Support generating unsigned UKIs.
Also plumb in support to `talosctl cluster create` to boot off UKIs.
This doesn't work yet as installer needs more work.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded.
Fixes #10083
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Bring in parity with systemd 257 by supporting more UKI sections.
The output of `sd-measure` and our measure code will be different until
https://github.com/systemd/systemd/pull/35765 is fixed upstream.
Fixes: #10075
Signed-off-by: Noel Georgi <git@frezbo.dev>
The code from `talosctl` transitively imports the tpm package, so make it
build on non-Linux.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #10040
Sometimes etcd after a 'server stopped' error actually removes a member,
so the next attempt returns member not found; ignore it, as our goal was
to remove a member.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Make default args depend on quirks, and also pass quirks down to
platform code.
Reduces the amount of hacks, but it is functionally equivalent.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Mostly by using new version of `go-uefi` module and streaming instead of loading all at once.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The issue shows up in our tests as:
```
=== RUN TestIntegration/api.DiscoverySuite/TestRegistries
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
discovery.go:210: waiting for cluster affiliates to be discovered: 4 expected, 6 found
```
It should be a minor issue for non-KubeSpan'ed clusters (as members get
correctly de-duplicated), but might cause connectivity issues for
KubeSpan'ed clusters.
The issue comes from the short mount in the sequencer around
`loadConfig` step: as the mount time is short, it triggers a race in the
node identity controller when it tries to read existing identity from
`/system/state`, but as the partition is unmounted by the time it tries
to read, it assumes there's no identity and establishes a new one.
Eventually, it will write the new identity back to disk, but that new
identity is different from the previous one, so it creates another entry
for itself in the discovery service.
A proper solution is a volume mount controller, but a temporary band-aid
is to avoid broadcasting mount notification for this short `STATE` mount
via resources, so that the controller isn't triggered.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fix building on SELinux systems. Extracting xattrs led to return code 2 as a non-critical error. This should not influence extension build.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Fixes #9820
This only affects volumes with multiple key slots configured.
Make sync issues non-fatal, so that if some keys fail to sync, proceed
with normal boot, but record an error in the `VolumeStatus` resource.
When opening, correctly try all key slots.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #8074
One part of the fix is to wait for udevd to be ready, as anyway, before
udevd is ready, network interfaces are not ready, so sync is not
possible.
Second part is that now u-root's rtc package supports closing rtc
devices, so we can properly open/close it as part of the sync loop (vs.
previous workaround with sync.Once).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Implement SELinux labeling support in EtcFileController, label both squashfs and runtime-created files in /etc and /system/etc.
Add corresponding test cases.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Implement a feature flag, a resource which controls the flow.
This controls the volume configuration, mounting, etc.
Fixes #9767
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Label mounted filesystems like ephemeral, overlay mounts, as well as data directories (going to become volumes later).
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Do not do string lookups in repetitive calls. We do not support changing SELinux status during runtime, so once we read this we can assume status does not change.
Also avoid unneeded FS writes when appropriate label is already set on file.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
I added those in the early days of the current policy development, yet there was no use for them. This change simplifies the policy and handling of labels.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Fixes #9613
This has two changes:
* adjust Talos registry resolver to match containerd (CRI) resolver: use
by default upstream as a fallback
* add a machine config option to skip upstream as a fallback, and adjust
CRI configuration accordingly
See https://github.com/containerd/containerd/blob/main/docs/hosts.md#registry-configuration---examples
for details on CRI's `hosts.toml`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #8900
Closes #9687
(contains splitting of late mounts)
The benefits:
* tasks run _before_ controllers are started
* tasks can register `defer` to undo actions
This decomposes sequencer tasks a bit.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Split from #9596 (without IPv6 stuff). This PR does these things:
- Refactored `DNSResolveCacheController`. Most of the logic moved to `dns` package types. Simplified and streamlined the logic.
- Replace most of the goroutine orchestration with suture package.
- Support per-item reaction to the dns listeners/servers failing to start. This allows us to ignore IPv6 errors if it's disabled.
- Support per-item reaction to the dns listeners/servers failing to stop.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Dashboard now shows the active frequency of each CPU core when cpufreq
is available on non-virtualized systems, enhancing real-time accuracy.
Solves the issue of displaying 0 MHz on certain SBCs due to
/proc/cpuinfo limitations.
Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Conditionally mount selinuxfs only if it's present.
Fix AppArmor tests, `apparmor` and other minor LSMs, and set
`apparmor=1`.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Part of: #9127
Label executables and processes, build, load and manage SELinux policy, enable audit support.
Labeling filesystems, devices and runtime files will be done in further changes, see the full PR.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
After a fix a while ago, the condition was hard to understand - but we
should skip this block as long as there's no TLS config, which might
mean either being nil or having default values.
I found this while debugging #9594, but it doesn't change anything.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Re-design some methods, simplify flows and allow more simple
interactions.
Learn from mistakes and design better methods.
Fixes #9471
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This PR does these things:
- Fixes a race condition where a controller could potentially modify upstream while another controller is copying its internals to the slice.
- Simplifies `run` function in `DNSUpstreamController` by removing all `Idx` handling.
- Removes `Idx` field from `DNSUpstream`. Upstreams are now sorted by their id with №X prefix.
- `Proxy` Stop is now called from the finalizer. In combination with iterators, this ensures that we only stop upstream when it's fully unreachable.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>