Added a decomposition option to the kernel.NewDefaultCmdline() so that
the Defaults can be added _after_ constructing a custom commandline.
This is then implemented for `osctl install`.
Fixes#1128
Signed-off-by: Seán C McCord <ulexus@gmail.com>
Added a property to userdata to allow a network interface to be ignored,
such that Talos will perform no operations on it (including DHCP).
Also added kernel commandline parameter (talos.network.interface.ignore)
to specify a network interface should be ignored.
Also allows chaining of kernel cmdline parameter Contains() where the
parameter in question does not exist.
Fixes#1124
Signed-off-by: Seán C McCord <ulexus@gmail.com>
This sets the default install image just before installation. It was
erroneously placed in the boot verification.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
We have no need for this anymore since installs and upgrades are now
completely handled in a container.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This PR will move to using the external kubeadm v1beta2 structs for our
code base. This will hopefully allow for more stable integrations with
kubeadm in the long term, as well as solve some needs we have in the
machine config rewrite.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
This adds a well defined task for handling all overlay mount points that
are required by the system.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This moves to using BLKPG ioctl instead of BLKRRPART. BLKRRPART is older
and more sensitive to EBUSY errors. BLKPG has the potential to minimize
the changes of encountering an EBUSY error when manipulating partition
tables.
In looking at a comparison between BLKPG and BLKRRPART, it seems that
both have their pros and cons. Eventually a combination of the two may
serve us better, but for now I think BLKPG will get us further.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This is a major rewrite of our network subsystem.
- This changes networkd to run as a standalone app versus internal goroutine
- This changes out the netlink package with the more idiomatic netlink/rtnetlink
packages
- This changes the initial network bootstrap/discovery from using a single
interface to attempting to bring up all interfaces
- This moves us back on to the upstream dhcp library
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>
In order to DRY up all installation methods and mount methods, this PR
introduces a few more runtime modes. The modes are then used to
determine the strategy for creating and or mounting the paritions.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This adds a command runner function that can be used everywhere we need
to exec a binary. It adds addtional logic around error handling that
will allow for viewing errors in the case of a failed command.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This fixes the possibility of panicing on a nil pointer by running the
verification steps earlier.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This changes the data partition name to something more appropriate. We
chose ephemeral to make it very clear that the disk should not be used
for application data.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This is not ideal, but it works. We essentially need to start using
replace statements in order to pull in the modules we need.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This also includes a fix for #955 which had the unintended side effect
of breaking image creation ( since it would attempt to grow the filesystem
always ).
The refactor standardizes around looking for the DATA and ESP labels to
discover any existing installations/filesystems. If none are found, an
installation will proceed -- for both image creation and bare metal.
During bootup, the DATA partition will always attempt to expand/grow.
This also introduces a new phase to verify the installation through the
existance of /boot/installed ( migrated from install stage ).
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>
This adds the logic for mounting the owned block device and resizing the
ephemeral partition for cloud platforms.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This change aims to make installations more unified and reliable. It
introduces the concept of a mountpoint manager that is capable of
mounting, unmounting, and moving a set of mountpoints in the correct
order.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This PR will fix a bug we encountered in GCE, where the interface was
already up and the MTU value wasn't getting set.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
This change aims to standardize the boot process. It introduces the
concept of a phase, which is comprised of tasks. Phases are ran in serial and
the tasks that make up a phase are ran concurrently.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
It runs containers via CRI interface in a pod sandbox. This is the very
first version: I tried not to introduce any changes to common runner
interface.
There should be some CRI-speficic options for the runner (like polling
interval, as it doesn't have nice `Wait()` API), plus my plan so far is
to use OCI as the common layer for container options, so that we can
analyze OCI and translate to CRI (when possible, return errors when
option is not implemented).
CRI interface doesn't have a concept of 'unpacking' an image, so we
probably need to unpack via containerd API (or any other
runtime-specific API) by targeting CRI namespace.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
The responsibility of init should only be to mount the rootfs. This
change moves Talos specific logic into machined. This will allow us to
define a version of Talos in a single binary instead of split across
two. This will enable cleaner upgrades and helps make the codebase
easier to reason about.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
These were disabled in previous versions of Talos since BPF was
completely disabled. With this change, we now implement all recommended
sysctls.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This PR fixes a small bug where we weren't properly checking the value
of a net.ParseIP() call and setting the hostname to the first octet of
an IP.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
This PR will connect to each trustd endpoint specified, returning once
successful. Closes#891.
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
We need /etc/resolv.conf to be writable so that networkd can update it.
This change achieves this by creating a symlink at /etc/resolv.conf that
points to /var/resolv.conf.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This PR will fix a bug where the non-init nodes were not generating
their certs locally and relying on trustd instead. This broke down
because we aren't saving the CA key when we're generating with the
trustd identity function (because we don't need it for workers).
Signed-off-by: Spencer Smith <robertspencersmith@gmail.com>
We should only set the hostname to the actual host name instead of FQDN.
This hasnt been much of an issue, but GCE does return the FQDN for the
hostname field in dhcp.
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>
Without this, the check for the existence of the symlinks created in the
rootfs preparation step will always fail. On a reboot init will fail
because it tries to create a symlink that already exists.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
In order to accomodate the various ways that SSL certs are managed by
the different Linux distros, kubeadm creates control plane compoents
with volume mounts of the type DirectoryOrCreate to all well known SSL
cert locations. This change creates symlinks to /etc/ss/certs at all the
well known paths to account for the fact that the rootfs is read-only.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
Switch from `StringSliceVar` to `StringArrayVar` to maintain commas
in kernel args.
Update entrypoint script to allow specifying extra kernel args.
Remove default console settings in kernel config.
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>
This uses the correct mount flag for read-only.
We mistakenly had the flag for opening a file as read-only.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
In addition to adding a flag, this adds a field to the user data that allows
for extra kernel arguments to be specified.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This is preparation for implementing CRI runner.
CRI client moved into its own package, I split it into multiple files
and added rudimentary tests for it.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This makes test launch their own isolated instance of containerd with
its own root/state directories and listening socket address. Each test
brings this instance up/down on its own.
Add options to override containerd address in the code (used only in the
tests).
Enable parallel go test runs once again.
P.S. I wish I could share that 'SetupSuite' phase across the tests, but
afaik there's no way in Go to share `_test.go` code across packages. If
we put it as normal package, this might pull in test dependencies (like
`testify`) into production code, which I don't like.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
This change fixes a bug that caused installations to fail.
On each iteration, the previously discovered block devices were dropped because the `probed` variable was reassigned.
We now append the discovered block devices to a slice declared outside the for loop.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This refactors metrics interface to remove containerd-specific stuff and
make it common for CRI & containerd.
Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
