Good advise @samnewman86, but too late. When you have your house stopped, you don’t think clever…
I don’t know @DavidFW1960, I just couldn’t. I tried from server config and from supervisor, but with no luck. Perhaps the automations component is a mandatory one, or something like that.
However, after replace with a previous automations.yaml file and hard reset, it has come to live again. But here is a funny thing, I have restored again my present file (the one that didn’t load after update HA) and after resetting HA, everything works as before.
Maybe my HA wanted to spend some time with me this Sunday morning…
I often find I need to restart a couple of times after an update… I think some custom components need some time to load some dependencies causing problems. These days HA will pretty much start even if there are config issues so you can normally at least troubleshoot
Code that is already running within your HA instance is capable of starting an outbound conversation with whatever server it wants (Assumes your HA instance can freely talk to the internet). Any routes you may have setup inbound are of course always potentially susceptible, but code that’s already running internally (HACS etc.) can ‘sniff’ your secrets.yaml file, or any other HA file and communicate that out to wherever it wants. I posted about this back in early December on the FB group. Seems odd that it’s now getting a lot of attention…
I know everyone would not be on board with this. But perhaps adding an option for automatic updates of point releases when a security patch comes out to the supervisor.
For instance
If you are currently running core 2021.1.X
then it could automatically update you to 2021.1.5
If you are still on core 0.118.3 or 2020.12.1
then it would not auto update as most of the breaking changes are in that point release and not the maintenance releases.
With security fixes I often prefer that whatever system I’m using pick them up immediately, with features updates I’m good at checking for the update and applying it myself, specifically with Home Assistant so that I can ensure that nothing will break.
Isn’t it an option to redesign the current custome_components and move to containers for custom integration instead the same file system as core?
So every component have its own user in home assistant with a long lived token and the containers only allowed to communicate trough the API. Also a benefit for the logging you can see who (integration) is triggering devices. For local folder mapping a filter in place and opt-in so you must give the container access to local folder / files
Update from 2021.1.4 to 5 failed.
Restart not possible, connect to cloud not possible.
I have this strange message in my logs:
Logger: homeassistant.components.hassio.http
Source: components/hassio/http.py:126
Integration: Hass.io (documentation, issues)
First occurred: 13:07:03 (5 occurrences)
Last logged: 13:07:06
Client error on api snapshots/reload request Cannot connect to host 172.30.32.2:80 ssl:default [Connect call failed ('172.30.32.2', 80)]
Client error on api supervisor/logs request Cannot connect to host 172.30.32.2:80 ssl:default [Connect call failed ('172.30.32.2', 80)]
Client error on api network/info request Cannot connect to host 172.30.32.2:80 ssl:default [Connect call failed ('172.30.32.2', 80)]
Client error on api supervisor/stats request Cannot connect to host 172.30.32.2:80 ssl:default [Connect call failed ('172.30.32.2', 80)]
Client error on api core/stats request Cannot connect to host 172.30.32.2:80 ssl:default [Connect call failed ('172.30.32.2', 80)]
No connect to cloud was possible.
All sensors to the OS (CPU,SWAP etx) were unavailable.
Places Component was unavailable
Browser_mod could not be installed
A restart wasn’t possible. Click on restart was simply ignored.
Now, after the rollback to 2021.1.4, everything’s working again.
What con I do now? What went wrong?
Hi, I’m running HA core in docker container. I’ve pulled the latest image, run docker-compose up --force-recreate, but still see 2021.1.3 under Configuration / Info. What am I missing?
After changing all passwords I’m getting a “login attempt failed” notification every minute.
As I use nginx add-on, HA just shows the nginx container ip address, so I can’t know which device/service is is trying to connect to my HA and failing. I couldn’t find how to access the nginx full logs.
The Alexa integration is working fine, both my android apps are working fine. I don’t know how to debug where this connection is coming from.
Does someone has an idea how to proceed to solve this problem?
I just created a nginx_proxy_default.conf file in the /share directory and inserted the configuration you told me, now I can see the failed connection is comming from AWS.
I would like to thank the HA team and Nabu Casa for the swift response! This is a free open-source project and we all appreciate your time and effort. Maybe, security was not the main focus so far in the development and these incidents may get them to a higher priority.
I was always wondering why we have to store passwords and credentials in plain text in a file somewhere in the network. I think these issues show that HA needs an integrated encrypted password and credential storage where all the passwords can be safely stored and integrations and addons can access them via an API call with rights that need to be granted by the user.
Is something like this coming or planned in the near future? I mean the security breach could be non-HA related but these passwords still hang around in the network.
Hi,
Thanks team for all this security updates.
This vulnerability show that internal Encrypted Vault to share different password of addons custom integration or other is now mandatory. Plan text password in yaml files is now not possible for a wonderfull product like HomeAssitant
I read the answer, but it is not fully convincing. Why is it too hard to ask for a password (optionally if the user has configured it in HA) during startup time to get the vault access? This is similar to OS passwords, UEFI passwords, etc. Once logged it, sure HA is then able to read all passwords in the vault, but it should come with a rights management such that the admin can decide which (custom-)integration has access to which pw.
Moreover, the larger fear is that anywhere in the network could be a security breach and access your secrets.yaml file vs. only HA must be breached with a vault. Just this difference is already huge. Of course, this could always be made optional if there is no need for these security measures.
Because, any reboot/restart due to power failure, software glitch, etc would keep HA from starting, which could be an issue if you aren’t home when this happens
Totally understand that. My point is just that everyone should (be able) to decide on his/her own whether the inconvience of a non-booting HA when not at home is worse than a compromised Google/Amazon/Whatever account or vice versa.
