This aligns the nomenclature for filesystems like /dev and /proc with
what is used in the kernel code.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This creates an IMA policy at boot. It uses the default TCB policy with
a dont_measure rule for XFS.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This updates the kernel to make use of a version that has IMA
measurement and appraisal enabled. It is not yet enforced. Additionally,
this adds the securityfs mount at /sys/kernel/security.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This removes the github.com/pkg/errors package in favor of the official
error wrapping in go 1.13.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This package provides a consistent way for us to retry arbitrary logic.
It provides the following backoff algorithms:
- exponential
- linear
- constant
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
The gofumports does everything that gofumpt does with the addition of
formatting imports. This change proposes the use of the `-local` flag so
that we can have imports separated in the following order:
- standard library
- third party
- Talos specific
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
The gofumpt linter is a stricter drop-in replacement for gofmt. The
rules are ones that I strongly agree with and I think it would be better
if we added this linter instead of nit picking every PR.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This adds a well defined task for handling all overlay mount points that
are required by the system.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This moves to using BLKPG ioctl instead of BLKRRPART. BLKRRPART is older
and more sensitive to EBUSY errors. BLKPG has the potential to minimize
the changes of encountering an EBUSY error when manipulating partition
tables.
In looking at a comparison between BLKPG and BLKRRPART, it seems that
both have their pros and cons. Eventually a combination of the two may
serve us better, but for now I think BLKPG will get us further.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This changes the data partition name to something more appropriate. We
chose ephemeral to make it very clear that the disk should not be used
for application data.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This also includes a fix for #955 which had the unintended side effect
of breaking image creation ( since it would attempt to grow the filesystem
always ).
The refactor standardizes around looking for the DATA and ESP labels to
discover any existing installations/filesystems. If none are found, an
installation will proceed -- for both image creation and bare metal.
During bootup, the DATA partition will always attempt to expand/grow.
This also introduces a new phase to verify the installation through the
existance of /boot/installed ( migrated from install stage ).
Signed-off-by: Brad Beam <brad.beam@talos-systems.com>
This adds the logic for mounting the owned block device and resizing the
ephemeral partition for cloud platforms.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This change aims to make installations more unified and reliable. It
introduces the concept of a mountpoint manager that is capable of
mounting, unmounting, and moving a set of mountpoints in the correct
order.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This change aims to standardize the boot process. It introduces the
concept of a phase, which is comprised of tasks. Phases are ran in serial and
the tasks that make up a phase are ran concurrently.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
This uses the correct mount flag for read-only.
We mistakenly had the flag for opening a file as read-only.
Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>
