IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
To be used in the `go-talos-support` module without importing the whole
Talos repo.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Fixes a condition when the timestamp contains a single digit day.
This started failing when the month started :sweat_smile.
Also handle a case when `tag` and `hostname` are both missing.
Signed-off-by: Noel Georgi <git@frezbo.dev>
Support overlays for imager.
The `Install` interface is not wired yet, it will be done as a different
PR.
This should be a no-op for existing imager.
Part of: #8350
Signed-off-by: Noel Georgi <git@frezbo.dev>
As we're using a mirrored image from `registry.k8s.io`, use that as a
source instead of GitHub. Mirrored image appears with some delay after
an official CoreDNS release.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
When provisioning VMs, each launch process sets up CNI network, and from
time to time CNI setup fails with something like:
```
error provisioning CNI network: plugin type="firewall" failed (add): running [/sbin/iptables -t filter -N CNI-ADMIN --wait]: exit status 4: iptables v1.8.10 (nf_tables)
```
This a race condition in the CNI plugins, and it looks like there is no
fix for it (see e.g. https://github.com/hashicorp/nomad/issues/8838).
As a workaround, take a mutex around CNI operation to serialize them.
CNI setup happens in different processes, so use a file-based mutex.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Turns out there is actually no black magic in systemd, they simply listen on 127.0.0.53 and forward dns requests there in resolv.conf.
Reason is the same as ours — to preserve compatibility with other applications. So we do the same in our code.
This PR also does two things:
- Adds `::1` into resolv.conf for IPv6 only resolvers.
- Drops `SO_REUSEPORT` from control options (it works without them).
Closes#8328
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This errors pops up when `udevd` rescans the partition table with Talos
trying to mount a device concurrently.
This feels to be something new with Linux 6.6 probably.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#8345
Both `apid` and `trustd` services use a gRPC connection back to
`machined` to watch changes to the certificates (new certificates being
issued).
This refactors the code to follow regular conventions, so that a failure
to watch will crash the process, and they have a way to restart and
re-establish the watch.
Use the context and errgroup consistently.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Preallocation still done by default for correct max usage estimates, but
in development environment it could be beneficial not to use up that
space, so I added a flag to disable preallocation
Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Allow passing a partial config to the machines using the `--input-dir` flag of `talosctl cluster create`.
With this change, it is not required to have talosconfig inside the input directory, neither for the configuration documents to contain a `v1alpha1` config document. They can solely contain maintenance config, e.g., `KmsgLogConfig`.
This is useful for testing scenarios such as partial machine configs being provided via cloud user data.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Let's add a very basic test for the Kata Containers extension, mimicing
what's already in place for gVisor.
This depends on the work being done in:
https://github.com/siderolabs/extensions/pull/279
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
Drop the Kubernetes manifests as static files clean up (this is only
needed for upgrades from 1.2.x).
Fix Talos handling of cgroup hierarchy: if started in container in a
non-root cgroup hiearachy, use that to handle proper cgroup paths.
Add a test for a simple TinK mode (Talos-in-Kubernetes).
Update the docs.
Fixes#8274
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
SideroLink is a secure channel, so we can allow read access to the resources. This will give us more control of the node via Omni and/or other systems using SideroLink.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This disables by default (if not specified in the machine config) the
endpoint harvesting for KubeSpan peers.
The idea was to observe Wireguard endpoints as seen by other peers in
the cluster, and add them to the list of endpoints for the node. This
might be helpful only in case of some special type of NATs which are
almost never seen in the wild today.
So disable by default, but keep an option to enable it.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Prevent `DNSUpstreamController` from panicking by checking if the `machine` section in the config is `nil`. This is the case when a machine has partial configuration, e.g., when the machine has only a `SideroLinkConfig` in its config.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Update extensions test to use strategic patches and use
`ExtensionServiceConfig` document.
Depends on: https://github.com/siderolabs/extensions/pull/320
Signed-off-by: Noel Georgi <git@frezbo.dev>
Talos Linux 1.7.0 will ship with Kubernetes v1.30.0.
Drop some compatibility for Kubernetes < 1.25, as 1.25 is the minimum
supported version now.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The previous implementation used old events API, which had several
issues:
* buffer overruns, and weird checks
* big timeout even if the all nodes are booted up
Replace that with direct reading of `MachineStatus` resource which is
available since Talos 1.2.0.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixed URL to point to repository that exists.
Signed-off-by: Michael Stephenson <m.k.stephenson@outlook.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#8196
Example (profile excerpt):
```yaml
output:
kind: iso
isoOptions:
sdBootEnrollKeys: force
outFormat: raw
```
Defaults are still same (`if-safe` unless explicitly overridden).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
