diff --git a/internal/integration/provision/provision.go b/internal/integration/provision/provision.go
index 7f9e48612..0125f2d6b 100644
--- a/internal/integration/provision/provision.go
+++ b/internal/integration/provision/provision.go
@@ -23,6 +23,7 @@ import (
 "github.com/siderolabs/go-blockdevice/v2/encryption"
 "github.com/siderolabs/go-kubernetes/kubernetes/upgrade"
 "github.com/siderolabs/go-pointer"
+ "github.com/siderolabs/go-procfs/procfs"
 "github.com/siderolabs/go-retry/retry"
 sideronet "github.com/siderolabs/net"
 "github.com/stretchr/testify/suite"
@@ -440,6 +441,8 @@ type clusterOptions struct {
 ControlplaneNodes int
 WorkerNodes int
 
+ InjectExtraKernelArgs *procfs.Cmdline
+
 SourceKernelPath string
 SourceInitramfsPath string
 SourceDiskImagePath string
@@ -648,7 +651,8 @@ func (suite *BaseSuite) setupCluster(options clusterOptions) {
 Size: DefaultSettings.DiskGB * 1024 * 1024 * 1024,
 },
 },
- Config: suite.configBundle.ControlPlane(),
+ Config: suite.configBundle.ControlPlane(),
+ SDStubKernelArgs: options.InjectExtraKernelArgs,
 },
 )
 }
@@ -667,7 +671,8 @@ func (suite *BaseSuite) setupCluster(options clusterOptions) {
 Size: DefaultSettings.DiskGB * 1024 * 1024 * 1024,
 },
 },
- Config: suite.configBundle.Worker(),
+ Config: suite.configBundle.Worker(),
+ SDStubKernelArgs: options.InjectExtraKernelArgs,
 },
 )
 }
diff --git a/internal/integration/provision/upgrade.go b/internal/integration/provision/upgrade.go
index 507c4f80f..9d32739e2 100644
--- a/internal/integration/provision/upgrade.go
+++ b/internal/integration/provision/upgrade.go 
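Review bot: `InjectExtraKernelArgs` in `clusterOptions` (the `@@ -440,6 +441,8 @@` hunk of `provision.go`) has no doc comment, and nothing at the declaration says it is forwarded as `SDStubKernelArgs` in the two `setupCluster` hunks rather than as the pre-existing `NodeRequest.ExtraKernelArgs`, which the `pkg/provision/request.go` hunk documents as not applying to ISO or disk-image boots. A reader of the struct alone may expect these args to reach PXE-booted nodes as well. Suggest `// InjectExtraKernelArgs is forwarded as NodeRequest.SDStubKernelArgs, so it only takes effect for ISO and disk-image boots via the systemd-stub.`; the same applies to the field of the same name added to `upgradeSpec` in `upgrade.go`.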
@@ -10,16 +10,24 @@ import (
 "fmt"
 "path/filepath"
 
+ "github.com/cosi-project/runtime/pkg/resource/rtestutils"
+ "github.com/siderolabs/go-procfs/procfs"
+ "github.com/stretchr/testify/assert"
+
 "github.com/siderolabs/talos/cmd/talosctl/pkg/mgmt/helpers"
 "github.com/siderolabs/talos/pkg/images"
+ talosclient "github.com/siderolabs/talos/pkg/machinery/client"
 "github.com/siderolabs/talos/pkg/machinery/config/machine"
 "github.com/siderolabs/talos/pkg/machinery/constants"
+ "github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 )
 //nolint:maligned
 type upgradeSpec struct {
 ShortName string
 
+ InjectExtraKernelArgs *procfs.Cmdline
+
 SourceKernelPath string
 SourceInitramfsPath string
 SourceDiskImagePath string
@@ -42,6 +50,7 @@ type upgradeSpec struct {
 WithEncryption bool
 WithBios bool
 WithApplyConfig bool
+ WithEnforcing bool
 }
 const (
@@ -226,6 +235,38 @@ func upgradeCurrentToCurrentNewCmdline() upgradeSpec {
 }
 }
 
+func upgradeCurrentToCurrentEnforcing() upgradeSpec {
+ installerImage := fmt.Sprintf(
+ "%s/%s:%s",
+ DefaultSettings.TargetInstallImageRegistry,
+ images.DefaultInstallerImageName,
+ DefaultSettings.CurrentVersion,
+ )
+
+ return upgradeSpec{
+ ShortName: fmt.Sprintf("%s-same-ver-enforcing", DefaultSettings.CurrentVersion),
+
+ InjectExtraKernelArgs: procfs.NewCmdline("enforcing=1"),
+
+ SourceISOPath: helpers.ArtifactPath("metal-amd64.iso"),
+ SourceInstallerImage: installerImage,
+ SourceVersion: DefaultSettings.CurrentVersion,
+ SourceK8sVersion: currentK8sVersion,
+
+ TargetInstallerImage: installerImage,
+ TargetVersion: DefaultSettings.CurrentVersion,
+ TargetK8sVersion: currentK8sVersion,
+
+ ControlplaneNodes: 1,
+ WorkerNodes: 0,
+
+ TargetCmdlineContains: "enforcing=1",
+
+ WithApplyConfig: true,
+ WithEnforcing: true,
+ }
+}
+
 // UpgradeSuite ...
 type UpgradeSuite struct {
 BaseSuite 
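Review bot: In `upgradeCurrentToCurrentEnforcing`, the literal `"enforcing=1"` is spelled out twice (`InjectExtraKernelArgs: procfs.NewCmdline("enforcing=1")` and `TargetCmdlineContains: "enforcing=1"`) and the same expectation is restated a third time as `WithEnforcing: true`, which `TestRolling` uses as the expected SELinux state, so the three have to be edited together. Suggest hoisting the argument into a package constant, e.g. `const selinuxEnforcingArg = "enforcing=1"`, used for both fields, plus a comment on the flag: `// WithEnforcing must agree with the injected kernel args: TestRolling asserts each node's SELinux state against it.` The `WithEnforcing bool` field itself (the `@@ -42,6 +50,7 @@` hunk) has no doc comment, consistent with its neighbours, so the comment is better placed at this use site.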
@@ -264,6 +305,8 @@ func (suite *UpgradeSuite) TestRolling() {
 ControlplaneNodes: suite.spec.ControlplaneNodes,
 WorkerNodes: suite.spec.WorkerNodes,
 
+ InjectExtraKernelArgs: suite.spec.InjectExtraKernelArgs,
+
 SourceKernelPath: suite.spec.SourceKernelPath,
 SourceInitramfsPath: suite.spec.SourceInitramfsPath,
 SourceDiskImagePath: suite.spec.SourceDiskImagePath,
@@ -283,6 +326,18 @@ func (suite *UpgradeSuite) TestRolling() {
 // verify initial cluster version
 suite.assertSameVersionCluster(client, suite.spec.SourceVersion)
 
+ // verify enforcing state
+ for _, node := range suite.Cluster.Info().Nodes {
+ rtestutils.AssertResource(
+ talosclient.WithNode(suite.ctx, node.IPs[0].String()),
+ suite.T(), client.COSI,
+ runtime.SecurityStateID,
+ func(r *runtime.SecurityState, asrt *assert.Assertions) {
+ asrt.Equal(suite.spec.WithEnforcing, r.TypedSpec().SELinuxState == runtime.SELinuxStateEnforcing)
+ },
+ )
+ }
+
 options := upgradeOptions{
 TargetInstallerImage: suite.spec.TargetInstallerImage,
 UpgradeStage: suite.spec.UpgradeStage,
@@ -306,6 +361,18 @@ func (suite *UpgradeSuite) TestRolling() {
 // verify final cluster version
 suite.assertSameVersionCluster(client, suite.spec.TargetVersion)
 
+ // verify enforcing state
+ for _, node := range suite.Cluster.Info().Nodes {
+ rtestutils.AssertResource(
+ talosclient.WithNode(suite.ctx, node.IPs[0].String()),
+ suite.T(), client.COSI,
+ runtime.SecurityStateID,
+ func(r *runtime.SecurityState, asrt *assert.Assertions) {
+ asrt.Equal(suite.spec.WithEnforcing, r.TypedSpec().SELinuxState == runtime.SELinuxStateEnforcing)
+ },
+ )
+ }
+
 // upgrade Kubernetes if required
 suite.upgradeKubernetes(suite.spec.SourceK8sVersion, suite.spec.TargetK8sVersion, suite.spec.SkipKubeletUpgrade) 
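Review bot: The SELinux check added after `suite.assertSameVersionCluster(client, suite.spec.SourceVersion)` is repeated verbatim after the final version check in the `@@ -306,6 +361,18 @@` hunk below; the version checks are one helper call each, so the enforcing check deserves the same shape, e.g. `suite.assertSELinuxState(client)`, to keep the pre- and post-upgrade assertions from drifting apart. The `asrt.Equal` also carries no message, so a failure reports only the two booleans and not the `SELinuxState` actually observed. `TestRolling` starts and ends outside this hunk; the helper below takes `*talosclient.Client`, inferred from the `client.COSI` access and the `talosclient` import — confirm against the declaration of `client`.
```go
	// verify enforcing state
	suite.assertSELinuxState(client)

	// … unchanged: options := upgradeOptions{ … } …

// assertSELinuxState asserts that every node reports SELinux enforcing
// exactly when the spec requested it via WithEnforcing.
func (suite *UpgradeSuite) assertSELinuxState(client *talosclient.Client) {
	for _, node := range suite.Cluster.Info().Nodes {
		rtestutils.AssertResource(
			talosclient.WithNode(suite.ctx, node.IPs[0].String()),
			suite.T(), client.COSI,
			runtime.SecurityStateID,
			func(r *runtime.SecurityState, asrt *assert.Assertions) {
				asrt.Equal(suite.spec.WithEnforcing, r.TypedSpec().SELinuxState == runtime.SELinuxStateEnforcing,
					"unexpected SELinux state %v", r.TypedSpec().SELinuxState)
			},
		)
	}
}
```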
@@ -337,5 +404,6 @@ func init() {
 &UpgradeSuite{specGen: upgradeCurrentToCurrentBios, track: 0},
 &UpgradeSuite{specGen: upgradeStableToCurrentPreserveStage, track: 1},
 &UpgradeSuite{specGen: upgradeCurrentToCurrentNewCmdline, track: 2},
+ &UpgradeSuite{specGen: upgradeCurrentToCurrentEnforcing, track: 1},
 )
 }
diff --git a/internal/pkg/install/pull.go b/internal/pkg/install/pull.go
index c8a654e1d..82b0b98b7 100644
--- a/internal/pkg/install/pull.go
+++ b/internal/pkg/install/pull.go
@@ -16,6 +16,7 @@ import (
 "github.com/containerd/errdefs"
 "github.com/siderolabs/talos/internal/pkg/containers/image"
+ "github.com/siderolabs/talos/internal/pkg/selinux"
 "github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -67,6 +68,10 @@ func PullAndValidateInstallerImage(ctx context.Context, registryBuilder image.Re
 oci.WithProcessArgs(args...),
 }
 
+ if selinux.IsEnabled() {
+ specOpts = append(specOpts, oci.WithSelinuxLabel(constants.SelinuxLabelInstaller))
+ }
+
 containerOpts := []containerd.NewContainerOpts{
 containerd.WithImage(img),
 containerd.WithNewSnapshot(containerID, img),
diff --git a/pkg/provision/providers/qemu/launch.go b/pkg/provision/providers/qemu/launch.go
index aea57b9a2..9ef2a98f1 100644
--- a/pkg/provision/providers/qemu/launch.go
+++ b/pkg/provision/providers/qemu/launch.go
@@ -43,6 +43,7 @@ type LaunchConfig struct {
 ExtraISOPath string
 PFlashImages []string
 KernelArgs string
+ SDStubKernelArgs string
 MonitorPath string
 DefaultBootOrder string
 BootloaderEnabled bool 
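Review bot: The new `if selinux.IsEnabled()` block in `PullAndValidateInstallerImage` (the `@@ -67,6 +68,10 @@` hunk of `internal/pkg/install/pull.go`) attaches `constants.SelinuxLabelInstaller` with no comment, so a later reader cannot tell whether the guard exists because the label cannot be applied without an active policy or merely to skip unnecessary work, and may move or drop it. Suggest `// Confine the installer container under its own SELinux label; only applied when SELinux is active on the host.` above the `if`. The enclosing function starts and ends outside the hunk.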
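Review bot: `SDStubKernelArgs string` is added to `LaunchConfig` without a doc comment, while its source, `NodeRequest.SDStubKernelArgs` in `pkg/provision/request.go`, explains that it applies to ISO and disk-image boots; here the type is a plain string because `createNode` in `node.go` assigns `nodeReq.SDStubKernelArgs.String()`. Suggest `// SDStubKernelArgs holds extra kernel args (already rendered from procfs.Cmdline) appended to the systemd-stub cmdline for ISO and disk-image boots.` so the two fields read as a pair.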
@@ -458,6 +459,10 @@ func patchKernelArgs(config *LaunchConfig, httpServerAddr net.Addr) error {
 config.sdStubExtraCmdline = "console=ttyS0"
 
+ if config.SDStubKernelArgs != "" {
+ config.sdStubExtraCmdline += " " + config.SDStubKernelArgs
+ }
+
 if strings.Contains(config.KernelArgs, "{TALOS_CONFIG_URL}") {
 config.KernelArgs = strings.ReplaceAll(config.KernelArgs, "{TALOS_CONFIG_URL}", fmt.Sprintf("http://%s/config.yaml", configServerAddr))
 config.sdStubExtraCmdlineConfig = fmt.Sprintf(" talos.config=http://%s/config.yaml", httpServerAddr)
diff --git a/pkg/provision/providers/qemu/node.go b/pkg/provision/providers/qemu/node.go
index 04c94d3c6..d4801684a 100644
--- a/pkg/provision/providers/qemu/node.go
+++ b/pkg/provision/providers/qemu/node.go
@@ -221,6 +221,10 @@ func (p *provisioner) createNode(ctx context.Context, state *provision.State, cl
 launchConfig.Network.Hostname = nodeReq.Name
 }
 
+ if nodeReq.SDStubKernelArgs != nil {
+ launchConfig.SDStubKernelArgs = nodeReq.SDStubKernelArgs.String()
+ }
+
 if !nodeReq.PXEBooted && launchConfig.IPXEBootFileName == "" {
 launchConfig.KernelImagePath = strings.ReplaceAll(clusterReq.KernelPath, constants.ArchVariable, opts.TargetArch)
 launchConfig.InitrdPath = strings.ReplaceAll(clusterReq.InitramfsPath, constants.ArchVariable, opts.TargetArch)
diff --git a/pkg/provision/request.go b/pkg/provision/request.go
index c140b42b5..931708b85 100644
--- a/pkg/provision/request.go
+++ b/pkg/provision/request.go
@@ -218,6 +218,11 @@ type NodeRequest struct {
 // This doesn't apply to boots from ISO or from the disk image.
 ExtraKernelArgs *procfs.Cmdline
 
+ // SDStubKernelArgs passes additional kernel args via the systemd-stub.
+ //
+ // This applies to boots from ISO and from the disk image.
+ SDStubKernelArgs *procfs.Cmdline
+
 // UUID allows to specify the UUID of the node (VMs only).
 //
 // If not specified, a random UUID will be generated.