Support generating unsigned UKIs.
Also plumb in support to `talosctl cluster create` to boot off UKIs.
This doesn't work yet as installer needs more work.
Signed-off-by: Noel Georgi <git@frezbo.dev>
This ensures that even in the event of a DHCP downtime that exceeds the
lease time, the current IP can be maintained.
Signed-off-by: TomyLobo <tomylobo@nurfuerspam.de>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded.
Fixes #10083
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Bring in parity with systemd 257 by supporting more UKI sections.
The output of `sd-measure` and our measure code will be different until
https://github.com/systemd/systemd/pull/35765 is fixed upstream.
Fixes: #10075
Signed-off-by: Noel Georgi <git@frezbo.dev>
The file which is exported back to source via `make generate` uses the
short tag (vX.Y.Z), while the one generated for the actual build comes
with the full version tag.
Fixes #8898
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The code from `talosctl` transitively imports the tpm package, so make it
build on non-Linux.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #10040
Sometimes etcd, after a 'server stopped' error, actually removes the member,
so the next attempt returns 'member not found'; ignore it, as our goal was
to remove the member.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
1. Don't set max cgroups limit if race mode is enabled (only in test
mode). When e.g. apid/trustd are built with race detector on, they
consume 10x the memory.
2. Fix a data race in `talosctl support` when showing UI progress.
3. Fix an issue pulling `kubeconfig` in `talosctl support` - pull from
endpoints (controlplanes) without setting any nodes.
Fixes #10036
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This should improve watch reliability, as it was failing on channel
being closed.
Fixes #10039
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Search domain should be domain name of the hostname, not the FQDN.
Bug introduced in #9844
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Make default args depend on quirks, and also pass quirks down to
platform code.
Reduces the amount of hacks, but it is functionally equivalent.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Mostly by using the new version of the `go-uefi` module and streaming instead of loading all at once.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
At the moment, we don't use/support aliases, but we might in the future.
Altnames are filled out by `systemd-udevd`.
This PR has two parts:
* show aliases & altnames in `LinkStatus`
* match links by aliases/altnames when we configure
addresses/routes/links
This should make a transition to `systemd-udevd` less painful if the
previous link name is in `altNames`.
Forked rtnetlink for https://github.com/jsimonetti/rtnetlink/pull/241
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The issue shows up in our tests as:
```
=== RUN TestIntegration/api.DiscoverySuite/TestRegistries
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
```
It should be a minor issue for non-KubeSpan'ed clusters (as members get
correctly de-duplicated), but might cause connectivity issues for
KubeSpan'ed clusters.
The issue comes from the short mount in the sequencer around
`loadConfig` step: as the mount time is short, it triggers a race in the
node identity controller when it tries to read existing identity from
`/system/state`, but as the partition is unmounted by the time it tries
to read, it assumes there's no identity and establishes a new one.
Eventually, it will write the new identity back to disk, but that new
identity is different from the previous one, so it creates another entry
for itself in the discovery service.
A proper solution is a volume mount controller, but a temporary band-aid
is to avoid broadcasting the mount notification for this short `STATE` mount
via resources, so that the controller isn't triggered.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fix generating and serving registries having a port in them.
This is needed to copy and serve imagecache from a vfat filesystem.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Scenario: copy contents of the ISO to the USB VFAT stick.
Make sure VFAT filesystem has a label `TALOS_*`.
Fixes #9936
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
There were two issues which showed up specifically under `race` tests:
1. As the address resources are added while the controller is running,
and `default` address is immutable (by design), insert the future
default address first, otherwise the controller might pick up another
one it sees first randomly.
2. There was a bug in accumulative address handling when the sort only
took addresses into account, ignoring prefix lengths.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
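The second point above (a sort keyed on the address alone) is easy to reproduce in isolation. The following is an added example, not Talos code: it contrasts a comparator that ignores the prefix length with one that orders by address and then by prefix length, using `netip.Prefix` from the standard library. The function names and the sample prefixes are hypothetical.

```go
package main

import (
	"cmp"
	"fmt"
	"net/netip"
	"slices"
)

// sortByAddrOnly reproduces the defect: prefixes that share an address but
// differ in length compare as equal, so their relative order depends on the
// input order (or, with an unstable sort, on the sort's internals).
func sortByAddrOnly(prefixes []netip.Prefix) []netip.Prefix {
	out := slices.Clone(prefixes)
	slices.SortFunc(out, func(a, b netip.Prefix) int {
		return a.Addr().Compare(b.Addr())
	})
	return out
}

// sortByAddrAndBits orders by address first and, on a tie, by prefix length,
// which yields a total order independent of how the input was presented.
func sortByAddrAndBits(prefixes []netip.Prefix) []netip.Prefix {
	out := slices.Clone(prefixes)
	slices.SortFunc(out, func(a, b netip.Prefix) int {
		if c := a.Addr().Compare(b.Addr()); c != 0 {
			return c
		}
		return cmp.Compare(a.Bits(), b.Bits())
	})
	return out
}

// samplePrefixes is constructed input (hypothetical addresses) containing the
// same address with two different prefix lengths.
func samplePrefixes() []netip.Prefix {
	return []netip.Prefix{
		netip.MustParsePrefix("10.0.0.1/32"),
		netip.MustParsePrefix("10.0.0.2/32"),
		netip.MustParsePrefix("10.0.0.1/24"),
	}
}

// reversed returns a copy of the input in reverse order, to feed the sorts
// the same set of prefixes in a different arrival order.
func reversed(prefixes []netip.Prefix) []netip.Prefix {
	out := slices.Clone(prefixes)
	slices.Reverse(out)
	return out
}

func main() {
	in := samplePrefixes()
	fmt.Println("addr only, forward: ", sortByAddrOnly(in))
	fmt.Println("addr only, reversed:", sortByAddrOnly(reversed(in)))
	fmt.Println("addr+bits, forward: ", sortByAddrAndBits(in))
	fmt.Println("addr+bits, reversed:", sortByAddrAndBits(reversed(in)))
}
```

Run it and the first two lines differ while the last two are identical; that difference is exactly what surfaces as a flaky result when a controller accumulates addresses in whatever order they arrive.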
This fixes an issue like that:
* the system disk is, say, 10 GiB
* STATE is fixed 100 MiB always
* EPHEMERAL is configured to be min 6 GiB, max 100 GiB
As the EPHEMERAL/STATE provisioning order was not defined, EPHEMERAL
might be created first, occupying whole disk and leaving no space left
for STATE.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
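The ordering problem described above can be shown with a small allocator. This is an added example, not the Talos partitioning code: `planInOrder` provisions partitions in whatever order they are listed and lets a growable partition take all remaining space, while `planFixedFirst` places fixed-size partitions first and reserves every partition's minimum before anything grows. The type and function names, and the sample disk layout, are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

const (
	MiB = 1 << 20
	GiB = 1 << 30
)

// PartitionSpec is a hypothetical description of a partition to provision.
// A fixed-size partition has MinSize == MaxSize; a growable one has
// MaxSize > MinSize (MaxSize == 0 means "bounded only by the disk").
type PartitionSpec struct {
	Label   string
	MinSize uint64
	MaxSize uint64
}

// Allocation is the size actually given to a partition.
type Allocation struct {
	Label string
	Size  uint64
}

func isFixed(s PartitionSpec) bool { return s.MinSize == s.MaxSize }

// planInOrder mirrors the undefined-order behaviour: partitions are carved
// in list order, and each growable partition takes as much of the remaining
// space as its MaxSize allows, so a later fixed partition can be starved.
func planInOrder(disk uint64, specs []PartitionSpec) ([]Allocation, error) {
	var out []Allocation
	free := disk
	for _, s := range specs {
		if s.MinSize > free {
			return out, fmt.Errorf("no space for %s: need %d bytes, %d free", s.Label, s.MinSize, free)
		}
		size := free
		if s.MaxSize != 0 && s.MaxSize < size {
			size = s.MaxSize
		}
		out = append(out, Allocation{Label: s.Label, Size: size})
		free -= size
	}
	return out, nil
}

// planFixedFirst stably moves fixed-size partitions ahead of growable ones,
// reserves every partition's MinSize up front, and only then lets growable
// partitions expand into what is left.
func planFixedFirst(disk uint64, specs []PartitionSpec) ([]Allocation, error) {
	ordered := append([]PartitionSpec(nil), specs...)
	sort.SliceStable(ordered, func(i, j int) bool {
		return isFixed(ordered[i]) && !isFixed(ordered[j])
	})

	var reserved uint64
	for _, s := range ordered {
		reserved += s.MinSize
	}
	if reserved > disk {
		return nil, fmt.Errorf("minimum sizes need %d bytes, disk has %d", reserved, disk)
	}

	free := disk - reserved
	var out []Allocation
	for _, s := range ordered {
		size := s.MinSize
		if !isFixed(s) {
			grow := free
			if s.MaxSize != 0 && s.MaxSize-s.MinSize < grow {
				grow = s.MaxSize - s.MinSize
			}
			size += grow
			free -= grow
		}
		out = append(out, Allocation{Label: s.Label, Size: size})
	}
	return out, nil
}

func main() {
	// Constructed layout matching the scenario: 10 GiB disk, EPHEMERAL listed
	// before the fixed 100 MiB STATE partition.
	specs := []PartitionSpec{
		{Label: "EPHEMERAL", MinSize: 6 * GiB, MaxSize: 100 * GiB},
		{Label: "STATE", MinSize: 100 * MiB, MaxSize: 100 * MiB},
	}
	got, err := planInOrder(10*GiB, specs)
	fmt.Println("in order:   ", got, err)
	got, err = planFixedFirst(10*GiB, specs)
	fmt.Println("fixed first:", got, err)
}
```

With the listed order, `planInOrder` hands all 10 GiB to EPHEMERAL and then fails on STATE; `planFixedFirst` gives STATE its 100 MiB and EPHEMERAL the rest.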
This commit adds runner options for priority, IO priority, scheduling policy. It also cleans up previously developed code for capabilities.
This is useful to launch background tasks such as xfs_scrub so as not to reduce system performance. We set nice 10 for the dashboard so that it gives priority to more important system services.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>