Commit Graph

501 Commits

Author SHA1 Message Date
Noel Georgi
fe52cb0749
chore: update protoc-gen-doc
`protoc-gen-doc` was using `pseudomuto/protoc-gen-doc` image which was
running go 1.17. Update to use `go install` from source like other
tools.

Signed-off-by: Noel Georgi <git@frezbo.dev>
2024-08-20 19:40:43 +05:30
Andrey Smirnov
61a1c946bf
feat: bundle (some) CNI plugins with Talos core
Fixes https://github.com/siderolabs/extensions/issues/448

Bundle some CNI standard plugins plus Flannel CNI plugin (as Flannel is
the default CNI in Talos) in the Talos `initramfs`.

With this change, no plugin install is required, so the `install-cni`
step is dropped from the Flannel default manifest.

The bundled plugins:

```
$ talosctl -n 172.20.0.2 ls -lH /opt/cni/bin/
NODE         MODE         UID   GID   SIZE(B)   LASTMOD       NAME
172.20.0.2   drwxr-xr-x   0     0     109 B     7 hours ago   .
172.20.0.2   -rwxr-xr-x   0     0     3.2 MB    7 hours ago   bridge
172.20.0.2   -rwxr-xr-x   0     0     3.3 MB    7 hours ago   firewall
172.20.0.2   -rwxr-xr-x   0     0     2.4 MB    7 hours ago   flannel
172.20.0.2   -rwxr-xr-x   0     0     2.4 MB    7 hours ago   host-local
172.20.0.2   -rwxr-xr-x   0     0     2.4 MB    7 hours ago   loopback
172.20.0.2   -rwxr-xr-x   0     0     2.8 MB    7 hours ago   portmap
```

The `initramfs` for amd64 grows 67 -> 73 MiB with this change.

The path `/opt/cni/bin` is still an overlay mount, so extra plugins can
be dropped to this directory (no change here).

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-08-14 14:33:18 +04:00
Dmitriy Matrenichev
622d66a98f
chore: bump deps
Bump stuff

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
2024-08-09 11:59:03 +03:00
Andrey Smirnov
32db8db606
chore: lock microsoft secureboot certs
Point to the last release to avoid updates on `make generate`.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-07-29 18:58:21 +04:00
Jean-Francois Roy
fd54dc191d
feat(talosctl): append microsoft secure boot certs
This patch adds a flag to `secureboot.database.Generate` to append the
Microsoft UEFI secure boot DB and KEK certificates to the appropriate
ESLs, in addition to complimentary command line flags.

This patch also includes a copy of said Microsoft certificates. The
certificates are downloaded from an official Microsoft repo.

Signed-off-by: Jean-Francois Roy <jf@devklog.net>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-07-22 14:15:42 +04:00
Andrey Smirnov
b07338f547
feat: provide machine config document to update trusted CA roots
Fixes #8867

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-07-12 19:28:31 +04:00
Andrey Smirnov
2512ef435f
test: fix the integrtion tests for apply-config
They got broken after refactoring.

Also use this PR to test things before the release.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-07-08 14:06:45 +04:00
Andrey Smirnov
b4c871e4b7
chore: bump dependencies
Update Go modules and other dependencies.

Fix linting of the Dockerfile.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-07-02 14:46:51 +04:00
Konrad Eriksson
bd34f71f3e
feat: add apparmor pkg
Bring in AppArmor pkg from `pkgs` which would add
`/sbin/apparmor_parser` which would get picked by containerd.

Signed-off-by: Noel Georgi <git@frezbo.dev>
2024-06-27 20:52:08 +05:30
Andrey Smirnov
9d395b9de9
chore: use bun instead of npm
This is minor, as it's lint-markdown, but seems to be
slightly faster on installing dependencies, but mostly same time on
running the actual tools.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-06-03 11:14:19 +04:00
Andrey Smirnov
1d29111d43
chore: update Go to 1.22.3
Also bump dependencies.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-05-08 14:59:41 +04:00
Andrey Smirnov
4c0c626b78
feat: use zstd compression in place of xz
Initramfs and kernel are compressed with zstd.

Extensions are compressed with zstd for Talos 1.8+.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-04-29 18:09:12 +04:00
Dmitriy Matrenichev
ccdb4c8b10
chore: update google.golang.org/grpc to 1.63.2
Update other modules while we are at it.

Closes #8628

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
2024-04-23 16:39:28 +03:00
Andrey Smirnov
bac1d00c35
chore: prepare for Talos 1.8
Fork docs, introduce version contract for 1.8.

Clean up old version contracts 0.8-0.14.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-04-19 18:19:36 +04:00
Andrey Smirnov
78b9bd9273
fix: report unsupported x86_64 microarchitecture level
Fixes #8361

Talos requires v2 (circa 2008), but VMs are often configured to limit
the exposed features to the baseline (v1).

```
[    0.779218] [talos] [initramfs] booting Talos v1.7.0-alpha.1-35-gef5bbe728-dirty
[    0.779806] [talos] [initramfs] CPU: QEMU Virtual CPU version 2.5+, 4 core(s), 1 thread(s) per core
[    0.780529] [talos] [initramfs] x86_64 microarchitecture level: 1
[    0.781018] [talos] [initramfs] it might be that the VM is configured with an older CPU model, please check the VM configuration
[    0.782346] [talos] [initramfs] x86_64 microarchitecture level 2 or higher is required, halting
```

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-04-03 16:09:57 +04:00
Dmitriy Matrenichev
19f15a840c
chore: bump golangci-lint to 1.57.0
Fix all discovered issues.

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
2024-03-21 01:06:53 +03:00
Andrey Smirnov
403ad93c35
feat: update dependencies
containerd 1.7.14
Linux 6.6.21

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-03-14 16:17:24 +04:00
Noel Georgi
952801d8b2
fix: handle overlay partition options
Handling of Overlay PartitionOpts was missed in the previous code.

Signed-off-by: Noel Georgi <git@frezbo.dev>
2024-03-14 15:39:59 +05:30
Noel Georgi
d118a852b9
feat: implement Install for imager overlays
Implement `Install` for imager overlays.
Also add support for generating installers.

Depends on: #8377

Fixes: #8350
Fixes: #8351
Fixes: #8350

Signed-off-by: Noel Georgi <git@frezbo.dev>
2024-03-12 22:46:29 +05:30
Andrey Smirnov
8152a6dd6b
feat: update Go to 1.22.1
Update Go and other dependencies as well.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-03-07 15:53:29 +04:00
Andrey Smirnov
a1ec1705bc
chore: update Go to 1.22.0
Finally!

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-02-12 14:33:38 +04:00
Louis SCHNEIDER
1e77bb1c3d
chore: allow custom pkgs to build talos
Allow to override each package reference.

Signed-off-by: Louis SCHNEIDER <louis.schneider@bedrockstreaming.com>
Signed-off-by: Louis SCHNEIDER <louis@schne.id>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-02-08 17:07:31 +04:00
Andrey Smirnov
6ccdd2c09c
chore: fix markdown-lint call
Don't ask me why this weird syntax for flags.

Don't ask me why it fails with exit code zero (success) on invalid
flags.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-02-05 17:18:45 +04:00
Andrey Smirnov
2ff81c06bc
feat: update runc 1.1.12, containerd 1.7.13
Also:

* Linux 6.6.14 + XDP enablement
* etcd 3.5.12

Various other bumps for the tools, utilities, and Go modules.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-02-01 17:01:04 +04:00
Utku Ozdemir
cf0603330a
docs: copy generated JSON schema to host
After the JSON schema is generated in a build container, copy it over to the host, so it becomes a part of the codebase.

This is required as the location of the schema changed recently from being under `pkg/machinery/config/types/` to be under `pkg/machinery/config/schemas/`.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2024-01-26 13:56:55 +01:00
Andrey Smirnov
fe24139f3c
docs: fork docs for v1.7
Time start v1.7 development cycle!

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-01-18 19:17:42 +04:00
Anthony ARNAUD
a599e38674
chore: allow custom registry to build installer/imager
Use custom pkgs repository by setting PKGS_PREFIX as argument.

Signed-off-by: Anthony ARNAUD <github@anthony-arnaud.fr>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2024-01-18 17:32:52 +04:00
Utku Ozdemir
6c5a0c2811
feat: generate a single JSON schema for multidoc config
Rework docgen to scan a whole directory for multidoc config types recursively and generate a single schema for all of them.

Annotate the files which need to be scanned by docgen while generating a schema by `//docgen:jsonschema`.

Move and rename the schema.

Bring back schema tests.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
2024-01-16 12:25:15 +01:00
Andrey Smirnov
e6e422b92a
chore: bump dependencies
Go modules, tools, etc.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-12-21 19:01:16 +04:00
Andrey Smirnov
01f0cbe61c
feat: support iPXE direct booting in talosctl cluster create
This embeds a tiny TFTP server which serves UEFI iPXE which embeds a
script that chainloads a given iPXE script.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-12-19 17:56:08 +04:00
Andrey Smirnov
46121c9fec
docs: rework machine config documentation generation
Generate a structured table of contents following the structure of the
config.

Make high-level examples follow the full structure of the config.

Document new multi-doc machine config.

Fixes #8023

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-12-08 14:16:40 +04:00
Andrey Smirnov
36c8ddb5e1
feat: implement ingress firewall rules
Fixes #4421

See documentation for details on how to use the feature.

With `talosctl cluster create`, firewall can be easily test with
`--with-firewall=accept|block` (default mode).

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-11-30 22:58:16 +04:00
Noel Georgi
4f1ad16c76
feat: support kubelet credentialprovider config
Support configuring kubelet credential provider config.

Partially fixes: #7911

Signed-off-by: Noel Georgi <git@frezbo.dev>
2023-11-13 19:40:43 +05:30
Andrey Smirnov
c97db5dfe1
chore: bump Go dependencies
Update Go modules.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-11-03 12:55:23 +04:00
Andrey Smirnov
9dfae8467d
chore: update dependencies
Containerd 1.7.7, Linux 6.1.58.

Fixes #7859

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-10-17 17:41:38 +04:00
Andrey Smirnov
c3e4182000
refactor: use COSI runtime with new controller runtime DB
See https://github.com/cosi-project/runtime/pull/336

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-10-12 19:44:44 +04:00
Andrey Smirnov
e71508ec10
chore: update dependencies
Go modules, Cilium CLI, Helm, etc.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-09-28 19:48:02 +04:00
Radosław Piliszek
f00567e20f
chore: add PKG_KERNEL arg to customize used kernel
Related to #7612

Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-09-13 14:35:44 +04:00
Noel Georgi
bbeb489aa8
chore: drop firmware from initramfs
Drop firmware from initramfs. Extra firmware can be added as system
extensions enabled through imager service.

Before:

```bash
❯ du -sh _out/initramfs-amd64.xz
58M	_out/initramfs-amd64.xz
```

After:

```bash
❯ du -sh _out/initramfs-amd64.xz
56M	_out/initramfs-amd64.xz
```

Signed-off-by: Noel Georgi <git@frezbo.dev>
2023-08-25 15:34:51 +05:30
Andrey Smirnov
74c07ed714
chore: update Go to 1.21
This fixes a problem in the `RouteSpecController` which is due to a
subtle (but correct) change in the behavior in the `stdlib`.

Also some small (but should be safe) bumps.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-08-23 22:52:04 +04:00
Andrey Smirnov
cb468c41cb
fix: copy proper modules to arm64 squashfs
Due to a mistake, the amd64 modules were copied 🤦

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-08-22 19:41:40 +04:00
Andrey Smirnov
676db97684
docs: fork docs for Talos 1.6
Create a copy of documentation for Talos 1.6.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2023-08-17 19:37:38 +04:00
Andrey Smirnov
fb536af4d1
chore: optimize memory usage of tcell library on init
There are two changes here:

* build `machined` binary with `tcell_minimal` tag (which disables
  loading some parts of the terminfo database), which also affects
  `apid`, `trustd` and `dashboard` processes, as they run from the same
  executable; in `dashboard` explicitly import `linux` terminal we're
  using when the `dashboard` runs on the machine
* pass `TCELL_MINIMIZE=1` environment variable to each Talos process
  which removes 0.5MiB of runewdith allocation for a lookup table

See #7578

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2023-08-04 17:59:18 +04:00
Andrey Smirnov
7c86a365e2
chore: publish systemd-boot and systemd-stub assets
These assets are required to build a UKI, so publish them as part of the
release.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2023-08-04 16:04:52 +04:00
Andrey Smirnov
87fe8f1a2a
feat: implement image generation profiles
Support full configuration for image generation, including image
outputs, support most features (where applicable) for all image output
types, unify image generation process.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2023-08-02 19:13:44 +04:00
Andrey Smirnov
018e7f5871
chore: bump dependencies
Linux: 6.1.42
containerd: 1.6.22
Flannel: 0.22.1

And some other Go module bumps, new pkgs/tools/extras.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2023-07-31 22:33:22 +04:00
Andrey Smirnov
53873b8444
refactor: move ukify into Talos code
This is intemediate step to move parts of the `ukify` down to the main
Talos source tree, and call it from `talosctl` binary.

The next step will be to integrate it into the imager and move `.uki`
build out of the Dockerfile.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2023-07-13 19:14:32 +04:00
Noel Georgi
79365d9bac
feat: tpm2 based disk encryption
Support disk encryption using tpm2 and pre-calculated signed PCR values.

Fixes: #7266

Signed-off-by: Noel Georgi <git@frezbo.dev>
2023-07-12 20:41:28 +05:30
Noel Georgi
94e9891c1b
chore: bump sd-boot to v254-rc1
Bump sd-boot.
Fix parsing PE executable offsets.
Set the PE file alignment to be 512 bytes.

Signed-off-by: Noel Georgi <git@frezbo.dev>
2023-07-11 15:52:57 +05:30
Noel Georgi
3206db5289
feat: drop tpm simulator for ukify measure
We do not need a tpm simulator for ukify measure. We can pre-calculate
the values. This also means we can build ukify as a static binary.

Signed-off-by: Noel Georgi <git@frezbo.dev>
2023-07-10 19:21:32 +05:30