Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks up in the image verification process, while
containerd CRI plugin accesses same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Not updating Go modules yet, as there's a dependency conflict via
fluxcd/pkg/ssa right now due to removed autoscaling API in k8s.io/api.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This command was always hidden, rename it to `debug-tool` to free up the
`talosctl debug` for #12932.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
74d35900af0f6451426b70eec3b6db4b72eb993c was supposed to disable the k8s
tests on memory-restricted workers, but instead made the tests only run
on memory-restricted workers.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Pass the IF endpoint to `talosctl cluster create qemu`.
It matches the default value, but if we change the hostname, the test
breaks as it starts using different image factories for
provisioning/upgrade.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Kubernetes E2E tests have had a bump in memory usage, making running
these on 1GiB worker nodes unreliable.
Disable `talosctl health --run-e2e` in this case.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Add new `--airgapped` flag to talos cluster create (qemu)
to disable NAT in the VMs to effectively become airgapped.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
* add 'iso', 'pxe', 'disk-image', 'maintenance' and 'secureboot' presets
* swith the image-factory e2e test to use the create qemu command with presets
* add a '--omni-api-endpoint' to simplify connecting machines to omni
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
Use cmdline from the UKI in Talos 1.12+ by default for new installs.
This brings GRUB in line with systemd-boot vs. cmdline behavior.
Fixes#12019
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Most of the work is to add proper test environment for more cases.
Include a test for pulling an image
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add a user facing cluster create docker command with the following changes:
* renamed flags for simplicity and uniformity
* removed the bulk of the unnecessary flags
Other changes:
* split internal logic such that it's separate from the qemu cluster create logic
* refactor internal code aiming for simplicity
Ä change drives flag behavior in anticipation of the user facing create-qemu command
* extract code into separate functions
* add some unit tests
* remove the docker support from the cluster create command (docker is only supported via the user-facing create-docker command)
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
This showed up in docker runs (not sure why only docker), but the issue
is the following:
* a service is running which has some volume requirements
* `VolumeMountRequests` are created, and `VolumeMountStatus` were
established
* the service put finalizers on `VolumeMountStatus`
* now the service is going to be restarted - so at first it's going to
be shut down
* on shutdown, the service will remove `VolumeMountRequest`, and remove
finalizers on `VolumeMountStatus`
* now it's job of other controllers to tear down and remove mounts
* as the service starts back up after restart, it will re-create
`VolumeMountRequest`, and will try to wait and put finalizers on
`VolumeMountStatus`
* here comes the race condition: it can be that the service sees tearing
down `VolumeMountStatus` which is left from the shutdown time, so it
puts a finalizer on it, and it blocks the proper teardown of the
previous "generation" of the mount request/status, leading to a
deadlock
So the fix is to wait for the new status to be created which is not
tearing down.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add more NVIDIA tests covering all supported OSS and Proprietary LTS and Production driver versions.
Fixes: #11398
Signed-off-by: Noel Georgi <git@frezbo.dev>
Also bump Go dependencies, other dependencies.
Add version contract for future Talos 1.12.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Zswap allows to compress pages in memory before they hit the actual swap
device.
Both swap and zswap (or either one of these) can be enabled.
Fixes#10675
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#10674
Provide a way to see current swap status, configure additional swap
devices (block) and de-configure them on the fly.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
When extending PCR or trying to seed entropy pool from TPM if the found
device is a TPM1.2 device, skip it, since Talos only supports TPM2.0
Fixes: #10847
Signed-off-by: Noel Georgi <git@frezbo.dev>
