Disclosure: Supervisor security vulnerability

Any suggestions on how I might get around this?

ha supervisor update
Processing… Done.

Error: Update of Supervisor failed: Can't install ghcr.io/home-assistant/amd64-hassio-supervisor:2023.03.1: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=2023.03.1&fromImage=ghcr.io%2Fhome-assistant%2Famd64-hassio-supervisor&platform=linux%2Famd64: Internal Server Error ("Get \"https://ghcr.io/v2/\": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)")

My installation is currently at:

Home Assistant 2023.1.7
Supervisor 2023.01.1
Operating System 9.4
Frontend 20230110.0 - latest

From what I can tell, it isn’t a DNS problem.


Update: I was unable to apply any updates to Home Assistant in February too. So I just now restored the host to an earlier image, which reverted Home Assistant to:

Home Assistant 2022.12.9
Supervisor 2022.12.1
Operating System 9.4
Frontend 20221213.1

But attempting to update brought the same error as above, which is strange, since I’d been able to update to 2023.1.7 in January!?!

The logs for the reverted version also contained the following:

homeassistant.components.hassio.handler.HassioAPIError: 'HomeAssistantCore.update' blocked from execution, no host internet connection

Weird, as anything external I manually attempt to reach from the HA cli works…via IPv4.

ping ghcr.io
PING ghcr.io (140.82.113.33): 56 data bytes
64 bytes from 140.82.113.33: seq=0 ttl=47 time=38.816 ms
64 bytes from 140.82.113.33: seq=1 ttl=47 time=40.445 ms

I have IPv6 disabled in HA and I'm pretty sure it's blocked on my network. Could that be the problem? Might the updater have been restricted to IPv6 since February?

I got to core-2023.3.4 supervisor-2023.03.1 Home Assistant OS 9.5 without IPv6 being enabled on my network nor HA. So I don’t think IPv4-only is your problem.

I am running into the exact same issue and error message; here you can see more details about what is going on:

Good to rule that out. Thanks much.

I had forgotten that in late January our internet provider changed the gateway technology we use. That changed our gateway addressing, which includes the DNS address, and I had neglected to update the static DNS address assigned to the Network Interface within Home Assistant. With that now corrected, I have Home Assistant fully up to date.

If your system’s network interface is set to static values, you might review them to see if you suffer the same issue.

Good to be open and transparent to this, and a quick response to it with fix too… Thanx!
#weallwillbehackedsometime

This issue looks to be still active, or once hacked, there is malware in your supervisor/install.

It has been in play since 2022/10/27 16:39 and, with my supervisor at 2023.04.0, the attacks are still happening.

I am just about to back up and blow away the VM and start from scratch with a minimal config.

Any recommendation on what to avoid restoring? Where would virus/malware be hidden in /config??


There’s unlikely to be any malware there, but if there is it should be pretty obvious. The only things in your config folder should be YAML, JSON, the database, and the log file. Anything else is suspect (or installed by a custom component).

The alerts from your security software should be investigated to see if they’re actually anything of note, or just what happens when you’re accessible from the Internet (lots of failed exploit attempts against other software).

While technically a nabucasa connected device would expose the vulnerability, in order to connect to your instance the hacker would have to guess your unique URL. So unless nabucasa uses a very dumb algorithm for generating your unique URL (that is they are not randomly generated), the probability of someone guessing a nabucasa URL is very very very low. @frenck if you have information that indicates this isn’t correct please advise.

Read above, the list of NabuCasa domains, or anything else with an SSL certificate, is public knowledge.

So, if I read this correctly, there would be no issue of Nabu Casa exposing the individual URLs if they had used a wildcard cert, i.e. *.ui.nabu.casa?

Turns out the random Nabu Casa URL was a security scam. Nabu Casa should have made a clear statement that the random URL provided no security. They report all URLs out to the internet, so you're basically putting your instance directly on the internet. I can't believe I trusted Nabu Casa. Errrr!

What are you talking about “security scam”… Nabucasa makes no mention of a random url in the security information. Are you sure you didn’t get that info from a blog that made that assumption?

They make no mention of the fact that your URL is reported out to the internet, so you're really directly exposing your system. They use a random URL that gives the impression of security. Using Nabu Casa is no different from putting the https port directly on the internet from your local network. Nabu Casa never makes this clear. That's a scam.

Uh, it is not the same thing at all… :man_facepalming:

How is an incorrect assumption on your part a scam?

Random URL or not, the moment you connect to your internet provider you get an IP (most likely random as well), but that is, in the end, the "door" into your devices.

Anything that has direct access to the internet without real protection will be found, indexed and cached.
"Browser toolbars, especially ones made by companies that run crawlers, such as Alexa and Netcraft, can report visited URLs back to their parent sites, ready for the bot to come and crawl later"
... just to mention one of your own potential "fault behaviours"
... And I don't even want to mention or think about Google's or Microsoft's "registers"
I don't intend to upset you or make you paranoid, just use common sense, and not "mynabucasa1234secretpassword". And by the way, the moment you open port 80 (or other well-known ports), make sure you have a network monitor to verify the result... no matter if you just got a new IP number and don't have any public domain name.

We are many with this incorrect assumption.

I am 100% behind bkpath here.

The use of a URL that looks like https://yd748fdl398dmsagljd98djajh34gs23.ui.nabu.casa/ gives the false impression of a very secret URL which you cannot guess even if you have the best supercomputer in the world. But the fact is that you can issue a command and get a list of all the Nabu Casa customer URLs. You might as well have used URLs like https://6523.ui.nabu.casa/

Many developers and network experts talk down to users as if they were idiots. You cannot expect any normal person to know that a URL with a 32-character hash-looking name is publicly available. We are not talking about what my ISP may know, or the CIA may know. We are talking about the fact that anyone can open the browser and 20 seconds later they have a complete list of all Nabu Casa URLs without having done anything illegal and without having any special access.

Scam may be a hard word to use because it indicates an ill intention to harm. But I understand why people feel it is a scam, because it should have been documented that this URL is not at all kept secret. If I had known, I would have turned off the feature in HA long ago. And I have it off now. Except last week, when I had a use for it. And then it was my choice to turn it on for a few days.

I am sure the Nabu Casa guys did not know this fact either, to be honest. I do not think it was meant as a scam. I think it was ignorance. I think someone at Nabu Casa found out by reading this thread. And I can forgive ignorance. We cannot all know everything. But don't tell us that we normal customers, paying customers, should have known this.

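The mechanism behind the two posts above (the remark that anything with an SSL certificate is public knowledge, and the question of whether a wildcard certificate such as *.ui.nabu.casa would have avoided that) is Certificate Transparency: every publicly trusted certificate is written to public CT logs, and search services such as crt.sh let anyone list the names in them. The script below is an added example, not code from this thread, from Home Assistant or from Nabu Casa. Its certificate records are constructed to look like crt.sh JSON output and the hostnames in them are made up (the long one is the example hostname used in the post above; ui.nabu.casa is used only as the zone name). The `fetch_crtsh` helper shows the real crt.sh query for live data but is not called by the offline demonstration.

```python
"""Why a random-looking per-host TLS hostname is discoverable, and why a
wildcard certificate would not reveal individual hosts (added example)."""
import json
import urllib.parse
import urllib.request

# CONSTRUCTED sample records in the shape crt.sh returns for
# https://crt.sh/?q=%25.ui.nabu.casa&output=json ; hostnames are made up.
# `name_value` holds the certificate's SAN names, newline-separated.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "yd748fdl398dmsagljd98djajh34gs23.ui.nabu.casa",
     "name_value": "yd748fdl398dmsagljd98djajh34gs23.ui.nabu.casa",
     "not_before": "2023-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "6523.ui.nabu.casa",
     "name_value": "6523.ui.nabu.casa\nwww.6523.ui.nabu.casa",
     "not_before": "2023-02-02T00:00:00"},
    # Hypothetical wildcard certificate: valid for any single label under
    # ui.nabu.casa, but the log entry names no individual host.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.ui.nabu.casa",
     "name_value": "*.ui.nabu.casa",
     "not_before": "2023-02-03T00:00:00"},
    # Neighbouring zone that a naive substring search would drag in.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "nabu.casa",
     "name_value": "nabu.casa\nwww.nabu.casa",
     "not_before": "2023-02-04T00:00:00"},
])


def parse_ct(raw_json):
    """Expand crt.sh records into a flat list of lower-cased SAN names."""
    names = []
    for entry in json.loads(raw_json):
        for n in entry["name_value"].split("\n"):
            n = n.strip().lower()
            if n:
                names.append(n)
    return names


def san_matches(san, host):
    """RFC 6125 style match: exact name, or '*.zone' covering one extra label."""
    if san.startswith("*."):
        suffix = san[1:]                      # e.g. ".ui.nabu.casa"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return san == host


def exposed_hosts(names, zone):
    """Concrete hostnames strictly under `zone` that the logs make public."""
    return sorted(n for n in set(names)
                  if n.endswith("." + zone) and not n.startswith("*."))


def ct_covers(names, host):
    """Some logged certificate is valid for `host` (exact or wildcard)."""
    return any(san_matches(n, host) for n in names)


def ct_reveals(names, host):
    """Some logged certificate names `host` literally; a wildcard does not."""
    return host in set(names)


def fetch_crtsh(zone):
    """Live lookup against the public crt.sh JSON endpoint (needs network)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote("%." + zone) + "&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    names = parse_ct(SAMPLE_CT_JSON)
    print("hosts anyone can list from CT:", exposed_hosts(names, "ui.nabu.casa"))
    for host in ("6523.ui.nabu.casa", "abc.ui.nabu.casa"):
        print(host, "covered by a logged cert:", ct_covers(names, host),
              "| named in the logs:", ct_reveals(names, host))
```

Run as-is to see the per-host certificates give up their hostnames while the wildcard entry covers abc.ui.nabu.casa without naming it; for real data replace `parse_ct(SAMPLE_CT_JSON)` with the names extracted from `fetch_crtsh("ui.nabu.casa")`. Note that a wildcard only removes the CT leak; the hostname is still sent in the clear in the TLS SNI field and resolved through DNS, so it should still be treated as an address, not a secret.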
I’m sorry, but name resolution is the backbone of the internet. There’s no scam here. It’s just how it works.

I'm sorry if some people got the impression that there's security through obscurity, but that is not the only option: picking or generating a large random ID like this is also a step that doesn't require users to come up with their own input to get a unique URL. It requires no user intervention.

While you can source all the NC URLs, it’s not the same as knowing a specific individual’s URL.
