Also changes the bootloader interface.
Disks are formatted/created with pre-populated source directories in Install/Image mode.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Support creating filesystems from `SourceDirectory`; this implies partitions can have their data populated when formatted.
ImageCache handling now uses `SourceDirectory` while formatting, simplifying the code.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add a test for this case
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The fix enforces the order in which `VolumeMountStatus` resources are locked via
finalizers: the order follows the definition in the service, which
follows the order parent -> child. The previous parallel implementation
could put a finalizer on the child before the parent, which might lead to a
deadlock.
Example flow:
* there are two mount requests `/var/lib` and `/var/lib/audit` (having
`/var/lib` as parent)
* service requests mounts, puts finalizers, runs
* service stops, releases volume mount requests, and restarts
* at the same time the controller might concurrently decide to unmount
`/var/lib`, which will be blocked on child `/var/lib/audit` being
mounted
* the starting service might put a finalizer on `/var/lib/audit` as it's not
tearing down yet
* the finalizer on the child `/var/lib/audit` will prevent `/var/lib` from
ever being unmounted.
Also remove mount requests generation hack.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
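As an added illustration (not Talos code: `MountRequest`, `Ledger` and the helper names are constructed for this example), the following Go program sorts mount requests parent-first and models the invariant the fix above relies on: a finalizer goes on a child only after its parent already holds one, and is released in the reverse order. The child-before-parent step from the example flow is exactly what `Acquire` refuses.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// MountRequest is a constructed stand-in for a volume mount request;
// only the mount point matters for deciding the finalizer order.
type MountRequest struct {
	MountPoint string
}

// depth counts path components: "/" -> 0, "/var" -> 1, "/var/lib/audit" -> 3.
func depth(p string) int {
	trimmed := strings.Trim(path.Clean(p), "/")
	if trimmed == "" {
		return 0
	}
	return strings.Count(trimmed, "/") + 1
}

// parentOf returns the closest enclosing mount point of mp among reqs,
// or "" when mp has no parent in the set.
func parentOf(mp string, reqs []MountRequest) string {
	mp = path.Clean(mp)
	best := ""
	for _, r := range reqs {
		p := path.Clean(r.MountPoint)
		if p == mp {
			continue
		}
		prefix := p
		if prefix != "/" {
			prefix += "/"
		}
		if strings.HasPrefix(mp, prefix) && len(p) > len(best) {
			best = p
		}
	}
	return best
}

// OrderParentFirst sorts mount points so every parent precedes its children:
// the only safe order for putting finalizers. Releasing happens in reverse.
func OrderParentFirst(reqs []MountRequest) []string {
	out := make([]string, 0, len(reqs))
	for _, r := range reqs {
		out = append(out, path.Clean(r.MountPoint))
	}
	sort.SliceStable(out, func(i, j int) bool {
		if di, dj := depth(out[i]), depth(out[j]); di != dj {
			return di < dj
		}
		return out[i] < out[j]
	})
	return out
}

// Ledger models finalizer bookkeeping with the parent -> child invariant.
type Ledger struct {
	reqs []MountRequest
	held map[string]bool
}

func NewLedger(reqs []MountRequest) *Ledger {
	return &Ledger{reqs: reqs, held: map[string]bool{}}
}

// Acquire puts a finalizer on mp; it refuses when the parent is not held yet,
// which is the out-of-order case that produced the deadlock.
func (l *Ledger) Acquire(mp string) error {
	mp = path.Clean(mp)
	if parent := parentOf(mp, l.reqs); parent != "" && !l.held[parent] {
		return fmt.Errorf("refusing finalizer on %s: parent %s is not held", mp, parent)
	}
	l.held[mp] = true
	return nil
}

// Release drops the finalizer from mp; it refuses while a child still holds one,
// mirroring how unmounting /var/lib blocks on /var/lib/audit.
func (l *Ledger) Release(mp string) error {
	mp = path.Clean(mp)
	for _, r := range l.reqs {
		child := path.Clean(r.MountPoint)
		if l.held[child] && parentOf(child, l.reqs) == mp {
			return fmt.Errorf("cannot release %s: child %s still holds a finalizer", mp, child)
		}
	}
	delete(l.held, mp)
	return nil
}

// RunOrdered acquires all finalizers parent-first and releases them in reverse;
// it returns the acquisition order and never trips the ledger's invariant.
func RunOrdered(reqs []MountRequest) ([]string, error) {
	l := NewLedger(reqs)
	order := OrderParentFirst(reqs)
	for _, mp := range order {
		if err := l.Acquire(mp); err != nil {
			return nil, err
		}
	}
	for i := len(order) - 1; i >= 0; i-- {
		if err := l.Release(order[i]); err != nil {
			return nil, err
		}
	}
	return order, nil
}

func main() {
	reqs := []MountRequest{{"/var/lib/audit"}, {"/var/lib"}, {"/var"}}
	order, err := RunOrdered(reqs)
	fmt.Println(order, err)

	// The pre-fix scenario: the child gets its finalizer before the parent.
	fmt.Println(NewLedger(reqs).Acquire("/var/lib/audit"))
}
```

The ordering is derived from path depth rather than from request arrival order, so a restarted service reaches the same sequence regardless of which request it sees first.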
Ignore primaryIndex unless it's both configured and set in the kernel.
I think we should never actually set primaryIndex in any case, but this
fixes an issue where Talos gets into a loop trying to reconcile
primaryIndex (when the kernel reports it, and we don't have it set).
This comes from a private user report.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
I don't see much point in this check, as it's only valuable when joining
a local development instance of Omni, which is a pretty nice use case.
But this check breaks joining a "real" Omni which has a hostname in the
endpoint.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use the grouping feature to reflect internal command structure better in
the `--help` output.
```
$ talosctl --help
A CLI for out-of-band management of Kubernetes nodes created by Talos
Usage:
talosctl [command]
Manage running Talos clusters:
apply-config Apply a new configuration to a node
bootstrap Bootstrap the etcd cluster on the specified node.
cgroups Retrieve cgroups usage information
config Manage the client configuration file (talosconfig)
conformance Run conformance tests
containers List containers
copy Copy data out from the node
dashboard Cluster dashboard with node overview, logs and real-time metrics
dmesg Retrieve kernel logs
edit Edit Talos node machine configuration with the default editor.
etcd Manage etcd
events Stream runtime events
get Get a specific resource or list of resources (use 'talosctl get rd' to see all available resource types).
health Check cluster health
image Manage CRI container images
inspect Inspect internals of Talos
kubeconfig Download the admin kubeconfig from the node
list Retrieve a directory listing
logs Retrieve logs for a service
memory Show memory usage
meta Write and delete keys in the META partition
mounts List mounts
netstat Show network connections and sockets
patch Patch machine configuration of a Talos node with a local patch.
pcap Capture the network packets from the node.
processes List running processes
read Read a file on the machine
reboot Reboot a node
reset Reset a node
restart Restart a process
rollback Rollback a node to the previous installation
rotate-ca Rotate cluster CAs (Talos and Kubernetes APIs).
service Retrieve the state of a service (or all services), control service state
shutdown Shutdown a node
stats Get container stats
support Dump debug information about the cluster
time Gets current server time
upgrade Upgrade Talos on the target node
upgrade-k8s Upgrade Kubernetes control plane in the Talos cluster.
usage Retrieve a disk usage
version Prints the version
wipe Wipe block device or volumes
Commands to generate and manage machine configuration offline:
gen Generate CAs, certificates, and private keys
inject Inject Talos API resources into Kubernetes manifests
machineconfig Machine config related commands
validate Validate config
Local Talos cluster commands:
cluster A collection of commands for managing local docker-based or QEMU-based clusters
Additional Commands:
completion Output shell completion code for the specified shell (bash, fish or zsh)
help Help about any command
Flags:
-h, --help help for talosctl
Use "talosctl [command] --help" for more information about a command.
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Un-hide the `talosctl cluster create` command, as it hides its children,
but instead hide all flags. The flags are still documented for
`talosctl cluster dev`.
Fixes #12423
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Do same exclusions as we applied to "old-style" config:
* not a node IP
* not applicable as etcd endpoint
Fixes #12410
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This was manually verified on an Equinix Metal box.
Two fixes:
1. `missed_max` should be treated specially - it can't be set for some
bond types, but at the same time kernel returns value '2' for it.
2. Fix default configuration for bonds set via platform config for
Equinix Metal, nocloud and OpenStack.
See https://github.com/siderolabs/talos/issues/12315
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This now properly silences messages like:
```
E1210 14:54:05.283069 1 reflector.go:429] "The watchlist request ended with an error, falling back to the standard LIST/WATCH semantics because making progress is better than deadlocking" err="client rate limiter Wait returned an error: context canceled - error from a previous attempt: EOF"
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
When creating Talos with QEMU on Mac, do not override default DNS settings to Gateway IPs
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Don't attach nft rules to the IPv6 KubeSpan addresses, as Linux can
route these packets natively: they are directly assigned to the
`kubespan` interface.
Also fix the way MSS clamping is applied: the previous implementation
incorrectly triggered clamping for all addresses if the list of IPv4 or
IPv6 addresses was empty.
Previous rules:
```
table inet talos {
	chain kubespan_outgoing {
		type route hook output priority filter; policy accept;
		meta mark & 0x00000060 == 0x00000020 accept
		oifname "lo" accept
		ip daddr { 172.20.0.2, 172.20.0.4-172.20.0.6 } tcp flags & (syn | rst) == syn tcp option maxseg size > 1368 tcp option maxseg size set 1368
		ip6 daddr { fd4e:cae:686b:1902:87f:e8ff:fe1e:b4e3, fd4e:cae:686b:1902:a44b:28ff:febf:e664, fd4e:cae:686b:1902:c049:f2ff:fe84:1785, fd4e:cae:686b:1902:c8c9:75ff:fe4c:5ba8 } tcp flags & (syn | rst) == syn tcp option maxseg size > 1348 tcp option maxseg size set 1348
		ip daddr { 172.20.0.2, 172.20.0.4-172.20.0.6 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept
		ip6 daddr { fd4e:cae:686b:1902:87f:e8ff:fe1e:b4e3, fd4e:cae:686b:1902:a44b:28ff:febf:e664, fd4e:cae:686b:1902:c049:f2ff:fe84:1785, fd4e:cae:686b:1902:c8c9:75ff:fe4c:5ba8 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept
	}
	chain kubespan_prerouting {
		type filter hook prerouting priority filter; policy accept;
		meta mark & 0x00000060 == 0x00000020 accept
		ip daddr { 172.20.0.2, 172.20.0.4-172.20.0.6 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept
		ip6 daddr { fd4e:cae:686b:1902:87f:e8ff:fe1e:b4e3, fd4e:cae:686b:1902:a44b:28ff:febf:e664, fd4e:cae:686b:1902:c049:f2ff:fe84:1785, fd4e:cae:686b:1902:c8c9:75ff:fe4c:5ba8 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept
	}
}
```
New rules:
```
table inet talos {
	chain kubespan_outgoing {
		type route hook output priority filter; policy accept;
		meta mark & 0x00000060 == 0x00000020 accept
		oifname "lo" accept
		ip daddr { 172.20.0.2, 172.20.0.4-172.20.0.6 } tcp flags & (syn | rst) == syn tcp option maxseg size > 1368 tcp option maxseg size set 1368
		ip daddr { 172.20.0.2, 172.20.0.4-172.20.0.6 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept
	}
	chain kubespan_prerouting {
		type filter hook prerouting priority filter; policy accept;
		meta mark & 0x00000060 == 0x00000020 accept
		ip daddr { 172.20.0.2, 172.20.0.4-172.20.0.6 } meta mark set meta mark & 0xffffffdf | 0x00000040 accept
	}
}
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
s/default/k8s-bundle
s/source-bundle/talos-bundle
for UX consistency when generating lists of images used by talos.
Remove non-k8s images from k8s-bundle list.
Signed-off-by: Justin Garrison <justin.garrison@siderolabs.com>
Subtract 12 bytes more from the MTU to build correct MSS clamping for
TCP. Linux by default adds TCP options (timestamps, etc.) which seems to
occupy 12 bytes (3 options).
This zeroes out TCP retransmissions on `iperf3` testing with KubeSpan,
but has no effect on throughput.
Fixes #12311
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
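Added example, not Talos's own code, covering both the MSS derivation in this commit (MTU minus IP header, TCP header and 12 bytes of TCP options) and the rule generation from the KubeSpan nft commit above (rules only for a non-empty IPv4 set, none for IPv6). It assumes a link MTU of 1420, which is the value the 1368/1348 figures in the rule listings imply; the function names and the address list are constructed for this example and the chain text is rendered in the style of `nft list ruleset`.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// Header sizes used to derive the TCP MSS from the link MTU. The 12 bytes of
// TCP options are the figure measured in the commit above (3 options).
const (
	ipv4HeaderLen = 20
	ipv6HeaderLen = 40
	tcpHeaderLen  = 20
	tcpOptionsLen = 12
)

// ClampMSS returns the MSS to clamp SYN segments to for a link of the given
// MTU; ipv6 selects the larger IPv6 header.
func ClampMSS(mtu int, ipv6 bool) int {
	ipHeader := ipv4HeaderLen
	if ipv6 {
		ipHeader = ipv6HeaderLen
	}
	return mtu - ipHeader - tcpHeaderLen - tcpOptionsLen
}

// formatSet renders addresses as an nft anonymous set: sorted, deduplicated,
// with consecutive addresses collapsed into ranges as `nft list ruleset` prints them.
func formatSet(addrs []netip.Addr) string {
	sorted := append([]netip.Addr(nil), addrs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Compare(sorted[j]) < 0 })
	var elems []string
	for i := 0; i < len(sorted); {
		start, end := sorted[i], sorted[i]
		j := i + 1
		for j < len(sorted) && (sorted[j] == end || sorted[j] == end.Next()) {
			end = sorted[j]
			j++
		}
		if start == end {
			elems = append(elems, start.String())
		} else {
			elems = append(elems, start.String()+"-"+end.String())
		}
		i = j
	}
	return "{ " + strings.Join(elems, ", ") + " }"
}

// KubeSpanOutgoingChain renders the rules of the kubespan_outgoing chain.
// As in the fixes above, the clamp and mark rules are emitted only when the
// IPv4 list is non-empty (an empty list previously clamped all traffic), and
// IPv6 addresses get no rules at all: they are routed natively via the
// kubespan interface.
func KubeSpanOutgoingChain(mtu int, v4, v6 []netip.Addr) []string {
	rules := []string{
		"type route hook output priority filter; policy accept;",
		"meta mark & 0x00000060 == 0x00000020 accept",
		`oifname "lo" accept`,
	}
	if len(v4) > 0 {
		set := formatSet(v4)
		mss := ClampMSS(mtu, false)
		rules = append(rules,
			fmt.Sprintf("ip daddr %s tcp flags & (syn | rst) == syn tcp option maxseg size > %d tcp option maxseg size set %d", set, mss, mss),
			fmt.Sprintf("ip daddr %s meta mark set meta mark & 0xffffffdf | 0x00000040 accept", set),
		)
	}
	_ = v6 // intentionally unused: no nft rules for IPv6 KubeSpan addresses
	return rules
}

func main() {
	// Constructed peer addresses, deliberately unsorted to exercise formatSet.
	v4 := []netip.Addr{
		netip.MustParseAddr("172.20.0.6"), netip.MustParseAddr("172.20.0.2"),
		netip.MustParseAddr("172.20.0.4"), netip.MustParseAddr("172.20.0.5"),
	}
	v6 := []netip.Addr{netip.MustParseAddr("fd4e:cae:686b:1902:87f:e8ff:fe1e:b4e3")}
	fmt.Println("chain kubespan_outgoing {")
	for _, r := range KubeSpanOutgoingChain(1420, v4, v6) {
		fmt.Println("\t" + r)
	}
	fmt.Println("}")
}
```

With the 1420 MTU assumption the IPv4 clamp comes out at 1368 and the IPv6 value at 1348, matching the listings above; passing an empty IPv4 list yields only the three unconditional rules instead of a clamp that matches every destination.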
Set the MTU in QEMU launch args. MTU is already sent by DHCP to Talos
machines, so the rest should just work.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The needed changes for SBOM + VEX support have landed on main and are
available in the current Grype release.
Also rebase the Syft PR and use Syft 1.38.1 + deterministic/reproducible
SPDX SBOM generation patch.
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Use UKI cmdline either if the config is missing completely, or if the
incomplete machine config is present (we are in maintenance mode).
Fixes #12349
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>