To enable authorization to services via siderolink on startup we extend
the kernel parameter siderolink.api to accept an optional join token as
a parameter as in grpc://<host>:<port>?jointoken=1234
Fixes #5592
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
The tag was already corrected in v1.1 of the doc but we also need to
correct it for v1.0. When we check out git tag v1.0.5 and build the
installer it will create the image with `siderolabs` in the image tag.
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
Instead of hardcoded `grub.cfg`, use common code to generate list of
kernel arguments and allow using `--extra-kernel-arg` as well.
Before the change:
```
linux /boot/vmlinuz init_on_alloc=1 slab_nomerge pti=on panic=0 consoleblank=0 printk.devkmsg=on earlyprintk=ttyS0 console=tty0 console=ttyS0 talos.platform=metal
```
New (default line):
```
linux /boot/vmlinuz talos.platform=metal earlyprintk=ttyS0 console=ttyS0 console=tty0 init_on_alloc=1 slab_nomerge pti=on consoleblank=0 nvme_core.io_timeout=4294967295 random.trust_cpu=on printk.devkmsg=on ima_template=ima-ng ima_appraise=fix ima_hash=sha512
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
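The two commits above (the `siderolink.api=grpc://<host>:<port>?jointoken=...` kernel parameter and the generated GRUB argument list with `--extra-kernel-arg`) both come down to building and reading a kernel command line. The following is an added example written for this page, not Talos code: a small builder that appends extra arguments to a default list, a parser for the resulting line, and a reader for `siderolink.api` that separates the optional join token from the dial address. The default argument list is a constructed subset of the line shown above, and `10.0.0.1:4000` is an assumed SideroLink endpoint.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Added example, not Talos code. DefaultArgs is a constructed subset of the
// default kernel line shown in the commit message.
var DefaultArgs = []string{
	"earlyprintk=ttyS0", "console=ttyS0", "console=tty0",
	"init_on_alloc=1", "slab_nomerge", "pti=on", "printk.devkmsg=on",
}

// BuildCmdline places the platform argument first, then the defaults, then
// any extra arguments (what --extra-kernel-arg supplies) and joins them.
// Keys are deliberately not de-duplicated: console= legitimately repeats,
// and for keys the kernel reads once the last occurrence wins anyway.
func BuildCmdline(platform string, defaults, extra []string) string {
	args := make([]string, 0, 1+len(defaults)+len(extra))
	args = append(args, "talos.platform="+platform)
	args = append(args, defaults...)
	args = append(args, extra...)
	return strings.Join(args, " ")
}

// ParseCmdline splits a command line on whitespace into key -> values.
// Bare flags such as slab_nomerge map to a single empty string. Quoted
// values containing spaces are not handled by this toy parser.
func ParseCmdline(line string) map[string][]string {
	out := map[string][]string{}
	for _, field := range strings.Fields(line) {
		key, value, _ := strings.Cut(field, "=")
		out[key] = append(out[key], value)
	}
	return out
}

// SideroLinkAPI reads siderolink.api=grpc://<host>:<port>?jointoken=<token>.
// The join token travels in the URL query, so it is extracted and the query
// is stripped before the remainder is returned as the dial target. A missing
// jointoken is fine (the token is optional); a missing host or a scheme other
// than the grpc:// form from the commit message is rejected.
func SideroLinkAPI(params map[string][]string) (endpoint, token string, err error) {
	vals := params["siderolink.api"]
	if len(vals) == 0 {
		return "", "", fmt.Errorf("siderolink.api not set")
	}
	u, err := url.Parse(vals[len(vals)-1]) // last occurrence wins
	if err != nil {
		return "", "", fmt.Errorf("siderolink.api: %w", err)
	}
	if u.Scheme != "grpc" {
		return "", "", fmt.Errorf("siderolink.api: unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return "", "", fmt.Errorf("siderolink.api: missing host")
	}
	token = u.Query().Get("jointoken")
	u.RawQuery = ""
	return u.String(), token, nil
}

func main() {
	line := BuildCmdline("metal", DefaultArgs,
		[]string{"siderolink.api=grpc://10.0.0.1:4000?jointoken=1234"})
	fmt.Println(line)
	endpoint, token, err := SideroLinkAPI(ParseCmdline(line))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("endpoint=%s jointoken=%s\n", endpoint, token)
}
```

One practical caveat the parser makes visible: the join token sits in plain text on the kernel command line, so anything that can read `/proc/cmdline` on the node (or the boot configuration on the provisioning side) can read the token; treat it as a bootstrap credential, not a long-lived secret.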
`GenerateKey` generates 32 random bytes rather than a key suitable for use as
a Wireguard endpoint key.
This is the only place in code with this bug, and it is only used in
test code (`talosctl cluster create` with fixed Wireguard
configuration).
SideroLink and Kubespan are not affected.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
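The commit above distinguishes between 32 random bytes and a key suitable as a WireGuard endpoint (private) key. The difference is Curve25519 scalar clamping (RFC 7748 section 5): a canonical WireGuard private key has the low three bits of the first byte cleared, the top bit of the last byte cleared and the second-highest bit of the last byte set, which is what `wg genkey` and wgctrl's `GeneratePrivateKey` produce. The following is an added example written for this page, not Talos or wgctrl code; the type and function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Added example, not Talos or wgctrl code.

const KeyLen = 32

// Key is a 32-byte WireGuard key in raw form.
type Key [KeyLen]byte

// GenerateKey returns 32 uniformly random bytes. That is the right thing for
// a preshared key, but used as a private key it is canonical only by luck
// (a random key passes IsClamped with probability 1/32).
func GenerateKey() (Key, error) {
	var k Key
	if _, err := rand.Read(k[:]); err != nil {
		return Key{}, err
	}
	return k, nil
}

// Clamp applies the Curve25519 scalar clamping in place (RFC 7748 section 5).
func Clamp(k *Key) {
	k[0] &= 248
	k[31] &= 127
	k[31] |= 64
}

// GeneratePrivateKey is the shape a correct endpoint-key generator takes:
// random bytes followed by clamping.
func GeneratePrivateKey() (Key, error) {
	k, err := GenerateKey()
	if err != nil {
		return Key{}, err
	}
	Clamp(&k)
	return k, nil
}

// IsClamped reports whether k is already canonical, i.e. Clamp leaves it
// unchanged. This is the check that would have caught the bug in test code.
func IsClamped(k Key) bool {
	c := k
	Clamp(&c)
	return c == k
}

// String encodes the key the way `wg` prints it.
func (k Key) String() string { return base64.StdEncoding.EncodeToString(k[:]) }

// ParseKey decodes a base64 key and rejects anything not exactly 32 bytes long.
func ParseKey(s string) (Key, error) {
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return Key{}, err
	}
	if len(b) != KeyLen {
		return Key{}, errors.New("wireguard key must be 32 bytes")
	}
	var k Key
	copy(k[:], b)
	return k, nil
}

func main() {
	k, err := GeneratePrivateKey()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("private key %s clamped=%v\n", k, IsClamped(k))
}
```

Deriving the matching public key is an X25519 scalar multiplication (for instance via `crypto/ecdh` in Go 1.20 and later) and is left out here; the point is that the raw-bytes generator and the private-key generator are different functions and test code must call the second one.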
If SideroLink is enabled, maintenance mode should only allow Siderolink connections.
Closes #5627
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Add extra context to error message when unable to properly
open the talos config file when creating a cluster.
Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
This adds the option to toggle the automatic creation of search domains.
Signed-off-by: Bᴇʀɴᴅ Sᴄʜᴏʀɢᴇʀs <me@bjw-s.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
dependabot-based, go-mod-outdated is broken due to sum issue with Azure
SDK package :(
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes:
* Node hostname has a different place in metadata config.
* Do not reboot if machine-config is empty.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This increases `initramfs` size by 356060 bytes (raw text database is
1.3 MiB).
In QEMU:
```
$ talosctl -n 172.20.0.2 get links eth0 -o yaml
spec:
...
productID: "0x1000"
vendorID: "0x1af4"
product: Virtio network device
vendor: Red Hat, Inc.
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The examples contain raw structures which will be base64-encoded on
marshaling to YAML, which might be confusing if someone tries to decode
the values.
At the same time we want to make sure that example certs/keys are not
usable, to prevent clusters being created with fixed secrets.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Adds an example setup for sending talos logs to a vector aggregator
Signed-off-by: Nat Allan <19149206+Truxnell@users.noreply.github.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #5588
This fixes `apid` certificate generation for SideroLink IPs, so that
Talos API can be accessed over SideroLink connection.
We also drop SideroLink addresses from cluster discovery, as these
addresses don't work across nodes, so that they are not used for
KubeSpan, endpoints, etc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
dependabot + go-mod-outdated
`arp` library is now using Go stdlib `netip.Addr`, so we need an ugly
way to convert `netaddr.IP` to `netip.Addr`. We should soon refactor to
use `netip.Addr` everywhere (starting with `siderolabs/net` package).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
We extend the extension service spec with three security options:
`WithWriteableSysfs`, `WithMaskedPaths` and `WithReadonlyPaths`.
Fixes #5411
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
Rewrite types in deep-copy generation line to ascending order. Coming from #5563.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This fixes an error where integration tests become stuck with a message
like:
```
waiting for coredns to report ready: some pods are not ready: [coredns-868c687b7-g2z64]
```
After some random sequence of node restarts one of the pods might become
"stuck" in `Completed` state (as it is shown in `kubectl get pods`)
blocking the check, as the pod will never become ready.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Refactor every typed.Resource except KubeletConfigSpec to use deep-copy tool for generating DeepCopy method.
KubeletConfigSpec is excluded because its DeepCopy method is not trivial.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
We are trying to get an IP-address lifetime, but we do not have it yet.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This affects both API server and Talos API cert SANs.
Before the fix, SANs accumulated changes over time, so even if the
hostname changed, the old hostname was still kept in the SANs. Even though it
shouldn't be a problem in general, it is confusing, as after a reboot the list
will be reset back to the expected value.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Docker on WSL seems to have same issue as Docker/OS X and
Docker/Windows: container IPs are not routable from the host, so we need
to apply same "magic" by using exposed ports.
WSL `talosctl` binary is built for Linux, so we need to do additional
checks for the platform.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This fixes an issue with `talosctl gen config` not appending API server
cert SANs if the endpoint doesn't contain a port.
In fact this shouldn't ever be needed, as Talos automatically injects
SANs from the endpoint URL on the fly, but it is good to fix for consistency.
Fixes #5536
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
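Three of the commits above touch the same mechanism: SideroLink addresses must be left out of the SAN/discovery set, SANs must be rebuilt from the current state rather than accumulated, and an endpoint given without a port must still contribute its host as a SAN. The following is an added example written for this page, not Talos code, that puts those rules into one SAN computation and issues a self-signed certificate from it so the result can be checked with `VerifyHostname`. The SideroLink prefix, the hostnames and the addresses are assumed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/netip"
	"net/url"
	"sort"
	"time"
)

// Added example, not Talos code. siderolinkPrefix is an assumed ULA range
// standing in for whatever the real SideroLink deployment uses.
var siderolinkPrefix = netip.MustParsePrefix("fdae:41e4:649b:9303::/64")

// SANs is the subject-alternative-name set for one certificate.
type SANs struct {
	DNSNames []string
	IPs      []netip.Addr
}

// ComputeSANs derives the SAN set from the current hostname, the configured
// endpoint URL, the node's addresses and user-supplied extra SANs. It starts
// from empty on every call, so a hostname that is no longer current simply
// does not appear; nothing is carried over from a previous result.
func ComputeSANs(hostname, endpoint string, nodeAddrs []netip.Addr, extra []string) (SANs, error) {
	dns := map[string]struct{}{}
	ips := map[netip.Addr]struct{}{}
	add := func(s string) {
		if s == "" {
			return
		}
		if a, err := netip.ParseAddr(s); err == nil {
			ips[a.Unmap()] = struct{}{}
		} else {
			dns[s] = struct{}{}
		}
	}
	add(hostname)
	u, err := url.Parse(endpoint)
	if err != nil {
		return SANs{}, fmt.Errorf("parsing endpoint: %w", err)
	}
	add(u.Hostname()) // works with or without a port; strips IPv6 brackets
	for _, a := range nodeAddrs {
		// SideroLink addresses are point-to-point to the management side and
		// not reachable between nodes, so they are neither SANs nor
		// discovery endpoints. Loopback and link-local are skipped too.
		if siderolinkPrefix.Contains(a) || a.IsLoopback() || a.IsLinkLocalUnicast() {
			continue
		}
		ips[a] = struct{}{}
	}
	for _, e := range extra {
		add(e)
	}
	out := SANs{}
	for d := range dns {
		out.DNSNames = append(out.DNSNames, d)
	}
	for a := range ips {
		out.IPs = append(out.IPs, a)
	}
	sort.Strings(out.DNSNames)
	sort.Slice(out.IPs, func(i, j int) bool { return out.IPs[i].Less(out.IPs[j]) })
	return out, nil
}

// SelfSignedCert issues a short-lived certificate carrying exactly the given
// SANs; re-issuing after a hostname change therefore drops the old name.
func SelfSignedCert(sans SANs) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "apid"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans.DNSNames,
	}
	for _, a := range sans.IPs {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.IP(a.AsSlice()))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	addrs := []netip.Addr{
		netip.MustParseAddr("fdae:41e4:649b:9303::1"), // assumed SideroLink address
		netip.MustParseAddr("10.0.0.5"),
	}
	sans, err := ComputeSANs("node1", "https://10.0.0.1", addrs, []string{"kube.example.com"})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("dns=%v ips=%v\n", sans.DNSNames, sans.IPs)
}
```

The check worth keeping from this is the negative one: after re-issuing, `VerifyHostname` with the previous hostname must fail, and it must fail for every SideroLink address; a SAN set that only ever grows passes the positive checks and still carries stale names.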
This is required when running Talos in a container when host OS kernel
doesn't have support for Wireguard.
The failure is deferred so that controller actually fails when it needs
the wireguard client, but if wireguard is not used, controller continues
running.
This should fix errors when running Talos on Docker/WSL:
```
[talos] 2022/05/11 08:52:28 controller failed {"component": "controller-runtime", "controller": "network.LinkStatusController", "error": "error creating wireguard client: setsockopt: protocol not available"}
[talos] 2022/05/11 08:50:48 controller failed {"component": "controller-runtime", "controller": "kubespan.ManagerController", "error": "error creating wireguard client: setsockopt: protocol not available"}
[talos] 2022/05/11 08:50:32 controller failed {"component": "controller-runtime", "controller": "network.LinkSpecController", "error": "error creating wireguard client: setsockopt: protocol not available"}
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
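The commit above describes a deferred failure: the WireGuard client is only constructed when a controller actually needs it, so on a kernel without WireGuard (the `setsockopt: protocol not available` lines) controllers that never touch a WireGuard link keep running. The following is an added example written for this page, not Talos code, of that pattern: a once-only lazy constructor that remembers its error, wrapped in a toy link controller. `WGClient`, `fakeClient`, `Link` and `LinkStatusController` are this example's own stand-ins, and `ErrNoWireGuard` is a constructed error carrying the message from the log lines.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Added example, not Talos code.

// Lazy wraps a constructor so that it runs at most once, on first Get, and
// its result (value or error) is returned to every later caller.
type Lazy[T any] struct {
	once sync.Once
	ctor func() (T, error)
	v    T
	err  error
}

func NewLazy[T any](ctor func() (T, error)) *Lazy[T] { return &Lazy[T]{ctor: ctor} }

func (l *Lazy[T]) Get() (T, error) {
	l.once.Do(func() { l.v, l.err = l.ctor() })
	return l.v, l.err
}

// WGClient is a stand-in for the real WireGuard control client.
type WGClient interface {
	Device(name string) (string, error)
}

type fakeClient struct{}

func (fakeClient) Device(name string) (string, error) { return "wg device " + name, nil }

// ErrNoWireGuard is a constructed error with the kernel's message from the
// log lines in the commit message.
var ErrNoWireGuard = errors.New("error creating wireguard client: setsockopt: protocol not available")

// Link is a minimal network link description.
type Link struct {
	Name, Kind string
}

// LinkStatusController reconciles links; only wireguard links need the client,
// so on a host without WireGuard support the constructor is never run unless
// such a link exists.
type LinkStatusController struct {
	wg *Lazy[WGClient]
}

// Reconcile reports on every link and fails only when a wireguard link is
// present and the client cannot be created.
func (c *LinkStatusController) Reconcile(links []Link) ([]string, error) {
	var out []string
	for _, l := range links {
		if l.Kind != "wireguard" {
			out = append(out, l.Name+": ok")
			continue
		}
		client, err := c.wg.Get()
		if err != nil {
			return out, fmt.Errorf("link %s: %w", l.Name, err)
		}
		dev, err := client.Device(l.Name)
		if err != nil {
			return out, fmt.Errorf("link %s: %w", l.Name, err)
		}
		out = append(out, l.Name+": "+dev)
	}
	return out, nil
}

func main() {
	// Simulate a host whose kernel has no WireGuard support.
	c := &LinkStatusController{wg: NewLazy(func() (WGClient, error) { return nil, ErrNoWireGuard })}
	out, err := c.Reconcile([]Link{{Name: "eth0", Kind: "ethernet"}})
	fmt.Println(out, err) // the controller keeps running: no wireguard link, no error
	out, err = c.Reconcile([]Link{{Name: "kubespan", Kind: "wireguard"}})
	fmt.Println(out, err) // now the deferred failure surfaces
}
```

Caching the error in `Lazy` is a choice, not a requirement: it matches a capability that is fixed for the life of the host (kernel support), but for transient failures such as a socket that was busy a retry on the next `Get` would be the better behaviour.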
This fix catches the cases:
* when ip_address is an empty string;
* the route array has to be in the interface layer.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>