It all started debugging the issue on Talos being stuck on reboot when
`talosctl logs -f kubelet` is being used.
Fixes:
* abort goroutine runner even if the goroutine doesn't terminate - we
have no way to force termination, so at least don't hang forever
* align timeouts for apid/trustd for graceful termination - so that at
least the service is not SIGKILLed while it does its own graceful
shutdown
* in stream chunker, act on canceled context immediately instead of
relying on `Read` to return: with `logs -f` the reader will block
forever waiting for new logs
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
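The third point above, acting on a canceled context instead of waiting for a blocking `Read` to return, is easy to get wrong. The following is an added illustration (not Talos code, and not from the commit itself) of the pattern: reads run in their own goroutine, and the caller selects on `ctx.Done()` so a reader that never produces data (the `logs -f` case) cannot hang the caller. The names `StreamChunks` and `readResult` are assumptions of this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"time"
)

// readResult carries one Read outcome from the reader goroutine.
type readResult struct {
	data []byte
	err  error
}

// StreamChunks copies chunks from r to out until EOF, a read error, or ctx
// cancellation. Reads run in their own goroutine so that a Read that blocks
// forever (a follow-mode log reader waiting for new data) cannot keep the
// caller from observing the canceled context.
func StreamChunks(ctx context.Context, r io.Reader, out chan<- []byte) error {
	results := make(chan readResult)

	// The goroutine exits on its own only when Read returns; there is no way
	// to force a blocked Read to stop, so on cancellation we abandon it rather
	// than hang the caller (this is the limitation the commit message notes).
	go func() {
		for {
			buf := make([]byte, 4096)
			n, err := r.Read(buf)
			select {
			case results <- readResult{data: buf[:n], err: err}:
			case <-ctx.Done():
				return
			}
			if err != nil {
				return
			}
		}
	}()

	for {
		select {
		case <-ctx.Done():
			// Act on cancellation immediately, whatever Read is doing.
			return ctx.Err()
		case res := <-results:
			if len(res.data) > 0 {
				select {
				case out <- res.data:
				case <-ctx.Done():
					return ctx.Err()
				}
			}
			if errors.Is(res.err, io.EOF) {
				return nil
			}
			if res.err != nil {
				return res.err
			}
		}
	}
}

func main() {
	// Constructed scenario: nobody ever writes to pw, so pr.Read blocks
	// forever, like a log follower with no new lines arriving.
	pr, pw := io.Pipe()
	defer pw.Close()

	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()

	out := make(chan []byte, 16)
	start := time.Now()
	err := StreamChunks(ctx, pr, out)
	fmt.Printf("returned after %v with: %v\n", time.Since(start).Round(time.Millisecond), err)
}
```

The reader goroutine is still parked in `Read` after `StreamChunks` returns; it only exits once the underlying reader is closed. That is the residual cost of a reader without cancellation support, and it is why the caller, not the reader, has to own the timeout.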
Fix building on SELinux systems. Extracting xattrs led to return code 2 as a non-critical error. This should not influence extension build.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Fixes #9820
This only affects volumes with multiple key slots configured.
Make sync issues non-fatal, so that if some keys fail to sync, proceed
with normal boot, but record an error in the `VolumeStatus` resource.
When opening, correctly try all key slots.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
For 1.9, we keep it disabled until it gets more production ready in
1.10.
It still can be enabled with `selinux=1`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #8074
One part of the fix is to wait for udevd to be ready, as before udevd is
ready the network interfaces are not ready either, so sync is not
possible.
The second part is that u-root's rtc package now supports closing rtc
devices, so we can properly open/close it as part of the sync loop (vs.
the previous workaround with sync.Once).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The problem was with the specific disk selector `!system_disk` - in the previous
implementation, as `system_disk` defaulted to false even if the system
disk was not known yet, this might result in picking up a disk which is
going to be the system disk before the system disk is picked.
In the new implementation, as `system_disk` is not set before it is
detected, a condition containing `system_disk` (either way) will
fail to execute and volume provisioning will be delayed until the system disk
is detected.
Also:
Fixes #9809
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #9786
Match on the exact expected size; otherwise, as the `META` name is common, Talos
might find `META` where it shouldn't be.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add an explicit example of kubelet config.
Signed-off-by: Rémi Paulmier <remi.paulmier@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
All `io.Writer` implementations are expected to return exactly `len(p)` bytes on successful exit.
So do just that, and ensure in runtime that we do the proper thing.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
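The `io.Writer` contract matters most for writers that transform data, since the byte count they get from the underlying writer is not `len(p)`. The following is an added example (not Talos code, and not from this commit) with a prefixing writer in both the broken and the correct form, plus a wrapper that enforces the contract at runtime the way the commit message describes; the names `prefixWriter`, `naivePrefixWriter`, `checkedWriter`, `CopyThrough` and `ErrBadWriteCount` are assumptions of this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// prefixWriter prepends a fixed prefix to every Write. It hands the
// underlying writer more bytes than it was given, which is exactly where the
// io.Writer contract (return len(p) on success) is easy to violate.
type prefixWriter struct {
	w      io.Writer
	prefix string
}

// Write (correct form): report len(p) on success regardless of how many
// bytes the underlying writer consumed.
func (pw *prefixWriter) Write(p []byte) (int, error) {
	if _, err := pw.w.Write(append([]byte(pw.prefix), p...)); err != nil {
		return 0, err
	}
	return len(p), nil
}

// naivePrefixWriter passes the underlying count straight through, so it
// reports n > len(p) on success. Consumers such as io.Copy reject that.
type naivePrefixWriter struct {
	w      io.Writer
	prefix string
}

func (nw *naivePrefixWriter) Write(p []byte) (int, error) {
	return nw.w.Write(append([]byte(nw.prefix), p...))
}

// ErrBadWriteCount is returned by checkedWriter when the wrapped writer
// reports success with a byte count other than len(p).
var ErrBadWriteCount = errors.New("writer returned nil error with n != len(p)")

// checkedWriter enforces the contract at runtime for any wrapped writer.
type checkedWriter struct{ w io.Writer }

func (cw checkedWriter) Write(p []byte) (int, error) {
	n, err := cw.w.Write(p)
	if err == nil && n != len(p) {
		return n, fmt.Errorf("%w: n=%d len(p)=%d", ErrBadWriteCount, n, len(p))
	}
	return n, err
}

// CopyThrough pushes s into w via io.Copy. The LimitReader wrapper hides
// strings.Reader's WriterTo so io.Copy takes its generic Read/Write loop,
// which is the code path that validates the returned byte count.
func CopyThrough(w io.Writer, s string) (int64, error) {
	return io.Copy(w, io.LimitReader(strings.NewReader(s), int64(len(s))))
}

func main() {
	// Constructed input: one log line pushed through each writer.
	const line = "kubelet started\n"

	var good bytes.Buffer
	n, err := CopyThrough(&prefixWriter{w: &good, prefix: "[kubelet] "}, line)
	fmt.Printf("correct writer: n=%d err=%v out=%q\n", n, err, good.String())

	var bad bytes.Buffer
	n, err = CopyThrough(&naivePrefixWriter{w: &bad, prefix: "[kubelet] "}, line)
	fmt.Printf("naive writer:   n=%d err=%v\n", n, err)

	var checked bytes.Buffer
	_, err = CopyThrough(checkedWriter{w: &naivePrefixWriter{w: &checked, prefix: "[kubelet] "}}, line)
	fmt.Printf("checked naive:  err=%v\n", err)
}
```

Wrapping a writer in `checkedWriter` during tests turns a silent contract violation into a named error, which is cheaper than discovering it through an `io.Copy` failure in production.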
On devtmpfs or sysfs the SELinux attribute is not listed unless it has been set, yet it is available and represents the SELinux label of the file.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
This fixes the rather irksome warning when using buildkit to build
images.
This should not break anything since the defaults are set to `scratch`
and if the `build-arg` is not passed the copy stage will fail.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Implement SELinux labeling support in EtcFileController, label both squashfs and runtime-created files in /etc and /system/etc.
Add corresponding test cases.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Implement a feature flag, a resource which controls the flow.
This controls the volume configuration, mounting, etc.
Fixes #9767
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
* Save the image in OCI format, so the imager can either use it as OCI input or pull it from
a registry.
* Support caching layers to a path, so subsequent runs are faster
Signed-off-by: Noel Georgi <git@frezbo.dev>
Label mounted filesystems like ephemeral, overlay mounts, as well as data directories (going to become volumes later).
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Always add directory entries to tarball.
Handle directory vs. files in tarball `build`.
Use the source file info to set file permissions.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Do not do string lookups in repetitive calls. We do not support changing SELinux status during runtime, so once we read this we can assume status does not change.
Also avoid unneeded FS writes when appropriate label is already set on file.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Even though VMware doesn't support the non-amd64 case, for the imager (and
Image Factory), the common stuff should work correctly for any arch the
imager is running with (as an arm64 imager can generate an amd64 VMware
image).
See https://github.com/siderolabs/image-factory/issues/164
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #9731
The wipe doesn't require a reboot, but it requires the blockdevice not
to be used as a volume.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
* print some progress
* properly save manifests for image refs which are both tagged and
digested
* skip pulling duplicate blobs
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
Drop the i915 and amdgpu drivers from the Talos rootfs; these will be packaged
as extensions containing both firmware and drivers.
Some modules like `ttm`, `i2c-algo-bit` etc. have been left in since they are used by both amdgpu and
i915, so it makes sense to keep them in plain Talos.
Part of: #9728
Signed-off-by: Noel Georgi <git@frezbo.dev>