Support disabling kernel module signature verification.
Note that this does not work when SecureBoot is enabled.
Fixes: #11989
Signed-off-by: Noel Georgi <git@frezbo.dev>
New multi-doc way to apply static configuration to network links.
Fixes #10957
Also implements related changes:
* new-style auto-DHCP mode - run DHCP as long as there is no new-style
config document
* refactoring of controllers/tests which were touched in this PR
* implemented embedded config structs handling in docgen -> Markdown and
docgen -> JSON schema
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
One issue is with the update hostname tests, which run against the Talos v1.11
machine config, which contains legacy fields that need to be removed.
Another is an attempt to refactor apply-try tests.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
We test for labels immediately after volume status is ready, but we
should instead wait a bit for labels to be discovered.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #11780
Couple of changes:
* clear connection refused before apply config with reboot (no-op CRI
patch test)
* improve log output in volume tests
* drop locking in vgcreate, as it seems to conflict with background disk
scans (by Talos or udevd)
Co-authored-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #10953
This is the very first migrated document. I picked up a very simple
configuration document to build some initial idea of how we handle
migration of the config documents to the new format.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
See 4b840414be for more information.
Talos versions prior to 1.12 locked to PCR 7 state and PCR 11 for signed policies.
For backwards compatibility, newer installs will still default to PCR 7 state. Locking to PCR 7 can be disabled by passing an empty list.
Fixes: #10677
Signed-off-by: Noel Georgi <git@frezbo.dev>
Move stuff into `tools/go.mod`.
Also fix linting issues on the way (updating golangci-lint).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Deprecate/hide old v1alpha1 disk encryption config, and move to
unified approach via `VolumeConfig` resource.
Allow only encryption configuration for `STATE` (for now).
Fixes #10749
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add more NVIDIA tests covering all supported OSS and Proprietary LTS and Production driver versions.
Fixes: #11398
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #11153
The idea is to allow mounting existing partitions on a Talos machine so
that they are available for workloads.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
ReferenceCount is a more common name, so replacing Instances will
provide better UX and will match online resources.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
A minor change to validation of LoadedKernelModules (Instances field).
This field should be non-negative; zero should be treated as a correct
value.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Make the setup phase of the test a bit more consistent - wait for the
machine to be ready, connection refused to be cleared (after reboots).
This doesn't change anything in the tests themselves, but hopefully
should reduce the number of flakes like: https://github.com/siderolabs/talos/actions/runs/15895820994/job/44827039818
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Zswap allows compressing pages in memory before they hit the actual swap
device.
Both swap and zswap (or either one of these) can be enabled.
Fixes #10675
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #10674
Provide a way to see current swap status, configure additional swap
devices (block) and de-configure them on the fly.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Instead of relying on the fact that CRI patch should modify the
generated final CRI config, rely on the specific checksum of the CRI
patch to be included into the generated CRI config.
This also resolves Talos hanging on boot when a CRI patch is a no-op
(it doesn't change the generated config).
Fixes #11132
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The Linux kernel has the following policy:
* initial bridge MAC is random
* if the bridge MAC is not set explicitly by userspace,
bridge MAC is the smallest MAC address of all ports
But systemd-udevd which we use started to assign "stable" MACs to bridge
interfaces (when they are created), which Linux kernel treats as
userspace explicitly set, so the bridge no longer gets an automatic MAC
of the ports.
This is a breaking change, so we need to revert it.
Fixes #10884
Fixes #11011
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
In maintenance mode, we still accept any config.
Fixes #10897
As "normal" mode requires v1alpha1 config today, it should be an easy
fix to require it as part of the applied config always.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It seems that the integration test introduced in
https://github.com/siderolabs/talos/pull/10792 is causing some
unintended side effects in kube-apiserver -> kubelet communication (most
probably around the TLS certificate?).
Instead of assigning dummy external IP, create a dummy link.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The bug was with incorrect condition: if `activeNetworkConfig` was ever
set to non-nil value, it was stuck with this value forever, despite new
network config being available with `networkConfig`.
In `talosctl dashboard` case, Talos `metal` platform always reports
initial data (before META is available) which doesn't have any network
config, but later on sends updates (if something updates META), so this
bug leads to Talos being stuck with initial empty network config.
Fixes #10787
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
User volumes are identified by a short name which serves both
as a `/var/mnt` mount point and a partition label.
User volumes can be added and removed on the fly, and they are
automatically propagated into the `kubelet` mount namespace.
Also deprecate `.machine.disks`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Make sure a privileged pod cannot violate some of the important security rules enforced by SELinux.
Fixes #10615
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>