Allow both /etc/ld.so.conf and /etc/ld.so.cache files in /etc since tools expect these to be standard.
See: https://github.com/siderolabs/extensions/pull/1031
Replaces changes for Dockerfile from #12909
Signed-off-by: Noel Georgi <git@frezbo.dev>
When dashboard runs within Talos, it previously used `os:admin` role
which allows anything.
With changes in 1.13, I dropped the role to `os:reader`, which is a way
tighter scope from the security perspective, but it broke network config
tab - it tries to write to META, which is not allowed under `os:reader`
role, so this change fixes the dashboard, but still keeps the RBAC
tight.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #13056
The TPM unseal operation doesn't respect the context, and we had 10
second timeout for the whole key unlock operation.
So there might be a case when a "slow" TPM unseal runs for more than 10
seconds, and by the time TPM unseal is done, context timeout already
passed, so a somewhat wrong message pops in, as the rate limiter is
configured with any limit, but it fails due to the fact that the context
got canceled (but it would have failed later anyways doing the actual
resource operation).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
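The failure mode described in this commit message (a blocking operation that ignores the caller's context, so the deadline is only noticed afterwards and misattributed to the next step) can be illustrated with the following added example. It is not code from Talos or from this commit; the unseal function is a hypothetical stand-in for a TPM call that takes no context, and the key material is constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// unsealResult carries the output of a blocking unseal call across a goroutine.
type unsealResult struct {
	key []byte
	err error
}

// UnsealWithContext wraps a blocking unseal function that takes no context
// (hypothetical stand-in for a TPM unseal) so the caller's deadline is honoured:
// if ctx expires first, the context error is returned immediately and the slow
// unseal is left to finish in the background.
func UnsealWithContext(ctx context.Context, unseal func() ([]byte, error)) ([]byte, error) {
	ch := make(chan unsealResult, 1) // buffered so the goroutine never blocks forever

	go func() {
		key, err := unseal()
		ch <- unsealResult{key: key, err: err}
	}()

	select {
	case <-ctx.Done():
		return nil, fmt.Errorf("tpm unseal: %w", ctx.Err())
	case res := <-ch:
		if res.err != nil {
			return nil, fmt.Errorf("tpm unseal: %w", res.err)
		}
		return res.key, nil
	}
}

// ClassifyUnlockError reports a deadline or cancellation distinctly from an
// operation failure, so an expired context is not reported as some later step
// (such as a rate limiter) refusing the request.
func ClassifyUnlockError(err error) string {
	switch {
	case err == nil:
		return "ok"
	case errors.Is(err, context.DeadlineExceeded):
		return "timeout"
	case errors.Is(err, context.Canceled):
		return "canceled"
	default:
		return "failed"
	}
}

// SlowUnseal simulates an unseal call that takes the given time (constructed for the example).
func SlowUnseal(d time.Duration) func() ([]byte, error) {
	return func() ([]byte, error) {
		time.Sleep(d)
		return []byte("constructed-key-material"), nil
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()

	_, err := UnsealWithContext(ctx, SlowUnseal(200*time.Millisecond))
	fmt.Println(ClassifyUnlockError(err), err)
}
```

The wrapper does not make the underlying call cancellable; it only guarantees the caller returns when its deadline passes and that the error says so.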
ExternalVolume has type=nfs defined in the Schema. It is currently
unused and unimplemented, and will fail to provision. Remove it
from the schema, validation and docs, to not confuse the users.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
The QEMU VM launcher's /poweroff HTTP endpoint now accepts an optional grace-period query parameter (Go duration format, e.g. "5m"). When set, it sends an ACPI power button event via the QEMU monitor socket instead of immediately killing the process, allowing the guest OS to shut down cleanly. If the guest does not shut down within the grace period, the process is force-killed as a fallback.
Without the parameter, the behavior is unchanged (immediate kill).
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
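As an added example of the behaviour described above (not the launcher's own code), the following Go snippet parses an optional `grace-period` query parameter in Go duration format, keeps the immediate-kill default when it is absent, and implements the wait-then-force-kill fallback. The `sendACPI`, `exited` and `kill` hooks are hypothetical stand-ins for the QEMU monitor and process handling, which are not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"time"
)

// ErrInvalidGracePeriod is returned when the query parameter is present but unusable.
var ErrInvalidGracePeriod = errors.New("invalid grace-period")

// ParseGracePeriod reads an optional "grace-period" query parameter in Go
// duration format. Absent parameter: (0, false, nil) so the caller keeps the
// immediate-kill behaviour. A present but malformed, zero or negative value is
// rejected rather than silently treated as "no grace".
func ParseGracePeriod(q url.Values) (time.Duration, bool, error) {
	raw := q.Get("grace-period")
	if raw == "" {
		return 0, false, nil
	}
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, false, fmt.Errorf("%w: %v", ErrInvalidGracePeriod, err)
	}
	if d <= 0 {
		return 0, false, fmt.Errorf("%w: must be positive, got %s", ErrInvalidGracePeriod, d)
	}
	return d, true, nil
}

// Action is what the handler decides to do for a request (constructed for the example).
type Action string

const (
	ActionKillNow      Action = "kill"
	ActionACPIThenKill Action = "acpi-then-kill"
	ActionBadRequest   Action = "bad-request"
)

// PlanPoweroff maps a raw query string to the action the endpoint takes.
func PlanPoweroff(rawQuery string) (Action, time.Duration) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ActionBadRequest, 0
	}
	grace, set, err := ParseGracePeriod(q)
	if err != nil {
		return ActionBadRequest, 0
	}
	if !set {
		return ActionKillNow, 0
	}
	return ActionACPIThenKill, grace
}

// ShutdownWithGrace sends the ACPI power-button request, waits up to grace for
// the exited channel to close, and force-kills on timeout. It returns true when
// the guest shut down on its own. sendACPI/kill are hypothetical hooks.
func ShutdownWithGrace(grace time.Duration, sendACPI func() error, exited <-chan struct{}, kill func() error) (bool, error) {
	if err := sendACPI(); err != nil {
		// The monitor request could not be delivered: fall back to a hard kill.
		return false, kill()
	}
	timer := time.NewTimer(grace)
	defer timer.Stop()
	select {
	case <-exited:
		return true, nil
	case <-timer.C:
		return false, kill()
	}
}

func main() {
	action, grace := PlanPoweroff("grace-period=5m")
	fmt.Println(action, grace)
}
```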
Add support for caching all platforms in a multi-platform image index
by passing --platform=all to the images cache-create command.
When all is specified, the index manifest is fetched without platform
resolution, and each platform-specific image is downloaded individually.
Attestation manifests (unknown/unknown) are included.
Include the platform in the fetch log line so each pull is identifiable,
e.g. fetching image "..." (linux/amd64).
Signed-off-by: Kevin Tijssen <kevin.tijssen@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add a test that covers all maintenance APIs in general.
Add a test for transition from SideroLink.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Whitelist services which can access the file socket, refuse other
connections.
Fixes #12701
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Our fixes got merged, and more fixes in the library as well.
Bump grpc library (due to a reported CVE which we are not affected
with).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Drop maintenance service and all the code supporting it directly.
Instead, move all network API termination into the `apid` service, which
can now work in more modes to support maintenance operations as
well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add ErrMissingAPIVersion check in the config document decoder, parallel
to the existing ErrMissingKind. Previously, a typo in the apiVersion key
(e.g. 'apiVerstion') would result in a misleading 'not registered' error
instead of clearly indicating the missing field.
Signed-off-by: Dominik Pitz <pitzdominik@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add RoutingRuleConfig multi-doc config type for management of routing rules.
KubeSpan now uses COSI resources instead of direct kernel management.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Also sync tools, now the kernel is built with LLVM 22.1.
See https://github.com/siderolabs/pkgs/issues/1479 for the context.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This was yet another socket with implicit auth - remove it completely
by reworking the only use case for it - cluster-side health checks.
Now these health checks build a "regular" network Talos API client (as
they work only on controlplane nodes anyway).
Refactor the check for controlplane nodes to use resources instead of
machine config directly (as machine config might not always be present).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
A fixup for #12896
The health check might be running as a reduced privilege role client, so
don't pull the machine config, but instead read a field from a
non-sensitive resource.
As this field doesn't exist in older versions of Talos, the check should
still run by default (as it will be empty).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks up in the image verification process, while the
containerd CRI plugin accesses the same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add new `talosctl install` command using the LifecycleService.Install
streaming API with support for insecure (maintenance) mode and progress
reporting. Refactor `talosctl upgrade` to use the new
LifecycleService.Upgrade streaming API with automatic fallback to the
legacy MachineService.Upgrade path for older Talos versions.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Implement new minimal Install/Upgrade LifecycleService API with streaming
support for real-time progress reporting. Add protobuf definitions, gRPC
service implementation, and client bindings.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
This PR would add the ability to generate a standardized document for trusted roots.
Ran into wanting this with the vsphere provider and I generally feel like we should try
to extend the available standard patches here over time.
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The `talosctl upgrade-k8s` command doesn't support pinning to image digests, but
it should ignore any image digests if they already exist in the
machine configuration.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Drop the old cli-utils based manifest apply logic and replace it with the new fluxcd/pkg/ssa based implementation.
Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>
Since the type was changed to the custom one, merging code can't handle
it correctly, so add an explicit merge method.
```
merge field v1alpha1.Config.ClusterConfig: merge field v1alpha1.ClusterConfig.ProxyConfig: merge field v1alpha1.ProxyConfig.ExtraArgsConfig: merge map key v1alpha1.Args[metrics-bind-address]: merge field v1alpha1.ArgValue.strValue: merge not possible, left $(POD_IP):10249 is not settable
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
There were two issues which prevented this patch from working:
* `CommonLinkConfig` is an embedded struct, so we need to make selector
descend into embedded structs properly
* The previous `reflect.Value.String()` doesn't correctly handle complex
values (like `netip.Prefix`) which have a custom `fmt.Stringer`
See https://github.com/siderolabs/talos/discussions/12848#discussioncomment-15910003
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>