Add RoutingRuleConfig multi-doc config type for management of routing rules.
KubeSpan now uses COSI resources instead of direct kernel management.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Add a multicast option to LinkSpec that can be configured to explicitly declare the state of the multicast flag.
Signed-off-by: Bryan Lee <me@bryanl.ee>
Also expand internal bond configuration to cover missing fields.
They are not going to be exposed in legacy configuration.
Fixes#10960
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
There was a mismatch between how Talos encodes resource specs to
protobuf on the wire, and `.proto` files generated by `structprotogen`
for the same specs.
This only affected `LinkStatus`/`LinkSpec` resources, and it doesn't
affect Talos/Omni as they go via `protoenc`, bypassing `.proto` files.
Also if default proto library is used, it also works correctly.
The only place where it fails is a strict `vtprotobuf` encoding.
Also imports `protoenc` 0.2.4 skipping encoding of zero fields, which
should make COSI responses smaller for resources with lots of zero
fields.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
New multi-doc way to apply static configuration to network links.
Fixes#10957
Also implements related changes:
* new-style auto-DHCP mode - run DHCP as long as there is no new-style
config document
* refactoring of controllers/tests which were touched in this PR
* implemented embedded config structs handling in docgen -> Markdown and
docgen -> JSON schema
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#10992
The plan is detailed in the issue, but tl;dr is to get one big
controller into 4 smaller controllers, each doing its own part of the
work.
Each controller has its own set of tests.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
See https://github.com/jsimonetti/rtnetlink/pull/256
See https://github.com/siderolabs/talos/issues/10696
Support setting address priority, this is important to ensure that the
prefix route has appropriate priority.
For now, we don't have it exposed in the machine config except for the
DHCP4 operator, so now both routes created explicitly by DHCP and routes
created implicitly have same metric/priority:
```
172.20.0.2 network RouteStatus inet4//172.20.0.0/24/1024 1 172.20.0.0/24 enp0s2 1024
172.20.0.2 network RouteStatus inet4/172.20.0.1//1024 1 172.20.0.1 enp0s2 1024
```
Before this change, the first route would have a metric zero.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Support showing current feature state, and changing features on the fly.
The output and interface should be similar to `ethtool`.
We don't support legacy feature names.
```
node: 172.20.0.5
metadata:
namespace: network
type: EthernetStatuses.net.talos.dev
id: enp0s2
version: 2
owner: network.EthernetStatusController
phase: running
created: 2025-02-10T11:40:32Z
updated: 2025-02-10T11:40:32Z
spec:
linkState: true
port: Other
duplex: Unknown
rings:
rx-max: 256
tx-max: 256
rx: 256
tx: 256
tx-push: false
rx-push: false
features:
tx-scatter-gather: on
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: on
tx-checksum-ipv6: off [fixed]
highdma: on [fixed]
tx-scatter-gather-fraglist: off [fixed]
tx-vlan-hw-insert: off [fixed]
rx-vlan-hw-parse: off [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-generic-segmentation: on
rx-gro: on
rx-lro: off [fixed]
tx-tcp-segmentation: on
tx-gso-robust: on [fixed]
tx-tcp-ecn-segmentation: on
tx-tcp-mangleid-segmentation: off
tx-tcp6-segmentation: on
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-gre-csum-segmentation: off [fixed]
tx-ipxip4-segmentation: off [fixed]
tx-ipxip6-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-udp_tnl-csum-segmentation: off [fixed]
tx-gso-partial: off [fixed]
tx-tunnel-remcsum-segmentation: off [fixed]
tx-sctp-segmentation: off [fixed]
tx-esp-segmentation: off [fixed]
tx-udp-segmentation: off
tx-gso-list: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
rx-ntuple-filter: off [fixed]
rx-hashing: off [fixed]
rx-checksum: on [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]
rx-udp_tunnel-port-offload: off [fixed]
tls-hw-tx-offload: off [fixed]
tls-hw-rx-offload: off [fixed]
rx-gro-hw: on
tls-hw-record: off [fixed]
rx-gro-list: off
macsec-hw-offload: off [fixed]
rx-udp-gro-forwarding: off
hsr-tag-ins-offload: off [fixed]
hsr-tag-rm-offload: off [fixed]
hsr-fwd-offload: off [fixed]
hsr-dup-offload: off [fixed]
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
At the moment, we don't use/support aliases, but we might in the future.
Altnames are filled out by `systemd-udevd`.
This PR has two parts:
* show aliases & altnames in `LinkStatus`
* match links by aliases/altnames when we configure
addresses/routes/links
This should make a transition to `systemd-udevd` less painful if the
previous link name is in `altNames`.
Forked rtnetlink for https://github.com/jsimonetti/rtnetlink/pull/241
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
New config field `machine.network.searchDomains` supports specifying custom search domains.
For the node it will look something like this:
```
nameserver 127.0.0.53
search my-custom-search-name.com my-custom-search-name2.com
```
For the pods it will look something like this:
```
search default.svc.cluster.local svc.cluster.local cluster.local my-custom-search-name.com my-custom-search-name2.com
nameserver 10.96.0.10
options ndots:5
```
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Allow putting a device into a bridge from device configuration.
Signed-off-by: Joakim Nohlgård <joakim@nohlgard.se>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This option must be defined at the proto level in order to have an
import path that is reasonably usable
Signed-off-by: Eddie Zaneski <eddiezane@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This PR adds the support for CoreDNS forwarding to host DNS. We try to bind on 9th address on the first element from
`serviceSubnets` and create a simple service so k8s will not attempt to rebind it.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Co-authored-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This PR adds a new controller - `DNSServerController` that starts tcp and udp dns servers locally. Just like `EtcFileController` it monitors `ResolverStatusType` and updates the list of destinations from there.
Most of the caching logic is in our "lobotomized" "`CoreDNS` fork. We need this fork because default `CoreDNS` carries
full Caddy server and various other modules that we don't need in Talos. On our side we implement
random selection of the actual dns and request forwarding.
Closes#7693
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
We already have the code which supports custom enums, so let's extend it to support custom enums in slices and
fix the NfTablesConntrackStateMatch proto definition.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Many changes to the nftables backend which will be used in the follow-up
PR with #4421.
1. Add support for chain policy: drop/accept.
2. Properly handle match on all IPs in the set (`0.0.0.0/0` like).
3. Implement conntrack state matching.
4. Implement multiple ifname matching in a single rule.
5. Implement anonymous counters.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Implement initial set of backend controllers/resources to handle
nftables chains/rules etc.
Replace the KubeSpan nftables operations with controller-based.
See #4421
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Network probes are configured with the specs, and provide their output
as a status.
At the moment only platform code can configure network probes.
If any network probes are configured, they affect network.Status
'Connectivity' flag.
Example, create the probe:
```
talosctl -n 172.20.0.3 meta write 0xa '{"probes": [{"interval": "1s", "tcp": {"endpoint": "google.com:80", "timeout": "10s"}}]}'
```
Watch probe status:
```
$ talosctl -n 172.20.0.3 get probe
NODE NAMESPACE TYPE ID VERSION SUCCESS
172.20.0.3 network ProbeStatus tcp:google.com:80 5 true
```
With failing probes:
```
$ talosctl -n 172.20.0.3 get probe
NODE NAMESPACE TYPE ID VERSION SUCCESS
172.20.0.3 network ProbeStatus tcp:google.com:80 4 true
172.20.0.3 network ProbeStatus tcp:google.com:81 1 false
$ talosctl -n 172.20.0.3 get networkstatus
NODE NAMESPACE TYPE ID VERSION ADDRESS CONNECTIVITY HOSTNAME ETC
172.20.0.3 network NetworkStatus status 5 true true true true
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This adds support for automatically registering node hostnames in DNS by
sending the current hostname to DHCP via option 12. If the current hostname is
updated, issue a new DISCOVER to propagate the update to DHCP (updating the
hostname on lease renewals is not universally supported by DHCP servers). This
addition maintains the previous functionality where the node can also request
its hostname from the DHCP server. The received hostname will be processed and
prioritized as usual by the `network.HostnameSpecController`.
This change set also contains fixes to make DHCP renewals compliant with RFC
2131, specifically avoiding sending the server identifier and requested IP
address when issuing renewals using a previous offer. This also uncovered
issues and missing features in the upstream `insomniacslk/dhcp` library, the
fixes and improvements for which are now finally merged.
Sending hostname updates have been tested against `dnsmasq` and the built-in
DHCP + DNS services in Windows Server. Hostname retrieval from DHCP and edge
cases with overridden hostnames from different configuration layers have been
extensively tested against `dnsmasq`.
Signed-off-by: Dennis Marttinen <twelho@welho.tech>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
There's a cyclic dependency on siderolink library which imports talos
machinery back. We will fix that after we get talos pushed under a new
name.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Introduce new DHCP operator option to skip hostname request/response,
and use that in OpenStack platform.
OpenStack configures interface with DHCP, while providing dummy hostname
over DHCP and proper hostname over metadata. As operators override
platform settings, DHCP hostname takes over OpenStack hostname. As a
fix, ignore DHCP hostname while on OpenStack.
Fixes#6350
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Permanent address is only available for physical links, and it might be
different from the 'hardware address': when bonding, 'hardware address'
gets overridden from the bond master, while 'permanent address' still
shows MAC of the interface.
This part of the fix for incorrect bonding issue on Equinix Metal.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit adds structprotogen tool which is used to generate proto file from Go structs.
Closes#6078.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
