Support generating unsigned UKIs.
Also plumb in support to `talosctl cluster create` to boot off UKIs.
This doesn't work yet as installer needs more work.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #10097
See https://github.com/siderolabs/go-blockdevice/pull/121
I added an option to QEMU provisioner to create disks with custom block
sizes (supported for some disk types).
Unfortunately, this case can't be built as a regression as QEMU's
firmware boots fine with ESP partition at 256/1024/2048 LBA.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
1. Don't set max cgroups limit if race mode is enabled (only in test
mode). When e.g. apid/trustd are built with race detector on, they
consume 10x the memory.
2. Fix a data race in `talosctl support` when showing UI progress.
3. Fix an issue pulling `kubeconfig` in `talosctl support` - pull from
endpoints (controlplanes) without setting any nodes.
Fixes #10036
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Make default args depend on quirks, and also pass quirks down to
platform code.
Reduces the number of hacks, but it is functionally equivalent.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The problem was with the specific disk selector `!system_disk` - in the previous
implementation, as `system_disk` defaulted to false even if the system
disk was not known yet, this might result in picking up a disk which is
going to be the system disk before the system disk is picked.
In the new implementation, as `system_disk` is not set before it is
detected, the condition containing `system_disk` (in either way) would
fail to execute and volume provisioning will be delayed until the system disk
is detected.
Also:
Fixes #9809
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
* Save the image in OCI format, so the imager can use it either as OCI input or from
a registry.
* Support caching layers to a path, so subsequent runs are faster.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #9731
The wipe doesn't require a reboot, but it requires the blockdevice not
to be used as a volume.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Save `support.zip` always, also use a different folder for saving logs,
so we can save artifacts of multi cluster tests.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #9607
Use docker CLI syntax, support any kind of mounts supported by docker
CLI.
Also drop modules from `talos` container image, as it's useless to
provide modules in container mode.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #9538
Re-do the implementation by using the volume management primitives, so
that we can avoid/skip old code. This should fix all issues related to
the partition/whole disk.
Fix issues in the volume management (exposed, as we haven't used it this
way before).
Build a test case in `talosctl cluster create` to inject machine config
via `metal-iso`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Bring in new tools, pkgs, update Go dependencies and others.
In preparation for Talos 1.9.0-alpha.0.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add an option to `talosctl cluster create` to start a JSON log receiver,
and enable it optionally.
Enable in `integration-qemu`.
See #9510
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Unify usage of proto codec v2 across our projects.
Bump grpc library to 1.67.1 and ensure that it still works with HTTP/2 ALPN value changes.
For https://github.com/siderolabs/talos/issues/9404
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Modules pflag and cobra use csv.Reader for `StringSliceVar` method. This doesn't work well with JSON, and we do not need this at all.
Drop it.
Fixes #9493
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The new command `talosctl cgroups` fetches a cgroups snapshot from the
machine, parses it fully, enhances with additional information (e.g.
resolves pod names), and presents a customizable view of cgroups
configuration (e.g. limits) and current consumption.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Update tools, pkgs, extras.
Brings in Go 1.23.1, Linux 6.6.52, new xfsprogs, etc.
Fork docs.
Add new version contract, etc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Run SideroLink API server via TLS with self-signed certificate, inject
that certificate into Talos via `talos.config.inline=`.
Fix a couple of places where our special TLS root CA provider supporting
reloading on the fly was not used.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The initramfs unarchive won't work as its extension is `xz` while the
actual compression is `zst`.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Move META constants out to machinery, and fix up imports. The internal
`pkg/meta` package should not be consumed in public-facing commands.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This implements the first round of changes, replacing the volume backend
with the new implementation, while keeping most of the external
interfaces intact.
See #8367
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Update tools, pkgs, extras, Go dependencies, Go tools, etc.
Linux 6.6.47 and containerd 2.0.0-rc.4.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This will be useful for debugging the SELinux implementation. Make the API report other xattrs for further development like IMA/EVM.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Restructure code as per changes from #9198.
This brings the flag name in sync with what it actually does.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes https://github.com/siderolabs/extensions/issues/448
Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is
the default CNI in Talos) in the Talos `initramfs`.
With this change, no plugin install is required, so the `install-cni`
step is dropped from the Flannel default manifest.
The bundled plugins:
```
$ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/
NODE MODE UID GID SIZE(B) LASTMOD NAME
172.20.0.2 drwxr-xr-x 0 0 109 B 7 hours ago .
172.20.0.2 -rwxr-xr-x 0 0 3.2 MB 7 hours ago bridge
172.20.0.2 -rwxr-xr-x 0 0 3.3 MB 7 hours ago firewall
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago flannel
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago host-local
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago loopback
172.20.0.2 -rwxr-xr-x 0 0 2.8 MB 7 hours ago portmap
```
The `initramfs` for amd64 grows 67 -> 73 MiB with this change.
The path `/opt/cni/bin` is still an overlay mount, so extra plugins can
be dropped to this directory (no change here).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This patch adds a flag to `secureboot.database.Generate` to append the
Microsoft UEFI secure boot DB and KEK certificates to the appropriate
ESLs, in addition to complementary command line flags.
This patch also includes a copy of said Microsoft certificates. The
certificates are downloaded from an official Microsoft repo.
Signed-off-by: Jean-Francois Roy <jf@devklog.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #8995
There is no security impact, as the actual SecureBoot
state/configuration is measured into the PCR 7 and the disk encryption
key unsealing is tied to this value.
This is more to provide a way to avoid accidentally encrypting to the
TPM while SecureBoot is not enabled.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
- replace `interface{}` with `any` using `gofmt -r 'interface{} -> any -w'`
- replace `a = []T{}` with `var a []T` where possible.
- replace `a = []T{}` with `a = make([]T, 0, len(b))` where possible.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>