Stdlib `net.ParseMAC` does lots of validations, but some hardware addrs
we can see (on logical interfaces) are not valid, so parse MACs in a
simple way.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
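The parser the commit message describes is not shown on the page; the following is an added illustration (not Talos code) of a deliberately lenient hardware-address parser beside `net.ParseMAC`, using constructed input. The 4-octet address is a constructed sample of the kind a logical (tunnel) interface can report; the function name `parseMACSimple` is hypothetical.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// parseMACSimple is a hypothetical, deliberately lenient parser: it splits
// the string on ':' (or '-') and hex-decodes every group, accepting any
// number of octets. net.ParseMAC only accepts 6-, 8- or 20-octet addresses,
// so a 4-octet address reported by a logical interface is rejected there.
func parseMACSimple(s string) (net.HardwareAddr, error) {
	s = strings.TrimSpace(s)
	if s == "" {
		// Some logical interfaces carry no link-layer address at all;
		// treat that as "no address" rather than as a parse error.
		return nil, nil
	}
	sep := ":"
	if strings.Contains(s, "-") {
		sep = "-"
	}
	parts := strings.Split(s, sep)
	addr := make(net.HardwareAddr, 0, len(parts))
	for _, p := range parts {
		if len(p) != 2 {
			return nil, fmt.Errorf("bad octet %q in hardware address %q", p, s)
		}
		b, err := hex.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("bad octet %q in hardware address %q: %w", p, s, err)
		}
		addr = append(addr, b[0])
	}
	return addr, nil
}

func main() {
	// Constructed inputs: a normal NIC address and a 4-octet tunnel address.
	for _, s := range []string{"52:54:00:12:34:56", "c0:a8:00:01"} {
		_, stdErr := net.ParseMAC(s)
		addr, err := parseMACSimple(s)
		fmt.Printf("%-18s stdlib err=%v  simple=%v err=%v\n", s, stdErr, addr, err)
	}
}
```

The lenient parser still rejects malformed groups (non-hex or wrong width), so it relaxes only the length rule that gets in the way on logical interfaces.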
Version API is only available over SideroLink connection.
This is useful to find Talos version as it got booted (e.g. to generate
proper machine configuration).
There's a security concern that version API might return sensitive
information via public API. At the same time Talos version can be
guessed by looking at the output of other APIs, e.g. resource type list
(`talosctl get rd`), which changes with every minor version.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
To enable authorization to services via SideroLink on startup, we extend
the kernel parameter siderolink.api to accept an optional join token as
a parameter, as in grpc://<host>:<port>?jointoken=1234
Fixes #5592
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
The tag was already corrected in v1.1 of the doc but we also need to
correct it for v1.0. When we check out git tag v1.0.5 and build the
installer it will create the image with `siderolabs` in the image tag.
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
Instead of a hardcoded `grub.cfg`, use common code to generate the list of
kernel arguments and allow using `--extra-kernel-arg` as well.
Before the change:
```
linux /boot/vmlinuz init_on_alloc=1 slab_nomerge pti=on panic=0 consoleblank=0 printk.devkmsg=on earlyprintk=ttyS0 console=tty0 console=ttyS0 talos.platform=metal
```
New (default line):
```
linux /boot/vmlinuz talos.platform=metal earlyprintk=ttyS0 console=ttyS0 console=tty0 init_on_alloc=1 slab_nomerge pti=on consoleblank=0 nvme_core.io_timeout=4294967295 random.trust_cpu=on printk.devkmsg=on ima_template=ima-ng ima_appraise=fix ima_hash=sha512
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
`GenerateKey` generates 32 random bytes vs. a key suitable for a
WireGuard endpoint key.
This is the only place in code with this bug, and it is only used in
test code (`talosctl cluster create` with fixed Wireguard
configuration).
SideroLink and Kubespan are not affected.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
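The diff is not on the page, so the following is an added example (not Talos code) of the distinction the commit message draws: 32 raw random bytes beside a key prepared as an X25519 private scalar, which is the form WireGuard private keys take (the standard clamping of the first and last byte). All function names are hypothetical; the all-`0xff` buffer is a constructed input used only to make the clamping visible.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

const keySize = 32

// randomBytes is the pattern the commit describes as the bug: 32 random
// bytes with no further processing.
func randomBytes() ([]byte, error) {
	k := make([]byte, keySize)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// clampX25519 turns 32 random bytes into a valid X25519 private scalar, the
// form WireGuard expects for a private key: clear the three low bits of the
// first byte, clear the top bit and set the second-highest bit of the last.
func clampX25519(k []byte) {
	k[0] &= 248
	k[keySize-1] &= 127
	k[keySize-1] |= 64
}

// isClampedX25519 reports whether k already has the clamping bits applied.
func isClampedX25519(k []byte) bool {
	return len(k) == keySize &&
		k[0]&7 == 0 &&
		k[keySize-1]&128 == 0 &&
		k[keySize-1]&64 != 0
}

// generateWireGuardPrivateKey is the corrected form (hypothetical name):
// random bytes followed by clamping.
func generateWireGuardPrivateKey() ([]byte, error) {
	k, err := randomBytes()
	if err != nil {
		return nil, err
	}
	clampX25519(k)
	return k, nil
}

// encodeKey renders a key the way WireGuard configuration carries it.
func encodeKey(k []byte) string {
	return base64.StdEncoding.EncodeToString(k)
}

func main() {
	raw, _ := randomBytes()
	key, _ := generateWireGuardPrivateKey()
	fmt.Printf("raw bytes clamped:   %v\n", isClampedX25519(raw)) // usually false
	fmt.Printf("generated clamped:   %v\n", isClampedX25519(key)) // always true
	fmt.Printf("private key (base64): %s\n", encodeKey(key))
}
```

Clamping is deterministic, so the check in `isClampedX25519` is also a cheap unit-test assertion for any key generator that claims to produce WireGuard private keys.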
If SideroLink is enabled, maintenance mode should only allow Siderolink connections.
Closes #5627
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
Add extra context to error message when unable to properly
open the talos config file when creating a cluster.
Signed-off-by: Tim Jones <tim.jones@siderolabs.com>
This adds the option to toggle the automatic creation of search domains.
Signed-off-by: Bᴇʀɴᴅ Sᴄʜᴏʀɢᴇʀs <me@bjw-s.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
dependabot-based; go-mod-outdated is broken due to a sum issue with the Azure
SDK package :(
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Fixes:
* Node hostname has a different place in metadata config.
* Do not reboot if machine-config is empty.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This increases `initramfs` size by 356060 bytes (raw text database is
1.3 MiB).
In QEMU:
```
$ talosctl -n 172.20.0.2 get links eth0 -o yaml
spec:
...
productID: "0x1000"
vendorID: "0x1af4"
product: Virtio network device
vendor: Red Hat, Inc.
```
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
The examples contain raw structures which will be base64-encoded on
marshaling to YAML, which might be confusing if someone tries to decode
the values.
At the same time we want to make sure that the example certs/keys are not
usable, to prevent clusters being created with fixed secrets.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Adds an example setup for sending Talos logs to a Vector aggregator.
Signed-off-by: Nat Allan <19149206+Truxnell@users.noreply.github.com>
Signed-off-by: Noel Georgi <git@frezbo.dev>
Fixes #5588
This fixes `apid` certificate generation for SideroLink IPs, so that
Talos API can be accessed over SideroLink connection.
We also drop SideroLink addresses from cluster discovery, as these
addresses don't work across nodes, so that they are not used for
KubeSpan, endpoints, etc.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
dependabot + go-mod-outdated
`arp` library is now using Go stdlib `netip.Addr`, so we need an ugly
way to convert `netaddr.IP` to `netip.Addr`. We should soon refactor to
use `netip.Addr` everywhere (starting with `siderolabs/net` package).
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
We extend the extension service spec with three security options:
WithWriteableSysfs, WithMaskedPaths, WithReadonlyPaths.
Fixes #5411
Signed-off-by: Philipp Sauter <philipp.sauter@siderolabs.com>
Rewrite types in deep-copy generation line to ascending order. Coming from #5563.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
This fixes an error where an integration test becomes stuck with a message
like:
```
waiting for coredns to report ready: some pods are not ready: [coredns-868c687b7-g2z64]
```
After some random sequence of node restarts, one of the pods might become
"stuck" in the `Completed` state (as shown in `kubectl get pods`),
blocking the check, as the pod will never become ready.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Refactor every typed.Resource except KubeletConfigSpec to use deep-copy tool for generating DeepCopy method.
KubeletConfigSpec is excluded because its DeepCopy method is not trivial.
Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>
We are trying to get an IP-address lifetime, but we do not have it yet.
Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This affects both API server and Talos API cert SANs.
Before the fix, SANs accumulated changes over time, so even if the
hostname changed, the old hostname was still kept in the SANs. Even though it
shouldn't be a problem in general, it is confusing, as after a reboot the list
will be reset back to the expected value.
Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>