From 9cd2d794d060b637dbac5263ae417a4e83d54efe Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Wed, 17 Sep 2025 18:41:52 +0400
Subject: [PATCH] feat: ship nft binary with Talos rootfs

Fixes #11846

Also bump Linux to 6.16.7 via pkgs.

Signed-off-by: Andrey Smirnov
---
 Dockerfile | 6 ++++++
 Makefile | 4 +++-
 hack/release.toml | 8 +++++++-
 .../pkg/controllers/network/nftables_chain_test.go | 9 ++++++++-
 pkg/machinery/constants/constants.go | 2 +-
 pkg/machinery/gendata/data/pkgs | 2 +-
 6 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 161945a6b..2ed992daf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -48,6 +48,7 @@ ARG PKG_LINUX_FIRMWARE=scratch
 ARG PKG_LVM2=scratch
 ARG PKG_MTOOLS=scratch
 ARG PKG_MUSL=scratch
+ARG PKG_NFTABLES=scratch
 ARG PKG_OPENSSL=scratch
 ARG PKG_OPEN_VMDK=scratch
 ARG PKG_PCRE2=scratch
@@ -151,6 +152,9 @@ FROM --platform=arm64 ${PKG_LVM2} AS pkg-lvm2-arm64
 FROM --platform=amd64 ${PKG_LIBAIO} AS pkg-libaio-amd64
 FROM --platform=arm64 ${PKG_LIBAIO} AS pkg-libaio-arm64
 
+FROM --platform=amd64 ${PKG_NFTABLES} AS pkg-nftables-amd64
+FROM --platform=arm64 ${PKG_NFTABLES} AS pkg-nftables-arm64
+
 FROM --platform=amd64 ${PKG_MUSL} AS pkg-musl-amd64
 FROM --platform=arm64 ${PKG_MUSL} AS pkg-musl-arm64
 
@@ -694,6 +698,7 @@ COPY --link --from=pkg-openssl-amd64 / /rootfs
 COPY --link --from=pkg-lvm2-amd64 / /rootfs
 COPY --link --from=pkg-libaio-amd64 / /rootfs
 COPY --link --from=pkg-musl-amd64 / /rootfs
+COPY --link --from=pkg-nftables-amd64 / /rootfs
 COPY --link --from=pkg-runc-amd64 / /rootfs
 COPY --link --from=pkg-xfsprogs-amd64 / /rootfs
 COPY --link --from=pkg-util-linux-amd64 /usr/lib/libblkid.* /rootfs/usr/lib/
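Review bot: The new `COPY --link --from=pkg-nftables-amd64 / /rootfs` line (and its arm64 twin in the next hunk) copies the whole package image root into the rootfs, while the neighbouring util-linux line copies only the `libblkid.*` files it needs. If the nftables package image contains more than the `nft` binary and the libraries it links against, everything extra ends up in the immutable rootfs and in what is reachable from the host; the diff does not show the package layout, so this is worth confirming before merge. If copying the whole tree is intentional, a short comment on the line, `# nft CLI and its runtime libraries, for CNIs that shell out to nft`, would record why this package is not narrowed like util-linux.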
@@ -775,6 +780,7 @@ COPY --link --from=pkg-openssl-arm64 / /rootfs
 COPY --link --from=pkg-lvm2-arm64 / /rootfs
 COPY --link --from=pkg-libaio-arm64 / /rootfs
 COPY --link --from=pkg-musl-arm64 / /rootfs
+COPY --link --from=pkg-nftables-arm64 / /rootfs
 COPY --link --from=pkg-runc-arm64 / /rootfs
 COPY --link --from=pkg-xfsprogs-arm64 / /rootfs
 COPY --link --from=pkg-util-linux-arm64 /usr/lib/libblkid.* /rootfs/usr/lib/
diff --git a/Makefile b/Makefile
index f3c2aac8d..5d1a03917 100644
--- a/Makefile
+++ b/Makefile
@@ -27,7 +27,7 @@ EMBED_TARGET ?= embed
 TOOLS_PREFIX ?= ghcr.io/siderolabs/tools
 TOOLS ?= v1.12.0-alpha.0-6-gc37ac80
 PKGS_PREFIX ?= ghcr.io/siderolabs
-PKGS ?= v1.12.0-alpha.0-21-g122fa66
+PKGS ?= v1.12.0-alpha.0-26-g7fe686d
 GENERATE_VEX_PREFIX ?= ghcr.io/siderolabs/generate-vex
 GENERATE_VEX ?= latest
 
@@ -69,6 +69,7 @@ PKG_LINUX_FIRMWARE ?= $(PKGS_PREFIX)/linux-firmware:$(PKGS)
 PKG_LVM2 ?= $(PKGS_PREFIX)/lvm2:$(PKGS)
 PKG_MTOOLS ?= $(PKGS_PREFIX)/mtools:$(PKGS)
 PKG_MUSL ?= $(PKGS_PREFIX)/musl:$(PKGS)
+PKG_NFTABLES ?= $(PKGS_PREFIX)/nftables:$(PKGS)
 PKG_OPENSSL ?= $(PKGS_PREFIX)/openssl:$(PKGS)
 PKG_OPEN_VMDK ?= $(PKGS_PREFIX)/open-vmdk:$(PKGS)
 PKG_PCRE2 ?= $(PKGS_PREFIX)/pcre2:$(PKGS)
@@ -219,6 +220,7 @@ COMMON_ARGS += --build-arg=PKG_LIBURCU=$(PKG_LIBURCU)
 COMMON_ARGS += --build-arg=PKG_LINUX_FIRMWARE=$(PKG_LINUX_FIRMWARE)
 COMMON_ARGS += --build-arg=PKG_LVM2=$(PKG_LVM2)
 COMMON_ARGS += --build-arg=PKG_MTOOLS=$(PKG_MTOOLS)
+COMMON_ARGS += --build-arg=PKG_NFTABLES=$(PKG_NFTABLES)
 COMMON_ARGS += --build-arg=PKG_MUSL=$(PKG_MUSL)
 COMMON_ARGS += --build-arg=PKG_OPENSSL=$(PKG_OPENSSL)
 COMMON_ARGS += --build-arg=PKG_OPEN_VMDK=$(PKG_OPEN_VMDK)
diff --git a/hack/release.toml b/hack/release.toml
index 5bb443c55..096d1c4cd 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -18,7 +18,7 @@ preface = """
 [notes.updates]
 title = "Component Updates"
 description = """\
-Linux: 6.16.6
+Linux: 6.16.7
 Kubernetes: 1.34.1
 CNI Plugins: 1.8.0
 cryptsetup: 2.8.1
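Review bot: The added `COMMON_ARGS += --build-arg=PKG_NFTABLES=$(PKG_NFTABLES)` is inserted between `PKG_MTOOLS` and `PKG_MUSL`, which breaks the alphabetical order the surrounding lines follow, whereas the `PKG_NFTABLES ?=` definition in the previous hunk is correctly placed after `PKG_MUSL`. Moving the new line one position down, after `COMMON_ARGS += --build-arg=PKG_MUSL=$(PKG_MUSL)`, keeps the variable list and the build-arg list in the same order and makes the next package easier to slot in. There is no functional difference, since the order of `--build-arg` flags does not affect the build.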
@@ -60,6 +60,12 @@ The currently used PCR's can be seen with `talosctl get volumestatus -o
 description = """\
 Talos now enables a stricter set of KSPP sysctl settings by default.
 The list of overridden settings is available with `talosctl get kernelparamstatus` command.
+"""
+
+[notes.extra-binaries]
+title = "Extra Binaries"
+description = """\
+Talos Linux now ships with `nft` binary in the rootfs to support CNIs which shell out to `nft` command.
 """
 
 [make_deps]
diff --git a/internal/app/machined/pkg/controllers/network/nftables_chain_test.go b/internal/app/machined/pkg/controllers/network/nftables_chain_test.go
index 4109551c3..396089949 100644
--- a/internal/app/machined/pkg/controllers/network/nftables_chain_test.go
+++ b/internal/app/machined/pkg/controllers/network/nftables_chain_test.go
@@ -29,6 +29,13 @@ type NfTablesChainSuite struct {
 
 func (s *NfTablesChainSuite) nftOutput() string {
 out, err := exec.CommandContext(s.T().Context(), "nft", "list", "table", "inet", "talos-test").CombinedOutput()
+if err != nil {
+if strings.Contains(string(out), "No such file or directory") ||
+strings.Contains(string(out), "No such table") {
+return "table inet talos-test {\n}"
+}
+}
+
 s.Require().NoError(err, "nft list table inet talos-test failed: %s", string(out))
 
 return string(out)
@@ -195,7 +202,7 @@ func (s *NfTablesChainSuite) TestConntrackCounter() {
 s.checkNftOutput(`table inet talos-test {
 chain test1 {
 type filter hook input priority security; policy accept;
-ct state { established, related } accept
+ct state { 0x2000000, 0x4000000 } accept
 ct state invalid counter packets 0 bytes 0 drop
 }
 }`)
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index 7b452e63a..b401714eb 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
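Review bot: The new early return in `nftOutput` decides that the table is absent by substring-matching nft's error text, and the hunk does not say why two different phrases are matched. If, as it appears, `No such file or directory` and `No such table` are the wording different nft versions use for the same missing-table condition, a comment such as `// older nft reports a missing table as ENOENT text, newer ones as "No such table"; both mean an empty table here` would keep a later reader from deleting one of them as redundant. The nested `if err != nil { if ... }` also reads more directly as one condition, `if err != nil && (strings.Contains(string(out), "No such file or directory") || strings.Contains(string(out), "No such table")) {`. The synthesized `"table inet talos-test {\n}"` has to match byte-for-byte what `nft list table` prints for an empty table, or the comparison in `checkNftOutput` (not in this diff) fails in a confusing way; the function's closing brace lies outside the hunk.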
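Review bot: The new expectation `ct state { 0x2000000, 0x4000000 } accept` replaces the symbolic `established, related` with raw values that look like the conntrack state bits 0x2 and 0x4 with their byte order swapped, and nothing in the hunk explains the change. The controller that programs the rule is not touched by this commit, so this presumably reflects how the nft build now shipped renders the anonymous set; it is worth confirming that the rule still matches established/related traffic rather than a host/network byte-order mismatch that the previous nft happened to hide. Whichever it is, a comment above the expected block, `// the shipped nft prints the ct state set as raw hex; values are established (0x2) and related (0x4)`, would stop the next reader from treating the hex as a typo. `TestConntrackCounter` starts before and ends after this hunk.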
@@ -14,7 +14,7 @@ import (
 
 const (
 // DefaultKernelVersion is the default Linux kernel version.
-DefaultKernelVersion = "6.16.6-talos"
+DefaultKernelVersion = "6.16.7-talos"
 
 // KernelParamConfig is the kernel parameter name for specifying the URL.
 // to the config.
diff --git a/pkg/machinery/gendata/data/pkgs b/pkg/machinery/gendata/data/pkgs
index 0f284986b..851b6bf78 100644
--- a/pkg/machinery/gendata/data/pkgs
+++ b/pkg/machinery/gendata/data/pkgs
@@ -1 +1 @@
-v1.12.0-alpha.0-21-g122fa66
\ No newline at end of file
+v1.12.0-alpha.0-26-g7fe686d
\ No newline at end of file