_stdin(data))
--- a/supervisor/api/auth.py
+++ b/supervisor/api/auth.py
@@ -15,7 +15,7 @@ import voluptuous as vol
 from ..addons.addon import Addon
 from ..const import ATTR_NAME, ATTR_PASSWORD, ATTR_USERNAME, REQUEST_FROM
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIForbidden
+from ..exceptions import APIForbidden, AuthInvalidNonStringValueError
 from .const import (
    ATTR_GROUP_IDS,
    ATTR_IS_ACTIVE,
@@ -69,7 +69,9 @@ class APIAuth(CoreSysAttributes):
        try:
            _ = username.encode and password.encode  # type: ignore
        except AttributeError:
-            raise HTTPUnauthorized(headers=REALM_HEADER) from None
+            raise AuthInvalidNonStringValueError(
+                _LOGGER.error, headers=REALM_HEADER
+            ) from None

        return self.sys_auth.check_login(
            addon, cast(str, username), cast(str, password)
--- a/supervisor/api/backups.py
+++ b/supervisor/api/backups.py
@@ -211,7 +211,7 @@ class APIBackups(CoreSysAttributes):
        await self.sys_backups.save_data()

    @api_process
-    async def reload(self, _):
+    async def reload(self, _: web.Request) -> bool:
        """Reload backup list."""
        await asyncio.shield(self.sys_backups.reload())
        return True
@@ -421,7 +421,7 @@ class APIBackups(CoreSysAttributes):
        await self.sys_backups.remove(backup, locations=locations)

    @api_process
-    async def download(self, request: web.Request):
+    async def download(self, request: web.Request) -> web.StreamResponse:
        """Download a backup file."""
        backup = self._extract_slug(request)
        # Query will give us '' for /backups, convert value to None
@@ -451,7 +451,7 @@ class APIBackups(CoreSysAttributes):
        return response

    @api_process
-    async def upload(self, request: web.Request):
+    async def upload(self, request: web.Request) -> dict[str, str] | bool:
        """Upload a backup file."""
        location: LOCATION_TYPE = None
        locations: list[LOCATION_TYPE] | None = None
--- a/supervisor/api/docker.py
+++ b/supervisor/api/docker.py
@@ -4,6 +4,7 @@ import logging
 from typing import Any

 from aiohttp import web
+from awesomeversion import AwesomeVersion
 import voluptuous as vol

 from supervisor.resolution.const import ContextType, IssueType, SuggestionType
@@ -16,6 +17,7 @@ from ..const import (
    ATTR_PASSWORD,
    ATTR_REGISTRIES,
    ATTR_STORAGE,
+    ATTR_STORAGE_DRIVER,
    ATTR_USERNAME,
    ATTR_VERSION,
 )
@@ -42,12 +44,18 @@ SCHEMA_OPTIONS = vol.Schema(
    }
 )

+SCHEMA_MIGRATE_DOCKER_STORAGE_DRIVER = vol.Schema(
+    {
+        vol.Required(ATTR_STORAGE_DRIVER): vol.In(["overlayfs"]),
+    }
+)
+

 class APIDocker(CoreSysAttributes):
    """Handle RESTful API for Docker configuration."""

    @api_process
-    async def info(self, request: web.Request):
+    async def info(self, request: web.Request) -> dict[str, Any]:
        """Get docker info."""
        data_registries = {}
        for hostname, registry in self.sys_docker.config.registries.items():
@@ -105,7 +113,7 @@ class APIDocker(CoreSysAttributes):
        return {ATTR_REGISTRIES: data_registries}

    @api_process
-    async def create_registry(self, request: web.Request):
+    async def create_registry(self, request: web.Request) -> None:
        """Create a new docker registry."""
        body = await api_validate(SCHEMA_DOCKER_REGISTRY, request)

@@ -115,7 +123,7 @@ class APIDocker(CoreSysAttributes):
        await self.sys_docker.config.save_data()

    @api_process
-    async def remove_registry(self, request: web.Request):
+    async def remove_registry(self, request: web.Request) -> None:
        """Delete a docker registry."""
        hostname = request.match_info.get(ATTR_HOSTNAME)
        if hostname not in self.sys_docker.config.registries:
@@ -123,3 +131,27 @@ class APIDocker(CoreSysAttributes):

        del self.sys_docker.config.registries[hostname]
        await self.sys_docker.config.save_data()
+
+    @api_process
+    async def migrate_docker_storage_driver(self, request: web.Request) -> None:
+        """Migrate Docker storage driver."""
+        if (
+            not self.coresys.os.available
+            or not self.coresys.os.version
+            or self.coresys.os.version < AwesomeVersion("17.0.dev0")
+        ):
+            raise APINotFound(
+                "Home Assistant OS 17.0 or newer required for Docker storage driver migration"
+            )
+
+        body = await api_validate(SCHEMA_MIGRATE_DOCKER_STORAGE_DRIVER, request)
+        await self.sys_dbus.agent.system.migrate_docker_storage_driver(
+            body[ATTR_STORAGE_DRIVER]
+        )
+
+        _LOGGER.info("Host system reboot required to apply Docker storage migration")
+        self.sys_resolution.create_issue(
+            IssueType.REBOOT_REQUIRED,
+            ContextType.SYSTEM,
+            suggestions=[SuggestionType.EXECUTE_REBOOT],
+        )
--- a/supervisor/api/homeassistant.py
+++ b/supervisor/api/homeassistant.py
@@ -18,6 +18,7 @@ from ..const import (
    ATTR_BLK_WRITE,
    ATTR_BOOT,
    ATTR_CPU_PERCENT,
+    ATTR_DUPLICATE_LOG_FILE,
    ATTR_IMAGE,
    ATTR_IP_ADDRESS,
    ATTR_JOB_ID,
@@ -55,6 +56,7 @@ SCHEMA_OPTIONS = vol.Schema(
        vol.Optional(ATTR_AUDIO_OUTPUT): vol.Maybe(str),
        vol.Optional(ATTR_AUDIO_INPUT): vol.Maybe(str),
        vol.Optional(ATTR_BACKUPS_EXCLUDE_DATABASE): vol.Boolean(),
+        vol.Optional(ATTR_DUPLICATE_LOG_FILE): vol.Boolean(),
    }
 )

@@ -112,6 +114,7 @@ class APIHomeAssistant(CoreSysAttributes):
            ATTR_AUDIO_INPUT: self.sys_homeassistant.audio_input,
            ATTR_AUDIO_OUTPUT: self.sys_homeassistant.audio_output,
            ATTR_BACKUPS_EXCLUDE_DATABASE: self.sys_homeassistant.backups_exclude_database,
+            ATTR_DUPLICATE_LOG_FILE: self.sys_homeassistant.duplicate_log_file,
        }

    @api_process
@@ -151,10 +154,13 @@ class APIHomeAssistant(CoreSysAttributes):
                ATTR_BACKUPS_EXCLUDE_DATABASE
            ]

+        if ATTR_DUPLICATE_LOG_FILE in body:
+            self.sys_homeassistant.duplicate_log_file = body[ATTR_DUPLICATE_LOG_FILE]
+
        await self.sys_homeassistant.save_data()

    @api_process
-    async def stats(self, request: web.Request) -> dict[Any, str]:
+    async def stats(self, request: web.Request) -> dict[str, Any]:
        """Return resource information."""
        stats = await self.sys_homeassistant.core.stats()
        if not stats:
@@ -191,7 +197,7 @@ class APIHomeAssistant(CoreSysAttributes):
        return await update_task

    @api_process
-    async def stop(self, request: web.Request) -> Awaitable[None]:
+    async def stop(self, request: web.Request) -> None:
        """Stop Home Assistant."""
        body = await api_validate(SCHEMA_STOP, request)
        await self._check_offline_migration(force=body[ATTR_FORCE])
--- a/supervisor/api/host.py
+++ b/supervisor/api/host.py
@@ -1,6 +1,7 @@
 """Init file for Supervisor host RESTful API."""

 import asyncio
+from collections.abc import Awaitable
 from contextlib import suppress
 import json
 import logging
@@ -99,7 +100,7 @@ class APIHost(CoreSysAttributes):
            )

    @api_process
-    async def info(self, request):
+    async def info(self, request: web.Request) -> dict[str, Any]:
        """Return host information."""
        return {
            ATTR_AGENT_VERSION: self.sys_dbus.agent.version,
@@ -128,7 +129,7 @@ class APIHost(CoreSysAttributes):
        }

    @api_process
-    async def options(self, request):
+    async def options(self, request: web.Request) -> None:
        """Edit host settings."""
        body = await api_validate(SCHEMA_OPTIONS, request)

@@ -139,7 +140,7 @@ class APIHost(CoreSysAttributes):
            )

    @api_process
-    async def reboot(self, request):
+    async def reboot(self, request: web.Request) -> None:
        """Reboot host."""
        body = await api_validate(SCHEMA_SHUTDOWN, request)
        await self._check_ha_offline_migration(force=body[ATTR_FORCE])
@@ -147,7 +148,7 @@ class APIHost(CoreSysAttributes):
        return await asyncio.shield(self.sys_host.control.reboot())

    @api_process
-    async def shutdown(self, request):
+    async def shutdown(self, request: web.Request) -> None:
        """Poweroff host."""
        body = await api_validate(SCHEMA_SHUTDOWN, request)
        await self._check_ha_offline_migration(force=body[ATTR_FORCE])
@@ -155,12 +156,12 @@ class APIHost(CoreSysAttributes):
        return await asyncio.shield(self.sys_host.control.shutdown())

    @api_process
-    def reload(self, request):
+    def reload(self, request: web.Request) -> Awaitable[None]:
        """Reload host data."""
        return asyncio.shield(self.sys_host.reload())

    @api_process
-    async def services(self, request):
+    async def services(self, request: web.Request) -> dict[str, Any]:
        """Return list of available services."""
        services = []
        for unit in self.sys_host.services:
@@ -175,7 +176,7 @@ class APIHost(CoreSysAttributes):
        return {ATTR_SERVICES: services}

    @api_process
-    async def list_boots(self, _: web.Request):
+    async def list_boots(self, _: web.Request) -> dict[str, Any]:
        """Return a list of boot IDs."""
        boot_ids = await self.sys_host.logs.get_boot_ids()
        return {
@@ -186,7 +187,7 @@ class APIHost(CoreSysAttributes):
        }

    @api_process
-    async def list_identifiers(self, _: web.Request):
+    async def list_identifiers(self, _: web.Request) -> dict[str, list[str]]:
        """Return a list of syslog identifiers."""
        return {ATTR_IDENTIFIERS: await self.sys_host.logs.get_identifiers()}

@@ -206,6 +207,7 @@ class APIHost(CoreSysAttributes):
        identifier: str | None = None,
        follow: bool = False,
        latest: bool = False,
+        no_colors: bool = False,
    ) -> web.StreamResponse:
        """Return systemd-journald logs."""
        log_formatter = LogFormatter.PLAIN
@@ -251,6 +253,9 @@ class APIHost(CoreSysAttributes):
        if "verbose" in request.query or request.headers[ACCEPT] == CONTENT_TYPE_X_LOG:
            log_formatter = LogFormatter.VERBOSE

+        if "no_colors" in request.query:
+            no_colors = True
+
        if "lines" in request.query:
            lines = request.query.get("lines", DEFAULT_LINES)
            try:
@@ -280,7 +285,9 @@ class APIHost(CoreSysAttributes):
                response = web.StreamResponse()
                response.content_type = CONTENT_TYPE_TEXT
                headers_returned = False
-                async for cursor, line in journal_logs_reader(resp, log_formatter):
+                async for cursor, line in journal_logs_reader(
+                    resp, log_formatter, no_colors
+                ):
                    try:
                        if not headers_returned:
                            if cursor:
@@ -318,12 +325,15 @@ class APIHost(CoreSysAttributes):
        identifier: str | None = None,
        follow: bool = False,
        latest: bool = False,
+        no_colors: bool = False,
    ) -> web.StreamResponse:
        """Return systemd-journald logs. Wrapped as standard API handler."""
-        return await self.advanced_logs_handler(request, identifier, follow, latest)
+        return await self.advanced_logs_handler(
+            request, identifier, follow, latest, no_colors
+        )

    @api_process
-    async def disk_usage(self, request: web.Request) -> dict:
+    async def disk_usage(self, request: web.Request) -> dict[str, Any]:
        """Return a breakdown of storage usage for the system."""

        max_depth = request.query.get(ATTR_MAX_DEPTH, 1)
@@ -334,10 +344,14 @@ class APIHost(CoreSysAttributes):

        disk = self.sys_hardware.disk

-        total, used, _ = await self.sys_run_in_executor(
+        total, _, free = await self.sys_run_in_executor(
            disk.disk_usage, self.sys_config.path_supervisor
        )

+        # Calculate used by subtracting free makes sure we include reserved space
+        # in used space reporting.
+        used = total - free
+
        known_paths = await self.sys_run_in_executor(
            disk.get_dir_sizes,
            {
--- a/supervisor/api/middleware/security.py
+++ b/supervisor/api/middleware/security.py
@@ -1,12 +1,12 @@
 """Handle security part of this API."""

-from collections.abc import Callable
+from collections.abc import Awaitable, Callable
 import logging
 import re
 from typing import Final
 from urllib.parse import unquote

-from aiohttp.web import Request, Response, middleware
+from aiohttp.web import Request, StreamResponse, middleware
 from aiohttp.web_exceptions import HTTPBadRequest, HTTPForbidden, HTTPUnauthorized
 from awesomeversion import AwesomeVersion

@@ -89,7 +89,7 @@ CORE_ONLY_PATHS: Final = re.compile(
 )

 # Policy role add-on API access
-ADDONS_ROLE_ACCESS: dict[str, re.Pattern] = {
+ADDONS_ROLE_ACCESS: dict[str, re.Pattern[str]] = {
    ROLE_DEFAULT: re.compile(
        r"^(?:"
        r"|/.+/info"
@@ -180,7 +180,9 @@ class SecurityMiddleware(CoreSysAttributes):
        return unquoted

    @middleware
-    async def block_bad_requests(self, request: Request, handler: Callable) -> Response:
+    async def block_bad_requests(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Process request and tblock commonly known exploit attempts."""
        if FILTERS.search(self._recursive_unquote(request.path)):
            _LOGGER.warning(
@@ -198,7 +200,9 @@ class SecurityMiddleware(CoreSysAttributes):
        return await handler(request)

    @middleware
-    async def system_validation(self, request: Request, handler: Callable) -> Response:
+    async def system_validation(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Check if core is ready to response."""
        if self.sys_core.state not in VALID_API_STATES:
            return api_return_error(
@@ -208,7 +212,9 @@ class SecurityMiddleware(CoreSysAttributes):
        return await handler(request)

    @middleware
-    async def token_validation(self, request: Request, handler: Callable) -> Response:
+    async def token_validation(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Check security access of this layer."""
        request_from: CoreSysAttributes | None = None
        supervisor_token = extract_supervisor_token(request)
@@ -279,7 +285,9 @@ class SecurityMiddleware(CoreSysAttributes):
        raise HTTPForbidden()

    @middleware
-    async def core_proxy(self, request: Request, handler: Callable) -> Response:
+    async def core_proxy(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Validate user from Core API proxy."""
        if (
            request[REQUEST_FROM] != self.sys_homeassistant
--- a/supervisor/api/services.py
+++ b/supervisor/api/services.py
@@ -1,5 +1,9 @@
 """Init file for Supervisor network RESTful API."""

+from typing import Any
+
+from aiohttp import web
+
 from ..const import (
    ATTR_AVAILABLE,
    ATTR_PROVIDERS,
@@ -25,7 +29,7 @@ class APIServices(CoreSysAttributes):
        return service

    @api_process
-    async def list_services(self, request):
+    async def list_services(self, request: web.Request) -> dict[str, Any]:
        """Show register services."""
        services = []
        for service in self.sys_services.list_services:
@@ -40,7 +44,7 @@ class APIServices(CoreSysAttributes):
        return {ATTR_SERVICES: services}

    @api_process
-    async def set_service(self, request):
+    async def set_service(self, request: web.Request) -> None:
        """Write data into a service."""
        service = self._extract_service(request)
        body = await api_validate(service.schema, request)
@@ -50,7 +54,7 @@ class APIServices(CoreSysAttributes):
        await service.set_service_data(addon, body)

    @api_process
-    async def get_service(self, request):
+    async def get_service(self, request: web.Request) -> dict[str, Any]:
        """Read data into a service."""
        service = self._extract_service(request)

@@ -62,7 +66,7 @@ class APIServices(CoreSysAttributes):
        return service.get_service_data()

    @api_process
-    async def del_service(self, request):
+    async def del_service(self, request: web.Request) -> None:
        """Delete data into a service."""
        service = self._extract_service(request)
        addon = request[REQUEST_FROM]
--- a/supervisor/api/store.py
+++ b/supervisor/api/store.py
@@ -53,7 +53,7 @@ from ..const import (
    REQUEST_FROM,
 )
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIError, APIForbidden, APINotFound
+from ..exceptions import APIError, APIForbidden, APINotFound, StoreAddonNotFoundError
 from ..store.addon import AddonStore
 from ..store.repository import Repository
 from ..store.validate import validate_repository
@@ -104,7 +104,7 @@ class APIStore(CoreSysAttributes):
        addon_slug: str = request.match_info["addon"]

        if not (addon := self.sys_addons.get(addon_slug)):
-            raise APINotFound(f"Addon {addon_slug} does not exist")
+            raise StoreAddonNotFoundError(addon=addon_slug)

        if installed and not addon.is_installed:
            raise APIError(f"Addon {addon_slug} is not installed")
@@ -112,7 +112,7 @@ class APIStore(CoreSysAttributes):
        if not installed and addon.is_installed:
            addon = cast(Addon, addon)
            if not addon.addon_store:
-                raise APINotFound(f"Addon {addon_slug} does not exist in the store")
+                raise StoreAddonNotFoundError(addon=addon_slug)
            return addon.addon_store

        return addon
@@ -349,13 +349,13 @@ class APIStore(CoreSysAttributes):
        return self._generate_repository_information(repository)

    @api_process
-    async def add_repository(self, request: web.Request):
+    async def add_repository(self, request: web.Request) -> None:
        """Add repository to the store."""
        body = await api_validate(SCHEMA_ADD_REPOSITORY, request)
        await asyncio.shield(self.sys_store.add_repository(body[ATTR_REPOSITORY]))

    @api_process
-    async def remove_repository(self, request: web.Request):
+    async def remove_repository(self, request: web.Request) -> None:
        """Remove repository from the store."""
        repository: Repository = self._extract_repository(request)
        await asyncio.shield(self.sys_store.remove_repository(repository))
--- a/supervisor/api/supervisor.py
+++ b/supervisor/api/supervisor.py
@@ -80,7 +80,7 @@ class APISupervisor(CoreSysAttributes):
    """Handle RESTful API for Supervisor functions."""

    @api_process
-    async def ping(self, request):
+    async def ping(self, request: web.Request) -> bool:
        """Return ok for signal that the API is ready."""
        return True

--- a/supervisor/api/utils.py
+++ b/supervisor/api/utils.py
@@ -1,7 +1,7 @@
 """Init file for Supervisor util for RESTful API."""

 import asyncio
-from collections.abc import Callable
+from collections.abc import Callable, Mapping
 import json
 from typing import Any, cast

@@ -26,7 +26,7 @@ from ..const import (
    RESULT_OK,
 )
 from ..coresys import CoreSys, CoreSysAttributes
-from ..exceptions import APIError, BackupFileNotFoundError, DockerAPIError, HassioError
+from ..exceptions import APIError, DockerAPIError, HassioError
 from ..jobs import JobSchedulerOptions, SupervisorJob
 from ..utils import check_exception_chain, get_message_from_exception_chain
 from ..utils.json import json_dumps, json_loads as json_loads_util
@@ -63,16 +63,14 @@ def json_loads(data: Any) -> dict[str, Any]:
 def api_process(method):
    """Wrap function with true/false calls to rest api."""

-    async def wrap_api(
-        api: CoreSysAttributes, *args, **kwargs
-    ) -> web.Response | web.StreamResponse:
+    async def wrap_api(*args, **kwargs) -> web.Response | web.StreamResponse:
        """Return API information."""
        try:
-            answer = await method(api, *args, **kwargs)
-        except BackupFileNotFoundError as err:
-            return api_return_error(err, status=404)
+            answer = await method(*args, **kwargs)
        except APIError as err:
-            return api_return_error(err, status=err.status, job_id=err.job_id)
+            return api_return_error(
+                err, status=err.status, job_id=err.job_id, headers=err.headers
+            )
        except HassioError as err:
            return api_return_error(err)

@@ -109,12 +107,10 @@ def api_process_raw(content, *, error_type=None):
    def wrap_method(method):
        """Wrap function with raw output to rest api."""

-        async def wrap_api(
-            api: CoreSysAttributes, *args, **kwargs
-        ) -> web.Response | web.StreamResponse:
+        async def wrap_api(*args, **kwargs) -> web.Response | web.StreamResponse:
            """Return api information."""
            try:
-                msg_data = await method(api, *args, **kwargs)
+                msg_data = await method(*args, **kwargs)
            except APIError as err:
                return api_return_error(
                    err,
@@ -143,6 +139,7 @@ def api_return_error(
    error_type: str | None = None,
    status: int = 400,
    *,
+    headers: Mapping[str, str] | None = None,
    job_id: str | None = None,
 ) -> web.Response:
    """Return an API error message."""
@@ -155,10 +152,15 @@ def api_return_error(

    match error_type:
        case const.CONTENT_TYPE_TEXT:
-            return web.Response(body=message, content_type=error_type, status=status)
+            return web.Response(
+                body=message, content_type=error_type, status=status, headers=headers
+            )
        case const.CONTENT_TYPE_BINARY:
            return web.Response(
-                body=message.encode(), content_type=error_type, status=status
+                body=message.encode(),
+                content_type=error_type,
+                status=status,
+                headers=headers,
            )
        case _:
            result: dict[str, Any] = {
@@ -176,6 +178,7 @@ def api_return_error(
        result,
        status=status,
        dumps=json_dumps,
+        headers=headers,
    )


--- a/supervisor/arch.py
+++ b/supervisor/arch.py
@@ -4,6 +4,7 @@ import logging
 from pathlib import Path
 import platform

+from .const import CpuArch
 from .coresys import CoreSys, CoreSysAttributes
 from .exceptions import ConfigurationFileError, HassioArchNotFound
 from .utils.json import read_json_file
@@ -12,38 +13,40 @@ _LOGGER: logging.Logger = logging.getLogger(__name__)

 ARCH_JSON: Path = Path(__file__).parent.joinpath("data/arch.json")

-MAP_CPU = {
-    "armv7": "armv7",
-    "armv6": "armhf",
-    "armv8": "aarch64",
-    "aarch64": "aarch64",
-    "i686": "i386",
-    "x86_64": "amd64",
+MAP_CPU: dict[str, CpuArch] = {
+    "armv7": CpuArch.ARMV7,
+    "armv6": CpuArch.ARMHF,
+    "armv8": CpuArch.AARCH64,
+    "aarch64": CpuArch.AARCH64,
+    "i686": CpuArch.I386,
+    "x86_64": CpuArch.AMD64,
 }


-class CpuArch(CoreSysAttributes):
+class CpuArchManager(CoreSysAttributes):
    """Manage available architectures."""

    def __init__(self, coresys: CoreSys) -> None:
        """Initialize CPU Architecture handler."""
        self.coresys = coresys
-        self._supported_arch: list[str] = []
-        self._supported_set: set[str] = set()
-        self._default_arch: str
+        self._supported_arch: list[CpuArch] = []
+        self._supported_set: set[CpuArch] = set()
+        self._default_arch: CpuArch

    @property
-    def default(self) -> str:
+    def default(self) -> CpuArch:
        """Return system default arch."""
        return self._default_arch

    @property
-    def supervisor(self) -> str:
+    def supervisor(self) -> CpuArch:
        """Return supervisor arch."""
-        return self.sys_supervisor.arch or self._default_arch
+        if self.sys_supervisor.arch:
+            return CpuArch(self.sys_supervisor.arch)
+        return self._default_arch

    @property
-    def supported(self) -> list[str]:
+    def supported(self) -> list[CpuArch]:
        """Return support arch by CPU/Machine."""
        return self._supported_arch

@@ -65,7 +68,7 @@ class CpuArch(CoreSysAttributes):
            return

        # Use configs from arch.json
-        self._supported_arch.extend(arch_data[self.sys_machine])
+        self._supported_arch.extend(CpuArch(a) for a in arch_data[self.sys_machine])
        self._default_arch = self.supported[0]

        # Make sure native support is in supported list
@@ -78,14 +81,14 @@ class CpuArch(CoreSysAttributes):
        """Return True if there is a supported arch by this platform."""
        return not self._supported_set.isdisjoint(arch_list)

-    def match(self, arch_list: list[str]) -> str:
+    def match(self, arch_list: list[str]) -> CpuArch:
        """Return best match for this CPU/Platform."""
        for self_arch in self.supported:
            if self_arch in arch_list:
                return self_arch
        raise HassioArchNotFound()

-    def detect_cpu(self) -> str:
+    def detect_cpu(self) -> CpuArch:
        """Return the arch type of local CPU."""
        cpu = platform.machine()
        for check, value in MAP_CPU.items():
@@ -96,9 +99,10 @@ class CpuArch(CoreSysAttributes):
                "Unknown CPU architecture %s, falling back to Supervisor architecture.",
                cpu,
            )
-            return self.sys_supervisor.arch
+            return CpuArch(self.sys_supervisor.arch)
        _LOGGER.warning(
            "Unknown CPU architecture %s, assuming CPU architecture equals Supervisor architecture.",
            cpu,
        )
-        return cpu
+        # Return the cpu string as-is, wrapped in CpuArch (may fail if invalid)
+        return CpuArch(cpu)
--- a/supervisor/auth.py
+++ b/supervisor/auth.py
@@ -9,8 +9,10 @@ from .addons.addon import Addon
 from .const import ATTR_PASSWORD, ATTR_TYPE, ATTR_USERNAME, FILE_HASSIO_AUTH
 from .coresys import CoreSys, CoreSysAttributes
 from .exceptions import (
-    AuthError,
+    AuthHomeAssistantAPIValidationError,
+    AuthInvalidNonStringValueError,
    AuthListUsersError,
+    AuthListUsersNoneResponseError,
    AuthPasswordResetError,
    HomeAssistantAPIError,
    HomeAssistantWSError,
@@ -83,10 +85,8 @@ class Auth(FileConfiguration, CoreSysAttributes):
        self, addon: Addon, username: str | None, password: str | None
    ) -> bool:
        """Check username login."""
-        if password is None:
-            raise AuthError("None as password is not supported!", _LOGGER.error)
-        if username is None:
-            raise AuthError("None as username is not supported!", _LOGGER.error)
+        if username is None or password is None:
+            raise AuthInvalidNonStringValueError(_LOGGER.error)

        _LOGGER.info("Auth request from '%s' for '%s'", addon.slug, username)

@@ -137,7 +137,7 @@ class Auth(FileConfiguration, CoreSysAttributes):
        finally:
            self._running.pop(username, None)

-        raise AuthError()
+        raise AuthHomeAssistantAPIValidationError()

    async def change_password(self, username: str, password: str) -> None:
        """Change user password login."""
@@ -155,7 +155,7 @@ class Auth(FileConfiguration, CoreSysAttributes):
        except HomeAssistantAPIError as err:
            _LOGGER.error("Can't request password reset on Home Assistant: %s", err)

-        raise AuthPasswordResetError()
+        raise AuthPasswordResetError(user=username)

    async def list_users(self) -> list[dict[str, Any]]:
        """List users on the Home Assistant instance."""
@@ -166,15 +166,12 @@ class Auth(FileConfiguration, CoreSysAttributes):
                {ATTR_TYPE: "config/auth/list"}
            )
        except HomeAssistantWSError as err:
-            raise AuthListUsersError(
-                f"Can't request listing users on Home Assistant: {err}", _LOGGER.error
-            ) from err
+            _LOGGER.error("Can't request listing users on Home Assistant: %s", err)
+            raise AuthListUsersError() from err

        if users is not None:
            return users
-        raise AuthListUsersError(
-            "Can't request listing users on Home Assistant!", _LOGGER.error
-        )
+        raise AuthListUsersNoneResponseError(_LOGGER.error)

    @staticmethod
    def _rehash(value: str, salt2: str = "") -> str:
--- a/supervisor/backups/backup.py
+++ b/supervisor/backups/backup.py
@@ -60,7 +60,6 @@ from ..utils.dt import parse_datetime, utcnow
 from ..utils.json import json_bytes
 from ..utils.sentinel import DEFAULT
 from .const import BUF_SIZE, LOCATION_CLOUD_BACKUP, BackupType
-from .utils import password_to_key
 from .validate import SCHEMA_BACKUP

 IGNORED_COMPARISON_FIELDS = {ATTR_PROTECTED, ATTR_CRYPTO, ATTR_DOCKER}
@@ -101,7 +100,7 @@ class Backup(JobGroup):
        self._data: dict[str, Any] = data or {ATTR_SLUG: slug}
        self._tmp: TemporaryDirectory | None = None
        self._outer_secure_tarfile: SecureTarFile | None = None
-        self._key: bytes | None = None
+        self._password: str | None = None
        self._locations: dict[str | None, BackupLocation] = {
            location: BackupLocation(
                path=tar_file,
@@ -327,7 +326,7 @@ class Backup(JobGroup):

        # Set password
        if password:
-            self._init_password(password)
+            self._password = password
            self._data[ATTR_PROTECTED] = True
            self._data[ATTR_CRYPTO] = CRYPTO_AES128
            self._locations[self.location].protected = True
@@ -337,14 +336,7 @@ class Backup(JobGroup):

    def set_password(self, password: str | None) -> None:
        """Set the password for an existing backup."""
-        if password:
-            self._init_password(password)
-        else:
-            self._key = None
-
-    def _init_password(self, password: str) -> None:
-        """Create key from password."""
-        self._key = password_to_key(password)
+        self._password = password

    async def validate_backup(self, location: str | None) -> None:
        """Validate backup.
@@ -374,9 +366,9 @@ class Backup(JobGroup):
                    with SecureTarFile(
                        ending,  # Not used
                        gzip=self.compressed,
-                        key=self._key,
                        mode="r",
                        fileobj=test_tar_file,
+                        password=self._password,
                    ):
                        # If we can read the tar file, the password is correct
                        return
@@ -592,7 +584,7 @@ class Backup(JobGroup):
        addon_file = self._outer_secure_tarfile.create_inner_tar(
            f"./{tar_name}",
            gzip=self.compressed,
-            key=self._key,
+            password=self._password,
        )
        # Take backup
        try:
@@ -628,9 +620,6 @@ class Backup(JobGroup):
                if start_task := await self._addon_save(addon):
                    start_tasks.append(start_task)
            except BackupError as err:
-                err = BackupError(
-                    f"Can't backup add-on {addon.slug}: {str(err)}", _LOGGER.error
-                )
                self.sys_jobs.current.capture_error(err)

        return start_tasks
@@ -646,9 +635,9 @@ class Backup(JobGroup):
        addon_file = SecureTarFile(
            Path(self._tmp.name, tar_name),
            "r",
-            key=self._key,
            gzip=self.compressed,
            bufsize=BUF_SIZE,
+            password=self._password,
        )

        # If exists inside backup
@@ -744,7 +733,7 @@ class Backup(JobGroup):
            with outer_secure_tarfile.create_inner_tar(
                f"./{tar_name}",
                gzip=self.compressed,
-                key=self._key,
+                password=self._password,
            ) as tar_file:
                atomic_contents_add(
                    tar_file,
@@ -805,9 +794,9 @@ class Backup(JobGroup):
                with SecureTarFile(
                    tar_name,
                    "r",
-                    key=self._key,
                    gzip=self.compressed,
                    bufsize=BUF_SIZE,
+                    password=self._password,
                ) as tar_file:
                    tar_file.extractall(
                        path=origin_dir, members=tar_file, filter="fully_trusted"
@@ -868,7 +857,7 @@ class Backup(JobGroup):
        homeassistant_file = self._outer_secure_tarfile.create_inner_tar(
            f"./{tar_name}",
            gzip=self.compressed,
-            key=self._key,
+            password=self._password,
        )

        await self.sys_homeassistant.backup(homeassistant_file, exclude_database)
@@ -891,7 +880,11 @@ class Backup(JobGroup):
            self._tmp.name, f"homeassistant.tar{'.gz' if self.compressed else ''}"
        )
        homeassistant_file = SecureTarFile(
-            tar_name, "r", key=self._key, gzip=self.compressed, bufsize=BUF_SIZE
+            tar_name,
+            "r",
+            gzip=self.compressed,
+            bufsize=BUF_SIZE,
+            password=self._password,
        )

        await self.sys_homeassistant.restore(
--- a/supervisor/backups/utils.py
+++ b/supervisor/backups/utils.py
@@ -6,21 +6,6 @@ import re
 RE_DIGITS = re.compile(r"\d+")


-def password_to_key(password: str) -> bytes:
-    """Generate a AES Key from password."""
-    key: bytes = password.encode()
-    for _ in range(100):
-        key = hashlib.sha256(key).digest()
-    return key[:16]
-
-
-def key_to_iv(key: bytes) -> bytes:
-    """Generate an iv from Key."""
-    for _ in range(100):
-        key = hashlib.sha256(key).digest()
-    return key[:16]
-
-
 def create_slug(name: str, date_str: str) -> str:
    """Generate a hash from repository."""
    key = f"{date_str} - {name}".lower().encode()
--- a/supervisor/bootstrap.py
+++ b/supervisor/bootstrap.py
@@ -13,7 +13,7 @@ from colorlog import ColoredFormatter

 from .addons.manager import AddonManager
 from .api import RestAPI
-from .arch import CpuArch
+from .arch import CpuArchManager
 from .auth import Auth
 from .backups.manager import BackupManager
 from .bus import Bus
@@ -71,7 +71,7 @@ async def initialize_coresys() -> CoreSys:
    coresys.jobs = await JobManager(coresys).load_config()
    coresys.core = await Core(coresys).post_init()
    coresys.plugins = await PluginManager(coresys).load_config()
-    coresys.arch = CpuArch(coresys)
+    coresys.arch = CpuArchManager(coresys)
    coresys.auth = await Auth(coresys).load_config()
    coresys.updater = await Updater(coresys).load_config()
    coresys.api = RestAPI(coresys)
--- a/supervisor/const.py
+++ b/supervisor/const.py
@@ -179,6 +179,7 @@ ATTR_DOCKER = "docker"
 ATTR_DOCKER_API = "docker_api"
 ATTR_DOCUMENTATION = "documentation"
 ATTR_DOMAINS = "domains"
+ATTR_DUPLICATE_LOG_FILE = "duplicate_log_file"
 ATTR_ENABLE = "enable"
 ATTR_ENABLE_IPV6 = "enable_ipv6"
 ATTR_ENABLED = "enabled"
@@ -328,6 +329,7 @@ ATTR_STATE = "state"
 ATTR_STATIC = "static"
 ATTR_STDIN = "stdin"
 ATTR_STORAGE = "storage"
+ATTR_STORAGE_DRIVER = "storage_driver"
 ATTR_SUGGESTIONS = "suggestions"
 ATTR_SUPERVISOR = "supervisor"
 ATTR_SUPERVISOR_INTERNET = "supervisor_internet"
--- a/supervisor/coresys.py
+++ b/supervisor/coresys.py
@@ -9,6 +9,7 @@ from datetime import UTC, datetime, tzinfo
 from functools import partial
 import logging
 import os
+import time
 from types import MappingProxyType
 from typing import TYPE_CHECKING, Any, Self, TypeVar

@@ -28,7 +29,7 @@ from .const import (
 if TYPE_CHECKING:
    from .addons.manager import AddonManager
    from .api import RestAPI
-    from .arch import CpuArch
+    from .arch import CpuArchManager
    from .auth import Auth
    from .backups.manager import BackupManager
    from .bus import Bus
@@ -77,7 +78,7 @@ class CoreSys:
        # Internal objects pointers
        self._docker: DockerAPI | None = None
        self._core: Core | None = None
-        self._arch: CpuArch | None = None
+        self._arch: CpuArchManager | None = None
        self._auth: Auth | None = None
        self._homeassistant: HomeAssistant | None = None
        self._supervisor: Supervisor | None = None
@@ -265,17 +266,17 @@ class CoreSys:
        self._plugins = value

    @property
-    def arch(self) -> CpuArch:
-        """Return CpuArch object."""
+    def arch(self) -> CpuArchManager:
+        """Return CpuArchManager object."""
        if self._arch is None:
-            raise RuntimeError("CpuArch not set!")
+            raise RuntimeError("CpuArchManager not set!")
        return self._arch

    @arch.setter
-    def arch(self, value: CpuArch) -> None:
-        """Set a CpuArch object."""
+    def arch(self, value: CpuArchManager) -> None:
+        """Set a CpuArchManager object."""
        if self._arch:
-            raise RuntimeError("CpuArch already set!")
+            raise RuntimeError("CpuArchManager already set!")
        self._arch = value

    @property
@@ -655,8 +656,14 @@ class CoreSys:
        if kwargs:
            funct = partial(funct, **kwargs)

+        # Convert datetime to event loop time base
+        # If datetime is in the past, delay will be negative and call_at will
+        # schedule the call as soon as possible.
+        delay = when.timestamp() - time.time()
+        loop_time = self.loop.time() + delay
+
        return self.loop.call_at(
-            when.timestamp(), funct, *args, context=self._create_context()
+            loop_time, funct, *args, context=self._create_context()
        )


@@ -726,8 +733,8 @@ class CoreSysAttributes:
        return self.coresys.plugins

    @property
-    def sys_arch(self) -> CpuArch:
-        """Return CpuArch object."""
+    def sys_arch(self) -> CpuArchManager:
+        """Return CpuArchManager object."""
        return self.coresys.arch

    @property
--- a/supervisor/dbus/agent/system.py
+++ b/supervisor/dbus/agent/system.py
@@ -15,3 +15,8 @@ class System(DBusInterface):
    async def schedule_wipe_device(self) -> bool:
        """Schedule a factory reset on next system boot."""
        return await self.connected_dbus.System.call("schedule_wipe_device")
+
+    @dbus_connected
+    async def migrate_docker_storage_driver(self, backend: str) -> None:
+        """Migrate Docker storage driver."""
+        await self.connected_dbus.System.call("migrate_docker_storage_driver", backend)
--- a/supervisor/dbus/const.py
+++ b/supervisor/dbus/const.py
@@ -250,7 +250,7 @@ class ConnectionType(StrEnum):
    WIRELESS = "802-11-wireless"


-class ConnectionStateType(IntEnum):
+class ConnectionState(IntEnum):
    """Connection states.

    https://networkmanager.dev/docs/api/latest/nm-dbus-types.html#NMActiveConnectionState
@@ -306,6 +306,8 @@ class DeviceType(IntEnum):
    VLAN = 11
    TUN = 16
    VETH = 20
+    WIREGUARD = 29
+    LOOPBACK = 32


 class WirelessMethodType(IntEnum):
--- a/supervisor/dbus/manager.py
+++ b/supervisor/dbus/manager.py
@@ -115,7 +115,7 @@ class DBusManager(CoreSysAttributes):

    async def load(self) -> None:
        """Connect interfaces to D-Bus."""
-        if not SOCKET_DBUS.exists():
+        if not await self.sys_run_in_executor(SOCKET_DBUS.exists):
            _LOGGER.error(
                "No D-Bus support on Host. Disabled any kind of host control!"
            )
--- a/supervisor/dbus/network/init.py
+++ b/supervisor/dbus/network/init.py
@@ -134,9 +134,10 @@ class NetworkManager(DBusInterfaceProxy):
    async def check_connectivity(self, *, force: bool = False) -> ConnectivityState:
        """Check the connectivity of the host."""
        if force:
-            return await self.connected_dbus.call("check_connectivity")
-        else:
-            return await self.connected_dbus.get("connectivity")
+            return ConnectivityState(
+                await self.connected_dbus.call("check_connectivity")
+            )
+        return ConnectivityState(await self.connected_dbus.get("connectivity"))

    async def connect(self, bus: MessageBus) -> None:
        """Connect to system's D-Bus."""
--- a/supervisor/dbus/network/configuration.py
+++ b/supervisor/dbus/network/configuration.py
@@ -90,8 +90,8 @@ class Ip4Properties(IpProperties):
 class Ip6Properties(IpProperties):
    """IPv6 properties object for Network Manager."""

-    addr_gen_mode: int
-    ip6_privacy: int
+    addr_gen_mode: int | None
+    ip6_privacy: int | None
    dns: list[bytes] | None


--- a/supervisor/dbus/network/connection.py
+++ b/supervisor/dbus/network/connection.py
@@ -16,8 +16,8 @@ from ..const import (
    DBUS_IFACE_CONNECTION_ACTIVE,
    DBUS_NAME_NM,
    DBUS_OBJECT_BASE,
+    ConnectionState,
    ConnectionStateFlags,
-    ConnectionStateType,
 )
 from ..interface import DBusInterfaceProxy, dbus_property
 from ..utils import dbus_connected
@@ -67,9 +67,9 @@ class NetworkConnection(DBusInterfaceProxy):

    @property
    @dbus_property
-    def state(self) -> ConnectionStateType:
+    def state(self) -> ConnectionState:
        """Return the state of the connection."""
-        return self.properties[DBUS_ATTR_STATE]
+        return ConnectionState(self.properties[DBUS_ATTR_STATE])

    @property
    def state_flags(self) -> set[ConnectionStateFlags]:
--- a/supervisor/dbus/network/interface.py
+++ b/supervisor/dbus/network/interface.py
@@ -1,5 +1,6 @@
 """NetworkInterface object for Network Manager."""

+import logging
 from typing import Any

 from dbus_fast.aio.message_bus import MessageBus
@@ -23,6 +24,8 @@ from .connection import NetworkConnection
 from .setting import NetworkSetting
 from .wireless import NetworkWireless

+_LOGGER: logging.Logger = logging.getLogger(__name__)
+

 class NetworkInterface(DBusInterfaceProxy):
    """NetworkInterface object represents Network Manager Device objects.
@@ -57,7 +60,15 @@ class NetworkInterface(DBusInterfaceProxy):
    @dbus_property
    def type(self) -> DeviceType:
        """Return interface type."""
-        return self.properties[DBUS_ATTR_DEVICE_TYPE]
+        try:
+            return DeviceType(self.properties[DBUS_ATTR_DEVICE_TYPE])
+        except ValueError:
+            _LOGGER.debug(
+                "Unknown device type %s for %s, treating as UNKNOWN",
+                self.properties[DBUS_ATTR_DEVICE_TYPE],
+                self.object_path,
+            )
+            return DeviceType.UNKNOWN

    @property
    @dbus_property
--- a/supervisor/dbus/network/setting/generate.py
+++ b/supervisor/dbus/network/setting/generate.py
@@ -16,7 +16,11 @@ from ....host.const import (
    InterfaceType,
    MulticastDnsMode,
 )
-from ...const import MulticastDnsValue
+from ...const import (
+    InterfaceAddrGenMode as NMInterfaceAddrGenMode,
+    InterfaceIp6Privacy as NMInterfaceIp6Privacy,
+    MulticastDnsValue,
+)
 from .. import NetworkManager
 from . import (
    CONF_ATTR_802_ETHERNET,
@@ -118,24 +122,41 @@ def _get_ipv6_connection_settings(
        ipv6[CONF_ATTR_IPV6_METHOD] = Variant("s", "auto")
        if ipv6setting:
            if ipv6setting.addr_gen_mode == InterfaceAddrGenMode.EUI64:
-                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant("i", 0)
+                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant(
+                    "i", NMInterfaceAddrGenMode.EUI64.value
+                )
            elif (
                not support_addr_gen_mode_defaults
                or ipv6setting.addr_gen_mode == InterfaceAddrGenMode.STABLE_PRIVACY
            ):
-                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant("i", 1)
+                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant(
+                    "i", NMInterfaceAddrGenMode.STABLE_PRIVACY.value
+                )
            elif ipv6setting.addr_gen_mode == InterfaceAddrGenMode.DEFAULT_OR_EUI64:
-                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant("i", 2)
+                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant(
+                    "i", NMInterfaceAddrGenMode.DEFAULT_OR_EUI64.value
+                )
            else:
-                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant("i", 3)
+                ipv6[CONF_ATTR_IPV6_ADDR_GEN_MODE] = Variant(
+                    "i", NMInterfaceAddrGenMode.DEFAULT.value
+                )
+
            if ipv6setting.ip6_privacy == InterfaceIp6Privacy.DISABLED:
-                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant("i", 0)
+                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant(
+                    "i", NMInterfaceIp6Privacy.DISABLED.value
+                )
            elif ipv6setting.ip6_privacy == InterfaceIp6Privacy.ENABLED_PREFER_PUBLIC:
-                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant("i", 1)
+                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant(
+                    "i", NMInterfaceIp6Privacy.ENABLED_PREFER_PUBLIC.value
+                )
            elif ipv6setting.ip6_privacy == InterfaceIp6Privacy.ENABLED:
-                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant("i", 2)
+                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant(
+                    "i", NMInterfaceIp6Privacy.ENABLED.value
+                )
            else:
-                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant("i", -1)
+                ipv6[CONF_ATTR_IPV6_PRIVACY] = Variant(
+                    "i", NMInterfaceIp6Privacy.DEFAULT.value
+                )
    elif ipv6setting.method == InterfaceMethod.DISABLED:
        ipv6[CONF_ATTR_IPV6_METHOD] = Variant("s", "link-local")
    elif ipv6setting.method == InterfaceMethod.STATIC:
--- a/supervisor/dbus/resolved.py
+++ b/supervisor/dbus/resolved.py
@@ -75,7 +75,7 @@ class Resolved(DBusInterfaceProxy):
    @dbus_property
    def current_dns_server(
        self,
-    ) -> list[tuple[int, DNSAddressFamily, bytes]] | None:
+    ) -> tuple[int, DNSAddressFamily, bytes] | None:
        """Return current DNS server."""
        return self.properties[DBUS_ATTR_CURRENT_DNS_SERVER]

@@ -83,7 +83,7 @@ class Resolved(DBusInterfaceProxy):
    @dbus_property
    def current_dns_server_ex(
        self,
-    ) -> list[tuple[int, DNSAddressFamily, bytes, int, str]] | None:
+    ) -> tuple[int, DNSAddressFamily, bytes, int, str] | None:
        """Return current DNS server including port and server name."""
        return self.properties[DBUS_ATTR_CURRENT_DNS_SERVER_EX]

--- a/supervisor/dbus/systemd.py
+++ b/supervisor/dbus/systemd.py
@@ -70,7 +70,7 @@ class SystemdUnit(DBusInterface):
    @dbus_connected
    async def get_active_state(self) -> UnitActiveState:
        """Get active state of the unit."""
-        return await self.connected_dbus.Unit.get("active_state")
+        return UnitActiveState(await self.connected_dbus.Unit.get("active_state"))

    @dbus_connected
    def properties_changed(self) -> DBusSignalWrapper:
--- a/supervisor/dbus/udisks2/data.py
+++ b/supervisor/dbus/udisks2/data.py
@@ -9,7 +9,7 @@ from dbus_fast import Variant
 from .const import EncryptType, EraseMode


-def udisks2_bytes_to_path(path_bytes: bytearray) -> Path:
+def udisks2_bytes_to_path(path_bytes: bytes) -> Path:
    """Convert bytes to path object without null character on end."""
    if path_bytes and path_bytes[-1] == 0:
        return Path(path_bytes[:-1].decode())
@@ -73,7 +73,7 @@ FormatOptionsDataType = TypedDict(
    {
        "label": NotRequired[str],
        "take-ownership": NotRequired[bool],
-        "encrypt.passphrase": NotRequired[bytearray],
+        "encrypt.passphrase": NotRequired[bytes],
        "encrypt.type": NotRequired[str],
        "erase": NotRequired[str],
        "update-partition-type": NotRequired[bool],
--- a/supervisor/docker/addon.py
+++ b/supervisor/docker/addon.py
@@ -2,19 +2,21 @@

 from __future__ import annotations

+from collections.abc import Awaitable
 from contextlib import suppress
 from ipaddress import IPv4Address
 import logging
 import os
 from pathlib import Path
-from typing import TYPE_CHECKING, cast
+from socket import SocketIO
+import tempfile
+from typing import TYPE_CHECKING, Literal, cast

 import aiodocker
 from attr import evolve
 from awesomeversion import AwesomeVersion
 import docker
 import docker.errors
-from docker.types import Mount
 import requests

 from ..addons.build import AddonBuild
@@ -33,6 +35,7 @@ from ..coresys import CoreSys
 from ..exceptions import (
    CoreDNSError,
    DBusError,
+    DockerBuildError,
    DockerError,
    DockerJobError,
    DockerNotFound,
@@ -64,8 +67,11 @@ from .const import (
    PATH_SHARE,
    PATH_SSL,
    Capabilities,
+    DockerMount,
+    MountBindOptions,
    MountType,
    PropagationMode,
+    Ulimit,
 )
 from .interface import DockerInterface

@@ -268,7 +274,7 @@ class DockerAddon(DockerInterface):
        }

    @property
-    def network_mode(self) -> str | None:
+    def network_mode(self) -> Literal["host"] | None:
        """Return network mode for add-on."""
        if self.addon.host_network:
            return "host"
@@ -307,28 +313,28 @@ class DockerAddon(DockerInterface):
        return None

    @property
-    def ulimits(self) -> list[docker.types.Ulimit] | None:
+    def ulimits(self) -> list[Ulimit] | None:
        """Generate ulimits for add-on."""
-        limits: list[docker.types.Ulimit] = []
+        limits: list[Ulimit] = []

        # Need schedule functions
        if self.addon.with_realtime:
-            limits.append(docker.types.Ulimit(name="rtprio", soft=90, hard=99))
+            limits.append(Ulimit(name="rtprio", soft=90, hard=99))

            # Set available memory for memlock to 128MB
            mem = 128 * 1024 * 1024
-            limits.append(docker.types.Ulimit(name="memlock", soft=mem, hard=mem))
+            limits.append(Ulimit(name="memlock", soft=mem, hard=mem))

        # Add configurable ulimits from add-on config
        for name, config in self.addon.ulimits.items():
            if isinstance(config, int):
                # Simple format: both soft and hard limits are the same
-                limits.append(docker.types.Ulimit(name=name, soft=config, hard=config))
+                limits.append(Ulimit(name=name, soft=config, hard=config))
            elif isinstance(config, dict):
                # Detailed format: both soft and hard limits are mandatory
                soft = config["soft"]
                hard = config["hard"]
-                limits.append(docker.types.Ulimit(name=name, soft=soft, hard=hard))
+                limits.append(Ulimit(name=name, soft=soft, hard=hard))

        # Return None if no ulimits are present
        if limits:
@@ -347,7 +353,7 @@ class DockerAddon(DockerInterface):
        return None

    @property
-    def mounts(self) -> list[Mount]:
+    def mounts(self) -> list[DockerMount]:
        """Return mounts for container."""
        addon_mapping = self.addon.map_volumes

@@ -357,8 +363,8 @@ class DockerAddon(DockerInterface):

        mounts = [
            MOUNT_DEV,
-            Mount(
-                type=MountType.BIND.value,
+            DockerMount(
+                type=MountType.BIND,
                source=self.addon.path_extern_data.as_posix(),
                target=target_data_path or PATH_PRIVATE_DATA.as_posix(),
                read_only=False,
@@ -368,8 +374,8 @@ class DockerAddon(DockerInterface):
        # setup config mappings
        if MappingType.CONFIG in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_homeassistant.as_posix(),
                    target=addon_mapping[MappingType.CONFIG].path
                    or PATH_HOMEASSISTANT_CONFIG_LEGACY.as_posix(),
@@ -381,8 +387,8 @@ class DockerAddon(DockerInterface):
            # Map addon's public config folder if not using deprecated config option
            if self.addon.addon_config_used:
                mounts.append(
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.addon.path_extern_config.as_posix(),
                        target=addon_mapping[MappingType.ADDON_CONFIG].path
                        or PATH_PUBLIC_CONFIG.as_posix(),
@@ -393,8 +399,8 @@ class DockerAddon(DockerInterface):
            # Map Home Assistant config in new way
            if MappingType.HOMEASSISTANT_CONFIG in addon_mapping:
                mounts.append(
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_config.path_extern_homeassistant.as_posix(),
                        target=addon_mapping[MappingType.HOMEASSISTANT_CONFIG].path
                        or PATH_HOMEASSISTANT_CONFIG.as_posix(),
@@ -406,8 +412,8 @@ class DockerAddon(DockerInterface):

        if MappingType.ALL_ADDON_CONFIGS in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_addon_configs.as_posix(),
                    target=addon_mapping[MappingType.ALL_ADDON_CONFIGS].path
                    or PATH_ALL_ADDON_CONFIGS.as_posix(),
@@ -417,8 +423,8 @@ class DockerAddon(DockerInterface):

        if MappingType.SSL in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_ssl.as_posix(),
                    target=addon_mapping[MappingType.SSL].path or PATH_SSL.as_posix(),
                    read_only=addon_mapping[MappingType.SSL].read_only,
@@ -427,8 +433,8 @@ class DockerAddon(DockerInterface):

        if MappingType.ADDONS in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_addons_local.as_posix(),
                    target=addon_mapping[MappingType.ADDONS].path
                    or PATH_LOCAL_ADDONS.as_posix(),
@@ -438,8 +444,8 @@ class DockerAddon(DockerInterface):

        if MappingType.BACKUP in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_backup.as_posix(),
                    target=addon_mapping[MappingType.BACKUP].path
                    or PATH_BACKUP.as_posix(),
@@ -449,25 +455,25 @@ class DockerAddon(DockerInterface):

        if MappingType.SHARE in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_share.as_posix(),
                    target=addon_mapping[MappingType.SHARE].path
                    or PATH_SHARE.as_posix(),
                    read_only=addon_mapping[MappingType.SHARE].read_only,
-                    propagation=PropagationMode.RSLAVE,
+                    bind_options=MountBindOptions(propagation=PropagationMode.RSLAVE),
                )
            )

        if MappingType.MEDIA in addon_mapping:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_media.as_posix(),
                    target=addon_mapping[MappingType.MEDIA].path
                    or PATH_MEDIA.as_posix(),
                    read_only=addon_mapping[MappingType.MEDIA].read_only,
-                    propagation=PropagationMode.RSLAVE,
+                    bind_options=MountBindOptions(propagation=PropagationMode.RSLAVE),
                )
            )

@@ -479,8 +485,8 @@ class DockerAddon(DockerInterface):
                if not Path(gpio_path).exists():
                    continue
                mounts.append(
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=gpio_path,
                        target=gpio_path,
                        read_only=False,
@@ -490,8 +496,8 @@ class DockerAddon(DockerInterface):
        # DeviceTree support
        if self.addon.with_devicetree:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source="/sys/firmware/devicetree/base",
                    target="/device-tree",
                    read_only=True,
@@ -505,8 +511,8 @@ class DockerAddon(DockerInterface):
        # Kernel Modules support
        if self.addon.with_kernel_modules:
            mounts.append(
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source="/lib/modules",
                    target="/lib/modules",
                    read_only=True,
@@ -524,20 +530,20 @@ class DockerAddon(DockerInterface):
        # Configuration Audio
        if self.addon.with_audio:
            mounts += [
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.addon.path_extern_pulse.as_posix(),
                    target="/etc/pulse/client.conf",
                    read_only=True,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_plugins.audio.path_extern_pulse.as_posix(),
                    target="/run/audio",
                    read_only=True,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_plugins.audio.path_extern_asound.as_posix(),
                    target="/etc/asound.conf",
                    read_only=True,
@@ -547,14 +553,14 @@ class DockerAddon(DockerInterface):
        # System Journal access
        if self.addon.with_journald:
            mounts += [
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=SYSTEMD_JOURNAL_PERSISTENT.as_posix(),
                    target=SYSTEMD_JOURNAL_PERSISTENT.as_posix(),
                    read_only=True,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=SYSTEMD_JOURNAL_VOLATILE.as_posix(),
                    target=SYSTEMD_JOURNAL_VOLATILE.as_posix(),
                    read_only=True,
@@ -680,13 +686,12 @@ class DockerAddon(DockerInterface):
    async def _build(self, version: AwesomeVersion, image: str | None = None) -> None:
        """Build a Docker container."""
        build_env = await AddonBuild(self.coresys, self.addon).load_config()
-        if not await build_env.is_valid():
-            _LOGGER.error("Invalid build environment, can't build this add-on!")
-            raise DockerError()
+        # Check if the build environment is valid, raises if not
+        await build_env.is_valid()

        _LOGGER.info("Starting build for %s:%s", self.image, version)

-        def build_image():
+        def build_image() -> tuple[str, str]:
            if build_env.squash:
                _LOGGER.warning(
                    "Ignoring squash build option for %s as Docker BuildKit does not support it.",
@@ -703,14 +708,42 @@ class DockerAddon(DockerInterface):
            # Remove dangling builder container if it exists by any chance
            # E.g. because of an abrupt host shutdown/reboot during a build
            with suppress(docker.errors.NotFound):
-                self.sys_docker.containers.get(builder_name).remove(force=True, v=True)
+                self.sys_docker.containers_legacy.get(builder_name).remove(
+                    force=True, v=True
+                )

-            result = self.sys_docker.run_command(
-                ADDON_BUILDER_IMAGE,
-                version=builder_version_tag,
-                name=builder_name,
-                **build_env.get_docker_args(version, addon_image_tag),
-            )
+            # Generate Docker config with registry credentials for base image if needed
+            docker_config_path: Path | None = None
+            docker_config_content = build_env.get_docker_config_json()
+            temp_dir: tempfile.TemporaryDirectory | None = None
+
+            try:
+                if docker_config_content:
+                    # Create temporary directory for docker config
+                    temp_dir = tempfile.TemporaryDirectory(
+                        prefix="hassio_build_", dir=self.sys_config.path_tmp
+                    )
+                    docker_config_path = Path(temp_dir.name) / "config.json"
+                    docker_config_path.write_text(
+                        docker_config_content, encoding="utf-8"
+                    )
+                    _LOGGER.debug(
+                        "Created temporary Docker config for build at %s",
+                        docker_config_path,
+                    )
+
+                result = self.sys_docker.run_command(
+                    ADDON_BUILDER_IMAGE,
+                    version=builder_version_tag,
+                    name=builder_name,
+                    **build_env.get_docker_args(
+                        version, addon_image_tag, docker_config_path
+                    ),
+                )
+            finally:
+                # Clean up temporary directory
+                if temp_dir:
+                    temp_dir.cleanup()

            logs = result.output.decode("utf-8")

@@ -733,8 +766,9 @@ class DockerAddon(DockerInterface):
            requests.RequestException,
            aiodocker.DockerError,
        ) as err:
-            _LOGGER.error("Can't build %s:%s: %s", self.image, version, err)
-            raise DockerError() from err
+            raise DockerBuildError(
+                f"Can't build {self.image}:{version}: {err!s}", _LOGGER.error
+            ) from err

        _LOGGER.info("Build %s:%s done", self.image, version)

@@ -792,12 +826,9 @@ class DockerAddon(DockerInterface):
        on_condition=DockerJobError,
        concurrency=JobConcurrency.GROUP_REJECT,
    )
-    async def write_stdin(self, data: bytes) -> None:
+    def write_stdin(self, data: bytes) -> Awaitable[None]:
        """Write to add-on stdin."""
-        if not await self.is_running():
-            raise DockerError()
-
-        await self.sys_run_in_executor(self._write_stdin, data)
+        return self.sys_run_in_executor(self._write_stdin, data)

    def _write_stdin(self, data: bytes) -> None:
        """Write to add-on stdin.
@@ -806,8 +837,11 @@ class DockerAddon(DockerInterface):
        """
        try:
            # Load needed docker objects
-            container = self.sys_docker.containers.get(self.name)
-            socket = container.attach_socket(params={"stdin": 1, "stream": 1})
+            container = self.sys_docker.containers_legacy.get(self.name)
+            # attach_socket returns SocketIO for local Docker connections (Unix socket)
+            socket = cast(
+                SocketIO, container.attach_socket(params={"stdin": 1, "stream": 1})
+            )
        except (docker.errors.DockerException, requests.RequestException) as err:
            _LOGGER.error("Can't attach to %s stdin: %s", self.name, err)
            raise DockerError() from err
@@ -866,7 +900,7 @@ class DockerAddon(DockerInterface):

        try:
            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+                self.sys_docker.containers_legacy.get, self.name
            )
        except docker.errors.NotFound:
            if self._hw_listener:
--- a/supervisor/docker/audio.py
+++ b/supervisor/docker/audio.py
@@ -2,9 +2,6 @@

 import logging

-import docker
-from docker.types import Mount
-
 from ..const import DOCKER_CPU_RUNTIME_ALLOCATION
 from ..coresys import CoreSysAttributes
 from ..exceptions import DockerJobError
@@ -19,7 +16,9 @@ from .const import (
    MOUNT_UDEV,
    PATH_PRIVATE_DATA,
    Capabilities,
+    DockerMount,
    MountType,
+    Ulimit,
 )
 from .interface import DockerInterface

@@ -42,12 +41,12 @@ class DockerAudio(DockerInterface, CoreSysAttributes):
        return AUDIO_DOCKER_NAME

    @property
-    def mounts(self) -> list[Mount]:
+    def mounts(self) -> list[DockerMount]:
        """Return mounts for container."""
        mounts = [
            MOUNT_DEV,
-            Mount(
-                type=MountType.BIND.value,
+            DockerMount(
+                type=MountType.BIND,
                source=self.sys_config.path_extern_audio.as_posix(),
                target=PATH_PRIVATE_DATA.as_posix(),
                read_only=False,
@@ -75,10 +74,10 @@ class DockerAudio(DockerInterface, CoreSysAttributes):
        return [Capabilities.SYS_NICE, Capabilities.SYS_RESOURCE]

    @property
-    def ulimits(self) -> list[docker.types.Ulimit]:
+    def ulimits(self) -> list[Ulimit]:
        """Generate ulimits for audio."""
        # Pulseaudio by default tries to use real-time scheduling with priority of 5.
-        return [docker.types.Ulimit(name="rtprio", soft=10, hard=10)]
+        return [Ulimit(name="rtprio", soft=10, hard=10)]

    @property
    def cpu_rt_runtime(self) -> int | None:
--- a/supervisor/docker/const.py
+++ b/supervisor/docker/const.py
@@ -3,18 +3,24 @@
 from __future__ import annotations

 from contextlib import suppress
+from dataclasses import dataclass
 from enum import Enum, StrEnum
 from functools import total_ordering
 from pathlib import PurePath
 import re
-from typing import cast
-
-from docker.types import Mount
+from typing import Any, cast

 from ..const import MACHINE_ID

 RE_RETRYING_DOWNLOAD_STATUS = re.compile(r"Retrying in \d+ seconds?")

+# Docker Hub registry identifier (official default)
+# Docker's default registry is docker.io
+DOCKER_HUB = "docker.io"
+
+# Legacy Docker Hub identifier for backward compatibility
+DOCKER_HUB_LEGACY = "hub.docker.com"
+

 class Capabilities(StrEnum):
    """Linux Capabilities."""
@@ -126,33 +132,94 @@ class PullImageLayerStage(Enum):
        return None


+@dataclass(slots=True, frozen=True)
+class MountBindOptions:
+    """Bind options for docker mount."""
+
+    propagation: PropagationMode | None = None
+    read_only_non_recursive: bool | None = None
+
+    def to_dict(self) -> dict[str, Any]:
+        """To dictionary representation."""
+        out: dict[str, Any] = {}
+        if self.propagation:
+            out["Propagation"] = self.propagation.value
+        if self.read_only_non_recursive is not None:
+            out["ReadOnlyNonRecursive"] = self.read_only_non_recursive
+        return out
+
+
+@dataclass(slots=True, frozen=True)
+class DockerMount:
+    """A docker mount."""
+
+    type: MountType
+    source: str
+    target: str
+    read_only: bool
+    bind_options: MountBindOptions | None = None
+
+    def to_dict(self) -> dict[str, Any]:
+        """To dictionary representation."""
+        out: dict[str, Any] = {
+            "Type": self.type.value,
+            "Source": self.source,
+            "Target": self.target,
+            "ReadOnly": self.read_only,
+        }
+        if self.bind_options:
+            out["BindOptions"] = self.bind_options.to_dict()
+        return out
+
+
+@dataclass(slots=True, frozen=True)
+class Ulimit:
+    """A linux user limit."""
+
+    name: str
+    soft: int
+    hard: int
+
+    def to_dict(self) -> dict[str, str | int]:
+        """To dictionary representation."""
+        return {
+            "Name": self.name,
+            "Soft": self.soft,
+            "Hard": self.hard,
+        }
+
+
+ENV_DUPLICATE_LOG_FILE = "HA_DUPLICATE_LOG_FILE"
 ENV_TIME = "TZ"
 ENV_TOKEN = "SUPERVISOR_TOKEN"
 ENV_TOKEN_OLD = "HASSIO_TOKEN"

 LABEL_MANAGED = "supervisor_managed"

-MOUNT_DBUS = Mount(
-    type=MountType.BIND.value, source="/run/dbus", target="/run/dbus", read_only=True
+MOUNT_DBUS = DockerMount(
+    type=MountType.BIND, source="/run/dbus", target="/run/dbus", read_only=True
 )
-MOUNT_DEV = Mount(
-    type=MountType.BIND.value, source="/dev", target="/dev", read_only=True
+MOUNT_DEV = DockerMount(
+    type=MountType.BIND,
+    source="/dev",
+    target="/dev",
+    read_only=True,
+    bind_options=MountBindOptions(read_only_non_recursive=True),
 )
-MOUNT_DEV.setdefault("BindOptions", {})["ReadOnlyNonRecursive"] = True
-MOUNT_DOCKER = Mount(
-    type=MountType.BIND.value,
+MOUNT_DOCKER = DockerMount(
+    type=MountType.BIND,
    source="/run/docker.sock",
    target="/run/docker.sock",
    read_only=True,
 )
-MOUNT_MACHINE_ID = Mount(
-    type=MountType.BIND.value,
+MOUNT_MACHINE_ID = DockerMount(
+    type=MountType.BIND,
    source=MACHINE_ID.as_posix(),
    target=MACHINE_ID.as_posix(),
    read_only=True,
 )
-MOUNT_UDEV = Mount(
-    type=MountType.BIND.value, source="/run/udev", target="/run/udev", read_only=True
+MOUNT_UDEV = DockerMount(
+    type=MountType.BIND, source="/run/udev", target="/run/udev", read_only=True
 )

 PATH_PRIVATE_DATA = PurePath("/data")
--- a/supervisor/docker/dns.py
+++ b/supervisor/docker/dns.py
@@ -2,13 +2,11 @@

 import logging

-from docker.types import Mount
-
 from ..coresys import CoreSysAttributes
 from ..exceptions import DockerJobError
 from ..jobs.const import JobConcurrency
 from ..jobs.decorator import Job
-from .const import ENV_TIME, MOUNT_DBUS, MountType
+from .const import ENV_TIME, MOUNT_DBUS, DockerMount, MountType
 from .interface import DockerInterface

 _LOGGER: logging.Logger = logging.getLogger(__name__)
@@ -47,8 +45,8 @@ class DockerDNS(DockerInterface, CoreSysAttributes):
            security_opt=self.security_opt,
            environment={ENV_TIME: self.sys_timezone},
            mounts=[
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_dns.as_posix(),
                    target="/config",
                    read_only=False,
--- a/supervisor/docker/homeassistant.py
+++ b/supervisor/docker/homeassistant.py
@@ -5,7 +5,6 @@ import logging
 import re

 from awesomeversion import AwesomeVersion
-from docker.types import Mount

 from ..const import LABEL_MACHINE
 from ..exceptions import DockerJobError
@@ -14,6 +13,7 @@ from ..homeassistant.const import LANDINGPAGE
 from ..jobs.const import JobConcurrency
 from ..jobs.decorator import Job
 from .const import (
+    ENV_DUPLICATE_LOG_FILE,
    ENV_TIME,
    ENV_TOKEN,
    ENV_TOKEN_OLD,
@@ -25,6 +25,8 @@ from .const import (
    PATH_PUBLIC_CONFIG,
    PATH_SHARE,
    PATH_SSL,
+    DockerMount,
+    MountBindOptions,
    MountType,
    PropagationMode,
 )
@@ -90,15 +92,15 @@ class DockerHomeAssistant(DockerInterface):
        )

    @property
-    def mounts(self) -> list[Mount]:
+    def mounts(self) -> list[DockerMount]:
        """Return mounts for container."""
        mounts = [
            MOUNT_DEV,
            MOUNT_DBUS,
            MOUNT_UDEV,
            # HA config folder
-            Mount(
-                type=MountType.BIND.value,
+            DockerMount(
+                type=MountType.BIND,
                source=self.sys_config.path_extern_homeassistant.as_posix(),
                target=PATH_PUBLIC_CONFIG.as_posix(),
                read_only=False,
@@ -110,41 +112,45 @@ class DockerHomeAssistant(DockerInterface):
            mounts.extend(
                [
                    # All other folders
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_config.path_extern_ssl.as_posix(),
                        target=PATH_SSL.as_posix(),
                        read_only=True,
                    ),
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_config.path_extern_share.as_posix(),
                        target=PATH_SHARE.as_posix(),
                        read_only=False,
-                        propagation=PropagationMode.RSLAVE.value,
+                        bind_options=MountBindOptions(
+                            propagation=PropagationMode.RSLAVE
+                        ),
                    ),
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_config.path_extern_media.as_posix(),
                        target=PATH_MEDIA.as_posix(),
                        read_only=False,
-                        propagation=PropagationMode.RSLAVE.value,
+                        bind_options=MountBindOptions(
+                            propagation=PropagationMode.RSLAVE
+                        ),
                    ),
                    # Configuration audio
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_homeassistant.path_extern_pulse.as_posix(),
                        target="/etc/pulse/client.conf",
                        read_only=True,
                    ),
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_plugins.audio.path_extern_pulse.as_posix(),
                        target="/run/audio",
                        read_only=True,
                    ),
-                    Mount(
-                        type=MountType.BIND.value,
+                    DockerMount(
+                        type=MountType.BIND,
                        source=self.sys_plugins.audio.path_extern_asound.as_posix(),
                        target="/etc/asound.conf",
                        read_only=True,
@@ -174,6 +180,8 @@ class DockerHomeAssistant(DockerInterface):
        }
        if restore_job_id:
            environment[ENV_RESTORE_JOB_ID] = restore_job_id
+        if self.sys_homeassistant.duplicate_log_file:
+            environment[ENV_DUPLICATE_LOG_FILE] = "1"
        await self._run(
            tag=(self.sys_homeassistant.version),
            name=self.name,
@@ -213,20 +221,20 @@ class DockerHomeAssistant(DockerInterface):
            init=True,
            entrypoint=[],
            mounts=[
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_homeassistant.as_posix(),
                    target="/config",
                    read_only=False,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_ssl.as_posix(),
                    target="/ssl",
                    read_only=True,
                ),
-                Mount(
-                    type=MountType.BIND.value,
+                DockerMount(
+                    type=MountType.BIND,
                    source=self.sys_config.path_extern_share.as_posix(),
                    target="/share",
                    read_only=False,
--- a/supervisor/docker/interface.py
+++ b/supervisor/docker/interface.py
@@ -8,7 +8,6 @@ from collections.abc import Awaitable
 from contextlib import suppress
 from http import HTTPStatus
 import logging
-import re
 from time import time
 from typing import Any, cast
 from uuid import uuid4
@@ -46,17 +45,20 @@ from ..jobs.decorator import Job
 from ..jobs.job_group import JobGroup
 from ..resolution.const import ContextType, IssueType, SuggestionType
 from ..utils.sentry import async_capture_exception
-from .const import ContainerState, PullImageLayerStage, RestartPolicy
+from .const import (
+    DOCKER_HUB,
+    DOCKER_HUB_LEGACY,
+    ContainerState,
+    PullImageLayerStage,
+    RestartPolicy,
+)
 from .manager import CommandReturn, PullLogEntry
 from .monitor import DockerContainerStateEvent
 from .stats import DockerStats

 _LOGGER: logging.Logger = logging.getLogger(__name__)

-IMAGE_WITH_HOST = re.compile(r"^((?:[a-z0-9]+(?:-[a-z0-9]+)*\.)+[a-z]{2,})\/.+")
-DOCKER_HUB = "hub.docker.com"
-
-MAP_ARCH: dict[CpuArch | str, str] = {
+MAP_ARCH: dict[CpuArch, str] = {
    CpuArch.ARMV7: "linux/arm/v7",
    CpuArch.ARMHF: "linux/arm/v6",
    CpuArch.AARCH64: "linux/arm64",
@@ -180,25 +182,17 @@ class DockerInterface(JobGroup, ABC):
        return self.meta_config.get("Healthcheck")

    def _get_credentials(self, image: str) -> dict:
-        """Return a dictionay with credentials for docker login."""
-        registry = None
+        """Return a dictionary with credentials for docker login."""
        credentials = {}
-        matcher = IMAGE_WITH_HOST.match(image)
-
-        # Custom registry
-        if matcher:
-            if matcher.group(1) in self.sys_docker.config.registries:
-                registry = matcher.group(1)
-                credentials[ATTR_REGISTRY] = registry
-
-        # If no match assume "dockerhub" as registry
-        elif DOCKER_HUB in self.sys_docker.config.registries:
-            registry = DOCKER_HUB
+        registry = self.sys_docker.config.get_registry_for_image(image)

        if registry:
            stored = self.sys_docker.config.registries[registry]
            credentials[ATTR_USERNAME] = stored[ATTR_USERNAME]
            credentials[ATTR_PASSWORD] = stored[ATTR_PASSWORD]
+            # Don't include registry for Docker Hub (both official and legacy)
+            if registry not in (DOCKER_HUB, DOCKER_HUB_LEGACY):
+                credentials[ATTR_REGISTRY] = registry

            _LOGGER.debug(
                "Logging in to %s as %s",
@@ -208,17 +202,6 @@ class DockerInterface(JobGroup, ABC):

        return credentials

-    async def _docker_login(self, image: str) -> None:
-        """Try to log in to the registry if there are credentials available."""
-        if not self.sys_docker.config.registries:
-            return
-
-        credentials = self._get_credentials(image)
-        if not credentials:
-            return
-
-        await self.sys_run_in_executor(self.sys_docker.dockerpy.login, **credentials)
-
    def _process_pull_image_log(  # noqa: C901
        self, install_job_id: str, reference: PullLogEntry
    ) -> None:
@@ -250,28 +233,16 @@ class DockerInterface(JobGroup, ABC):
                job = j
                break

-        # This likely only occurs if the logs came in out of sync and we got progress before the Pulling FS Layer one
+        # There should no longer be any real risk of logs out of order anymore.
+        # However tests with very small images have shown that sometimes Docker
+        # skips stages in log. So keeping this one as a safety check on null job
        if not job:
            raise DockerLogOutOfOrder(
                f"Received pull image log with status {reference.status} for image id {reference.id} and parent job {install_job_id} but could not find a matching job, skipping",
                _LOGGER.debug,
            )

-        # Hopefully these come in order but if they sometimes get out of sync, avoid accidentally going backwards
-        # If it happens a lot though we may need to reconsider the value of this feature
-        if job.done:
-            raise DockerLogOutOfOrder(
-                f"Received pull image log with status {reference.status} for job {job.uuid} but job was done, skipping",
-                _LOGGER.debug,
-            )
-
-        if job.stage and stage < PullImageLayerStage.from_status(job.stage):
-            raise DockerLogOutOfOrder(
-                f"Received pull image log with status {reference.status} for job {job.uuid} but job was already on stage {job.stage}, skipping",
-                _LOGGER.debug,
-            )
-
-        # For progress calcuation we assume downloading and extracting are each 50% of the time and others stages negligible
+        # For progress calculation we assume downloading is 70% of time, extracting is 30% and others stages negligible
        progress = job.progress
        match stage:
            case PullImageLayerStage.DOWNLOADING | PullImageLayerStage.EXTRACTING:
@@ -280,22 +251,26 @@ class DockerInterface(JobGroup, ABC):
                    and reference.progress_detail.current
                    and reference.progress_detail.total
                ):
-                    progress = 50 * (
+                    progress = (
                        reference.progress_detail.current
                        / reference.progress_detail.total
                    )
-                    if stage == PullImageLayerStage.EXTRACTING:
-                        progress += 50
+                    if stage == PullImageLayerStage.DOWNLOADING:
+                        progress = 70 * progress
+                    else:
+                        progress = 70 + 30 * progress
            case (
                PullImageLayerStage.VERIFYING_CHECKSUM
                | PullImageLayerStage.DOWNLOAD_COMPLETE
            ):
-                progress = 50
+                progress = 70
            case PullImageLayerStage.PULL_COMPLETE:
                progress = 100
            case PullImageLayerStage.RETRYING_DOWNLOAD:
                progress = 0

+        # No real risk of getting things out of order in current implementation
+        # but keeping this one in case another change to these trips us up.
        if stage != PullImageLayerStage.RETRYING_DOWNLOAD and progress < job.progress:
            raise DockerLogOutOfOrder(
                f"Received pull image log with status {reference.status} for job {job.uuid} that implied progress was {progress} but current progress is {job.progress}, skipping",
@@ -310,6 +285,8 @@ class DockerInterface(JobGroup, ABC):
        if (
            stage in {PullImageLayerStage.DOWNLOADING, PullImageLayerStage.EXTRACTING}
            and reference.progress_detail
+            and reference.progress_detail.current is not None
+            and reference.progress_detail.total is not None
        ):
            job.update(
                progress=progress,
@@ -357,7 +334,7 @@ class DockerInterface(JobGroup, ABC):
        progress = 0.0
        stage = PullImageLayerStage.PULL_COMPLETE
        for job in layer_jobs:
-            if not job.extra:
+            if not job.extra or not job.extra.get("total"):
                return
            progress += job.progress * (job.extra["total"] / total)
            job_stage = PullImageLayerStage.from_status(cast(str, job.stage))
@@ -396,14 +373,13 @@ class DockerInterface(JobGroup, ABC):
        if not image:
            raise ValueError("Cannot pull without an image!")

-        image_arch = str(arch) if arch else self.sys_arch.supervisor
+        image_arch = arch or self.sys_arch.supervisor
        listener: EventListener | None = None

        _LOGGER.info("Downloading docker image %s with tag %s.", image, version)
        try:
-            if self.sys_docker.config.registries:
-                # Try login if we have defined credentials
-                await self._docker_login(image)
+            # Get credentials for private registries to pass to aiodocker
+            credentials = self._get_credentials(image) or None

            curr_job_id = self.sys_jobs.current.uuid

@@ -419,12 +395,13 @@ class DockerInterface(JobGroup, ABC):
                BusEvent.DOCKER_IMAGE_PULL_UPDATE, process_pull_image_log
            )

-            # Pull new image
+            # Pull new image, passing credentials to aiodocker
            docker_image = await self.sys_docker.pull_image(
                self.sys_jobs.current.uuid,
                image,
                str(version),
                platform=MAP_ARCH[image_arch],
+                auth=credentials,
            )

            # Tag latest
@@ -480,35 +457,34 @@ class DockerInterface(JobGroup, ABC):
            return True
        return False

-    async def is_running(self) -> bool:
-        """Return True if Docker is running."""
+    async def _get_container(self) -> Container | None:
+        """Get docker container, returns None if not found."""
        try:
-            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+            return await self.sys_run_in_executor(
+                self.sys_docker.containers_legacy.get, self.name
            )
        except docker.errors.NotFound:
-            return False
+            return None
        except docker.errors.DockerException as err:
-            raise DockerAPIError() from err
+            raise DockerAPIError(
+                f"Docker API error occurred while getting container information: {err!s}"
+            ) from err
        except requests.RequestException as err:
-            raise DockerRequestError() from err
+            raise DockerRequestError(
+                f"Error communicating with Docker to get container information: {err!s}"
+            ) from err

-        return docker_container.status == "running"
+    async def is_running(self) -> bool:
+        """Return True if Docker is running."""
+        if docker_container := await self._get_container():
+            return docker_container.status == "running"
+        return False

    async def current_state(self) -> ContainerState:
        """Return current state of container."""
-        try:
-            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
-            )
-        except docker.errors.NotFound:
-            return ContainerState.UNKNOWN
-        except docker.errors.DockerException as err:
-            raise DockerAPIError() from err
-        except requests.RequestException as err:
-            raise DockerRequestError() from err
-
-        return _container_state_from_model(docker_container)
+        if docker_container := await self._get_container():
+            return _container_state_from_model(docker_container)
+        return ContainerState.UNKNOWN

    @Job(name="docker_interface_attach", concurrency=JobConcurrency.GROUP_QUEUE)
    async def attach(
@@ -517,7 +493,7 @@ class DockerInterface(JobGroup, ABC):
        """Attach to running Docker container."""
        with suppress(docker.errors.DockerException, requests.RequestException):
            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+                self.sys_docker.containers_legacy.get, self.name
            )
            self._meta = docker_container.attrs
            self.sys_docker.monitor.watch_container(docker_container)
@@ -543,7 +519,9 @@ class DockerInterface(JobGroup, ABC):

        # Successful?
        if not self._meta:
-            raise DockerError()
+            raise DockerError(
+                f"Could not get metadata on container or image for {self.name}"
+            )
        _LOGGER.info("Attaching to %s with version %s", self.image, self.version)

    @Job(
@@ -555,8 +533,11 @@ class DockerInterface(JobGroup, ABC):
        """Run Docker image."""
        raise NotImplementedError()

-    async def _run(self, **kwargs) -> None:
-        """Run Docker image with retry inf necessary."""
+    async def _run(self, *, name: str, **kwargs) -> None:
+        """Run Docker image with retry if necessary."""
+        if not (image := self.image):
+            raise ValueError(f"Cannot determine image to use to run {self.name}!")
+
        if await self.is_running():
            return

@@ -565,16 +546,14 @@ class DockerInterface(JobGroup, ABC):

        # Create & Run container
        try:
-            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.run, self.image, **kwargs
-            )
+            container_metadata = await self.sys_docker.run(image, name=name, **kwargs)
        except DockerNotFound as err:
            # If image is missing, capture the exception as this shouldn't happen
            await async_capture_exception(err)
            raise

        # Store metadata
-        self._meta = docker_container.attrs
+        self._meta = container_metadata

    @Job(
        name="docker_interface_stop",
@@ -633,9 +612,7 @@ class DockerInterface(JobGroup, ABC):
        expected_cpu_arch: CpuArch | None = None,
    ) -> None:
        """Check we have expected image with correct arch."""
-        expected_image_cpu_arch = (
-            str(expected_cpu_arch) if expected_cpu_arch else self.sys_arch.supervisor
-        )
+        arch = expected_cpu_arch or self.sys_arch.supervisor
        image_name = f"{expected_image}:{version!s}"
        if self.image == expected_image:
            try:
@@ -653,7 +630,7 @@ class DockerInterface(JobGroup, ABC):
            # If we have an image and its the right arch, all set
            # It seems that newer Docker version return a variant for arm64 images.
            # Make sure we match linux/arm64 and linux/arm64/v8.
-            expected_image_arch = MAP_ARCH[expected_image_cpu_arch]
+            expected_image_arch = MAP_ARCH[arch]
            if image_arch.startswith(expected_image_arch):
                return
            _LOGGER.info(
@@ -666,7 +643,7 @@ class DockerInterface(JobGroup, ABC):
        # We're missing the image we need. Stop and clean up what we have then pull the right one
        with suppress(DockerError):
            await self.remove()
-        await self.install(version, expected_image, arch=expected_image_cpu_arch)
+        await self.install(version, expected_image, arch=arch)

    @Job(
        name="docker_interface_update",
@@ -748,14 +725,8 @@ class DockerInterface(JobGroup, ABC):

    async def is_failed(self) -> bool:
        """Return True if Docker is failing state."""
-        try:
-            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
-            )
-        except docker.errors.NotFound:
+        if not (docker_container := await self._get_container()):
            return False
-        except (docker.errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err

        # container is not running
        if docker_container.status != "exited":
--- a/supervisor/docker/manager.py
+++ b/supervisor/docker/manager.py
@@ -13,10 +13,12 @@ import logging
 import os
 from pathlib import Path
 import re
-from typing import Any, Final, Self, cast
+from typing import Any, Final, Literal, Self, cast

 import aiodocker
+from aiodocker.containers import DockerContainers
 from aiodocker.images import DockerImages
+from aiodocker.types import JSONObject
 from aiohttp import ClientSession, ClientTimeout, UnixConnector
 import attr
 from awesomeversion import AwesomeVersion, AwesomeVersionCompareException
@@ -49,9 +51,19 @@ from ..exceptions import (
 )
 from ..utils.common import FileConfiguration
 from ..validate import SCHEMA_DOCKER_CONFIG
-from .const import LABEL_MANAGED
+from .const import (
+    DOCKER_HUB,
+    DOCKER_HUB_LEGACY,
+    LABEL_MANAGED,
+    Capabilities,
+    DockerMount,
+    MountType,
+    RestartPolicy,
+    Ulimit,
+)
 from .monitor import DockerMonitor
 from .network import DockerNetwork
+from .utils import get_registry_from_image

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -76,15 +88,25 @@ class DockerInfo:
    storage: str = attr.ib()
    logging: str = attr.ib()
    cgroup: str = attr.ib()
+    support_cpu_realtime: bool = attr.ib()

    @staticmethod
-    def new(data: dict[str, Any]):
+    async def new(data: dict[str, Any]) -> DockerInfo:
        """Create a object from docker info."""
+        # Check if CONFIG_RT_GROUP_SCHED is loaded (blocking I/O in executor)
+        cpu_rt_file_exists = await asyncio.get_running_loop().run_in_executor(
+            None, Path("/sys/fs/cgroup/cpu/cpu.rt_runtime_us").exists
+        )
+        cpu_rt_supported = (
+            cpu_rt_file_exists and os.environ.get(ENV_SUPERVISOR_CPU_RT) == "1"
+        )
+
        return DockerInfo(
            AwesomeVersion(data.get("ServerVersion", "0.0.0")),
            data.get("Driver", "unknown"),
            data.get("LoggingDriver", "unknown"),
            data.get("CgroupVersion", "1"),
+            cpu_rt_supported,
        )

    @property
@@ -95,23 +117,21 @@ class DockerInfo:
        except AwesomeVersionCompareException:
            return False

-    @property
-    def support_cpu_realtime(self) -> bool:
-        """Return true, if CONFIG_RT_GROUP_SCHED is loaded."""
-        if not Path("/sys/fs/cgroup/cpu/cpu.rt_runtime_us").exists():
-            return False
-        return bool(os.environ.get(ENV_SUPERVISOR_CPU_RT) == "1")
-

@dataclass(frozen=True, slots=True)
 class PullProgressDetail:
    """Progress detail information for pull.

    Documentation lacking but both of these seem to be in bytes when populated.
+
+    Containerd-snapshot update - When leveraging this new feature, this information
+    becomes useless to us while extracting. It simply tells elapsed time using
+    current and units.
    """

    current: int | None = None
    total: int | None = None
+    units: str | None = None

    @classmethod
    def from_pull_log_dict(cls, value: dict[str, int]) -> PullProgressDetail:
@@ -199,6 +219,33 @@ class DockerConfig(FileConfiguration):
        """Return credentials for docker registries."""
        return self._data.get(ATTR_REGISTRIES, {})

+    def get_registry_for_image(self, image: str) -> str | None:
+        """Return the registry name if credentials are available for the image.
+
+        Matches the image against configured registries and returns the registry
+        name if found, or None if no matching credentials are configured.
+
+        Uses Docker's domain detection logic from:
+        vendor/github.com/distribution/reference/normalize.go
+        """
+        if not self.registries:
+            return None
+
+        # Check if image uses a custom registry (e.g., ghcr.io/org/image)
+        registry = get_registry_from_image(image)
+        if registry:
+            if registry in self.registries:
+                return registry
+        else:
+            # No registry prefix means Docker Hub
+            # Support both docker.io (official) and hub.docker.com (legacy)
+            if DOCKER_HUB in self.registries:
+                return DOCKER_HUB
+            if DOCKER_HUB_LEGACY in self.registries:
+                return DOCKER_HUB_LEGACY
+
+        return None
+

 class DockerAPI(CoreSysAttributes):
    """Docker Supervisor wrapper.
@@ -234,7 +281,7 @@ class DockerAPI(CoreSysAttributes):
                timeout=900,
            ),
        )
-        self._info = DockerInfo.new(self.dockerpy.info())
+        self._info = await DockerInfo.new(self.dockerpy.info())
        await self.config.read_data()
        self._network = await DockerNetwork(self.dockerpy).post_init(
            self.config.enable_ipv6, self.config.mtu
@@ -261,8 +308,13 @@ class DockerAPI(CoreSysAttributes):
        return self.docker.images

    @property
-    def containers(self) -> ContainerCollection:
+    def containers(self) -> DockerContainers:
        """Return API containers."""
+        return self.docker.containers
+
+    @property
+    def containers_legacy(self) -> ContainerCollection:
+        """Return API containers from Dockerpy."""
        return self.dockerpy.containers

    @property
@@ -295,50 +347,137 @@ class DockerAPI(CoreSysAttributes):
        """Stop docker events monitor."""
        await self.monitor.unload()

-    def run(
+    def _create_container_config(
        self,
        image: str,
+        *,
        tag: str = "latest",
        dns: bool = True,
-        ipv4: IPv4Address | None = None,
-        **kwargs: Any,
-    ) -> Container:
-        """Create a Docker container and run it.
+        init: bool = False,
+        hostname: str | None = None,
+        detach: bool = True,
+        security_opt: list[str] | None = None,
+        restart_policy: dict[str, RestartPolicy] | None = None,
+        extra_hosts: dict[str, IPv4Address] | None = None,
+        environment: dict[str, str | None] | None = None,
+        mounts: list[DockerMount] | None = None,
+        ports: dict[str, str | int | None] | None = None,
+        oom_score_adj: int | None = None,
+        network_mode: Literal["host"] | None = None,
+        privileged: bool = False,
+        device_cgroup_rules: list[str] | None = None,
+        tmpfs: dict[str, str] | None = None,
+        entrypoint: list[str] | None = None,
+        cap_add: list[Capabilities] | None = None,
+        ulimits: list[Ulimit] | None = None,
+        cpu_rt_runtime: int | None = None,
+        stdin_open: bool = False,
+        pid_mode: str | None = None,
+        uts_mode: str | None = None,
+    ) -> JSONObject:
+        """Map kwargs to create container config.

-        Need run inside executor.
+        This only covers the docker options we currently use. It is not intended
+        to be exhaustive as its dockerpy equivalent was. We'll add to it as we
+        make use of new feature.
        """
-        name: str | None = kwargs.get("name")
-        network_mode: str | None = kwargs.get("network_mode")
-        hostname: str | None = kwargs.get("hostname")
+        # Set up host dependent config for container
+        host_config: dict[str, Any] = {
+            "NetworkMode": network_mode if network_mode else "default",
+            "Init": init,
+            "Privileged": privileged,
+        }
+        if security_opt:
+            host_config["SecurityOpt"] = security_opt
+        if restart_policy:
+            host_config["RestartPolicy"] = restart_policy
+        if extra_hosts:
+            host_config["ExtraHosts"] = [f"{k}:{v}" for k, v in extra_hosts.items()]
+        if mounts:
+            host_config["Mounts"] = [mount.to_dict() for mount in mounts]
+        if oom_score_adj is not None:
+            host_config["OomScoreAdj"] = oom_score_adj
+        if device_cgroup_rules:
+            host_config["DeviceCgroupRules"] = device_cgroup_rules
+        if tmpfs:
+            host_config["Tmpfs"] = tmpfs
+        if cap_add:
+            host_config["CapAdd"] = cap_add
+        if cpu_rt_runtime is not None:
+            host_config["CPURealtimeRuntime"] = cpu_rt_runtime
+        if pid_mode:
+            host_config["PidMode"] = pid_mode
+        if uts_mode:
+            host_config["UtsMode"] = uts_mode
+        if ulimits:
+            host_config["Ulimits"] = [limit.to_dict() for limit in ulimits]

-        if "labels" not in kwargs:
-            kwargs["labels"] = {}
-        elif isinstance(kwargs["labels"], list):
-            kwargs["labels"] = dict.fromkeys(kwargs["labels"], "")
+        # Full container config
+        config: dict[str, Any] = {
+            "Image": f"{image}:{tag}",
+            "Labels": {LABEL_MANAGED: ""},
+            "OpenStdin": stdin_open,
+            "StdinOnce": not detach and stdin_open,
+            "AttachStdin": not detach and stdin_open,
+            "AttachStdout": not detach,
+            "AttachStderr": not detach,
+            "HostConfig": host_config,
+        }
+        if hostname:
+            config["Hostname"] = hostname
+        if environment:
+            config["Env"] = [
+                env if val is None else f"{env}={val}"
+                for env, val in environment.items()
+            ]
+        if entrypoint:
+            config["Entrypoint"] = entrypoint

-        kwargs["labels"][LABEL_MANAGED] = ""
-
-        # Setup DNS
+        # Set up networking
        if dns:
-            kwargs["dns"] = [str(self.network.dns)]
-            kwargs["dns_search"] = [DNS_SUFFIX]
+            host_config["Dns"] = [str(self.network.dns)]
+            host_config["DnsSearch"] = [DNS_SUFFIX]
            # CoreDNS forward plug-in fails in ~6s, then fallback triggers.
            # However, the default timeout of glibc and musl is 5s. Increase
            # default timeout to make sure CoreDNS fallback is working
            # on first query.
-            kwargs["dns_opt"] = ["timeout:10"]
+            host_config["DnsOptions"] = ["timeout:10"]
            if hostname:
-                kwargs["domainname"] = DNS_SUFFIX
+                config["Domainname"] = DNS_SUFFIX

-        # Setup network
-        if not network_mode:
-            kwargs["network"] = None
+        # Setup ports
+        if ports:
+            port_bindings = {
+                port if "/" in port else f"{port}/tcp": [
+                    {"HostIp": "", "HostPort": str(host_port) if host_port else ""}
+                ]
+                for port, host_port in ports.items()
+            }
+            config["ExposedPorts"] = {port: {} for port in port_bindings}
+            host_config["PortBindings"] = port_bindings
+
+        return config
+
+    async def run(
+        self,
+        image: str,
+        *,
+        name: str,
+        tag: str = "latest",
+        hostname: str | None = None,
+        mounts: list[DockerMount] | None = None,
+        network_mode: Literal["host"] | None = None,
+        ipv4: IPv4Address | None = None,
+        **kwargs,
+    ) -> dict[str, Any]:
+        """Create a Docker container and run it."""
+        if not image or not name:
+            raise ValueError("image, name and tag cannot be an empty string!")

        # Setup cidfile and bind mount it
-        cidfile_path = None
-        if name:
-            cidfile_path = self.coresys.config.path_cid_files / f"{name}.cid"
+        cidfile_path = self.coresys.config.path_cid_files / f"{name}.cid"

+        def create_cidfile() -> None:
            # Remove the file/directory if it exists e.g. as a leftover from unclean shutdown
            # Note: Can be a directory if Docker auto-started container with restart policy
            # before Supervisor could write the CID file
@@ -352,31 +491,37 @@ class DockerAPI(CoreSysAttributes):
            # from creating it as a directory if container auto-starts
            cidfile_path.touch()

-            extern_cidfile_path = (
-                self.coresys.config.path_extern_cid_files / f"{name}.cid"
-            )
+        await self.sys_run_in_executor(create_cidfile)

-            # Bind mount to /run/cid in container
-            if "volumes" not in kwargs:
-                kwargs["volumes"] = {}
-            kwargs["volumes"][str(extern_cidfile_path)] = {
-                "bind": "/run/cid",
-                "mode": "ro",
-            }
+        # Bind mount to /run/cid in container
+        extern_cidfile_path = self.coresys.config.path_extern_cid_files / f"{name}.cid"
+        cid_mount = DockerMount(
+            type=MountType.BIND,
+            source=extern_cidfile_path.as_posix(),
+            target="/run/cid",
+            read_only=True,
+        )
+        if mounts is None:
+            mounts = [cid_mount]
+        else:
+            mounts = [*mounts, cid_mount]

        # Create container
+        config = self._create_container_config(
+            image,
+            tag=tag,
+            hostname=hostname,
+            mounts=mounts,
+            network_mode=network_mode,
+            **kwargs,
+        )
        try:
-            container = self.containers.create(
-                f"{image}:{tag}", use_config_proxy=False, **kwargs
-            )
-            if cidfile_path:
-                with cidfile_path.open("w", encoding="ascii") as cidfile:
-                    cidfile.write(str(container.id))
-        except docker_errors.NotFound as err:
-            raise DockerNotFound(
-                f"Image {image}:{tag} does not exist for {name}", _LOGGER.error
-            ) from err
-        except docker_errors.DockerException as err:
+            container = await self.containers.create(config, name=name)
+        except aiodocker.DockerError as err:
+            if err.status == HTTPStatus.NOT_FOUND:
+                raise DockerNotFound(
+                    f"Image {image}:{tag} does not exist for {name}", _LOGGER.error
+                ) from err
            raise DockerAPIError(
                f"Can't create container from {name}: {err}", _LOGGER.error
            ) from err
@@ -385,43 +530,62 @@ class DockerAPI(CoreSysAttributes):
                f"Dockerd connection issue for {name}: {err}", _LOGGER.error
            ) from err

-        # Attach network
-        if not network_mode:
-            alias = [hostname] if hostname else None
-            try:
-                self.network.attach_container(container, alias=alias, ipv4=ipv4)
-            except DockerError:
-                _LOGGER.warning("Can't attach %s to hassio-network!", name)
-            else:
-                with suppress(DockerError):
-                    self.network.detach_default_bridge(container)
-        else:
-            host_network: Network = self.dockerpy.networks.get(DOCKER_NETWORK_HOST)
+        # Get container metadata
+        try:
+            container_attrs = await container.show()
+        except aiodocker.DockerError as err:
+            raise DockerAPIError(
+                f"Can't inspect new container {name}: {err}", _LOGGER.error
+            ) from err
+        except requests.RequestException as err:
+            raise DockerRequestError(
+                f"Dockerd connection issue for {name}: {err}", _LOGGER.error
+            ) from err

-            # Check if container is register on host
-            # https://github.com/moby/moby/issues/23302
-            if name and name in (
-                val.get("Name")
-                for val in host_network.attrs.get("Containers", {}).values()
-            ):
-                with suppress(docker_errors.NotFound):
-                    host_network.disconnect(name, force=True)
+        # Setup network and store container id in cidfile
+        def setup_network_and_cidfile() -> None:
+            # Write cidfile
+            with cidfile_path.open("w", encoding="ascii") as cidfile:
+                cidfile.write(str(container.id))
+
+            # Attach network
+            if not network_mode:
+                alias = [hostname] if hostname else None
+                try:
+                    self.network.attach_container(
+                        container.id, name, alias=alias, ipv4=ipv4
+                    )
+                except DockerError:
+                    _LOGGER.warning("Can't attach %s to hassio-network!", name)
+                else:
+                    with suppress(DockerError):
+                        self.network.detach_default_bridge(container.id, name)
+            else:
+                host_network: Network = self.dockerpy.networks.get(DOCKER_NETWORK_HOST)
+
+                # Check if container is register on host
+                # https://github.com/moby/moby/issues/23302
+                if name and name in (
+                    val.get("Name")
+                    for val in host_network.attrs.get("Containers", {}).values()
+                ):
+                    with suppress(docker_errors.NotFound):
+                        host_network.disconnect(name, force=True)
+
+        await self.sys_run_in_executor(setup_network_and_cidfile)

        # Run container
        try:
-            container.start()
-        except docker_errors.DockerException as err:
+            await container.start()
+        except aiodocker.DockerError as err:
            raise DockerAPIError(f"Can't start {name}: {err}", _LOGGER.error) from err
        except requests.RequestException as err:
            raise DockerRequestError(
                f"Dockerd connection issue for {name}: {err}", _LOGGER.error
            ) from err

-        # Update metadata
-        with suppress(docker_errors.DockerException, requests.RequestException):
-            container.reload()
-
-        return container
+        # Return metadata
+        return container_attrs

    async def pull_image(
        self,
@@ -429,6 +593,7 @@ class DockerAPI(CoreSysAttributes):
        repository: str,
        tag: str = "latest",
        platform: str | None = None,
+        auth: dict[str, str] | None = None,
    ) -> dict[str, Any]:
        """Pull the specified image and return it.

@@ -437,8 +602,10 @@ class DockerAPI(CoreSysAttributes):
        raises only if the get fails afterwards. Additionally it fires progress reports for the pull
        on the bus so listeners can use that to update status for users.
        """
+        # Use timeout=None to disable timeout for pull operations, matching docker-py behavior.
+        # aiodocker converts None to ClientTimeout(total=None) which disables the timeout.
        async for e in self.images.pull(
-            repository, tag=tag, platform=platform, stream=True
+            repository, tag=tag, platform=platform, auth=auth, stream=True, timeout=None
        ):
            entry = PullLogEntry.from_pull_log_dict(job_id, e)
            if entry.error:
@@ -571,16 +738,24 @@ class DockerAPI(CoreSysAttributes):
    ) -> bool:
        """Return True if docker container exists in good state and is built from expected image."""
        try:
-            docker_container = await self.sys_run_in_executor(self.containers.get, name)
+            docker_container = await self.sys_run_in_executor(
+                self.containers_legacy.get, name
+            )
            docker_image = await self.images.inspect(f"{image}:{version}")
        except docker_errors.NotFound:
            return False
        except aiodocker.DockerError as err:
            if err.status == HTTPStatus.NOT_FOUND:
                return False
-            raise DockerError() from err
+            raise DockerError(
+                f"Could not get container {name} or image {image}:{version} to check state: {err!s}",
+                _LOGGER.error,
+            ) from err
        except (docker_errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err
+            raise DockerError(
+                f"Could not get container {name} or image {image}:{version} to check state: {err!s}",
+                _LOGGER.error,
+            ) from err

        # Check the image is correct and state is good
        return (
@@ -594,11 +769,15 @@ class DockerAPI(CoreSysAttributes):
    ) -> None:
        """Stop/remove Docker container."""
        try:
-            docker_container: Container = self.containers.get(name)
+            docker_container: Container = self.containers_legacy.get(name)
        except docker_errors.NotFound:
+            # Generally suppressed so we don't log this
            raise DockerNotFound() from None
        except (docker_errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err
+            raise DockerError(
+                f"Could not get container {name} for stopping: {err!s}",
+                _LOGGER.error,
+            ) from err

        if docker_container.status == "running":
            _LOGGER.info("Stopping %s application", name)
@@ -617,7 +796,7 @@ class DockerAPI(CoreSysAttributes):
    def start_container(self, name: str) -> None:
        """Start Docker container."""
        try:
-            docker_container: Container = self.containers.get(name)
+            docker_container: Container = self.containers_legacy.get(name)
        except docker_errors.NotFound:
            raise DockerNotFound(
                f"{name} not found for starting up", _LOGGER.error
@@ -636,11 +815,15 @@ class DockerAPI(CoreSysAttributes):
    def restart_container(self, name: str, timeout: int) -> None:
        """Restart docker container."""
        try:
-            container: Container = self.containers.get(name)
+            container: Container = self.containers_legacy.get(name)
        except docker_errors.NotFound:
-            raise DockerNotFound() from None
+            raise DockerNotFound(
+                f"Container {name} not found for restarting", _LOGGER.warning
+            ) from None
        except (docker_errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err
+            raise DockerError(
+                f"Could not get container {name} for restarting: {err!s}", _LOGGER.error
+            ) from err

        _LOGGER.info("Restarting %s", name)
        try:
@@ -651,11 +834,15 @@ class DockerAPI(CoreSysAttributes):
    def container_logs(self, name: str, tail: int = 100) -> bytes:
        """Return Docker logs of container."""
        try:
-            docker_container: Container = self.containers.get(name)
+            docker_container: Container = self.containers_legacy.get(name)
        except docker_errors.NotFound:
-            raise DockerNotFound() from None
+            raise DockerNotFound(
+                f"Container {name} not found for logs", _LOGGER.warning
+            ) from None
        except (docker_errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err
+            raise DockerError(
+                f"Could not get container {name} for logs: {err!s}", _LOGGER.error
+            ) from err

        try:
            return docker_container.logs(tail=tail, stdout=True, stderr=True)
@@ -667,18 +854,23 @@ class DockerAPI(CoreSysAttributes):
    def container_stats(self, name: str) -> dict[str, Any]:
        """Read and return stats from container."""
        try:
-            docker_container: Container = self.containers.get(name)
+            docker_container: Container = self.containers_legacy.get(name)
        except docker_errors.NotFound:
-            raise DockerNotFound() from None
+            raise DockerNotFound(
+                f"Container {name} not found for stats", _LOGGER.warning
+            ) from None
        except (docker_errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err
+            raise DockerError(
+                f"Could not inspect container '{name}': {err!s}", _LOGGER.error
+            ) from err

        # container is not running
        if docker_container.status != "running":
            raise DockerError(f"Container {name} is not running", _LOGGER.error)

        try:
-            return docker_container.stats(stream=False)
+            # When stream=False, stats() returns dict, not Iterator
+            return cast(dict[str, Any], docker_container.stats(stream=False))
        except (docker_errors.DockerException, requests.RequestException) as err:
            raise DockerError(
                f"Can't read stats from {name}: {err}", _LOGGER.error
@@ -687,17 +879,23 @@ class DockerAPI(CoreSysAttributes):
    def container_run_inside(self, name: str, command: str) -> CommandReturn:
        """Execute a command inside Docker container."""
        try:
-            docker_container: Container = self.containers.get(name)
+            docker_container: Container = self.containers_legacy.get(name)
        except docker_errors.NotFound:
-            raise DockerNotFound() from None
+            raise DockerNotFound(
+                f"Container {name} not found for running command", _LOGGER.warning
+            ) from None
        except (docker_errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err
+            raise DockerError(
+                f"Can't get container {name} to run command: {err!s}"
+            ) from err

        # Execute
        try:
            code, output = docker_container.exec_run(command)
        except (docker_errors.DockerException, requests.RequestException) as err:
-            raise DockerError() from err
+            raise DockerError(
+                f"Can't run command in container {name}: {err!s}"
+            ) from err

        return CommandReturn(code, output)

@@ -730,7 +928,7 @@ class DockerAPI(CoreSysAttributes):
        """Import a tar file as image."""
        try:
            with tar_file.open("rb") as read_tar:
-                resp: list[dict[str, Any]] = self.images.import_image(read_tar)
+                resp: list[dict[str, Any]] = await self.images.import_image(read_tar)
        except (aiodocker.DockerError, OSError) as err:
            raise DockerError(
                f"Can't import image from tar: {err}", _LOGGER.error
--- a/supervisor/docker/network.py
+++ b/supervisor/docker/network.py
@@ -7,6 +7,7 @@ import logging
 from typing import Self, cast

 import docker
+from docker.models.networks import Network
 import requests

 from ..const import (
@@ -59,7 +60,7 @@ class DockerNetwork:
    def __init__(self, docker_client: docker.DockerClient):
        """Initialize internal Supervisor network."""
        self.docker: docker.DockerClient = docker_client
-        self._network: docker.models.networks.Network
+        self._network: Network

    async def post_init(
        self, enable_ipv6: bool | None = None, mtu: int | None = None
@@ -76,7 +77,7 @@ class DockerNetwork:
        return DOCKER_NETWORK

    @property
-    def network(self) -> docker.models.networks.Network:
+    def network(self) -> Network:
        """Return docker network."""
        return self._network

@@ -117,7 +118,7 @@ class DockerNetwork:

    def _get_network(
        self, enable_ipv6: bool | None = None, mtu: int | None = None
-    ) -> docker.models.networks.Network:
+    ) -> Network:
        """Get supervisor network."""
        try:
            if network := self.docker.networks.get(DOCKER_NETWORK):
@@ -218,7 +219,8 @@ class DockerNetwork:

    def attach_container(
        self,
-        container: docker.models.containers.Container,
+        container_id: str,
+        name: str,
        alias: list[str] | None = None,
        ipv4: IPv4Address | None = None,
    ) -> None:
@@ -231,15 +233,15 @@ class DockerNetwork:
            self.network.reload()

        # Check stale Network
-        if container.name and container.name in (
+        if name in (
            val.get("Name") for val in self.network.attrs.get("Containers", {}).values()
        ):
-            self.stale_cleanup(container.name)
+            self.stale_cleanup(name)

        # Attach Network
        try:
            self.network.connect(
-                container, aliases=alias, ipv4_address=str(ipv4) if ipv4 else None
+                container_id, aliases=alias, ipv4_address=str(ipv4) if ipv4 else None
            )
        except (
            docker.errors.NotFound,
@@ -248,7 +250,7 @@ class DockerNetwork:
            requests.RequestException,
        ) as err:
            raise DockerError(
-                f"Can't connect {container.name} to Supervisor network: {err}",
+                f"Can't connect {name} to Supervisor network: {err}",
                _LOGGER.error,
            ) from err

@@ -272,19 +274,20 @@ class DockerNetwork:
        ) as err:
            raise DockerError(f"Can't find {name}: {err}", _LOGGER.error) from err

-        if container.id not in self.containers:
-            self.attach_container(container, alias, ipv4)
+        if not (container_id := container.id):
+            raise DockerError(f"Received invalid metadata from docker for {name}")

-    def detach_default_bridge(
-        self, container: docker.models.containers.Container
-    ) -> None:
+        if container_id not in self.containers:
+            self.attach_container(container_id, name, alias, ipv4)
+
+    def detach_default_bridge(self, container_id: str, name: str) -> None:
        """Detach default Docker bridge.

        Need run inside executor.
        """
        try:
            default_network = self.docker.networks.get(DOCKER_NETWORK_DRIVER)
-            default_network.disconnect(container)
+            default_network.disconnect(container_id)
        except docker.errors.NotFound:
            pass
        except (
@@ -293,7 +296,7 @@ class DockerNetwork:
            requests.RequestException,
        ) as err:
            raise DockerError(
-                f"Can't disconnect {container.name} from default network: {err}",
+                f"Can't disconnect {name} from default network: {err}",
                _LOGGER.warning,
            ) from err

--- a/supervisor/docker/supervisor.py
+++ b/supervisor/docker/supervisor.py
@@ -54,7 +54,7 @@ class DockerSupervisor(DockerInterface):
        """Attach to running docker container."""
        try:
            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+                self.sys_docker.containers_legacy.get, self.name
            )
        except (docker.errors.DockerException, requests.RequestException) as err:
            raise DockerError() from err
@@ -74,7 +74,8 @@ class DockerSupervisor(DockerInterface):
        _LOGGER.info("Connecting Supervisor to hassio-network")
        await self.sys_run_in_executor(
            self.sys_docker.network.attach_container,
-            docker_container,
+            docker_container.id,
+            self.name,
            alias=["supervisor"],
            ipv4=self.sys_docker.network.supervisor,
        )
@@ -90,7 +91,7 @@ class DockerSupervisor(DockerInterface):
        Need run inside executor.
        """
        try:
-            docker_container = self.sys_docker.containers.get(self.name)
+            docker_container = self.sys_docker.containers_legacy.get(self.name)
        except (docker.errors.DockerException, requests.RequestException) as err:
            raise DockerError(
                f"Could not get Supervisor container for retag: {err}", _LOGGER.error
@@ -118,7 +119,7 @@ class DockerSupervisor(DockerInterface):
        """Update start tag to new version."""
        try:
            docker_container = await self.sys_run_in_executor(
-                self.sys_docker.containers.get, self.name
+                self.sys_docker.containers_legacy.get, self.name
            )
            docker_image = await self.sys_docker.images.inspect(f"{image}:{version!s}")
        except (
--- a/supervisor/docker/utils.py
+++ b/supervisor/docker/utils.py
@@ -0,0 +1,57 @@
+"""Docker utilities."""
+
+from __future__ import annotations
+
+import re
+
+# Docker image reference domain regex
+# Based on Docker's reference implementation:
+# vendor/github.com/distribution/reference/normalize.go
+#
+# A domain is detected if the part before the first / contains:
+# - "localhost" (with optional port)
+# - Contains "." (like registry.example.com or 127.0.0.1)
+# - Contains ":" (like myregistry:5000)
+# - IPv6 addresses in brackets (like [::1]:5000)
+#
+# Note: Docker also treats uppercase letters as registry indicators since
+# namespaces must be lowercase, but this regex handles lowercase matching
+# and the get_registry_from_image() function validates the registry rules.
+IMAGE_REGISTRY_REGEX = re.compile(
+    r"^(?P<registry>"
+    r"localhost(?::[0-9]+)?|"  # localhost with optional port
+    r"(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])"  # domain component
+    r"(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))*"  # more components
+    r"(?::[0-9]+)?|"  # optional port
+    r"\[[a-fA-F0-9:]+\](?::[0-9]+)?"  # IPv6 with optional port
+    r")/"  # must be followed by /
+)
+
+
+def get_registry_from_image(image_ref: str) -> str | None:
+    """Extract registry from Docker image reference.
+
+    Returns the registry if the image reference contains one,
+    or None if the image uses Docker Hub (docker.io).
+
+    Based on Docker's reference implementation:
+    vendor/github.com/distribution/reference/normalize.go
+
+    Examples:
+        get_registry_from_image("nginx")                        -> None (docker.io)
+        get_registry_from_image("library/nginx")                -> None (docker.io)
+        get_registry_from_image("myregistry.com/nginx")         -> "myregistry.com"
+        get_registry_from_image("localhost/myimage")            -> "localhost"
+        get_registry_from_image("localhost:5000/myimage")       -> "localhost:5000"
+        get_registry_from_image("registry.io:5000/org/app:v1")  -> "registry.io:5000"
+        get_registry_from_image("[::1]:5000/myimage")           -> "[::1]:5000"
+
+    """
+    match = IMAGE_REGISTRY_REGEX.match(image_ref)
+    if match:
+        registry = match.group("registry")
+        # Must contain '.' or ':' or be 'localhost' to be a real registry
+        # This prevents treating "myuser/myimage" as having registry "myuser"
+        if "." in registry or ":" in registry or registry == "localhost":
+            return registry
+    return None  # No registry = Docker Hub (docker.io)
--- a/supervisor/exceptions.py
+++ b/supervisor/exceptions.py
@@ -1,25 +1,25 @@
 """Core Exceptions."""

-from collections.abc import Callable
+from collections.abc import Callable, Mapping
 from typing import Any

+MESSAGE_CHECK_SUPERVISOR_LOGS = (
+    "Check supervisor logs for details (check with '{logs_command}')"
+)
+EXTRA_FIELDS_LOGS_COMMAND = {"logs_command": "ha supervisor logs"}
+

 class HassioError(Exception):
    """Root exception."""

    error_key: str | None = None
    message_template: str | None = None
+    extra_fields: dict[str, Any] | None = None

    def __init__(
-        self,
-        message: str | None = None,
-        logger: Callable[..., None] | None = None,
-        *,
-        extra_fields: dict[str, Any] | None = None,
+        self, message: str | None = None, logger: Callable[..., None] | None = None
    ) -> None:
        """Raise & log."""
-        self.extra_fields = extra_fields or {}
-
        if not message and self.message_template:
            message = (
                self.message_template.format(**self.extra_fields)
@@ -41,6 +41,94 @@ class HassioNotSupportedError(HassioError):
    """Function is not supported."""


+# API
+
+
+class APIError(HassioError, RuntimeError):
+    """API errors."""
+
+    status = 400
+    headers: Mapping[str, str] | None = None
+
+    def __init__(
+        self,
+        message: str | None = None,
+        logger: Callable[..., None] | None = None,
+        *,
+        headers: Mapping[str, str] | None = None,
+        job_id: str | None = None,
+    ) -> None:
+        """Raise & log, optionally with job."""
+        super().__init__(message, logger)
+        self.headers = headers
+        self.job_id = job_id
+
+
+class APIUnauthorized(APIError):
+    """API unauthorized error."""
+
+    status = 401
+
+
+class APIForbidden(APIError):
+    """API forbidden error."""
+
+    status = 403
+
+
+class APINotFound(APIError):
+    """API not found error."""
+
+    status = 404
+
+
+class APIGone(APIError):
+    """API is no longer available."""
+
+    status = 410
+
+
+class APITooManyRequests(APIError):
+    """API too many requests error."""
+
+    status = 429
+
+
+class APIInternalServerError(APIError):
+    """API internal server error."""
+
+    status = 500
+
+
+class APIAddonNotInstalled(APIError):
+    """Not installed addon requested at addons API."""
+
+
+class APIDBMigrationInProgress(APIError):
+    """Service is unavailable due to an offline DB migration is in progress."""
+
+    status = 503
+
+
+class APIUnknownSupervisorError(APIError):
+    """Unknown error occurred within supervisor. Adds supervisor check logs rider to message template."""
+
+    status = 500
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        job_id: str | None = None,
+    ) -> None:
+        """Initialize exception."""
+        self.message_template = (
+            f"{self.message_template}. {MESSAGE_CHECK_SUPERVISOR_LOGS}"
+        )
+        self.extra_fields = (self.extra_fields or {}) | EXTRA_FIELDS_LOGS_COMMAND
+        super().__init__(None, logger, job_id=job_id)
+
+
 # JobManager


@@ -122,6 +210,13 @@ class SupervisorAppArmorError(SupervisorError):
    """Supervisor AppArmor error."""


+class SupervisorUnknownError(SupervisorError, APIUnknownSupervisorError):
+    """Raise when an unknown error occurs interacting with Supervisor or its container."""
+
+    error_key = "supervisor_unknown_error"
+    message_template = "An unknown error occurred with Supervisor"
+
+
 class SupervisorJobError(SupervisorError, JobException):
    """Raise on job errors."""

@@ -250,6 +345,54 @@ class AddonConfigurationError(AddonsError):
    """Error with add-on configuration."""


+class AddonConfigurationInvalidError(AddonConfigurationError, APIError):
+    """Raise if invalid configuration provided for addon."""
+
+    error_key = "addon_configuration_invalid_error"
+    message_template = "Add-on {addon} has invalid options: {validation_error}"
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        addon: str,
+        validation_error: str,
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon, "validation_error": validation_error}
+        super().__init__(None, logger)
+
+
+class AddonBootConfigCannotChangeError(AddonsError, APIError):
+    """Raise if user attempts to change addon boot config when it can't be changed."""
+
+    error_key = "addon_boot_config_cannot_change_error"
+    message_template = (
+        "Addon {addon} boot option is set to {boot_config} so it cannot be changed"
+    )
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str, boot_config: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon, "boot_config": boot_config}
+        super().__init__(None, logger)
+
+
+class AddonNotRunningError(AddonsError, APIError):
+    """Raise when an addon is not running."""
+
+    error_key = "addon_not_running_error"
+    message_template = "Add-on {addon} is not running"
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(None, logger)
+
+
 class AddonNotSupportedError(HassioNotSupportedError):
    """Addon doesn't support a function."""

@@ -268,11 +411,8 @@ class AddonNotSupportedArchitectureError(AddonNotSupportedError):
        architectures: list[str],
    ) -> None:
        """Initialize exception."""
-        super().__init__(
-            None,
-            logger,
-            extra_fields={"slug": slug, "architectures": ", ".join(architectures)},
-        )
+        self.extra_fields = {"slug": slug, "architectures": ", ".join(architectures)}
+        super().__init__(None, logger)


 class AddonNotSupportedMachineTypeError(AddonNotSupportedError):
@@ -289,11 +429,8 @@ class AddonNotSupportedMachineTypeError(AddonNotSupportedError):
        machine_types: list[str],
    ) -> None:
        """Initialize exception."""
-        super().__init__(
-            None,
-            logger,
-            extra_fields={"slug": slug, "machine_types": ", ".join(machine_types)},
-        )
+        self.extra_fields = {"slug": slug, "machine_types": ", ".join(machine_types)}
+        super().__init__(None, logger)


 class AddonNotSupportedHomeAssistantVersionError(AddonNotSupportedError):
@@ -310,11 +447,96 @@ class AddonNotSupportedHomeAssistantVersionError(AddonNotSupportedError):
        version: str,
    ) -> None:
        """Initialize exception."""
-        super().__init__(
-            None,
-            logger,
-            extra_fields={"slug": slug, "version": version},
-        )
+        self.extra_fields = {"slug": slug, "version": version}
+        super().__init__(None, logger)
+
+
+class AddonNotSupportedWriteStdinError(AddonNotSupportedError, APIError):
+    """Addon does not support writing to stdin."""
+
+    error_key = "addon_not_supported_write_stdin_error"
+    message_template = "Add-on {addon} does not support writing to stdin"
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(None, logger)
+
+
+class AddonBuildDockerfileMissingError(AddonNotSupportedError, APIError):
+    """Raise when addon build invalid because dockerfile is missing."""
+
+    error_key = "addon_build_dockerfile_missing_error"
+    message_template = (
+        "Cannot build addon '{addon}' because dockerfile is missing. A repair "
+        "using '{repair_command}' will fix this if the cause is data "
+        "corruption. Otherwise please report this to the addon developer."
+    )
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon, "repair_command": "ha supervisor repair"}
+        super().__init__(None, logger)
+
+
+class AddonBuildArchitectureNotSupportedError(AddonNotSupportedError, APIError):
+    """Raise when addon cannot be built on system because it doesn't support its architecture."""
+
+    error_key = "addon_build_architecture_not_supported_error"
+    message_template = (
+        "Cannot build addon '{addon}' because its supported architectures "
+        "({addon_arches}) do not match the system supported architectures ({system_arches})"
+    )
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        addon: str,
+        addon_arch_list: list[str],
+        system_arch_list: list[str],
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {
+            "addon": addon,
+            "addon_arches": ", ".join(addon_arch_list),
+            "system_arches": ", ".join(system_arch_list),
+        }
+        super().__init__(None, logger)
+
+
+class AddonUnknownError(AddonsError, APIUnknownSupervisorError):
+    """Raise when unknown error occurs taking an action for an addon."""
+
+    error_key = "addon_unknown_error"
+    message_template = "An unknown error occurred with addon {addon}"
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(logger)
+
+
+class AddonBuildFailedUnknownError(AddonsError, APIUnknownSupervisorError):
+    """Raise when the build failed for an addon due to an unknown error."""
+
+    error_key = "addon_build_failed_unknown_error"
+    message_template = (
+        "An unknown error occurred while trying to build the image for addon {addon}"
+    )
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(logger)


 class AddonsJobError(AddonsError, JobException):
@@ -346,13 +568,64 @@ class AuthError(HassioError):
    """Auth errors."""


-class AuthPasswordResetError(HassioError):
+class AuthPasswordResetError(AuthError, APIError):
    """Auth error if password reset failed."""

+    error_key = "auth_password_reset_error"
+    message_template = "Username '{user}' does not exist. Check list of users using '{auth_list_command}'."

-class AuthListUsersError(HassioError):
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        user: str,
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"user": user, "auth_list_command": "ha auth list"}
+        super().__init__(None, logger)
+
+
+class AuthListUsersError(AuthError, APIUnknownSupervisorError):
    """Auth error if listing users failed."""

+    error_key = "auth_list_users_error"
+    message_template = "Can't request listing users on Home Assistant"
+
+
+class AuthListUsersNoneResponseError(AuthError, APIInternalServerError):
+    """Auth error if listing users returned invalid None response."""
+
+    error_key = "auth_list_users_none_response_error"
+    message_template = "Home Assistant returned invalid response of `{none}` instead of a list of users. Check Home Assistant logs for details (check with `{logs_command}`)"
+    extra_fields = {"none": "None", "logs_command": "ha core logs"}
+
+    def __init__(self, logger: Callable[..., None] | None = None) -> None:
+        """Initialize exception."""
+        super().__init__(None, logger)
+
+
+class AuthInvalidNonStringValueError(AuthError, APIUnauthorized):
+    """Auth error if something besides a string provided as username or password."""
+
+    error_key = "auth_invalid_non_string_value_error"
+    message_template = "Username and password must be strings"
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        headers: Mapping[str, str] | None = None,
+    ) -> None:
+        """Initialize exception."""
+        super().__init__(None, logger, headers=headers)
+
+
+class AuthHomeAssistantAPIValidationError(AuthError, APIUnknownSupervisorError):
+    """Error encountered trying to validate auth details via Home Assistant API."""
+
+    error_key = "auth_home_assistant_api_validation_error"
+    message_template = "Unable to validate authentication details with Home Assistant"
+

 # Host

@@ -385,60 +658,6 @@ class HostLogError(HostError):
    """Internal error with host log."""


-# API
-
-
-class APIError(HassioError, RuntimeError):
-    """API errors."""
-
-    status = 400
-
-    def __init__(
-        self,
-        message: str | None = None,
-        logger: Callable[..., None] | None = None,
-        *,
-        job_id: str | None = None,
-        error: HassioError | None = None,
-    ) -> None:
-        """Raise & log, optionally with job."""
-        # Allow these to be set from another error here since APIErrors essentially wrap others to add a status
-        self.error_key = error.error_key if error else None
-        self.message_template = error.message_template if error else None
-        super().__init__(
-            message, logger, extra_fields=error.extra_fields if error else None
-        )
-        self.job_id = job_id
-
-
-class APIForbidden(APIError):
-    """API forbidden error."""
-
-    status = 403
-
-
-class APINotFound(APIError):
-    """API not found error."""
-
-    status = 404
-
-
-class APIGone(APIError):
-    """API is no longer available."""
-
-    status = 410
-
-
-class APIAddonNotInstalled(APIError):
-    """Not installed addon requested at addons API."""
-
-
-class APIDBMigrationInProgress(APIError):
-    """Service is unavailable due to an offline DB migration is in progress."""
-
-    status = 503
-
-
 # Service / Discovery


@@ -616,6 +835,10 @@ class DockerError(HassioError):
    """Docker API/Transport errors."""


+class DockerBuildError(DockerError):
+    """Docker error during build."""
+
+
 class DockerAPIError(DockerError):
    """Docker API error."""

@@ -647,7 +870,7 @@ class DockerNoSpaceOnDevice(DockerError):
        super().__init__(None, logger=logger)


-class DockerHubRateLimitExceeded(DockerError):
+class DockerHubRateLimitExceeded(DockerError, APITooManyRequests):
    """Raise for docker hub rate limit exceeded error."""

    error_key = "dockerhub_rate_limit_exceeded"
@@ -655,16 +878,13 @@ class DockerHubRateLimitExceeded(DockerError):
        "Your IP address has made too many requests to Docker Hub which activated a rate limit. "
        "For more details see {dockerhub_rate_limit_url}"
    )
+    extra_fields = {
+        "dockerhub_rate_limit_url": "https://www.home-assistant.io/more-info/dockerhub-rate-limit"
+    }

    def __init__(self, logger: Callable[..., None] | None = None) -> None:
        """Raise & log."""
-        super().__init__(
-            None,
-            logger=logger,
-            extra_fields={
-                "dockerhub_rate_limit_url": "https://www.home-assistant.io/more-info/dockerhub-rate-limit"
-            },
-        )
+        super().__init__(None, logger=logger)


 class DockerJobError(DockerError, JobException):
@@ -735,6 +955,20 @@ class StoreNotFound(StoreError):
    """Raise if slug is not known."""


+class StoreAddonNotFoundError(StoreError, APINotFound):
+    """Raise if a requested addon is not in the store."""
+
+    error_key = "store_addon_not_found_error"
+    message_template = "Addon {addon} does not exist in the store"
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon}
+        super().__init__(None, logger)
+
+
 class StoreJobError(StoreError, JobException):
    """Raise on job error with git."""

@@ -770,7 +1004,7 @@ class BackupJobError(BackupError, JobException):
    """Raise on Backup job error."""


-class BackupFileNotFoundError(BackupError):
+class BackupFileNotFoundError(BackupError, APINotFound):
    """Raise if the backup file hasn't been found."""


@@ -782,6 +1016,55 @@ class BackupFileExistError(BackupError):
    """Raise if the backup file already exists."""


+class AddonBackupMetadataInvalidError(BackupError, APIError):
+    """Raise if invalid metadata file provided for addon in backup."""
+
+    error_key = "addon_backup_metadata_invalid_error"
+    message_template = (
+        "Metadata file for add-on {addon} in backup is invalid: {validation_error}"
+    )
+
+    def __init__(
+        self,
+        logger: Callable[..., None] | None = None,
+        *,
+        addon: str,
+        validation_error: str,
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {"addon": addon, "validation_error": validation_error}
+        super().__init__(None, logger)
+
+
+class AddonPrePostBackupCommandReturnedError(BackupError, APIError):
+    """Raise when addon's pre/post backup command returns an error."""
+
+    error_key = "addon_pre_post_backup_command_returned_error"
+    message_template = (
+        "Pre-/Post backup command for add-on {addon} returned error code: "
+        "{exit_code}. Please report this to the addon developer. Enable debug "
+        "logging to capture complete command output using {debug_logging_command}"
+    )
+
+    def __init__(
+        self, logger: Callable[..., None] | None = None, *, addon: str, exit_code: int
+    ) -> None:
+        """Initialize exception."""
+        self.extra_fields = {
+            "addon": addon,
+            "exit_code": exit_code,
+            "debug_logging_command": "ha supervisor options --logging debug",
+        }
+        super().__init__(None, logger)
+
+
+class BackupRestoreUnknownError(BackupError, APIUnknownSupervisorError):
+    """Raise when an unknown error occurs during backup or restore."""
+
+    error_key = "backup_restore_unknown_error"
+    message_template = "An unknown error occurred during backup/restore"
+
+
 # Security


--- a/supervisor/homeassistant/core.py
+++ b/supervisor/homeassistant/core.py
@@ -48,7 +48,7 @@ _LOGGER: logging.Logger = logging.getLogger(__name__)

 SECONDS_BETWEEN_API_CHECKS: Final[int] = 5
 # Core Stage 1 and some wiggle room
-STARTUP_API_RESPONSE_TIMEOUT: Final[timedelta] = timedelta(minutes=3)
+STARTUP_API_RESPONSE_TIMEOUT: Final[timedelta] = timedelta(minutes=10)
 # All stages plus event start timeout and some wiggle rooom
 STARTUP_API_CHECK_RUNNING_TIMEOUT: Final[timedelta] = timedelta(minutes=15)
 # While database migration is running, the timeout will be extended
--- a/supervisor/homeassistant/module.py
+++ b/supervisor/homeassistant/module.py
@@ -23,6 +23,7 @@ from ..const import (
    ATTR_AUDIO_OUTPUT,
    ATTR_BACKUPS_EXCLUDE_DATABASE,
    ATTR_BOOT,
+    ATTR_DUPLICATE_LOG_FILE,
    ATTR_IMAGE,
    ATTR_MESSAGE,
    ATTR_PORT,
@@ -299,6 +300,16 @@ class HomeAssistant(FileConfiguration, CoreSysAttributes):
        """Set whether backups should exclude database by default."""
        self._data[ATTR_BACKUPS_EXCLUDE_DATABASE] = value

+    @property
+    def duplicate_log_file(self) -> bool:
+        """Return True if Home Assistant should duplicate logs to file."""
+        return self._data[ATTR_DUPLICATE_LOG_FILE]
+
+    @duplicate_log_file.setter
+    def duplicate_log_file(self, value: bool) -> None:
+        """Set whether Home Assistant should duplicate logs to file."""
+        self._data[ATTR_DUPLICATE_LOG_FILE] = value
+
    async def load(self) -> None:
        """Prepare Home Assistant object."""
        await asyncio.wait(
--- a/supervisor/homeassistant/validate.py
+++ b/supervisor/homeassistant/validate.py
@@ -10,6 +10,7 @@ from ..const import (
    ATTR_AUDIO_OUTPUT,
    ATTR_BACKUPS_EXCLUDE_DATABASE,
    ATTR_BOOT,
+    ATTR_DUPLICATE_LOG_FILE,
    ATTR_IMAGE,
    ATTR_PORT,
    ATTR_REFRESH_TOKEN,
@@ -36,6 +37,7 @@ SCHEMA_HASS_CONFIG = vol.Schema(
        vol.Optional(ATTR_AUDIO_OUTPUT, default=None): vol.Maybe(str),
        vol.Optional(ATTR_AUDIO_INPUT, default=None): vol.Maybe(str),
        vol.Optional(ATTR_BACKUPS_EXCLUDE_DATABASE, default=False): vol.Boolean(),
+        vol.Optional(ATTR_DUPLICATE_LOG_FILE, default=False): vol.Boolean(),
        vol.Optional(ATTR_OVERRIDE_IMAGE, default=False): vol.Boolean(),
    },
    extra=vol.REMOVE_EXTRA,
--- a/supervisor/host/configuration.py
+++ b/supervisor/host/configuration.py
@@ -6,8 +6,8 @@ import logging
 import socket

 from ..dbus.const import (
+    ConnectionState,
    ConnectionStateFlags,
-    ConnectionStateType,
    DeviceType,
    InterfaceAddrGenMode as NMInterfaceAddrGenMode,
    InterfaceIp6Privacy as NMInterfaceIp6Privacy,
@@ -267,25 +267,47 @@ class Interface:
        return InterfaceMethod.DISABLED

    @staticmethod
-    def _map_nm_addr_gen_mode(addr_gen_mode: int) -> InterfaceAddrGenMode:
-        """Map IPv6 interface addr_gen_mode."""
+    def _map_nm_addr_gen_mode(addr_gen_mode: int | None) -> InterfaceAddrGenMode:
+        """Map IPv6 interface addr_gen_mode.
+
+        NetworkManager omits the addr_gen_mode property when set to DEFAULT, so we
+        treat None as DEFAULT here.
+        """
        mapping = {
            NMInterfaceAddrGenMode.EUI64.value: InterfaceAddrGenMode.EUI64,
            NMInterfaceAddrGenMode.STABLE_PRIVACY.value: InterfaceAddrGenMode.STABLE_PRIVACY,
            NMInterfaceAddrGenMode.DEFAULT_OR_EUI64.value: InterfaceAddrGenMode.DEFAULT_OR_EUI64,
+            NMInterfaceAddrGenMode.DEFAULT.value: InterfaceAddrGenMode.DEFAULT,
+            None: InterfaceAddrGenMode.DEFAULT,
        }

+        if addr_gen_mode not in mapping:
+            _LOGGER.warning(
+                "Unknown addr_gen_mode value from NetworkManager: %s", addr_gen_mode
+            )
+
        return mapping.get(addr_gen_mode, InterfaceAddrGenMode.DEFAULT)

    @staticmethod
-    def _map_nm_ip6_privacy(ip6_privacy: int) -> InterfaceIp6Privacy:
-        """Map IPv6 interface ip6_privacy."""
+    def _map_nm_ip6_privacy(ip6_privacy: int | None) -> InterfaceIp6Privacy:
+        """Map IPv6 interface ip6_privacy.
+
+        NetworkManager omits the ip6_privacy property when set to DEFAULT, so we
+        treat None as DEFAULT here.
+        """
        mapping = {
            NMInterfaceIp6Privacy.DISABLED.value: InterfaceIp6Privacy.DISABLED,
            NMInterfaceIp6Privacy.ENABLED_PREFER_PUBLIC.value: InterfaceIp6Privacy.ENABLED_PREFER_PUBLIC,
            NMInterfaceIp6Privacy.ENABLED.value: InterfaceIp6Privacy.ENABLED,
+            NMInterfaceIp6Privacy.DEFAULT.value: InterfaceIp6Privacy.DEFAULT,
+            None: InterfaceIp6Privacy.DEFAULT,
        }

+        if ip6_privacy not in mapping:
+            _LOGGER.warning(
+                "Unknown ip6_privacy value from NetworkManager: %s", ip6_privacy
+            )
+
        return mapping.get(ip6_privacy, InterfaceIp6Privacy.DEFAULT)

    @staticmethod
@@ -295,8 +317,8 @@ class Interface:
            return False

        return connection.state in (
-            ConnectionStateType.ACTIVATED,
-            ConnectionStateType.ACTIVATING,
+            ConnectionState.ACTIVATED,
+            ConnectionState.ACTIVATING,
        )

    @staticmethod
--- a/supervisor/host/network.py
+++ b/supervisor/host/network.py
@@ -16,7 +16,7 @@ from ..dbus.const import (
    DBUS_IFACE_DNS,
    DBUS_IFACE_NM,
    DBUS_SIGNAL_NM_CONNECTION_ACTIVE_CHANGED,
-    ConnectionStateType,
+    ConnectionState,
    ConnectivityState,
    DeviceType,
    WirelessMethodType,
@@ -338,16 +338,16 @@ class NetworkManager(CoreSysAttributes):
                # the state change before this point. Get the state currently to
                # avoid any race condition.
                await con.update()
-                state: ConnectionStateType = con.state
+                state: ConnectionState = con.state

-                while state != ConnectionStateType.ACTIVATED:
-                    if state == ConnectionStateType.DEACTIVATED:
+                while state != ConnectionState.ACTIVATED:
+                    if state == ConnectionState.DEACTIVATED:
                        raise HostNetworkError(
                            "Activating connection failed, check connection settings."
                        )

                    msg = await signal.wait_for_signal()
-                    state = msg[0]
+                    state = ConnectionState(msg[0])
                    _LOGGER.debug("Active connection state changed to %s", state)

        # update_only means not done by user so don't force a check afterwards
--- a/supervisor/jobs/init.py
+++ b/supervisor/jobs/init.py
@@ -9,7 +9,7 @@ from contextvars import Context, ContextVar, Token
 from dataclasses import dataclass
 from datetime import datetime
 import logging
-from typing import Any, Self
+from typing import Any, Self, cast
 from uuid import uuid4

 from attr.validators import gt, lt
@@ -102,13 +102,17 @@ class SupervisorJobError:
        "Unknown error, see Supervisor logs (check with 'ha supervisor logs')"
    )
    stage: str | None = None
+    error_key: str | None = None
+    extra_fields: dict[str, Any] | None = None

-    def as_dict(self) -> dict[str, str | None]:
+    def as_dict(self) -> dict[str, Any]:
        """Return dictionary representation."""
        return {
            "type": self.type_.__name__,
            "message": self.message,
            "stage": self.stage,
+            "error_key": self.error_key,
+            "extra_fields": self.extra_fields,
        }


@@ -158,7 +162,9 @@ class SupervisorJob:
    def capture_error(self, err: HassioError | None = None) -> None:
        """Capture an error or record that an unknown error has occurred."""
        if err:
-            new_error = SupervisorJobError(type(err), str(err), self.stage)
+            new_error = SupervisorJobError(
+                type(err), str(err), self.stage, err.error_key, err.extra_fields
+            )
        else:
            new_error = SupervisorJobError(stage=self.stage)
        self.errors += [new_error]
@@ -196,7 +202,7 @@ class SupervisorJob:
        self,
        progress: float | None = None,
        stage: str | None = None,
-        extra: dict[str, Any] | None = DEFAULT,  # type: ignore
+        extra: dict[str, Any] | None | type[DEFAULT] = DEFAULT,
        done: bool | None = None,
    ) -> None:
        """Update multiple fields with one on change event."""
@@ -207,8 +213,8 @@ class SupervisorJob:
            self.progress = progress
        if stage is not None:
            self.stage = stage
-        if extra != DEFAULT:
-            self.extra = extra
+        if extra is not DEFAULT:
+            self.extra = cast(dict[str, Any] | None, extra)

        # Done has special event. use that to trigger on change if included
        # If not then just use any other field to trigger
@@ -306,19 +312,21 @@ class JobManager(FileConfiguration, CoreSysAttributes):
        reference: str | None = None,
        initial_stage: str | None = None,
        internal: bool = False,
-        parent_id: str | None = DEFAULT,  # type: ignore
+        parent_id: str | None | type[DEFAULT] = DEFAULT,
        child_job_syncs: list[ChildJobSyncFilter] | None = None,
    ) -> SupervisorJob:
        """Create a new job."""
-        job = SupervisorJob(
-            name,
-            reference=reference,
-            stage=initial_stage,
-            on_change=self._on_job_change,
-            internal=internal,
-            child_job_syncs=child_job_syncs,
-            **({} if parent_id == DEFAULT else {"parent_id": parent_id}),  # type: ignore
-        )
+        kwargs: dict[str, Any] = {
+            "reference": reference,
+            "stage": initial_stage,
+            "on_change": self._on_job_change,
+            "internal": internal,
+            "child_job_syncs": child_job_syncs,
+        }
+        if parent_id is not DEFAULT:
+            kwargs["parent_id"] = parent_id
+
+        job = SupervisorJob(name, **kwargs)

        # Shouldn't happen but inability to find a parent for progress reporting
        # shouldn't raise and break the active job
--- a/supervisor/jobs/const.py
+++ b/supervisor/jobs/const.py
@@ -34,6 +34,7 @@ class JobCondition(StrEnum):
    PLUGINS_UPDATED = "plugins_updated"
    RUNNING = "running"
    SUPERVISOR_UPDATED = "supervisor_updated"
+    ARCHITECTURE_SUPPORTED = "architecture_supported"


 class JobConcurrency(StrEnum):
--- a/supervisor/jobs/decorator.py
+++ b/supervisor/jobs/decorator.py
@@ -441,6 +441,14 @@ class Job(CoreSysAttributes):
            raise JobConditionException(
                f"'{method_name}' blocked from execution, supervisor needs to be updated first"
            )
+        if (
+            JobCondition.ARCHITECTURE_SUPPORTED in used_conditions
+            and UnsupportedReason.SYSTEM_ARCHITECTURE
+            in coresys.sys_resolution.unsupported
+        ):
+            raise JobConditionException(
+                f"'{method_name}' blocked from execution, unsupported system architecture"
+            )

        if JobCondition.PLUGINS_UPDATED in used_conditions and (
            out_of_date := [
--- a/supervisor/misc/tasks.py
+++ b/supervisor/misc/tasks.py
@@ -1,5 +1,6 @@
 """A collection of tasks."""

+from contextlib import suppress
 from datetime import datetime, timedelta
 import logging
 from typing import cast
@@ -13,6 +14,7 @@ from ..exceptions import (
    BackupFileNotFoundError,
    HomeAssistantError,
    ObserverError,
+    SupervisorUpdateError,
 )
 from ..homeassistant.const import LANDINGPAGE, WSType
 from ..jobs.const import JobConcurrency
@@ -161,6 +163,7 @@ class Tasks(CoreSysAttributes):
            JobCondition.INTERNET_HOST,
            JobCondition.OS_SUPPORTED,
            JobCondition.RUNNING,
+            JobCondition.ARCHITECTURE_SUPPORTED,
        ],
        concurrency=JobConcurrency.REJECT,
    )
@@ -173,7 +176,11 @@ class Tasks(CoreSysAttributes):
            "Found new Supervisor version %s, updating",
            self.sys_supervisor.latest_version,
        )
-        await self.sys_supervisor.update()
+
+        # Errors are logged by the exceptions, we can't really do something
+        # if an update fails here.
+        with suppress(SupervisorUpdateError):
+            await self.sys_supervisor.update()

    async def _watchdog_homeassistant_api(self):
        """Create scheduler task for monitoring running state of API.
--- a/supervisor/mounts/mount.py
+++ b/supervisor/mounts/mount.py
@@ -135,7 +135,7 @@ class Mount(CoreSysAttributes, ABC):
    @property
    def state(self) -> UnitActiveState | None:
        """Get state of mount."""
-        return self._state
+        return UnitActiveState(self._state) if self._state is not None else None

    @cached_property
    def local_where(self) -> Path:
--- a/supervisor/plugins/const.py
+++ b/supervisor/plugins/const.py
@@ -23,4 +23,5 @@ PLUGIN_UPDATE_CONDITIONS = [
    JobCondition.HEALTHY,
    JobCondition.INTERNET_HOST,
    JobCondition.SUPERVISOR_UPDATED,
+    JobCondition.ARCHITECTURE_SUPPORTED,
 ]
--- a/supervisor/resolution/checks/network_interface_ipv4.py
+++ b/supervisor/resolution/checks/network_interface_ipv4.py
@@ -2,7 +2,7 @@

 from ...const import CoreState
 from ...coresys import CoreSys
-from ...dbus.const import ConnectionStateFlags, ConnectionStateType
+from ...dbus.const import ConnectionState, ConnectionStateFlags
 from ...dbus.network.interface import NetworkInterface
 from ...exceptions import NetworkInterfaceNotFound
 from ..const import ContextType, IssueType
@@ -47,7 +47,7 @@ class CheckNetworkInterfaceIPV4(CheckBase):

        return not (
            interface.connection.state
-            in [ConnectionStateType.ACTIVATED, ConnectionStateType.ACTIVATING]
+            in [ConnectionState.ACTIVATED, ConnectionState.ACTIVATING]
            and ConnectionStateFlags.IP4_READY in interface.connection.state_flags
        )

--- a/supervisor/resolution/const.py
+++ b/supervisor/resolution/const.py
@@ -58,6 +58,7 @@ class UnsupportedReason(StrEnum):
    SYSTEMD_JOURNAL = "systemd_journal"
    SYSTEMD_RESOLVED = "systemd_resolved"
    VIRTUALIZATION_IMAGE = "virtualization_image"
+    SYSTEM_ARCHITECTURE = "system_architecture"


 class UnhealthyReason(StrEnum):
--- a/supervisor/resolution/evaluations/container.py
+++ b/supervisor/resolution/evaluations/container.py
@@ -74,7 +74,9 @@ class EvaluateContainer(EvaluateBase):
        self._images.clear()

        try:
-            containers = await self.sys_run_in_executor(self.sys_docker.containers.list)
+            containers = await self.sys_run_in_executor(
+                self.sys_docker.containers_legacy.list
+            )
        except (DockerException, RequestException) as err:
            _LOGGER.error("Corrupt docker overlayfs detect: %s", err)
            self.sys_resolution.create_issue(
--- a/supervisor/resolution/evaluations/operating_system.py
+++ b/supervisor/resolution/evaluations/operating_system.py
@@ -5,8 +5,6 @@ from ...coresys import CoreSys
 from ..const import UnsupportedReason
 from .base import EvaluateBase

-SUPPORTED_OS = ["Debian GNU/Linux 12 (bookworm)"]
-

 def setup(coresys: CoreSys) -> EvaluateBase:
    """Initialize evaluation-setup function."""
@@ -33,6 +31,4 @@ class EvaluateOperatingSystem(EvaluateBase):

    async def evaluate(self) -> bool:
        """Run evaluation."""
-        if self.sys_os.available:
-            return False
-        return self.sys_host.info.operating_system not in SUPPORTED_OS
+        return not self.sys_os.available
--- a/supervisor/resolution/evaluations/system_architecture.py
+++ b/supervisor/resolution/evaluations/system_architecture.py
@@ -0,0 +1,38 @@
+"""Evaluation class for system architecture support."""
+
+from ...const import CoreState
+from ...coresys import CoreSys
+from ..const import UnsupportedReason
+from .base import EvaluateBase
+
+
+def setup(coresys: CoreSys) -> EvaluateBase:
+    """Initialize evaluation-setup function."""
+    return EvaluateSystemArchitecture(coresys)
+
+
+class EvaluateSystemArchitecture(EvaluateBase):
+    """Evaluate if the current Supervisor architecture is supported."""
+
+    @property
+    def reason(self) -> UnsupportedReason:
+        """Return a UnsupportedReason enum."""
+        return UnsupportedReason.SYSTEM_ARCHITECTURE
+
+    @property
+    def on_failure(self) -> str:
+        """Return a string that is printed when self.evaluate is True."""
+        return "System architecture is no longer supported. Move to a supported system architecture."
+
+    @property
+    def states(self) -> list[CoreState]:
+        """Return a list of valid states when this evaluation can run."""
+        return [CoreState.INITIALIZE]
+
+    async def evaluate(self):
+        """Run evaluation."""
+        return self.sys_host.info.sys_arch.supervisor in {
+            "i386",
+            "armhf",
+            "armv7",
+        }
--- a/supervisor/store/git.py
+++ b/supervisor/store/git.py
@@ -183,19 +183,22 @@ class GitRepo(CoreSysAttributes):
                raise StoreGitError() from err

            try:
-                branch = self.repo.active_branch.name
+                repo = self.repo

-                # Download data
-                await self.sys_run_in_executor(
-                    ft.partial(
-                        self.repo.remotes.origin.fetch,
-                        **{"update-shallow": True, "depth": 1},  # type: ignore
+                def _fetch_and_check() -> tuple[str, bool]:
+                    """Fetch from origin and check if changed."""
+                    # This property access is I/O bound
+                    branch = repo.active_branch.name
+                    repo.remotes.origin.fetch(
+                        **{"update-shallow": True, "depth": 1}  # type: ignore[arg-type]
                    )
-                )
+                    changed = repo.commit(branch) != repo.commit(f"origin/{branch}")
+                    return branch, changed

-                if changed := self.repo.commit(branch) != self.repo.commit(
-                    f"origin/{branch}"
-                ):
+                # Download data and check for changes
+                branch, changed = await self.sys_run_in_executor(_fetch_and_check)
+
+                if changed:
                    # Jump on top of that
                    await self.sys_run_in_executor(
                        ft.partial(self.repo.git.reset, f"origin/{branch}", hard=True)
@@ -224,6 +227,7 @@ class GitRepo(CoreSysAttributes):
                git.CommandError,
                ValueError,
                AssertionError,
+                AttributeError,
                UnicodeDecodeError,
            ) as err:
                _LOGGER.error("Can't update %s repo: %s.", self.url, err)
--- a/supervisor/supervisor.py
+++ b/supervisor/supervisor.py
@@ -28,8 +28,8 @@ from .exceptions import (
    DockerError,
    HostAppArmorError,
    SupervisorAppArmorError,
-    SupervisorError,
    SupervisorJobError,
+    SupervisorUnknownError,
    SupervisorUpdateError,
 )
 from .jobs.const import JobCondition, JobThrottle
@@ -261,7 +261,7 @@ class Supervisor(CoreSysAttributes):
        try:
            return await self.instance.stats()
        except DockerError as err:
-            raise SupervisorError() from err
+            raise SupervisorUnknownError() from err

    async def repair(self):
        """Repair local Supervisor data."""
--- a/supervisor/updater.py
+++ b/supervisor/updater.py
@@ -242,9 +242,10 @@ class Updater(FileConfiguration, CoreSysAttributes):
    @Job(
        name="updater_fetch_data",
        conditions=[
+            JobCondition.ARCHITECTURE_SUPPORTED,
            JobCondition.INTERNET_SYSTEM,
-            JobCondition.OS_SUPPORTED,
            JobCondition.HOME_ASSISTANT_CORE_SUPPORTED,
+            JobCondition.OS_SUPPORTED,
        ],
        on_condition=UpdaterJobError,
        throttle_period=timedelta(seconds=30),
--- a/supervisor/utils/dbus.py
+++ b/supervisor/utils/dbus.py
@@ -7,13 +7,7 @@ from collections.abc import Awaitable, Callable
 import logging
 from typing import Any, Protocol, cast

-from dbus_fast import (
-    ErrorType,
-    InvalidIntrospectionError,
-    Message,
-    MessageType,
-    Variant,
-)
+from dbus_fast import ErrorType, InvalidIntrospectionError, Message, MessageType
 from dbus_fast.aio.message_bus import MessageBus
 from dbus_fast.aio.proxy_object import ProxyInterface, ProxyObject
 from dbus_fast.errors import DBusError as DBusFastDBusError
@@ -265,7 +259,7 @@ class DBus:
        """

        async def sync_property_change(
-            prop_interface: str, changed: dict[str, Variant], invalidated: list[str]
+            prop_interface: str, changed: dict[str, Any], invalidated: list[str]
        ) -> None:
            """Sync property changes to cache."""
            if interface != prop_interface:
--- a/supervisor/utils/systemd_journal.py
+++ b/supervisor/utils/systemd_journal.py
@@ -5,12 +5,20 @@ from collections.abc import AsyncGenerator
 from datetime import UTC, datetime
 from functools import wraps
 import json
+import re

 from aiohttp import ClientResponse

 from supervisor.exceptions import MalformedBinaryEntryError
 from supervisor.host.const import LogFormatter

+_RE_ANSI_CSI_COLORS_PATTERN = re.compile(r"\x1B\[[0-9;]*m")
+
+
+def _strip_ansi_colors(message: str) -> str:
+    """Remove ANSI color codes from a message string."""
+    return _RE_ANSI_CSI_COLORS_PATTERN.sub("", message)
+

 def formatter(required_fields: list[str]):
    """Decorate journal entry formatters with list of required fields.
@@ -31,9 +39,9 @@ def formatter(required_fields: list[str]):


@formatter(["MESSAGE"])
-def journal_plain_formatter(entries: dict[str, str]) -> str:
+def journal_plain_formatter(entries: dict[str, str], no_colors: bool = False) -> str:
    """Format parsed journal entries as a plain message."""
-    return entries["MESSAGE"]
+    return _strip_ansi_colors(entries["MESSAGE"]) if no_colors else entries["MESSAGE"]


@formatter(
@@ -45,7 +53,7 @@ def journal_plain_formatter(entries: dict[str, str]) -> str:
        "MESSAGE",
    ]
 )
-def journal_verbose_formatter(entries: dict[str, str]) -> str:
+def journal_verbose_formatter(entries: dict[str, str], no_colors: bool = False) -> str:
    """Format parsed journal entries to a journalctl-like format."""
    ts = datetime.fromtimestamp(
        int(entries["__REALTIME_TIMESTAMP"]) / 1e6, UTC
@@ -58,14 +66,24 @@ def journal_verbose_formatter(entries: dict[str, str]) -> str:
        else entries.get("SYSLOG_IDENTIFIER", "_UNKNOWN_")
    )

-    return f"{ts} {entries.get('_HOSTNAME', '')} {identifier}: {entries.get('MESSAGE', '')}"
+    message = (
+        _strip_ansi_colors(entries.get("MESSAGE", ""))
+        if no_colors
+        else entries.get("MESSAGE", "")
+    )
+
+    return f"{ts} {entries.get('_HOSTNAME', '')} {identifier}: {message}"


 async def journal_logs_reader(
-    journal_logs: ClientResponse, log_formatter: LogFormatter = LogFormatter.PLAIN
+    journal_logs: ClientResponse,
+    log_formatter: LogFormatter = LogFormatter.PLAIN,
+    no_colors: bool = False,
 ) -> AsyncGenerator[tuple[str | None, str]]:
    """Read logs from systemd journal line by line, formatted using the given formatter.

+    Optionally strip ANSI color codes from the entries' messages.
+
    Returns a generator of (cursor, formatted_entry) tuples.
    """
    match log_formatter:
@@ -84,7 +102,10 @@ async def journal_logs_reader(
            # at EOF (likely race between at_eof and EOF check in readuntil)
            if line == b"\n" or not line:
                if entries:
-                    yield entries.get("__CURSOR"), formatter_(entries)
+                    yield (
+                        entries.get("__CURSOR"),
+                        formatter_(entries, no_colors=no_colors),
+                    )
                entries = {}
                continue

--- a/tests/addons/test_addon.py
+++ b/tests/addons/test_addon.py
@@ -5,6 +5,7 @@ from datetime import timedelta
 import errno
 from http import HTTPStatus
 from pathlib import Path
+from typing import Any
 from unittest.mock import MagicMock, PropertyMock, call, patch

 import aiodocker
@@ -23,7 +24,13 @@ from supervisor.docker.addon import DockerAddon
 from supervisor.docker.const import ContainerState
 from supervisor.docker.manager import CommandReturn, DockerAPI
 from supervisor.docker.monitor import DockerContainerStateEvent
-from supervisor.exceptions import AddonsError, AddonsJobError, AudioUpdateError
+from supervisor.exceptions import (
+    AddonPrePostBackupCommandReturnedError,
+    AddonsJobError,
+    AddonUnknownError,
+    AudioUpdateError,
+    HassioError,
+)
 from supervisor.hardware.helper import HwHelper
 from supervisor.ingress import Ingress
 from supervisor.store.repository import Repository
@@ -220,7 +227,7 @@ async def test_listener_attached_on_install(
    container_collection.get.side_effect = DockerException()
    with (
        patch(
-            "supervisor.docker.manager.DockerAPI.containers",
+            "supervisor.docker.manager.DockerAPI.containers_legacy",
            new=PropertyMock(return_value=container_collection),
        ),
        patch("pathlib.Path.is_dir", return_value=True),
@@ -502,31 +509,26 @@ async def test_backup_with_pre_post_command(


@pytest.mark.parametrize(
-    "get_error,exception_on_exec",
+    ("container_get_side_effect", "exec_run_side_effect", "exc_type_raised"),
    [
-        (NotFound("missing"), False),
-        (DockerException(), False),
-        (None, True),
-        (None, False),
+        (NotFound("missing"), [(1, None)], AddonUnknownError),
+        (DockerException(), [(1, None)], AddonUnknownError),
+        (None, DockerException(), AddonUnknownError),
+        (None, [(1, None)], AddonPrePostBackupCommandReturnedError),
    ],
 )
+@pytest.mark.usefixtures("tmp_supervisor_data", "path_extern")
 async def test_backup_with_pre_command_error(
    coresys: CoreSys,
    install_addon_ssh: Addon,
    container: MagicMock,
-    get_error: DockerException | None,
-    exception_on_exec: bool,
-    tmp_supervisor_data,
-    path_extern,
+    container_get_side_effect: DockerException | None,
+    exec_run_side_effect: DockerException | list[tuple[int, Any]],
+    exc_type_raised: type[HassioError],
 ) -> None:
    """Test backing up an addon with error running pre command."""
-    if get_error:
-        coresys.docker.containers.get.side_effect = get_error
-
-    if exception_on_exec:
-        container.exec_run.side_effect = DockerException()
-    else:
-        container.exec_run.return_value = (1, None)
+    coresys.docker.containers_legacy.get.side_effect = container_get_side_effect
+    container.exec_run.side_effect = exec_run_side_effect

    install_addon_ssh.path_data.mkdir()
    await install_addon_ssh.load()
@@ -535,7 +537,7 @@ async def test_backup_with_pre_command_error(
    with (
        patch.object(DockerAddon, "is_running", return_value=True),
        patch.object(Addon, "backup_pre", new=PropertyMock(return_value="backup_pre")),
-        pytest.raises(AddonsError),
+        pytest.raises(exc_type_raised),
    ):
        assert await install_addon_ssh.backup(tarfile) is None

@@ -947,7 +949,7 @@ async def test_addon_load_succeeds_with_docker_errors(
    )
    caplog.clear()
    await install_addon_ssh.load()
-    assert "Invalid build environment" in caplog.text
+    assert "Cannot build addon 'local_ssh' because dockerfile is missing" in caplog.text

    # Image build failure
    caplog.clear()
--- a/tests/addons/test_build.py
+++ b/tests/addons/test_build.py
@@ -1,12 +1,18 @@
 """Test addon build."""

+import base64
+import json
+from pathlib import Path
 from unittest.mock import PropertyMock, patch

 from awesomeversion import AwesomeVersion
+import pytest

 from supervisor.addons.addon import Addon
 from supervisor.addons.build import AddonBuild
 from supervisor.coresys import CoreSys
+from supervisor.docker.const import DOCKER_HUB
+from supervisor.exceptions import AddonBuildDockerfileMissingError

 from tests.common import is_in_list

@@ -29,7 +35,7 @@ async def test_platform_set(coresys: CoreSys, install_addon_ssh: Addon):
        ),
    ):
        args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
        )

    assert is_in_list(["--platform", "linux/amd64"], args["command"])
@@ -53,7 +59,7 @@ async def test_dockerfile_evaluation(coresys: CoreSys, install_addon_ssh: Addon)
        ),
    ):
        args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
        )

    assert is_in_list(["--file", "Dockerfile"], args["command"])
@@ -81,7 +87,7 @@ async def test_dockerfile_evaluation_arch(coresys: CoreSys, install_addon_ssh: A
        ),
    ):
        args = await coresys.run_in_executor(
-            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest"
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
        )

    assert is_in_list(["--file", "Dockerfile.aarch64"], args["command"])
@@ -102,11 +108,11 @@ async def test_build_valid(coresys: CoreSys, install_addon_ssh: Addon):
            type(coresys.arch), "default", new=PropertyMock(return_value="aarch64")
        ),
    ):
-        assert await build.is_valid()
+        assert (await build.is_valid()) is None


 async def test_build_invalid(coresys: CoreSys, install_addon_ssh: Addon):
-    """Test platform set in docker args."""
+    """Test build not supported because Dockerfile missing for specified architecture."""
    build = await AddonBuild(coresys, install_addon_ssh).load_config()
    with (
        patch.object(
@@ -115,5 +121,161 @@ async def test_build_invalid(coresys: CoreSys, install_addon_ssh: Addon):
        patch.object(
            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
        ),
+        pytest.raises(AddonBuildDockerfileMissingError),
    ):
-        assert not await build.is_valid()
+        await build.is_valid()
+
+
+async def test_docker_config_no_registries(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker config generation when no registries configured."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # No registries configured by default
+    assert build.get_docker_config_json() is None
+
+
+async def test_docker_config_no_matching_registry(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker config generation when registry doesn't match base image."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure a registry that doesn't match the base image
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        "some.other.registry": {"username": "user", "password": "pass"}
+    }
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+    ):
+        # Base image is ghcr.io/home-assistant/... which doesn't match
+        assert build.get_docker_config_json() is None
+
+
+async def test_docker_config_matching_registry(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker config generation when registry matches base image."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure ghcr.io registry which matches the default base image
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        "ghcr.io": {"username": "testuser", "password": "testpass"}
+    }
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+    ):
+        config_json = build.get_docker_config_json()
+        assert config_json is not None
+
+        config = json.loads(config_json)
+        assert "auths" in config
+        assert "ghcr.io" in config["auths"]
+
+        # Verify base64-encoded credentials
+        expected_auth = base64.b64encode(b"testuser:testpass").decode()
+        assert config["auths"]["ghcr.io"]["auth"] == expected_auth
+
+
+async def test_docker_config_docker_hub(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker config generation for Docker Hub registry."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    # Configure Docker Hub registry
+    # pylint: disable-next=protected-access
+    coresys.docker.config._data["registries"] = {
+        DOCKER_HUB: {"username": "hubuser", "password": "hubpass"}
+    }
+
+    # Mock base_image to return a Docker Hub image (no registry prefix)
+    with patch.object(
+        type(build),
+        "base_image",
+        new=PropertyMock(return_value="library/alpine:latest"),
+    ):
+        config_json = build.get_docker_config_json()
+        assert config_json is not None
+
+        config = json.loads(config_json)
+        # Docker Hub uses special URL as key
+        assert "https://index.docker.io/v1/" in config["auths"]
+
+        expected_auth = base64.b64encode(b"hubuser:hubpass").decode()
+        assert config["auths"]["https://index.docker.io/v1/"]["auth"] == expected_auth
+
+
+async def test_docker_args_with_config_path(coresys: CoreSys, install_addon_ssh: Addon):
+    """Test docker args include config volume when path provided."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+        patch.object(
+            type(coresys.config),
+            "local_to_extern_path",
+            side_effect=lambda p: f"/extern{p}",
+        ),
+    ):
+        config_path = Path("/data/supervisor/tmp/config.json")
+        args = await coresys.run_in_executor(
+            build.get_docker_args,
+            AwesomeVersion("latest"),
+            "test-image:latest",
+            config_path,
+        )
+
+    # Check that config is mounted
+    assert "/extern/data/supervisor/tmp/config.json" in args["volumes"]
+    assert (
+        args["volumes"]["/extern/data/supervisor/tmp/config.json"]["bind"]
+        == "/root/.docker/config.json"
+    )
+    assert args["volumes"]["/extern/data/supervisor/tmp/config.json"]["mode"] == "ro"
+
+
+async def test_docker_args_without_config_path(
+    coresys: CoreSys, install_addon_ssh: Addon
+):
+    """Test docker args don't include config volume when no path provided."""
+    build = await AddonBuild(coresys, install_addon_ssh).load_config()
+
+    with (
+        patch.object(
+            type(coresys.arch), "supported", new=PropertyMock(return_value=["amd64"])
+        ),
+        patch.object(
+            type(coresys.arch), "default", new=PropertyMock(return_value="amd64")
+        ),
+        patch.object(
+            type(coresys.config),
+            "local_to_extern_path",
+            return_value="/addon/path/on/host",
+        ),
+    ):
+        args = await coresys.run_in_executor(
+            build.get_docker_args, AwesomeVersion("latest"), "test-image:latest", None
+        )
+
+    # Only docker socket and addon path should be mounted
+    assert len(args["volumes"]) == 2
+    # Verify no docker config mount
+    for bind in args["volumes"].values():
+        assert bind["bind"] != "/root/.docker/config.json"
--- a/tests/addons/test_manager.py
+++ b/tests/addons/test_manager.py
@@ -10,7 +10,7 @@ from awesomeversion import AwesomeVersion
 import pytest

 from supervisor.addons.addon import Addon
-from supervisor.arch import CpuArch
+from supervisor.arch import CpuArchManager
 from supervisor.config import CoreConfig
 from supervisor.const import AddonBoot, AddonStartup, AddonState, BusEvent
 from supervisor.coresys import CoreSys
@@ -54,7 +54,9 @@ async def fixture_mock_arch_disk() -> AsyncGenerator[None]:
    """Mock supported arch and disk space."""
    with (
        patch("shutil.disk_usage", return_value=(42, 42, 2 * (1024.0**3))),
-        patch.object(CpuArch, "supported", new=PropertyMock(return_value=["amd64"])),
+        patch.object(
+            CpuArchManager, "supported", new=PropertyMock(return_value=["amd64"])
+        ),
    ):
        yield

--- a/tests/api/init.py
+++ b/tests/api/init.py
@@ -1,95 +1 @@
 """Test for API calls."""
-
-from unittest.mock import AsyncMock, MagicMock
-
-from aiohttp.test_utils import TestClient
-
-from supervisor.coresys import CoreSys
-from supervisor.host.const import LogFormat
-
-DEFAULT_LOG_RANGE = "entries=:-99:100"
-DEFAULT_LOG_RANGE_FOLLOW = "entries=:-99:18446744073709551615"
-
-
-async def common_test_api_advanced_logs(
-    path_prefix: str,
-    syslog_identifier: str,
-    api_client: TestClient,
-    journald_logs: MagicMock,
-    coresys: CoreSys,
-    os_available: None,
-):
-    """Template for tests of endpoints using advanced logs."""
-    resp = await api_client.get(f"{path_prefix}/logs")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier},
-        range_header=DEFAULT_LOG_RANGE,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/follow")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier, "follow": ""},
-        range_header=DEFAULT_LOG_RANGE_FOLLOW,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    mock_response = MagicMock()
-    mock_response.text = AsyncMock(
-        return_value='{"CONTAINER_LOG_EPOCH": "12345"}\n{"CONTAINER_LOG_EPOCH": "12345"}\n'
-    )
-    journald_logs.return_value.__aenter__.return_value = mock_response
-
-    resp = await api_client.get(f"{path_prefix}/logs/latest")
-    assert resp.status == 200
-
-    assert journald_logs.call_count == 2
-
-    # Check the first call for getting epoch
-    epoch_call = journald_logs.call_args_list[0]
-    assert epoch_call[1]["params"] == {"CONTAINER_NAME": syslog_identifier}
-    assert epoch_call[1]["range_header"] == "entries=:-1:2"
-
-    # Check the second call for getting logs with the epoch
-    logs_call = journald_logs.call_args_list[1]
-    assert logs_call[1]["params"]["SYSLOG_IDENTIFIER"] == syslog_identifier
-    assert logs_call[1]["params"]["CONTAINER_LOG_EPOCH"] == "12345"
-    assert logs_call[1]["range_header"] == "entries=:0:18446744073709551615"
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/boots/0")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={"SYSLOG_IDENTIFIER": syslog_identifier, "_BOOT_ID": "ccc"},
-        range_header=DEFAULT_LOG_RANGE,
-        accept=LogFormat.JOURNAL,
-    )
-
-    journald_logs.reset_mock()
-
-    resp = await api_client.get(f"{path_prefix}/logs/boots/0/follow")
-    assert resp.status == 200
-    assert resp.content_type == "text/plain"
-
-    journald_logs.assert_called_once_with(
-        params={
-            "SYSLOG_IDENTIFIER": syslog_identifier,
-            "_BOOT_ID": "ccc",
-            "follow": "",
-        },
-        range_header=DEFAULT_LOG_RANGE_FOLLOW,
-        accept=LogFormat.JOURNAL,
-    )
--- a/tests/api/conftest.py
+++ b/tests/api/conftest.py
@@ -0,0 +1,149 @@
+"""Fixtures for API tests."""
+
+from collections.abc import Awaitable, Callable
+from unittest.mock import ANY, AsyncMock, MagicMock
+
+from aiohttp.test_utils import TestClient
+import pytest
+
+from supervisor.coresys import CoreSys
+from supervisor.host.const import LogFormat, LogFormatter
+
+DEFAULT_LOG_RANGE = "entries=:-99:100"
+DEFAULT_LOG_RANGE_FOLLOW = "entries=:-99:18446744073709551615"
+
+
+async def _common_test_api_advanced_logs(
+    path_prefix: str,
+    syslog_identifier: str,
+    api_client: TestClient,
+    journald_logs: MagicMock,
+    coresys: CoreSys,
+    os_available: None,
+    journal_logs_reader: MagicMock,
+):
+    """Template for tests of endpoints using advanced logs."""
+    resp = await api_client.get(f"{path_prefix}/logs")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, False)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs?no_colors")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, True)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/follow")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier, "follow": ""},
+        range_header=DEFAULT_LOG_RANGE_FOLLOW,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, False)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    mock_response = MagicMock()
+    mock_response.text = AsyncMock(
+        return_value='{"CONTAINER_LOG_EPOCH": "12345"}\n{"CONTAINER_LOG_EPOCH": "12345"}\n'
+    )
+    journald_logs.return_value.__aenter__.return_value = mock_response
+
+    resp = await api_client.get(f"{path_prefix}/logs/latest")
+    assert resp.status == 200
+
+    assert journald_logs.call_count == 2
+
+    # Check the first call for getting epoch
+    epoch_call = journald_logs.call_args_list[0]
+    assert epoch_call[1]["params"] == {"CONTAINER_NAME": syslog_identifier}
+    assert epoch_call[1]["range_header"] == "entries=:-1:2"
+
+    # Check the second call for getting logs with the epoch
+    logs_call = journald_logs.call_args_list[1]
+    assert logs_call[1]["params"]["SYSLOG_IDENTIFIER"] == syslog_identifier
+    assert logs_call[1]["params"]["CONTAINER_LOG_EPOCH"] == "12345"
+    assert logs_call[1]["range_header"] == "entries=:0:18446744073709551615"
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.PLAIN, True)
+
+    journald_logs.reset_mock()
+    journal_logs_reader.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/boots/0")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": syslog_identifier, "_BOOT_ID": "ccc"},
+        range_header=DEFAULT_LOG_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+
+    journald_logs.reset_mock()
+
+    resp = await api_client.get(f"{path_prefix}/logs/boots/0/follow")
+    assert resp.status == 200
+    assert resp.content_type == "text/plain"
+
+    journald_logs.assert_called_once_with(
+        params={
+            "SYSLOG_IDENTIFIER": syslog_identifier,
+            "_BOOT_ID": "ccc",
+            "follow": "",
+        },
+        range_header=DEFAULT_LOG_RANGE_FOLLOW,
+        accept=LogFormat.JOURNAL,
+    )
+
+
+@pytest.fixture
+async def advanced_logs_tester(
+    api_client: TestClient,
+    journald_logs: MagicMock,
+    coresys: CoreSys,
+    os_available,
+    journal_logs_reader: MagicMock,
+) -> Callable[[str, str], Awaitable[None]]:
+    """Fixture that returns a function to test advanced logs endpoints.
+
+    This allows tests to avoid explicitly passing all the required fixtures.
+
+    Usage:
+        async def test_my_logs(advanced_logs_tester):
+            await advanced_logs_tester("/path/prefix", "syslog_identifier")
+    """
+
+    async def test_logs(path_prefix: str, syslog_identifier: str):
+        await _common_test_api_advanced_logs(
+            path_prefix,
+            syslog_identifier,
+            api_client,
+            journald_logs,
+            coresys,
+            os_available,
+            journal_logs_reader,
+        )
+
+    return test_logs
--- a/tests/api/test_addons.py
+++ b/tests/api/test_addons.py
@@ -5,11 +5,12 @@ from unittest.mock import MagicMock, PropertyMock, patch

 from aiohttp import ClientResponse
 from aiohttp.test_utils import TestClient
+from docker.errors import DockerException
 import pytest

 from supervisor.addons.addon import Addon
 from supervisor.addons.build import AddonBuild
-from supervisor.arch import CpuArch
+from supervisor.arch import CpuArchManager
 from supervisor.const import AddonState
 from supervisor.coresys import CoreSys
 from supervisor.docker.addon import DockerAddon
@@ -20,7 +21,6 @@ from supervisor.exceptions import HassioError
 from supervisor.store.repository import Repository

 from ..const import TEST_ADDON_SLUG
-from . import common_test_api_advanced_logs


 def _create_test_event(name: str, state: ContainerState) -> DockerContainerStateEvent:
@@ -72,21 +72,11 @@ async def test_addons_info_not_installed(


 async def test_api_addon_logs(
-    api_client: TestClient,
-    journald_logs: MagicMock,
-    coresys: CoreSys,
-    os_available,
+    advanced_logs_tester,
    install_addon_ssh: Addon,
 ):
    """Test addon logs."""
-    await common_test_api_advanced_logs(
-        "/addons/local_ssh",
-        "addon_local_ssh",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
-    )
+    await advanced_logs_tester("/addons/local_ssh", "addon_local_ssh")


 async def test_api_addon_logs_not_installed(api_client: TestClient):
@@ -247,7 +237,9 @@ async def test_api_addon_rebuild_healthcheck(
        patch.object(AddonBuild, "is_valid", return_value=True),
        patch.object(DockerAddon, "is_running", return_value=False),
        patch.object(Addon, "need_build", new=PropertyMock(return_value=True)),
-        patch.object(CpuArch, "supported", new=PropertyMock(return_value=["amd64"])),
+        patch.object(
+            CpuArchManager, "supported", new=PropertyMock(return_value=["amd64"])
+        ),
        patch.object(DockerAddon, "run", new=container_events_task),
        patch.object(
            coresys.docker,
@@ -319,7 +311,9 @@ async def test_api_addon_rebuild_force(
        patch.object(
            Addon, "need_build", new=PropertyMock(return_value=False)
        ),  # Image-based
-        patch.object(CpuArch, "supported", new=PropertyMock(return_value=["amd64"])),
+        patch.object(
+            CpuArchManager, "supported", new=PropertyMock(return_value=["amd64"])
+        ),
    ):
        resp = await api_client.post("/addons/local_ssh/rebuild")

@@ -337,7 +331,9 @@ async def test_api_addon_rebuild_force(
        patch.object(
            Addon, "need_build", new=PropertyMock(return_value=False)
        ),  # Image-based
-        patch.object(CpuArch, "supported", new=PropertyMock(return_value=["amd64"])),
+        patch.object(
+            CpuArchManager, "supported", new=PropertyMock(return_value=["amd64"])
+        ),
        patch.object(DockerAddon, "run", new=container_events_task),
        patch.object(
            coresys.docker,
@@ -482,6 +478,11 @@ async def test_addon_options_boot_mode_manual_only_invalid(
        body["message"]
        == "Addon local_example boot option is set to manual_only so it cannot be changed"
    )
+    assert body["error_key"] == "addon_boot_config_cannot_change_error"
+    assert body["extra_fields"] == {
+        "addon": "local_example",
+        "boot_config": "manual_only",
+    }


 async def get_message(resp: ClientResponse, json_expected: bool) -> str:
@@ -550,3 +551,154 @@ async def test_addon_not_installed(
    resp = await api_client.request(method, url)
    assert resp.status == 400
    assert await get_message(resp, json_expected) == "Addon is not installed"
+
+
+async def test_addon_set_options(api_client: TestClient, install_addon_example: Addon):
+    """Test setting options for an addon."""
+    resp = await api_client.post(
+        "/addons/local_example/options", json={"options": {"message": "test"}}
+    )
+    assert resp.status == 200
+    assert install_addon_example.options == {"message": "test"}
+
+
+async def test_addon_reset_options(
+    api_client: TestClient, install_addon_example: Addon
+):
+    """Test resetting options for an addon to defaults.
+
+    Fixes SUPERVISOR-171F.
+    """
+    # First set some custom options
+    install_addon_example.options = {"message": "custom"}
+    assert install_addon_example.persist["options"] == {"message": "custom"}
+
+    # Reset to defaults by sending null
+    resp = await api_client.post(
+        "/addons/local_example/options", json={"options": None}
+    )
+    assert resp.status == 200
+
+    # Persisted options should be empty (meaning defaults will be used)
+    assert install_addon_example.persist["options"] == {}
+
+
+async def test_addon_set_options_error(
+    api_client: TestClient, install_addon_example: Addon
+):
+    """Test setting options for an addon."""
+    resp = await api_client.post(
+        "/addons/local_example/options", json={"options": {"message": True}}
+    )
+    assert resp.status == 400
+    body = await resp.json()
+    assert (
+        body["message"]
+        == "Add-on local_example has invalid options: not a valid value. Got {'message': True}"
+    )
+    assert body["error_key"] == "addon_configuration_invalid_error"
+    assert body["extra_fields"] == {
+        "addon": "local_example",
+        "validation_error": "not a valid value. Got {'message': True}",
+    }
+
+
+async def test_addon_start_options_error(
+    api_client: TestClient,
+    install_addon_example: Addon,
+    caplog: pytest.LogCaptureFixture,
+):
+    """Test error writing options when trying to start addon."""
+    install_addon_example.options = {"message": "hello"}
+
+    # Simulate OS error trying to write the file
+    with patch("supervisor.utils.json.atomic_write", side_effect=OSError("fail")):
+        resp = await api_client.post("/addons/local_example/start")
+        assert resp.status == 500
+        body = await resp.json()
+        assert (
+            body["message"]
+            == "An unknown error occurred with addon local_example. Check supervisor logs for details (check with 'ha supervisor logs')"
+        )
+        assert body["error_key"] == "addon_unknown_error"
+        assert body["extra_fields"] == {
+            "addon": "local_example",
+            "logs_command": "ha supervisor logs",
+        }
+        assert "Add-on local_example can't write options" in caplog.text
+
+    # Simulate an update with a breaking change for options schema creating failure on start
+    caplog.clear()
+    install_addon_example.data["schema"] = {"message": "bool"}
+    resp = await api_client.post("/addons/local_example/start")
+    assert resp.status == 400
+    body = await resp.json()
+    assert (
+        body["message"]
+        == "Add-on local_example has invalid options: expected boolean. Got {'message': 'hello'}"
+    )
+    assert body["error_key"] == "addon_configuration_invalid_error"
+    assert body["extra_fields"] == {
+        "addon": "local_example",
+        "validation_error": "expected boolean. Got {'message': 'hello'}",
+    }
+    assert (
+        "Add-on local_example has invalid options: expected boolean. Got {'message': 'hello'}"
+        in caplog.text
+    )
+
+
+@pytest.mark.parametrize(("method", "action"), [("get", "stats"), ("post", "stdin")])
+@pytest.mark.usefixtures("install_addon_example")
+async def test_addon_not_running_error(
+    api_client: TestClient, method: str, action: str
+):
+    """Test addon not running error for endpoints that require that."""
+    with patch.object(Addon, "with_stdin", new=PropertyMock(return_value=True)):
+        resp = await api_client.request(method, f"/addons/local_example/{action}")
+
+    assert resp.status == 400
+    body = await resp.json()
+    assert body["message"] == "Add-on local_example is not running"
+    assert body["error_key"] == "addon_not_running_error"
+    assert body["extra_fields"] == {"addon": "local_example"}
+
+
+@pytest.mark.usefixtures("install_addon_example")
+async def test_addon_write_stdin_not_supported_error(api_client: TestClient):
+    """Test error when trying to write stdin to addon that does not support it."""
+    resp = await api_client.post("/addons/local_example/stdin")
+    assert resp.status == 400
+    body = await resp.json()
+    assert body["message"] == "Add-on local_example does not support writing to stdin"
+    assert body["error_key"] == "addon_not_supported_write_stdin_error"
+    assert body["extra_fields"] == {"addon": "local_example"}
+
+
+@pytest.mark.usefixtures("install_addon_ssh")
+async def test_addon_rebuild_fails_error(api_client: TestClient, coresys: CoreSys):
+    """Test error when build fails during rebuild for addon."""
+    coresys.hardware.disk.get_disk_free_space = lambda x: 5000
+    coresys.docker.containers_legacy.run.side_effect = DockerException("fail")
+
+    with (
+        patch.object(
+            CpuArchManager, "supported", new=PropertyMock(return_value=["aarch64"])
+        ),
+        patch.object(
+            CpuArchManager, "default", new=PropertyMock(return_value="aarch64")
+        ),
+        patch.object(AddonBuild, "get_docker_args", return_value={}),
+    ):
+        resp = await api_client.post("/addons/local_ssh/rebuild")
+    assert resp.status == 500
+    body = await resp.json()
+    assert (
+        body["message"]
+        == "An unknown error occurred while trying to build the image for addon local_ssh. Check supervisor logs for details (check with 'ha supervisor logs')"
+    )
+    assert body["error_key"] == "addon_build_failed_unknown_error"
+    assert body["extra_fields"] == {
+        "addon": "local_ssh",
+        "logs_command": "ha supervisor logs",
+    }
--- a/tests/api/test_audio.py
+++ b/tests/api/test_audio.py
@@ -1,18 +1,6 @@
 """Test audio api."""

-from unittest.mock import MagicMock

-from aiohttp.test_utils import TestClient
-
-from supervisor.coresys import CoreSys
-
-from tests.api import common_test_api_advanced_logs
-
-
-async def test_api_audio_logs(
-    api_client: TestClient, journald_logs: MagicMock, coresys: CoreSys, os_available
-):
+async def test_api_audio_logs(advanced_logs_tester) -> None:
    """Test audio logs."""
-    await common_test_api_advanced_logs(
-        "/audio", "hassio_audio", api_client, journald_logs, coresys, os_available
-    )
+    await advanced_logs_tester("/audio", "hassio_audio")
--- a/tests/api/test_auth.py
+++ b/tests/api/test_auth.py
@@ -1,6 +1,7 @@
 """Test auth API."""

 from datetime import UTC, datetime, timedelta
+from typing import Any
 from unittest.mock import AsyncMock, MagicMock, patch

 from aiohttp.hdrs import WWW_AUTHENTICATE
@@ -9,6 +10,8 @@ import pytest

 from supervisor.addons.addon import Addon
 from supervisor.coresys import CoreSys
+from supervisor.exceptions import HomeAssistantAPIError, HomeAssistantWSError
+from supervisor.homeassistant.api import HomeAssistantAPI

 from tests.common import MockResponse
 from tests.const import TEST_ADDON_SLUG
@@ -100,6 +103,52 @@ async def test_password_reset(
    assert "Successful password reset for 'john'" in caplog.text


+@pytest.mark.parametrize(
+    ("post_mock", "expected_log"),
+    [
+        (
+            MagicMock(return_value=MockResponse(status=400)),
+            "The user 'john' is not registered",
+        ),
+        (
+            MagicMock(side_effect=HomeAssistantAPIError("fail")),
+            "Can't request password reset on Home Assistant: fail",
+        ),
+    ],
+)
+async def test_failed_password_reset(
+    api_client: TestClient,
+    coresys: CoreSys,
+    caplog: pytest.LogCaptureFixture,
+    websession: MagicMock,
+    post_mock: MagicMock,
+    expected_log: str,
+):
+    """Test failed password reset."""
+    coresys.homeassistant.api.access_token = "abc123"
+    # pylint: disable-next=protected-access
+    coresys.homeassistant.api._access_token_expires = datetime.now(tz=UTC) + timedelta(
+        days=1
+    )
+
+    websession.post = post_mock
+    resp = await api_client.post(
+        "/auth/reset", json={"username": "john", "password": "doe"}
+    )
+    assert resp.status == 400
+    body = await resp.json()
+    assert (
+        body["message"]
+        == "Username 'john' does not exist. Check list of users using 'ha auth list'."
+    )
+    assert body["error_key"] == "auth_password_reset_error"
+    assert body["extra_fields"] == {
+        "user": "john",
+        "auth_list_command": "ha auth list",
+    }
+    assert expected_log in caplog.text
+
+
 async def test_list_users(
    api_client: TestClient, coresys: CoreSys, ha_ws_client: AsyncMock
 ):
@@ -120,6 +169,48 @@ async def test_list_users(
    ]


+@pytest.mark.parametrize(
+    ("send_command_mock", "error_response", "expected_log"),
+    [
+        (
+            AsyncMock(return_value=None),
+            {
+                "result": "error",
+                "message": "Home Assistant returned invalid response of `None` instead of a list of users. Check Home Assistant logs for details (check with `ha core logs`)",
+                "error_key": "auth_list_users_none_response_error",
+                "extra_fields": {"none": "None", "logs_command": "ha core logs"},
+            },
+            "Home Assistant returned invalid response of `None` instead of a list of users. Check Home Assistant logs for details (check with `ha core logs`)",
+        ),
+        (
+            AsyncMock(side_effect=HomeAssistantWSError("fail")),
+            {
+                "result": "error",
+                "message": "Can't request listing users on Home Assistant. Check supervisor logs for details (check with 'ha supervisor logs')",
+                "error_key": "auth_list_users_error",
+                "extra_fields": {"logs_command": "ha supervisor logs"},
+            },
+            "Can't request listing users on Home Assistant: fail",
+        ),
+    ],
+)
+async def test_list_users_failure(
+    api_client: TestClient,
+    ha_ws_client: AsyncMock,
+    caplog: pytest.LogCaptureFixture,
+    send_command_mock: AsyncMock,
+    error_response: dict[str, Any],
+    expected_log: str,
+):
+    """Test failure listing users via API."""
+    ha_ws_client.async_send_command = send_command_mock
+    resp = await api_client.get("/auth/list")
+    assert resp.status == 500
+    result = await resp.json()
+    assert result == error_response
+    assert expected_log in caplog.text
+
+
@pytest.mark.parametrize(
    ("field", "api_client"),
    [("username", TEST_ADDON_SLUG), ("user", TEST_ADDON_SLUG)],
@@ -156,6 +247,13 @@ async def test_auth_json_failure_none(
    mock_check_login.return_value = True
    resp = await api_client.post("/auth", json={"username": user, "password": password})
    assert resp.status == 401
+    assert (
+        resp.headers["WWW-Authenticate"]
+        == 'Basic realm="Home Assistant Authentication"'
+    )
+    body = await resp.json()
+    assert body["message"] == "Username and password must be strings"
+    assert body["error_key"] == "auth_invalid_non_string_value_error"


@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
@@ -267,3 +365,26 @@ async def test_non_addon_token_no_auth_access(api_client: TestClient):
    """Test auth where add-on is not allowed to access auth API."""
    resp = await api_client.post("/auth", json={"username": "test", "password": "pass"})
    assert resp.status == 403
+
+
+@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
+@pytest.mark.usefixtures("install_addon_ssh")
+async def test_auth_backend_login_failure(api_client: TestClient):
+    """Test backend login failure on auth."""
+    with (
+        patch.object(HomeAssistantAPI, "check_api_state", return_value=True),
+        patch.object(
+            HomeAssistantAPI, "make_request", side_effect=HomeAssistantAPIError("fail")
+        ),
+    ):
+        resp = await api_client.post(
+            "/auth", json={"username": "test", "password": "pass"}
+        )
+    assert resp.status == 500
+    body = await resp.json()
+    assert (
+        body["message"]
+        == "Unable to validate authentication details with Home Assistant. Check supervisor logs for details (check with 'ha supervisor logs')"
+    )
+    assert body["error_key"] == "auth_home_assistant_api_validation_error"
+    assert body["extra_fields"] == {"logs_command": "ha supervisor logs"}
--- a/tests/api/test_backups.py
+++ b/tests/api/test_backups.py
@@ -17,6 +17,7 @@ from supervisor.const import CoreState
 from supervisor.coresys import CoreSys
 from supervisor.docker.manager import DockerAPI
 from supervisor.exceptions import (
+    AddonPrePostBackupCommandReturnedError,
    AddonsError,
    BackupInvalidError,
    HomeAssistantBackupError,
@@ -24,6 +25,7 @@ from supervisor.exceptions import (
 from supervisor.homeassistant.core import HomeAssistantCore
 from supervisor.homeassistant.module import HomeAssistant
 from supervisor.homeassistant.websocket import HomeAssistantWebSocket
+from supervisor.jobs import SupervisorJob
 from supervisor.mounts.mount import Mount
 from supervisor.supervisor import Supervisor

@@ -401,6 +403,8 @@ async def test_api_backup_errors(
            "type": "BackupError",
            "message": str(err),
            "stage": None,
+            "error_key": None,
+            "extra_fields": None,
        }
    ]
    assert job["child_jobs"][2]["name"] == "backup_store_folders"
@@ -437,6 +441,8 @@ async def test_api_backup_errors(
            "type": "HomeAssistantBackupError",
            "message": "Backup error",
            "stage": "home_assistant",
+            "error_key": None,
+            "extra_fields": None,
        }
    ]
    assert job["child_jobs"][0]["name"] == "backup_store_homeassistant"
@@ -445,6 +451,8 @@ async def test_api_backup_errors(
            "type": "HomeAssistantBackupError",
            "message": "Backup error",
            "stage": None,
+            "error_key": None,
+            "extra_fields": None,
        }
    ]
    assert len(job["child_jobs"]) == 1
@@ -749,6 +757,8 @@ async def test_backup_to_multiple_locations_error_on_copy(
            "type": "BackupError",
            "message": "Could not copy backup to .cloud_backup due to: ",
            "stage": None,
+            "error_key": None,
+            "extra_fields": None,
        }
    ]

@@ -1191,10 +1201,8 @@ async def test_restore_homeassistant_adds_env(

    assert docker.containers.create.call_args.kwargs["name"] == "homeassistant"
    assert (
-        docker.containers.create.call_args.kwargs["environment"][
-            "SUPERVISOR_RESTORE_JOB_ID"
-        ]
-        == job.uuid
+        f"SUPERVISOR_RESTORE_JOB_ID={job.uuid}"
+        in docker.containers.create.call_args.args[0]["Env"]
    )


@@ -1483,3 +1491,44 @@ async def test_immediate_list_after_missing_file_restore(
    result = await resp.json()
    assert len(result["data"]["backups"]) == 1
    assert result["data"]["backups"][0]["slug"] == "93b462f8"
+
+
+@pytest.mark.parametrize("command", ["backup_pre", "backup_post"])
+@pytest.mark.usefixtures("install_addon_example", "tmp_supervisor_data")
+async def test_pre_post_backup_command_error(
+    api_client: TestClient, coresys: CoreSys, container: MagicMock, command: str
+):
+    """Test pre/post backup command error."""
+    await coresys.core.set_state(CoreState.RUNNING)
+    coresys.hardware.disk.get_disk_free_space = lambda x: 5000
+
+    container.status = "running"
+    container.exec_run.return_value = (1, b"")
+    with patch.object(Addon, command, new=PropertyMock(return_value="test")):
+        resp = await api_client.post(
+            "/backups/new/partial", json={"addons": ["local_example"]}
+        )
+
+    assert resp.status == 200
+    body = await resp.json()
+    job_id = body["data"]["job_id"]
+    job: SupervisorJob | None = None
+    for j in coresys.jobs.jobs:
+        if j.name == "backup_store_addons" and j.parent_id == job_id:
+            job = j
+            break
+
+    assert job
+    assert job.done is True
+    assert job.errors[0].type_ == AddonPrePostBackupCommandReturnedError
+    assert job.errors[0].message == (
+        "Pre-/Post backup command for add-on local_example returned error code: "
+        "1. Please report this to the addon developer. Enable debug "
+        "logging to capture complete command output using ha supervisor options --logging debug"
+    )
+    assert job.errors[0].error_key == "addon_pre_post_backup_command_returned_error"
+    assert job.errors[0].extra_fields == {
+        "addon": "local_example",
+        "exit_code": 1,
+        "debug_logging_command": "ha supervisor options --logging debug",
+    }
--- a/tests/api/test_dns.py
+++ b/tests/api/test_dns.py
@@ -1,13 +1,12 @@
 """Test DNS API."""

-from unittest.mock import MagicMock, patch
+from unittest.mock import patch

 from aiohttp.test_utils import TestClient

 from supervisor.coresys import CoreSys
 from supervisor.dbus.resolved import Resolved

-from tests.api import common_test_api_advanced_logs
 from tests.dbus_service_mocks.base import DBusServiceMock
 from tests.dbus_service_mocks.resolved import Resolved as ResolvedService

@@ -66,15 +65,6 @@ async def test_options(api_client: TestClient, coresys: CoreSys):
        restart.assert_called_once()


-async def test_api_dns_logs(
-    api_client: TestClient, journald_logs: MagicMock, coresys: CoreSys, os_available
-):
+async def test_api_dns_logs(advanced_logs_tester):
    """Test dns logs."""
-    await common_test_api_advanced_logs(
-        "/dns",
-        "hassio_dns",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
-    )
+    await advanced_logs_tester("/dns", "hassio_dns")
--- a/tests/api/test_docker.py
+++ b/tests/api/test_docker.py
@@ -4,6 +4,11 @@ from aiohttp.test_utils import TestClient
 import pytest

 from supervisor.coresys import CoreSys
+from supervisor.resolution.const import ContextType, IssueType, SuggestionType
+from supervisor.resolution.data import Issue, Suggestion
+
+from tests.dbus_service_mocks.agent_system import System as SystemService
+from tests.dbus_service_mocks.base import DBusServiceMock


@pytest.mark.asyncio
@@ -84,3 +89,70 @@ async def test_registry_not_found(api_client: TestClient):
    assert resp.status == 404
    body = await resp.json()
    assert body["message"] == "Hostname bad does not exist in registries"
+
+
+@pytest.mark.parametrize("os_available", ["17.0.rc1"], indirect=True)
+async def test_api_migrate_docker_storage_driver(
+    api_client: TestClient,
+    coresys: CoreSys,
+    os_agent_services: dict[str, DBusServiceMock],
+    os_available,
+):
+    """Test Docker storage driver migration."""
+    system_service: SystemService = os_agent_services["agent_system"]
+    system_service.MigrateDockerStorageDriver.calls.clear()
+
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "overlayfs"},
+    )
+    assert resp.status == 200
+
+    assert system_service.MigrateDockerStorageDriver.calls == [("overlayfs",)]
+    assert (
+        Issue(IssueType.REBOOT_REQUIRED, ContextType.SYSTEM)
+        in coresys.resolution.issues
+    )
+    assert (
+        Suggestion(SuggestionType.EXECUTE_REBOOT, ContextType.SYSTEM)
+        in coresys.resolution.suggestions
+    )
+
+
+@pytest.mark.parametrize("os_available", ["17.0.rc1"], indirect=True)
+async def test_api_migrate_docker_storage_driver_invalid_backend(
+    api_client: TestClient,
+    os_available,
+):
+    """Test 400 is returned for invalid storage driver."""
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "invalid"},
+    )
+    assert resp.status == 400
+
+
+async def test_api_migrate_docker_storage_driver_not_os(
+    api_client: TestClient,
+    coresys: CoreSys,
+):
+    """Test 404 is returned if not running on HAOS."""
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "overlayfs"},
+    )
+    assert resp.status == 404
+
+
+@pytest.mark.parametrize("os_available", ["16.2"], indirect=True)
+async def test_api_migrate_docker_storage_driver_old_os(
+    api_client: TestClient,
+    coresys: CoreSys,
+    os_available,
+):
+    """Test 404 is returned if OS is older than 17.0."""
+    resp = await api_client.post(
+        "/docker/migrate-storage-driver",
+        json={"storage_driver": "overlayfs"},
+    )
+    assert resp.status == 404
--- a/tests/api/test_homeassistant.py
+++ b/tests/api/test_homeassistant.py
@@ -18,34 +18,26 @@ from supervisor.homeassistant.const import WSEvent
 from supervisor.homeassistant.core import HomeAssistantCore
 from supervisor.homeassistant.module import HomeAssistant

-from tests.api import common_test_api_advanced_logs
 from tests.common import AsyncIterator, load_json_fixture


@pytest.mark.parametrize("legacy_route", [True, False])
 async def test_api_core_logs(
-    api_client: TestClient,
-    journald_logs: MagicMock,
-    coresys: CoreSys,
-    os_available,
+    advanced_logs_tester: AsyncMock,
    legacy_route: bool,
 ):
    """Test core logs."""
-    await common_test_api_advanced_logs(
+    await advanced_logs_tester(
        f"/{'homeassistant' if legacy_route else 'core'}",
        "homeassistant",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
    )


 async def test_api_stats(api_client: TestClient, coresys: CoreSys):
    """Test stats."""
-    coresys.docker.containers.get.return_value.status = "running"
-    coresys.docker.containers.get.return_value.stats.return_value = load_json_fixture(
-        "container_stats.json"
+    coresys.docker.containers_legacy.get.return_value.status = "running"
+    coresys.docker.containers_legacy.get.return_value.stats.return_value = (
+        load_json_fixture("container_stats.json")
    )

    resp = await api_client.get("/homeassistant/stats")
@@ -146,14 +138,14 @@ async def test_api_rebuild(
        await api_client.post("/homeassistant/rebuild")

    assert container.remove.call_count == 2
-    container.start.assert_called_once()
+    coresys.docker.containers.create.return_value.start.assert_called_once()
    assert not safe_mode_marker.exists()

    with patch.object(HomeAssistantCore, "_block_till_run"):
        await api_client.post("/homeassistant/rebuild", json={"safe_mode": True})

    assert container.remove.call_count == 4
-    assert container.start.call_count == 2
+    assert coresys.docker.containers.create.return_value.start.call_count == 2
    assert safe_mode_marker.exists()


@@ -331,29 +323,29 @@ async def test_api_progress_updates_home_assistant_update(
        },
        {
            "stage": None,
-            "progress": 1.2,
+            "progress": 1.7,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 2.8,
+            "progress": 4.0,
            "done": False,
        },
    ]
    assert events[-5:] == [
        {
            "stage": None,
-            "progress": 97.2,
+            "progress": 98.2,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 98.4,
+            "progress": 98.3,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 99.4,
+            "progress": 99.3,
            "done": False,
        },
        {
--- a/tests/api/test_host.py
+++ b/tests/api/test_host.py
@@ -272,7 +272,7 @@ async def test_advaced_logs_query_parameters(
        range_header=DEFAULT_RANGE,
        accept=LogFormat.JOURNAL,
    )
-    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE, False)

    journal_logs_reader.reset_mock()
    journald_logs.reset_mock()
@@ -290,7 +290,19 @@ async def test_advaced_logs_query_parameters(
        range_header="entries=:-52:53",
        accept=LogFormat.JOURNAL,
    )
-    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE, False)
+
+    journal_logs_reader.reset_mock()
+    journald_logs.reset_mock()
+
+    # Check no_colors query parameter
+    await api_client.get("/host/logs?no_colors")
+    journald_logs.assert_called_once_with(
+        params={"SYSLOG_IDENTIFIER": coresys.host.logs.default_identifiers},
+        range_header=DEFAULT_RANGE,
+        accept=LogFormat.JOURNAL,
+    )
+    journal_logs_reader.assert_called_with(ANY, LogFormatter.VERBOSE, True)


 async def test_advanced_logs_boot_id_offset(
@@ -343,24 +355,24 @@ async def test_advanced_logs_formatters(
    """Test advanced logs formatters varying on Accept header."""

    await api_client.get("/host/logs")
-    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE, False)

    journal_logs_reader.reset_mock()

    headers = {"Accept": "text/x-log"}
    await api_client.get("/host/logs", headers=headers)
-    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE, False)

    journal_logs_reader.reset_mock()

    await api_client.get("/host/logs/identifiers/test")
-    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.PLAIN)
+    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.PLAIN, False)

    journal_logs_reader.reset_mock()

    headers = {"Accept": "text/x-log"}
    await api_client.get("/host/logs/identifiers/test", headers=headers)
-    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE)
+    journal_logs_reader.assert_called_once_with(ANY, LogFormatter.VERBOSE, False)


 async def test_advanced_logs_errors(coresys: CoreSys, api_client: TestClient):
--- a/tests/api/test_jobs.py
+++ b/tests/api/test_jobs.py
@@ -374,6 +374,8 @@ async def test_job_with_error(
                    "type": "SupervisorError",
                    "message": "bad",
                    "stage": "test",
+                    "error_key": None,
+                    "extra_fields": None,
                }
            ],
            "child_jobs": [
@@ -391,6 +393,8 @@ async def test_job_with_error(
                            "type": "SupervisorError",
                            "message": "bad",
                            "stage": None,
+                            "error_key": None,
+                            "extra_fields": None,
                        }
                    ],
                    "child_jobs": [],
--- a/tests/api/test_multicast.py
+++ b/tests/api/test_multicast.py
@@ -1,23 +1,6 @@
 """Test multicast api."""

-from unittest.mock import MagicMock

-from aiohttp.test_utils import TestClient
-
-from supervisor.coresys import CoreSys
-
-from tests.api import common_test_api_advanced_logs
-
-
-async def test_api_multicast_logs(
-    api_client: TestClient, journald_logs: MagicMock, coresys: CoreSys, os_available
-):
+async def test_api_multicast_logs(advanced_logs_tester):
    """Test multicast logs."""
-    await common_test_api_advanced_logs(
-        "/multicast",
-        "hassio_multicast",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
-    )
+    await advanced_logs_tester("/multicast", "hassio_multicast")
--- a/tests/api/test_store.py
+++ b/tests/api/test_store.py
@@ -4,13 +4,12 @@ import asyncio
 from pathlib import Path
 from unittest.mock import AsyncMock, MagicMock, PropertyMock, patch

-from aiohttp import ClientResponse
 from aiohttp.test_utils import TestClient
 from awesomeversion import AwesomeVersion
 import pytest

 from supervisor.addons.addon import Addon
-from supervisor.arch import CpuArch
+from supervisor.arch import CpuArchManager
 from supervisor.backups.manager import BackupManager
 from supervisor.config import CoreConfig
 from supervisor.const import AddonState, CoreState
@@ -191,7 +190,9 @@ async def test_api_store_update_healthcheck(
        patch.object(DockerAddon, "run", new=container_events_task),
        patch.object(DockerInterface, "install"),
        patch.object(DockerAddon, "is_running", return_value=False),
-        patch.object(CpuArch, "supported", new=PropertyMock(return_value=["amd64"])),
+        patch.object(
+            CpuArchManager, "supported", new=PropertyMock(return_value=["amd64"])
+        ),
    ):
        resp = await api_client.post(f"/store/addons/{TEST_ADDON_SLUG}/update")

@@ -290,14 +291,6 @@ async def test_api_detached_addon_documentation(
    assert result == "Addon local_ssh does not exist in the store"


-async def get_message(resp: ClientResponse, json_expected: bool) -> str:
-    """Get message from response based on response type."""
-    if json_expected:
-        body = await resp.json()
-        return body["message"]
-    return await resp.text()
-
-
@pytest.mark.parametrize(
    ("method", "url", "json_expected"),
    [
@@ -323,7 +316,13 @@ async def test_store_addon_not_found(
    """Test store addon not found error."""
    resp = await api_client.request(method, url)
    assert resp.status == 404
-    assert await get_message(resp, json_expected) == "Addon bad does not exist"
+    if json_expected:
+        body = await resp.json()
+        assert body["message"] == "Addon bad does not exist in the store"
+        assert body["error_key"] == "store_addon_not_found_error"
+        assert body["extra_fields"] == {"addon": "bad"}
+    else:
+        assert await resp.text() == "Addon bad does not exist in the store"


@pytest.mark.parametrize(
@@ -548,7 +547,9 @@ async def test_api_store_addons_addon_availability_arch_not_supported(
        coresys.addons.data.user[addon_obj.slug] = {"version": AwesomeVersion("0.0.1")}

    # Mock the system architecture to be different
-    with patch.object(CpuArch, "supported", new=PropertyMock(return_value=["amd64"])):
+    with patch.object(
+        CpuArchManager, "supported", new=PropertyMock(return_value=["amd64"])
+    ):
        resp = await api_client.request(
            api_method, f"/store/addons/{addon_obj.slug}/{api_action}"
        )
@@ -773,29 +774,29 @@ async def test_api_progress_updates_addon_install_update(
        },
        {
            "stage": None,
-            "progress": 1.2,
+            "progress": 1.7,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 2.8,
+            "progress": 4.0,
            "done": False,
        },
    ]
    assert events[-5:] == [
        {
            "stage": None,
-            "progress": 97.2,
+            "progress": 98.2,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 98.4,
+            "progress": 98.3,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 99.4,
+            "progress": 99.3,
            "done": False,
        },
        {
--- a/tests/api/test_supervisor.py
+++ b/tests/api/test_supervisor.py
@@ -7,6 +7,7 @@ from unittest.mock import AsyncMock, MagicMock, PropertyMock, patch
 from aiohttp.test_utils import TestClient
 from awesomeversion import AwesomeVersion
 from blockbuster import BlockingError
+from docker.errors import DockerException
 import pytest

 from supervisor.const import CoreState
@@ -18,7 +19,6 @@ from supervisor.store.repository import Repository
 from supervisor.supervisor import Supervisor
 from supervisor.updater import Updater

-from tests.api import common_test_api_advanced_logs
 from tests.common import AsyncIterator, load_json_fixture
 from tests.dbus_service_mocks.base import DBusServiceMock
 from tests.dbus_service_mocks.os_agent import OSAgent as OSAgentService
@@ -155,18 +155,9 @@ async def test_api_supervisor_options_diagnostics(
    assert coresys.dbus.agent.diagnostics is False


-async def test_api_supervisor_logs(
-    api_client: TestClient, journald_logs: MagicMock, coresys: CoreSys, os_available
-):
+async def test_api_supervisor_logs(advanced_logs_tester):
    """Test supervisor logs."""
-    await common_test_api_advanced_logs(
-        "/supervisor",
-        "hassio_supervisor",
-        api_client,
-        journald_logs,
-        coresys,
-        os_available,
-    )
+    await advanced_logs_tester("/supervisor", "hassio_supervisor")


 async def test_api_supervisor_fallback(
@@ -381,29 +372,29 @@ async def test_api_progress_updates_supervisor_update(
        },
        {
            "stage": None,
-            "progress": 1.2,
+            "progress": 1.7,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 2.8,
+            "progress": 4.0,
            "done": False,
        },
    ]
    assert events[-5:] == [
        {
            "stage": None,
-            "progress": 97.2,
+            "progress": 98.2,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 98.4,
+            "progress": 98.3,
            "done": False,
        },
        {
            "stage": None,
-            "progress": 99.4,
+            "progress": 99.3,
            "done": False,
        },
        {
@@ -417,3 +408,37 @@ async def test_api_progress_updates_supervisor_update(
            "done": True,
        },
    ]
+
+
+async def test_api_supervisor_stats(api_client: TestClient, coresys: CoreSys):
+    """Test supervisor stats."""
+    coresys.docker.containers_legacy.get.return_value.status = "running"
+    coresys.docker.containers_legacy.get.return_value.stats.return_value = (
+        load_json_fixture("container_stats.json")
+    )
+
+    resp = await api_client.get("/supervisor/stats")
+    assert resp.status == 200
+    result = await resp.json()
+    assert result["data"]["cpu_percent"] == 90.0
+    assert result["data"]["memory_usage"] == 59700000
+    assert result["data"]["memory_limit"] == 4000000000
+    assert result["data"]["memory_percent"] == 1.49
+
+
+async def test_supervisor_api_stats_failure(
+    api_client: TestClient, coresys: CoreSys, caplog: pytest.LogCaptureFixture
+):
+    """Test supervisor stats failure."""
+    coresys.docker.containers_legacy.get.side_effect = DockerException("fail")
+
+    resp = await api_client.get("/supervisor/stats")
+    assert resp.status == 500
+    body = await resp.json()
+    assert (
+        body["message"]
+        == "An unknown error occurred with Supervisor. Check supervisor logs for details (check with 'ha supervisor logs')"
+    )
+    assert body["error_key"] == "supervisor_unknown_error"
+    assert body["extra_fields"] == {"logs_command": "ha supervisor logs"}
+    assert "Could not inspect container 'hassio_supervisor': fail" in caplog.text
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -9,6 +9,7 @@ import subprocess
 from unittest.mock import AsyncMock, MagicMock, Mock, PropertyMock, patch
 from uuid import uuid4

+from aiodocker.containers import DockerContainer, DockerContainers
 from aiodocker.docker import DockerImages
 from aiohttp import ClientSession, web
 from aiohttp.test_utils import TestClient
@@ -120,11 +121,13 @@ async def docker() -> DockerAPI:
        "Id": "test123",
        "RepoTags": ["ghcr.io/home-assistant/amd64-hassio-supervisor:latest"],
    }
+    container_inspect = image_inspect | {"State": {"ExitCode": 0}}

    with (
        patch("supervisor.docker.manager.DockerClient", return_value=MagicMock()),
        patch(
-            "supervisor.docker.manager.DockerAPI.containers", return_value=MagicMock()
+            "supervisor.docker.manager.DockerAPI.containers_legacy",
+            return_value=MagicMock(),
        ),
        patch("supervisor.docker.manager.DockerAPI.api", return_value=MagicMock()),
        patch("supervisor.docker.manager.DockerAPI.info", return_value=MagicMock()),
@@ -136,6 +139,12 @@ async def docker() -> DockerAPI:
                return_value=(docker_images := MagicMock(spec=DockerImages))
            ),
        ),
+        patch(
+            "supervisor.docker.manager.DockerAPI.containers",
+            new=PropertyMock(
+                return_value=(docker_containers := MagicMock(spec=DockerContainers))
+            ),
+        ),
    ):
        docker_obj = await DockerAPI(MagicMock()).post_init()
        docker_obj.config._data = {"registries": {}}
@@ -144,12 +153,18 @@ async def docker() -> DockerAPI:

        docker_images.inspect.return_value = image_inspect
        docker_images.list.return_value = [image_inspect]
-        docker_images.import_image.return_value = [
-            {"stream": "Loaded image: test:latest\n"}
-        ]
-
+        docker_images.import_image = AsyncMock(
+            return_value=[{"stream": "Loaded image: test:latest\n"}]
+        )
        docker_images.pull.return_value = AsyncIterator([{}])

+        docker_containers.get.return_value = docker_container = MagicMock(
+            spec=DockerContainer
+        )
+        docker_containers.list.return_value = [docker_container]
+        docker_containers.create.return_value = docker_container
+        docker_container.show.return_value = container_inspect
+
        docker_obj.info.logging = "journald"
        docker_obj.info.storage = "overlay2"
        docker_obj.info.version = AwesomeVersion("1.0.0")
@@ -790,7 +805,7 @@ async def docker_logs(docker: DockerAPI, supervisor_name) -> MagicMock:
    """Mock log output for a container from docker."""
    container_mock = MagicMock()
    container_mock.logs.return_value = load_binary_fixture("logs_docker_container.txt")
-    docker.containers.get.return_value = container_mock
+    docker.containers_legacy.get.return_value = container_mock
    yield container_mock.logs


@@ -824,7 +839,7 @@ async def os_available(request: pytest.FixtureRequest) -> None:
@pytest.fixture
 async def mount_propagation(docker: DockerAPI, coresys: CoreSys) -> None:
    """Mock supervisor connected to container with propagation set."""
-    docker.containers.get.return_value = supervisor = MagicMock()
+    docker.containers_legacy.get.return_value = supervisor = MagicMock()
    supervisor.attrs = {
        "Mounts": [
            {
@@ -844,10 +859,11 @@ async def mount_propagation(docker: DockerAPI, coresys: CoreSys) -> None:
@pytest.fixture
 async def container(docker: DockerAPI) -> MagicMock:
    """Mock attrs and status for container on attach."""
-    docker.containers.get.return_value = addon = MagicMock()
-    docker.containers.create.return_value = addon
-    addon.status = "stopped"
-    addon.attrs = {"State": {"ExitCode": 0}}
+    attrs = {"State": {"ExitCode": 0}}
+    docker.containers_legacy.get.return_value = addon = MagicMock(
+        status="stopped", attrs=attrs
+    )
+    docker.containers.create.return_value.show.return_value = attrs
    yield addon


--- a/tests/dbus/network/test_interface.py
+++ b/tests/dbus/network/test_interface.py
@@ -184,3 +184,20 @@ async def test_interface_becomes_unmanaged(
    assert wireless.is_connected is False
    assert eth0.connection is None
    assert connection.is_connected is False
+
+
+async def test_unknown_device_type(
+    device_eth0_service: DeviceService, dbus_session_bus: MessageBus
+):
+    """Test unknown device types are handled gracefully."""
+    interface = NetworkInterface("/org/freedesktop/NetworkManager/Devices/1")
+    await interface.connect(dbus_session_bus)
+
+    # Emit an unknown device type (e.g., 1000 which doesn't exist in the enum)
+    device_eth0_service.emit_properties_changed({"DeviceType": 1000})
+    await device_eth0_service.ping()
+
+    # Should return UNKNOWN instead of crashing
+    assert interface.type == DeviceType.UNKNOWN
+    # Wireless should be None since it's not a wireless device
+    assert interface.wireless is None
--- a/tests/dbus/network/test_network_manager.py
+++ b/tests/dbus/network/test_network_manager.py
@@ -6,7 +6,7 @@ from unittest.mock import Mock, PropertyMock, patch
 from dbus_fast.aio.message_bus import MessageBus
 import pytest

-from supervisor.dbus.const import ConnectionStateType
+from supervisor.dbus.const import ConnectionState
 from supervisor.dbus.network import NetworkManager
 from supervisor.dbus.network.interface import NetworkInterface
 from supervisor.exceptions import (
@@ -93,7 +93,7 @@ async def test_activate_connection(
        "/org/freedesktop/NetworkManager/Settings/1",
        "/org/freedesktop/NetworkManager/Devices/1",
    )
-    assert connection.state == ConnectionStateType.ACTIVATED
+    assert connection.state == ConnectionState.ACTIVATED
    assert (
        connection.settings.object_path == "/org/freedesktop/NetworkManager/Settings/1"
    )
@@ -117,7 +117,7 @@ async def test_add_and_activate_connection(
    )
    assert settings.connection.uuid == "0c23631e-2118-355c-bbb0-8943229cb0d6"
    assert settings.ipv4.method == "auto"
-    assert connection.state == ConnectionStateType.ACTIVATED
+    assert connection.state == ConnectionState.ACTIVATED
    assert (
        connection.settings.object_path == "/org/freedesktop/NetworkManager/Settings/1"
    )
--- a/tests/dbus/test_resolved.py
+++ b/tests/dbus/test_resolved.py
@@ -41,51 +41,51 @@ async def test_dbus_resolved_info(
    assert resolved.dns_over_tls == DNSOverTLSEnabled.NO

    assert len(resolved.dns) == 2
-    assert resolved.dns[0] == [0, 2, inet_aton("127.0.0.1")]
-    assert resolved.dns[1] == [0, 10, inet_pton(AF_INET6, "::1")]
+    assert resolved.dns[0] == (0, 2, inet_aton("127.0.0.1"))
+    assert resolved.dns[1] == (0, 10, inet_pton(AF_INET6, "::1"))
    assert len(resolved.dns_ex) == 2
-    assert resolved.dns_ex[0] == [0, 2, inet_aton("127.0.0.1"), 0, ""]
-    assert resolved.dns_ex[1] == [0, 10, inet_pton(AF_INET6, "::1"), 0, ""]
+    assert resolved.dns_ex[0] == (0, 2, inet_aton("127.0.0.1"), 0, "")
+    assert resolved.dns_ex[1] == (0, 10, inet_pton(AF_INET6, "::1"), 0, "")

    assert len(resolved.fallback_dns) == 2
-    assert resolved.fallback_dns[0] == [0, 2, inet_aton("1.1.1.1")]
-    assert resolved.fallback_dns[1] == [
+    assert resolved.fallback_dns[0] == (0, 2, inet_aton("1.1.1.1"))
+    assert resolved.fallback_dns[1] == (
        0,
        10,
        inet_pton(AF_INET6, "2606:4700:4700::1111"),
-    ]
+    )
    assert len(resolved.fallback_dns_ex) == 2
-    assert resolved.fallback_dns_ex[0] == [
+    assert resolved.fallback_dns_ex[0] == (
        0,
        2,
        inet_aton("1.1.1.1"),
        0,
        "cloudflare-dns.com",
-    ]
-    assert resolved.fallback_dns_ex[1] == [
+    )
+    assert resolved.fallback_dns_ex[1] == (
        0,
        10,
        inet_pton(AF_INET6, "2606:4700:4700::1111"),
        0,
        "cloudflare-dns.com",
-    ]
+    )

-    assert resolved.current_dns_server == [0, 2, inet_aton("127.0.0.1")]
-    assert resolved.current_dns_server_ex == [
+    assert resolved.current_dns_server == (0, 2, inet_aton("127.0.0.1"))
+    assert resolved.current_dns_server_ex == (
        0,
        2,
        inet_aton("127.0.0.1"),
        0,
        "",
-    ]
+    )

    assert len(resolved.domains) == 1
-    assert resolved.domains[0] == [0, "local.hass.io", False]
+    assert resolved.domains[0] == (0, "local.hass.io", False)

-    assert resolved.transaction_statistics == [0, 100000]
-    assert resolved.cache_statistics == [10, 50000, 10000]
+    assert resolved.transaction_statistics == (0, 100000)
+    assert resolved.cache_statistics == (10, 50000, 10000)
    assert resolved.dnssec == DNSSECValidation.NO
-    assert resolved.dnssec_statistics == [0, 0, 0, 0]
+    assert resolved.dnssec_statistics == (0, 0, 0, 0)
    assert resolved.dnssec_supported is False
    assert resolved.dnssec_negative_trust_anchors == [
        "168.192.in-addr.arpa",
--- a/Show More
+++ b/Show More