Drop maintenance service and all the code supporting it directly.
Instead, move all network API termination into the `apid` service, which
can now work in more modes to support maintenance operations as
well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks up in the image verification process, while the
containerd CRI plugin accesses the same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Via tools/pkgs, also pulling in Clang-built Linux
Update go.mod dependencies
Fix linter errors with new golangci-lint, modernize, use new()
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This was missed when adding the riscv64 build for talosctl, thus the
artifact for this arch is missing from the 1.12.0-beta.0 release.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
- Add d_* PSI derivative values to the trigger expression context
- Only trigger OOM action while PSI is rising
- Make OOM test fail if controller kills a cgroup without stress-ng
- Wait for stress-mem to terminate before proceeding with the next tests
- Skip OOM test when running with race detector
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
CoreDNS 1.13.0
Linux 6.17.4
Other go.mod dependencies, tools, Helm charts used in tests, etc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add new `--airgapped` flag to talos cluster create (qemu)
to disable NAT in the VMs to effectively become airgapped.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Otherwise we push latest from `release-*` branches which makes it
confusing and broken, as it jumps between versions.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This pulls in Linux 6.17.3, Tenstorrent 2.4.1 and NVIDIA LTS 580.95.05.
Also update calico canal manifest for tests to support running without
iptables-legacy
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Most of the work is to add proper test environment for more cases.
Include a test for pulling an image
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Instead of building images, fetch them from image factory to ensure
proper schematic is used for including default extensions.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
See 4b840414be for more information.
Talos versions prior to 1.12 locked to PCR 7 state and PCR 11 for signed policies.
In order to maintain backwards compatibility, newer installs will still default to PCR 7 state. Locking to PCR 7 can be disabled by passing an empty list.
Fixes: #10677
Signed-off-by: Noel Georgi <git@frezbo.dev>
Update xz to v0.5.15 which has a fix for 32-bit build.
This reverts commit cfef3ad4544498a47de17f6b05fb8374c35e3dd8.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Today `integration/aws` triggers all NVIDIA tests, so there is no way to
run just AWS without NVIDIA.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add more NVIDIA tests covering all supported OSS and Proprietary LTS and Production driver versions.
Fixes: #11398
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add a CI job to build the current VEX file and scan SBOM.
This should enable automatic detection of new vulnerabilities once
information on them becomes available.
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
SBOMs from /usr/local/share/spdx will now also be read, this is to be
used by system extensions. Add a sample for testing this feature.
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>