It all started debugging the issue on Talos being stuck on reboot when
`talosctl logs -f kubelet` is being used.
Fixes:
* abort goroutine runner even if the goroutine doesn't terminate - we
have no way to force termination, so at least don't hang forever
* align timeouts for apid/trustd for graceful termination - so that at
least the service is not SIGKILLed while it does its own graceful
shutdown
* in stream chunker, act on canceled context immediately instead of
relying on `Read` to return: with `logs -f` the reader will block
forever waiting for new logs
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #9820
This only affects volumes with multiple key slots configured.
Make sync issues non-fatal, so that if some keys fail to sync, proceed
with normal boot, but record an error in the `VolumeStatus` resource.
When opening, correctly try all key slots.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
For 1.9, we keep it disabled until it gets more production ready in
1.10.
It still can be enabled with `selinux=1`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Implement SELinux labeling support in EtcFileController, label both squashfs and runtime-created files in /etc and /system/etc.
Add corresponding test cases.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Implement a feature flag, a resource which controls the flow.
This controls the volume configuration, mounting, etc.
Fixes #9767
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
* Save image in OCI format, so imager can either use as OCI input or from
a registry.
* Support caching layers to a path, so subsequent runs are faster
Signed-off-by: Noel Georgi <git@frezbo.dev>
Label mounted filesystems like ephemeral, overlay mounts, as well as data directories (going to become volumes later).
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Always add directory entries to tarball.
Handle directories vs. files in tarball `build`.
Use the source file info to set file permissions.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #9731
The wipe doesn't require a reboot, but it requires the blockdevice not
to be used as a volume.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
* print some progress
* properly save manifests for image refs which are both tagged and
digested
* skip pulling duplicate blobs
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
This should fix the problem of including bond members by MAC address
when MAC address changes as the link becomes part of the bond.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
I added those in the early days of the current policy development, yet there was no use for them. This change simplifies the policy and handling of labels.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Fixes #9691
This closes the race between the node registration and the moment
`NodeApplyController` would apply the taint.
As the taint is exactly the same as the one added by `NodeApplyController`, it will
be owned by the controller, so it can be removed if
`allowSchedulingOnControlplanes` is enabled in the machine config while
the cluster is running.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #9613
This has two changes:
* adjust Talos registry resolver to match containerd (CRI) resolver: by
default, use upstream as a fallback
* add a machine config option to skip upstream as a fallback, and adjust
CRI configuration accordingly
See https://github.com/containerd/containerd/blob/main/docs/hosts.md#registry-configuration---examples
for details on CRI's `hosts.toml`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is going to be used to detect disks that are safe to wipe.
For blockdevices, track secondaries as direct references, e.g. encrypted
`STATE` partition might have secondary `vda5`.
For disks, re-map secondaries to be whole device names, e.g. `vda`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Addresses a combination of old and recent changes that prevents qemu provisioning on
ArchLinux by adding a default search path and the filenames the package
maintainer used.
Signed-off-by: Sam Stelfox <sstelfox@bedroomprogrammers.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Rewrite matcher to take the old go-blockdevice library out of the way,
implementing translation from go-blockdevice format to CEL.
Implement facilities to build CEL expressions programmatically.
Now we can add a machine config disk match expression (CEL) easily.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Save `support.zip` always, also use a different folder for saving logs,
so we can save artifacts of multi cluster tests.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Dashboard now shows the active frequency of each CPU core when cpufreq
is available on non-virtualized systems, enhancing real-time accuracy.
Solves the issue of displaying 0 MHz on certain SBCs due to
/proc/cpuinfo limitations.
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Combine the checks for bonded and bridged interfaces to avoid code
duplication. Add new test case for addresses on bridged interfaces.
Update test cases to match rephrased error messages.
Fix test case implementation for addresses on bonded interfaces to
include eth2 which was configured but not used in the test.
Signed-off-by: Joakim Nohlgård <joakim@nohlgard.se>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Conditionally mount selinuxfs only if it's present.
Fix AppArmor tests, `apparmor` and other minor LSMs, and set
`apparmor=1`.
Signed-off-by: Noel Georgi <git@frezbo.dev>