IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
PEM was converted to DER incorrectly when the output was a X509 certificate and not a public key.
Skip unnecessary parsing of it to an RSA public key before writing it in DER format as output.
Simplify the code as we do not generate `*-signing-public-key.pem` anymore.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Rework docgen to scan a whole directory for multidoc config types recursively and generate a single schema for all of them.
Annotate the files which need to be scanned by docgen while generating a schema by `//docgen:jsonschema`.
Move and rename the schema.
Bring back schema tests.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Before this change KubePrism used hardcoded "localhost" as destination which Go could resolve to IPv6 destination and
then fail to connect to. This change forces KubePrism to connect using IPv4 and uses hardcoded "127.0.0.1" destination so
it will always use IPv4.
For #8112
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
When the dashboard is used via the CLI through a proxy, e.g., through Omni, node names or IDs can be used in the `--nodes` flag instead of the IPs.
This caused rendering inconsistencies in the dashboard, as some parts of it used the IPs and some used the names passed in the context.
Fix this by collecting all node IPs on dashboard start, and map these IPs to the respective nodes passed as the `--nodes` flag.
On the dashboard footer, we always display the node names as they are passed in the `--nodes` flag.
As part of it, remove the node list change reactivity from the dashboard, so it will always take the passed nodes as the truth.
The IP to node mapping collection at dashboard startup also solves another issue where the first API call by the dashboard triggered the interactive API authentication (e.g., the OIDC flow). Previously, because the terminal was already switched to the raw mode, it was not possible to authenticate properly.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Use `replace` patch merging strategy for `portSelector.ports` and `ingress`es in `NetworkRuleConfig` document, so that they do not have duplicate entries and/or fail on port range validation.
Closessiderolabs/talos#8136.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Add missing attributes to conversion of go-blockdevice disk
to protobuf disk.
Signed-off-by: Jonomir <68125495+Jonomir@users.noreply.github.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
We will use the default IPv6 gateway priority as 2048.
The RA default is 1024, which leads to verbose messages such as 'error adding route: netlink receive: file exists.'
Azure uses DHCPv6 and RA for configuring IPv6 on the node.
The platform sets the default gateway as a fallback in case 'accept_ra' is not set to 2.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This allows to pass direct URLs to Image Factory assets for disk
image/ISO/vmlinuz/initramfs, so that we can test Image Factory with
Talos.
Also add an integration test for Image Factory.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This filemap is used to generate installer image layer with artifacts.
Previous dumb implementation buffered in memory which leads to extensive
memory usage.
See https://github.com/siderolabs/image-factory/issues/77
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Only Talos 1.5+ provides proper optimized image,
Talos 1.4 provided a single-layer image (which worked in this case),
while Talos 1.2-1.3 have multi-layered images which can't be replaced
easily.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add some quirks to make images generated with newer Talos compatible
with images generated by older Talos.
Specifically, reset options were adding in Talos 1.4, so we shouldn't
add them for older versions.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Without truncate the file was not overwritten properly if the file with
the same name already exists and has smaller size.
Fixes#8097
Also add a 10 second timeout on UEFI ISO boot, so that boot menu can be
seen without pressing `Esc` many times.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Add note to try spamming Esc to bring up the sd-boot menu option if keys
don't automatically enroll in UEFI firmware.
Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
This embeds a tiny TFTP server which serves UEFI iPXE which embeds a
script that chainloads a given iPXE script.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The previous code was a mistake, the public part of the certificate is
more easily available.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This is going to be multipart effort to finally use safe.* wrappers in the production code.
Quick regexp search shows that there are around 150 direct type assertions on resources (excluding the ones in this commit).
Also - migrate from `interface{}` to `any` and use `slices.Sort*` instead of `sort.*` where possible.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
When creating an image under non-default mount prefix, it should be
used explicitly when copying SBC files.
See https://github.com/siderolabs/image-factory/issues/65
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Updated lots of documentation with new/updated flows.
Provide What's New for Talos 1.6.0.
Update Troubleshooting guide to cover more steps.
Make Talos 1.6 docs the default.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#8057
I went back and forth on the way to fix it exactly, and ended up with a
pretty simple version of a fix.
The problem was that discovery service was removing the member at the
initial phase of reset, which actually still requires KubeSpan to be up:
* leaving `etcd` (need to talk to other members)
* stopping pods (might need to talk to Kubernetes API with some CNIs)
Now leaving discovery service happens way later, when network
interactions are no longer required.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It works well for small clusters, but with bigger clusters it puts too
much load on the discovery service, as it has quadratic complexity in
number of endpoints discovered/reported from each member.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
This might come handy to distinguish sequences, tasks initiated by a
particular API request.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
Markdown/HTML can't have headings after level 6, so make sure the
maximum heading level is capped at 6.
We have just a single place with such deep nesting.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Reimplement `gopacket.PacketSource.PacketsCtx` as `forEachPacket`.
- Use `ZeroCopyPacketDataSource` instead of `PacketDataSource`. I didn't find any specific reason why `PacketDataSource` exists at all, since `NewPacket` is doing copy inside if you don't explicitly tell it not to.
- Use `WillPool` to pool packet buffers. It doesn't fully remove allocations, but it's a safe start.
Send packets back into the pool after we are done with them.
- Pass `Packet` directly to the closure instead of waiting for it on the channel. We don't store this packet anywhere so there is no reason to async this part.
- Drop `time.Sleep` code in `forEachPacket` body.
- Drop `SnapLen` support in client and server since it didn't work anyway (details in the PR).
Closes#7994
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Generate a structured table of contents following the structure of the
config.
Make high-level examples follow the full structure of the config.
Document new multi-doc machine config.
Fixes#8023
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The command should be able to deploy old versions of Talos as well,
even before KubePrism.
The version contract correctly enables/disables KubePrism by default, so
take default flag value as "don't change defaults".
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The core blockdevice library already supported resolving symlinks, we
just need to get the raw block device name from it, and use it
afterwards.
In QEMU provisioner, leave the first (system) disk as virtio (for
performance), and mount user disks as 'ata', which allows `udevd` to
pick up the disk IDs (not available for `virtio`), and use the symlink
path in the tests.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
It was using `note` instead of `notes`, so some entries got dropped.
I blame CodePilot for that ;)
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#7854
Talos runs an emergency handler if the sequence experience and
unrecoverable failure. The emergency handler was unconditionally
executing "reboot" action if no other action was received (which only
gets received if the sequence completes successfully), so the Shutdown
request might result in a Reboot behavior on error during shutdown
phase.
This is not a pretty fix, but it's hard to deliver the intent from one
part of the code to another right now, so instead use a global variable
which stores default emergency intention, and gets overridden early in
the Shutdown sequence.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Added docs for arm64 and updated packer plugin.
Signed-off-by: Sebastian Gaiser <sebastiangaiser@users.noreply.github.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
In route `LoadPatches` -> `configpatcher.Apply` -> `configloader.NewFromBytes` any leading newlines will be transformed into `|4` yaml. We want to prevent that.
Closes#7993
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
As the controller reconciles every /etc file present, it might be called
multiple times for the same file, even if the actual contents haven't
changed.
Rewriting the file might lead to some concurrent process seeing
incomplete file contents more often than needed.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Checking for `zeroValue` is not enough when accessing `map[string]any`.
Closes#8005
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
The problem was that bootloaders were correctly picking up defaults for
`installer` mode (vs. `imager` mode), but DTB and other SBC stuff wasn't
properly initialized, so installing on SBC fails.
Now all options are properly initialized with defaults early in the
process.
Fixes#8009
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
Fixes#7947
This way etcd advertised address can be picked from the `external IPs`
of the machine.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
