Ensure that SecureBoot enabled images come before regular ones.
With Ubuntu 24.04 `ovmf` package, due to the ordering of the search
paths `talosctl` might pick up a wrong image and disable SecureBoot.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
- replace `interface{}` with `any` using `gofmt -r 'interface{} -> any -w'`
- replace `a = []T{}` with `var a []T` where possible.
- replace `a = []T{}` with `a = make([]T, 0, len(b))` where possible.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The iscsi test broke when the new disks api was introduced making the
test pass always, now filter other only `iscsi` disk types using the new
disks API.
Signed-off-by: Noel Georgi <git@frezbo.dev>
When META has never been written (e.g. booted from a disk image), it
won't be detected as `talosmeta`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(This is not user-facing, but rather internal use of the kubeconfig in
the tests/inside the machine).
This was added 4 years ago as a workaround, but instead of a global
timeout we should rather use contexts with timeouts/deadlines (and we
do!).
Setting a global timeout breaks streaming Kubernetes pod logs.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Detect CD devices, and set size to 0 for CD without media.
In user disk wipe tests, skip device mapper devices and CD-ROM.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Uses go-siderolabs/go-blockdevice/v2 for all the hard parts,
provides new resource `Disk` which describes all disks in the system.
Additional resource `SystemDisk` always point to the system disk (based
on the location of `META` partition).
The `Disks` API (and `talosctl disks`) provides a view now into the
`talosctl get disks` to keep backwards compatibility.
QEMU provisioner can now create extra disks of various types: IDE, AHCI,
SCSI, NVME, this allows to test detection properly.
The new resource will be the foundation for volume provisioning (to pick
up the disk to provision the volume on).
Example:
```
talosctl -n 172.20.0.5 get disks
NODE NAMESPACE TYPE ID VERSION SIZE READ ONLY TRANSPORT ROTATIONAL WWID MODEL SERIAL
172.20.0.5 runtime Disk loop0 1 65568768 true
172.20.0.5 runtime Disk nvme0n1 1 10485760000 false nvme nvme.1b36-6465616462656566-51454d55204e564d65204374726c-00000001 QEMU NVMe Ctrl deadbeef
172.20.0.5 runtime Disk sda 1 10485760000 false virtio true QEMU HARDDISK
172.20.0.5 runtime Disk sdb 1 10485760000 false sata true t10.ATA QEMU HARDDISK QM00013 QEMU HARDDISK
172.20.0.5 runtime Disk sdc 1 10485760000 false sata true t10.ATA QEMU HARDDISK QM00001 QEMU HARDDISK
172.20.0.5 runtime Disk vda 1 12884901888 false virtio true
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use shared locks, discover more partitions, some other small changes.
Re-enable the flaky test.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Try to activate/deactivate watchdogs, change timeout, run only on QEMU.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
- By default, github.com/miekg/dns uses `dns.MinMsgSize` for UDP messages, which is 512 bytes. This is too small for some
DNS request/responses, and can cause truncation and errors. This change sets the buffer size to `dns.DefaultMsgSize`
4096 bytes, which is the maximum size of a dns packet payload per RFC 6891.
- We also retry the request if the response is truncated or previous connection was closed.
- And finally we properly handle the case where the response is larger than the client buffer size,
and we return a truncated correct response.
Closes#8763
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Note: this issue never happens with default Talos worker configuration
(generated by Omni, `talosctl gen config` or CABPT).
Before change https://github.com/siderolabs/talos/pull/4294 3 years ago,
worker nodes connected to trustd in "insecure" mode (without validating
the trustd server certificate). The change kept backwards compatibility,
so it still allowed insecure mode on upgrades.
Now it's time to break this compatibility promise, and require
accepted CAs to be always present. Adds validation for machine
configuration, so if upgrade is attempeted, it would not validate the
machine config without accepted CAs.
Now lack of accepted CAs would lead to failure to connect to trustd.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Run a health check before the test, as the test depends on CoreDNS being
healthy, and previous tests might disturb the cluster.
Also refactor by using watch instead of retries, make pods terminate
fast.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Provide a trace for each step of the reset sequence taken, so if one of
those fails, integration test produces a meaningful message instead of
proceeding and failing somewhere else.
More cleanup/refactor, should be functionally equivalent.
Fixes#8635
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
New package arrived in Go 1.22 which provides better rand primitives and functions.
Use it instead of the old one.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
More specifically, pick up `/etc/resolv.conf` contents by default when
in container mode, and use that as a base resolver for the host DNS.
Fixes#8303
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This fixes an issue with a single controlplane cluster.
Properly present all accepted CAs to the apiserver, in the test let the
cluster fully recovery between two CA rotations performed.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Dynamically map Kubernetes and Talos API ports to an available port on
the host, so every cluster gets its own unique set of parts.
As part of the changes, refactor the provision library and interfaces,
dropping old weird interfaces replacing with (hopefully) much more
descriprive names.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#8361
Talos requires v2 (circa 2008), but VMs are often configured to limit
the exposed features to the baseline (v1).
```
[ 0.779218] [talos] [initramfs] booting Talos v1.7.0-alpha.1-35-gef5bbe728-dirty
[ 0.779806] [talos] [initramfs] CPU: QEMU Virtual CPU version 2.5+, 4 core(s), 1 thread(s) per core
[ 0.780529] [talos] [initramfs] x86_64 microarchitecture level: 1
[ 0.781018] [talos] [initramfs] it might be that the VM is configured with an older CPU model, please check the VM configuration
[ 0.782346] [talos] [initramfs] x86_64 microarchitecture level 2 or higher is required, halting
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This allows to roll all nodes to use a new CA, to refresh it, or e.g.
when the `talosconfig` was exposed accidentally.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This controller combines kobject events, and scan of `/sys/block` to
build a consistent list of available block devices, updating resources
as the blockdevice changes.
Based on these resources the next step can run probe on the blockdevices
as they change to present a consistent view of filesystems/partitions.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The current code was stipping non-`v1alpha1.Config` documents. Provide a
proper method in the config provider, and update places using it.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
To be used in the `go-talos-support` module without importing the whole
Talos repo.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Let's add a very basic test for the Kata Containers extension, mimicing
what's already in place for gVisor.
This depends on the work being done in:
https://github.com/siderolabs/extensions/pull/279
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
Drop the Kubernetes manifests as static files clean up (this is only
needed for upgrades from 1.2.x).
Fix Talos handling of cgroup hierarchy: if started in container in a
non-root cgroup hiearachy, use that to handle proper cgroup paths.
Add a test for a simple TinK mode (Talos-in-Kubernetes).
Update the docs.
Fixes#8274
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
