feat: update kernel to 5.9.13, new KSPP requirements

Pulls in following changes: * https://github.com/talos-systems/toolchain/pull/20 * https://github.com/talos-systems/tools/pull/116 * https://github.com/talos-systems/pkgs/pull/214 * https://github.com/talos-systems/pkgs/pull/215 * https://github.com/talos-systems/pkgs/pull/216 * https://github.com/talos-systems/pkgs/pull/217 * https://github.com/talos-systems/go-procfs/pull/4 New empty amd64 images for u-boot & rpi-firmware reduce the size of amd64 installer image. For backwards compatibility QEMU provisioner still injects "legacy" KSPP kernel args into initial boot environment. Installer correctly upgrades KSPP options when moving from one version of Talos to another. Signed-off-by: Andrey Smirnov <smirnov.andrey@gmail.com>
2020-12-10 17:10:06 +03:00 · 2020-12-10 17:10:06 +03:00 · 80184393bc
commit 80184393bc
parent 54ed80e244
17 changed files with 51 additions and 30 deletions
--- a/4
+++ b/4
@ -8,8 +8,8 @@ REGISTRY_AND_USERNAME := $(REGISTRY)/$(USERNAME)
 DOCKER_LOGIN_ENABLED ?= true

 ARTIFACTS := _out
-TOOLS ?= ghcr.io/talos-systems/tools:v0.3.0-12-g0eb84c1
-PKGS ?= v0.3.0-50-g18423fa
+TOOLS ?= ghcr.io/talos-systems/tools:v0.3.0-13-g05b7372
+PKGS ?= v0.3.0-54-gf5baaab
 EXTRAS ?= v0.1.0-6-gdc32cc8
 GO_VERSION ?= 1.15
 GOFUMPT_VERSION ?= abc0db2c416aca0f60ea33c23c76665f6e7ba0b6
--- a/cmd/installer/cmd/iso.go
+++ b/cmd/installer/cmd/iso.go
@ -29,7 +29,7 @@ terminal_output console
 menuentry "Talos ISO" {
 	set gfxmode=auto
 	set gfxpayload=text
-	linux /boot/vmlinuz page_poison=1 slab_nomerge slub_debug=P pti=on panic=0 consoleblank=0 earlyprintk=ttyS0 console=tty0 console=ttyS0 talos.platform=metal
+	linux /boot/vmlinuz init_on_alloc=1 init_on_free=1 slab_nomerge pti=on panic=0 consoleblank=0 earlyprintk=ttyS0 console=tty0 console=ttyS0 talos.platform=metal
 	initrd /boot/initramfs.xz
 }`)

--- a/cmd/installer/pkg/install/install.go
+++ b/cmd/installer/pkg/install/install.go
@ -49,12 +49,13 @@ func Install(p runtime.Platform, seq runtime.Sequence, opts *Options) (err error
 		return err
 	}

+	// first defaults, then extra kernel args to allow extra kernel args to override defaults
+	cmdline.AppendDefaults()
+
 	if err = cmdline.AppendAll(opts.ExtraKernelArgs); err != nil {
 		return err
 	}

-	cmdline.AppendDefaults()
-
 	i, err := NewInstaller(cmdline, seq, opts)
 	if err != nil {
 		return err
--- a/go.mod
+++ b/go.mod
@ -61,7 +61,7 @@ require (
 	github.com/talos-systems/crypto v0.2.1-0.20201203131813-e0dd56ac4745
 	github.com/talos-systems/go-blockdevice v0.1.1-0.20201204153756-943b08bc32a2
 	github.com/talos-systems/go-loadbalancer v0.1.0
-	github.com/talos-systems/go-procfs v0.0.0-20200219015357-57c7311fdd45
+	github.com/talos-systems/go-procfs v0.0.0-20201210152942-5a9a4a75d559
 	github.com/talos-systems/go-retry v0.1.1-0.20201113203059-8c63d290a688
 	github.com/talos-systems/go-smbios v0.0.0-20200807005123-80196199691e
 	github.com/talos-systems/grpc-proxy v0.2.0
--- a/go.sum
+++ b/go.sum
@ -933,8 +933,8 @@ github.com/talos-systems/go-blockdevice v0.1.1-0.20201204153756-943b08bc32a2 h1:
 github.com/talos-systems/go-blockdevice v0.1.1-0.20201204153756-943b08bc32a2/go.mod h1:efEE9wjtgxiovqsZAV39xlOd/AOI/0sLuZqb5jEgeqo=
 github.com/talos-systems/go-loadbalancer v0.1.0 h1:MQFONvSjoleU8RrKq1O1Z8CyTCJGd4SLqdAHDlR6o9s=
 github.com/talos-systems/go-loadbalancer v0.1.0/go.mod h1:D5Qjfz+29WVjONWECZvOkmaLsBb3f5YeWME0u/5HmIc=
-github.com/talos-systems/go-procfs v0.0.0-20200219015357-57c7311fdd45 h1:FND/LgzFHTBdJBOeZVzdO6B47kxQZvSIzb9AMIXYotg=
-github.com/talos-systems/go-procfs v0.0.0-20200219015357-57c7311fdd45/go.mod h1:ATyUGFQIW8OnbnmvqefZWVPgL9g+CAmXHfkgny21xX8=
+github.com/talos-systems/go-procfs v0.0.0-20201210152942-5a9a4a75d559 h1:wHuwJhQa20pD0Re+Ucpr0ec+om/b0GgPcpvTwRHSR3o=
+github.com/talos-systems/go-procfs v0.0.0-20201210152942-5a9a4a75d559/go.mod h1:ATyUGFQIW8OnbnmvqefZWVPgL9g+CAmXHfkgny21xX8=
 github.com/talos-systems/go-retry v0.1.0/go.mod h1:HiXQqyVStZ35uSY/MTLWVvQVmC3lIW2MS5VdDaMtoKM=
 github.com/talos-systems/go-retry v0.1.1-0.20201113203059-8c63d290a688 h1:U5wFGj5LXt/r+qfy1nGftQxJvEbg/lVJuasHKtk3K7s=
 github.com/talos-systems/go-retry v0.1.1-0.20201113203059-8c63d290a688/go.mod h1:HiXQqyVStZ35uSY/MTLWVvQVmC3lIW2MS5VdDaMtoKM=
--- a/hack/test/digitalrebar/bootenv.yaml
+++ b/hack/test/digitalrebar/bootenv.yaml
@ -45,7 +45,7 @@ Templates:
 Kernel: 'vmlinuz'
 Initrds:
  - 'initramfs.xz'
-BootParams: 'console=tty0 ip=dhcp modules=loop,squashfs nomodeset page_poison=1 slab_nomerge slub_debug=P pti=on ima_template=ima-ng ima_appraise=fix ima_hash=sha512 talos.platform=metal talos.config={{ .ProvisionerURL }}/files/{{.Param "talos/role"}}.yaml'
+BootParams: 'console=tty0 ip=dhcp modules=loop,squashfs nomodeset init_on_alloc=1 init_on_free=1 slab_nomerge pti=on ima_template=ima-ng ima_appraise=fix ima_hash=sha512 talos.platform=metal talos.config={{ .ProvisionerURL }}/files/{{.Param "talos/role"}}.yaml'
 RequiredParams: []
 OptionalParams:
  - 'talos/role'
--- a/hack/test/libvirt/matchbox/profiles/controlplane.json
+++ b/hack/test/libvirt/matchbox/profiles/controlplane.json
@ -6,9 +6,9 @@
    "initrd": ["/assets/initramfs.xz"],
    "args": [
      "initrd=initramfs.xz",
-      "page_poison=1",
+      "init_on_alloc=1",
+      "init_on_free=1",
      "slab_nomerge",
-      "slub_debug=P",
      "pti=on",
      "ima_template=ima-ng",
      "ima_appraise=fix",
--- a/hack/test/libvirt/matchbox/profiles/default.json
+++ b/hack/test/libvirt/matchbox/profiles/default.json
@ -6,9 +6,9 @@
    "initrd": ["/assets/initramfs.xz"],
    "args": [
      "initrd=initramfs.xz",
-      "page_poison=1",
+      "init_on_alloc=1",
+      "init_on_free=1",
      "slab_nomerge",
-      "slub_debug=P",
      "pti=on",
      "ima_template=ima-ng",
      "ima_appraise=fix",
--- a/hack/test/libvirt/matchbox/profiles/init.json
+++ b/hack/test/libvirt/matchbox/profiles/init.json
@ -6,9 +6,9 @@
    "initrd": ["/assets/initramfs.xz"],
    "args": [
      "initrd=initramfs.xz",
-      "page_poison=1",
+      "init_on_alloc=1",
+      "init_on_free=1",
      "slab_nomerge",
-      "slub_debug=P",
      "pti=on",
      "ima_template=ima-ng",
      "ima_appraise=fix",
--- a/hack/test/qemu/qemu.sh
+++ b/hack/test/qemu/qemu.sh
@ -38,6 +38,6 @@ qemu-system-x86_64 \
    -nographic \
    -serial mon:stdio \
    -cdrom ${ISO} \
-    -append "talos.platform=metal page_poison=1 slub_debug=P slab_nomerge pti=on printk.devkmsg=on earlyprintk=serial,tty0,keep console=tty0 talos.config=metal-iso" \
+    -append "talos.platform=metal init_on_alloc=1 init_on_free=1 slab_nomerge pti=on printk.devkmsg=on earlyprintk=serial,tty0,keep console=tty0 talos.config=metal-iso" \
    -kernel ${KERNEL} \
    -initrd ${INITRD}
--- a/internal/pkg/kernel/kspp/kspp.go
+++ b/internal/pkg/kernel/kspp/kspp.go
@ -16,9 +16,11 @@ import (
 // RequiredKSPPKernelParameters is the set of kernel parameters required to
 // satisfy the KSPP.
 var RequiredKSPPKernelParameters = procfs.Parameters{
-	procfs.NewParameter("page_poison").Append("1"),
+	// init_on_alloc and init_on_free are not enforced, as they default to '1' in kernel config
+	// this way they can be overridden via installer extra args in case of severe performance issues
+	// procfs.NewParameter("init_on_alloc").Append("1"),
+	// procfs.NewParameter("init_on_free").Append("1"),
 	procfs.NewParameter("slab_nomerge").Append(""),
-	procfs.NewParameter("slub_debug").Append("P"),
 	procfs.NewParameter("pti").Append("on"),
 }

--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@ -14,7 +14,7 @@ import (

 const (
 	// DefaultKernelVersion is the default Linux kernel version.
-	DefaultKernelVersion = "5.9.11-talos"
+	DefaultKernelVersion = "5.9.13-talos"

 	// KernelParamConfig is the kernel parameter name for specifying the URL.
 	// to the config.
--- a/pkg/provision/providers/qemu/node.go
+++ b/pkg/provision/providers/qemu/node.go
@ -63,6 +63,11 @@ func (p *provisioner) createNode(state *vm.State, clusterReq provision.ClusterRe

 	cmdline := procfs.NewDefaultCmdline()

+	// backwards compatibility to boot initrd from Talos < 0.8
+	// we can remove it once we stop testing upgrades from versions < 0.8
+	cmdline.Append("slub_debug", "P")
+	cmdline.Append("page_poison", "1")
+
 	// required to get kernel console
 	cmdline.Append("console", arch.Console())

--- a/website/content/docs/v0.8/Bare
+++ b/website/content/docs/v0.8/Bare
@ -20,9 +20,9 @@ These assets can be downloaded from a given [release](https://github.com/talos-s
 The following is a list of kernel parameters required by Talos:

 - `talos.platform`: set this to `packet`
- `page_poison=1`: required by KSPP
+- `init_on_alloc=1`: required by KSPP
+- `init_on_free=1`: required by KSPP
 - `slab_nomerge`: required by KSPP
- `slub_debug=P`: required by KSPP
 - `pti=on`: required by KSPP

 ### User Data
--- a/website/content/docs/v0.8/Bare
+++ b/website/content/docs/v0.8/Bare
@ -62,9 +62,9 @@ Download these files from the [release](https://github.com/talos-systems/talos/r
    "initrd": ["/assets/initramfs.xz"],
    "args": [
      "initrd=initramfs.xz",
-      "page_poison=1",
+      "init_on_alloc=1",
+      "init_on_free=1",
      "slab_nomerge",
-      "slub_debug=P",
      "pti=on",
      "console=tty0",
      "console=ttyS0",
@ -89,9 +89,9 @@ Download these files from the [release](https://github.com/talos-systems/talos/r
    "initrd": ["/assets/initramfs.xz"],
    "args": [
      "initrd=initramfs.xz",
-      "page_poison=1",
+      "init_on_alloc=1",
+      "init_on_free=1",
      "slab_nomerge",
-      "slub_debug=P",
      "pti=on",
      "console=tty0",
      "console=ttyS0",
@ -114,9 +114,9 @@ Download these files from the [release](https://github.com/talos-systems/talos/r
    "initrd": ["/assets/initramfs.xz"],
    "args": [
      "initrd=initramfs.xz",
-      "page_poison=1",
+      "init_on_alloc=1",
+      "init_on_free=1",
      "slab_nomerge",
-      "slub_debug=P",
      "pti=on",
      "console=tty0",
      "console=ttyS0",
--- a/website/content/docs/v0.8/Introduction/getting-started.md
+++ b/website/content/docs/v0.8/Introduction/getting-started.md
@ -18,9 +18,9 @@ The following is a list of kernel parameters required by Talos:

 - `talos.config`: the HTTP(S) URL at which the machine data can be found
 - `talos.platform`: can be one of `aws`, `azure`, `container`, `digitalocean`, `gcp`, `metal`, `packet`, or `vmware`
- `page_poison=1`: required by KSPP
+- `init_on_alloc=1`: required by KSPP
+- `init_on_free=1`: required by KSPP
 - `slab_nomerge`: required by KSPP
- `slub_debug=P`: required by KSPP
 - `pti=on`: required by KSPP

 ## CLI
--- a/website/content/docs/v0.8/Learn
+++ b/website/content/docs/v0.8/Learn
@ -110,6 +110,19 @@ automatically?

 We provide the [Talos Controller Manager](https://github.com/talos-systems/talos-controller-manager) to perform this maintenance in a simple, controllable fashion.

+## Upgrade Notes for Talos 0.8
+
+Talos 0.8 comes with new [KSPP requirements](https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings) compliance check.
+
+Following kernel arguments are mandatory for Talos to boot successfully:
+
+- `init_on_alloc=1`: required by KSPP
+- `init_on_free=1`: required by KSPP
+- `slab_nomerge`: required by KSPP
+- `pti=on`: required by KSPP
+
+Talos installer automatically injects those args while installing Talos, so this mostly is required when PXE booting Talos.
+
 ## Kubernetes

-Kubernetes upgrades with Talos also start with an API call.
+Kubernetes upgrades with Talos are covered in a [separate document](../../guides/upgrading-kubernetes/).