This commit replaces `ioutil.TempDir` with `t.TempDir` in tests. The
directory created by `t.TempDir` is automatically removed when the test
and all its subtests complete.
Prior to this commit, temporary directories created using `ioutil.TempDir`
needed to be removed manually by calling `os.RemoveAll`, which is omitted
in some tests. The error handling boilerplate, e.g.

    defer func() {
        if err := os.RemoveAll(dir); err != nil {
            t.Fatal(err)
        }
    }()

is also tedious, but `t.TempDir` handles this for us nicely.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This uses all available (potential) etcd endpoints, which includes the
member being promoted as well. We avoid failures by iterating over the
list of endpoints on each attempt to make sure each and every endpoint
is tried.
Part of #5889
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This fixes a case when some IP which became default at some point was
removed completely from the node. In that case Talos should set default
address to another address, as having default IP not on the node doesn't
make much sense.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Similar to the way kubectl reads kubeconfig, we attempt to load talosconfig file from multiple locations. If the file exists under `/var/run/secrets/talos.dev/config`, we load with higher priority before falling back to `~/.talos/config`. This will allow talosctl to be able to access Talos API from inside a pod when talosconfig is mounted into `/var/run/secrets/talos.dev/config`, similar to the way Kubernetes service account tokens work.
Part of siderolabs/talos#5980.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This commit adds gotagsrewrite tool, which is used to add `protobuf:"<n>"` tags to structs with //gotagsrewrite:gen comment. This will be used in conjunction with github.com/siderolabs/protoenc.
Closes #5941
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This fixes apid and machined shutdown sequences to do a graceful stop of
the gRPC server with a timeout.
Also sequences are restructured to stop apid/machined as late as
possible allowing access to the node while the long sequence is running
(e.g. upgrade or reset).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fix `Talos` sequencer to run only a single sequence at the same time.
Sequences priority was updated. To match the table:
| requested (rows) \ running (columns) | boot | reboot | reset | upgrade |
|----------------------------------------------------|------|--------|-------|---------|
| reboot | Y | Y | Y | N |
| reset | Y | N | N | N |
| upgrade | Y | N | N | N |
With a small addition that `WithTakeover` is still there.
If set, priority is ignored.
This is mainly used for `Shutdown` sequence invocation,
and when applying config with reboot enabled.
Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
When a message is sent via the proxy, `metadata.error` carries only a string
representation which can't be unmarshalled back into an `error` which we
can match against. A similar fix was already done for "unary" responses,
but we missed the streaming case.
This fixes a spurious failure in integration tests when calling
`talosctl pcap --duration 1s`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Replace Matcher field with Matcher method and store Op and size data directly in InstallDiskSizeMatcher.
Closes #5860.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Fixing small issue in syntax.
Signed-off-by: Matthew Richardson <M.Richardson@ed.ac.uk>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This fixes a small bug with stable hostnames when they were only enabled
for control plane nodes.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The `PacketSource` interface is racy, as it provides a channel to read
packets from, while packets are read in an (invisible) goroutine, so
closing the capture handle creates a data race with reading.
Unwrap that goroutine into an explicit loop to avoid the race.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Use machine-id as the source for the default hostname (e.g. `talos-2gd-76y`) instead of DHCP-assigned IP (e.g. `talos-172-20-0-2`). This way, DHCP IP changes won't impact the hostname. Defaults to true for Talos version >=1.2.
Closes siderolabs/talos#5896.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Instead of writing PKI "once" around the startup time, keep writing PKI
files as the certificates get updated. `etcd` is able to reload
certificates, so we should keep updating them e.g. if the hostname/IPs
change over time.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Clear the kubelet certificates and kubeconfig when hostname changes so that on next start, kubelet goes through the bootstrap process and new certificates are generated and the node is joined to the cluster with the new name.
Fixes siderolabs/talos#5834.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Fixes #4836
Firewall mark is `uint32` attached to the packet in the Linux kernel
(it's not transmitted on the wire). This is a shared value for all
networking software, so multiple components might attempt to set and
match on the firewall mark.
Cilium and Calico CNIs are using firewall marks internally, but they
touch only some bits of the firewall mark.
The way KubeSpan was implemented before this PR, it was doing direct
match on the firewall mark, and setting the whole `uint32`, so it comes
into conflict with any other networking component using firewall marks.
The other problem was that firewall mark 0x51820 (0x51821) was too
"wide" touching random bits of the 32-bit value for no good reason.
So this change contains two fixes:
* make firewall mark exactly a single bit (we use bits `0x20` and `0x40`
now)
* match and mark packets with the mask (don't touch bits outside of the
mask when setting the mark and ignore bits outside of the mask when
matching on the mark).
This was tested successfully with both Cilium CNI (default config +
`ipam.mode=kubernetes`) and Calico CNI (default config).
One thing to note is that for KubeSpan and Talos it's important to make
sure that `podSubnets` in the machine config match CNI setting for
`podCIDRs`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
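Masked firewall-mark handling as described in the commit above, as an added illustration rather than Talos's own code: the single bits 0x20 and 0x40 and the old wide mark 0x51820 come from the commit message, while the CNI-owned bits (0xFF00), the CNI's mark value and the names ksMarkA/ksMarkB are constructed assumptions.

```go
package main

import "fmt"

// Added illustration of masked fwmark handling (not Talos's own code).
// Bits 0x20/0x40 and 0x51820 are from the commit; cniMask/cniMark are constructed.
const (
	cniMask uint32 = 0x0000FF00 // constructed: bits a CNI owns in the fwmark
	cniMark uint32 = 0x00000A00 // constructed: value the CNI already set

	ksMarkA uint32 = 0x20 // from the commit: KubeSpan single-bit marks
	ksMarkB uint32 = 0x40
	ksMask  uint32 = ksMarkA | ksMarkB

	oldWideMark uint32 = 0x51820 // pre-fix mark that spans many bits
)

// setMarkWhole models the pre-fix behaviour: the entire uint32 is overwritten,
// clobbering whatever bits another component had set.
func setMarkWhole(_ uint32, mark uint32) uint32 { return mark }

// matchMarkWhole models the pre-fix direct comparison: any foreign bit breaks it.
func matchMarkWhole(current, mark uint32) bool { return current == mark }

// setMarkMasked writes only the bits inside mask (iptables "value/mask" form).
func setMarkMasked(current, mark, mask uint32) uint32 {
	return (current &^ mask) | (mark & mask)
}

// matchMarkMasked compares only the bits inside mask.
func matchMarkMasked(current, mark, mask uint32) bool {
	return current&mask == mark&mask
}

// cniBitsIntact reports whether the CNI-owned bits survived a KubeSpan update.
func cniBitsIntact(mark uint32) bool { return mark&cniMask == cniMark }

func main() {
	pkt := cniMark // packet arrives already carrying the CNI's mark

	old := setMarkWhole(pkt, oldWideMark)
	fmt.Printf("pre-fix:  mark=%#x cniIntact=%v ksMatch=%v\n",
		old, cniBitsIntact(old), matchMarkWhole(old, oldWideMark))
	fmt.Printf("pre-fix:  whole match with CNI bits set: %v\n",
		matchMarkWhole(oldWideMark|cniMark, oldWideMark))

	cur := setMarkMasked(pkt, ksMarkA, ksMask)
	fmt.Printf("post-fix: mark=%#x cniIntact=%v ksMatch=%v\n",
		cur, cniBitsIntact(cur), matchMarkMasked(cur, ksMarkA, ksMask))
}
```

The pre-fix path both overwrites the CNI's bits and fails to match once any CNI bit is present, while the masked set/match leaves the CNI's bits untouched and still matches.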
Capture handle should be closed in the same goroutine with packet
reading.
Fix a spurious error which might appear in `talosctl pcap`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This uses the `go-packet` library with native bindings for the packet
capture (without `libpcap`). This is not the most performant way, but it
allows us to avoid CGo.
There is a problem with converting network filter expressions (like
`tcp port 3222`) into BPF instructions: it's only available in C
libraries, but there's a workaround with `tcpdump`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This fixes a problem when platform network configuration might have
already been applied from the cached on-disk representation, and in that
case e.g. `bond0` MAC is the same as `eth0`, so Talos might mistakenly pick
up `bond0` as a slave to itself instead of `eth0`.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The testcase explains it better, but tl;dr is that this allows
strategic merge patching e.g. for the Pod Security configuration.
Fixes #5895
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Overwrite cluster's server URL in the kubeconfig file used by kubelet when the cluster control plane endpoint is changed in machineconfig, so that kubelet doesn't lose connectivity to kube-apiserver.
Closes siderolabs/talos#4470.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
This PR allows the ability to generate `secrets.yaml` (`talosctl gen secrets`) using a Kubernetes PKI directory path (e.g. `/etc/kubernetes/pki`) as input. Also introduces the flag `--kubernetes-bootstrap-token` to be able to set a static Kubernetes bootstrap token to the generated `secrets.yaml` file instead of a randomly-generated one. Closes siderolabs/talos#5894.
Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
Refactor things to remove the bootstrap sequence, this should help with
the task of sequencer concurrency changes and immediate API feedback.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This PR removes pre-v0.10 docs from the drop down. They will remain in
the content so folks can still read them if needed.
Signed-off-by: Spencer Smith <spencer.smith@talos-systems.com>