Whitelist services which can access the file socket, refuse other
connections.
Fixes #12701
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 038cb87354eea1c1ff4612bdd13d1e77e595955a)
Drop maintenance service and all the code supporting it directly.
Instead, move all network API termination into the `apid` service, which
can now work in more modes to support maintenance operations as
well.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add RoutingRuleConfig multi-doc config type for management of routing rules.
KubeSpan now uses COSI resources instead of direct kernel management.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
A fixup for #12896
The health check might be running as a reduced privilege role client, so
don't pull the machine config, but instead read a field from a
non-sensitive resource.
As this field doesn't exist in older versions of Talos, the check should
still run by default (as it will be empty).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks into the image verification process, while the
containerd CRI plugin accesses the same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
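As an added illustration of the top-down rule matching and static-key verification described in this commit message (example code, not Talos's own implementation; the `Rule` shape, prefix matching, and the ECDSA-over-digest scheme are assumptions standing in for the real cosign-based claims):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Rule is one entry of an ordered image verification policy. The pattern is
// matched as a prefix of the image reference; rules are tried top-down and
// the first match wins. A nil Key is an explicit "allow without signature"
// rule. This shape is an assumption for the example, not the Talos config.
type Rule struct {
	Pattern string
	Key     *ecdsa.PublicKey
}

// matchRule returns the first rule whose pattern prefixes ref.
func matchRule(rules []Rule, ref string) (Rule, bool) {
	for _, r := range rules {
		if strings.HasPrefix(ref, r.Pattern) {
			return r, true
		}
	}
	return Rule{}, false
}

// SignDigest signs the resolved digest (not the mutable tag) with a static
// key, so that re-tagging an image cannot reuse the signature.
func SignDigest(priv *ecdsa.PrivateKey, digest string) ([]byte, error) {
	h := sha256.Sum256([]byte(digest))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyImage checks ref against the policy. digest must already be resolved
// (the registry lookup is out of scope here). No matching rule fails closed.
func VerifyImage(rules []Rule, ref, digest string, sig []byte) error {
	if !strings.HasPrefix(digest, "sha256:") {
		return errors.New("digest must be resolved before verification")
	}
	r, ok := matchRule(rules, ref)
	if !ok {
		return fmt.Errorf("no policy rule matches %q: denied", ref)
	}
	if r.Key == nil {
		return nil
	}
	h := sha256.Sum256([]byte(digest))
	if !ecdsa.VerifyASN1(r.Key, h[:], sig) {
		return fmt.Errorf("signature for %s does not verify under rule %q", digest, r.Pattern)
	}
	return nil
}

// Demo walks through the allow, deny and wrong-key cases with a fresh key pair
// and constructed references; it returns nil when all of them behave as expected.
func Demo() error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	// Order matters: the specific signed rule must come before the broad allow.
	rules := []Rule{
		{Pattern: "registry.example.com/infra/", Key: &priv.PublicKey},
		{Pattern: "registry.example.com/"}, // anything else in this registry: unsigned OK
	}
	const digest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
	sig, err := SignDigest(priv, digest)
	if err != nil {
		return err
	}
	if err := VerifyImage(rules, "registry.example.com/infra/app:v1", digest, sig); err != nil {
		return fmt.Errorf("valid signature rejected: %w", err)
	}
	if err := VerifyImage(rules, "registry.example.com/public/tool:latest", digest, nil); err != nil {
		return fmt.Errorf("broad allow rule rejected: %w", err)
	}
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	badSig, _ := SignDigest(other, digest)
	if VerifyImage(rules, "registry.example.com/infra/app:v1", digest, badSig) == nil {
		return errors.New("signature from the wrong key accepted")
	}
	if VerifyImage(rules, "docker.io/library/alpine:3", digest, sig) == nil {
		return errors.New("reference outside the policy was not denied")
	}
	return nil
}

func main() {
	if err := Demo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("policy behaves as expected")
}
```

Swapping the two rules would let an unsigned `infra/` image through the broad allow, which is why the rule list is evaluated top-down and why the signature is bound to the digest rather than the tag.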
Add advertisedNetworks filter to KubeSpan configuration that allows
filtering which additional networks (e.g., pod CIDRs) are advertised
over KubeSpan when advertiseKubernetesNetworks is enabled.
Signed-off-by: Daniil Kivenko <daniil.kivenko@p2p.org>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add DisableAccessTime and Secure mount options for existing volumes.
DisableAccessTime adds noatime parameter to disable access time updates.
Secure adds nosuid and nodev parameters for security (defaults to true).
Add integration tests for both options.
Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
This commit changes the way kubespan gets the podCIDR to advertise when
`advertiseKubernetesNetworks` is enabled. Before, it used the interface
address, but some CNIs (such as Cilium in NativeRouting) only set a
single /32 IP to a single interface (`cilium_host` in cilium's case).
This adds the `v1.Node`'s `.spec.podCIDRs` array to the `k8s.NodeStatus`
object and uses this to advertise the kubernetes network.
Signed-off-by: Florian Ströger <stroeger@youniqx.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
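An added example covering both the `advertisedNetworks` filter above and the pod CIDRs taken from the node spec (example code written for this page, not KubeSpan's implementation; the sample CIDRs, the "empty allow list means advertise everything" rule, and the function names are assumptions):

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed input standing in for a v1.Node's .spec.podCIDRs on a
// dual-stack node, plus the kind of /32 a CNI puts on its host interface.
// All names and values are assumptions for the example.
var nodePodCIDRs = []string{"10.244.3.0/24", "fd00:10:244::3:0/112", "10.0.0.1/32"}

// parsePrefixes parses and normalises CIDRs, rejecting malformed entries
// instead of silently dropping them.
func parsePrefixes(in []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(in))
	for _, s := range in {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", s, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// covers reports whether outer fully contains inner: same address family,
// inner at least as specific, and inner's network address inside outer.
func covers(outer, inner netip.Prefix) bool {
	return outer.Addr().Is4() == inner.Addr().Is4() &&
		inner.Bits() >= outer.Bits() &&
		outer.Contains(inner.Addr())
}

// FilterAdvertised keeps the networks that fall inside at least one allowed
// prefix. An empty allow list means "advertise everything" (assumed here).
func FilterAdvertised(networks, allowed []netip.Prefix) []netip.Prefix {
	if len(allowed) == 0 {
		return networks
	}
	out := []netip.Prefix{}
	for _, n := range networks {
		for _, a := range allowed {
			if covers(a, n) {
				out = append(out, n)
				break
			}
		}
	}
	return out
}

// AdvertisedFor wires the two steps together for string inputs.
func AdvertisedFor(podCIDRs, allowed []string) ([]string, error) {
	nets, err := parsePrefixes(podCIDRs)
	if err != nil {
		return nil, err
	}
	allow, err := parsePrefixes(allowed)
	if err != nil {
		return nil, err
	}
	out := []string{}
	for _, p := range FilterAdvertised(nets, allow) {
		out = append(out, p.String())
	}
	return out, nil
}

func main() {
	got, err := AdvertisedFor(nodePodCIDRs, []string{"10.244.0.0/16", "fd00:10:244::/96"})
	fmt.Println(got, err)
}
```

The family check in `covers` matters on dual-stack nodes: `netip.Prefix.Contains` already refuses to match an IPv4 address against an IPv6 prefix, but the explicit check also keeps a broad `::/0` from accidentally admitting nothing or everything depending on how the CIDR was written.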
Add support for negative max size values in volume configuration.
Negative max size represents the amount of space to be left free on the device, rather than the size the volume should consume.
For example, a max size of "-10GiB" means the volume can grow to the device size minus 10GiB.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
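An added example of the negative max-size semantics, written for this page rather than taken from Talos (the size parser, its unit table, and the clamp/error behaviour are assumptions):

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Binary units accepted by the parser. Assumed for the example.
var units = map[string]int64{
	"B": 1, "KiB": 1 << 10, "MiB": 1 << 20, "GiB": 1 << 30, "TiB": 1 << 40,
}

// ParseSize parses strings like "10GiB" or "-10GiB" into a signed byte count.
func ParseSize(s string) (int64, error) {
	s = strings.TrimSpace(s)
	if s == "" {
		return 0, errors.New("empty size")
	}
	neg := false
	if s[0] == '-' {
		neg = true
		s = s[1:]
	}
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	if i == 0 {
		return 0, fmt.Errorf("no digits in %q", s)
	}
	n, err := strconv.ParseInt(s[:i], 10, 64)
	if err != nil {
		return 0, err
	}
	unit := s[i:]
	if unit == "" {
		unit = "B"
	}
	mult, ok := units[unit]
	if !ok {
		return 0, fmt.Errorf("unknown unit %q", unit)
	}
	if n > math.MaxInt64/mult {
		return 0, errors.New("size overflows int64")
	}
	v := n * mult
	if neg {
		v = -v
	}
	return v, nil
}

// ResolveMaxSize turns a signed max size into an absolute byte limit for a
// device of deviceSize bytes. A negative value means "leave this much free";
// a positive value larger than the device is clamped to the device size.
func ResolveMaxSize(spec string, deviceSize int64) (int64, error) {
	v, err := ParseSize(spec)
	if err != nil {
		return 0, err
	}
	if v >= 0 {
		if v > deviceSize {
			return deviceSize, nil
		}
		return v, nil
	}
	reserve := -v
	if reserve >= deviceSize {
		return 0, fmt.Errorf("reserve of %d bytes leaves no room on a %d byte device", reserve, deviceSize)
	}
	return deviceSize - reserve, nil
}

func main() {
	limit, err := ResolveMaxSize("-10GiB", 100<<30)
	fmt.Println(limit, err)
}
```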
BREAKING: internal resources for the components use a different
representation of ExtraArgs, resulting in modified types in protocol
buffers.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
Populate the endpoint coming from the Kubernetes controlplane endpoint with
the hostname (if the endpoint is a hostname).
This should improve cases where a hostname is used for the endpoint, in
terms of SNI and proper DNS resolution if it's dynamic.
See https://github.com/siderolabs/talos/pull/12556#issuecomment-3755862314
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add a multicast option to LinkSpec that can be configured to explicitly declare the state of the multicast flag.
Signed-off-by: Bryan Lee <me@bryanl.ee>
Don't guess based on the volume type, but use explicit fields for
different locators.
IMAGECACHE-ISO is a disk volume, but uses the full volume locator (by
filesystem type, etc.)
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also expand internal bond configuration to cover missing fields.
They are not going to be exposed in legacy configuration.
Fixes #10960
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
- Improve docs
- Disable OOM controller in container mode
- Log OOM events
- Add an integration test verifying the system can sustain an OOM event
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Support disabling kernel module signature verification.
Note that this does not work when SecureBoot is enabled.
Fixes: #11989
Signed-off-by: Noel Georgi <git@frezbo.dev>
There was a mismatch between how Talos encodes resource specs to
protobuf on the wire, and `.proto` files generated by `structprotogen`
for the same specs.
This only affected `LinkStatus`/`LinkSpec` resources, and it doesn't
affect Talos/Omni as they go via `protoenc`, bypassing `.proto` files.
If the default proto library is used, it also works correctly.
The only place where it fails is a strict `vtprotobuf` encoding.
Also imports `protoenc` 0.2.4, which skips encoding of zero fields and
should make COSI responses smaller for resources with lots of zero
fields.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
These features don't make any sense right now, so remove them from the
machine config to reduce clutter.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The OOM controller helps mitigate out-of-memory conditions by monitoring PSI,
selecting and killing cgroups to free up memory when RAM is near full.
Add config document and tests.
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
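An added example of the two mechanics this commit message names, parsing PSI and picking a cgroup to reclaim from (example code for this page, not the Talos OOM controller; the sample `/proc/pressure/memory` text, the cgroup list, the 10-second "full" threshold and the largest-unprotected-cgroup policy are all assumptions):

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Window is one line ("some" or "full") of /proc/pressure/memory.
type Window struct {
	Avg10, Avg60, Avg300 float64 // percent of time stalled over the window
	Total                uint64  // cumulative stall time in microseconds
}

// PSI is the parsed memory pressure file.
type PSI struct {
	Some, Full Window
}

// Constructed sample of /proc/pressure/memory under heavy pressure.
const samplePSI = `some avg10=12.40 avg60=4.11 avg300=1.02 total=8123456
full avg10=6.75 avg60=2.03 avg300=0.51 total=3911234
`

func parseWindow(fields []string) (Window, error) {
	want := [4]string{"avg10", "avg60", "avg300", "total"}
	var w Window
	if len(fields) != 4 {
		return w, fmt.Errorf("expected 4 key=value fields, got %d", len(fields))
	}
	for i, f := range fields {
		k, v, ok := strings.Cut(f, "=")
		if !ok || k != want[i] {
			return w, fmt.Errorf("unexpected field %q", f)
		}
		var err error
		switch i {
		case 0:
			w.Avg10, err = strconv.ParseFloat(v, 64)
		case 1:
			w.Avg60, err = strconv.ParseFloat(v, 64)
		case 2:
			w.Avg300, err = strconv.ParseFloat(v, 64)
		case 3:
			w.Total, err = strconv.ParseUint(v, 10, 64)
		}
		if err != nil {
			return w, fmt.Errorf("field %q: %w", f, err)
		}
	}
	return w, nil
}

// ParsePSI parses the text of /proc/pressure/memory (or a cgroup's
// memory.pressure), requiring both the "some" and "full" lines.
func ParsePSI(text string) (PSI, error) {
	var p PSI
	seen := map[string]bool{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		w, err := parseWindow(f[1:])
		if err != nil {
			return PSI{}, fmt.Errorf("line %q: %w", line, err)
		}
		switch f[0] {
		case "some":
			p.Some = w
		case "full":
			p.Full = w
		default:
			return PSI{}, fmt.Errorf("unknown PSI line type %q", f[0])
		}
		seen[f[0]] = true
	}
	if !seen["some"] || !seen["full"] {
		return PSI{}, errors.New("missing some/full line")
	}
	return p, nil
}

// Cgroup is a constructed view of a candidate cgroup.
type Cgroup struct {
	Path          string
	MemoryCurrent uint64 // bytes, as read from memory.current
	Protected     bool   // never a victim (e.g. system services)
}

// SelectVictim returns the unprotected cgroup using the most memory once the
// "full" 10-second stall average crosses threshold, or "" when no action is
// needed. The policy is an assumption for the example, not the Talos one.
func SelectVictim(p PSI, threshold float64, groups []Cgroup) string {
	if p.Full.Avg10 < threshold {
		return ""
	}
	victim, most := "", uint64(0)
	for _, g := range groups {
		if g.Protected || g.MemoryCurrent <= most {
			continue
		}
		victim, most = g.Path, g.MemoryCurrent
	}
	return victim
}

var sampleGroups = []Cgroup{
	{Path: "/system/apid", MemoryCurrent: 64 << 20, Protected: true},
	{Path: "/kubepods/burstable/pod-a", MemoryCurrent: 3 << 30},
	{Path: "/kubepods/besteffort/pod-b", MemoryCurrent: 512 << 20},
}

func main() {
	p, err := ParsePSI(samplePSI)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("full avg10=%.2f%% -> victim %q\n", p.Full.Avg10, SelectVictim(p, 5.0, sampleGroups))
}
```

Keying the decision on the "full" line rather than "some" is deliberate: "some" rises whenever any task stalls on memory, while "full" means every non-idle task is stalled, which is the state an OOM controller wants to get out of before the kernel's own OOM killer picks a victim.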
New multi-doc way to apply static configuration to network links.
Fixes #10957
Also implements related changes:
* new-style auto-DHCP mode - run DHCP as long as there is no new-style
config document
* refactoring of controllers/tests which were touched in this PR
* implemented embedded config structs handling in docgen -> Markdown and
docgen -> JSON schema
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
See 4b840414be for more information.
Talos versions prior to 1.12 locked to PCR 7 state and PCR 11 for signed policies.
In order to keep backwards compatibility, newer installs will still default to PCR 7 state. Locking to PCR 7 can be disabled by passing an empty list.
Fixes: #10677
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #10992
The plan is detailed in the issue, but tl;dr is to get one big
controller into 4 smaller controllers, each doing its own part of the
work.
Each controller has its own set of tests.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
SBOMs from /usr/local/share/spdx will now also be read; this is to be
used by system extensions. Add a sample for testing this feature.
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
ReferenceCount is a more common name, so replacing Instances will
provide better UX and will match online resources.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Zswap allows compressing pages in memory before they hit the actual swap
device.
Both swap and zswap (or either one of these) can be enabled.
Fixes #10675
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #10674
Provide a way to see current swap status, configure additional swap
devices (block) and de-configure them on the fly.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
See https://github.com/jsimonetti/rtnetlink/pull/256
See https://github.com/siderolabs/talos/issues/10696
Support setting address priority, this is important to ensure that the
prefix route has appropriate priority.
For now, we don't have it exposed in the machine config except for the
DHCP4 operator, so now both routes created explicitly by DHCP and routes
created implicitly have the same metric/priority:
```
172.20.0.2 network RouteStatus inet4//172.20.0.0/24/1024 1 172.20.0.0/24 enp0s2 1024
172.20.0.2 network RouteStatus inet4/172.20.0.1//1024 1 172.20.0.1 enp0s2 1024
```
Before this change, the first route would have a metric zero.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>