See https://github.com/siderolabs/talos/discussions/10641
The problem is that `overridePath` config option should be per-endpoint,
not a global one.
As we can't easily change v1alpha1 config, change the interface instead,
and update the controller which generates final registry config to
use per-endpoint setting.
Ensure that `registryd` endpoint never uses `overridePath`.
E.g., with this PR:
```toml
[host]
[host.'http://127.0.0.1:3172']
capabilities = ['pull', 'resolve']
[host.'http://172.20.0.1:5006/v2/']
capabilities = ['pull', 'resolve']
override_path = true
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This complements the previous PRs to implement more volume features:
directory volumes control their permissions, SELinux labels, etc.
Overlay mounts support additional parent relationship.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use new controller for user disk and STATE mounts, drop
old code in the sequencer.
Also support mounts with parent (when e.g. `/var/lib` is mounted on top
of `/var`).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The issue is not so easy to fix, as GRPC tunnel on/off change requires
two different flow for the link (interface):
* no tunnel -> Talos link controller should create in-kernel `wireguard`
link and no userspace components
* tunnel on -> Talos link controller should never create the link, and
only adjust WG settings via UAPI, while the actual link is created by
the userspace implementation (it's a `tun` device)
Transition between those two links is impossible for the link controller
to distinguish, as it doesn't know that it has to drop old link and skip
creating new one based on the information available.
So, instead, use different names for the link in two states:
`siderolink` for the kernel flow, and `siderolinktun` for the userspace
flow. This fixes the issue of proper link cleanup/re-creation.
Add integration tests.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Mount EPHEMERAL volume via new controller.
Implement the first cut of volume dependencies from services, refactor
the way system disk wipe works.
Update volume manager controller to destroy volume statuses on shutdown,
which allows to signal mount operations to be terminated.
Lots of WIP ideas still, but I want to complete this PR and move on to
the next one:
* refactor user disks mounts to use new API
* refactor STATE mountes to use new API
* implement directory/overlay mounts
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#9602
Aggregate incoming volume mount requests, reconcile them with volume
status, perform actual mounting, and produce mount status.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Support showing current feature state, and changing features on the fly.
The output and interface should be similar to `ethtool`.
We don't support legacy feature names.
```
node: 172.20.0.5
metadata:
namespace: network
type: EthernetStatuses.net.talos.dev
id: enp0s2
version: 2
owner: network.EthernetStatusController
phase: running
created: 2025-02-10T11:40:32Z
updated: 2025-02-10T11:40:32Z
spec:
linkState: true
port: Other
duplex: Unknown
rings:
rx-max: 256
tx-max: 256
rx: 256
tx: 256
tx-push: false
rx-push: false
features:
tx-scatter-gather: on
tx-checksum-ipv4: off [fixed]
tx-checksum-ip-generic: on
tx-checksum-ipv6: off [fixed]
highdma: on [fixed]
tx-scatter-gather-fraglist: off [fixed]
tx-vlan-hw-insert: off [fixed]
rx-vlan-hw-parse: off [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-generic-segmentation: on
rx-gro: on
rx-lro: off [fixed]
tx-tcp-segmentation: on
tx-gso-robust: on [fixed]
tx-tcp-ecn-segmentation: on
tx-tcp-mangleid-segmentation: off
tx-tcp6-segmentation: on
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-gre-csum-segmentation: off [fixed]
tx-ipxip4-segmentation: off [fixed]
tx-ipxip6-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-udp_tnl-csum-segmentation: off [fixed]
tx-gso-partial: off [fixed]
tx-tunnel-remcsum-segmentation: off [fixed]
tx-sctp-segmentation: off [fixed]
tx-esp-segmentation: off [fixed]
tx-udp-segmentation: off
tx-gso-list: off [fixed]
tx-checksum-fcoe-crc: off [fixed]
tx-checksum-sctp: off [fixed]
rx-ntuple-filter: off [fixed]
rx-hashing: off [fixed]
rx-checksum: on [fixed]
tx-nocache-copy: off
loopback: off [fixed]
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
hw-tc-offload: off [fixed]
esp-hw-offload: off [fixed]
esp-tx-csum-hw-offload: off [fixed]
rx-udp_tunnel-port-offload: off [fixed]
tls-hw-tx-offload: off [fixed]
tls-hw-rx-offload: off [fixed]
rx-gro-hw: on
tls-hw-record: off [fixed]
rx-gro-list: off
macsec-hw-offload: off [fixed]
rx-udp-gro-forwarding: off
hsr-tag-ins-offload: off [fixed]
hsr-tag-rm-offload: off [fixed]
hsr-fwd-offload: off [fixed]
hsr-dup-offload: off [fixed]
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
At the moment, we don't use/support aliases, but we might in the future.
Altnames are filled out by `systemd-udevd`.
This PR has two parts:
* show aliases & altnames in `LinkStatus`
* match links by aliases/altnames when we configure
addresses/routes/links
This should make a transition to `systemd-udevd` less painful if the
previous link name is in `altNames`.
Forked rtnetlink for https://github.com/jsimonetti/rtnetlink/pull/241
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#9615
The are no integration tests, this is to be addressed later.
I did manual tests so far.
Also includes first draft of the documentation.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
New config field `machine.network.searchDomains` supports specifying custom search domains.
For the node it will look something like this:
```
nameserver 127.0.0.53
search my-custom-search-name.com my-custom-search-name2.com
```
For the pods it will look something like this:
```
search default.svc.cluster.local svc.cluster.local cluster.local my-custom-search-name.com my-custom-search-name2.com
nameserver 10.96.0.10
options ndots:5
```
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Fixes#9820
This only affects volumes with multiple key slots configured.
Make sync issues non-fatal, so that if some keys fail to sync, proceed
with normal boot, but record an error in the `VolumeStatus` resource.
When opening, correctly try all key slots.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Implement SELinux labeling support in EtcFileController, label both squashfs and runtime-created files in /etc and /system/etc.
Add corresponding test cases.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Implement a feature flag, a resource which controls the flow.
This controls the volume configuration, mounting, etc.
Fixes#9767
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Label mounted filesystems like ephemeral, overlay mounts, as well as data directories (going to become volumes later).
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Fixes#9731
The wipe doesn't require a reboot, but it requires the blockdevice not
to be used as a volume.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#9691
This closes the race between the node registration and the moment
`NodeApplyController` would apply the taint.
As the taint is exactly same as added by `NodeApplyController`, it will
be owned by the controller, so it can be removed if
`allowSchedulingOnControlplanes` is enabled in the machine config while
the cluster is running.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is going to be used to detect disks that are safe to wipe.
For blockdevices, track secondaries as direct references, e.g. encrypted
`STATE` partition might have secondary `vda5`.
For disks, re-map secondaries to be whole devices names, e.g. `vda`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Dashboard now shows the active frequency of each CPU core when cpufreq
is available on non-virtualized systems, enhancing real-time accuracy.
Solves the issue of displaying 0MHz on certain SBCs due to
/proc/cpuinfo limitations.
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Allow putting a device into a bridge from device configuration.
Signed-off-by: Joakim Nohlgård <joakim@nohlgard.se>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#9538
Re-do the implementation by using the volume management primitives, so
that we can avoid/skip old code. This should fix all issues related to
the partition/whole disk.
Fix issues in the volume management (exposed, as we haven't used it this
way before).
Build a test case in `talosctl cluster create` to inject machine config
via `metal-iso`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The new command `talosctl cgroups` fetches cgroups snapshot from the
machine, parses it fully, enhances with additional information (e.g.
resolves pod names), and presents a customizable view of cgroups
configuration (e.g. limits) and current consumption.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This implements the first round of changes, replacing the volume backend
with the new implementation, while keeping most of the external
interfaces intact.
See #8367
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This will be useful for debugging SELinux implementation. Make API report other xattrs for further development like IMA/EVM
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
This option must be defined at the proto level in order to have an
import path that is reasonably usable
Signed-off-by: Eddie Zaneski <eddiezane@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is an attempt to fix many issues related with trying to use Service
IP for host DNS.
Fixes#9196
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes https://github.com/siderolabs/extensions/issues/448
Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is
the default CNI in Talos) in the Talos `initramfs`.
With this change, no plugin install is required, so the `install-cni`
step is dropped from the Flannel default manifest.
The bundled plugins:
```
$ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/
NODE MODE UID GID SIZE(B) LASTMOD NAME
172.20.0.2 drwxr-xr-x 0 0 109 B 7 hours ago .
172.20.0.2 -rwxr-xr-x 0 0 3.2 MB 7 hours ago bridge
172.20.0.2 -rwxr-xr-x 0 0 3.3 MB 7 hours ago firewall
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago flannel
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago host-local
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago loopback
172.20.0.2 -rwxr-xr-x 0 0 2.8 MB 7 hours ago portmap
```
The `initramfs` for amd64 grows 67 -> 73 MiB with this change.
The path `/opt/cni/bin` is still an overlay mount, so extra plugins can
be dropped to this directory (no change here).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Extensions are posted the following way:
`extensions.talos.dev/<name>=<version>`
The name should be valid as a label (annotation) key.
If the value is valid as a label value, use labels, otherwise use
annotations.
Also implements node annotations in the machine config as a side-effect.
Fixes#9089Fixes#8971
See #9070
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add a new resource, `SiderolinkStatus`, which combines the following info:
- The Siderolink API endpoint without the query parameters or fragments (potentially sensitive info due to the join token)
- The status of the Siderolink connection
This resource is not set as sensitive, so it can be retrieved by the users with `os:operator` role (e.g., using `talosctl dashboard` through Omni).
Make use of this resource in the dashboard to display the status of the Siderolink connection.
Additionally, rework the status columns in the dashboard to:
- Display a Linux terminal compatible "tick" or a "cross" prefix for statuses in addition to the red/green color coding.
- Move and combine some statuses to save rows and make them more even.
Closessiderolabs/talos#8643.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Detect CD devices, and set size to 0 for CD without media.
In user disk wipe tests, skip device mapper devices and CD-ROM.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Uses go-siderolabs/go-blockdevice/v2 for all the hard parts,
provides new resource `Disk` which describes all disks in the system.
Additional resource `SystemDisk` always point to the system disk (based
on the location of `META` partition).
The `Disks` API (and `talosctl disks`) provides a view now into the
`talosctl get disks` to keep backwards compatibility.
QEMU provisioner can now create extra disks of various types: IDE, AHCI,
SCSI, NVME, this allows to test detection properly.
The new resource will be the foundation for volume provisioning (to pick
up the disk to provision the volume on).
Example:
```
talosctl -n 172.20.0.5 get disks
NODE NAMESPACE TYPE ID VERSION SIZE READ ONLY TRANSPORT ROTATIONAL WWID MODEL SERIAL
172.20.0.5 runtime Disk loop0 1 65568768 true
172.20.0.5 runtime Disk nvme0n1 1 10485760000 false nvme nvme.1b36-6465616462656566-51454d55204e564d65204374726c-00000001 QEMU NVMe Ctrl deadbeef
172.20.0.5 runtime Disk sda 1 10485760000 false virtio true QEMU HARDDISK
172.20.0.5 runtime Disk sdb 1 10485760000 false sata true t10.ATA QEMU HARDDISK QM00013 QEMU HARDDISK
172.20.0.5 runtime Disk sdc 1 10485760000 false sata true t10.ATA QEMU HARDDISK QM00001 QEMU HARDDISK
172.20.0.5 runtime Disk vda 1 12884901888 false virtio true
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Talos diagnostics analyzes current system state and comes up with detailed
warnings on the system misconfiguration which might be tricky to figure
out other way.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Retrieve the DNS names of instances from the platform metadata.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This will be useful for debugging process access rights once we start implementing SELinux
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
