Fixes#9615
The are no integration tests, this is to be addressed later.
I did manual tests so far.
Also includes first draft of the documentation.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
New config field `machine.network.searchDomains` supports specifying custom search domains.
For the node it will look something like this:
```
nameserver 127.0.0.53
search my-custom-search-name.com my-custom-search-name2.com
```
For the pods it will look something like this:
```
search default.svc.cluster.local svc.cluster.local cluster.local my-custom-search-name.com my-custom-search-name2.com
nameserver 10.96.0.10
options ndots:5
```
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
For 1.9, we keep it disabled until it gets more production ready in
1.10.
It still can be enabled with `selinux=1`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#9731
The wipe doesn't require a reboot, but it requires the blockdevice not
to be used as a volume.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Drop i915 and amdgpu drivers from Talos rootfs, these will be packaged
as extensions containing both firmware and drivers.
Some modules like `ttm`, `i2c-algo-bit` etc have been left off since they are used by both amdgpu and
i915, so makes sense to keep in plain talos.
Part of: #9728
Signed-off-by: Noel Georgi <git@frezbo.dev>
This should fix the problem of including bond members by MAC address
when MAC address changes as the link becomes part of the bond.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#9613
This has two changes:
* adjust Talos registry resolver to match containerd (CRI) resolver: use
by default upstream as a fallback
* add a machine config option to skip upstream as a fallback, and adjust
CRI configuration accordingly
See https://github.com/containerd/containerd/blob/main/docs/hosts.md#registry-configuration---examples
for details on CRI's `hosts.toml`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Rewrite matcher to take out old go-blockdevice library out of the way,
implementing translation from go-blockdevice format to CEL.
Implement facilities to build CEL expressions programmatically.
Now we can add a machine config disk match expression (CEL) easily.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Save `support.zip` always, also use a different folder for saving logs,
so we can save artifacts of multi cluster tests.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Conditionally mount selinuxfs only if it's present.
Fix AppArmor tests, `apparmor` and other minor LSM's and set
`apparmor=1`.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Part of: #9127
Label executables and processes, build, load and manage SELinux policy, enable audit support.
Labeling filesystems, devices and runtime files will be done in further changes, see the full PR.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Adds a auditd service that gathers all audit logs from kernel.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
This PR does those things:
- Fixes race condition where controller could potentially modify upstream, while other controller is copying its internals to the slice.
- Simplifies `run` function in `DNSUpstreamController` by removing all `Idx` handling.
- Removes `Idx` field from `DNSUpstream`. Upstreams are now sorted by their id with №X prefix.
- `Proxy` Stop is now called from the finalizer. In combination with iterators, this ensures that we only stop upstream when it's fully unreachable.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Fixes#9538
Re-do the implementation by using the volume management primitives, so
that we can avoid/skip old code. This should fix all issues related to
the partition/whole disk.
Fix issues in the volume management (exposed, as we haven't used it this
way before).
Build a test case in `talosctl cluster create` to inject machine config
via `metal-iso`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
