If you would like to get an account, please write an email to the Administrator. User accounts are meant only to access the repo and to report issues and/or open pull requests.
This is a purpose-specific Git hosting for BaseALT projects. Thank you for your understanding!
Only registered users have access to the service!
To obtain an account, contact the administrator.
Generating YAML using text templates is going to stop working because of
proper escaping.
Also fix an unrelated issue with the `cloud.google.com/go` module which got
split into submodules, and now these conflict with each other.
Fixes #7180
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This patch adds a flag to `secureboot.database.Generate` to append the
Microsoft UEFI secure boot DB and KEK certificates to the appropriate
ESLs, in addition to complementary command line flags.
This patch also includes a copy of said Microsoft certificates. The
certificates are downloaded from an official Microsoft repo.
Signed-off-by: Jean-Francois Roy <jf@devklog.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes #8690
Consider the following scenario (e.g. OpenStack): platform issues a
correct list of DNS servers, which includes both IPv4 and IPv6
resolvers, and configures DHCPv4 on the interface.
DHCPv4 returns a set of IPv4 resolvers (as it can't return IPv6 ones),
and this list completely overrides the list from the platform, wiping
out the IPv6 resolvers completely.
With this change, the merge process is smarter: for example, it tries to
preserve IPv6 resolvers if the next layer provides no IPv6 resolvers.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
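The per-address-family merge described in the commit message above, as an added example that is not Talos code: each later layer overrides the earlier one only for the address families it actually carries, so a DHCPv4 layer with IPv4-only resolvers leaves the platform's IPv6 resolvers in place. The `Layer` type, the function names and the sample addresses are this example's own constructions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Layer is a constructed source of resolvers, listed in priority order
// (lowest first). The names mimic the scenario in the commit message
// (platform, then DHCPv4); the type itself is hypothetical, not Talos's.
type Layer struct {
	Name      string
	Resolvers []netip.Addr
}

// splitByFamily separates resolvers into IPv4 (including IPv4-mapped IPv6)
// and IPv6 lists.
func splitByFamily(addrs []netip.Addr) (v4, v6 []netip.Addr) {
	for _, a := range addrs {
		if a.Unmap().Is4() {
			v4 = append(v4, a)
		} else {
			v6 = append(v6, a)
		}
	}
	return v4, v6
}

// mergeResolvers applies layers in order. A later layer replaces the IPv4 set
// only if it provides IPv4 resolvers, and the IPv6 set only if it provides
// IPv6 resolvers, so a layer that is silent about one family (DHCPv4 cannot
// return IPv6 resolvers) does not wipe that family out.
func mergeResolvers(layers ...Layer) []netip.Addr {
	var v4, v6 []netip.Addr
	for _, l := range layers {
		n4, n6 := splitByFamily(l.Resolvers)
		if len(n4) > 0 {
			v4 = n4
		}
		if len(n6) > 0 {
			v6 = n6
		}
	}
	out := make([]netip.Addr, 0, len(v4)+len(v6))
	out = append(out, v4...)
	return append(out, v6...)
}

// naiveMerge is the pre-fix behaviour the commit describes: the last layer
// that provides any resolvers wins wholesale, regardless of address family.
func naiveMerge(layers ...Layer) []netip.Addr {
	var out []netip.Addr
	for _, l := range layers {
		if len(l.Resolvers) > 0 {
			out = l.Resolvers
		}
	}
	return out
}

func main() {
	// Constructed sample input: the platform hands out both families,
	// DHCPv4 can only hand out IPv4.
	platform := Layer{Name: "platform", Resolvers: []netip.Addr{
		netip.MustParseAddr("10.0.0.2"),
		netip.MustParseAddr("2001:db8::53"),
	}}
	dhcpv4 := Layer{Name: "dhcpv4", Resolvers: []netip.Addr{
		netip.MustParseAddr("10.0.0.53"),
	}}

	fmt.Println("naive :", naiveMerge(platform, dhcpv4)) // IPv6 resolver lost
	fmt.Println("merged:", mergeResolvers(platform, dhcpv4))
}
```

With the sample layers, `naiveMerge` returns only `10.0.0.53`, while `mergeResolvers` returns `10.0.0.53` followed by `2001:db8::53`: the DHCPv4 layer overrides the IPv4 resolver but the platform's IPv6 resolver survives.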
We missed passing the log formatting options while printing logs in a couple of places, causing the logs to be in an inconsistent format.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Fixes #8995
There is no security impact, as the actual SecureBoot
state/configuration is measured into the PCR 7 and the disk encryption
key unsealing is tied to this value.
This is more to provide a way to avoid accidentally encrypting to the
TPM while SecureBoot is not enabled.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Ensure that SecureBoot enabled images come before regular ones.
With Ubuntu 24.04 `ovmf` package, due to the ordering of the search
paths `talosctl` might pick up a wrong image and disable SecureBoot.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Simple change:
1. `FilterMessages` became `filterMessages`.
2. `FilterMessages` is now typed generic function which calls `filterMessages` internally.
3. Adjusted callsites of `FilterMessages`.
Most of the reflection can be avoided in `filterMessages` body (aside from setting `Messages` field
which can be done using proto reflection mechanisms). But for now, let's stick to the simple change.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Bump github.com/siderolabs/grpc-proxy to v0.4.1 and replace deprecated calls to `grpc.CustomCodec`.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
- replace `interface{}` with `any` using `gofmt -r 'interface{} -> any -w'`
- replace `a = []T{}` with `var a []T` where possible.
- replace `a = []T{}` with `a = make([]T, 0, len(b))` where possible.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Remove the need for an additional allocation in case we use `EncodeString`, and it overall looks nicer.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The `SortBonds` function has bothered me since the last time I refactored this part.
We always know that it only accepts `network.LinkSpec`s, but we accepted the slice of untyped Resources because
this is what `List` method returns. Now we can do better, since `safe.List` now supports `Swap` method.
We can utilize `sort.Interface` and pass `safe.List` directly to `SortBonds`.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The controllers might fail with transient errors on machine startup, but
errors are always retried, so persistent errors will show up in the
console anyway.
The full `talosctl logs controller-runtime` are not suppressed.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Bring in the AppArmor pkg from `pkgs`, which adds
`/sbin/apparmor_parser`, which gets picked up by containerd.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Add a new resource, `SiderolinkStatus`, which combines the following info:
- The Siderolink API endpoint without the query parameters or fragments (potentially sensitive info due to the join token)
- The status of the Siderolink connection
This resource is not set as sensitive, so it can be retrieved by the users with `os:operator` role (e.g., using `talosctl dashboard` through Omni).
Make use of this resource in the dashboard to display the status of the Siderolink connection.
Additionally, rework the status columns in the dashboard to:
- Display a Linux terminal compatible "tick" or a "cross" prefix for statuses in addition to the red/green color coding.
- Move and combine some statuses to save rows and make them more even.
Closes siderolabs/talos#8643.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
The v1 version is no longer supported.
The major change is the decoding of link data, but we're not using it,
as we have our own decoders/encoders for a long time.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Azure SDK has a CVE, bump other modules.
Update `hydrophone` with my fixes which got merged upstream.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(This is not user-facing, but rather internal use of the kubeconfig in
the tests/inside the machine).
This was added 4 years ago as a workaround, but instead of a global
timeout we should rather use contexts with timeouts/deadlines (and we
do!).
Setting a global timeout breaks streaming Kubernetes pod logs.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Detect CD devices, and set size to 0 for CD without media.
In user disk wipe tests, skip device mapper devices and CD-ROM.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
* Replace logging.Wrap(log.Writer()) with zaptest.NewLogger(suite.T()) where possible.
* Replace reflect.DeepEqual with =|slices.Equal|bytes.Equal where possible.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Uses go-siderolabs/go-blockdevice/v2 for all the hard parts,
provides new resource `Disk` which describes all disks in the system.
An additional resource, `SystemDisk`, always points to the system disk (based
on the location of the `META` partition).
The `Disks` API (and `talosctl disks`) now provides a view into
`talosctl get disks` to keep backwards compatibility.
The QEMU provisioner can now create extra disks of various types: IDE, AHCI,
SCSI, NVMe; this allows testing detection properly.
The new resource will be the foundation for volume provisioning (to pick
up the disk to provision the volume on).
Example:
```
talosctl -n 172.20.0.5 get disks
NODE NAMESPACE TYPE ID VERSION SIZE READ ONLY TRANSPORT ROTATIONAL WWID MODEL SERIAL
172.20.0.5 runtime Disk loop0 1 65568768 true
172.20.0.5 runtime Disk nvme0n1 1 10485760000 false nvme nvme.1b36-6465616462656566-51454d55204e564d65204374726c-00000001 QEMU NVMe Ctrl deadbeef
172.20.0.5 runtime Disk sda 1 10485760000 false virtio true QEMU HARDDISK
172.20.0.5 runtime Disk sdb 1 10485760000 false sata true t10.ATA QEMU HARDDISK QM00013 QEMU HARDDISK
172.20.0.5 runtime Disk sdc 1 10485760000 false sata true t10.ATA QEMU HARDDISK QM00001 QEMU HARDDISK
172.20.0.5 runtime Disk vda 1 12884901888 false virtio true
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
There was a bit of a mess here which worked fine until we bumped
runc/containerd, and the problem shows up in Talos-in-Kubernetes tests.
Use consistently `runner.WithCgroupPath`, as it handles cgroup nesting
for cases when Talos runs in a container.
Assign each service its own unique cgroup.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Talos diagnostics analyzes the current system state and comes up with detailed
warnings on system misconfigurations which might be tricky to figure
out otherwise.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This never worked properly, as `Wait()` doesn't work for child
processes, and `talosctl cluster destroy` is not a child of processes
created by `talosctl cluster create`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Enum generator github.com/dmarkham/enumer supports comma separated list of types.
Use it and speed up this process by a LOT.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>