Skip to content

Commit

Permalink
docs: add what's new and documentation for Talos 1.5
Browse files Browse the repository at this point in the history 
* SecureBoot
* TPM disk encryption
* KubePrism
* Boot Asset Generation

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
  • Loading branch information
@smira
smira committed Aug 9, 2023
1 parent c4a1ca8 commit daa4c18
Show file tree
Hide file tree
Showing 12 changed files with 632 additions and 38 deletions.
8 changes: 8 additions & 0 deletions pkg/imager/profile/default.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,14 @@ var Default = map[string]Profile{
},
},
},
"installer": {
Platform: "metal",
SecureBoot: pointer.To(false),
Output: Output{
Kind: OutKindInstaller,
OutFormat: OutFormatRaw,
},
},
"secureboot-installer": {
Platform: "metal",
SecureBoot: pointer.To(true),
Expand Down
4 changes: 2 additions & 2 deletions website/content/v1.4/_index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@ no_list: true
linkTitle: "Documentation"
cascade:
type: docs
lastRelease: v1.4.4
kubernetesRelease: "1.27.1"
lastRelease: v1.4.7
kubernetesRelease: "1.27.4"
prevKubernetesRelease: "1.26.3"
theilaRelease: "v0.2.1"
nvidiaContainerToolkitRelease: "v1.12.1"
Expand Down
6 changes: 3 additions & 3 deletions website/content/v1.5/_index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@ no_list: true
linkTitle: "Documentation"
cascade:
type: docs
lastRelease: v1.5.0-alpha.0
lastRelease: v1.5.0-beta.0
kubernetesRelease: "1.28.0"
prevKubernetesRelease: "1.27.1"
theilaRelease: "v0.2.1"
nvidiaContainerToolkitRelease: "v1.12.1"
nvidiaDriverRelease: "530.41.03"
nvidiaContainerToolkitRelease: "v1.13.5"
nvidiaDriverRelease: "535.54.03"
iscsiToolsRelease: "v0.1.4"
preRelease: true
---
Expand Down
4 changes: 2 additions & 2 deletions website/content/v1.5/advanced/building-images.md
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: "Building Talos Images"
description: "How to build Talos images from source."
title: "Building Custom Talos Images"
description: "How to build a custom Talos image from source."
---

There might be several reasons to build Talos images from source:
Expand Down
10 changes: 5 additions & 5 deletions website/content/v1.5/introduction/support-matrix.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,21 +6,21 @@ description: "Table of supported Talos Linux versions and respective platforms."

| Talos Version | 1.5 | 1.4 |
|----------------------------------------------------------------------------------------------------------------|------------------------------------|------------------------------------|
| Release Date | 2023-08-15, TBD | 2023-04-18 (1.4.0) |
| End of Community Support | 1.6.0 release (2023-12-15, TBD) | 1.5.0 release (2023-08-15, TBD) |
| Release Date | 2023-08-17, TBD | 2023-04-18 (1.4.0) |
| End of Community Support | 1.6.0 release (2023-12-15, TBD) | 1.5.0 release (2023-08-17, TBD) |
| Enterprise Support | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) | [offered by Sidero Labs Inc.](https://www.siderolabs.com/support/) |
| Kubernetes | 1.28, 1.27, 1.26 | 1.27, 1.26, 1.25 |
| Architecture | amd64, arm64 | amd64, arm64 |
| **Platforms** | | |
| - cloud | AWS, GCP, Azure, Digital Ocean, Exoscale, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud | AWS, GCP, Azure, Digital Ocean, Exoscale, Hetzner, OpenStack, Oracle Cloud, Scaleway, Vultr, Upcloud |
| - bare metal | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image |
| - bare metal | x86: BIOS, UEFI, SecureBoot; arm64: UEFI, SecureBoot; boot: ISO, PXE, disk image | x86: BIOS, UEFI; arm64: UEFI; boot: ISO, PXE, disk image |
| - virtualized | VMware, Hyper-V, KVM, Proxmox, Xen | VMware, Hyper-V, KVM, Proxmox, Xen |
| - SBCs | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Nano Pi R4S, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B, Raspberry Pi Compute Module 4 | Banana Pi M64, Jetson Nano, Libre Computer Board ALL-H3-CC, Nano Pi R4S, Pine64, Pine64 Rock64, Radxa ROCK Pi 4c, Raspberry Pi 4B, Raspberry Pi Compute Module 4 |
| - local | Docker, QEMU | Docker, QEMU |
| **Cluster API** | | |
| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.6.0 | >= 0.5.6 |
| [CAPI Bootstrap Provider Talos](https://github.com/siderolabs/cluster-api-bootstrap-provider-talos) | >= 0.7.0 | >= 0.6.0 |
| [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.4.10 | >= 0.4.10 |
| [Sidero](https://www.sidero.dev/) | >= 0.6.0 | >= 0.5.7 |
| [Sidero](https://www.sidero.dev/) | >= 0.6.0 | >= 0.6.0 |

## Platform Tiers

Expand Down
162 changes: 161 additions & 1 deletion website/content/v1.5/introduction/what-is-new/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,164 @@ description: "List of new and shiny features in Talos Linux."

See also [upgrade notes]({{< relref "../../talos-guides/upgrading-talos/">}}) for important changes.

TBD
## Predictable Network Interface Names

Starting with version Talos 1.5, network interfaces are renamed to [predictable names](https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/)
same way as `systemd` does that in other Linux distributions.

The naming schema `enx78e7d1ea46da` (based on MAC addresses) is enabled by default, the order of interface naming decisions is:

* firmware/BIOS provided index numbers for on-board devices (example: `eno1`)
* firmware/BIOS provided PCI Express hotplug slot index numbers (example: `ens1`)
* physical/geographical location of the connector of the hardware (example: `enp2s0`)
* interfaces's MAC address (example: `enx78e7d1ea46da`)

The predictable network interface names features can be disabled by specifying `net.ifnames=0` in the kernel command line.
Talos automatically adds the `net.ifnames=0` kernel argument when upgrading from Talos versions before 1.5, so upgrades to 1.5 don't require any manual intervention.

This change doesn't affect "cloud" platforms, like AWS, as Talos automatically adds `net.ifnames=0` to the kernel command line.

## SecureBoot

Talos now supports booting on UEFI systems in [SecureBoot]({{< relref "../../talos-guides/install/bare-metal-platforms/secureboot" >}}) mode.
When combined with TPM-based disk encryption, this provides Trusted Boot experience.

## Boot Assets Generation

Talos provides [a new unified way]({{< relref "../../talos-guides/install/boot-assets" >}}) to generate various boot assets, including ISOs, disk images, PXE boot files, installer container images etc., which can be
further customized with system extensions, extra kernel arguments.

## Kubernetes

### KubePrism - Kubernetes API Server In-Cluster Load Balancer

Talos now supports configuring the [KubePrism]({{< relref "../../kubernetes-guides/configuration/kubeprism">}}) - Kubernetes API Server in-cluster load balancer with machine config
`features.kubePrism.port` and `features.kubePrism.enabled` fields.

If enabled, KubePrism binds to `localhost` and runs on the same port on every machine in the cluster.
The default value for KubePrism endpoint is https://localhost:7445.

The KubePrism is used by the `kubelet`, `kube-scheduler`, `kube-controller-manager`
and `kube-proxy` by default and can be passed to the CNIs like Cilium and Calico.

The KubePrism provides access to the Kubernetes API endpoint even if the external loadbalancer
is not healthy, provided that the worker nodes can reach to the controlplane machine addresses directly.

### XFS Quota

Talos 1.5+ enables XFS project quota support by default, also enabling by default
kubelet feature gate `LocalStorageCapacityIsolationFSQuotaMonitoring` to use xfs quotas
to monitor volume usage instead of `du`.

This feature is controlled by the `.machine.features.diskQuotaSupport` field in the machine config,
it is set to true for new clusters.

When upgrading from a previous version, the feature can be enabled by setting the field to true.
On the first mount of a volume, the quota information will be recalculated, which may take some time.

## System Extensions

### Installing System Extensions

The way to install system extensions on the machine using `machine.install.extensions` machine configuration option is now deprecated,
please use instead [the boot asset generation process]({{< relref "../../talos-guides/install/boot-assets" >}}) to create an image with system extension pre-installed.

### Extension Services

Talos now supports setting `environmentFile` for an [extension service container spec]({{< relref "../../advanced/extension-services/#container" >}}).
The extension waits for the file to be present before starting the service.

## Disk Encryption

### TPM-based Disk Encryption

Talos now supports encrypting `STATE`/`EPHEMERAL` with [keys bound to a TPM device]{{< relref "../../talos-guides/install/bare-metal-platforms/secureboot" >}}().
The TPM device must be TPM2.0 compatible.
This type of disk encryption should be used when booting Talos in SecureBoot mode.

Example machine config:

```yaml
machine:
systemDiskEncryption:
ephemeral:
provider: luks2
keys:
- slot: 0
tpm: {}
state:
provider: luks2
keys:
- slot: 0
tpm: {}
```
### Network KMS Disk Encryption
Talos now supports new type of encryption keys which are sealed/unsealed with an external KMS server:
```yaml
machine:
systemDiskEncryption:
ephemeral:
provider: luks2
keys:
- kms:
endpoint: https://1.2.3.4:443
slot: 0
```
gRPC API definitions and a simple reference implementation of the KMS server can be found in this
[repository](https://github.com/siderolabs/kms-client/blob/main/cmd/kms-server/main.go).
## Container Images
### `talosctl image` Command

A new set of commands was introduced to manage container images in the CRI:

* `talosctl image list` shows list of available images
* `talosctl image pull` allows to pre-pull an image into the CRI

Both new commands accept `--namespace` flag with two possible values:

* `cri` (default): images managed by the CRI (Kubernetes workloads)
* `system`: images managed by Talos (`etcd` and `kubelet`)

### `talosctl upgrade-k8s` Image Pre-pulling

The command `talosctl upgrade-k8s` now by default pre-pulls images for Kubernetes controlplane components
and kubelet.
This provides an early check for missing images, and minimizes downtime during Kubernetes
rolling component update.

## Component Updates

* Linux: 6.1.42
* containerd: 1.6.22
* runc: 1.1.8
* etcd: 3.5.9
* Kubernetes: 1.28.0-rc.0
* Flannel: 0.22.1

Talos is built with Go 1.20.7.

Talos now builds many device drivers as kernel modules in the x86 Linux kernel, which get automatically loaded on boot based on the hardware detected.

## Deprecations

### Machine Configuration Option `.machine.install.bootloader`

The `.machine.install.bootloader` option in the machine config is deprecated and will be removed in Talos 1.6.
This was a no-op for a long time: the bootloader is always installed.

### RDMA/RoCE support

Talos no longer loads by default `rdma_rxe` Linux driver, which is required for RoCE support.
If the driver is required, it can be enabled by specifying `rdma_rxe` in the `.machine.kernel.modules` field in the machine config.

### `talosctl images` Command

The command `talosctl images` was renamed to `talosctl image default`.

The backward-compatible alias is kept in Talos 1.5, but it will be dropped in Talos 1.6.
55 changes: 55 additions & 0 deletions website/content/v1.5/kubernetes-guides/configuration/kubeprism.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
---
title: "KubePrism"
description: "Enabling in-cluster highly-available controlplane endpoint."
---

Kubernetes pods running in CNI mode can use the `kubernetes.default.svc` service endpoint to access the Kubernetes API server,
while pods running in host networking mode can only use the external cluster endpoint to access the Kubernetes API server.

Kubernetes controlplane components run in host networking mode, and it is critical for them to be able to access the Kubernetes API server,
same as CNI components (when CNI requires access to Kubernetes API).

The external cluster endpoint might be unavailable due to misconfiguration or network issues, or it might have higher latency than the internal endpoint.
A failure to access the Kubernetes API server might cause a series of issues in the cluster: pods are not scheduled, service IPs stop working, etc.

KubePrism feature solves this problem by enabling in-cluster highly-available controlplane endpoint on every node in the cluster.

## Enabling KubePrism

> As of Talos 1.5, KubePrism is not enabled by default.
To enable KubePrism, apply the following machine config patch either during the machine config generation, or to a running cluster (the patch should be applied to all nodes):

```yaml
machine:
features:
kubeprism:
enabled: true
port: 7445
```
> Note: the `port` specified should be available on every node in the cluster.

## How it works

Talos spins up a TCP loadbalancer on every machine on the `localhost` on the specified port which automatically picks up one of the endpoints:

* the external cluster endpoint as specified in the machine configuration
* for controlplane machines: `https://localhost:<api-server-local-port>` (`http://localhost:6443` in the default configuration)
* `https://<controlplane-address>:<api-server-port>` for every controlplane machine (based on the information from [Cluster Discovery]({{< relref "../../talos-guides/discovery" >}}))

KubePrism automatically filters out unhealthy (or unreachable) endpoints, and prefers lower-latency endpoints over higher-latency endpoints.

Talos automatically reconfigures `kubelet`, `kube-scheduler` and `kube-controller-manager` to use the KubePrism endpoint.
The `kube-proxy` manifest is also reconfigured to use the KubePrism endpoint by default, but when enabling KubePrism for a running cluster the manifest should be updated
with `talosctl upgrade-k8s` command.

When using CNI components that require access to the Kubernetes API server, the KubePrism endpoint should be passed to the CNI configuration (e.g. Cilium, Calico CNIs).

## Notes

As the list of endpoints for KubePrism includes the external cluster endpoint, KubePrism in the worst case scenario will behave the same as the external cluster endpoint.
For controlplane nodes, the KubePrism should pick up the `localhost` endpoint of the `kube-apiserver`, minimizing the latency.
Worker nodes might use direct address of the controlplane endpoint if the latency is lower than the latency of the external cluster endpoint.

KubePrism listen endpoint is bound to `localhost` address, so it can't be used outside the cluster.
27 changes: 3 additions & 24 deletions website/content/v1.5/talos-guides/configuration/system-extensions.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,32 +11,11 @@ container runtimes, loading additional firmware, etc.
System extensions are only activated during the installation or upgrade of Talos Linux.
With system extensions installed, the Talos root filesystem is still immutable and read-only.

## Configuration
## Installing System Extensions

System extensions are configured in the `.machine.install` section:
> Note: the way to install system extensions in the `.machine.install` section of the machine configuration is now deprecated.
```yaml
machine:
install:
extensions:
- image: ghcr.io/siderolabs/gvisor:33f613e
```
During the initial install (e.g. when PXE booting or booting from an ISO), Talos will pull down container images for system extensions,
validate them, and include them into the Talos `initramfs` image.
System extensions will be activated on boot and overlaid on top of the Talos root filesystem.

In order to update the system extensions for a running instance, update `.machine.install.extensions` and upgrade Talos.
(Note: upgrading to the same version of Talos is fine).

## Building a Talos Image with System Extensions

System extensions can be installed into the Talos disk image (e.g. AWS AMI or VMWare OVF) by running the following command to generate the image
from the Talos source tree:

```sh
make image-metal IMAGER_SYSTEM_EXTENSIONS="ghcr.io/siderolabs/amd-ucode:20220411 ghcr.io/siderolabs/gvisor:20220405.0-v1.0.0-10-g82b41ad"
```
A custom boot image of Talos can be generated with

## Authoring System Extensions

Expand Down
5 changes: 5 additions & 0 deletions website/content/v1.5/talos-guides/install/bare-metal-platforms/iso.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,8 @@ Please follow the [getting started guide]({{< relref "../../../introduction/gett
> The boot order should prefer disk over ISO, or the ISO should be removed after the installation to make Talos boot from disk.
See [kernel parameters reference]({{< relref "../../../reference/kernel" >}}) for the list of kernel parameters supported by Talos.

There are two flavors of ISO images available:

* `metal-<arch>.iso` supports booting on BIOS and UEFI systems (for x86, UEFI only for arm64)
* `secureboot-metal-<arch>.iso` supports booting on only UEFI systems in SecureBoot mode
Loading

0 comments on commit daa4c18

Please sign in to comment.