This feature allows us to remove any comments from the machineconfig after
upgrading Kubernetes.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add output flag for `talosctl config info`.
This allows endpoints to be gathered programmatically for CI tests.
E.g.:
```bash
_out/talosctl-linux-amd64 config info --output json | jq '.Contexts[].Endpoints[0]'
```
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #7698
Also fix `talosctl config info` for `talosconfig` without a client
certificate (e.g. Omni-generated one).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is not a problem in general, but it is a problem when running multiple image
generation procedures using the same mount point.
This is a no-op if `MountPrefix` is not set (when installing/upgrading
vs. creating an image).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
* report the final output path of the asset
* allow 'cmdline' output (just to get the kernel cmdline, e.g. for PXE
booting)
* support pre-pulled container images for extensions
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use `Progress`, and options to pass around the way messages are written.
Fixed some tiny issues in the code, but otherwise no functional changes.
To make colored output work with `docker run`, switched back image
generation to use volume mount for output (old mode is still
functioning, but it's not the default, and it works when docker is not
running on the same host).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Currently, we use `github.com/coreos/go-semver/semver` and `github.com/hashicorp/go-version`
for version parsing. As we use `github.com/blang/semver/v4` in our other projects, and it
has more features, it makes sense to use it across the projects. It also doesn't allocate
like crazy in `KubernetesVersion.SupportedWith`.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Support full configuration for image generation, including image
outputs, support most features (where applicable) for all image output
types, unify image generation process.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The code picks up firmware files in the order they're defined. The
secureboot QEMU firmware files are defined first, so this flag is a
no-op. This was leftover from when `ovmfctl` was used.
Signed-off-by: Noel Georgi <git@frezbo.dev>
This new fork seems to be more active. The change itself doesn't fix any
memory allocation, but I submitted a PR for gopacket/gopacket:
https://github.com/gopacket/gopacket/pull/24
Also fix crazy alloc in `tui/components` (this is only relevant for
`talosctl`).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
UKI is meant to be for UEFI Secure Boot, so it's expected to enforce
kernel lockdown. We might reconsider in the future to use a kernel patch
instead: b1a0314b08
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This is an intermediate step to move parts of the `ukify` down to the main
Talos source tree, and call it from the `talosctl` binary.
The next step will be to integrate it into the imager and move `.uki`
build out of the Dockerfile.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#6391
Implement a set of APIs and commands to manage images in the CRI, and
pre-pull images on Kubernetes upgrades.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Talos now supports new type of encryption keys which rely on Sealing/Unsealing randomly generated bytes with a KMS server:
```yaml
systemDiskEncryption:
  ephemeral:
    keys:
      - kms:
          endpoint: https://1.2.3.4:443
          slot: 0
```
gRPC API definitions and a simple reference implementation of the KMS server can be found in this
[repository](https://github.com/siderolabs/kms-client/blob/main/cmd/kms-server/main.go).
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
The problem, first spotted by Artem, leads to spurious dirty checks.
The sort order was checking wrong (lowered) keys, so the order was
actually random.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes#7425
The previously used method doesn't handle YAML multi-doc, incorrectly
stripping only the first document and throwing away everything else.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Previously, if META values were supplied to the Talos ISO via
environment variable, they would be written down and available after the
install. With this fix, values are also readable and available before
the installation runs (in maintenance mode).
Most of the PR is refactoring `meta.Value(s)` to be a shared library
which is used by the installer/imager and (now) Talos.
Also fixes an issue with not properly returning a `NotExist` error when
META is not yet available as a partition on disk.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Allow specifying the reboot mode during upgrades by introducing `--reboot-mode` flag, similar to the `--mode` flag of the reboot command.
Closes siderolabs/talos#7302.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Uses the auto-enrollment feature of sd-boot to enroll required UEFI Secure
Boot keys.
Fixes: #7373
Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
This includes sd-boot handling, EFI variables, etc.
There are some TODOs which need to be addressed to make things smooth.
Install to disk, upgrades work.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit adds support for an API load balancer. A quick way to enable it is during cluster creation using the new `api-server-balancer-port` flag (0 by default - disabled). When enabled, all API requests will be routed across
cluster control plane endpoints.
Closes #7191
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Move labels out of the bootloader interface, while moving copying assets
into the bootloader interface. GRUB is using one set of assets,
`sd-boot` will be using another one.
Fix the problem with `bootloader.Probe()` finding boot partition on the
host when it runs in a priv container, fixing issues with image creation
in the CI.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This changes the bootloader code to be generic to support
multiple bootloader implementations.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Struct MetaValue has methods on both value and pointer receivers. Such usage is not recommended by the Go Documentation. Modifies the receiver usage.
Variable config collides with imported package name. Renames the variable config.
Removes a redundant alias.
Empty slice declaration uses a literal. Replaces with nil slice declaration.
Signed-off-by: Nanfei Chen <chennanfei@yeah.net>
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
There is no need for the value of `err` to be assigned to itself, so this self-assignment is removed.
Signed-off-by: Nanfei Chen <chennanfei@yeah.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add flags for configuring the qemu bridge interface with chaos options:
- network-chaos-enabled
- network-jitter
- network-latency
- network-packet-loss
- network-packet-reorder
- network-packet-corrupt
- network-bandwidth
These flags are used in /pkg/provision/providers/vm/network.go at the end of the CreateNetwork function to first see if the network-chaos-enabled flag is set, and then check if bandwidth is set. This will allow developers to simulate clusters having a degraded WAN connection in the development environment and testing pipelines.
If bandwidth is not set, it will then enable the other options.
- Note that if bandwidth is set, the other options such as jitter, latency, packet loss, reordering and corruption will not be used. This is for two reasons:
- Restricting the bandwidth can often introduce many of the other issues being set by the other options.
- Setting the bandwidth uses a separate queuing discipline (Token Bucket Filter) from the other options (Network Emulator) and requires a much more complex configuration using a Hierarchical Token Bucket Filter which cannot be configured at a granular enough level using the vishvananda/netlink library.
Adding both queuing disciplines to the same interface may be an option to look into in the future, but would take more extensive testing and control over many more variables which I believe is out of the scope of this PR. It is also possible to add custom profiles, but will also take more research to develop common scenarios which combine different options in a realistic manner.
Signed-off-by: Christian Rolland <christian.rolland@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Add qemu support for secureboot testing via `talosctl cluster create`.
Can be tested via:
```bash
sudo -E _out/talosctl-linux-amd64 cluster create --provisioner=qemu $REGISTRY_MIRROR_FLAGS --controlplanes=1 --workers=1 --iso-path=_out/talos-uki-amd64.iso --with-secureboot=true --with-tpm2=true --skip-injecting-config --with-apply-config
```
This currently only supports booting Talos in SecureBoot mode.
Installation and Upgrade come as extra PRs.
Fixes: #7324
Signed-off-by: Noel Georgi <git@frezbo.dev>
Use `pigz` (parallel) instead of `gzip`.
Use `xz` compression `-0` instead of `-6`.
This has pros and cons:
* image size goes up (77M -> 79M) (+2.5%)
* image generation goes down 19s -> 10s (-50%).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Use `udevd` rules to create stable interface names.
Link controllers should wait for `udevd` to settle down, otherwise link
rename will fail (interface should not be UP).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
`config.Container` implements a multi-doc container which implements
both the `Container` interface (encoding, validation, etc.), and the `Config`
interface (accessing parts of the config).
Refactor `generate` and `bundle` packages to support multi-doc, and
provide backwards compatibility.
Implement a first (mostly example) machine config document for
SideroLink API URL.
Many places don't properly support multi-doc yet (e.g. config patches).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Use `pigz` and `--sparse` to handle compression of the assets more
efficiently.
Also move tasks out of `setup-ci` step, as it runs always, including for
the promoted pipelines.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
See #7230
Refactor more config interfaces, move config accessor interfaces
to different package to break the dependency loop.
Make `.RawV1Alpha1()` method typed to avoid type assertions everywhere.
No functional changes.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
See #7230
This is a step towards preparing for multi-doc config.
Split the `config.Provider` interface into parts which have different
implementation:
* `config.Config` accesses the config itself, it might be implemented by
`v1alpha1.Config` for example
* `config.Container` will be a set of config documents, which implement
validation, encoding, etc.
`Version()` method dropped, as it makes little sense and was almost
unused.
`Raw()` method renamed to `RawV1Alpha1()` to support legacy direct
access to `v1alpha1.Config`, next PR will refactor more to make it
return proper type.
There will be many more changes coming up.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR changes the default disk size for cloud images to be 8GiB
instead. This was prompted b/c the disk price in Azure between tiers is
doubled and the cutoff for the tier is 8GiB.
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>