This PR fixes incorrect packet TTL if `forwardKubeDNSToHost` is enabled.
Credits go to Julian Wiedmann.
Closes #8698.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Initramfs and kernel are compressed with zstd.
Extensions are compressed with zstd for Talos 1.8+.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This will be useful for debugging process access rights once we start implementing SELinux
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
New package arrived in Go 1.22 which provides better rand primitives and functions.
Use it instead of the old one.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Optimize `DNSResolveCacheController` type, including `dns.Server` optimization for easy start/stop. This PR ensures that we
delete server from runners on stop (even unexpected) and restart it properly. Also fixes incorrect assumption on unit-tests.
Fixes #8563
This PR also does those things:
- Removes `utils.Runner`
- Removes `ctxutil.MonitorFn`
- Removes `dns.Runner`
- Removes `network.dnsRunner`
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The log stream displayed in the dashboard stopped working when a node was rebooted.
Rework the log data source to establish a per-node connection and use a retry loop to always reconnect until the dashboard is terminated.
Print the connection errors in the log stream in red color.
Closes siderolabs/talos#8388.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Dynamically map Kubernetes and Talos API ports to an available port on
the host, so every cluster gets its own unique set of ports.
As part of the changes, refactor the provision library and interfaces,
dropping old weird interfaces and replacing them with (hopefully) much more
descriptive names.
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Update Go to 1.22.2, update Go modules to resolve
[HTTP/2 issue](https://www.kb.cert.org/vuls/id/421644).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This PR adds the support for CoreDNS forwarding to host DNS. We try to bind on 9th address on the first element from
`serviceSubnets` and create a simple service so k8s will not attempt to rebind it.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Co-authored-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
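The commit above picks "the 9th address on the first element from `serviceSubnets`" as the host-DNS forwarding target. As an added illustration (not code from the Talos repository), the following Go snippet computes such an address with `net/netip`, walking the offset from the subnet's network address and refusing subnets too small to contain it. The interpretation of "9th address" as network address plus 9 (e.g. `10.96.0.9` for `10.96.0.0/12`) and the function name `nthAddress` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// nthAddress returns the address that is n steps after the network address
// of cidr (n == 9 mirrors the "9th address" chosen by the commit above;
// that offset interpretation is an assumption of this example, not the
// project's documented rule). It returns an error when the offset would
// leave the prefix, so a too-small subnet is rejected instead of silently
// producing an address outside the service range.
func nthAddress(cidr string, n int) (netip.Addr, error) {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("parsing %q: %w", cidr, err)
	}

	// Start from the canonical network address, e.g. 10.96.0.0 for 10.96.0.0/12,
	// even if the caller passed a host bit set (10.96.1.2/12).
	addr := prefix.Masked().Addr()

	for i := 0; i < n; i++ {
		addr = addr.Next()
		// Next() returns an invalid Addr on overflow; Contains guards against
		// walking past the end of the prefix.
		if !addr.IsValid() || !prefix.Contains(addr) {
			return netip.Addr{}, fmt.Errorf("offset %d does not fit in %s", n, prefix)
		}
	}

	return addr, nil
}

// hostDNSAddress applies the rule to the first service subnet in the list,
// which is the case the commit describes (IPv4 or IPv6 both work).
func hostDNSAddress(serviceSubnets []string) (netip.Addr, error) {
	if len(serviceSubnets) == 0 {
		return netip.Addr{}, fmt.Errorf("no service subnets configured")
	}

	return nthAddress(serviceSubnets[0], 9)
}

func main() {
	// Constructed sample inputs: the Kubernetes default service CIDR, an IPv6
	// ULA range and a /30 that cannot hold nine host addresses.
	for _, subnets := range [][]string{
		{"10.96.0.0/12"},
		{"fd00::/108", "10.96.0.0/12"},
		{"10.0.0.0/30"},
	} {
		addr, err := hostDNSAddress(subnets)
		if err != nil {
			fmt.Printf("%v -> error: %v\n", subnets, err)
			continue
		}
		fmt.Printf("%v -> %s\n", subnets, addr)
	}
}
```

Because `Masked()` is applied first, a misconfigured subnet such as `10.96.1.2/12` still yields `10.96.0.9` rather than an address derived from the stray host bits.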
Implement `Install` for imager overlays.
Also add support for generating installers.
Depends on: #8377
Fixes: #8350
Fixes: #8351
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fix the nil dereferences when an upgrade is attempted on a Talos node that is in maintenance mode and has a partial machine config.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
To be used in the `go-talos-support` module without importing the whole
Talos repo.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Turns out there is actually no black magic in systemd, they simply listen on 127.0.0.53 and forward dns requests there in resolv.conf.
Reason is the same as ours — to preserve compatibility with other applications. So we do the same in our code.
This PR also does two things:
- Adds `::1` into resolv.conf for IPv6 only resolvers.
- Drops `SO_REUSEPORT` from control options (it works without them).
Closes #8328
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This error pops up when `udevd` rescans the partition table while Talos
is trying to mount a device concurrently.
This feels like something new with Linux 6.6, probably.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Drop the Kubernetes manifests as static files clean up (this is only
needed for upgrades from 1.2.x).
Fix Talos handling of cgroup hierarchy: if started in container in a
non-root cgroup hierarchy, use that to handle proper cgroup paths.
Add a test for a simple TinK mode (Talos-in-Kubernetes).
Update the docs.
Fixes #8274
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It was deprecated 16 months ago, time to cleanup.
(This is to prepare for the first v1.7 release)
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
In the previous implementation, even though `installer.err` was set, it
was never checked 🤦.
The run loop was stolen from the dashboard code.
Fixes #8205
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This PR adds a new controller - `DNSServerController` that starts tcp and udp dns servers locally. Just like `EtcFileController` it monitors `ResolverStatusType` and updates the list of destinations from there.
Most of the caching logic is in our "lobotomized" `CoreDNS` fork. We need this fork because default `CoreDNS` carries
full Caddy server and various other modules that we don't need in Talos. On our side we implement
random selection of the actual dns and request forwarding.
Closes #7693
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
When the dashboard is used via the CLI through a proxy, e.g., through Omni, node names or IDs can be used in the `--nodes` flag instead of the IPs.
This caused rendering inconsistencies in the dashboard, as some parts of it used the IPs and some used the names passed in the context.
Fix this by collecting all node IPs on dashboard start, and map these IPs to the respective nodes passed as the `--nodes` flag.
On the dashboard footer, we always display the node names as they are passed in the `--nodes` flag.
As part of it, remove the node list change reactivity from the dashboard, so it will always take the passed nodes as the truth.
The IP to node mapping collection at dashboard startup also solves another issue where the first API call by the dashboard triggered the interactive API authentication (e.g., the OIDC flow). Previously, because the terminal was already switched to the raw mode, it was not possible to authenticate properly.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Support different providers, not only static file paths.
Drop `pcr-signing-key-public.pem` file, as we generate it on the fly
now.
See https://github.com/siderolabs/image-factory/issues/19
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This PR does those things:
- It allows API calls `MetaWrite` and `MetaRead` in maintenance mode.
- SystemInformation resource now waits for available META
- SystemInformation resource now overwrites UUID from META if there is an override
- META now supports "UUID override" and "unique token" keys
- ProvisionRequest now includes unique token and Talos version
For #7694
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
First of all, this interface is way more performant than `pcap`
interface. It is Linux-specific, but we don't care in Talos Linux :)
Second, this drops the dependency of `machined` on the `gopacket/layers` package,
which has huge issues with memory allocations and startup time.
This cuts around 20MiB of process RSS for all Talos processes.
(`talosctl` still requires this `gopacket/layers` library for decoding
packets).
Fixes #7880
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
See https://github.com/siderolabs/image-factory/issues/44
Instead of using constants, use proper Talos version and kernel version
discovered from the image.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Use fixed partition name instead of trying to auto-discover by label.
Auto-discovery by label might hit completely wrong blockdevice.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This does not fix the underlying digest mismatch issue, but does handle the error and should provide
further insight into issues (if present).
Refs: #7828
Signed-off-by: Thomas Way <thomas@6f.io>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The conversion from TPM 2 hash algorithm to Go crypto algorithm will fail for
uncommon algorithms like SM3256. This can be avoided by checking the constants
directly, rather than converting them. It should also be fine to allow some non
SHA-256 PCRs.
Fixes: #7810
Signed-off-by: Thomas Way <thomas@6f.io>
Signed-off-by: Noel Georgi <git@frezbo.dev>
When running on the machine, the extensionTreePath is not writeable, so
create and clean up a temporary directory to host `modules.dep`
extension.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Drop loop device/mounts completely, use userspace utilities to extract
and lay over module trees in the tmpfs.
Discover kernel version automatically instead of hardcoding it to be
current one (required for Image Service).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>