Whitelist services which can access the file socket, refuse other
connections.
Fixes #12701
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 038cb87354eea1c1ff4612bdd13d1e77e595955a)
Trade some imports, bump some modules, net result is killing lots of
transitive dependencies which were getting into the build.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pseudo late mount points (`/system`, `/run` and `/system`) were consistently failing to unmount.
While reaching this unmount sequence, we should already have unmounted any children.
However, if those are not unmounted, we should log what we are unmounting and unmount them recursively.
Fixes #12974
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Attempt to fix intermittent issue with images being pulled with the
wrong platform for multi-platform images.
The Claude did the analysis, and I think the root cause is that the
`DefaultSpec()` we used causes the match to include `variant` which is
e.g. `v8` for arm64, while if the image doesn't declare the exact
variant, it might skip filtering and pick up the first layer which is
amd64.
It is still not clear why exactly it is intermittent this way.
But this change aligns it more closely with the way containerd pulls, so
should be good to go.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add support for whole machine-wide image verification configuration.
Configuration is a set of rules applied top-down to the image reference,
each specifying a specific cosign-based identity or static public key
claim.
Talos provides a machined API to verify an image reference, resolving it
to the digest on the way as needed.
Talos itself hooks up in the image verification process, while
containerd CRI plugin accesses same API via the machined socket.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Implement new minimal Install/Upgrade LifecycleService API with streaming
support for real-time progress reporting. Add protobuf definitions, gRPC
service implementation, and client bindings.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Allow mouse input, this already works in Table component (process list).
We have a custom footer, which is not a set of buttons, so instead add a
custom handler, so that nodes & screens in the footer are clickable now.
No changes for the way it looks.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use the library built for tview, so that we don't have to have two UI
libraries working in parallel in the same TUI.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Via tools/pkgs, also pulling in Clang-built Linux
Update go.mod dependencies
Fix linter errors with new golangci-lint, modernize, use new()
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pulls in KMS with logging, and adds more logging to Talos.
This allows debugging encryption problems better.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add advertisedNetworks filter to KubeSpan configuration that allows
filtering which additional networks (e.g., pod CIDRs) are advertised
over KubeSpan when advertiseKubernetesNetworks is enabled.
Signed-off-by: Daniil Kivenko <daniil.kivenko@p2p.org>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also allow the system containerd to execute igzip, which is essential
for pulling images
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
This implements a way to run a debug container with a provided image on
the node.
The container runs with the privileged profile, allowing one to issue debugging
commands (e.g. using some advanced network tools) to troubleshoot a
machine.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add DisableAccessTime and Secure mount options for existing volumes.
DisableAccessTime adds noatime parameter to disable access time updates.
Secure adds nosuid and nodev parameters for security (defaults to true).
Add integration tests for both options.
Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
These new APIs only support one2one proxying, so they don't have any
hacks, and look like regular gRPC APIs.
Old APIs are deprecated, but still supported.
Implement client-side multiplexing in `talosctl`, provide fallback to
old APIs for legacy Talos versions.
New APIs include removing an image, importing an image.
Extracted from #12392
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
I got a failure when dual-boot image refuses to format EPHEMERAL
partition where `EFI` partition used to be (VFAT).
So until we have a resolution, do this workaround.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This reports image pull progress in the console for images pulled by
Talos:
* etcd
* kubelet
* installer
This work was mostly done by @laurazard, I just wrapped it for the
console with Laura's help. (see #12932)
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Populate endpoint coming from the Kubernetes controlplane endpoint with
the hostname (if the endpoint is a hostname).
This should improve cases when hostname is used for the endpoint in
terms of SNI, proper resolving of DNS if it's dynamic.
See https://github.com/siderolabs/talos/pull/12556#issuecomment-3755862314
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #12491
In (almost) all places we previously used `FastWipe`, use instead a
helper which will try to discover filesystem/partition signatures, and
wipe them.
This fixes the issue when a partition re-created in the same place might
already hit a scenario when the "old" filesystem is discovered in the
same place.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use literal IP address instead of `localhost` to make `kube-apiserver`
connect to etcd member instead of relying on IPv4/IPv6 resolving of
`localhost`.
Simplify configuration for listening on 127.0.0.1 only, generate cert
SANs unconditionally for etcd loopback IPs.
Fixes #12542
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
If system services including kubelet/CRI start using swap, it might lead
to extreme performance degradation.
Disable swap for all system services except for dashboard (which is not
critical).
```
NAME             SwapCurrent  SwapPeak  SwapHigh  SwapMax  ZswapCurrent  ZswapMax  ZswapWriteback
.                unset        unset     unset     unset    unset         unset     1
├──init          0 B          0 B       max       0 B      0 B           max       1
├──podruntime    0 B          0 B       max       max      0 B           max       1
│  ├──etcd       0 B          0 B       max       0 B      0 B           max       1
│  ├──kubelet    0 B          0 B       max       0 B      0 B           max       1
│  └──runtime    0 B          0 B       max       0 B      0 B           max       1
└──system        0 B          0 B       max       max      0 B           max       1
   ├──apid       0 B          0 B       max       0 B      0 B           max       1
   ├──dashboard  0 B          0 B       max       max      0 B           max       1
   ├──runtime    0 B          0 B       max       0 B      0 B           max       1
   ├──trustd     0 B          0 B       max       0 B      0 B           max       1
```
Refactor etcd cgroup to use same common pattern while keeping same
settings (but limit swap).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The interactive installer has been deprecated since v1.12 cycle,
now removed completely including the API method.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Also changes the bootloader interface.
Disks are formatted/created with pre-populated source directories in Install/Image mode.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Support creating filesystems from `SourceDirectory`, this implies partitions can have the data populated when formatted.
ImageCache handling is now using `SourceDirectory` while formatting simplifying the code.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add a test for this case
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Co-authored-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It should help airgapped machines switch NTP servers on machine config change
while being stuck resolving the unresolvable default endpoint.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
When resetting+wiping system partitions (`talosctl reset
--system-labels-to-wipe ...`), also drop partitions. This enables
usecases such as relocating EPHEMERAL, etc. with a new machine
config.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
Fixes #10963
Also hides/deprecates `.machine.network.interfaces`, as every piece of
it is now available as proper multi-doc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It only applies to Talos pulling images, not CRI-initiated pulls.
This is more of an experiment to fight a random issue when a wrong platform
image is pulled (specifically on arm64 platform accidentally pulling
amd64 image).
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Update COSI, and stop using a fork of `gopkg.in/yaml.v3`, now we use the new
supported fork of this library.
Drop `MarshalYAMLBytes` for the machine config, as we actually marshal
config as a string, and we don't need this at all.
Make `talosctl` stop doing hacks on machine config for newer Talos, keep
hacks for backwards compatibility.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use cmdline from the UKI in Talos 1.12+ by default for new installs.
This brings GRUB in line with systemd-boot vs. cmdline behavior.
Fixes #12019
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Support disabling kernel module signature verification.
Note that this does not work when SecureBoot is enabled.
Fixes: #11989
Signed-off-by: Noel Georgi <git@frezbo.dev>
This is handy to detect frozen machines when looking at the dashboard
output video console.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
- Do not create target dir for detached mounts;
- Use 'ro' flag on ReadOnly mount requests;
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
Most of the work is to add proper test environment for more cases.
Include a test for pulling an image
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
When `RemountReadOnly` was called on a detached mount, it returned `EINVAL`.
This is not the expected behavior.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>