IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Fixes#4421
See documentation for details on how to use the feature.
With `talosctl cluster create`, firewall can be easily test with
`--with-firewall=accept|block` (default mode).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
We already have the code which supports custom enums, so let's extend it to support custom enums in slices and
fix the NfTablesConntrackStateMatch proto definition.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Many changes to the nftables backend which will be used in the follow-up
PR with #4421.
1. Add support for chain policy: drop/accept.
2. Properly handle match on all IPs in the set (`0.0.0.0/0` like).
3. Implement conntrack state matching.
4. Implement multiple ifname matching in a single rule.
5. Implement anonymous counters.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Implement initial set of backend controllers/resources to handle
nftables chains/rules etc.
Replace the KubeSpan nftables operations with controller-based.
See #4421
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The code will rotate through the endpoints, until it reaches the end, and only then it will try to do the provisioning again.
Closes#7973
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This PR adds support for custom node taints. Refer to `nodeTaints` in the `configuration` for more information.
Closes#7581
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Adds missing whitespace to ensure correct rendering on web
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes the shortcuts for the dashboard command by encoding < and >
Signed-off-by: Oscar Utbult <oscar.utbult@gmail.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
This commit deprecates those things:
- Removes the support of `.persist` flag. From now, it should always be enabled or not defined in the config.
- Removes the documentation for `.bootloader`. It never worked anyway.
- Adds a warning for `.machine.install.extensions`, suggests to use boot-assets.
Closes#7972Closes#7507
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Ignore kernel command line for `SideroLink` and `EventsSink` config when
running in container mode. Otherwise when running Talos as a docker
container in Talos it picks up the host kernel cmdline and try to
configure SideroLink/EventsSink.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Start container early in the boot process so system extension services
start in maintenance mode.
Fixes: #7083
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes#7873
Some services which perform mounts inside the container which require
mounts to propagate back to the host (e.g. `stargz-snapshotter`) require
this configuration setting.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
With SecureBoot, kernel args are part of the UKI (and signed), so we
need to allow kernel args when building an installer, as this is the
only way to allow updating kernel args in SecureBoot mode.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Support different providers, not only static file paths.
Drop `pcr-signing-key-public.pem` file, as we generate it on the fly
now.
See https://github.com/siderolabs/image-factory/issues/19
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This PR does those things:
- It allows API calls `MetaWrite` and `MetaRead` in maintenance mode.
- SystemInformation resource now waits for available META
- SystemInformation resource now overwrites UUID from META if there is an override
- META now supports "UUID override" and "unique token" keys
- ProvisionRequest now includes unique token and Talos version
For #7694
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Previously a fix was deployed in the Talos API client, but when the
request passes through `apid`, we need to make sure that proxy doesn't
reject large responses.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Output the PCR public key in `.der` format in addition to the `.pem` format.
Closessiderolabs/talos#7742.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Move `setupLogging` inside the controller, so that logger is set up
correctly before Talos starts printing first messages.
This fixes an inconsistency that first messages are printed using
"default" logger, while after that the proper logger is set up, and
format of the messages matches kernel log.
Also move `waitForUSBDelay` into the sequencer after `udevd` was
started (this is when blockdevices including USB ones are discovered).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
First of all, this interface is way more performant than `pcap`
interface. It is Linux-specific, but we don't care in Talos Linux :)
Second, this drop dependency of `machined` on `gopacket/layers` package,
which has huge issues with memory allocations and startup time.
This cuts around 20MiB of process RSS for all Talos processes.
(`talosctl` still requires this `gopacket/layers` library for decoding
packets).
Fixes#7880
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
As Talos doesn't consume `.machine.install` if already installed, there
is no point in validating it once already installed.
This fixes a problem users often run into: after a reboot/upgrade the
system disk blockdevice name changes, due to the kernel upgrade, or just
unpredictable behavior of device discovery. Talos fails to boot as it
can't validate the machine config, while it's already installed, so
actual blockdevice name doesn't matter.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
See https://github.com/siderolabs/image-factory/issues/44
Instead of using constants, use proper Talos version and kernel version
discovered from the image.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Document Image Factory in general, and also provide specific examples
for boot assets.
Secure Boot section is not covered, as we don't have Secure Boot support
(yet) in the Image Factory.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This leads to lots of unnecessary improts, as the chain from network
controllers is pretty long.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use fixed partition name instead of trying to auto-discover by label.
Auto-discovery by label might hit completely wrong blockdevice.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
`Input` is initialized with fields populated and at the end of the
function the fields are updated again with the same value
Signed-off-by: budimanjojo <budimanjojo@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
See https://github.com/siderolabs/image-factory/issues/43
Two fixes:
* pass path to the dtb, uboot and rpi-firmware explicitly
* include dtb, uboot and rpi-firmware into arm64 installer image when
generated via imager (regular arm64 installer was fine)
(The generation of SBC images was not broken for Talos itself, but only
when used via Image Factory).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Before we started a reboot/shutdown/reset/upgrade action with the action tracker (`--wait`), we were setting a flag to prevent cobra from printing the returned error from the command.
This was to prevent the error from being printed twice, as the reporter of the action tracker already prints any errors occurred during the action execution.
But if the error happens too early - i.e. before we even started the status printer goroutine, then that error wouldn't be printed at all, as we have suppressed the errors.
This PR moves the suppression flag to be set after the status printer is started - so we still do not double-print the errors, but neither do we suppress any early-stage error from being printed.
Closessiderolabs/talos#7900.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
