Fixes: #7081
Review all reservations and limits set, test under stress load (using
both memory and CPU).
The goal: system components (Talos itself) and runtime (kubelet, CRI)
should survive under extreme resource starvation (workloads consuming
all CPU/memory).
Uses #9337 to visualize changes, but doesn't depend on it.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is specifically for the glibc extension to support nvidia container
toolkit.
Signed-off-by: Jean-Francois Roy <jf@devklog.net>
Signed-off-by: Noel Georgi <git@frezbo.dev>
When a map key is deleted, it should be deleted as a whole.
Before the fix it was zeroing out map value by key.
Fixes#9325
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Run SideroLink API server via TLS with self-signed certificate, inject
that certificate into Talos via `talos.config.inline=`.
Fix a couple of place where our special TLS root CA provider supporting
reloading on the fly was not used.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The fix in #9233 wasn't correct, as it was looking for number of
replicas in a "random" ReplicaSet. If the deployment has multiple
replica sets, it leads to unexpected results.
Instead, read the Deployment resource directly.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
`List` returns a sorted (by id) list of resources. This doesn't work when the order of dns upstreams is important. Because of that
add an `Idx` field to the "DNSUpstreams.net.talos.dev" resource, so we can preserve order.
Fixes#9274
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Move META constants out to machinery, and fix up imports. The internal
`pkg/meta` package shold not be consumed in public-facing commands.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The previous code didn't work, as it was manipulating args before they
were reset by the platform.
Also it was producing wrong order of console args.
Both fixed, plus a unit-test.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This implements the first round of changes, replacing the volume backend
with the new implementation, while keeping most of the external
interfaces intact.
See #8367
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Pause sequencer till the boot timeout if talos is booted from ISO/PXE, but
an existing talos is installed to disk and
`talos.iso.boot.halt_if_installed` kernel argument is set.
Fixes: #9232
Signed-off-by: Noel Georgi <git@frezbo.dev>
Kaniko adds an entry for the root folder `/` in its tarballs.
Processing the file causes the process to hang when trying to
recreate the destination directory.
The root directory already exists, so it triggers an error, but as the
errors were not correctly propagated, the process hangs forever.
Fix both issues.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Update tools, pkgs, extras, Go dependencies, Go tools, etc.
Linux 6.6.47 and containerd 2.0.0-rc.4.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Explicitly enable access to host DNS from pod/service IPs.
Also fix the Kubernetes health checks to assert number of ready pods to
match expectation, otherwise the check might skip a pod (e.g.
`kube-proxy` one) which is not ready, allowing the test to proceed too
early.
Update DNS test to print more logs on error.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This will be useful for debugging SELinux implementation. Make API report other xattrs for further development like IMA/EVM
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
This option must be defined at the proto level in order to have an
import path that is reasonably usable
Signed-off-by: Eddie Zaneski <eddiezane@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is an attempt to fix many issues related with trying to use Service
IP for host DNS.
Fixes#9196
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Re-structure k8s components health checks so that K8s health can be
independently checked without auxiliary components being up.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes#9092
This is a workaround for broken hardware drivers (e.g. RAID
controllers), which report settled event too early.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes https://github.com/siderolabs/extensions/issues/448
Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is
the default CNI in Talos) in the Talos `initramfs`.
With this change, no plugin install is required, so the `install-cni`
step is dropped from the Flannel default manifest.
The bundled plugins:
```
$ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/
NODE MODE UID GID SIZE(B) LASTMOD NAME
172.20.0.2 drwxr-xr-x 0 0 109 B 7 hours ago .
172.20.0.2 -rwxr-xr-x 0 0 3.2 MB 7 hours ago bridge
172.20.0.2 -rwxr-xr-x 0 0 3.3 MB 7 hours ago firewall
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago flannel
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago host-local
172.20.0.2 -rwxr-xr-x 0 0 2.4 MB 7 hours ago loopback
172.20.0.2 -rwxr-xr-x 0 0 2.8 MB 7 hours ago portmap
```
The `initramfs` for amd64 grows 67 -> 73 MiB with this change.
The path `/opt/cni/bin` is still an overlay mount, so extra plugins can
be dropped to this directory (no change here).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Put Talos version in the ISO volume ID and volumeset ID.
Volume ID is restricted on valid characters, while volumeset ID is not
restricted (Unicode).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Support `unsupported` flag for mkfs, so that `STATE` partition with size
less than 300M can be created by `mkfs.xfs`.
This allows to bring in newer `xfsprogs` that can repair corrupted FS
better.
Signed-off-by: Noel Georgi <git@frezbo.dev>
This is required in Image Factory to manipulate properly the imager
profile when enabling an option for well-known UEFI certificates.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The main etcd tag is now multiarch so the special case isn't needed.
Signed-off-by: Steven Fackler <sfackler@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
