For 1.9, we keep it disabled until it gets more production ready in
1.10.
It still can be enabled with `selinux=1`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#9731
The wipe doesn't require a reboot, but it requires the blockdevice not
to be used as a volume.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Drop i915 and amdgpu drivers from Talos rootfs, these will be packaged
as extensions containing both firmware and drivers.
Some modules like `ttm`, `i2c-algo-bit` etc have been left off since they are used by both amdgpu and
i915, so makes sense to keep in plain talos.
Part of: #9728
Signed-off-by: Noel Georgi <git@frezbo.dev>
This should fix the problem of including bond members by MAC address
when MAC address changes as the link becomes part of the bond.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#9613
This has two changes:
* adjust Talos registry resolver to match containerd (CRI) resolver: use
by default upstream as a fallback
* add a machine config option to skip upstream as a fallback, and adjust
CRI configuration accordingly
See https://github.com/containerd/containerd/blob/main/docs/hosts.md#registry-configuration---examples
for details on CRI's `hosts.toml`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Rewrite matcher to take out old go-blockdevice library out of the way,
implementing translation from go-blockdevice format to CEL.
Implement facilities to build CEL expressions programmatically.
Now we can add a machine config disk match expression (CEL) easily.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Save `support.zip` always, also use a different folder for saving logs,
so we can save artifacts of multi cluster tests.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Conditionally mount selinuxfs only if it's present.
Fix AppArmor tests, `apparmor` and other minor LSM's and set
`apparmor=1`.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Part of: #9127
Label executables and processes, build, load and manage SELinux policy, enable audit support.
Labeling filesystems, devices and runtime files will be done in further changes, see the full PR.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Adds a auditd service that gathers all audit logs from kernel.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
This PR does those things:
- Fixes race condition where controller could potentially modify upstream, while other controller is copying its internals to the slice.
- Simplifies `run` function in `DNSUpstreamController` by removing all `Idx` handling.
- Removes `Idx` field from `DNSUpstream`. Upstreams are now sorted by their id with №X prefix.
- `Proxy` Stop is now called from the finalizer. In combination with iterators, this ensures that we only stop upstream when it's fully unreachable.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Fixes#9538
Re-do the implementation by using the volume management primitives, so
that we can avoid/skip old code. This should fix all issues related to
the partition/whole disk.
Fix issues in the volume management (exposed, as we haven't used it this
way before).
Build a test case in `talosctl cluster create` to inject machine config
via `metal-iso`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Bring in new tools, pkgs, update Go dependencies and others.
In preparation for Talos 1.9.0-alpha.0.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add an option to `talosctl cluster create` to start a JSON log receiver,
and enabled it optionally.
Enable in `integration-qemu`.
See #9510
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Unify usage of proto codec v2 across our projects.
Bump grpc library to 1.67.1 and ensure that we it still works with HTTP/2 ALPN value changes.
For https://github.com/siderolabs/talos/issues/9404
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The new command `talosctl cgroups` fetches cgroups snapshot from the
machine, parses it fully, enhances with additional information (e.g.
resolves pod names), and presents a customizable view of cgroups
configuration (e.g. limits) and current consumption.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is to suppress warnings on failure to load plugins, which were
harmless, but confusing.
Fixes#9393
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
