Include percent-based maxSize, e.g. use 50% of available space.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>
(cherry picked from commit 83f2bdb9ce6c9466716a6ac9c94dc2222e569ee8)

Don't guess based on the volume type, but use explicit fields for
different locators.
IMAGECACHE-ISO is a disk volume, but uses a full volume locator (by
filesystem type, etc.).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

In certain situations, Talos's shutdown/reboot sequence hangs while
waiting for services/mounts to be gracefully stopped (see:
https://github.com/siderolabs/talos/issues/11775).
This patch adds a forceful mode to the reboot sequence (`talosctl reboot
--mode force`) that bypasses graceful userspace teardown and hard
reboots the machine.
Signed-off-by: Laura Brehm <laurabrehm@hey.com>

Also expand internal bond configuration to cover missing fields.
They are not going to be exposed in legacy configuration.
Fixes #10960
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

- Improve docs
- Disable OOM controller in container mode
- Log OOM events
- Add an integration test verifying the system can sustain an OOM event
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>

Support disabling kernel module signature verification.
Note that this does not work when SecureBoot is enabled.
Fixes: #11989
Signed-off-by: Noel Georgi <git@frezbo.dev>

There was a mismatch between how Talos encodes resource specs to
protobuf on the wire, and `.proto` files generated by `structprotogen`
for the same specs.
This only affected `LinkStatus`/`LinkSpec` resources, and it doesn't
affect Talos/Omni as they go via `protoenc`, bypassing `.proto` files.
Also, if the default proto library is used, it works correctly.
The only place where it fails is a strict `vtprotobuf` encoding.
Also imports `protoenc` 0.2.4 skipping encoding of zero fields, which
should make COSI responses smaller for resources with lots of zero
fields.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

These features don't make any sense right now, so remove them from the
machine config to reduce clutter.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

OOM controller helps mitigate out-of-memory by monitoring PSI, selecting
and killing cgroups to free up memory when RAM is near full.
Add config document and tests.
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

New multi-doc way to apply static configuration to network links.
Fixes #10957
Also implements related changes:
* new-style auto-DHCP mode - run DHCP as long as there is no new-style
config document
* refactoring of controllers/tests which were touched in this PR
* implemented embedded config structs handling in docgen -> Markdown and
docgen -> JSON schema
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

See 4b840414be for more information.
Talos versions prior to 1.12 locked to PCR 7 state and PCR 11 for signed policies.
In order to keep backwards compatibility, newer installs will still default to PCR 7 state. Locking to PCR 7 can be disabled by passing an empty list.
Fixes: #10677
Signed-off-by: Noel Georgi <git@frezbo.dev>

Fixes #10992
The plan is detailed in the issue, but tl;dr is to get one big
controller into 4 smaller controllers, each doing its own part of the
work.
Each controller has its own set of tests.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Move stuff into `tools/go.mod`.
Also fix linting issues on the way (updating golangci-lint).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

SBOMs from /usr/local/share/spdx will now also be read; this is to be
used by system extensions. Add a sample for testing this feature.
Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>

ReferenceCount is a more common name, so replacing Instances will
provide better UX and will match online resources.
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>

Fixes #10011
Also implement a hidden option to skip the secondary disks check, which
allows wiping disks that are used as part of an active LVM volume. This
is unsafe in general, but sometimes, if you know what you're doing, it's
fine.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Zswap allows compressing pages in memory before they hit the actual swap
device.
Both swap and zswap (or either one of these) can be enabled.
Fixes #10675
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Fixes #10674
Provide a way to see current swap status, configure additional swap
devices (block) and de-configure them on the fly.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

See https://github.com/jsimonetti/rtnetlink/pull/256
See https://github.com/siderolabs/talos/issues/10696
Support setting address priority, this is important to ensure that the
prefix route has appropriate priority.
For now, we don't have it exposed in the machine config except for the
DHCP4 operator, so now both routes created explicitly by DHCP and routes
created implicitly have the same metric/priority:
```
172.20.0.2 network RouteStatus inet4//172.20.0.0/24/1024 1 172.20.0.0/24 enp0s2 1024
172.20.0.2 network RouteStatus inet4/172.20.0.1//1024 1 172.20.0.1 enp0s2 1024
```
Before this change, the first route would have a metric zero.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

User volumes are identified by a short name which serves both
as a `/var/mnt` mount point and a partition label.
User volumes can be added and removed on the fly, and they are
automatically propagated into the `kubelet` mount namespace.
Also deprecate `.machine.disks`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

See https://github.com/siderolabs/talos/discussions/10641
The problem is that the `overridePath` config option should be per-endpoint,
not a global one.
As we can't easily change v1alpha1 config, change the interface instead,
and update the controller which generates final registry config to
use per-endpoint setting.
Ensure that `registryd` endpoint never uses `overridePath`.
E.g., with this PR:
```toml
[host]
  [host.'http://127.0.0.1:3172']
    capabilities = ['pull', 'resolve']
  [host.'http://172.20.0.1:5006/v2/']
    capabilities = ['pull', 'resolve']
    override_path = true
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

This complements the previous PRs to implement more volume features:
directory volumes control their permissions, SELinux labels, etc.
Overlay mounts support additional parent relationship.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Use new controller for user disk and STATE mounts, drop
old code in the sequencer.
Also support mounts with parent (when e.g. `/var/lib` is mounted on top
of `/var`).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

The issue is not so easy to fix, as a GRPC tunnel on/off change requires
two different flows for the link (interface):
* no tunnel -> Talos link controller should create in-kernel `wireguard`
link and no userspace components
* tunnel on -> Talos link controller should never create the link, and
only adjust WG settings via UAPI, while the actual link is created by
the userspace implementation (it's a `tun` device)
Transition between those two links is impossible for the link controller
to distinguish, as it doesn't know that it has to drop old link and skip
creating new one based on the information available.
So, instead, use different names for the link in two states:
`siderolink` for the kernel flow, and `siderolinktun` for the userspace
flow. This fixes the issue of proper link cleanup/re-creation.
Add integration tests.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Mount EPHEMERAL volume via new controller.
Implement the first cut of volume dependencies from services, refactor
the way system disk wipe works.
Update volume manager controller to destroy volume statuses on shutdown,
which allows mount operations to be signaled to terminate.
Lots of WIP ideas still, but I want to complete this PR and move on to
the next one:
* refactor user disks mounts to use new API
* refactor STATE mounts to use new API
* implement directory/overlay mounts
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Fixes #9602
Aggregate incoming volume mount requests, reconcile them with volume
status, perform actual mounting, and produce mount status.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Support showing current feature state, and changing features on the fly.
The output and interface should be similar to `ethtool`.
We don't support legacy feature names.
```yaml
node: 172.20.0.5
metadata:
    namespace: network
    type: EthernetStatuses.net.talos.dev
    id: enp0s2
    version: 2
    owner: network.EthernetStatusController
    phase: running
    created: 2025-02-10T11:40:32Z
    updated: 2025-02-10T11:40:32Z
spec:
    linkState: true
    port: Other
    duplex: Unknown
    rings:
        rx-max: 256
        tx-max: 256
        rx: 256
        tx: 256
        tx-push: false
        rx-push: false
    features:
        tx-scatter-gather: on
        tx-checksum-ipv4: off [fixed]
        tx-checksum-ip-generic: on
        tx-checksum-ipv6: off [fixed]
        highdma: on [fixed]
        tx-scatter-gather-fraglist: off [fixed]
        tx-vlan-hw-insert: off [fixed]
        rx-vlan-hw-parse: off [fixed]
        rx-vlan-filter: on [fixed]
        vlan-challenged: off [fixed]
        tx-generic-segmentation: on
        rx-gro: on
        rx-lro: off [fixed]
        tx-tcp-segmentation: on
        tx-gso-robust: on [fixed]
        tx-tcp-ecn-segmentation: on
        tx-tcp-mangleid-segmentation: off
        tx-tcp6-segmentation: on
        tx-fcoe-segmentation: off [fixed]
        tx-gre-segmentation: off [fixed]
        tx-gre-csum-segmentation: off [fixed]
        tx-ipxip4-segmentation: off [fixed]
        tx-ipxip6-segmentation: off [fixed]
        tx-udp_tnl-segmentation: off [fixed]
        tx-udp_tnl-csum-segmentation: off [fixed]
        tx-gso-partial: off [fixed]
        tx-tunnel-remcsum-segmentation: off [fixed]
        tx-sctp-segmentation: off [fixed]
        tx-esp-segmentation: off [fixed]
        tx-udp-segmentation: off
        tx-gso-list: off [fixed]
        tx-checksum-fcoe-crc: off [fixed]
        tx-checksum-sctp: off [fixed]
        rx-ntuple-filter: off [fixed]
        rx-hashing: off [fixed]
        rx-checksum: on [fixed]
        tx-nocache-copy: off
        loopback: off [fixed]
        rx-fcs: off [fixed]
        rx-all: off [fixed]
        tx-vlan-stag-hw-insert: off [fixed]
        rx-vlan-stag-hw-parse: off [fixed]
        rx-vlan-stag-filter: off [fixed]
        l2-fwd-offload: off [fixed]
        hw-tc-offload: off [fixed]
        esp-hw-offload: off [fixed]
        esp-tx-csum-hw-offload: off [fixed]
        rx-udp_tunnel-port-offload: off [fixed]
        tls-hw-tx-offload: off [fixed]
        tls-hw-rx-offload: off [fixed]
        rx-gro-hw: on
        tls-hw-record: off [fixed]
        rx-gro-list: off
        macsec-hw-offload: off [fixed]
        rx-udp-gro-forwarding: off
        hsr-tag-ins-offload: off [fixed]
        hsr-tag-rm-offload: off [fixed]
        hsr-fwd-offload: off [fixed]
        hsr-dup-offload: off [fixed]
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>