Fixes#4947
It turns out there's something related to boot process in BIOS mode
which leads to initramfs corruption on later `kexec`.
Booting via GRUB is always successful.
Problem with kexec was confirmed with:
* direct boot via QEMU
* QEMU boot via iPXE (bundled with QEMU)
The root cause is not known, but the only visible difference is the
placement of RAMDISK with UEFI and BIOS boots:
```
[ 0.005508] RAMDISK: [mem 0x312dd000-0x34965fff]
```
or:
```
[ 0.003821] RAMDISK: [mem 0x711aa000-0x747a7fff]
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#5003
This implements a way to configure API server admission plugins via
Talos machine configuration.
If Pod Security admission is enabled, default cluster-wide policy is
generated which enforces baseline policy.
Policy can be overridden per-namespace.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#4694
User services run alongside with Talos system services.
Every user service container root filesystem should be already present
in the Talos root filesystem.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Instead of bundling the apiserver audit logs with the rest of the
apiserver logs, we should store them separately to file, assuring
reasonable defaults for retention and rotation.
Fixes#5000
Signed-off-by: Seán C McCord <ulexus@gmail.com>
Pin talos default k8s version to `talosctl gen config`
Signed-off-by: Charlie Haley <charlie.haley@hotmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#4727
On worker nodes, static pods are injected, but status can't be monitored
by Talos. On control plane nodes full status is available via
`StaticPodStatus`.
Pod definition is left as `Unstructured` in the machine configuration,
and no specific validation is performed to avoid pulling in Kubernetes
libraries into Talos machinery package.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Adds a timezone file for UTC to the rootfs and create a symlink for it
at /etc/localtime
Fixes#4840
Signed-off-by: Philipp Sauter <sauterp@protonmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Include filename content if value begins with @ (see curl for example).
Add multiple config-path option on cmdline to apply them in order.
ex:
```
talosctl-linux-amd64 gen config talos1 https://127.0.0.1:6443 --config-patch-control-plan @cidrs.json --config-patch-worker @sysctls-workders.json --config-path @cluster-name.json
```
Load JSON patch from YAML.
This applies to all commands handling config patches.
Closes: https://github.com/talos-systems/talos/issues/4764
Signed-off-by: Sébastien Bernard <sbernard@nerim.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This will fix running these scripts on distros without /bin/bash, but
where bash is in $PATH, such as NixOS.
Currently, `make fmt` otherwise fails to run:
```
make[3]: Leaving directory '/home/flokli/dev/numtide/manifoldfinance/talos'
sh: ./hack/fix-artifacts.sh: /bin/bash: bad interpreter: No such file or directory
make[2]: *** [Makefile:163: local-fmt-protobuf] Error 126
make[2]: Leaving directory '/home/flokli/dev/numtide/manifoldfinance/talos'
make[1]: *** [Makefile:274: fmt-protobuf] Error 2
make[1]: Leaving directory '/home/flokli/dev/numtide/manifoldfinance/talos'
make: *** [Makefile:277: fmt] Error 2
```
Signed-off-by: Florian Klink <flokli@flokli.de>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Containerd doesn't support merging plugin configuration from multiple
sources, and Talos has several pieces which configure CRI plugin:
(see https://github.com/containerd/containerd/issues/5837)
* base config
* registry mirror config
* system extensions
* ...
So we implement our own simple way of merging config parts (by simply
concatenating text files) to build a final `cri.toml`.
At the same time containerd migrated to a new format to specify registry
mirror configuration, while old way (via CRI config) is going to be
removed in 1.7.0. New way also allows to apply most of registry
configuration (except for auth) on the fly.
Also, containerd was updated to 1.6.0-rc.0 and runc to 1.1.0.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Drop the rewrite rule which seems to be causing issues for
`ingress-nginx` when Kubernetes IPv4-only cluster runs in the
IPv6-enabled environment.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
