During removal of encryption key, we logged slot of current key instead of the removed key.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
(cherry picked from commit be58eafaba98bb7b1bcd20ac1ed8f8b03734c7e0)
Allow to set build NAME on build, propagate it down to more consumers.
Expose name in `Version` resource, and use that in the dashboard
next to Talos version.
Fix some places where `Name` was hardcoded.
Propagate Name down to UKI build.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 968ec1e0ca26eb1f0de0836e0a55df09dea7dafe)
When decompressing extensions, we might not be able to set xattrs (e.g.
running rootless), so instead of setting xattrs, save them in memory and
push to mksquashfs as pseudo definitions.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit d697f5538a7a624a1ac7bafdfebc67dd9418c434)
Fixes #12933
There are many usecases for this:
* exploring resources and state of the system, learning available
resources
* when a Talos machine is booted up in an environment without network
access, learning all available network interfaces, all disks
available, etc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 5e24d5265bde9adee92c02e675140de87ee126bf)
Fixes #13056
The TPM unseal operation doesn't respect the context, and we had 10
second timeout for the whole key unlock operation.
So there might be a case when a "slow" TPM unseal runs for more than 10
seconds, and by the time TPM unseal is done, context timeout already
passed, so a somewhat wrong message pops in, as the rate limiter is
configured with any limit, but it fails due to the fact that the context
got canceled (but it would have failed later anyways doing the actual
resource operation).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 087ced85f5130656cbc647c2e4d838cab3ff1737)
Whitelist services which can access the file socket, refuse other
connections.
Fixes #12701
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 038cb87354eea1c1ff4612bdd13d1e77e595955a)
Trade some imports, bump some modules, net result is killing lots of
transitive dependencies which were getting into the build.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pseudo late mount points (`/system`, `/run` and `/system`) were consistently failing to unmount.
While reaching this unmount sequence, we should already have unmounted any children.
However, if those are not unmounted, we should log what we are unmounting and unmount them recursively.
Fixes #12974
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Attempt to fix intermittent issue with images being pulled with the
wrong platform for multi-platform images.
The Claude did the analysis, and I think the root cause is that the
`DefaultSpec()` we used causes the match to include `variant` which is
e.g. `v8` for arm64, while if the image doesn't declare the exact
variant, it might skip filtering and pick up the first layer which is
amd64.
It is still not clear why exactly it is intermittent this way.
But this change aligns it more closely with the way containerd pulls, so
should be good to go.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks up in the image verification process, while
containerd CRI plugin accesses same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Implement new minimal Install/Upgrade LifecycleService API with streaming
support for real-time progress reporting. Add protobuf definitions, gRPC
service implementation, and client bindings.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Allow mouse input, this already works in Table component (process list).
We have a custom footer, which is not a set of buttons, so instead add a
custom handler, so that nodes & screens in the footer are clickable now.
No changes for the way it looks.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use the library built for tview, so that we don't have to have two UI
libraries working in parallel in the same TUI.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Via tools/pkgs, also pulling in Clang-built Linux
Update go.mod dependencies
Fix linter errors with new golangci-lint, modernize, use new()
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pulls in KMS with logging, and adds more logging to Talos.
This allows to debug encryption problems better.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add advertisedNetworks filter to KubeSpan configuration that allows
filtering which additional networks (e.g., pod CIDRs) are advertised
over KubeSpan when advertiseKubernetesNetworks is enabled.
Signed-off-by: Daniil Kivenko <daniil.kivenko@p2p.org>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also allow the system containerd to execute igzip, which is essential
for pulling images
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
This implements a way to run a debug container with a provided image on
the node.
The container runs with privileged profile, allowing to issue debugging
commands (e.g. using some advanced network tools) to troubleshoot a
machine.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add DisableAccessTime and Secure mount options for existing volumes.
DisableAccessTime adds noatime parameter to disable access time updates.
Secure adds nosuid and nodev parameters for security (defaults to true).
Add integration tests for both options.
Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
These new APIs only support one2one proxying, so they don't have any
hacks, and look like regular gRPC APIs.
Old APIs are deprecated, but still supported.
Implement client-side multiplexing in `talosctl`, provide fallback to
old APIs for legacy Talos versions.
New APIs include removing an image, importing an image.
Extracted from #12392
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
I got a failure when dual-boot image refuses to format EPHEMERAL
partition where `EFI` partition used to be (VFAT).
So until we have a resolution, do this workaround.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This reports image pull progress in the console for images pulled by
Talos:
* etcd
* kubelet
* installer
This work was mostly done by @laurazard, I just wrapped it for the
console with Laura's help. (see #12932)
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Populate endpoint coming from the Kubernetes controlplane endpoint with
the hostname (if the endpoint is a hostname).
This should improve cases when hostname is used for the endpoint in
terms of SNI, proper resolving of DNS if it's dynamic.
See https://github.com/siderolabs/talos/pull/12556#issuecomment-3755862314
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #12491
In (almost) all places we previously used `FastWipe`, use instead a
helper which will try to discover filesystem/partition signatures, and
wipe them.
This fixes the issue when a partition re-created in the same place might
already hit a scenario when the "old" filesystem is discovered in the
same place.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use literal IP address instead of `localhost` to make `kube-apiserver`
connect to etcd member instead of relying on IPv4/IPv6 resolving of
`localhost`.
Simplify configuration for listening on 127.0.0.1 only, generate cert
SANs unconditionally for etcd loopback IPs.
Fixes #12542
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
If system services including kubelet/CRI start using swap, it might lead
to extreme performance degradation.
Disable swap for all system services except for dashboard (which is not
critical).
```
NAME SwapCurrent SwapPeak SwapHigh SwapMax ZswapCurrent ZswapMax ZswapWriteback
. unset unset unset unset unset unset 1
├──init 0 B 0 B max 0 B 0 B max 1
├──podruntime 0 B 0 B max max 0 B max 1
│ ├──etcd 0 B 0 B max 0 B 0 B max 1
│ ├──kubelet 0 B 0 B max 0 B 0 B max 1
│ └──runtime 0 B 0 B max 0 B 0 B max 1
└──system 0 B 0 B max max 0 B max 1
├──apid 0 B 0 B max 0 B 0 B max 1
├──dashboard 0 B 0 B max max 0 B max 1
├──runtime 0 B 0 B max 0 B 0 B max 1
├──trustd 0 B 0 B max 0 B 0 B max 1
```
Refactor etcd cgroup to use same common pattern while keeping same
settings (but limit swap).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The interactive installer has been deprecated since v1.12 cycle,
now removed completely including the API method.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also changes the bootloader interface.
Disks are formatted/created with pre-populated source directories in Install/Image mode.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Support creating filesystems from `SourceDirectory`, this implies partitions can have the data populated when formatted.
ImageCache handling is now using `SourceDirectory` while formatting simplifying the code.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add a test for this case
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It should help airgapped switch NTP servers on machine config change
while being stuck resolving unresolvable default endpoint.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
When resetting+wiping system partitions (`talosctl reset
--system-labels-to-wipe ...`), also drop partitions. This enables
usecases such as relocating EPHEMERAL, etc. with a new machine
config.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Fixes #10963
Also hides/deprecates `.machine.network.interfaces`, as every piece of
it is now available as proper multi-doc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It only applies to Talos pulling images, not CRI-initiated pulls.
This is more of an experiment to fight a random issue when a wrong platform
image is pulled (specifically on arm64 platform accidentally pulling
amd64 image).
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Update COSI, and stop using a fork of `gopkg.in/yaml.v3`, now we use the new
supported fork of this library.
Drop `MarshalYAMLBytes` for the machine config, as we actually marshal
config as a string, and we don't need this at all.
Make `talosctl` stop doing hacks on machine config for newer Talos, keep
hacks for backwards compatibility.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use cmdline from the UKI in Talos 1.12+ by default for new installs.
This brings GRUB in line with systemd-boot vs. cmdline behavior.
Fixes #12019
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>